Changeset 4336 for TI12-security/trunk

Timestamp:

14/10/08 16:21:31 (11 years ago)

Author:

pjkersha

Message:

Fixes for BADC Data Browser integration tests:

• ndg.security.common.X509.X500DN: fix for DNs where field content contains commas - X509_Name.as_text is not safe for this use X509_Name.str
• ndg.security.common.m2CryptoSSLUtility: use ndg.security.common.X509.X500DN for accurate comparison of DNs in HostCheck? class peer cert checking.

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/X509.py (modified) (14 diffs)
• ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py (modified) (6 diffs)
• ndg.security.test/setup.py (modified) (1 diff)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

@@ -539 +539 @@
 
 
-#_____________________________________________________________________________
 def X509StackParseFromDER(derString):
     """Make a new stack from a DER string
@@ -550 +549 @@
 
 
-#_____________________________________________________________________________
 class X500DNError(Exception):
     """Exception handling for NDG X.500 DN class."""
 
 
-#_____________________________________________________________________________
 # For use with parseSeparator method:
 import re
@@ -566 +563 @@
     # name equivalents
     # * private *
-    __shortNameLUT = {  'commonName':               'CN',
-                        'organisationalUnitName':   'OU',
-                        'organisation':             'O',
-                        'countryName':              'C',
-                        'emailAddress':             'EMAILADDRESS',
-                        'localityName':             'L',
-                        'stateOrProvinceName':      'ST',
-                        'streetAddress':            'STREET',
-                        'domainComponent':          'DC',
-                        'userid':                   'UID'}
-
-    
-    def __init__(self,
-                 dn=None,
-                 m2CryptoX509Name=None,
-                 separator=None):
+    __shortNameLUT = {
+        'commonName':               'CN',
+        'organisationalUnitName':   'OU',
+        'organisation':             'O',
+        'countryName':              'C',
+        'emailAddress':             'EMAILADDRESS',
+        'localityName':             'L',
+        'stateOrProvinceName':      'ST',
+        'streetAddress':            'STREET',
+        'domainComponent':              'DC',
+        'userid':                       'UID'
+    }
+
+    
+    def __init__(self, dn=None, m2CryptoX509Name=None, separator=None):
 
         """Create a new X500 Distinguished Name
 
-        m2CryptoX509Name:   initialise using using an M2Crypto.X509.X509_Name
-        dn:                 initialise using a distinguished name string
-        separator:          separator used to delimit dn fields - usually
-                            '/' or ','.  If dn is input and separator is
-                            omitted the separator character will be
-                            automatically parsed from the dn string.
-                            """
+        @type m2CryptoX509Name: M2Crypto.X509.X509_Name
+        @param m2CryptoX509Name:   initialise using using an 
+        M2Crypto.X509.X509_Name
+        @type dn: basestring
+        @param dn: initialise using a distinguished name string
+        @type separator: basestring
+        @param: separator: separator used to delimit dn fields - usually '/' 
+        or ','.  If dn is input and separator is omitted the separator 
+        character will be automatically parsed from the dn string.
+        """
+        
         # Private key data
-        self.__dat = {  'CN':           '',
-                        'OU':           '',
-                        'O':            '',
-                        'C':            '',
-                        'EMAILADDRESS': '',
-                        'L':            '',
-                        'ST':           '',
-                        'STREET':       '',
-                        'DC':           '',
-                        'UID':          ''}
+        self.__dat = {}.fromkeys(X500DN.__shortNameLUT.values(), '')
     
         dict.__init__(self)
@@ -618 +609 @@
 
             self.__separator = separator
-
             
         if m2CryptoX509Name is not None:
             # the argument is an x509 dn in m2crypto format
-            #
-            # Hack required here because M2Crypto doesn't
-            # correctly separate emailAddress fields e.g.
-            #
-            # C=SG, ST=Singapore, O=BMTAP Pte Ltd, 
-            # OU=Environmental Development, 
-            # CN=www.bmtap.com.sg/emailAddress=sjamsul.lakau@bmtasia.com.sg
-            #                    ^
-            # - The slash is left in place
-            #
-            # TODO: re-check this for future M2Crypto releases
-            dnTxt = ', '.join(m2CryptoX509Name.as_text().split('/'))            
-            # End hack
-            
-            self.deserialise(dnTxt)
+            self.deserialise(str(m2CryptoX509Name))
             
         elif dn is not None:
@@ -647 +623 @@
             self.deserialise(dn)
 
-
     def __repr__(self):
         """Override default behaviour to return internal dictionary content"""
         return self.serialise()
-
 
     def __str__(self):
@@ -657 +631 @@
         serialised format."""
         return self.serialise()
-
         
     def __eq__(self, x500dn):
@@ -666 +639 @@
 
         return self.__dat.items() == x500dn.items()
-
-        
+   
     def __ne__(self, x500dn):
         """Return true if the all the fields of the two DNs are equal"""
@@ -675 +647 @@
 
         return self.__dat.items() != x500dn.items()
-
-    
+  
     def __delitem__(self, key):
         """Prevent keys from being deleted."""
         raise X500DNError('Keys cannot be deleted from the X500DN')
-
 
     def __getitem__(self, key):
@@ -699 +669 @@
         else:
             # key not recognised as a short or long name version
-            raise X500DNError('Key "' + key + '" not recognised for X500DN')
-
+            raise KeyError('Key "' + key + '" not recognised for X500DN')
 
     def __setitem__(self, key, item):
@@ -719 +688 @@
         else:
             # key not recognised as a short or long name version
-            raise X500DNError('Key "' + key + '" not recognised for X500DN')
-
+            raise KeyError('Key "' + key + '" not recognised for X500DN')
 
     def clear(self):
-        raise X500DNError("Data cannot be cleared from " + self.__class__.__name__)
-
-    
+        raise X500DNError("Data cannot be cleared from X500DN")
+
     def copy(self):
 
@@ -731 +698 @@
         return copy.copy(self)
 
-    
     def keys(self):
         return self.__dat.keys()
 
-
     def items(self):
         return self.__dat.items()
 
-
     def values(self):
         return self.__dat.values()
-
 
     def has_key(self, key):
@@ -751 +714 @@
         return key in self.__tags
 
-
-    def get(self, kw):
-        return self.__dat.get(kw)
-
-    
+    def get(self, *arg):
+        return self.__dat.get(*arg)
+  
     def serialise(self, separator=None):
         """Combine fields in Distinguished Name into a single string."""
@@ -781 +742 @@
                 if isinstance(val, tuple):
                     dnList += [separator.join(["%s=%s" % (key, valSub) \
-                                            for valSub in val])]
+                                               for valSub in val])]
                 else:
                     dnList += ["%s=%s" % (key, val)]
@@ -837 +798 @@
             for key, val in parsedDN.items():
                 if key not in self.__dat and key not in self.__shortNameLUT:
-                    raise X500DNError, \
-                        "Invalid field \"%s\" in input DN string" % key
+                    raise X500DNError('Invalid field "%s" in input DN string' %
+                                      key)
 
                 self.__dat[key] = val

TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py

@@ -18 +18 @@
 from M2Crypto.httpslib import HTTPSConnection as _HTTPSConnection
 
-from ndg.security.common.X509 import X509Cert, X509Stack
+from ndg.security.common.X509 import X509Cert, X509Stack, X500DN
 
 class InvalidCertSignature(SSL.Checker.SSLVerificationError):
@@ -46 +46 @@
         where the hostname is not fully qualified.  
 
-        *param acceptedDNs: a list of acceptable DNs.  This enables validation where the expected DN is
-        where against a limited list of certs.
+        *param acceptedDNs: a list of acceptable DNs.  This enables validation 
+        where the expected DN is where against a limited list of certs.
         
         @type peerCertCN: string
@@ -81 +81 @@
         """
         if peerCert is None:
-            raise SSL.Checker.NoCertificate(\
-                                        'SSL Peer did not return certificate')
+            raise SSL.Checker.NoCertificate('SSL Peer did not return '
+                                            'certificate')
 
         peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ', '/')
@@ -93 +93 @@
                 raise e
 
-        # At least one match should be found in the list
-        if self.acceptedDNs and \
-           not len([dn for dn in self.acceptedDNs if peerCertDN==dn]):
-            raise InvalidCertDN, \
-            'Peer cert DN "%s" doesn\'t match verification list' % peerCertDN
+        # At least one match should be found in the list - first convert to
+        # NDG X500DN type to allow per field matching for DN comparison
+        peerCertX500DN = X500DN(dn=peerCertDN)
+        
+        if self.acceptedDNs:
+           matchFound = False
+           for dn in self.acceptedDNs:
+               x500dn = X500DN(dn=dn)
+               if x500dn == peerCertX500DN:
+                   matchFound = True
+                   break
+               
+           if not matchFound:
+               raise InvalidCertDN('Peer cert DN "%s" doesn\'t match '
+                                   'verification list' % peerCertDN)
 
         if len(self.__caCertStack) > 0:
@@ -104 +114 @@
                            x509Cert2Verify=X509Cert(m2CryptoX509=peerCert))
             except Exception, e:
-                raise InvalidCertSignature(
-                "Peer certificate verification against CA cert failed: %s" % e)
+                raise InvalidCertSignature("Peer certificate verification "
+                                           "against CA cert failed: %s" % e)
               
         # They match - drop the exception and return all OK instead          
@@ -207 +217 @@
 
         self.sock = SSL.Connection(self.ssl_ctx)
-        self.sock.set_post_connection_check_callback(
-                                                 self._postConnectionCheck)
+        self.sock.set_post_connection_check_callback(self._postConnectionCheck)
 
         self.sock.set_socket_read_timeout(self.readTimeout)

TI12-security/trunk/python/ndg.security.test/setup.py

@@ -51 +51 @@
                                   'Makefile',
                                   'README'],
-    'ndg.security.test.sessionCookie': ['test.crt',
-                                        'test.key',
-                                        'README'],
     'ndg.security.test.sessionMgr': ['*.xml', 
                                      '*.cfg',