Changeset 4336 for TI12-security/trunk
- Timestamp:
- 14/10/08 16:21:31 (12 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 3 edited
TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
r4156 r4336 539 539 540 540 541 #_____________________________________________________________________________542 541 def X509StackParseFromDER(derString): 543 542 """Make a new stack from a DER string … … 550 549 551 550 552 #_____________________________________________________________________________553 551 class X500DNError(Exception): 554 552 """Exception handling for NDG X.500 DN class.""" 555 553 556 554 557 #_____________________________________________________________________________558 555 # For use with parseSeparator method: 559 556 import re … … 566 563 # name equivalents 567 564 # * private * 568 __shortNameLUT = { 'commonName': 'CN', 569 'organisationalUnitName': 'OU', 570 'organisation': 'O', 571 'countryName': 'C', 572 'emailAddress': 'EMAILADDRESS', 573 'localityName': 'L', 574 'stateOrProvinceName': 'ST', 575 'streetAddress': 'STREET', 576 'domainComponent': 'DC', 577 'userid': 'UID'} 578 579 580 def __init__(self, 581 dn=None, 582 m2CryptoX509Name=None, 583 separator=None): 565 __shortNameLUT = { 566 'commonName': 'CN', 567 'organisationalUnitName': 'OU', 568 'organisation': 'O', 569 'countryName': 'C', 570 'emailAddress': 'EMAILADDRESS', 571 'localityName': 'L', 572 'stateOrProvinceName': 'ST', 573 'streetAddress': 'STREET', 574 'domainComponent': 'DC', 575 'userid': 'UID' 576 } 577 578 579 def __init__(self, dn=None, m2CryptoX509Name=None, separator=None): 584 580 585 581 """Create a new X500 Distinguished Name 586 582 587 m2CryptoX509Name: initialise using using an M2Crypto.X509.X509_Name 588 dn: initialise using a distinguished name string 589 separator: separator used to delimit dn fields - usually 590 '/' or ','. If dn is input and separator is 591 omitted the separator character will be 592 automatically parsed from the dn string. 
593 """ 583 @type m2CryptoX509Name: M2Crypto.X509.X509_Name 584 @param m2CryptoX509Name: initialise using using an 585 M2Crypto.X509.X509_Name 586 @type dn: basestring 587 @param dn: initialise using a distinguished name string 588 @type separator: basestring 589 @param: separator: separator used to delimit dn fields - usually '/' 590 or ','. If dn is input and separator is omitted the separator 591 character will be automatically parsed from the dn string. 592 """ 593 594 594 # Private key data 595 self.__dat = { 'CN': '', 596 'OU': '', 597 'O': '', 598 'C': '', 599 'EMAILADDRESS': '', 600 'L': '', 601 'ST': '', 602 'STREET': '', 603 'DC': '', 604 'UID': ''} 595 self.__dat = {}.fromkeys(X500DN.__shortNameLUT.values(), '') 605 596 606 597 dict.__init__(self) … … 618 609 619 610 self.__separator = separator 620 621 611 622 612 if m2CryptoX509Name is not None: 623 613 # the argument is an x509 dn in m2crypto format 624 # 625 # Hack required here because M2Crypto doesn't 626 # correctly separate emailAddress fields e.g. 
627 # 628 # C=SG, ST=Singapore, O=BMTAP Pte Ltd, 629 # OU=Environmental Development, 630 # CN=www.bmtap.com.sg/emailAddress=sjamsul.lakau@bmtasia.com.sg 631 # ^ 632 # - The slash is left in place 633 # 634 # TODO: re-check this for future M2Crypto releases 635 dnTxt = ', '.join(m2CryptoX509Name.as_text().split('/')) 636 # End hack 637 638 self.deserialise(dnTxt) 614 self.deserialise(str(m2CryptoX509Name)) 639 615 640 616 elif dn is not None: … … 647 623 self.deserialise(dn) 648 624 649 650 625 def __repr__(self): 651 626 """Override default behaviour to return internal dictionary content""" 652 627 return self.serialise() 653 654 628 655 629 def __str__(self): … … 657 631 serialised format.""" 658 632 return self.serialise() 659 660 633 661 634 def __eq__(self, x500dn): … … 666 639 667 640 return self.__dat.items() == x500dn.items() 668 669 641 670 642 def __ne__(self, x500dn): 671 643 """Return true if the all the fields of the two DNs are equal""" … … 675 647 676 648 return self.__dat.items() != x500dn.items() 677 678 649 679 650 def __delitem__(self, key): 680 651 """Prevent keys from being deleted.""" 681 652 raise X500DNError('Keys cannot be deleted from the X500DN') 682 683 653 684 654 def __getitem__(self, key): … … 699 669 else: 700 670 # key not recognised as a short or long name version 701 raise X500DNError('Key "' + key + '" not recognised for X500DN') 702 671 raise KeyError('Key "' + key + '" not recognised for X500DN') 703 672 704 673 def __setitem__(self, key, item): … … 719 688 else: 720 689 # key not recognised as a short or long name version 721 raise X500DNError('Key "' + key + '" not recognised for X500DN') 722 690 raise KeyError('Key "' + key + '" not recognised for X500DN') 723 691 724 692 def clear(self): 725 raise X500DNError("Data cannot be cleared from " + self.__class__.__name__) 726 727 693 raise X500DNError("Data cannot be cleared from X500DN") 694 728 695 def copy(self): 729 696 … … 731 698 return copy.copy(self) 732 699 733 734 700 
def keys(self): 735 701 return self.__dat.keys() 736 702 737 738 703 def items(self): 739 704 return self.__dat.items() 740 705 741 742 706 def values(self): 743 707 return self.__dat.values() 744 745 708 746 709 def has_key(self, key): … … 751 714 return key in self.__tags 752 715 753 754 def get(self, kw): 755 return self.__dat.get(kw) 756 757 716 def get(self, *arg): 717 return self.__dat.get(*arg) 718 758 719 def serialise(self, separator=None): 759 720 """Combine fields in Distinguished Name into a single string.""" … … 781 742 if isinstance(val, tuple): 782 743 dnList += [separator.join(["%s=%s" % (key, valSub) \ 783 for valSub in val])]744 for valSub in val])] 784 745 else: 785 746 dnList += ["%s=%s" % (key, val)] … … 837 798 for key, val in parsedDN.items(): 838 799 if key not in self.__dat and key not in self.__shortNameLUT: 839 raise X500DNError , \840 "Invalid field \"%s\" in input DN string" % key800 raise X500DNError('Invalid field "%s" in input DN string' % 801 key) 841 802 842 803 self.__dat[key] = val -
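Review bot: `__getitem__` and `__setitem__` now raise `KeyError` for an unrecognised key while `__delitem__`, `clear` and `deserialise` in the same class still raise `X500DNError`, and because `X500DNError` derives from `Exception` rather than `KeyError` (the `class X500DNError(Exception)` context line), any caller with `except X500DNError` around indexing silently stops catching this case. If the intent is to honour the mapping protocol, consider an error that inherits from both, e.g. `class X500DNKeyError(X500DNError, KeyError)`, raised from both methods, and state the raised type in their docstrings. The new `__init__` docstring also has a stray colon in `@param: separator:`, and replacing the `as_text().split('/')` workaround with `self.deserialise(str(m2CryptoX509Name))` drops the comment that explained the emailAddress separator problem; a one-line note such as `# str() yields the oneline '/'-separated form, so emailAddress is parsed as a normal field` would keep the reasoning (I am inferring the oneline format from M2Crypto's X509_Name.__str__ — confirm). These methods sit inside class X500DN, whose body continues beyond the hunk.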
TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py
r4145 r4336 18 18 from M2Crypto.httpslib import HTTPSConnection as _HTTPSConnection 19 19 20 from ndg.security.common.X509 import X509Cert, X509Stack 20 from ndg.security.common.X509 import X509Cert, X509Stack, X500DN 21 21 22 22 class InvalidCertSignature(SSL.Checker.SSLVerificationError): … … 46 46 where the hostname is not fully qualified. 47 47 48 *param acceptedDNs: a list of acceptable DNs. This enables validation where the expected DN is49 where against a limited list of certs.48 *param acceptedDNs: a list of acceptable DNs. This enables validation 49 where the expected DN is where against a limited list of certs. 50 50 51 51 @type peerCertCN: string … … 81 81 """ 82 82 if peerCert is None: 83 raise SSL.Checker.NoCertificate( \84 'SSL Peer did not returncertificate')83 raise SSL.Checker.NoCertificate('SSL Peer did not return ' 84 'certificate') 85 85 86 86 peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ', '/') … … 93 93 raise e 94 94 95 # At least one match should be found in the list 96 if self.acceptedDNs and \ 97 not len([dn for dn in self.acceptedDNs if peerCertDN==dn]): 98 raise InvalidCertDN, \ 99 'Peer cert DN "%s" doesn\'t match verification list' % peerCertDN 95 # At least one match should be found in the list - first convert to 96 # NDG X500DN type to allow per field matching for DN comparison 97 peerCertX500DN = X500DN(dn=peerCertDN) 98 99 if self.acceptedDNs: 100 matchFound = False 101 for dn in self.acceptedDNs: 102 x500dn = X500DN(dn=dn) 103 if x500dn == peerCertX500DN: 104 matchFound = True 105 break 106 107 if not matchFound: 108 raise InvalidCertDN('Peer cert DN "%s" doesn\'t match ' 109 'verification list' % peerCertDN) 100 110 101 111 if len(self.__caCertStack) > 0: … … 104 114 x509Cert2Verify=X509Cert(m2CryptoX509=peerCert)) 105 115 except Exception, e: 106 raise InvalidCertSignature( 107 "Peer certificate verificationagainst CA cert failed: %s" % e)116 raise InvalidCertSignature("Peer certificate verification " 117 "against 
CA cert failed: %s" % e) 108 118 109 119 # They match - drop the exception and return all OK instead … … 207 217 208 218 self.sock = SSL.Connection(self.ssl_ctx) 209 self.sock.set_post_connection_check_callback( 210 self._postConnectionCheck) 219 self.sock.set_post_connection_check_callback(self._postConnectionCheck) 211 220 212 221 self.sock.set_socket_read_timeout(self.readTimeout) -
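Review bot: The new per-field matching constructs `X500DN(dn=peerCertDN)` and `X500DN(dn=dn)` inside the post-connection check without handling the `X500DNError` that `deserialise` raises on an unrecognised field, so a malformed peer subject or a mistyped entry in `acceptedDNs` now escapes as an unrelated exception instead of the `InvalidCertDN`/`SSLVerificationError` family this checker otherwise raises (how M2Crypto treats a non-SSLVerificationError from the callback is not visible here — confirm). Note also that `peerCertDN` on the unchanged line above is built by splitting `as_text()` on `', '` and `'/'`, so a subject value containing either character is mis-parsed before it reaches `X500DN`, and the match result then depends on `X500DN.__eq__` comparing `items()` lists, which in Python 2 is sensitive to key order and to whether an accepted DN was written with long names (`commonName=`) — worth a comment or a test case. Catching the parse error requires adding `X500DNError` to the `from ndg.security.common.X509 import ...` line of the first hunk. The enclosing check method starts before and ends after this hunk.
```python
        # … unchanged: peerCertDN construction and hostname check …
        # Per-field comparison via X500DN; a DN string that fails to parse
        # must surface as a verification failure, not as a stray exception
        try:
            peerCertX500DN = X500DN(dn=peerCertDN)
        except X500DNError, e:
            raise InvalidCertDN('Peer cert DN "%s" could not be parsed: %s' %
                                (peerCertDN, e))

        if self.acceptedDNs:
            matchFound = False
            for dn in self.acceptedDNs:
                try:
                    x500dn = X500DN(dn=dn)
                except X500DNError, e:
                    raise InvalidCertDN('Invalid entry "%s" in accepted DN '
                                        'list: %s' % (dn, e))
                if x500dn == peerCertX500DN:
                    matchFound = True
                    break

            if not matchFound:
                raise InvalidCertDN('Peer cert DN "%s" doesn\'t match '
                                    'verification list' % peerCertDN)
        # … unchanged: CA cert stack verification …
```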
TI12-security/trunk/python/ndg.security.test/setup.py
r4143 r4336 51 51 'Makefile', 52 52 'README'], 53 'ndg.security.test.sessionCookie': ['test.crt',54 'test.key',55 'README'],56 53 'ndg.security.test.sessionMgr': ['*.xml', 57 54 '*.cfg',