Timestamp:
11/01/10 10:19:43 (10 years ago)
Author:
pjkersha
Message:

ndg.security.server.wsgi.openid.relyingparty.validation.SSLClientAuthNValidator integrated and working with Relying Party. RP will now only accept Providers running over SSL with DN common names matching a whitelist.

File:
1 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py

    r6276 r6277  
    336336                           
    337337    def validate(self, x509StoreCtx): 
    338         '''callback function used to control the behaviour when the  
    339         SSL_VERIFY_PEER flag is set 
    340          
    341         @type x509StoreCtx: M2Crypto.X509_Store_Context 
     338        '''Validate the peer certificate DN common name against a whitelist 
     339        of acceptable IdP names 
     340         
     341        @type x509StoreCtx: M2Crypto.X509.X509_Store_Context 
    342342        @param x509StoreCtx: locate the certificate to be verified and perform  
    343343        additional verification steps as needed 
    344         @rtype: int 
    345         @return: controls the strategy of the further verification process.  
    346         - If verify_callback returns 0, the verification process is immediately  
    347         stopped with "verification failed" state. If SSL_VERIFY_PEER is set,  
    348         a verification failure alert is sent to the peer and the TLS/SSL  
    349         handshake is terminated.  
    350         - If verify_callback returns 1, the verification process is continued.  
    351         If verify_callback always returns 1, the TLS/SSL handshake will not be  
    352         terminated with respect to verification failures and the connection  
    353         will be established. The calling process can however retrieve the error 
    354         code of the last verification error using SSL_get_verify_result(3) or  
    355         by maintaining its own error storage managed by verify_callback. 
    356         ''' 
    357         x509Cert = X509Cert.fromM2Crypto(x509StoreCtx.get_current_cert()) 
    358         commonName = x509Cert.dn['CN'] 
    359          
    360          
     344         
     345        @raise IdPInvalidException: if none of the certificates in the chain 
     346        have DN common names matching the list of valid IdPs''' 
    361347        x509CertChain = x509StoreCtx.get1_chain() 
     348        dnList = [] 
    362349        for cert in x509CertChain: 
    363             subject = cert.get_subject() 
    364             dn = subject.as_text() 
    365             log.debug("verifyCallback: dn = %r", dn) 
    366  
    367         # If all is OK preVerifyOK will be 1.  Return this to the caller to 
    368         # that it's OK to proceed 
    369         if commonName not in self.validIdPNames: 
    370             raise IdPInvalidException("Peer certificate CN=%s is not in list " 
    371                                       "of valid OpenID Providers" % commonName) 
     350            x509Cert = X509Cert.fromM2Crypto(cert) 
     351            dn = x509Cert.dn 
     352            commonName = dn['CN'] 
     353            log.debug("iterating over cert. chain dn = %s", dn) 
     354     
     355            if commonName in self.validIdPNames: 
     356                # Match found - return 
     357                log.debug("Found peer certificate with CN matching list of " 
     358                          "valid OpenID Provider peer certificates %r" % 
     359                          self.validIdPNames) 
     360                return 
     361             
     362            dnList.append(dn) 
     363             
     364        log.debug("Certificate chain yield certificates with DNs = %s" 
     365                  % dnList) 
     366         
     367        # No matching peer certificate was found 
     368        raise IdPInvalidException("Peer certificate is not in list of valid " 
     369                                  "OpenID Providers") 
    372370 
    373371 
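Review bot: the loop in the new `validate` body accepts the connection as soon as any certificate in `x509StoreCtx.get1_chain()` has a CN in `self.validIdPNames`, so a whitelist entry that happens to equal the CN of an issuing CA (or an intermediate) will admit every certificate that CA has signed, not just the intended Provider. Matching by CN alone against the whole chain is weaker than the old code, which compared only `x509StoreCtx.get_current_cert()`; consider restricting the comparison to the end-entity (peer) certificate, or comparing the full DN rather than the CN. Two smaller points: the old docstring documented `@rtype: int` (the 0/1 contract of an SSL verify callback), while the new method returns `None` on success and raises `IdPInvalidException` otherwise, so if this is still wired as a verify callback the caller must treat "no exception" as success rather than the return value; and `dnList` is built only for the final debug message (whose text should read "yields"), so it could be dropped or logged per certificate as the loop already does.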