Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1964

Timestamp:

08/01/07 09:21:13 (14 years ago)

Author:

pjkersha

Message:

python/ndg.security.common/ndg/security/common/XMLSec.py: tidy up imports
python/ndg.security.common/ndg/security/common/AttCert.py: updated for
new version of XMLSecDoc parent class. Added standard doc strings.

Location:

TI12-security/trunk/python/ndg.security.common/ndg/security/common

Files:

: 2 edited

AttCert.py (modified) (43 diffs)
XMLSec.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py

-                      r1642
+                      r1964
 """NDG Attribute Certificate (Authentication -or Access- Token)
+"""NDG Attribute Certificate (Authorisation -or Access- Token)
 NERC Data Grid Project
 P J Kershaw 05/04/05
 Copyright (C) 2006 CCLRC & NERC
+This software may be distributed under the terms of the Q Public License,
 version 1.0 or later."""
+@author P J Kershaw 05/04/05
+@copyright (C) 2006 CCLRC & NERC
+@license This software may be distributed under the terms of the Q Public
+License, version 1.0 or later."""
 reposID = '$Id$'
 …
 # Time module for use with validity times
+from time import strftime
+from time import strptime
+from datetime import datetime
+from datetime import timedelta
+from time import strftime, strptime
+from datetime import datetime, timedelta
 # XML signature module based on xmlsec and libxml2
 from XMLSecDoc import *
+from XMLSec import XMLSecDoc
 from X509 import X500DN
 …
+class AttCertError(Exception):
+class AttCertError(Exception):
     """Exception handling for NDG Attribute Certificate class."""
+    def __init__(self, msg):
+        self.__msg = msg
+    def __str__(self):
+        return self.__msg
+#_____________________________________________________________________________
+class _MetaAttCert(type):
+    """Enable AttCert to have read only class variables e.g.
+    print AttCert.mappedProvenance is allowed but,
+    AttCert.mappedProvenance = None
+    ... raises - AttributeError: can't set attribute"""
+    #_________________________________________________________________________
+    def __getVersion(cls):
+        '''Version of THIS format for the certificate'''
+        return '1.0'
+    version = property(fget=__getVersion,
+                       doc="Version of the certificate format")
+    #_________________________________________________________________________
+    def __getMappedProvenance(cls):
+        '''Text for mapped provenance setting of certificate'''
+        return 'mapped'
+    mappedProvenance = property(fget=__getMappedProvenance,
+        doc="Text constant indicating cert has mapped roles from another")
+    #_________________________________________________________________________
+    def __getOriginalProvenance(cls):
+        '''Text for original provenance setting of certificate'''
+        return 'original'
+    origProvenance = property(fget=__getOriginalProvenance,
+        doc="Text constant indicating cert has original and not mapped roles")
+#_____________________________________________________________________________
 class AttCert(dict, XMLSecDoc):
+    """NDG Attribute Certificate (Authentication or Access Token)."""
+    # Attribute Certificate file version
+    __version = "1.0"
+    """NDG Attribute Certificate (Authorisation or Access Token)."""
+    __metaclass__ = _MetaAttCert
     # Provenance of certificate may be original or mapped from another
     # certificate
-    mappedProvenance = 'mapped'
-    origProvenance = 'original'
     __provenance = (origProvenance, mappedProvenance)
+    # Nb. pass XMLSecDoc keyword arguments in xmlSecDocKeys dictionary
+    def __init__(self, filePath=None, lifeTime=-1, **xmlSecDocKeys):
+    #_________________________________________________________________________
+    def __init__(self, lifeTime=28800, **xmlSecDocKw):
         """Initialisation - Attribute Certificate file path may be specified.
         Also, holder and issuer details and signing authority key and
+        certificate."""
+        certificate.
+        @param lifeTime: set the lifetime for the certificate in seconds.
+        Defaults to 8 hours.
+        @param **xmlSecDocKw: see XMLSec.XMLSec class for an explanation.
+        Keywords include, filePath for the cert. for reading/writing and
+        cert./private key settings for digital signature and verification."""
         # Base class initialisation
         dict.__init__(self)
+        XMLSecDoc.__init__(self, **xmlSecDocKeys)
+        if filePath is not None:
+            if not isinstance(filePath, basestring):
+                raise AttCertError("Input file path must be a valid string")
+            self.filePath = filePath
+        XMLSecDoc.__init__(self, **xmlSecDocKw)
         # Data dictionary version of xml
 …
         self.__dat = {
             "version":            AttCert.__version,
+            "version":            AttCert.version,
             "holder":             '',
             "issuer":             '',
 …
+        # Check for input certificate life time interval - if not set default
+        # to one day
+        if lifeTime is -1:
+            self.__lifeTime = 28800 # 8 hours
+        else:
+            self.__lifeTime = lifeTime
+        # Certificate life time interval in seconds
+        self.__lifeTime = lifeTime
         self.__dtNotBefore = None
         self.__dtNotAfter = None
+    #_________________________________________________________________________
     def __repr__(self):
         """Override default behaviour to return internal dictionary content"""
 …
+    #_________________________________________________________________________
     def __delitem__(self, key):
         "Attribute Certificate keys cannot be removed"
+        raise AttCertError('Keys cannot be deleted from ' + \
+                           self.__class__.__name__)
+        raise AttCertError, 'Keys cannot be deleted from ' + \
+                           self.__class__.__name__
+    #_________________________________________________________________________
     def __getitem__(self, key):
         self.__class__.__name__ + """ behaves as data dictionary of Attribute
 …
         else:
             # key not recognised as a short or long name version
+            raise AttCertError('Key "%s" not recognised for %s' % \
+                               (key, self.__class__.__name__))
+            raise AttCertError, 'Key "%s" not recognised for %s' % \
+                               (key, self.__class__.__name__)
+    #_________________________________________________________________________
     def __setitem__(self, key, item):
         self.__class__.__name__ + """ behaves as data dictionary of Attribute
 …
             # key recognised - check if setting provenance
             if key is "provenance" and not self.isValidProvenance(item):
                 raise AttCertError("Provenance must be set to \"" + \
                             "\" or \"".join(AttCert.__provenance) + "\"")
+                raise AttCertError, "Provenance must be set to \"" + \
+                            "\" or \"".join(AttCert.__provenance) + "\""
             self.__dat[key] = item
 …
         elif self.__dat['validity'].has_key(key):
             # Prevent setting of notBefore/notAfter - restrict to method
             # setValidityTime
+            raise AttCertError(\
+                "Use setValidityTime method to set notBefore/notAfter times")
+            raise AttCertError, \
+                "Use setValidityTime method to set notBefore/notAfter times"
         else:
             # key not recognised as a short or long name version
+            raise AttCertError('Key "%s" not recognised for %s' % \
+                               (key, self.__class__.__name__))
+            raise AttCertError, 'Key "%s" not recognised for %s' % \
+                               (key, self.__class__.__name__)
+    #_________________________________________________________________________
     def __eq__(self, attCert):
         """Return true if all elements are the same"""
 …
+    #_________________________________________________________________________
     def __nonzero__(self):
         """Ensure if <attCertInstance> test yields True"""
 …
+    #_________________________________________________________________________
     def clear(self):
+        raise AttCertError("Data cannot be cleared from " + \
+                           self.__class__.__name__)
+        raise AttCertError, "Data cannot be cleared from " + \
+                           self.__class__.__name__
+    #_________________________________________________________________________
     def copy(self):
 …
+    #_________________________________________________________________________
     def keys(self):
         return self.__dat.keys()
+    #_________________________________________________________________________
     def items(self):
         return self.__dat.items()
+    #_________________________________________________________________________
     def values(self):
         return self.__dat.values()
+    #_________________________________________________________________________
     def has_key(self, key):
         return self.__dat.has_key(key)
     # 'in' operator
+    #_________________________________________________________________________
     def __contains__(self, key):
         return key in self.__dat
-    def getExptdVersion(self):
-        """Return the Attribute Certificate XML expected version."""
-        return AttCert.__version
 …
     # __setitem__ and __getitem__ standard dictionary methods
+    #
+    #_________________________________________________________________________
     def setVersion(self, version):
         """Set the version number to be written to file."""
         self.__dat['version'] = version
+    #_________________________________________________________________________
     def getVersion(self):
         """Get version number as set in file."""
         return self.__dat['version']
+    #_________________________________________________________________________
     def setHolder(self, holder):
         """Set holder's Distinguished Name string."""
         self.__dat['holder'] = holder
+    #_________________________________________________________________________
     def getHolder(self):
         """Get holder's Distinguished Name string."""
         return self.__dat['holder']
+    #_________________________________________________________________________
     def getHolderDN(self):
          """Get the holder's Distinguished Name as an X500DN instance"""
          return self.__holderDN
+    #_________________________________________________________________________
     def setIssuer(self, issuer):
         """Set issuer's Distinguished Name."""
         self.__dat['issuer'] = issuer
+    #_________________________________________________________________________
     def getIssuer(self):
         """Get the issuer's Distinguished Name string"""
         return self.__dat['issuer']
+    #_________________________________________________________________________
     def getIssuerDN(self):
          """Get the issuer's Distinguished Name as an X500DN instance"""
          return self.__issuerDN
+    #_________________________________________________________________________
     def setIssuerName(self, issuerName):
         """Set the name of the issuer"""
         self.__dat['issuerName'] = issuerName
+    #_________________________________________________________________________
     def getIssuerName(self):
         """Get the name of the issuer"""
+        """@return the name of the issuer"""
         return self.__dat['issuerName']
+    #_________________________________________________________________________
     def setIssuerSerialNumber(self, serialNumber):
         """Set the issuer serial number"""
+        """@param serialNumber: the issuer serial number"""
         self.__dat['issuerSerialNumber'] = serialNumber
+    #_________________________________________________________________________
     def getIssuerSerialNumber(self):
         """Get the issuer serial number"""
+        """@return the issuer serial number"""
         return self.__dat['issuerSerialNumber']
 …
     # setValidityTime instead.
+    #_________________________________________________________________________
     def getValidityNotBefore(self, asDatetime=False):
         """Get the validity Not Before date/time string
+        Set asDatetime to True to return as a datetime type
+        Nb. time may not have been set - if so it will be set to None"""
+        @param asDatetime: boolean to True to return as a datetime type
+        Nb. time may not have been set - if so it will be set to None
+        @return the not before time as string or datetime type - see above"""
         if asDatetime is True:
             return self.__dtNotBefore
 …
+    #_________________________________________________________________________
     def getValidityNotAfter(self, asDatetime=False):
         """Get the validity Not After date/time string
+        Set asDatetime to True to return as a datetime type
+        Nb. time may not have been set - if so it will be set to None"""
+        @param asDatetime: boolean set to True to return as a datetime type
+        Nb. time may not have been set - if so it will be set to None
+        @return the not after time as string or datetime type - see above"""
         if asDatetime is True:
             return self.__dtNotAfter
 …
+    #_________________________________________________________________________
     def getRoleSet(self):
         """Get the roleSet as a list of role dictionaries."""
+        """@return the roleSet as a list of role dictionaries."""
         return self.__dat['attributes']['roleSet']
+    #_________________________________________________________________________
     def getRoles(self):
+        """Return roles as a list"""
+        """Return roles as a list
+        @return list of roles contained in the certificate"""
         try:
             return [i.values()[0].values()[0] \
 …
+    #_________________________________________________________________________
     def setProvenance(self, provenance):
+        """Set the provenance for the certificate: 'original' or 'mapped'."""
+        """Set the provenance for the certificate: 'original' or 'mapped'.
+        @param provenance: string provenance setting"""
         if not self.isValidProvenance(provenance):
             raise AttCertError("Provenance must be set to \"" + \
                                "\" or \"".join(AttCert.__provenance) + "\"")
+            raise AttCertError, "Provenance must be set to \"" + \
+                               "\" or \"".join(AttCert.__provenance) + "\""
         self.__dat['provenance'] = provenance
+    #_________________________________________________________________________
     def getProvenance(self):
+        """Get the provenance for the certificate."""
+        """Get the provenance for the certificate.
+        @return provenance of certificate mapped or original"""
         return self.__dat['provenance']
+    #_________________________________________________________________________
     def isValidProvenance(self, provenance=None):
         """Check provenance is set correctly - to 'original'/'mapped'.
 …
         If no provenance argument is provided, test against the setting in
         the current instance.
+        @param provenance: by default the current provenance setting is
+        checked i.e. self.__dat['provenance'].  Set this keyword to override
+        and check against an alternate provenance setting.
+        @return True if certificate has a valid provenance setting
         """
 …
+    #_________________________________________________________________________
     def isOriginal(self):
+        """Check for original provenance."""
+        """Check for original provenance.
+        @return True if certificate has original roles"""
         return self.__dat['provenance'] == self.__class__.origProvenance
+    #_________________________________________________________________________
     def isMapped(self):
+        """Check for mapped provenance."""
+        """Check for mapped provenance.
+        @return True if certificate contain roles mapped from another"""
         return self.__dat['provenance'] == self.__class__.mappedProvenance
+    #_________________________________________________________________________
     def addRoles(self, roleName):
+        """Add new roles to the roleSet in attributes."""
+        """Add new roles to the roleSet in attributes.
+        @param roleName: role name or list of role names to add to certificate
+        """
         if isinstance(roleName, basestring):
 …
+    #_________________________________________________________________________
     def parse(self, xmlTxt, rtnRootElem=False):
         """Parse an Attribute Certificate content contained in string input
+        xmlTxt:     Attribute Certificate XML content as string"""
+        @param xmlTxt:     Attribute Certificate XML content as string
+        @param rtnRootElem: boolean set to True to return the ElementTree
+        root element
+        @return root element if rtnRootElem keyword is set to True"""
         rootElem = ElementTree.XML(xmlTxt)
 …
         # Call base class parser method to initialise libxml2 objects for
+        # Call base class parser method to initialise DOM objects for
         # signature validation
         try:
 …
         except Exception, e:
             raise AttCertError("Attribute Certificate: %s" % e)
+            raise AttCertError, "Attribute Certificate: %s" % e
         if rtnRootElem:
 …
     def read(self, filePath=None):
         """Read Attribute Certificate
         filePath:   file to be read, if omitted __filePath member variable is
                     used instead"""
+    #_________________________________________________________________________
+    def read(self, filePath=None, **xmlSecDocKw):
+        """Read an Attribute Certificate from file
+        @param filePath:   file to be read, if omitted XMLSecDoc.__filePath
+        member variable is used instead"""
         if filePath:
-            if not isinstance(filePath, basestring):
-                raise AttCertError("Input file path must be a string.")
             self.filePath = filePath
-        else:
-            filePath = self.filePath
         try:
             tree = ElementTree.parse(filePath)
+            tree = ElementTree.parse(self.filePath)
             rootElem = tree.getroot()
         except Exception, e:
             raise AttCertError("Attribute Certificate: %s" % e)
+            raise AttCertError, "Attribute Certificate: %s" % e
         # Call generic ElementTree parser
         self.__parse(rootElem)
         # Call base class read method to initialise libxml2 objects for
         # signature validation
         try:
             XMLSecDoc.read(self)
+            XMLSecDoc.read(self, **xmlSecDocKw)
         except Exception, e:
+            raise AttCertError("Attribute Certificate: %s" % e)
+            raise AttCertError, "Attribute Certificate: %s" % e
+    #_________________________________________________________________________
     def __parse(self, rootElem):
         """Private XML parsing method accepts a ElementTree.Element type
         as input
         rootElem:       ElementTree.Element type
+        @param rootElem: root element of doc - ElementTree.Element type
         """
 …
         if not acInfoElem:
             raise AttCertError("<acInfo> tag not found in \"%s\"" % \
                                self.filePath)
+            raise AttCertError, "<acInfo> tag not found in \"%s\"" % \
+                               self.filePath
         # Copy all acInfo tags into dictionary
         for elem in acInfoElem:
+            if not self.__dat.has_key(elem.tag):
+                raise AttCertError(self.filePath + "\": <" + \
+                                   elem.tag + "> not recognised.")
+            if elem.tag not in self.__dat:
+                raise AttCertError, '%s: "<%s>" not recognised.' % \
+                                    (self.filePath, elem.tag)
             # Make sure not to copy validity and attributes tags - handle
 …
         except X500DNError, x500dnErr:
             raise AttCertError("Issuer DN: %s" % x500dnErr)
+            raise AttCertError, "Issuer DN: %s" % x500dnErr
 …
         except X500DNError, x500dnErr:
             raise AttCertError("Holder DN: %s" % x500dnErr)
+            raise AttCertError, "Holder DN: %s" % x500dnErr
 …
         if self.__dat['validity']['notBefore'] is None:
             raise AttCertError("<notBefore> tag not found in \"%s\"" % \
                                self.filePath)
+            raise AttCertError, "<notBefore> tag not found in \"%s\"" % \
+                               self.filePath
         # Update datetime object equivalent
 …
         if self.__dat['validity']['notAfter'] is None:
+            raise AttCertError("<notAfter> tag not found in \"%s\"" %
+                               self.filePath)
+            raise AttCertError, '<notAfter> tag not found in "%s"' % \
+                               self.filePath
         # Update datetime object equivalent
 …
                                         self.__dat['validity']['notAfter'])
         # set up role list
         roleElem = acInfoElem.findall("attributes/roleSet/role/name")
         if roleElem is None:
             raise AttCertError("<role> tag not found in \"%s\"" % \
                                self.filePath)
+            raise AttCertError, "<role> tag not found in \"%s\"" % \
+                               self.filePath
         self.__dat['attributes']['roleSet'] = \
 …
         if not self.isValidVersion():
             raise AttCertError('Attribute Certificate version is ' + \
+            raise AttCertError, 'Attribute Certificate version is ' + \
                                self.__dat['version'] + ' but version ' + \
+                               AttCert.__version + ' expected')
+                               AttCert.version + ' expected'
+    #_________________________________________________________________________
     def createXML(self):
         """Create XML for Attribute Token from current data settings and
         return as a string.  The XML created is MINUS the digital signature.
+        To obtain the signed version, run the sign method and pass the attCert
+        object reference into str()
+        Implementation of virtual method defined in XMLSecDoc base class"""
+        To obtain the signed version, run the applyEnvelopedSignature method
+        (inherited from XMLSecDoc) and pass the attCert object reference into
+        str()
+        @return xmlTxt: formatted XML for certificate as a string"""
         # Nb.
 …
         # Check for valid provenance
         if not self.isValidProvenance():
             raise AttCertError("Provenance must be set to \"" + \
                                "\" or \"".join(AttCert.__provenance) + "\"")
+            raise AttCertError, "Provenance must be set to \"" + \
+                               "\" or \"".join(AttCert.__provenance) + "\""
         # Create string of all XML content
+        xmlTxt = \
+"""<attributeCertificate>
+        xmlTxt = """<attributeCertificate>
     <acInfo>
         <version>""" + self.__dat['version'] + """</version>
 …
         <attributes>
             <roleSet>
                 """ + \
         "".join(["""<role>
+""" + "".join([\
+"""        <role>
                     <name>""" + i['role']['name'] + """</name>
                 </role>
             """ for i in self.__dat['attributes']['roleSet']]) +\
+            """ for i in self.__dat['attributes']['roleSet']]) + \
             """</roleSet>
         </attributes>
 …
 </attributeCertificate>"""
         # Return XML file content as a string
         return xmlTxt
+    #_________________________________________________________________________
     def setValidityTime(self,
                         dtNotBefore=None,
 …
                         lifeTime=None,
                         notBeforeOffset=None):
         """Set the notBefore and notAfter times which determine the window for
+        which the Attribute Certificate is valid
+        which the Attribute Certificate is valid.  These times are set as
+        datetime types and also the correct string format settings are made
+        ready for output.
         Nb. use UTC time.  lifeTime and notBeforeOffset are in seconds
+        @param dtNotBefore: not before time as datetime type.  If omitted,
+        it defaults to the current time
+        @param dtNotAfter: not after time as datetime type.  Defaults to
+        self.__dtNotBefore + self.__lifetime.  If dtNotAfter is set it will
+        reset self.__lifetime to self.__dtNotAfter - self.dtNotBefore
+        @param lifetime: lifetime for certificate in seconds i.e. not after
+        time - not before time.  If dtNotAfter is set then this keyword will
+        be ignored.
+        @param notBeforeOffset: skew the not before time by some offset.  This
+        is useful in cases where system clocks are not correctly synchronized
+        between different hosts.  Set a negative value to skew the offset
+        backward in time.
         """
         if dtNotBefore is not None:
             if not isinstance(dtNotBefore, datetime):
                 raise AttCertError(\
                                 "Input not before time must be datetime type")
+                raise AttCertError, \
+                                "Input not before time must be datetime type"
             self.__dtNotBefore = dtNotBefore
 …
         if dtNotAfter is not None:
             if not isinstance(dtNotAfter, datetime):
                 raise AttCertError(\
                                 "Input not after time must be datetime type")
+                raise AttCertError, \
+                                "Input not after time must be datetime type"
             # Use input Not After time to calculate a new lifetime setting
             dtDeltaLifeTime = dtNotAfter - self.__dtNotBefore
             if dtDeltaLifeTime < timedelta(0):
                 raise AttCertError("Input Not After time is invalid %s" % \
                                    str(dtNotAfter))
+                raise AttCertError, "Input Not After time is invalid %s" % \
+                                   str(dtNotAfter)
             self.__lifeTime = dtDeltaLifeTime.days*86400 + \
 …
                 dtDeltaLifeTime = timedelta(seconds=self.__lifeTime)
             except Exception, e:
                 raise AttCertError("Invalid Certificate lifetime set %.3f" % \
                                    self.__lifeTime)
+                raise AttCertError, "Invalid Certificate lifetime set %.3f" %\
+                                   self.__lifeTime
             # Add certificate lifetime to calculate not after time
 …
+    #_________________________________________________________________________
     def datetime2timeStr(self, dtVal):
+        """Convert a datetime object to a notBefore/notAfter time string"""
+        """Convert a datetime object to a notBefore/notAfter time string
+        @param dtVal: input datetime
+        @return datetime converted into correct string format for AttCert"""
         if not isinstance(dtVal, datetime):
             raise AttCertError(\
                         "Invalid datetime object for conversion to string")
+            raise AttCertError, \
+                        "Invalid datetime object for conversion to string"
         # Convert from 1-12 to 0-11 month format used in XML file
 …
+    #_________________________________________________________________________
     def timeStr2datetime(self, sTime):
+        """Convert a notBefore/notAfter time string to a datetime object"""
+        # Convert from 0-11 to 1-12 month format used by datetime()
+        """Convert a notBefore/notAfter time string to a datetime object
+        @param sTime: time in string format as used by AttCert
+        @return datetime type equivalent of string input"""
         try:
-            #lTime = [int(i) for i in sTime.split()]
             lTime = strptime(sTime, "%Y %m %d %H %M %S")
+            # Use 1-12 format
+            # P J Kershaw 09/05/05
+            #lTime[1] += 1
+            return datetime(lTime[0], lTime[1], lTime[2],
+                            lTime[3], lTime[4], lTime[5])
+            return datetime(*lTime[0:6])
         except Exception, e:
+            raise AttCertError(\
+                "Error converting time string into datetime object: %s" % e)
+            raise AttCertError, \
+                "Error converting time string into datetime object: %s" % e
+    #_________________________________________________________________________
     def isValidTime(self, dtNow=None, raiseExcep=False):
         """Check Attribute Certificate for expiry.  Set raiseExcep to True
         to raise an exception with a message indicating the nature of the
+        time error"""
+        time error
+        @param dtNow: the time to test against in datetime format.  This time
+        must be within the range of the not before and not after times in
+        order for the certificate to be valid.  Defaults to the current
+        system time
+        @param raiseExcep: boolean set to True to raise an exception if the
+        time is invalid.  Defaults to False in which case no exception is
+        raised if the time is invalid, instead False is returned
+        @return boolean True if time is valid, False if invalid.  Also see
+        raiseExcep keyword above."""
         if not isinstance(self.__dtNotBefore, datetime):
             raise AttCertError("Not Before datetime is not set")
+            raise AttCertError, "Not Before datetime is not set"
         if not isinstance(self.__dtNotAfter, datetime):
             raise AttCertError("Not After datetime is not set")
+            raise AttCertError, "Not After datetime is not set"
         if dtNow is None:
 …
         else:
             return dtNow > self.__dtNotBefore and dtNow < self.__dtNotAfter
+    #_________________________________________________________________________
     def isValidVersion(self):
+        """Check Attribute Certificate XML file version"""
+        return self.__dat['version'] == AttCert.__version
+        """Check Attribute Certificate XML file version
+        @return boolean True if certificate version matches the expected one,
+        False otherwise.
+        """
+        return self.__dat['version'] == AttCert.version
+    #_________________________________________________________________________
     def isValid(self,
                 raiseExcep=False,
 …
                 chkProvenance=True,
                 chkSig=True,
+                **xmlSecDocKeys):
+                **xmlSecDocKw):
         """Check Attribute Certificate is valid:
 …
         - Signature is valid.
+        chkTime:                set to True to do time validity check (default
+                                is True)
+        chkVersion:             set to True to Attribute Certificate file
+                                version (default is True)
+        chkProvenance:          set to True to check provenance value is valid
+                                (default is True)
+        chkSig:                 set to True to check digital signature - for
+                                this certFilePathList must contain the root
+                                certificate of the X.509 certificate used to
+                                sign the AttCert.  Alternatively,
+                                certFilePathList can be set via __init__
+                                (default chkSig value is True)
+        @param chkTime: set to True to do time validity check (default is
+        True)
+        @param chkVersion: set to True to Attribute Certificate file
+        version (default is True)
+        @param chkProvenanceset to True to check provenance value is valid
+        (default is True)
+        @param chkSig: set to True to check digital signature - for
+        this certFilePathList must contain the root certificate of the X.509
+        certificate used to sign the AttCert.  Alternatively, certFilePathList
+        can be set via __init__ (default chkSig value is True)
+        raiseExcep:             set to true to raise an exception if invalid
+                                instead of returning False.  Default is to set
+                                this flag to False.
+        Also accepts keyword arguments corresponding to XMLSecDoc.isValidSig:
+        xmlTxt:                 string buffer containing the text from the XML
+                                file to be checked.  If omitted, the
+                                filePath argument is used instead.
+        filePath:               file path to XML file to be checked.  This
+                                argument is used if no xmlTxt was provided.
+                                If filePath itself is omitted the file set
+                                by self.__filePath is read instead.
+        certFilePathList:       list of files paths must contain certificate
+                                of trusted authority used to validate the
+                                signature.  If set, it is copied into
+                                self.__certFilePathList.  If omitted
+                                self.__certFilePathList is used unchanged.
+        @param raiseExcep: set to true to raise an exception if invalid
+        instead of returning False.  Default is to set this flag to False.
+        @param **xmlSecDocKw: Also accepts keyword arguments corresponding to
+        XMLSecDoc.verifyEnvelopedSignature().
+        @return boolean True if certificate is valid, False otherwise.  Also
+        see explanation for raiseExcep keyword.
         """
 …
             return False
         if chkVersion and not self.isValidVersion():
             if raiseExcep:
                 raise AttCertError('Attribute Certificate version is ' + \
+                raise AttCertError, 'Attribute Certificate version is ' + \
                                    self.__dat['version'] + ' but version ' + \
+                                   AttCert.__version + ' expected')
+                                   AttCert.version + ' expected'
             return False
         if chkProvenance and not self.isValidProvenance():
             if raiseExcep:
                 raise AttCertError(\
+                raise AttCertError, \
                     "Attribute Certificate Provenance must be set to \"" + \
+                    "\" or \"".join(AttCert.__provenance) + "\"")
+                    "\" or \"".join(AttCert.__provenance) + "\""
             return False
         # Handle exception from XMLSecDocc.isValidSig() regardless of
         # raiseExcep flag setting
+        try:
+            if chkSig and not self.isValidSig(**xmlSecDocKeys):
+                if raiseExcep:
+                    raise AttCertError(\
+                                "Attribute Certificate signature is invalid")
+        if chkSig:
+            try:
+                self.verifyEnvelopedSignature(**xmlSecDocKw)
+            except InvalidSignature, e:
+                 if raiseExcep:
+                     raise AttCertError, \
+                                "Attribute Certificate signature:" + str(e)
+                 else:
+                     return False
-                return False
-        except Exception, e:
-            raise AttCertError(str(e))
         # All tests passed
         return True
 #_____________________________________________________________________________
 # Alternative AttCert constructors
+#
 def AttCertRead(filePath):
     """Create a new attribute certificate read in from a file"""
 …
     return attCert
+#_________________________________________________________________________
 def AttCertParse(attCertTxt):
     """Create a new attribute certificate from string of file content"""

TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py

-                      r1962
+                      r1964
 import sys
 # For asString() - enables XML header to be stripped if required
+# For removal of BEGIN and END CERTIFICATE markers from X.509 certs
 import re
-# Use to create buffer for string output for asString() method
-from cStringIO import StringIO
 # Include for re-parsing doc ready for canonicalization in sign method - see

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 1964

Legend:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py

TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py

Download in other formats: