Changeset 5372

Timestamp:

09/06/09 16:41:23 (12 years ago)

Author:

pjkersha

Message:

Added code for validation of OpenID Provider by Relying Party using M2Crypto.m2urllib2 for SSL peer authN

Location:

TI12-security/trunk/python

Files:

• Tests/m2Crypto/test_m2urllib2.py (modified) (3 diffs)
• buildout/ndgsecurity_pydap/eggs/setuptools-0.6c9-py2.5.egg (deleted)
• buildout/ndgsecurity_pydap/eggs/zc.buildout-1.2.1-py2.5.egg (deleted)
• ndg.security.common/ndg/security/common/utils/classfactory.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py (modified) (4 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/validation.py (added)
• ndg.security.test/ndg/security/test/config/ca/bc1332e6.0 (added)
• ndg.security.test/ndg/security/test/config/ca/bcaeadc0.0 (added)
• ndg.security.test/ndg/security/test/config/pki/localhost.crt (added)
• ndg.security.test/ndg/security/test/config/pki/localhost.key (added)
• ndg.security.test/ndg/security/test/integration/authz/securityservices.ini (modified) (1 diff)
• ndg.security.test/ndg/security/test/integration/authz/validator.xml (added)
• ndg.security.test/ndg/security/test/unit/sslclientauthnmiddleware/localhost.crt (modified) (3 diffs)

TI12-security/trunk/python/Tests/m2Crypto/test_m2urllib2.py

@@ -3 +3 @@
 from M2Crypto.m2urllib2 import HTTPSHandler
 from M2Crypto import SSL
+from M2Crypto.X509 import X509_Store_Context
 
 class M2Urllib2Fetcher(Urllib2Fetcher):
@@ -29 +30 @@
         req = urllib2.Request(url, data=body, headers=headers)
         try:
+            def verifyCallback(arg, x509StoreCtx):
+                '''@type x509StoreCtx: M2Crypto.X509_Store_Context
+                '''
+                x509Cert = x509StoreCtx.get_current_cert()
+                x509Cert.get_subject()
+                x509CertChain = x509StoreCtx.get1_chain()
+                for cert in x509CertChain:
+                    subject = cert.get_subject()
+                    dn = subject.as_text()
+                    print dn
+                    
+                return True
+                
             ctx = SSL.Context()
             caFilePath = '/home/pjkersha/Documents/BADC/Certificates/Cybertrust/cybertrustCombo.crt'
 #            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
-            ctx.set_verify(SSL.verify_peer, 9)
+            ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 
+                           9, 
+                           callback=verifyCallback)
             ctx.load_verify_locations(cafile=caFilePath)
 #            ctx.load_cert(certfile, 
@@ -50 +66 @@
 
         return resp
+
+class M2Urllib2Fetcher2(Urllib2Fetcher):
+    """M2Crypto urllib2 based fetcher to enable SSL based authentication of 
+    peer
+    """
+
+    def fetch(self, url, body=None, headers=None):
+        
+        # Use parent class behaviour for non-SSL connections
+        if url.startswith('http://'):
+            return super(M2Urllib2Fetcher, self).fetch(url, 
+                                                       body=body, 
+                                                       headers=headers)
+            
+        if not _allowedURL(url):
+            raise ValueError('Bad URL scheme: %r' % (url,))
+
+        if headers is None:
+            headers = {}
+
+        headers.setdefault(
+            'User-Agent',
+            "%s Python-urllib/%s" % (USER_AGENT, urllib2.__version__,))
+
+        req = urllib2.Request(url, data=body, headers=headers)
+        try:
+            def verifyCallback(arg, x509StoreCtx):
+                '''@type x509StoreCtx: M2Crypto.X509_Store_Context
+                '''
+                x509Cert = x509StoreCtx.get_current_cert()
+                x509Cert.get_subject()
+                x509CertChain = x509StoreCtx.get1_chain()
+                for cert in x509CertChain:
+                    subject = cert.get_subject()
+                    dn = subject.as_text()
+                    print dn
+                    
+                return True
+                
+            ctx = SSL.Context()
+            caFilePath = '/home/pjkersha/Documents/BADC/Certificates/Cybertrust/cybertrustCombo.crt'
+#            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
+            ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 
+                           9, 
+                           callback=verifyCallback)
+            ctx.load_verify_locations(cafile=caFilePath)
+#            ctx.load_cert(certfile, 
+#                          keyfile=None, 
+#                          callback=util.passphrase_callback)
+            httpsHandler = HTTPSHandler(ssl_context=ctx)
+            f = httpsHandler.https_open(req)
+            try:
+                return self._makeResponse(f)
+            finally:
+                f.close()
+        except urllib2.HTTPError, why:
+            try:
+                return self._makeResponse(why)
+            finally:
+                why.close()
+
+        return resp
+
+def installOpener():
+    def verifyCallback(preVerifyOK, x509StoreCtx):
+        '''callback function used to control the behaviour when the 
+        SSL_VERIFY_PEER flag is set
+        
+        http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
+        
+        @type preVerifyOK: int
+        @param preVerifyOK: If a verification error is found, this parameter 
+        will be set to 0
+        @type x509StoreCtx: M2Crypto.X509_Store_Context
+        @param x509StoreCtx: locate the certificate to be verified and perform 
+        additional verification steps as needed
+        @rtype: int
+        @return: controls the strategy of the further verification process. 
+        - If verify_callback returns 0, the verification process is immediately 
+        stopped with "verification failed" state. If SSL_VERIFY_PEER is set, 
+        a verification failure alert is sent to the peer and the TLS/SSL 
+        handshake is terminated. 
+        - If verify_callback returns 1, the verification process is continued. 
+        If verify_callback always returns 1, the TLS/SSL handshake will not be 
+        terminated with respect to verification failures and the connection 
+        will be established. The calling process can however retrieve the error
+        code of the last verification error using SSL_get_verify_result(3) or 
+        by maintaining its own error storage managed by verify_callback.
+        '''
+        if preVerifyOK == 0:
+            # Something is wrong with the certificate don't bother proceeding
+            # any further
+            return preVerifyOK
+        
+        x509Cert = x509StoreCtx.get_current_cert()
+        x509Cert.get_subject()
+        x509CertChain = x509StoreCtx.get1_chain()
+        for cert in x509CertChain:
+            subject = cert.get_subject()
+            dn = subject.as_text()
+            print dn
+            
+        # If all is OK preVerifyOK will be 1.  Return this to the caller to
+        # that it's OK to proceed
+        return preVerifyOK
+        
+    ctx = SSL.Context()
+#    caFilePath = '/home/pjkersha/Documents/BADC/Certificates/Cybertrust/cybertrustCombo.crt'
+    caDirPath = '/home/pjkersha/workspace/ndg.security.python/ndg.security.test/ndg/security/test/config/ca'
+    ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 
+                   9, 
+                   callback=verifyCallback)
+#    ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 1)
+
+    ctx.load_verify_locations(capath=caDirPath)
+#    ctx.load_cert(certfile, 
+#                  keyfile=None, 
+#                  callback=util.passphrase_callback)
+
+    from M2Crypto.m2urllib2 import build_opener
+    urllib2.install_opener(build_opener(ssl_context=ctx))
     
 if __name__ == "__main__":
-    fetcher = M2Urllib2Fetcher()
-    resp = fetcher.fetch('https://ndg3beta.badc.rl.ac.uk/openid')
-    print resp
+    installOpener()
+    fetcher = Urllib2Fetcher()
+#    fetcher = M2Urllib2Fetcher()
+#    resp = fetcher.fetch('https://ndg3beta.badc.rl.ac.uk/openid')
+    resp = fetcher.fetch('https://localhost/openid')
+    print resp.body

TI12-security/trunk/python/ndg.security.common/ndg/security/common/utils/classfactory.py

@@ -34 +34 @@
     else:
         _moduleName = moduleName
-           
+    
+    log.debug("Importing class %s ..." % className) 
+      
     module = __import__(_moduleName)
     components = _moduleName.split('.')
@@ -72 +74 @@
     '''
 
-    log.debug("Instantiating class '%s'" % className)
     
     # ensure that classproperties is a dict - NB, it may be passed in as a null
@@ -113 +114 @@
 
     # Instantiate class
+    log.debug("Instantiating class '%s'" % importedClass.__name__)
     try:
         if classArgs:

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py

@@ -17 +17 @@
 import urllib # decode quoted URI in query arg
 from urlparse import urlsplit, urlunsplit
+
 
 from paste.request import parse_querystring, parse_formvars
@@ -42 +43 @@
     middleware to return to following OpenID sign in.
     '''
+    sslPropertyDefaults = {
+        'certFilePath': '',
+        'priKeyFilePath': None,
+        'priKeyPwd': None,
+        'caCertDirPath': None,
+        'providerWhitelistFilePath': None
+    }
     propertyDefaults = {
+        'sslPeerCertAuthN': True,
         'signinInterfaceMiddlewareClass': None,
         'baseURL': '',
         'sessionKey': 'beaker.session.ndg.security'
     }
+    propertyDefaults.update(sslPropertyDefaults)
     propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
     
     def __init__(self, app, global_conf, prefix='openid.relyingparty.', 
                  **app_conf):
-        """Add AuthKit and Beaker middleware dependencies to WSGI stack
+        """Add AuthKit and Beaker middleware dependencies to WSGI stack and 
+        set-up SSL Peer Certificate Authentication of OpenID Provider set by
+        the user
         
         @type app: callable following WSGI interface signature
@@ -64 +76 @@
         format of propertyDefaults class variable"""    
 
-            
+        # Default to set SSL peer cert authN where no flag is set in the config
+        # To override, it must explicitly be set to False in the config
+        if app_conf.get('sslPeerCertAuthN', 'true').lower() != 'false':
+            
+            # Set parameters for SSL client connection to OpenID Provider Yadis
+            # retrieval URI
+            for paramName in self.__class__.sslPropertyDefaults:
+                paramDefault = self.__class__.sslPropertyDefaults[paramName]
+                setattr(self, 
+                        paramName, 
+                        app_conf.get(prefix+paramName, paramDefault))
+                
+            self._initSSLPeerAuthN()
+        
         # Check for sign in template settings
         if prefix+'signinInterfaceMiddlewareClass' in app_conf:
@@ -228 +253 @@
         return self._app(environ, _start_response)
 
+    def _initSSLPeerAuthN(self):
+        """Initialise M2Crypto based urllib2 HTTPS handler to enable SSL 
+        authentication of OpenID Providers"""
+        log.info("Setting parameters for SSL Authentication of OpenID "
+                 "Provider ...")
+        
+        def verifySSLPeerCertCallback(preVerifyOK, x509StoreCtx):
+            '''SSL verify callback function used to control the behaviour when 
+            the SSL_VERIFY_PEER flag is set
+            
+            http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
+            
+            @type preVerifyOK: int
+            @param preVerifyOK: If a verification error is found, this parameter 
+            will be set to 0
+            @type x509StoreCtx: M2Crypto.X509_Store_Context
+            @param x509StoreCtx: locate the certificate to be verified and perform 
+            additional verification steps as needed
+            @rtype: int
+            @return: controls the strategy of the further verification process. 
+            - If verify_callback returns 0, the verification process is immediately 
+            stopped with "verification failed" state. If SSL_VERIFY_PEER is set, 
+            a verification failure alert is sent to the peer and the TLS/SSL 
+            handshake is terminated. 
+            - If verify_callback returns 1, the verification process is continued. 
+            If verify_callback always returns 1, the TLS/SSL handshake will not be 
+            terminated with respect to verification failures and the connection 
+            will be established. The calling process can however retrieve the error
+            code of the last verification error using SSL_get_verify_result or 
+            by maintaining its own error storage managed by verify_callback.
+            '''
+            if preVerifyOK == 0:
+                # Something is wrong with the certificate don't bother proceeding
+                # any further
+                log.error("verifyCallback: pre-verify OK flagged an error "
+                          "with the peer certificate, returning error state "
+                          "to caller ...")
+                return preVerifyOK
+            
+            x509Cert = x509StoreCtx.get_current_cert()
+            x509Cert.get_subject()
+            x509CertChain = x509StoreCtx.get1_chain()
+            for cert in x509CertChain:
+                subject = cert.get_subject()
+                dn = subject.as_text()
+                log.debug("verifyCallback: dn = %r", dn)
+                
+            # If all is OK preVerifyOK will be 1.  Return this to the caller to
+            # that it's OK to proceed
+            return preVerifyOK
+           
+        # Imports here so that if SSL Auth is not set the app will not need 
+        # these packages 
+        import urllib2
+        from M2Crypto import SSL
+        from M2Crypto.m2urllib2 import build_opener
+        from openid.fetchers import setDefaultFetcher, Urllib2Fetcher
+        
+        # Create a context specifying verification of the peer but with an
+        # additional callback function
+        ctx = SSL.Context()
+        ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 
+                       9, 
+                       callback=verifySSLPeerCertCallback)
+
+        # Point to a directory containing CA certificates.  These must be named
+        # in their hashed form as expected by the OpenSSL API.  Use c_rehash
+        # utility to generate names or in the CA directory:
+        #
+        # $ for i in *.crt *.pem; do ln -s $i $(openssl x509 -hash -noout -in $i).0; done
+        ctx.load_verify_locations(capath=self.caCertDirPath)
+        
+        # Load this client's certificate and private key to enable the peer 
+        # OpenID Provider to authenticate it
+        ctx.load_cert(self.certFilePath, 
+                      keyfile=self.priKeyFilePath, 
+                      callback=lambda *arg, **kw: self.priKeyPwd)
+    
+        setDefaultFetcher(Urllib2Fetcher())
+        
+        log.debug("Adding the M2Crypto SSL handler to urllib2's list of "
+                  "handlers...")
+        urllib2.install_opener(build_opener(ssl_context=ctx))
     
 class SigninInterfaceError(Exception):

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini

@@ -203 +203 @@
 openid.relyingparty.sessionKey = beaker.session
 openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
+openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
+openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
+openid.relyingparty.priKeyPwd = 
+openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
+openid.relyingparty.providerWhitelistFilePath =
 #openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
 #openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/sslclientauthnmiddleware/localhost.crt

@@ -2 +2 @@
     Data:
         Version: 3 (0x2)
-        Serial Number: 252 (0xfc)
+        Serial Number: 263 (0x107)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=NDG, OU=BADC, CN=Test CA
         Validity
-            Not Before: Dec 11 21:33:25 2008 GMT
-            Not After : Dec 11 21:33:25 2009 GMT
+            Not Before: Jun  9 09:28:37 2009 GMT
+            Not After : Jun  9 09:28:37 2010 GMT
         Subject: C=UK, ST=Oxfordshire, O=BADC, OU=Security, CN=localhost
         Subject Public Key Info:
@@ -36 +36 @@
                 SSL Client, SSL Server, S/MIME, Object Signing
     Signature Algorithm: md5WithRSAEncryption
-        34:a0:99:74:f0:9d:2e:81:7d:a5:2c:d9:72:8d:cb:b1:1f:56:
-        ec:97:7d:1c:69:05:db:03:47:9a:ba:32:9d:ec:f9:a3:cf:eb:
-        d3:a9:e3:c4:8d:8d:7c:df:60:54:2e:35:8c:8c:30:a5:df:bb:
-        33:46:59:04:07:a8:00:0b:18:86:3d:8c:8e:e6:c6:0c:54:f1:
-        9e:34:5e:68:07:c5:78:1b:f4:40:ad:1b:70:99:dc:61:3b:e2:
-        4a:b2:81:c3:2c:bf:92:48:b6:ab:4b:4c:fd:f3:9d:25:d4:f9:
-        2f:3a:e7:47:0f:d7:f7:4f:4d:11:f0:8e:8f:cb:73:ee:18:8e:
-        10:7f
+        8b:8c:45:03:bb:90:4a:70:54:28:69:b7:02:3e:50:95:12:10:
+        ef:c7:d4:48:c2:56:be:7a:4d:0a:6e:28:9f:07:4d:71:8c:01:
+        fc:e0:e0:dd:6e:ef:5a:d7:b0:0c:df:14:be:af:e4:20:11:4c:
+        ca:9b:4b:ae:ce:4b:0f:1f:46:b0:57:74:e0:86:ff:94:b2:27:
+        0b:2a:7b:e9:09:d5:2b:72:14:fe:99:5c:66:12:87:31:2f:e0:
+        7b:5c:47:b5:52:09:bb:18:09:d8:0a:c2:95:8e:bf:23:e6:ac:
+        0d:ea:48:19:c8:11:e6:8f:da:10:d2:cd:a2:de:72:e7:b1:75:
+        c0:d8
 -----BEGIN CERTIFICATE-----
-MIICmDCCAgGgAwIBAgICAPwwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
-MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxMTIxMzMy
-NVoXDTA5MTIxMTIxMzMyNVowWTELMAkGA1UEBhMCVUsxFDASBgNVBAgTC094Zm9y
+MIICmDCCAgGgAwIBAgICAQcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA5MDYwOTA5Mjgz
+N1oXDTEwMDYwOTA5MjgzN1owWTELMAkGA1UEBhMCVUsxFDASBgNVBAgTC094Zm9y
 ZHNoaXJlMQ0wCwYDVQQKEwRCQURDMREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UE
 AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOCU
@@ -56 +56 @@
 Rx0ZaEBiWROL6+iJZCDso7fnso+Y8mS0qm7Q8XP86u0ZGWeYEfWVynYLx0M1PFMj
 tWewtSZZ0cU+StFw3QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJKoZI
-hvcNAQEEBQADgYEANKCZdPCdLoF9pSzZco3LsR9W7Jd9HGkF2wNHmroynez5o8/r
-06njxI2NfN9gVC41jIwwpd+7M0ZZBAeoAAsYhj2MjubGDFTxnjReaAfFeBv0QK0b
-cJncYTviSrKBwyy/kki2q0tM/fOdJdT5LzrnRw/X909NEfCOj8tz7hiOEH8=
+hvcNAQEEBQADgYEAi4xFA7uQSnBUKGm3Aj5QlRIQ78fUSMJWvnpNCm4onwdNcYwB
+/ODg3W7vWtewDN8Uvq/kIBFMyptLrs5LDx9GsFd04Ib/lLInCyp76QnVK3IU/plc
+ZhKHMS/ge1xHtVIJuxgJ2ArClY6/I+asDepIGcgR5o/aENLNot5y57F1wNg=
 -----END CERTIFICATE-----