Changeset 6277

Timestamp:

11/01/10 10:19:43 (11 years ago)

Author:

pjkersha

Message:

ndg.security.server.wsgi.openid.relyingparty.validation.SSLClientAuthNValidator integrated and working with Relying Party. RP will not only accept Providers running over SSL with DN common names matching a whitelist.

File:

• TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py

@@ -336 +336 @@
                           
     def validate(self, x509StoreCtx):
-        '''callback function used to control the behaviour when the 
-        SSL_VERIFY_PEER flag is set
-        
-        @type x509StoreCtx: M2Crypto.X509_Store_Context
+        '''Validate the peer certificate DN common name against a whitelist
+        of acceptable IdP names
+        
+        @type x509StoreCtx: M2Crypto.X509.X509_Store_Context
         @param x509StoreCtx: locate the certificate to be verified and perform 
         additional verification steps as needed
-        @rtype: int
-        @return: controls the strategy of the further verification process. 
-        - If verify_callback returns 0, the verification process is immediately 
-        stopped with "verification failed" state. If SSL_VERIFY_PEER is set, 
-        a verification failure alert is sent to the peer and the TLS/SSL 
-        handshake is terminated. 
-        - If verify_callback returns 1, the verification process is continued. 
-        If verify_callback always returns 1, the TLS/SSL handshake will not be 
-        terminated with respect to verification failures and the connection 
-        will be established. The calling process can however retrieve the error
-        code of the last verification error using SSL_get_verify_result(3) or 
-        by maintaining its own error storage managed by verify_callback.
-        '''
-        x509Cert = X509Cert.fromM2Crypto(x509StoreCtx.get_current_cert())
-        commonName = x509Cert.dn['CN']
-        
-        
+        
+        @raise IdPInvalidException: if none of the certificates in the chain
+        have DN common names matching the list of valid IdPs'''
         x509CertChain = x509StoreCtx.get1_chain()
+        dnList = []
         for cert in x509CertChain:
-            subject = cert.get_subject()
-            dn = subject.as_text()
-            log.debug("verifyCallback: dn = %r", dn)
-
-        # If all is OK preVerifyOK will be 1.  Return this to the caller to
-        # that it's OK to proceed
-        if commonName not in self.validIdPNames:
-            raise IdPInvalidException("Peer certificate CN=%s is not in list "
-                                      "of valid OpenID Providers" % commonName)
+            x509Cert = X509Cert.fromM2Crypto(cert)
+            dn = x509Cert.dn
+            commonName = dn['CN']
+            log.debug("iterating over cert. chain dn = %s", dn)
+    
+            if commonName in self.validIdPNames:
+                # Match found - return
+                log.debug("Found peer certificate with CN matching list of "
+                          "valid OpenID Provider peer certificates %r" %
+                          self.validIdPNames)
+                return
+            
+            dnList.append(dn)
+            
+        log.debug("Certificate chain yield certificates with DNs = %s"
+                  % dnList)
+        
+        # No matching peer certificate was found
+        raise IdPInvalidException("Peer certificate is not in list of valid "
+                                  "OpenID Providers")