Context Navigation

← Previous Change
Next Change →

python

Timestamp:

17/12/08 14:46:43 (11 years ago)

Author:

pjkersha

Message:

Re-run unit tests following fixes:

BaseSignatureHandler?.SignatureHandler? - important fix to setCert method
ndg.security.server.wsgi.openid.provider.OpenIDProviderMiddleware fix to _filterOpts
update to remaining certs due to expire in the unit tests dirs.

Location:

TI12-security/trunk/python

Files:

: 2 added
: 9 edited

ndg.security.common/ndg/security/common/X509.py (modified) (8 diffs)
ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py (modified) (3 diffs)
ndg.security.common/ndg/security/common/wssecurity/dom.py (modified) (2 diffs)
ndg.security.common/ndg/security/common/wssecurity/etree.py (modified) (2 diffs)
ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (2 diffs)
ndg.security.test/ndg/security/test/attributeauthorityclient/attAuthorityClientTest.cfg (modified) (1 diff)
ndg.security.test/ndg/security/test/attributeauthorityclient/test_attributeauthorityclient.py (modified) (1 diff)
ndg.security.test/ndg/security/test/combinedservices/server.crt (added)
ndg.security.test/ndg/security/test/combinedservices/server.key (added)
ndg.security.test/ndg/security/test/combinedservices/services.ini (modified) (4 diffs)
ndg.security.test/ndg/security/test/credentialwallet/clnt.crt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

-                      r4671
+                      r4672
 class X509CertReadError(X509CertError):
     """Error reading in certificate from file"""
+class X509CertParseError(X509CertError):
+    """Error parsing a certificate"""
 class X509CertInvalidNotBeforeTime(X509CertError):
     """Call from X509Cert.isValidTime if certificates not before time is
 …
     "NDG X509 Certificate Handling"
+    formatPEM = M2Crypto.X509.FORMAT_PEM
+    formatDER = M2Crypto.X509.FORMAT_DER
     def __init__(self, filePath=None, m2CryptoX509=None):
 …
+    def read(self, filePath=None, **isValidTimeKw):
+        """Read a certificate from PEM encoded file
+    def read(self,
+             filePath=None,
+             format=None,
+             warningStackLevel=3,
+             **isValidTimeKw):
+        """Read a certificate from PEM encoded DER format file
         @type filePath: basestring
         @param filePath: file path of PEM format file to be read
+        @type format: int
+        @param format: format of input file - PEM is the default.  Set to
+        X509Cert.formatDER for DER format
         @type isValidTimeKw: dict
         @param isValidTimeKw: keywords to isValidTime() call"""
+        if format is None:
+            format = X509Cert.formatPEM
         # Check for optional input certificate file path
 …
         try:
+            self.__m2CryptoX509 = M2Crypto.X509.load_cert(self.__filePath)
+            self.__m2CryptoX509 = M2Crypto.X509.load_cert(self.__filePath,
+                                                          format=format)
         except Exception, e:
             raise X509CertReadError("Error loading certificate \"%s\": %s" %
 …
         self.__setM2CryptoX509()
+        if 'warningStackLevel'not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 3
+        self.isValidTime(**isValidTimeKw)
+    def parse(self, certTxt, **isValidTimeKw):
+        self.isValidTime(warningStackLevel=warningStackLevel, **isValidTimeKw)
+    def parse(self,
+              certTxt,
+              format=None,
+              warningStackLevel=3,
+              **isValidTimeKw):
         """Read a certificate input as a string
 …
         @param certTxt: PEM encoded certificate to parse
+        @type format: int
+        @param format: format of input file - PEM is the default.  Set to
+        X509Cert.formatDER for DER format
         @type isValidTimeKw: dict
         @param isValidTimeKw: keywords to isValidTime() call"""
+        if format is None:
+            format = X509Cert.formatPEM
         try:
             # Create M2Crypto memory buffer and pass to load certificate
 …
             # Nb. input converted to standard string - buffer method won't
             # accept unicode type strings
+            certBIO = M2Crypto.BIO.MemoryBuffer(str(certTxt))
+            self.__m2CryptoX509 = M2Crypto.X509.load_cert_bio(certBIO)
+#            certBIO = M2Crypto.BIO.MemoryBuffer(str(certTxt))
+#            self.__m2CryptoX509 = M2Crypto.X509.load_cert_bio(certBIO)
+            self.__m2CryptoX509 = M2Crypto.X509.load_cert_string(str(certTxt),
+                                                                 format=format)
         except Exception, e:
             raise X509CertError("Error loading certificate: %s" % e)
+            raise X509CertParseError("Error loading certificate: %s" % e)
         # Update DN and validity times from M2Crypto X509 object just
 …
         self.__setM2CryptoX509()
+        if 'warningStackLevel'not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 3
+        self.isValidTime(**isValidTimeKw)
+        self.isValidTime(warningStackLevel=warningStackLevel, **isValidTimeKw)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py

-                      r4656
+                      r4672
         @type: ndg.security.common.X509.X509Cert / M2Crypto.X509.X509 /
         string or None
+        PEM encoded string or None
         @param cert: X.509 certificate.
 …
         elif isinstance(cert, basestring):
+            # Nb. Assume PEM encoded string!
             x509Cert = X509CertParse(cert)
 …
         if x509Cert:
             x509Cert.isValidTime(raiseExcep=True)
+        return x509Cert

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/dom.py

-                      r4479
+                      r4672
                     # Remove base 64 encoding
                     derString = base64.decodestring(x509CertTxt)
+                    # Load from DER format into M2Crypto.X509
+                    m2X509Cert = X509.load_cert_string(derString,
+                                                       format=X509.FORMAT_DER)
+                    self.verifyingCert = m2X509Cert
+                    self.verifyingCert = X509Cert.Parse(derString,
+                                                    format=X509Cert.formatDER)
                     x509Stack = X509Stack()
 …
                 else:
                     raise WSSecurityError("BinarySecurityToken ValueType "
                                           'attribute is not recognised: "%s"'%\
+                                          'attribute is not recognised: "%s"' %
                                           valueType)
             except Exception, e:
                 raise VerifyError("Error extracting BinarySecurityToken "
                                   "from WSSE header: " % e)
+                                  "from WSSE header: %s" % e)
         if self.verifyingCert is None:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/etree.py

-                      r4404
+                      r4672
                 # Remove base 64 encoding
                 derString = base64.decodestring(x509CertTxt)
+                # Load from DER format into M2Crypto.X509
+                m2X509Cert = X509.load_cert_string(derString,
+                                                   format=X509.FORMAT_DER)
+                self.__setVerifyingCert(m2X509Cert)
+                self.verifyingCert = X509Cert.Parse(derString,
+                                                    format=X509Cert.formatDER)
                 x509Stack = X509Stack()
+            elif valueType == \
+                self.binSecTokValType['X509PKIPathv1']:
+            elif valueType == self.binSecTokValType['X509PKIPathv1']:
                 derString = base64.decodestring(x509CertTxt)
 …
                 self.verifyingCert = x509Stack[-1]
             else:
+                raise WSSecurityError('BinarySecurityToken ValueType ' \
+                    'attribute is not recognised: "%s"' % valueType)
+                raise WSSecurityError('BinarySecurityToken ValueType '
+                                      'attribute is not recognised: "%s"' %
+                                      valueType)
         if self.verifyingCert is None:
             raise VerifyError("No certificate set for verification of the " \
+            raise VerifyError("No certificate set for verification of the "
                               "signature")

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/init.py

-                      r4603
+                      r4672
         defOpt class variable
         '''
+        badOpt = []
+        for k,v in newOpt.items():
+            if prefix and k.startswith(prefix):
+                subK = k.replace(prefix, '')
+                filtK = '_'.join(subK.split('.'))
+        def _isBadOptName(optName):
+            # Allow for authN.* and rendering.* properties used by the
+            # Authentication and Rendering interfaces respectively
+            return optName not in cls.defOpt and \
+               not optName.startswith('authN_') and \
+               not optName.startswith('rendering_')
+        badOptNames = []
+        for optName, optVal in newOpt.items():
+            if prefix:
+                if optName.startswith(prefix):
+                    optName = optName.replace(prefix, '')
+                    filtOptName = '_'.join(optName.split('.'))
+                    # Skip assignment for bad option names and record them in
+                    # an error list instead
+                    if _isBadOptName(filtOptName):
+                        badOptNames += [optName]
+                    else:
+                        opt[filtOptName] = optVal
+                else:
+                    # Options not starting with prefix are ignored
+                    log.debug("Skipping option \"%s\": it doesn't start with "
+                              "the prefix \"%s\"", optName, prefix)
             else:
+                filtK = k
+            # Allow for authN.* properties used by the Authentication
+            # Interface
+            if filtK not in cls.defOpt and \
+               not filtK.startswith('authN_') and \
+               not filtK.startswith('rendering_'):
+                badOpt += [k]
+            else:
+                opt[filtK] = v
+                filtOptName = '_'.join(optName.split('.'))
+                # Record any bad option names
+                if _isBadOptName(filtOptName):
+                    badOptNames += [optName]
+                else:
+                    opt[filtOptName] = optVal
         if len(badOpt) > 0:
+        if len(badOptNames) > 0:
             raise TypeError("Invalid input option(s) set: %s" %
+                            (", ".join(badOpt)))
+                            (", ".join(badOptNames)))
     def __call__(self, environ, start_response):
         """Standard WSGI interface.  Intercepts the path if it matches any of
 …
 <xrds:XRDS
     xmlns:xrds="xri://$xrds"
     xmlns="xri://$xrd*($v*2.0)">
+    xmlns="xri://$xrd*($OptNameSfx*2.0)">
   <XRD>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attributeauthorityclient/attAuthorityClientTest.cfg

-                      r4671
+                      r4672
 # ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
 # setting for test6GetMappedAttCert
 #uri = http://localhost:5000/AttributeAuthority
+uri = http://localhost:5000/AttributeAuthority
 # With TCP Mon:
 uri = http://localhost:4999/AttributeAuthority
+#uri = http://localhost:4999/AttributeAuthority
 # For https connections only.  !Omit ssl* settings if using http!

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attributeauthorityclient/test_attributeauthorityclient.py

-                      r4667
+                      r4672
             sslCACertList = []
+        thisSection = self.cfg['setUp']
         # Instantiate WS proxy
         self.siteAClnt = AttributeAuthorityClient(uri=self.cfg['setUp']['uri'],
                         sslPeerCertCN=self.cfg['setUp'].get('sslPeerCertCN'),
                         sslCACertList=sslCACertList,
                         cfgFileSection='wsse',
                         cfg=self.cfgParser)
+        self.siteAClnt = AttributeAuthorityClient(uri=thisSection['uri'],
+                                sslPeerCertCN=thisSection.get('sslPeerCertCN'),
+                                sslCACertList=sslCACertList,
+                                cfgFileSection='wsse',
+                                cfg=self.cfgParser)
     def test01GetHostInfo(self):

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini

-                      r4587
+                      r4672
 [DEFAULT]
-# Settings for WS-Security signature handler
-#wsseCfgFilePath = %(here)s/services.ini
-#wsseCfgFileSection = WS-Security
 #______________________________________________________________________________
 # Attribute Authority settings
 …
 # The SessionManagerWS SOAP interface class needs to know about these other
 # filters
+referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01 ndg.security.server.wsgi.attributeAuthorityFilter
+referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+                                        ndg.security.server.wsgi.attributeAuthorityFilter
 # Path from URL for Session Manager in this Paste deployment
 …
 # Settings for WS-Security SignatureHandler class used by this filter
-#wsseCfgFilePath = %(here)s/services.ini
-#wsseCfgFileSection = WS-Security
 wsseCfgFilePrefix = wssecurity
 …
 # Certificate associated with private key used to sign a message.  The sign
 # method will add this to the BinarySecurityToken element of the WSSE header.
+wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
+#wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt
+wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.crt
 # PEM encoded private key file
+wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
+#wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key
+wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.key
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a

TI12-security/trunk/python/ndg.security.test/ndg/security/test/credentialwallet/clnt.crt

-                      r4285
+                      r4672
     Data:
         Version: 3 (0x2)
         Serial Number: 243 (0xf3)
+        Serial Number: 259 (0x103)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=NDG, OU=BADC, CN=Test CA
         Validity
             Not Before: Dec 18 11:42:41 2007 GMT
             Not After : Dec 17 11:42:41 2008 GMT
+            Not Before: Dec 16 15:19:45 2008 GMT
+            Not After : Dec 15 15:19:45 2013 GMT
         Subject: O=NDG Security Test, OU=WS-Security Unittest, CN=client
         Subject Public Key Info:
 …
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             Netscape Cert Type:
+            Netscape Cert Type:
                 SSL Client, SSL Server, S/MIME, Object Signing
     Signature Algorithm: md5WithRSAEncryption
         c1:2b:11:0e:c3:fe:3e:f2:87:ee:48:e5:f1:29:9c:1f:a3:d8:
         eb:f9:3a:d4:af:75:c7:b4:39:e0:b2:83:5e:ee:71:7c:fc:28:
 :fb:e4:62:7e:96:7b:f1:c3:b7:a4:94:b5:f7:41:a4:32:6a:
 :4b:8c:60:36:0c:c1:79:62:51:aa:79:fa:1e:8c:a0:82:58:
 :c6:cf:da:9b:79:eb:3a:f3:bf:e2:4a:8e:c2:f3:55:3f:b9:
         c6:0e:55:ea:a9:79:9e:3c:d2:d1:07:6c:81:90:2f:a9:54:ba:
 a:7e:3c:f0:7c:86:c5:e0:b3:71:a5:48:a8:77:e3:83:b6:48:
 d:78
+:11:bf:8c:fe:88:3a:7d:12:1e:c1:ea:90:f6:11:33:f2:7d:
+d:2b:f3:22:3d:72:fb:1b:35:ed:cc:55:79:0e:98:13:41:cf:
+:5e:c7:88:75:08:b4:b2:2b:ad:11:0e:0b:2e:49:21:41:18:
+b:e9:2f:77:6d:27:4b:17:85:c8:fa:7b:91:45:97:a4:2d:f3:
+:4e:1e:be:c5:e5:bc:ca:fd:dc:b2:e9:e1:b1:8a:f0:c1:4f:
+        f9:c9:14:f8:c3:c2:98:66:fa:04:82:f1:8d:68:59:17:1f:f2:
+        bf:34:f7:c6:3c:85:9b:80:c6:bc:2f:66:2e:0e:f4:24:7c:d8:
+e:5f
 -----BEGIN CERTIFICATE-----
 MIICizCCAfSgAwIBAgICAPMwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
 MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA3MTIxODExNDI0
 MVoXDTA4MTIxNzExNDI0MVowTDEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
+MIICizCCAfSgAwIBAgICAQMwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNjE1MTk0
+NVoXDTEzMTIxNTE1MTk0NVowTDEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
 HTAbBgNVBAsTFFdTLVNlY3VyaXR5IFVuaXR0ZXN0MQ8wDQYDVQQDEwZjbGllbnQw
 ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY7CFf5GAGGJEY38Vukj0U
 …
 mtvitXt9HJwdCZbPmPyxs6STvFHMZru1mY5dj1YWT8PBT5Svmpo/EEiL+TZctcXE
 SRRSVxu99yRBJ0f9Nd8IPxtuyyIVX4+xfgOLrNoVQuIV5vKTCZh5RrWjpbk/0eqN
 AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIE8DANBgkqhkiG9w0BAQQFAAOBgQDB
+KxEOw/4+8ofuSOXxKZwfo9jr+TrUr3XHtDngsoNe7nF8/Chz++RifpZ78cO3pJS1
+GkMmoWS4xgNgzBeWJRqnn6Hoygglgoxs/am3nrOvO/4kqOwvNVP7nGDlXqqXme
 PNLRB2yBkC+pVLpKfjzwfIbF4LNxpUiod+ODtkhteA==
+AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIE8DANBgkqhkiG9w0BAQQFAAOBgQBj
+Eb+M/og6fRIeweqQ9hEz8n0dK/MiPXL7GzXtzFV5DpgTQc9EXseIdQi0siutEQ4L
+LkkhQRhr6S93bSdLF4XI+nuRRZekLfMkTh6+xeW8yv3csunhsYrwwU/5yRT4w8KY
+ZvoEgvGNaFkXH/K/NPfGPIWbgMa8L2YuDvQkfNieXw==
 -----END CERTIFICATE-----

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 4672 for TI12-security/trunk/python

Legend:

Download in other formats: