Changeset 4138 for TI12-security/trunk/python/ndg.security.test/ndg/security

Timestamp:

27/08/08 11:48:57 (13 years ago)

Author:

cbyrom

Message:

Implement consistent use of keywords throughout the codebase - using
the wssecurity class as the guide - effectively changing the xml
property file key names to match those of the ini files. Also remove
useSignatureHandler keyword and replace with a check for the WS-Security
property + add better checking of properties in the tac and py files
+ add new config files and remove some unnecessary ones.

Location:

TI12-security/trunk/python/ndg.security.test/ndg/security/test

Files:

• XMLSecDoc/xmlSecDocTest.cfg (modified) (1 diff)
• XMLSecDoc/xmlSecDocTest.py (modified) (1 diff)
• attAuthority/attAuthorityClientTest.cfg (modified) (1 diff)
• attAuthority/invalidSiteAAttAuthority.cfg (deleted)
• attAuthority/invalidSiteAAttAuthorityProperties.xml (deleted)
• attAuthority/siteAAttAuthority.cfg (modified) (4 diffs)
• attAuthority/siteAAttAuthorityProperties.xml (modified) (1 diff)
• attAuthority/siteBAttAuthority.cfg (added)
• attAuthority/siteBAttAuthorityProperties.xml (modified) (1 diff)
• attCert/AttCertTest.py (modified) (2 diffs)
• attCert/attCertTest.cfg (modified) (2 diffs)
• authz/pdp/browse/browse.cfg (modified) (1 diff)
• ca/simpleCAProperties.xml (modified) (1 diff)
• myProxy/MyProxyClientTest.py (modified) (1 diff)
• myProxy/myProxyClientTest.cfg (modified) (1 diff)
• sessionMgr/sessionMgrProperties.xml (modified) (1 diff)
• sessionMgrClient/sessionMgrClientTest.cfg (modified) (1 diff)
• sessionMgrClient/sessionMgrProperties.xml (modified) (1 diff)
• utils/attAuthority.cfg (modified) (4 diffs)
• utils/attAuthorityProperties.xml (modified) (2 diffs)
• utils/invalidAttAuthority.cfg (modified) (2 diffs)
• utils/invalidAttAuthorityProperties.xml (modified) (2 diffs)
• utils/sessionMgr.cfg (modified) (2 diffs)
• utils/sessionMgrProperties.xml (modified) (2 diffs)
• xmlsec/etree/etree.cfg (modified) (1 diff)
• xmlsec/etree/test_etree.py (modified) (2 diffs)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/XMLSecDoc/xmlSecDocTest.cfg

@@ -12 +12 @@
 
 [test2Sign]
-certFile: $NDGSEC_XMLSECDOC_UNITTEST_DIR/test.crt
-keyFile: $NDGSEC_XMLSECDOC_UNITTEST_DIR/test.key
+signingCertFilePath: $NDGSEC_XMLSECDOC_UNITTEST_DIR/test.crt
+signingPriKeyFilePath: $NDGSEC_XMLSECDOC_UNITTEST_DIR/test.key
 filePath: $NDGSEC_XMLSECDOC_UNITTEST_DIR/ac-signed.xml
-keyPwd:
+signingPriKeyPwd:
 
 [test3Write]

TI12-security/trunk/python/ndg.security.test/ndg/security/test/XMLSecDoc/xmlSecDocTest.py

@@ -89 +89 @@
         self.xmlSecDoc.filePath = xpdVars(self.cfg['test2Sign']['filepath'])
         self.xmlSecDoc.certFilePathList = \
-                                xpdVars(self.cfg['test2Sign']['certfile'])
+                                xpdVars(self.cfg['test2Sign']['signingCertFilePath'])
         self.xmlSecDoc.signingKeyFilePath = \
                                 xpdVars(self.cfg['test2Sign']['keyfile'])
         
-        keyPwd = self.cfg['test2Sign'].get('keypwd')
+        keyPwd = self.cfg['test2Sign'].get('signingPriKeyPwd')
         if keyPwd is None:
             self.xmlSecDoc.signingKeyPwd = \

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attAuthority/attAuthorityClientTest.cfg

@@ -65 +65 @@
 
 # Inclusive namespaces for Exclusive C14N
-#wssRefInclNS: xmlns xsi xsd SOAP-ENV wsu wsse ns1
-#wssSignedInfoInclNS: xsi xsd SOAP-ENV ds wsse ec
-wssRefInclNS: 
-wssSignedInfoInclNS: 
+#refC14nInclNS: xmlns xsi xsd SOAP-ENV wsu wsse ns1
+#signedInfoC14nInclNS: xsi xsd SOAP-ENV ds wsse ec
+refC14nInclNS: 
+signedInfoC14nInclNS: 
 
 [test3GetTrustedHostInfo]

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attAuthority/siteAAttAuthority.cfg

@@ -33 +33 @@
 sslCACertDir: $NDGSEC_AACLNT_UNITTEST_DIR/ca
 
-# CA Certificates used to verify X.509 certs used in Attribute Certificates.
-# The CA certificates of other NDG trusted sites should go here.  NB, multiple
-# values should be delimited by a space
-caCertFileList: $NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem
-
-# Leave blank for NO SOAP signature
-useSignatureHandler: Yes 
-
-# Set the certificate used to verify the signature of messages from the 
-# client.  This can usually be left blank since the client is expected to 
-# include the cert with the signature in the inbound SOAP message
-clntCertFile:
 # Lifetime is measured in seconds
 attCertLifetime: 28800 
@@ -70 +58 @@
 #
 # SOAP Signature Handler settings
+# Leave blank for NO SOAP signature
 [WS-Security]
 #
 # OUTBOUND MESSAGE CONFIG
+
+# CA Certificates used to verify X.509 certs used in Attribute Certificates.
+# The CA certificates of other NDG trusted sites should go here.  NB, multiple
+# values should be delimited by a space
+caCertFileList: $NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem
 
 # Signature of an outbound message
@@ -82 +76 @@
 
 # PEM encoded cert
-certFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
+signingCertFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
 
 # ... or provide file path to PEM encoded private key file
-keyFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
+signingPriKeyFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
 
 # Password protecting private key.  Leave blank if there is no password.
-keyPwd=
+signingPriKeyPwd=
+
+# Pass a list of certificates ',' separated PEM encoded certs constituting a 
+# chain of trust from the certificate used to verifying the signature backward 
+# to the CA cert.  The CA cert need not be included.  To use this option, 
+# reqBinSecTokValType must be set to the X509PKIPathv1
+signingCertChain=
 
 # Inclusive namespace prefixes Canonicalisation of reference elements - 
 # space separated list e.g. refC14nInclNS=wsse ds ns1
-wssRefInclNS:
+refC14nInclNS:
 
 # Inclusive namespaces prefixes for Canonicalisation of SignedInfo element -
 # same format as the above
-wssSignedInfoInclNS:
+signedInfoC14nInclNS:
 
 
@@ -114 +114 @@
 
 
+#
+# INBOUND MESSAGE CONFIG
+
+# X.509 certificate used by verify method to verify a message.  This argument 
+# can be omitted if the message to be verified contains the X.509 certificate 
+# in the BinarySecurityToken element.  In this case, the cert read from the
+# message will be assigned to the verifyingCert attribute.
+
+# Provide the PEM encoded content here
+verifyingCert=
+
+# ... or provide file path PEM encode cert here
+verifyingCertFilePath=
+

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attAuthority/siteAAttAuthorityProperties.xml

@@ -12 +12 @@
     -->
     <sslCACertDir>$NDGSEC_AACLNT_UNITTEST_DIR/ca</sslCACertDir>
+    <!--  NB, if no signature handling is required, do not include this element -->
     <!-- 
-        WS-Security settings leave 'useSignatureHandler' blank for no 
-        signature 
+        WS-Security settings 
         -->
-    <useSignatureHandler>Yes</useSignatureHandler> 
-    <certFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</certFile>
-    <keyFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</keyFile>
-    <keyPwd></keyPwd>
-        <wssRefInclNS></wssRefInclNS>
-        <wssSignedInfoInclNS></wssSignedInfoInclNS>
-    <caCertFileList>
-        <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
-        <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem</caCertFile>
-        <!-- 
-        To also trust certificates issued from your MyProxy CA, replace 
-        "abcdef01.0" with the unique name for your CA certificate and uncomment
-        the following line:
-        <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
-        -->
-    </caCertFileList>
-    <!-- Set the value type of the server cert -->
-    <reqBinSecTokValType>X509v3</reqBinSecTokValType>
-    <!-- Set the response message header to include a SignatureConfirmation element -->
-    <applySignatureConfirmation>True</applySignatureConfirmation>
-    <!-- 
-    Set the certificate used to verify the signature of messages from the 
-    client.  This can usually be left blank since the client is expected to 
-    include the cert with the signature in the inbound SOAP message
-    -->
-    <clntCertFile></clntCertFile>    
+    <WS-Security>
+        <signingCertFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</signingCertFilePath>
+            <signingPriKeyFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</signingPriKeyFilePath>
+        <signingPriKeyPwd></signingPriKeyPwd>
+                <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
+            <caCertFileList>
+            <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+                <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem</caCertFile>
+                <!-- 
+            To also trust certificates issued from your MyProxy CA, replace 
+                "abcdef01.0" with the unique name for your CA certificate and uncomment
+                the following line:
+            <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
+                -->
+            </caCertFileList>
+            <!-- Set the value type of the server cert -->
+        <reqBinSecTokValType>X509v3</reqBinSecTokValType>
+            <!-- Set the response message header to include a SignatureConfirmation element -->
+            <applySignatureConfirmation>True</applySignatureConfirmation>
+            <!-- 
+        Set the certificate used to verify the signature of messages from the 
+            client.  This can usually be left blank since the client is expected to 
+        include the cert with the signature in the inbound SOAP message
+            -->
+        <verifyingCertFilePath></verifyingCertFilePath>    
+    </WS-Security>
     <attCertLifetime>28800</attCertLifetime>
     <attCertNotBeforeOff>0</attCertNotBeforeOff>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attAuthority/siteBAttAuthorityProperties.xml

@@ -11 +11 @@
     -->
     <sslCACertDir>$NDGSEC_AACLNT_UNITTEST_DIR/ca</sslCACertDir>
-        <!-- WS-Security settings -->
-    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature -->
-    <certFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteB-aa.crt</certFile>
-    <caCertFileList>
-        <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
-        <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem</caCertFile>
-        <!-- 
-        To also trust certificates issued from your MyProxy CA, replace 
-        "abcdef01.0" with the unique name for your CA certificate and uncomment
-        the following line:
-        <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
-        -->
-    </caCertFileList>
-    <keyFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteB-aa.key</keyFile>
-    <keyPwd></keyPwd>
-        <wssRefInclNS></wssRefInclNS>
-        <wssSignedInfoInclNS></wssSignedInfoInclNS>
-    <!-- 
-    Set the certificate used to verify the signature of messages from the 
-    client.  This can usually be left blank since the client is expected to 
-    include the cert with the signature in the inbound SOAP message
-    -->
-    <clntCertFile></clntCertFile>    
+    <!--  NB, if no signature handling is required, do not include this element -->
+    <WS-Security>
+                <!-- WS-Security settings -->
+        <signingCertFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteB-aa.crt</signingCertFilePath>
+            <caCertFileList>
+            <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+                <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem</caCertFile>
+                <!-- 
+            To also trust certificates issued from your MyProxy CA, replace 
+                "abcdef01.0" with the unique name for your CA certificate and uncomment
+                the following line:
+            <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
+                -->
+            </caCertFileList>
+        <signingPriKeyFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteB-aa.key</signingPriKeyFilePath>
+            <signingPriKeyPwd></signingPriKeyPwd>
+                <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
+        <!-- 
+            Set the certificate used to verify the signature of messages from the 
+        client.  This can usually be left blank since the client is expected to 
+            include the cert with the signature in the inbound SOAP message
+        -->
+            <verifyingCertFilePath></verifyingCertFilePath>
+        </WS-Security>    
     <attCertLifetime>28800</attCertLifetime>
     <attCertNotBeforeOff>0</attCertNotBeforeOff>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attCert/AttCertTest.py

@@ -188 +188 @@
         self.attCert.filePath = xpdVars(self.cfg['test9Sign']['filepath'])
         self.attCert.certFilePathList = \
-            xpdVars(self.cfg['test9Sign']['certfile'])
+            xpdVars(self.cfg['test9Sign']['signingCertFilePath'])
         self.attCert.signingKeyFilePath = \
-            xpdVars(self.cfg['test9Sign']['keyfile'])
-        
-        signingKeyPwd = self.cfg['test9Sign'].get('keypwd')
+            xpdVars(self.cfg['test9Sign']['signingPriKeyFilePath'])
+        
+        signingKeyPwd = self.cfg['test9Sign'].get('signingPriKeyPwd')
         if signingKeyPwd is None:
             try:
@@ -241 +241 @@
             self.cfg['test13IsValidStressTest']['certfilepathlist'].split()]
         self.attCert.signingKeyFilePath = \
-                        xpdVars(self.cfg['test13IsValidStressTest']['keyfile'])
-        
-        signingKeyPwd = self.cfg['test13IsValidStressTest'].get('keypwd')
+                        xpdVars(self.cfg['test13IsValidStressTest']['signingPriKeyFilePath'])
+        
+        signingKeyPwd = self.cfg['test13IsValidStressTest'].get('signingPriKeyPwd')
         if signingKeyPwd is None:
             try:

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attCert/attCertTest.cfg

@@ -10 +10 @@
 
 [test9Sign]
-certFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.crt
-keyFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
+signingCertFilePath: $NDGSEC_ATTCERT_UNITTEST_DIR/test.crt
+signingPriKeyFilePath: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
 filePath: $NDGSEC_ATTCERT_UNITTEST_DIR/ac-signed.xml
-keyPwd:
+signingPriKeyPwd:
 
 [test10Write]
@@ -28 +28 @@
 # verification
 certFilepathlist: $NDGSEC_ATTCERT_UNITTEST_DIR/test.crt $NDGSEC_ATTCERT_UNITTEST_DIR/ndg-test-ca.crt
-keyFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
-keyPwd:
+signingPriKeyFilePath: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
+signingPriKeyPwd:
 nruns: 10
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/authz/pdp/browse/browse.cfg

@@ -85 +85 @@
 signingPriKeyPwd=
 
+# Pass a list of certificates ',' separated PEM encoded certs constituting a 
+# chain of trust from the certificate used to verifying the signature backward 
+# to the CA cert.  The CA cert need not be included.  To use this option, 
+# reqBinSecTokValType must be set to the X509PKIPathv1
+signingCertChain=
+
 # Provide a space separated list of file paths.  CA Certs should be included 
 # for all the sites this installation trusts

TI12-security/trunk/python/ndg.security.test/ndg/security/test/ca/simpleCAProperties.xml

@@ -6 +6 @@
     <sslKeyFile>$NDGSEC_CA_UNITTEST_DIR/srv-key.pem</sslKeyFile>
     <caCertFile>$NDGSEC_CA_UNITTEST_DIR/cacert.pem</caCertFile>
-    <certFile>$NDGSEC_CA_UNITTEST_DIR/srv-cert.pem</certFile>
-    <keyFile>$NDGSEC_CA_UNITTEST_DIR/srv-key.pem</keyFile>
-    <keyPwd/>
-    <!-- 
-    Set the certificate used to verify the signature of messages from the 
-    client.  This can usually be left blank since the client is expected to 
-    include the cert with the signature in the inbound SOAP message
-    -->
-    <clntCertFile></clntCertFile>    
+    <WS-Security>
+            <signingCertFilePath>$NDGSEC_CA_UNITTEST_DIR/srv-cert.pem</signingCertFilePath>
+        <signingPriKeyFilePath>$NDGSEC_CA_UNITTEST_DIR/srv-key.pem</signingPriKeyFilePath>
+            <signingPriKeyPwd/>
+        <!-- 
+            Set the certificate used to verify the signature of messages from the 
+        client.  This can usually be left blank since the client is expected to 
+            include the cert with the signature in the inbound SOAP message
+        -->
+            <verifyingCertFilePath></verifyingCertFilePath>
+        </WS-Security>    
         <!-- 
         OpenSSL configuration file - omit to use globus default

TI12-security/trunk/python/ndg.security.test/ndg/security/test/myProxy/MyProxyClientTest.py

@@ -64 +64 @@
                               prompt="\ntest1Store cred. owner pass-phrase: ")
 
-        certFile = xpdVars(self.cfg['test1Store']['certfile'])
-        keyFile = xpdVars(self.cfg['test1Store']['keyfile'])
+        certFile = xpdVars(self.cfg['test1Store']['signingCertFilePath'])
+        keyFile = xpdVars(self.cfg['test1Store']['signingPriKeyFilePath'])
         ownerCertFile = xpdVars(self.cfg['test1Store']['ownercertfile'])
         ownerKeyFile = xpdVars(self.cfg['test1Store']['ownerkeyfile'])

TI12-security/trunk/python/ndg.security.test/ndg/security/test/myProxy/myProxyClientTest.cfg

@@ -16 +16 @@
 username: testuser
 passphrase: testpassword
-certFile: $NDGSEC_MYPROXY_UNITTEST_DIR/user.crt
-keyFile: $NDGSEC_MYPROXY_UNITTEST_DIR/user.key
+signingCertFilePath: $NDGSEC_MYPROXY_UNITTEST_DIR/user.crt
+signingPriKeyFilePath: $NDGSEC_MYPROXY_UNITTEST_DIR/user.key
 ownerCertFile: $NDGSEC_MYPROXY_UNITTEST_DIR/user.crt
 ownerKeyFile: $NDGSEC_MYPROXY_UNITTEST_DIR/user.key

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgr/sessionMgrProperties.xml

@@ -13 +13 @@
     <!--
     WS-Security settings for signature of outbound SOAP messages
+    NB, if no signature handling is required, do not include this element 
     -->
-    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature -->
-    <!-- 
-    CA Certificates used to verify X.509 certs used in peer SOAP messages,
-    SSL connections and Attribute Certificates
-    -->
-    <caCertFileList>
-        <caCertFile>$NDGSEC_SM_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
-    </caCertFileList>
-    <certFile>$NDGSEC_SM_UNITTEST_DIR/sm.crt</certFile>
-    <keyFile>$NDGSEC_SM_UNITTEST_DIR/sm.key</keyFile>
-    <keyPwd/>
-        <!-- 
-        Inclusive namespace prefixes for reference and SignedInfo sections of
-        WS-Security digital signature
-        -->
-        <wssRefInclNS></wssRefInclNS>
-        <wssSignedInfoInclNS></wssSignedInfoInclNS>
-    <!-- 
-    Set the certificate used to verify the signature of messages from the 
-    client.  This can usually be left blank since the client is expected to 
-    include the cert with the signature in the inbound SOAP message
-    -->
-    <clntCertFile></clntCertFile>    
+    <WS-Security>
+            <!-- 
+            CA Certificates used to verify X.509 certs used in peer SOAP messages,
+            SSL connections and Attribute Certificates
+        -->
+            <caCertFileList>
+            <caCertFile>$NDGSEC_SM_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+        </caCertFileList>
+            <signingCertFilePath>$NDGSEC_SM_UNITTEST_DIR/sm.crt</signingCertFilePath>
+        <signingPriKeyFilePath>$NDGSEC_SM_UNITTEST_DIR/sm.key</signingPriKeyFilePath>
+            <signingPriKeyPwd/>
+                <!-- 
+                Inclusive namespace prefixes for reference and SignedInfo sections of
+                WS-Security digital signature
+                -->
+                <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
+        <!-- 
+            Set the certificate used to verify the signature of messages from the 
+        client.  This can usually be left blank since the client is expected to 
+            include the cert with the signature in the inbound SOAP message
+        -->
+        <verifyingCertFilePath></verifyingCertFilePath>
+    </WS-Security>    
     <sessMgrEncrKey>abcdef0123456789</sessMgrEncrKey>
     <sessMgrURI>https://localhost:5700/SessionManager</sessMgrURI>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrClientTest.cfg

@@ -65 +65 @@
 
 # Inclusive namespaces for Exclusive C14N
-#wssRefInclNS: xmlns xsi xsd SOAP-ENV wsu wsse ns1
-#wssSignedInfoInclNS: xsi xsd SOAP-ENV ds wsse ec
-wssRefInclNS: 
-wssSignedInfoInclNS: 
+#refC14nInclNS: xmlns xsi xsd SOAP-ENV wsu wsse ns1
+#signedInfoC14nInclNS: xsi xsd SOAP-ENV ds wsse ec
+refC14nInclNS: 
+signedInfoC14nInclNS: 
 
 [test1Connect] 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml

@@ -13 +13 @@
     <!--
     PKI settings for WS-Security signature of outbound SOAP messages
+    NB, if no signature handling is required, do not include this element
     -->
-    <!--
-    PKI settings for signature of outbound SOAP messages
-    -->
-    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature -->
-    <!-- 
-    CA Certificates used to verify X.509 certs used in peer SOAP messages,
-    SSL connections and Attribute Certificates
-    -->
-    <caCertFileList>
-        <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
-        <!-- 
-        To also trust certificates issued from your MyProxy CA, replace 
-        "abcdef01.0" with the unique name for your CA certificate and uncomment
-        the following line:
-        <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/abcdef01.0</caCertFile>
-        -->
-    </caCertFileList>
-    <certFile>$NDGSEC_SMCLNT_UNITTEST_DIR/sm.crt</certFile>
-    <keyFile>$NDGSEC_SMCLNT_UNITTEST_DIR/sm.key</keyFile>
-    <keyPwd/>
-        <!-- 
-        Inclusive namespace prefixes for reference and SignedInfo sections of
-        WS-Security digital signature
-        -->
-        <wssRefInclNS></wssRefInclNS>
-        <wssSignedInfoInclNS></wssSignedInfoInclNS>
-    <!-- 
-    Set the certificate used to verify the signature of messages from the 
-    client.  This can usually be left blank since the client is expected to 
-    include the cert with the signature in the inbound SOAP message
-    -->
-    <clntCertFile></clntCertFile>    
+    <WS-Security>
+            <!-- 
+        CA Certificates used to verify X.509 certs used in peer SOAP messages,
+        SSL connections and Attribute Certificates
+        -->
+            <caCertFileList>
+            <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+                <!-- 
+                To also trust certificates issued from your MyProxy CA, replace 
+            "abcdef01.0" with the unique name for your CA certificate and uncomment
+                the following line:
+                <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/abcdef01.0</caCertFile>
+            -->
+            </caCertFileList>
+        <signingCertFilePath>$NDGSEC_SMCLNT_UNITTEST_DIR/sm.crt</signingCertFilePath>
+            <signingPriKeyFilePath>$NDGSEC_SMCLNT_UNITTEST_DIR/sm.key</signingPriKeyFilePath>
+        <signingPriKeyPwd/>
+                <!-- 
+                Inclusive namespace prefixes for reference and SignedInfo sections of
+                WS-Security digital signature
+                -->
+                <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
+            <!-- 
+        Set the certificate used to verify the signature of messages from the 
+            client.  This can usually be left blank since the client is expected to 
+        include the cert with the signature in the inbound SOAP message
+            -->
+        <verifyingCertFilePath></verifyingCertFilePath>
+    </WS-Security>    
     <sessMgrEncrKey>abcdef0123456789</sessMgrEncrKey>
     <sessMgrURI>https://localhost:5700/SessionManager</sessMgrURI>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/attAuthority.cfg

@@ -58 +58 @@
 #
 # SOAP Signature Handler settings
+# Leave blank for NO SOAP signature
 [WS-Security]
 #
 # OUTBOUND MESSAGE CONFIG
-
-
-# Set the certificate used to verify the signature of messages from the 
-# client.  This can usually be left blank since the client is expected to 
-# include the cert with the signature in the inbound SOAP message
-clntCertFile:
 
 # CA Certificates used to verify X.509 certs used in Attribute Certificates.
@@ -72 +67 @@
 # values should be delimited by a space
 caCertFileList: $NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem
-
-# Leave blank for NO SOAP signature
-useSignatureHandler: Yes 
 
 # Signature of an outbound message
@@ -84 +76 @@
 
 # PEM encoded cert
-certFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
+signingCertFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
 
 # ... or provide file path to PEM encoded private key file
-keyFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
+signingPriKeyFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
 
 # Password protecting private key.  Leave blank if there is no password.
-keyPwd=
+signingPriKeyPwd=
+
+# Pass a list of certificates ',' separated PEM encoded certs constituting a 
+# chain of trust from the certificate used to verifying the signature backward 
+# to the CA cert.  The CA cert need not be included.  To use this option, 
+# reqBinSecTokValType must be set to the X509PKIPathv1
+signingCertChain=
 
 # Inclusive namespace prefixes Canonicalisation of reference elements - 
 # space separated list e.g. refC14nInclNS=wsse ds ns1
-wssRefInclNS:
+refC14nInclNS:
 
 # Inclusive namespaces prefixes for Canonicalisation of SignedInfo element -
 # same format as the above
-wssSignedInfoInclNS:
+signedInfoC14nInclNS:
 
 
@@ -116 +114 @@
 
 
+#
+# INBOUND MESSAGE CONFIG
+
+# X.509 certificate used by verify method to verify a message.  This argument 
+# can be omitted if the message to be verified contains the X.509 certificate 
+# in the BinarySecurityToken element.  In this case, the cert read from the
+# message will be assigned to the verifyingCert attribute.
+
+# Provide the PEM encoded content here
+verifyingCert=
+
+# ... or provide file path PEM encode cert here
+verifyingCertFilePath=
+

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/attAuthorityProperties.xml

@@ -14 +14 @@
     <WS-Security>
     <!-- 
-        WS-Security settings leave 'useSignatureHandler' blank for no signature 
+        WS-Security settings 
+    NB, if no signature handling is required, do not include this element
         -->
-            <useSignatureHandler>Yes</useSignatureHandler> 
-        <certFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</certFile>
-            <keyFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</keyFile>
-        <keyPwd></keyPwd>
-                <wssRefInclNS></wssRefInclNS>
-                <wssSignedInfoInclNS></wssSignedInfoInclNS>
+        <signingCertFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</signingCertFilePath>
+            <signingPriKeyFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</signingPriKeyFilePath>
+        <signingPriKeyPwd></signingPriKeyPwd>
+                <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
             <caCertFileList>
             <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
@@ -41 +41 @@
         include the cert with the signature in the inbound SOAP message
             -->
-        <clntCertFile></clntCertFile>    
+        <verifyingCertFilePath></verifyingCertFilePath>    
     </WS-Security>
     <attCertLifetime>28800</attCertLifetime>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/invalidAttAuthority.cfg

@@ -13 +13 @@
     <sslCACertDir>$NDGSEC_AACLNT_UNITTEST_DIR/ca</sslCACertDir>
     <!-- 
-        WS-Security settings leave 'useSignatureHandler' blank for no 
-        signature 
+        WS-Security settings - remove for no signature 
         -->
-    <useSignatureHandler>Yes</useSignatureHandler> 
-    <certFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</certFile>
-    <keyFile>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</keyFile>
-    <keyPwd></keyPwd>
-        <wssRefInclNS></wssRefInclNS>
-        <wssSignedInfoInclNS></wssSignedInfoInclNS>
+    <signingCertFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt</signingCertFilePath>
+    <signingPriKeyFilePath>$NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key</signingPriKeyFilePath>
+    <signingPriKeyPwd></signingPriKeyPwd>
+        <refC14nInclNS></refC14nInclNS>
+        <signedInfoC14nInclNS></signedInfoC14nInclNS>
     <caCertFileList>
         <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
@@ -41 +39 @@
     include the cert with the signature in the inbound SOAP message
     -->
-    <clntCertFile></clntCertFile>    
+    <verifyingCertFilePath></verifyingCertFilePath>    
     <attCertLifetime>28800</attCertLifetime>
     <attCertNotBeforeOff>0</attCertNotBeforeOff>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/invalidAttAuthorityProperties.xml

@@ -38 +38 @@
 caCertFileList: $NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_AACLNT_UNITTEST_DIR/ca/cacert.pem
 
-# Leave blank for NO SOAP signature
-useSignatureHandler: Yes 
-
 # Set the certificate used to verify the signature of messages from the 
 # client.  This can usually be left blank since the client is expected to 
 # include the cert with the signature in the inbound SOAP message
-clntCertFile:
+verifyingCertFilePath:
 # Lifetime is measured in seconds
 attCertLifetime: 28800 
@@ -82 +79 @@
 
 # PEM encoded cert
-certFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
+signingCertFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.crt
 
 # ... or provide file path to PEM encoded private key file
-keyFile: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
+signingPriKeyFilePath: $NDGSEC_AACLNT_UNITTEST_DIR/siteA-aa.key
 
 # Password protecting private key.  Leave blank if there is no password.
-keyPwd=
+signingPriKeyPwd=
+
+# Pass a list of certificates ',' separated PEM encoded certs constituting a 
+# chain of trust from the certificate used to verifying the signature backward 
+# to the CA cert.  The CA cert need not be included.  To use this option, 
+# reqBinSecTokValType must be set to the X509PKIPathv1
+signingCertChain=
 
 # Inclusive namespace prefixes Canonicalisation of reference elements - 
 # space separated list e.g. refC14nInclNS=wsse ds ns1
-wssRefInclNS:
+refC14nInclNS:
 
 # Inclusive namespaces prefixes for Canonicalisation of SignedInfo element -
 # same format as the above
-wssSignedInfoInclNS:
+signedInfoC14nInclNS:
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/sessionMgr.cfg

@@ -32 +32 @@
 cookieDomain: 
 
-# Leave blank for NO SOAP signature
-useSignatureHandler: Yes 
-
 #
 # SOAP Signature Handler settings
+# Leave blank for NO SOAP signature
 [WS-Security]
 #
@@ -61 +59 @@
 # Password protecting private key.  Leave blank if there is no password.
 signingPriKeyPwd=
+
+# Pass a list of certificates ',' separated PEM encoded certs constituting a 
+# chain of trust from the certificate used to verifying the signature backward 
+# to the CA cert.  The CA cert need not be included.  To use this option, 
+# reqBinSecTokValType must be set to the X509PKIPathv1
+signingCertChain=
 
 # Provide a space separated list of file paths

TI12-security/trunk/python/ndg.security.test/ndg/security/test/utils/sessionMgrProperties.xml

@@ -18 +18 @@
     <!--
     PKI settings for WS-Security signature of outbound SOAP messages
+    - remove element for no signature handling
     -->
     <WS-Security>
-            <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature -->
         <!-- X.509 certificate included in SOAP header -->
-            <certFile>$NDGSEC_DIR/conf/certs/sm-cert.pem</certFile>
+            <signingCertFilePath>$NDGSEC_DIR/conf/certs/sm-cert.pem</signingCertFilePath>
         <!-- corresponding private key used to sign the SOAP message -->
-            <keyFile>$NDGSEC_DIR/conf/certs/sm-key.pem</keyFile>
+            <signingPriKeyFilePath>$NDGSEC_DIR/conf/certs/sm-key.pem</signingPriKeyFilePath>
         <!-- Password protecting private key file - leave blank if none set -->
-            <keyPwd></keyPwd>
+            <signingPriKeyPwd></signingPriKeyPwd>
         <!-- 
                 Inclusive namespace prefixes for reference and SignedInfo sections of
                 WS-Security digital signature
         -->
-            <wssRefInclNS></wssRefInclNS>
-                <wssSignedInfoInclNS></wssSignedInfoInclNS>
+            <refC14nInclNS></refC14nInclNS>
+                <signedInfoC14nInclNS></signedInfoC14nInclNS>
             <!-- 
         CA Certificates used to verify X.509 certs used in peer SOAP messages,
@@ -47 +47 @@
             include the cert with the signature in the inbound SOAP message
             -->
-        <clntCertFile></clntCertFile> 
+        <verifyingCertFilePath></verifyingCertFilePath> 
     </WS-Security>
     <!--

TI12-security/trunk/python/ndg.security.test/ndg/security/test/xmlsec/etree/etree.cfg

@@ -12 +12 @@
 
 [test2SignWithInclC14N]
-certFile: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.crt
-keyFile: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.key
+signingCertFilePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.crt
+signingPriKeyFilePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.key
 filePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test-incl-c14n-signed.xml
-keyPwd:
+signingPriKeyPwd:
 
 [test3SignWithExclC14N]
-certFile: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.crt
-keyFile: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.key
+signingCertFilePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.crt
+signingPriKeyFilePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test.key
 filePath: $NDGSEC_XMLSEC_ETREE_UNITTEST_DIR/test-excl-c14n-signed.xml
-keyPwd:
+signingPriKeyPwd:
 
 [test4Write]

TI12-security/trunk/python/ndg.security.test/ndg/security/test/xmlsec/etree/test_etree.py

@@ -86 +86 @@
                     xpdVars(self.cfg['test2SignWithInclC14N']['filepath'])
         self.xmlSecDoc.certFilePathList = \
-                    xpdVars(self.cfg['test2SignWithInclC14N']['certfile'])
+                    xpdVars(self.cfg['test2SignWithInclC14N']['signingCertFilePath'])
         self.xmlSecDoc.signingKeyFilePath = \
                     xpdVars(self.cfg['test2SignWithInclC14N']['keyfile'])
 
-        keyPwd = self.cfg['test2SignWithInclC14N'].get('keypwd')
+        keyPwd = self.cfg['test2SignWithInclC14N'].get('signingPriKeyPwd')
         if keyPwd is None:
             self.xmlSecDoc.signingKeyPwd = getpass.getpass(prompt=\
@@ -106 +106 @@
                     xpdVars(self.cfg['test3SignWithExclC14N']['filepath'])
         self.xmlSecDoc.certFilePathList = \
-                    xpdVars(self.cfg['test3SignWithExclC14N']['certfile'])
+                    xpdVars(self.cfg['test3SignWithExclC14N']['signingCertFilePath'])
         self.xmlSecDoc.signingKeyFilePath = \
                     xpdVars(self.cfg['test3SignWithExclC14N']['keyfile'])
 
-        keyPwd = self.cfg['test3SignWithExclC14N'].get('keypwd')
+        keyPwd = self.cfg['test3SignWithExclC14N'].get('signingPriKeyPwd')
         if keyPwd is None:
             self.xmlSecDoc.signingKeyPwd = getpass.getpass(prompt=\