Changeset 6557 for TI12-security


Timestamp:
11/02/10 17:09:02 (10 years ago)
Author:
pjkersha
Message:

Fix for ApacheSSLAuthnMiddleware: use a comma-separated list for accepted DNs. This enables DNs with fields containing spaces to be parsed correctly.

Location:
TI12-security/trunk/NDGSecurity/python
Files:
1 added
4 edited

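--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py
@@ -422,7 +422,5 @@
     def Read(cls, filePath, warningStackLevel=4, **isValidTimeKw):
         """Create a new X509 certificate read in from a file"""
-
-        x509Cert = cls(filePath=filePath)
-
+        x509Cert = cls(filePath=filePath)
         x509Cert.read(warningStackLevel=warningStackLevel, **isValidTimeKw)
 
@@ -432,7 +430,5 @@
     def Parse(cls, x509CertTxt, warningStackLevel=4, **isValidTimeKw):
         """Create a new X509 certificate from string of file content"""
-
-        x509Cert = cls()
-
+        x509Cert = cls()
         x509Cert.parse(x509CertTxt,
                        warningStackLevel=warningStackLevel,
@@ -471,6 +467,8 @@
     """Error from X509Stack type"""
 
+
 class X509StackEmptyError(X509CertError):
     """Expecting non-zero length X509Stack"""
+
 
 class X509CertIssuerNotFound(X509CertError):
@@ -478,10 +476,13 @@
     input"""
 
+
 class SelfSignedCert(X509CertError):
     """Raise from verifyCertChain if cert. is self-signed and
     rejectSelfSignedCert=True"""
 
+
 class X509CertInvalidSignature(X509CertError):
     """X.509 Certificate has an invalid signature"""
+
 
 class X509Stack(object):
@@ -545,5 +546,4 @@
         return X509Cert(m2CryptoX509=self.__m2X509Stack.pop())
 
-
     def asDER(self):
         """Return the stack as a DER encoded string
@@ -551,5 +551,4 @@
         @rtype: string"""
         return self.__m2X509Stack.as_der()
-
 
     def verifyCertChain(self,
@@ -585,6 +584,5 @@
 
             x509Cert2Verify = self[-1]
-
-
+
         # Exit loop if all certs have been validated or if find a self
         # signed cert.
@@ -622,6 +620,6 @@
         if issuerX509Cert:
             # Check for self-signed certificate
-            if nValidated == 1 and rejectSelfSignedCert and \
-               issuerX509Cert.dn == issuerX509Cert.issuer:
+            if (nValidated == 1 and rejectSelfSignedCert and
+                issuerX509Cert.dn == issuerX509Cert.issuer):
 
                 # If only one iteration occurred then it must be a self
@@ -634,6 +632,7 @@
 
         elif not caX509Stack:
-            raise X509CertIssuerNotFound('No issuer cert. found for cert. '
-                                         '"%s"' % x509Cert2Verify.dn)
+            raise X509CertIssuerNotFound('No issuer certificate found for '
+                                         'certificate "%s"' %
+                                         x509Cert2Verify.dn)
 
         for caCert in caX509Stack:
@@ -645,5 +644,5 @@
         if issuerX509Cert:
             if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
-                X509CertInvalidSignature('Signature is invalid for cert. "%s"'%
+                X509CertInvalidSignature('Signature is invalid for cert. "%s"' %
                                          x509Cert2Verify.dn)
 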
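Review bot: In the last hunk, the `X509CertInvalidSignature(...)` on new line 646 is constructed but never raised, so a certificate whose signature does not verify against its issuer's public key falls through as though the check had passed; the commit only re-spaces this line and leaves the defect in place. The line should read `raise X509CertInvalidSignature('Signature is invalid for cert. "%s"' %`. Whether some later statement outside the hunk catches the failure cannot be seen here, but as written the outcome of chain verification does not depend on the result of `verify()`. verifyCertChain's body continues outside the hunk.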
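--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/cond/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/cond/__init__.py
@@ -89,5 +89,4 @@
         self.isCondition = isCondition
 
-
     @classmethod
     def getConditionInstance(cls, root):
@@ -104,5 +103,4 @@
             FunctionFactory
         cls.__getInstance(root, FunctionFactory.getConditionInstance(), True)
-
 
     @classmethod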
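--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
@@ -56,4 +56,5 @@
     CACERT_FILEPATH_LIST_OPTNAME = 'caCertFilePathList'
     CLIENT_CERT_DN_MATCH_LIST_OPTNAME = 'clientCertDNMatchList'
+    CLIENT_CERT_DN_MATCH_LIST_SEP_PAT = re.compile(',\s*')
     SSL_KEYNAME_OPTNAME = 'sslKeyName'
     SSL_CLIENT_CERT_KEYNAME_OPTNAME = 'sslClientCertKeyName'
@@ -78,5 +79,5 @@
     AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
                                        'ApacheSSLAuthnMiddleware.authenticated')
-
+
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
 
@@ -212,6 +213,7 @@
         if isinstance(value, basestring):
             # Try parsing a space separated list of file paths
-            self.__clientCertDNMatchList = [X500DN(dn=dn)
-                                            for dn in value.split()]
+            pat = ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_SEP_PAT
+            dnList = pat.split(value)
+            self.__clientCertDNMatchList = [X500DN(dn=dn) for dn in dnList]
 
         elif isinstance(value, (list, tuple)):
@@ -225,7 +227,7 @@
                     raise TypeError('Expecting a string, or %r type for "%s" '
                                     'list item; got %r' %
-                (X500DN,
-                 ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
-                 type(dn)))
+                    (X500DN,
+                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
+                     type(dn)))
 
         else: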
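Review bot: Splitting the configured value on `,\s*` makes any comma inside a DN attribute value (an organisation name such as `O=Acme, Inc.`) silently cut one allow-listed DN into two fragments, and a trailing comma or an empty option value now yields an empty-string entry where the old `value.split()` yielded none; because this list gates client-certificate authentication, the setter at new lines 215-217 should drop blank fragments and surrounding whitespace rather than hand them to `X500DN`, e.g. `dnList = [dn.strip() for dn in pat.split(value) if dn.strip()]`. The comment kept above those lines, `# Try parsing a space separated list of file paths`, is now wrong on both counts and should read `# Parse a comma separated list of DNs (attribute values must not contain commas)`. The pattern literal on new line 58 should be a raw string, `re.compile(r',\s*')`; whether `re` is imported in ssl.py is not visible in this hunk. The enclosing property setter starts and ends outside the hunk.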
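--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini
@@ -23,3 +23,3 @@
 ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
 ssl.rePathMatchList = ^/secured/.*$ ^/restrict.*
-ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test /O=localhost/OU=local/CN=test2
+ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test, /O=localhost/OU=local client/CN=test 2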