Changeset 1947

Timestamp:

03/01/07 17:17:49 (14 years ago)

Author:

pjkersha

Message:

python/ndg.security.test/ndg/security/test/XMLSecDoc/xmlSecDocTest.py and
python/ndg.security.common/ndg/security/common/XMLSec.py: cont'd refactoring to use M2Crypto based XML
signature.

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/XMLSec.py (modified) (10 diffs)
• ndg.security.test/ndg/security/test/XMLSecDoc/xmlSecDocTest.py (modified) (2 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py

@@ -1 +1 @@
 """NDG XML Security - Encryption and Digital Signature
 
-Wraps pyXMLSec package
-
 Nerc Data Grid Project
 
 P J Kershaw 05/04/05
 
-Copyright (C) 2006 CCLRC & NERC
+P J Kershaw 03/01/07: Re-write to use M2Crypto, ZSI and DOM instead of 
+pyXMLSec
 
 This software may be distributed under the terms of the Q Public License,
@@ -30 +29 @@
 # associated note
 from xml.dom.ext.reader.PyExpat import Reader
+
+# Digest and signature/verify
+from sha import sha
+from M2Crypto import X509, BIO, RSA
+import base64
+
+# Canonicalization
+from ZSI.wstools.c14n import Canonicalize
+from xml.dom import Node
+from xml.xpath.Context import Context
+from xml import xpath
+
+from ZSI.wstools.Namespaces import DSIG
 
 
@@ -1481 +1493 @@
                         fdel=__delFilePath,
                         doc="File Path for XML document to apply security to")
-
-
-    #_________________________________________________________________________
-    def __setCertFilePathList(self, filePath):
+    
+    
+    def __getDocNode(self):
+        """Get file path for file to be signed/encrypted."""
+        return self.__docNode
+
+
+    def __delDocNode(self):
+        """Prevent file path being deleted."""
+        raise AttributeError, "\"docNode\" cannot be deleted"
+ 
+  
+    # Publish attribute as read/write
+    docNode = property(fget=__getDocNode,
+                       fdel=__delDocNode,
+                       doc="DOM document node for XML")
+
+    #_________________________________________________________________________
+    def __setCertdocNodeList(self, filePath):
         """File path for certificate used to sign document / 
         list of certificates used to check the signature of a document"""
@@ -1627 +1654 @@
              inclX509SubjName=True,
              inclX509IssSerial=True,
-             rtnAsString=False):
+             rtnAsString=False,
+             **c14nKw):
         """Sign XML document using an X.509 certificate private key
 
@@ -1657 +1685 @@
             self.parse(xmlTxt)
 
-            
+        if self.__docNode is None:
+            XMLSecDocError, "XML to be signed has not been read in or parsed."
+               
         # Set private key file
         if signingKeyFilePath is not None:
@@ -1666 +1696 @@
         if certFilePathList is not None:
             self.__setCertFilePathList(certFilePathList)
-            
-        # Return as required
-        if rtnAsString:
-            return self.asString()
-        
-        
-        # Add X.509 cert as binary security token
-        x509Cert = X509.load_cert(self.__certFilePathList[0])
-        
-        x509CertPat = re.compile(\
-            '-----BEGIN CERTIFICATE-----\n?(.*?)\n?-----END CERTIFICATE-----',
-            re.S)
-        x509CertStr = x509CertPat.findall(x509Cert.as_pem())[0]
-
-        soapWriter._header.setNamespaceAttribute('ds', DSIG.BASE)
-        soapWriter._header.setNamespaceAttribute('ec', DSIG.C14N_EXCL)
-        
-        
-        # Change value and encoding types to suite WebSphere
-#        binSecTokElem.node.setAttribute('ValueType', "wsse:X509v3")
-        valueType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
-        binSecTokElem.node.setAttribute('ValueType', valueType)
-#        binSecTokElem.node.setAttribute('EncodingType', "wsse:Base64Binary")
-        encodingType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
-        binSecTokElem.node.setAttribute('EncodingType', encodingType)
-        
-        # Add ID so that the binary token can be included in the signature
-        binSecTokElem.node.setAttribute('wsu:Id', "binaryToken")
-
-        binSecTokElem.createAppendTextNode(x509CertStr)
+
+        self.__docNode.setNamespaceAttribute('ds', DSIG.BASE)
+        self.__docNode.setNamespaceAttribute('ec', DSIG.C14N_EXCL)
 
         
         # Signature
-        signatureElem = wsseElem.createAppendElement(DSIG.BASE, 'Signature')
+        signatureElem = self.__docNode.createAppendElement(DSIG.BASE, 
+                                                           'Signature')
         signatureElem.setNamespaceAttribute('ds', DSIG.BASE)
         
@@ -1713 +1717 @@
         c14nMethodElem.node.setAttribute('Algorithm', DSIG.C14N_EXCL)
         c14nInclNamespacesElem = c14nMethodElem.createAppendElement(\
-                        DSIG.C14N_EXCL,
-                                                'InclusiveNamespaces')
+                                                    DSIG.C14N_EXCL,
+                                                    'InclusiveNamespaces')
         c14nInclNamespacesElem.node.setAttribute('PrefixList', 
             ' '.join(signedInfoC14nKw['unsuppressedPrefixes']))
@@ -1721 +1725 @@
         sigMethodElem = signedInfoElem.createAppendElement(DSIG.BASE,
                                                     'SignatureMethod')
-        #sigMethodElem.node.setAttribute('Algorithm', DSIG.DIGEST_SHA1)
         sigMethodElem.node.setAttribute('Algorithm', DSIG.SIG_RSA_SHA1)
         
@@ -1741 +1744 @@
             'ds':     DSIG.BASE, 
         }
-        ctxt = Context(docNode, processorNss=processorNss)
-        idNodes = xpath.Evaluate('//*[@wsu:Id]', 
-                                 contextNode=docNode, 
-                                 context=ctxt)
+        ctxt = Context(self.__docNode, processorNss=processorNss)
         
         # 1) Reference Generation
         #
         # Find references
-        c14nKw = {}
-        c14nKw['unsuppressedPrefixes'] = ['xmlns', 'xsi', 'xsd', 'SOAP-ENV', 'wsu', 'wsse', 'ns1']
-        for idNode in idNodes:
-            
-            # Set URI attribute to point to reference to be signed
-            #uri = u"#" + idNode.getAttribute('wsu:Id')
-            uri = u"#" + idNode.attributes[(_WSU.UTILITY, 'Id')].value
-            
-            # Canonicalize reference
-            c14nRef = Canonicalize(idNode, **c14nKw)
-            
-            # Calculate digest for reference and base 64 encode
-            #
-            # Nb. encodestring adds a trailing newline char
-            digestValue = base64.encodestring(sha(c14nRef).digest()).strip()
-
-
-            # Add a new reference element to SignedInfo
-            refElem = signedInfoElem.createAppendElement(DSIG.BASE, 
-                                                         'Reference')
-            refElem.node.setAttribute('URI', uri)
-            
-            # Use ds:Transforms or wsse:TransformationParameters?
-            transformsElem = refElem.createAppendElement(DSIG.BASE, 
-                                                        'Transforms')
-            transformElem = transformsElem.createAppendElement(DSIG.BASE, 
-                                                               'Transform')
-            transformElem.node.setAttribute('Algorithm', DSIG.C14N_EXCL)
-
-            inclNamespacesElem = transformElem.createAppendElement(\
-                            DSIG.C14N_EXCL,
-                                                       'InclusiveNamespaces')
-            inclNamespacesElem.node.setAttribute('PrefixList',
-                ' '.join(c14nKw['unsuppressedPrefixes']))
-            
-            # Digest Method 
-            digestMethodElem = refElem.createAppendElement(DSIG.BASE, 
-                                                           'DigestMethod')
-            digestMethodElem.node.setAttribute('Algorithm', DSIG.DIGEST_SHA1)
-            
-            # Digest Value
-            digestValueElem = refElem.createAppendElement(DSIG.BASE, 
-                                                          'DigestValue')
-            digestValueElem.createAppendTextNode(digestValue)
+        if not c14nKw:
+            c14nKw['unsuppressedPrefixes'] = ['xmlns', 'ns1']
+        
+        # Canonicalize reference
+        c14nRef = Canonicalize(idNode, **c14nKw)
+        
+        # Calculate digest for reference and base 64 encode
+        #
+        # Nb. encodestring adds a trailing newline char
+        digestValue = base64.encodestring(sha(c14nRef).digest()).strip()
+
+
+        # Add a new reference element to SignedInfo
+        refElem = signedInfoElem.createAppendElement(DSIG.BASE, 'Reference')
+        
+        # Use ds:Transforms or wsse:TransformationParameters?
+        transformsElem = refElem.createAppendElement(DSIG.BASE, 
+                                                    'Transforms')
+        transformElem = transformsElem.createAppendElement(DSIG.BASE, 
+                                                           'Transform')
+        transformElem.node.setAttribute('Algorithm', DSIG.C14N_EXCL)
+
+        inclNamespacesElem = transformElem.createAppendElement(\
+                                                   DSIG.C14N_EXCL,
+                                                   'InclusiveNamespaces')
+        inclNamespacesElem.node.setAttribute('PrefixList',
+                                    ' '.join(c14nKw['unsuppressedPrefixes']))
+        
+        # Digest Method 
+        digestMethodElem = refElem.createAppendElement(DSIG.BASE, 
+                                                       'DigestMethod')
+        digestMethodElem.node.setAttribute('Algorithm', DSIG.DIGEST_SHA1)
+        
+        # Digest Value
+        digestValueElem = refElem.createAppendElement(DSIG.BASE, 
+                                                      'DigestValue')
+        digestValueElem.createAppendTextNode(digestValue)
 
    
@@ -1845 +1838 @@
         print "Signature Generated"
         print str(soapWriter)
+        
+        if inclX509Cert:
+            # Add X.509 cert
+            x509Cert = X509.load_cert(self.__certFilePathList[0])
+            
+            x509CertPat = re.compile(\
+            '-----BEGIN CERTIFICATE-----\n?(.*?)\n?-----END CERTIFICATE-----',
+            re.S)
+            x509CertStr = x509CertPat.findall(x509Cert.as_pem())[0]
+                
+            x509CertElem.createAppendTextNode(x509CertStr)
+            
+        # Return as required
+        if rtnAsString:
+            return self.asString()
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/XMLSecDoc/xmlSecDocTest.py

@@ -74 +74 @@
             
         try:
+            certFilePathList = self.cfg['test2Sign']['certfile']
+            signingKeyFilePath = self.cfg['test2Sign']['keyfile']
             self.xmlSecDoc.sign()
         except:
@@ -82 +84 @@
             
         try:
-            self.xmlSecDoc.filePath = self.cfg['test3Write'].get('filePath')
+            self.xmlSecDoc.filePath = self.cfg['test3Write']['filePath']
             self.xmlSecDoc.write()
         except: