Changeset 5357

Timestamp:

05/06/09 12:36:59 (12 years ago)

Author:

pjkersha

Message:

• fix to WS-Security signature handler 4Suite implementation (ndg.security.common.wssecurity.signaturehandler.foursuite) to ensure timestamp is checked correctly
• refactored ndg.security.common.wssecurity moving encryption handler development code into its own ndg.security.common.wssecurity.encryptionhandler package
• Fixed copyright on some remaining files that still had NERC/CCLRC
• further work on SSL CLient AuthN WSGI unit tests ndg.security.test.unit.wsgi.ssl

Location:

TI12-security/trunk/python

Files:

• Makefile (modified) (1 diff)
• MyProxyClient/documentation/Makefile (modified) (1 diff)
• Tests/etreewss/client/Makefile (modified) (1 diff)
• Tests/etreewss/server/Makefile (modified) (1 diff)
• ndg.security.common/ndg/security/common/authz/msi.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/wssecurity/__init__.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/wssecurity/encryptionhandler (added)
• ndg.security.common/ndg/security/common/wssecurity/encryptionhandler/__init__.py (added)
• ndg.security.common/ndg/security/common/wssecurity/encryptionhandler/dom.py (added)
• ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py (modified) (6 diffs)
• ndg.security.common/ndg/security/common/wssecurity/signaturehandler/dom.py (modified) (8 diffs)
• ndg.security.common/ndg/security/common/wssecurity/signaturehandler/etree.py (modified) (9 diffs)
• ndg.security.common/ndg/security/common/wssecurity/signaturehandler/foursuite.py (modified) (7 diffs)
• ndg.security.common/ndg/security/common/zsi/attributeauthority/Makefile (modified) (1 diff)
• ndg.security.common/ndg/security/common/zsi/sessionmanager/Makefile (modified) (1 diff)
• ndg.security.server/ndg/security/server/share/Makefile (modified) (1 diff)
• ndg.security.server/ndg/security/server/wsgi/authz.py (modified) (6 diffs)
• ndg.security.server/ndg/security/server/wsgi/ssl.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/zsi/attributeauthority/Makefile (modified) (1 diff)
• ndg.security.server/ndg/security/server/zsi/sessionmanager/Makefile (modified) (1 diff)
• ndg.security.server/ndg/security/server/zsi/twisted/attributeauthority/Makefile (modified) (1 diff)
• ndg.security.server/ndg/security/server/zsi/twisted/sessionmanager/Makefile (modified) (1 diff)
• ndg.security.test/ndg/security/test/config/sessionmanager/userx509certauthn.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/unit/attCert/ac.xml (modified) (2 diffs)
• ndg.security.test/ndg/security/test/unit/wsgi/ssl/test_ssl.py (modified) (4 diffs)
• ndg.security.test/ndg/security/test/unit/wssecurity/dom/client/Makefile (modified) (1 diff)
• ndg.security.test/ndg/security/test/unit/wssecurity/dom/server/Makefile (modified) (1 diff)
• ndg.security.test/ndg/security/test/unit/wssecurity/foursuite/client/Makefile (modified) (1 diff)
• ndg.security.test/ndg/security/test/unit/wssecurity/foursuite/server/Makefile (modified) (1 diff)

TI12-security/trunk/python/Makefile

@@ -6 +6 @@
 # Make all eggs
 #
-# @copyright: (C) 2007 CCLRC & NERC
+# @copyright: (C) 2007 STFC
 #
 # @license: This software may be distributed under the terms of the Q Public

TI12-security/trunk/python/MyProxyClient/documentation/Makefile

@@ -7 +7 @@
 #
 
-# @copyright: (C) 2008 CCLRC & NERC
+# @copyright: (C) 2008 STFC
 #
 # @license: This software may be distributed under the terms of the Q Public

TI12-security/trunk/python/Tests/etreewss/client/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public

TI12-security/trunk/python/Tests/etreewss/server/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py

@@ -554 +554 @@
         
         # Iterate through matching targets checking for user access
-        knownAttributeAuthorityURIs = []
         request.subject[Subject.ROLES_NS] = []
         permitForAllTargets = [Response.DECISION_PERMIT]*numMatchingTargets
@@ -565 +564 @@
             # Make call to the Policy Information Point to pull user
             # attributes applicable to this resource
-            if matchingTarget.attributeAuthorityURI not in \
-               knownAttributeAuthorityURIs:
+            attributeQuery = PIPAttributeQuery()
+            attributeQuery[PIPAttributeQuery.SUBJECT_NS] = request.subject
+            
+            attributeQuery[PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] = \
+                                    matchingTarget.attributeAuthorityURI
+            
+            # Exit from function returning indeterminate status if a 
+            # problem occurs here
+            try:
+                attributeResponse=self.pip.attributeQuery(attributeQuery)
                 
-                attributeQuery = PIPAttributeQuery()
-                attributeQuery[PIPAttributeQuery.SUBJECT_NS] = request.subject
+            except SubjectRetrievalError, e:
+                # i.e. a defined exception within the scope of this
+                # module
+                log.exception(e)
+                return Response(Response.DECISION_INDETERMINATE,
+                                message=str(e))
                 
-                attributeQuery[PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] = \
-                                        matchingTarget.attributeAuthorityURI
-                
-                # Exit from function returning indeterminate status if a 
-                # problem occurs here
-                try:
-                    attributeResponse=self.pip.attributeQuery(attributeQuery)
-                    
-                except SubjectRetrievalError, e:
-                    # i.e. a defined exception within the scope of this
-                    # module
-                    log.exception(e)
-                    return Response(Response.DECISION_INDETERMINATE,
-                                    message=str(e))
-                    
-                except Exception, e:
-                    log.exception(e)
-                    return Response(Response.DECISION_INDETERMINATE,
-                                    message="An internal error occurred")
-                    
-                knownAttributeAuthorityURIs.append(
-                                        matchingTarget.attributeAuthorityURI)
-                
-                # Accumulate attributes retrieved from multiple attribute
-                # authorities
-                request.subject[Subject.ROLES_NS] += attributeResponse[
-                                                            Subject.ROLES_NS]
+            except Exception, e:
+                log.exception(e)
+                return Response(Response.DECISION_INDETERMINATE,
+                                message="An internal error occurred")
+                            
+            # Accumulate attributes retrieved from multiple attribute
+            # authorities
+            request.subject[Subject.ROLES_NS] += attributeResponse[
+                                                        Subject.ROLES_NS]
                
             # Match the subject's attributes against the target

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py

@@ -23 +23 @@
     CaseSensitiveConfigParser
 
-class WSSecurityConfigError(Exception):
+class WSSecurityError(Exception):
+    """For WS-Security generic exceptions not covered by other exception
+    classes in this module"""
+    def __init__(self, errorMessage):
+        log.warning(errorMessage)
+        super(WSSecurityError, self).__init__(errorMessage)
+        
+class WSSecurityConfigError(WSSecurityError):
     """Configuration error with WS-Security setting or settings"""
     
@@ -46 +53 @@
              caCertFilePathList=[],
              addTimestamp=True,
+             timestampMustBeSet=False,
+             createdElemMustBeSet=True,
+             expiresElemMustBeSet=True,
              applySignatureConfirmation=False,
              refC14nInclNS=[],

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py

@@ -26 +26 @@
 
 # Enable settings from a config file
-from ndg.security.common.wssecurity import WSSecurityConfig
+from ndg.security.common.wssecurity import WSSecurityConfig, WSSecurityError
 
 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
@@ -35 +35 @@
 log = logging.getLogger(__name__)
 
-
-class _ENCRYPTION(ENCRYPTION):
-    '''Derived from ENCRYPTION class to add in extra 'tripledes-cbc' - is this
-    any different to 'des-cbc'?  ENCRYPTION class implies that it is the same
-    because it's assigned to 'BLOCK_3DES' ??'''
-    BLOCK_TRIPLEDES = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
 
 class _WSU(WSU):
@@ -57 +51 @@
 
 
-class WSSecurityError(Exception):
-    """For WS-Security generic exceptions not covered by other exception
-    classes in this module"""
-    def __init__(self, errorMessage):
-        log.warning(errorMessage)
-        super(WSSecurityError, self).__init__(errorMessage)
-
 class InvalidCertChain(WSSecurityError):    
     """Raised from SignatureHandler.verify if the certificate submitted to
@@ -75 +62 @@
     """Raised from SignatureHandler._verifyTimestamp if there is a problem with
     the created or expiry times in an input message Timestamp"""
+
+class MessageExpired(TimestampError):
+    """Raised from SignatureHandler._verifyTimestamp if the timestamp of
+    the message being processed is before the current time.  Can be caught in
+    order to set a wsu:MessageExpired fault code"""
     
 class InvalidSignature(WSSecurityError):
@@ -271 +263 @@
             self.caCertFilePathList = self.cfg['caCertFilePathList']
         
+        # Configure signature generation t oadd/omit a timestamp
         self.addTimestamp = self.cfg['addTimestamp']
+        
+        # Configure timestamp checking in Signature verification handler
+        self.timestampMustBeSet = self.cfg['timestampMustBeSet']
+        self.createdElemMustBeSet = self.cfg['createdElemMustBeSet']
+        self.expiresElemMustBeSet = self.cfg['expiresElemMustBeSet']
         
         # set default value, if none specified in config file
@@ -691 +689 @@
                       doc="List of CA cert. files used for verification")
                 
+
+    def _setBool(self, val):
+        """Convert input string, float or int to bool type
+        
+        @type val: int, float or basestring
+        @param val: input value to be converted
+        @rtype: bool
+        @return: input value converted to bool type
+        """
+        
+        if isinstance(val, bool):
+            return val
+        
+        elif isinstance(val, basestring):
+            val = val.lower()
+            if val not in ("true", "false"):
+                raise ValueError("String conversion failed for input: %r"%val)
+            
+            return val == "true"
+            
+        elif isinstance(val, (int, float)): 
+            return bool(val)
+        else:
+            raise TypeError("Invalid type for bool conversion: %r" % 
+                            val.__class__)
+        
+    def _get_timestampMustBeSet(self):
+        return getattr(self, "_timestampMustBeSet", False)
+
+    def _set_timestampMustBeSet(self, val):
+        self._timestampMustBeSet = self._setBool(val)
+        
+    timestampMustBeSet = property(fset=_set_timestampMustBeSet,
+                                  fget=_get_timestampMustBeSet,
+                                  doc="Set to True to raise an exception if a "
+                                      "message to be verified doesn't have a "
+                                      "timestamp element.  Set to False to "
+                                      "log a warning message and continue "
+                                      "processing")
+    
+    def _get_createdElemMustBeSet(self):
+        return getattr(self, "_createdElemMustBeSet", False)
+
+    def _set_createdElemMustBeSet(self, val):
+        self._createdElemMustBeSet = self._setBool(val)
+        
+    createdElemMustBeSet = property(fset=_set_createdElemMustBeSet,
+                                    fget=_get_createdElemMustBeSet,
+                                    doc="Set to True to raise an exception if "
+                                        "a message to be verified doesn't "
+                                        "have <wsu:Created/> element with its "
+                                        "timestamp element.  Set to False to "
+                                        "log a warning message and continue "
+                                        "processing")
+    
+    def _get_expiresElemMustBeSet(self):
+        return getattr(self, "_expiresElemMustBeSet", False)
+
+    def _set_expiresElemMustBeSet(self, val):
+        self._expiresElemMustBeSet = self._setBool(val)
+        
+    expiresElemMustBeSet = property(fset=_set_expiresElemMustBeSet,
+                                    fget=_get_expiresElemMustBeSet,
+                                    doc="Set to True to raise an exception if "
+                                        "a message to be verified doesn't "
+                                        "have <wsu:Expires/> element with its "
+                                        "timestamp element.  Set to False to "
+                                        "log a warning message and continue "
+                                        "processing")                                  
+
+                              

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/dom.py

@@ -1 +1 @@
 """ DOM based WS-Security digital signature handler
 
-NERC Data Grid Project
+NERC DataGrid Project
 """
 __author__ = "C Byrom"
@@ -18 +18 @@
 import base64
 
-# Conditional import as this is required for the encryption
-# handler
-try:
-    # For shared key encryption
-    from Crypto.Cipher import AES, DES3
-except:
-    from warnings import warn
-    warn('Crypto.Cipher not available: EncryptionHandler disabled!',
-         RuntimeWarning)
-    class AES:
-        MODE_ECB = None
-        MODE_CBC = None
-        
-    class DES3: 
-        MODE_CBC = None
-
 import os
 
@@ -68 +52 @@
 import logging
 log = logging.getLogger(__name__)
-
-from ndg.security.common.wssecurity.signaturehandler import _ENCRYPTION, \
-    _WSU, OASIS, BaseSignatureHandler, WSSecurityError, NoSignatureFound, \
-    InvalidSignature, TimestampError, VerifyError, SignatureError
-
-# Enable settings from a config file
-from ndg.security.common.wssecurity import WSSecurityConfig
+from ndg.security.common.wssecurity import WSSecurityError
+from ndg.security.common.wssecurity.signaturehandler import _WSU, OASIS, \
+    BaseSignatureHandler, NoSignatureFound, InvalidSignature, TimestampError, \
+    MessageExpired, VerifyError, SignatureError
 
 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
     X509Stack, X509StackParseFromDER
+
+
+# Helper functions     
+def getElements(node, nameList):
+    '''DOM Helper function for getting child elements from a given node'''
+    # Avoid sub-string matches
+    nameList = isinstance(nameList, basestring) and [nameList] or nameList
+    return [n for n in node.childNodes if str(n.localName) in nameList]
+
+
+def getChildNodes(node, nodeList=None):
+    if nodeList is None:
+        nodeList = [node] 
+    return _getChildNodes(node, nodeList)
+           
+def _getChildNodes(node, nodeList):
+
+    if node.attributes is not None:
+        nodeList += node.attributes.values() 
+    nodeList += node.childNodes
+    for childNode in node.childNodes:
+        _getChildNodes(childNode, nodeList)
+    return nodeList
+
 
 class SignatureHandler(BaseSignatureHandler):
@@ -141 +146 @@
         
 
-    def _verifyTimeStamp(self, parsedSOAP, ctxt, timestampMustBeSet=False):
+    def _verifyTimeStamp(self, 
+                         parsedSOAP, 
+                         ctxt, 
+                         timestampMustBeSet=False,
+                         createdElemMustBeSet=True,
+                         expiresElemMustBeSet=True):
         """Call from verify to check timestamp if found.  
         
@@ -150 +160 @@
         sender
         @type ctxt:
-        @param ctxt: XPath context object"""
+        @param ctxt: XPath context object
+        @type timestampMustBeSet: bool
+        @param timestampMustBeSet: if set to True, raise an exception if no
+        timestamp element is found
+        @type createdElemMustBeSet: bool
+        @param createdElemMustBeSet: if True. raise an exception if no
+        <wsu:Created/> element is present
+        @param expiresElemMustBeSet: if True. raise an exception if no
+        <wsu:Expires/> element is present
+        """
 
         # TODO: do we need to be more rigorous in terms of handling the 
@@ -159 +178 @@
                                            contextNode=parsedSOAP.dom,
                                            context=ctxt)[0]
-        except:
+        except IndexError:
             msg = "Verifying message - No timestamp element found"
             if timestampMustBeSet:
@@ -172 +191 @@
         createdNode = timestampNode.getElementsByTagName("wsu:Created")
         if createdNode is None:
-            raise TimestampError("Verifying message - No Created timestamp "
-                                 "sub-element found")
-            
-        # Workaround for fractions of second
-        try:
-            createdDateTime, createdSecFraction = \
+            msg = ("Verifying message: no <wsu:Created/> timestamp "
+                   "sub-element found")
+            if createdElemMustBeSet:
+                raise TimestampError(msg)
+            else:
+                log.warning(msg)
+        else:    
+            # Workaround for fractions of second
+            try:
+                createdDateTime, createdSecFraction = \
                             createdNode[0].childNodes[0].nodeValue.split('.')
-            dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
-            createdSeconds = float("0." + createdSecFraction.replace('Z', ''))
-            dtCreated += timedelta(seconds=createdSeconds)
-                                            
-        except ValueError, e:
-            raise TimestampError("Failed to parse timestamp Created element: "
-                                 "%s" % e)
-        
-        if dtCreated >= dtNow:
-            raise TimestampError("Timestamp created time %s is equal to or "
-                                 "after the current time %s" % \
-                                 (dtCreated, dtNow))
+                dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
+                createdSeconds = float("0."+createdSecFraction.replace('Z',''))
+                dtCreated += timedelta(seconds=createdSeconds)
+                                                
+            except ValueError, e:
+                raise TimestampError("Failed to parse timestamp Created "
+                                     "element: %s" % e)
+            
+            if dtCreated >= dtNow:
+                raise TimestampError("Timestamp created time %s is equal to "
+                                     "or after the current time %s" %
+                                     (dtCreated, dtNow))
         
         expiresNode = timestampNode.getElementsByTagName("wsu:Expires")
         if expiresNode is None:
-            log.warning("Verifying message - No Expires element found in "
-                        "Timestamp")
-            return
-
-        try:
-            expiresDateTime, expiresSecFraction = \
+            msg = ("Verifying message: no <wsu:Expires/> element found in "
+                   "Timestamp")
+            if expiresElemMustBeSet:
+                raise TimestampError(msg)
+            else:
+                log.warning(msg)
+        else:
+            try:
+                expiresDateTime, expiresSecFraction = \
                             expiresNode[0].childNodes[0].nodeValue.split('.')
-            dtExpiry = _strptime(expiresDateTime, '%Y-%m-%dT%H:%M:%S')
-            expirySeconds = float("0." + expiresSecFraction.replace('Z', ''))
-            dtExpiry += timedelta(seconds=expirySeconds)
-
-        except ValueError, e:
-            raise TimestampError("Failed to parse timestamp Expires element: "
-                                 "%s" % e)
-
-        if dtExpiry < dtNow:
-            raise TimestampError("Timestamp expiry time %s is before the "
-                                 "current time %s - i.e. the message has "
-                                 "expired." % (dtExpiry, dtNow))
+                dtExpiry = _strptime(expiresDateTime, '%Y-%m-%dT%H:%M:%S')
+                expirySeconds = float("0."+expiresSecFraction.replace('Z', ''))
+                dtExpiry += timedelta(seconds=expirySeconds)
+    
+            except ValueError, e:
+                raise TimestampError("Failed to parse timestamp Expires "
+                                     "element: %s" % e)
+    
+            if dtExpiry < dtNow:
+                raise MessageExpired("Message has expired: timestamp expiry "
+                                     "time %s is before the current time %s." %
+                                     (dtExpiry, dtNow))
             
                    
@@ -723 +749 @@
                                   caX509Stack=self._caX509Stack)
         
-        self._verifyTimeStamp(parsedSOAP, ctxt) 
+        self._verifyTimeStamp(parsedSOAP, 
+                              ctxt,
+                              timestampMustBeSet=self.timestampMustBeSet,
+                              createdElemMustBeSet=self.createdElemMustBeSet,
+                              expiresElemMustBeSet=self.expiresElemMustBeSet) 
+
         log.info("Signature OK")        
-        
-
-class EncryptionError(WSSecurityError):
-    """Flags an error in the encryption process"""
-
-class DecryptionError(WSSecurityError):
-    """Raised from EncryptionHandler.decrypt if an error occurs with the
-    decryption process"""
-
-
-class EncryptionHandler(object):
-    """Encrypt/Decrypt SOAP messages using WS-Security""" 
-    
-    # Map namespace URIs to Crypto algorithm module and mode 
-    cryptoAlg = \
-    {
-         _ENCRYPTION.WRAP_AES256:      {'module':       AES, 
-                                        'mode':         AES.MODE_ECB,
-                                        'blockSize':    16},
-         
-         # CBC (Cipher Block Chaining) modes
-         _ENCRYPTION.BLOCK_AES256:     {'module':       AES, 
-                                        'mode':         AES.MODE_CBC,
-                                        'blockSize':    16},
-                                        
-         _ENCRYPTION.BLOCK_TRIPLEDES:  {'module':       DES3, 
-                                        'mode':         DES3.MODE_CBC,
-                                        'blockSize':    8}   
-    }
-
-     
-    def __init__(self,
-                 signingCertFilePath=None, 
-                 signingPriKeyFilePath=None, 
-                 signingPriKeyPwd=None,
-                 chkSecurityTokRef=False,
-                 encrNS=_ENCRYPTION.BLOCK_AES256):
-        
-        self.__signingCertFilePath = signingCertFilePath
-        self.__signingPriKeyFilePath = signingPriKeyFilePath
-        self.__signingPriKeyPwd = signingPriKeyPwd
-        
-        self.__chkSecurityTokRef = chkSecurityTokRef
-        
-        # Algorithm for shared key encryption
-        try:
-            self.__encrAlg = self.cryptoAlg[encrNS]
-            
-        except KeyError:
-            raise EncryptionError, \
-        'Input encryption algorithm namespace "%s" is not supported' % encrNS
-
-        self.__encrNS = encrNS
-        
-        
-    def encrypt(self, soapWriter):
-        """Encrypt an outbound SOAP message
-        
-        Use Key Wrapping - message is encrypted using a shared key which 
-        itself is encrypted with the public key provided by the X.509 cert.
-        signingCertFilePath"""
-        
-        # Use X.509 Cert to encrypt
-        x509Cert = X509.load_cert(self.__signingCertFilePath)
-        
-        soapWriter.dom.setNamespaceAttribute('wsse', OASIS.WSSE)
-        soapWriter.dom.setNamespaceAttribute('xenc', _ENCRYPTION.BASE)
-        soapWriter.dom.setNamespaceAttribute('ds', DSIG.BASE)
-        
-        # TODO: Put in a check to make sure <wsse:security> isn't already 
-        # present in header
-        wsseElem = soapWriter._header.createAppendElement(OASIS.WSSE, 
-                                                         'Security')
-        wsseElem.node.setAttribute('SOAP-ENV:mustUnderstand', "1")
-        
-        encrKeyElem = wsseElem.createAppendElement(_ENCRYPTION.BASE, 
-                                                   'EncryptedKey')
-        
-        # Encryption method used to encrypt the shared key
-        keyEncrMethodElem = encrKeyElem.createAppendElement(_ENCRYPTION.BASE, 
-                                                        'EncryptionMethod')
-        
-        keyEncrMethodElem.node.setAttribute('Algorithm', 
-                                            _ENCRYPTION.KT_RSA_1_5)
-
-
-        # Key Info
-        KeyInfoElem = encrKeyElem.createAppendElement(DSIG.BASE, 'KeyInfo')
-        
-        secTokRefElem = KeyInfoElem.createAppendElement(OASIS.WSSE, 
-                                                  'SecurityTokenReference')
-        
-        x509IssSerialElem = secTokRefElem.createAppendElement(DSIG.BASE, 
-                                                          'X509IssuerSerial')
-
-        
-        x509IssNameElem = x509IssSerialElem.createAppendElement(DSIG.BASE, 
-                                                          'X509IssuerName')
-        x509IssNameElem.createAppendTextNode(x509Cert.get_issuer().as_text())
-
-        
-        x509IssSerialNumElem = x509IssSerialElem.createAppendElement(
-                                                  DSIG.BASE, 
-                                                  'X509IssuerSerialNumber')
-        
-        x509IssSerialNumElem.createAppendTextNode(
-                                          str(x509Cert.get_serial_number()))
-
-        # References to what has been encrypted
-        encrKeyCiphDataElem = encrKeyElem.createAppendElement(
-                                                          _ENCRYPTION.BASE,
-                                                          'CipherData')
-        
-        encrKeyCiphValElem = encrKeyCiphDataElem.createAppendElement(
-                                                          _ENCRYPTION.BASE,
-                                                          'CipherValue')
-
-        # References to what has been encrypted
-        refListElem = encrKeyElem.createAppendElement(_ENCRYPTION.BASE,
-                                                      'ReferenceList')
-        
-        dataRefElem = refListElem.createAppendElement(_ENCRYPTION.BASE,
-                                                      'DataReference')
-        dataRefElem.node.setAttribute('URI', "#encrypted")
-
-                     
-        # Add Encrypted data to SOAP body
-        encrDataElem = soapWriter.body.createAppendElement(_ENCRYPTION.BASE, 
-                                                           'EncryptedData')
-        encrDataElem.node.setAttribute('Id', 'encrypted')
-        encrDataElem.node.setAttribute('Type', _ENCRYPTION.BASE)  
-              
-        # Encryption method used to encrypt the target data
-        dataEncrMethodElem = encrDataElem.createAppendElement(
-                                                      _ENCRYPTION.BASE, 
-                                                      'EncryptionMethod')
-        
-        dataEncrMethodElem.node.setAttribute('Algorithm', self.__encrNS)
-        
-        # Cipher data
-        ciphDataElem = encrDataElem.createAppendElement(_ENCRYPTION.BASE,
-                                                        'CipherData')
-        
-        ciphValueElem = ciphDataElem.createAppendElement(_ENCRYPTION.BASE,
-                                                         'CipherValue')
-
-
-        # Get elements from SOAP body for encryption
-        dataElem = soapWriter.body.node.childNodes[0]
-        data = dataElem.toxml()
-     
-        # Pad data to nearest multiple of encryption algorithm's block size    
-        modData = len(data) % self.__encrAlg['blockSize']
-        nPad = modData and self.__encrAlg['blockSize'] - modData or 0
-        
-        # PAd with random junk but ...
-        data += os.urandom(nPad-1)
-        
-        # Last byte should be number of padding bytes
-        # (http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block)
-        data += chr(nPad)       
-        
-        # Generate shared key and input vector - for testing use hard-coded 
-        # values to allow later comparison              
-        sharedKey = os.urandom(self.__encrAlg['blockSize'])
-        iv = os.urandom(self.__encrAlg['blockSize'])
-        
-        alg = self.__encrAlg['module'].new(sharedKey,
-                                           self.__encrAlg['mode'],
-                                           iv)
- 
-        # Encrypt required elements - prepend input vector
-        encryptedData = alg.encrypt(iv + data)
-        dataCiphValue = base64.encodestring(encryptedData).strip()
-
-        ciphValueElem.createAppendTextNode(dataCiphValue)
-        
-        
-        # ! Delete unencrypted message body elements !
-        soapWriter.body.node.removeChild(dataElem)
-
-        
-        # Use X.509 cert public key to encrypt the shared key - Extract key
-        # from the cert
-        rsaPubKey = x509Cert.get_pubkey().get_rsa()
-        
-        # Encrypt the shared key
-        encryptedSharedKey = rsaPubKey.public_encrypt(sharedKey, 
-                                                      RSA.pkcs1_padding)
-        
-        encrKeyCiphVal = base64.encodestring(encryptedSharedKey).strip()
-        
-        # Add the encrypted shared key to the EncryptedKey section in the SOAP
-        # header
-        encrKeyCiphValElem.createAppendTextNode(encrKeyCiphVal)
-
-#        print soapWriter.dom.node.toprettyxml()
-#        import pdb;pdb.set_trace()
-        
-        
-    def decrypt(self, parsedSOAP):
-        """Decrypt an inbound SOAP message"""
-        
-        processorNss = \
-        {
-            'xenc':   _ENCRYPTION.BASE,
-            'ds':     DSIG.BASE, 
-            'wsu':    _WSU.UTILITY, 
-            'wsse':   OASIS.WSSE, 
-            'soapenv':"http://schemas.xmlsoap.org/soap/envelope/" 
-        }
-        ctxt = Context(parsedSOAP.dom, processorNss=processorNss)
-        
-        refListNodes = xpath.Evaluate('//xenc:ReferenceList', 
-                                      contextNode=parsedSOAP.dom, 
-                                      context=ctxt)
-        if len(refListNodes) > 1:
-            raise DecryptionError, 'Expecting a single ReferenceList element'
-        
-        try:
-            refListNode = refListNodes[0]
-        except:
-            # Message wasn't encrypted - is this OK or is a check needed for
-            # encryption info in SOAP body - enveloped form?
-            return
-
-
-        # Check for wrapped key encryption
-        encrKeyNodes = xpath.Evaluate('//xenc:EncryptedKey', 
-                                      contextNode=parsedSOAP.dom, 
-                                      context=ctxt)
-        if len(encrKeyNodes) > 1:
-            raise DecryptionError, 'This implementation can only handle ' + \
-                                   'single EncryptedKey element'
-        
-        try:
-            encrKeyNode = encrKeyNodes[0]
-        except:
-            # Shared key encryption used - leave out for the moment
-            raise DecryptionError, 'This implementation can only handle ' + \
-                                   'wrapped key encryption'
-
-        
-        # Check encryption method
-        keyEncrMethodNode = getElements(encrKeyNode, 'EncryptionMethod')[0]     
-        keyAlgorithm = keyEncrMethodNode.getAttributeNode("Algorithm").value
-        if keyAlgorithm != _ENCRYPTION.KT_RSA_1_5:
-            raise DecryptionError, \
-            'Encryption algorithm for wrapped key is "%s", expecting "%s"' % \
-                (keyAlgorithm, _ENCRYPTION.KT_RSA_1_5)
-
-                                                            
-        if self.__chkSecurityTokRef and self.__signingCertFilePath:
-             
-            # Check input cert. against SecurityTokenReference
-            securityTokRefXPath = '/ds:KeyInfo/wsse:SecurityTokenReference'
-            securityTokRefNode = xpath.Evaluate(securityTokRefXPath, 
-                                                contextNode=encrKeyNode, 
-                                                context=ctxt)
-            # TODO: Look for ds:X509* elements to check against X.509 cert 
-            # input
-
-
-        # Look for cipher data for wrapped key
-        keyCiphDataNode = getElements(encrKeyNode, 'CipherData')[0]
-        keyCiphValNode = getElements(keyCiphDataNode, 'CipherValue')[0]
-
-        keyCiphVal = str(keyCiphValNode.childNodes[0].nodeValue)
-        encryptedKey = base64.decodestring(keyCiphVal)
-
-        # Read RSA Private key in order to decrypt wrapped key  
-        priKeyFile = BIO.File(open(self.__signingPriKeyFilePath))          
-        pwdCallback = lambda *ar, **kw: self.__signingPriKeyPwd                                        
-        priKey = RSA.load_key_bio(priKeyFile, callback=pwdCallback)
-        
-        sharedKey = priKey.private_decrypt(encryptedKey, RSA.pkcs1_padding)
-        
-
-        # Check list of data elements that have been encrypted
-        for dataRefNode in refListNode.childNodes:
-
-            # Get the URI for the reference
-            dataRefURI = dataRefNode.getAttributeNode('URI').value                            
-            if dataRefURI[0] != "#":
-                raise VerifyError, \
-                    "Expecting # identifier for DataReference URI \"%s\"" % \
-                    dataRefURI
-
-            # XPath reference - need to check for wsu namespace qualified?
-            #encrNodeXPath = '//*[@wsu:Id="%s"]' % dataRefURI[1:]
-            encrNodeXPath = '//*[@Id="%s"]' % dataRefURI[1:]
-            encrNode = xpath.Evaluate(encrNodeXPath, 
-                                      contextNode=parsedSOAP.dom, 
-                                      context=ctxt)[0]
-                
-            dataEncrMethodNode = getElements(encrNode, 'EncryptionMethod')[0]     
-            dataAlgorithm = \
-                        dataEncrMethodNode.getAttributeNode("Algorithm").value
-            try:        
-                # Match algorithm name to Crypto module
-                CryptoAlg = self.cryptoAlg[dataAlgorithm]
-                
-            except KeyError:
-                raise DecryptionError, \
-'Encryption algorithm for data is "%s", supported algorithms are:\n "%s"' % \
-                    (keyAlgorithm, "\n".join(self.cryptoAlg.keys()))
-
-            # Get Data
-            dataCiphDataNode = getElements(encrNode, 'CipherData')[0]
-            dataCiphValNode = getElements(dataCiphDataNode, 'CipherValue')[0]
-        
-            dataCiphVal = str(dataCiphValNode.childNodes[0].nodeValue)
-            encryptedData = base64.decodestring(dataCiphVal)
-            
-            alg = CryptoAlg['module'].new(sharedKey, CryptoAlg['mode'])
-            decryptedData = alg.decrypt(encryptedData)
-            
-            # Strip prefix - assume is block size
-            decryptedData = decryptedData[CryptoAlg['blockSize']:]
-            
-            # Strip any padding suffix - Last byte should be number of padding
-            # bytes
-            # (http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block)
-            lastChar = decryptedData[-1]
-            nPad = ord(lastChar)
-            
-            # Sanity check - there may be no padding at all - the last byte 
-            # being the end of the encrypted XML?
-            #
-            # TODO: are there better sanity checks than this?!
-            if nPad < CryptoAlg['blockSize'] and nPad > 0 and \
-               lastChar != '\n' and lastChar != '>':
-                
-                # Follow http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block -
-                # last byte gives number of padding bytes
-                decryptedData = decryptedData[:-nPad]
-
-
-            # Parse the encrypted data - inherit from Reader as a fudge to 
-            # enable relevant namespaces to be added prior to parse
-            processorNss.update({'xsi': SCHEMA.XSI3, 'ns1': 'urn:ZSI:examples'})
-            class _Reader(Reader):
-                def initState(self, ownerDoc=None):
-                    Reader.initState(self, ownerDoc=ownerDoc)
-                    self._namespaces.update(processorNss)
-                    
-            rdr = _Reader()
-            dataNode = rdr.fromString(decryptedData, ownerDoc=parsedSOAP.dom)
-            
-            # Add decrypted element to parent and remove encrypted one
-            parentNode = encrNode._get_parentNode()
-            parentNode.appendChild(dataNode)
-            parentNode.removeChild(encrNode)
-            
-            from xml.dom.ext import ReleaseNode
-            ReleaseNode(encrNode)
-            
-            # Ensure body_root attribute is up to date in case it was
-            # previously encrypted
-            parsedSOAP.body_root = parsedSOAP.body.childNodes[0]
-            #print decryptedData
-            #import pdb;pdb.set_trace()
-
-
-       
-def getElements(node, nameList):
-    '''DOM Helper function for getting child elements from a given node'''
-    # Avoid sub-string matches
-    nameList = isinstance(nameList, basestring) and [nameList] or nameList
-    return [n for n in node.childNodes if str(n.localName) in nameList]
-
-
-def getChildNodes(node, nodeList=None):
-    if nodeList is None:
-        nodeList = [node] 
-    return _getChildNodes(node, nodeList)
-           
-def _getChildNodes(node, nodeList):
-
-    if node.attributes is not None:
-        nodeList += node.attributes.values() 
-    nodeList += node.childNodes
-    for childNode in node.childNodes:
-        _getChildNodes(childNode, nodeList)
-    return nodeList

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/etree.py

@@ -1 +1 @@
 """WS-Security digital signature handler for ElementTree XML package
 
-NERC Data Grid Project
+NERC DataGrid Project
 """
 __author__ = "P J Kershaw"
@@ -8 +8 @@
 __license__ = "BSD - see LICENSE file in top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
-__revision__ = '$Id:  $'
-
+__revision__ = '$Id$'
+import base64
+import os
 import re
 
@@ -15 +16 @@
 from sha import sha
 from M2Crypto import X509, BIO, RSA
-import base64
+from StringIO import StringIO
+
+from ZSI.wstools.Namespaces import DSIG, SOAP
 
 from elementtree import ElementTree, ElementC14N
-from StringIO import StringIO
-
-# Conditional import as this is required for the encryption
-# handler
-try:
-    # For shared key encryption
-    from Crypto.Cipher import AES, DES3
-except:
-    from warnings import warn
-    warn('Crypto.Cipher not available: EncryptionHandler disabled!',
-         RuntimeWarning)
-    class AES:
-        MODE_ECB = None
-        MODE_CBC = None
-        
-    class DES3: 
-        MODE_CBC = None
-
-import os
-
-import ZSI
-from ZSI.wstools.Namespaces import DSIG, WSA200403, \
-                                   SOAP, SCHEMA # last included for xsi
-
-from ZSI.TC import ElementDeclaration,TypeDefinition
-from ZSI.generate.pyclass import pyclass_type
-
-from ZSI.wstools.Utility import DOMException
-from ZSI.wstools.Utility import NamespaceError, MessageInterface, ElementProxy
-
-# Canonicalization
-from ZSI.wstools.c14n import Canonicalize
-
-from xml.dom import Node
-from xml.xpath.Context import Context
-from xml import xpath
-
-# Enable settings from a config file
-from ndg.security.common.wssecurity import WSSecurityConfig
-
-from ndg.security.common.wssecurity.signaturehandler import _WSU, OASIS, \
-    BaseSignatureHandler
 
 # Check SoapWriter.dom attribute is ElementTreeProxy type
 from ndg.security.common.zsi.elementtreeproxy import ElementTreeProxy
+
+from ndg.security.common.wssecurity import WSSecurityError
+from ndg.security.common.wssecurity.signaturehandler import _WSU, OASIS, \
+    BaseSignatureHandler, NoSignatureFound, \
+    InvalidSignature, TimestampError, MessageExpired, VerifyError, \
+    SignatureError
+
 
 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
@@ -93 +61 @@
     }
 
-                
 
     def _applySignatureConfirmation(self, wsseElem):
@@ -138 +105 @@
         '''
         # Nb. wsu ns declaration is in the SOAP header elem
-        timestampElem = ElementTree.Element("{%s}%s"%(_WSU.UTILITY,'Timestamp'))
+        timestampElem=ElementTree.Element("{%s}%s"%(_WSU.UTILITY,'Timestamp'))
         wsseElem.append(timestampElem)
         
@@ -159 +126 @@
         
 
-    def _verifyTimeStamp(self, parsedSOAP, timestampMustBeSet=False):
+    def _verifyTimeStamp(self, 
+                         parsedSOAP, 
+                         timestampMustBeSet=False,
+                         createdElemMustBeSet=True,
+                         expiresElemMustBeSet=True):
         """Call from verify to check timestamp if found.  
         
@@ -168 +139 @@
         sender
         @type timestampMustBeSet: bool
-        @param timestampMustBeSet: set to True to raise an exception if no
-        timestamp element is present in the message to be checked"""
-
+        @type timestampMustBeSet: bool
+        @param timestampMustBeSet: if set to True, raise an exception if no
+        timestamp element is found
+        @type createdElemMustBeSet: bool
+        @param createdElemMustBeSet: if True. raise an exception if no
+        <wsu:Created/> element is present
+        @param expiresElemMustBeSet: if True. raise an exception if no
+        <wsu:Expires/> element is present
+        """
         timestampElems = self._soapEnvElem.findall('.//wsu:Timestamp', 
                                                 namespaces=self._processorNSs)
@@ -193 +170 @@
                                          namespaces=self._processorNSs)
         if createdElem is None:
-            raise TimestampError("No 'Created' element found in timestamp")
-
-        # Workaround for fractions of second with datetime module
-        try:
-            createdDateTime,strCreatedSecFraction = createdElem.text.split('.')
-            strCreatedSecFraction = strCreatedSecFraction.split('Z')[0]
-            createdExp = -int(len(strCreatedSecFraction))
-            createdSecFraction = int(strCreatedSecFraction) * 10 ** createdExp
-            
-        except ValueError, e:
-            raise ValueError("Parsing timestamp Created element: %s" % e)
-        
-
-        dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
-        dtCreated += timedelta(seconds=createdSecFraction)
-        if dtCreated >= dtNow:
-            raise TimestampError(\
-        "Timestamp created time %s is equal to or after the current time %s" %\
-                (dtCreated, dtNow))
+            "No <wsu:Created/> element found in timestamp"
+            if createdElemMustBeSet:
+                raise TimestampError(msg)
+            else:
+                log.warning(msg)
+        else:
+            # Workaround for fractions of second with datetime module
+            try:
+                createdDateTime, strCreatedSecFraction = \
+                                                    createdElem.text.split('.')
+                strCreatedSecFraction = strCreatedSecFraction.split('Z')[0]
+                createdExp = -int(len(strCreatedSecFraction))
+                createdSecFraction = int(strCreatedSecFraction) *10**createdExp
+                
+            except ValueError, e:
+                raise ValueError("Parsing timestamp Created element: %s" % e)
+            
+    
+            dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
+            dtCreated += timedelta(seconds=createdSecFraction)
+            if dtCreated >= dtNow:
+                raise TimestampError("Timestamp created time %s is equal to "
+                                     "or after the current time %s" %
+                                     (dtCreated, dtNow))
         
         expiresElem = timestampElem.find("wsu:Expires",
                                          namespaces=self._processorNSs)
         if expiresElem is None:
-            raise TimestampError("Verifying message - No Expires element "
-                                 "found in Timestamp")
-
-        try:
-            expiryDateTime, strExpirySecFraction = expiresElem.text.split('.')
-            strExpirySecFraction = strExpirySecFraction.split('Z')[0]
-            expiryExp = -int(len(strExpirySecFraction))
-            expirySecFraction = int(strExpirySecFraction) * 10 ** expiryExp
-        except ValueError, e:
-            raise ValueError("Parsing timestamp Expires element: %s" % e)
-        
-        dtExpiry = _strptime(expiryDateTime, '%Y-%m-%dT%H:%M:%S')
-        dtExpiry += timedelta(seconds=expirySecFraction)
-        if dtExpiry < dtNow:
-            raise TimestampError(\
-                "Timestamp expiry time %s is before the current time %s" % \
-                (dtCreated, dtNow))
-            
-        log.debug("Verified timestamp")
-            
-                   
-    #_________________________________________________________________________
+            msg = "No <wsu:Expires/> element found in Timestamp"
+            if expiresElemMustBeSet:
+                raise TimestampError(msg)
+            else:
+                log.warning(msg)
+        else:
+            try:
+                expiryDateTime, strExpirySecFraction = \
+                                                    expiresElem.text.split('.')
+                strExpirySecFraction = strExpirySecFraction.split('Z')[0]
+                expiryExp = -int(len(strExpirySecFraction))
+                expirySecFraction = int(strExpirySecFraction) * 10 ** expiryExp
+                
+            except ValueError, e:
+                raise ValueError("Parsing timestamp Expires element: %s" % e)
+            
+            dtExpiry = _strptime(expiryDateTime, '%Y-%m-%dT%H:%M:%S')
+            dtExpiry += timedelta(seconds=expirySecFraction)
+            if dtExpiry < dtNow:
+                raise MessageExpired("Message has expired: timestamp expiry "
+                                     "time %s is before the current time %s" % 
+                                     (dtCreated, dtNow))
+            
+        log.debug("Completed timestamp verification")
+            
+            
     def sign(self, soapWriter):
         '''Sign the message body and binary security token of a SOAP message
@@ -697 +683 @@
         log.debug("Verified certificate chain of trust")
         
-        self._verifyTimeStamp(parsedSOAP) 
+        self._verifyTimeStamp(parsedSOAP,
+                              timestampMustBeSet=self.timestampMustBeSet,
+                              createdElemMustBeSet=self.createdElemMustBeSet,
+                              expiresElemMustBeSet=self.expiresElemMustBeSet) 
 
         log.info("Signature OK")        

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/foursuite.py

@@ -35 +35 @@
 from Ft.Xml.Domlette import CanonicalPrint
 
-from ndg.security.common.wssecurity.signaturehandler import _ENCRYPTION, \
-    _WSU, OASIS, BaseSignatureHandler, WSSecurityError, NoSignatureFound, \
-    InvalidSignature, TimestampError, VerifyError, SignatureError
-
-# Enable settings from a config file
-from ndg.security.common.wssecurity import WSSecurityConfig
+from ndg.security.common.wssecurity import WSSecurityError
+from ndg.security.common.wssecurity.signaturehandler import _WSU, OASIS, \
+    BaseSignatureHandler, NoSignatureFound, InvalidSignature, TimestampError, \
+    MessageExpired, VerifyError, SignatureError
 
 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
@@ -116 +114 @@
         
 
-    def _verifyTimeStamp(self, parsedSOAP, timestampMustBeSet=False):
-        """Call from verify to check timestamp if found.  
-        
-        TODO: refactor input args - maybe these should by object attributes
+    def _verifyTimeStamp(self, 
+                         parsedSOAP, 
+                         processorNss,
+                         timestampMustBeSet=False,
+                         createdElemMustBeSet=True,
+                         expiresElemMustBeSet=True):
+        """Call from verify to check timestamp if found.  The WS-Security 1.1
+        specification allows elements to be optional.  Hence, the bool flags
+        enable their configuration.  The default behaviour is, send a warning
+        if a timestamp is not found but if a timestamp is present raise
+        an exception if the created or the expired elements are missing.
         
         @type parsedSOAP: ZSI.parse.ParsedSoap
         @param parsedSOAP: object contain parsed SOAP message received from
         sender
-        @type ctxt:
-        @param ctxt: XPath context object"""
-
-        # TODO: do we need to be more rigorous in terms of handling the 
-        # situation where no timestamp is found?
-        
+        @type processorNss: dict
+        @param processorNss: namespaces to be used in XPath query to locate
+        timestamp.
+        @type timestampMustBeSet: bool
+        @param timestampMustBeSet: if set to True, raise an exception if no
+        timestamp element is found
+        @type createdElemMustBeSet: bool
+        @param createdElemMustBeSet: if True. raise an exception if no
+        <wsu:Created/> element is present
+        @param expiresElemMustBeSet: if True. raise an exception if no
+        <wsu:Expires/> element is present
+        """
+
         try:
-            timestampNode = parsedSOAP.dom.xpath('//wsu:Timestamp', 
+            timestampElem = parsedSOAP.dom.xpath('//wsu:Timestamp', 
                                                  explicitNss=processorNss)[0]
-        except:
+        except IndexError:
+            # Catch TypeError raised from attempt to reference element 0 of
+            # None type
             msg = "Verifying message - No timestamp element found"
             if timestampMustBeSet:
@@ -144 +158 @@
         dtNow = datetime.utcnow()
 
-        createdNode = timestampNode.getElementsByTagName("wsu:Created")
-        if createdNode is None:
-            raise TimestampError("Verifying message - No Created timestamp "
-                                 "sub-element found")
-            
-        # Workaround for fractions of second
-        try:
-            createdDateTime, createdSecFraction = \
-                            createdNode[0].childNodes[0].nodeValue.split('.')
-            dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
-            createdSeconds = float("0." + createdSecFraction.replace('Z', ''))
-            dtCreated += timedelta(seconds=createdSeconds)
-                                            
-        except ValueError, e:
-            raise TimestampError("Failed to parse timestamp Created element: "
-                                 "%s" % e)
-        
-        if dtCreated >= dtNow:
-            raise TimestampError("Timestamp created time %s is equal to or "
-                                 "after the current time %s" % \
-                                 (dtCreated, dtNow))
-        
-        expiresNode = timestampNode.getElementsByTagName("wsu:Expires")
-        if expiresNode is None:
-            log.warning("Verifying message - No Expires element found in "
-                        "Timestamp")
-            return
-
-        try:
-            expiresDateTime, expiresSecFraction = \
-                            expiresNode[0].childNodes[0].nodeValue.split('.')
-            dtExpiry = _strptime(expiresDateTime, '%Y-%m-%dT%H:%M:%S')
-            expirySeconds = float("0." + expiresSecFraction.replace('Z', ''))
-            dtExpiry += timedelta(seconds=expirySeconds)
-
-        except ValueError, e:
-            raise TimestampError("Failed to parse timestamp Expires element: "
-                                 "%s" % e)
-
-        if dtExpiry < dtNow:
-            raise TimestampError("Timestamp expiry time %s is before the "
-                                 "current time %s - i.e. the message has "
-                                 "expired." % (dtExpiry, dtNow))
+        createdElem = getElements(timestampElem, "Created")           
+        if len(createdElem) == 0:
+            msg = ("Verifying message: no <wsu:Created/> timestamp "
+                   "sub-element found")
+            if createdElemMustBeSet:
+                raise TimestampError(msg)
+            else:
+                log.warning(msg)
+        else:               
+            # Workaround for fractions of second
+            try:
+                createdDateTime, createdSecFraction = \
+                            createdElem[0].childNodes[0].nodeValue.split('.')
+                dtCreated = _strptime(createdDateTime, '%Y-%m-%dT%H:%M:%S')
+                createdSeconds = float("0."+createdSecFraction.replace('Z',''))
+                dtCreated += timedelta(seconds=createdSeconds)
+                                                
+            except ValueError, e:
+                raise TimestampError("Failed to parse timestamp Created "
+                                     "element: %s" % e)
+            
+            if dtCreated >= dtNow:
+                raise TimestampError("Timestamp created time %s is equal to "
+                                     "or after the current time %s" %
+                                     (dtCreated, dtNow))
+        
+        expiresElem = getElements(timestampElem, "Expires")
+        if len(expiresElem) == 0:
+            msg = ("Verifying message: no <wsu:Expires/> element found in "
+                   "Timestamp")
+            if expiresElemMustBeSet:
+                raise TimeStampError(msg)
+            else:
+                log.warning(warning)
+        else:
+            try:
+                expiresDateTime, expiresSecFraction = \
+                            expiresElem[0].childNodes[0].nodeValue.split('.')
+                dtExpiry = _strptime(expiresDateTime, '%Y-%m-%dT%H:%M:%S')
+                expirySeconds = float("0."+expiresSecFraction.replace('Z', ''))
+                dtExpiry += timedelta(seconds=expirySeconds)
+    
+            except ValueError, e:
+                raise TimestampError("Failed to parse timestamp Expires "
+                                     "element: %s" % e)
+    
+            if dtExpiry < dtNow:
+                raise MessageExpired("Message has expired: timestamp expiry "
+                                     "time %s is before the current time %s." %
+                                     (dtExpiry, dtNow))
             
                    
@@ -324 +345 @@
         # Add Reference to body so that it can be included in the signature
         soapWriter.body.setAttributeNS(_WSU.UTILITY, 'Id', "body")
-#        soapWriter.body.setAttributeNS('xmlns:wsu', _WSU.UTILITY)
-
-        # Serialize and re-parse prior to reference generation - calculating
-        # canonicalization based on soapWriter.dom.node seems to give an
-        # error: the order of wsu:Id attribute is not correct
-#        try:
-#            docNode = Reader().fromString(str(soapWriter))
-#        except Exception, e:
-#            raise SignatureError("Error parsing SOAP message for signing: %s"%
-#                                 e)
-
 
         refElems = soapWriter.body.evaluate('//*[@wsu:Id]', 
@@ -354 +364 @@
             # Canonicalize reference
             inclusiveNsKWs = self.createUnsupressedPrefixKW(self.refC14nKw)
-#            refSubsetList = getChildNodes(refElem)
-#            refC14n = Canonicalize(docNode, 
-#                                   None, 
-#                                   subset=refSubsetList,
-#                                   **inclusiveNsKWs)
             refC14n = refElem.canonicalize(algorithm=refC14nAlg, 
                                            **inclusiveNsKWs)
@@ -404 +409 @@
         #        
         # Canonicalize the signedInfo node
-#        docNode = Reader().fromString(str(soapWriter))
-#        ctxt = Context(docNode, processorNss=processorNss)
-#        signedInfoElem = xpath.Evaluate('//ds:SignedInfo', 
-#                                        contextNode=docNode, 
-#                                        context=ctxt)[0]
-#
-#        signedInfoSubsetList = getChildNodes(signedInfoElem)
-        
         signedInfoInclusiveNsKWs = self.createUnsupressedPrefixKW(
                                                         self.signedInfoC14nKw)
-#        c14nSignedInfo = Canonicalize(docNode, 
-#                                      None, 
-#                                      subset=signedInfoSubsetList,
-#                                      **inclusiveNSKWs)
         try:
             signedInfoElem = soapWriter.body.evaluate('//ds:SignedInfo',
@@ -691 +684 @@
                                   caX509Stack=self._caX509Stack)
         
-        self._verifyTimeStamp(parsedSOAP) 
+        self._verifyTimeStamp(parsedSOAP, 
+                              processorNss,
+                              timestampMustBeSet=self.timestampMustBeSet,
+                              createdElemMustBeSet=self.createdElemMustBeSet,
+                              expiresElemMustBeSet=self.expiresElemMustBeSet) 
         log.info("Signature OK")        

TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/attributeauthority/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2008 CCLRC & NERC
+# @copyright (C) 2008 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/share/Makefile

@@ -6 +6 @@
 # Generate SysV init scripts from ndg-aa template
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz.py

@@ -137 +137 @@
         policyCfg = PEPFilter._filterKeywords(local_conf, 'policy.')
         self.policyFilePath = policyCfg['filePath']
-        self.policy = Policy.Parse(policyCfg['filePath'])
+        policy = Policy.Parse(policyCfg['filePath'])
         
         # Initialise the Policy Information Point to None.  This object is
         # created and set later.  See AuthorizationMiddleware.
-        self.pdp = PDP(self.policy, None)
+        self.pdp = PDP(policy, None)
         
         self.sessionKey = local_conf.get('sessionKey', 
@@ -250 +250 @@
         path 
         """
-        matchingTargets = [target for target in self.policy.targets 
+        matchingTargets = [target for target in self.pdp.policy.targets 
                            if target.regEx.match(resourceURI) is not None]
         return matchingTargets
@@ -302 +302 @@
                 
         return filteredConf
+
+    def _getPDP(self):
+        if self._pdp is None:
+            raise TypeError("PDP object has not been initialised")
+        return self._pdp
+    
+    def _setPDP(self, pdp):
+        if not isinstance(pdp, (PDP, None.__class__)):
+            raise TypeError("Expecting %s or None type for pdp; got %r" %
+                            (PDP.__class__.__name__, pdp))
+        self._pdp = pdp
+
+    pdp = property(fget=_getPDP,
+                   fset=_setPDP,
+                   doc="Policy Decision Point object makes access control "
+                       "decisions on behalf of the PEP")
 
    
@@ -409 +425 @@
         attrCert = credential.get('attCert')
         if attrCert is not None:
-            log.debug("PIPMiddleware._getAttributeCertificate: existing "
-                      "Attribute Certificate cached in Credential Wallet for "
-                      "user session [%s]",
+            log.debug("PIPMiddleware._getAttributeCertificate: retrieved "
+                      "existing Attribute Certificate cached in Credential "
+                      "Wallet for user session [%s]",
                       self.session['username'])
 
@@ -474 +490 @@
         pepInterceptFunc = pepFilter.multiHandlerInterceptFactory()
         
+        # Slot in the Policy Information Point in the WSGI stack at this point
+        # so that it can take a copy of the beaker session object from environ
+        # ahead of the PDP make a request to it for an Attribute Certificate
+        # retrieval
         pipApp = PIPMiddleware(pepFilter,
                                global_conf,
@@ -480 +500 @@
         pepFilter.pdp.pip = pipApp
         
-#        app = MultiHandler(pepFilter)
         app = MultiHandler(pipApp)
 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/ssl.py

@@ -263 +263 @@
         # Check certificate Distinguished Name via 
         # ClientCertVerificationInterface object
-        return self._clientCertVerify(x509Cert)
-
+        return self._verifyClientCert(x509Cert)
+

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/attributeauthority/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/twisted/attributeauthority/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/twisted/sessionmanager/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/config/sessionmanager/userx509certauthn.py

@@ -45 +45 @@
         '''
         
-        # Check password by executing a trial load of the private key
+        # Check password by executing a trial load of the private key - Nb.
+        # unicode is not supported
         try:
             RSA.load_key_string(self.userPriKey, 
-                                callback=lambda *ar, **kw: passphrase)
+                                callback=lambda *ar, **kw: str(passphrase))
         except RSA.RSAError, e:
             raise AuthNServiceInvalidCredentials(e)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/attCert/ac.xml

@@ -9 +9 @@
         <userId>/O=NDG/OU=BADC/CN=pjkershaw</userId>
         <validity>
-            <notBefore>2009 05 14 11 18 00</notBefore> 
-            <notAfter>2009 05 14 19 18 00</notAfter> 
+            <notBefore>2009 06 05 08 04 29</notBefore> 
+            <notAfter>2009 06 05 16 04 29</notAfter> 
         </validity>
         <attributes>
@@ -27 +27 @@
         <provenance>original</provenance> 
     </acInfo>
-<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>sPx/VQ+W/6ImQpzpVyqNN4SRi94=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lvYk1Pjb7lDkkkZBrF8PhlT5krZWReU1l6X1vjDUPPkthV2ASVwj3NHCLJIFwrp3PCD8TLUERbhN
-7MBO/IhQ9AM2qHZDScc+QxJ1iCdXgIGiV5Bb98Gyex3ZxBE+Kj7HlD2NCwzLswKUTEHfdstMlWWI
-FuDlalmEJ2pyGdyi+DaA7b1g2rUxapJneqvH94SNQCaS7RqiThy5JyI/u43cMeZXgxCeGzDUZmWo
-UQb4jbLe+oQn7PhYV15jf3MwksLqfiLYO9iyjKZhfXQpn+mOW5dY3+00NTb5v6wup+f3l7uGNHkU
-U+AfrdIAp52UPM15kWd9aYjQQgdwDegzAz/mBA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICazCCAdSgAwIBAgICAQEwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>7rpCVUcm4cDwkpIzPBthqpqj38Q=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>FPniax9JlVxqLYlj9b0aEYbPFMyTvz8ok0Ci3tU+s0GV5HIiA0c7eXj9sU1JVy5jxyYYMtzcU9V6
+eszrVX4TL7Twk9GL3xCWk+7VttUAAT3AAdtYisjD2O6wCHl6H/K/orV5EKERb+raB4v6ji++wOi1
+WJFjtV/QTz8Ld/kaQFdJV2cl3DFlO3XvL+TkBMayrjI4UXuwZk+AlhYtvDUKrcSL36JNpJBIhvgu
+RLgdwgDwdQKoLkg/tNhYNaqDiAs6N2F17jhYzisfLmwZfTs8vefT9nrvz0lTbpEB1/geiAl9nWdB
+zKGTsPpYlOG9wdEL6BBhAD2RsDSr4pb+ng1tjA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICazCCAdSgAwIBAgICAQEwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
 MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNjE1MTE0
 OFoXDTEzMTIxNTE1MTE0OFowLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wsgi/ssl/test_ssl.py

@@ -19 +19 @@
 from paste.deploy import loadapp
 from ndg.security.test.unit import BaseTestCase
+from ndg.security.common.X509 import X509Cert
 
 class TestSSLClientAuthNMiddleware(BaseTestCase):
@@ -51 +52 @@
 
 
-class SSLClientAuthNTestCase(unittest.TestCase):
+class SSLClientAuthNTestCase(BaseTestCase):
 
     def __init__(self, *args, **kwargs):
@@ -58 +59 @@
         self.app = paste.fixture.TestApp(wsgiapp)
          
-        unittest.TestCase.__init__(self, *args, **kwargs)
+        BaseTestCase.__init__(self, *args, **kwargs)
         
 
@@ -73 +74 @@
     
     def test03ClientCertSet(self):
-        thisDir = os.dirname(__file__)
-        sslClientCertFilePath = os.path.join(BaseTestCase.configDirEnvVarName,
-                                             'pki',
-                                             'test.crt')
-        sslClientCert = str(X509.Read(sslClientCertFilePath))
+        thisDir = os.path.dirname(__file__)
+        sslClientCertFilePath = os.path.join(
+                                os.environ[BaseTestCase.configDirEnvVarName],
+                                'pki',
+                                'test.crt')
+        sslClientCert = X509Cert.Read(sslClientCertFilePath).toString()
         extra_environ = {'HTTPS':'1', 'SSL_CLIENT_CERT': sslClientCert}
         response = self.app.get('/secured/uri',

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wssecurity/dom/client/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wssecurity/dom/server/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wssecurity/foursuite/client/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public

TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wssecurity/foursuite/server/Makefile

@@ -7 +7 @@
 # server side code
 #
-# @copyright (C) 2007 CCLRC & NERC
+# @copyright (C) 2007 STFC
 #
 # @license This software may be distributed under the terms of the Q Public