Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6399

Timestamp:

25/01/10 16:19:17 (11 years ago)

Author:

pjkersha

Message:

Working client side

Location:

TI12-security/trunk/WSSecurity/ndg/wssecurity

Files:

: 4 edited

common/signaturehandler/__init__.py (modified) (8 diffs)
common/signaturehandler/foursuite.py (modified) (4 diffs)
test/unit/signaturehandler/foursuite/server/echoServer.py (modified) (2 diffs)
test/unit/signaturehandler/foursuite/server/wssecurity.cfg (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/WSSecurity/ndg/wssecurity/common/signaturehandler/init.py

-                      r6396
+                      r6399
         className=('',),
         reqBinarySecurityTokValType=(OASIS.X509TOKEN.X509,),
         verifyingCert=(None,),
+        verifyingCert=(None, ''),
         verifyingCertFilePath=(None, ''),
         signingCert=(None,),
+        signingCert=(None, ''),
         signingCertFilePath=(None, ''),
         signingCertChain=([],),
         signingPriKey=(None,),
+        signingPriKey=(None, ''),
         signingPriKeyFilePath=(None, ''),
         signingPriKeyPwd=(None, ''),
 …
                            doc="X.509 Certificate to include signature")
+    def _getSigningCertFilePath(self):
+        "Get signature X.509 certificate property method"
+        return self.__signingCertFilePath
     def _setSigningCertFilePath(self, signingCertFilePath):
         "Set signature X.509 certificate property method"
 …
         self.__signingCertFilePath = signingCertFilePath
+    signingCertFilePath = property(fset=_setSigningCertFilePath,
+    signingCertFilePath = property(fget=_getSigningCertFilePath,
+                                   fset=_setSigningCertFilePath,
                                    doc="File path X.509 cert. to include with "
                                        "signed message")
 …
         chain of trust.  The last certificate is the one associated with the
         private key used to sign the message.'''
+        self.__signingCertChain = X509Stack()
         for cert in signingCertChain:
+            self.__signingCertChain.push(cert)
+            if cert:
+                self.__signingCertChain.push(cert)
     def _getSigningCertChain(self):
 …
     signingCertChain = property(fset=_setSigningCertChain,
                                 fget=_getSigningCertChain,
+                                doc="Cert.s in chain of trust to cert. used "
+                                    "to verify msg.")
+                                doc="Certificates in the chain of trust to "
+                                    "verify the certificate provided in an "
+                                    "incoming message.")
     def _setSigningPriKeyPwd(self, signingPriKeyPwd):
         "Set method for private key file password used to sign message"
         if signingPriKeyPwd is not None and \
            not isinstance(signingPriKeyPwd, basestring):
+        if (signingPriKeyPwd is not None and
+            not isinstance(signingPriKeyPwd, basestring)):
             raise AttributeError("Signing private key password must be None "
                                  "or a valid string")
 …
         @type signingPriKey: M2Crypto.RSA.RSA / string / None
         @param signingPriKey: private key used to sign message"""
+        if isinstance(signingPriKey, basestring):
+        if not signingPriKey:
+            self.__signingPriKey = None
+        elif isinstance(signingPriKey, basestring):
             pwdCallback = lambda *ar, **kw: self.__signingPriKeyPwd
             self.__signingPriKey = RSA.load_key_string(signingPriKey,
 …
             self.__signingPriKey = signingPriKey
-        elif signingPriKey is None:
-            self.__signingPriKey = None
         else:
             raise TypeError("Signing private key must be a valid "
 …
         @type caCertDir: directory from which to read CA certificate files'''
         if caCertDir is None:
+        if not caCertDir:
             return

TI12-security/trunk/WSSecurity/ndg/wssecurity/common/signaturehandler/foursuite.py

-                      r6396
+                      r6399
 import os
 import re
+import traceback
 from cStringIO import StringIO
 …
     WS-Security
     """
+    # Namespaces for XPath searches
+    PROCESSOR_NSS = {
+        'ds':     DSIG.BASE,
+        'wsu':    _WSU.UTILITY,
+        'wsse':   OASIS.WSSE,
+        'soapenv':SOAP.ENV
+    }
     _refC14nPfxSet = lambda self: len(self.refC14nKw.get(
                             BaseSignatureHandler.ZSI_C14N_KEYWORD_NAME, [])) > 0
 …
                                         "for signature of signed info "
                                         "elements")
+    def sign(self, soapWriter):
+        '''Sign the message body and binary security token of a SOAP message
+        @type soapWriter: ZSI.writer.SoapWriter
+        @param soapWriter: ZSI object to write SOAP message
+        '''
+        # Add X.509 cert as binary security token
+        if self.reqBinarySecurityTokValType == \
+           self.BINARY_SECURITY_TOK_VAL_TYPE['X509PKIPathv1']:
+            if self.signingCertChain is None:
+                msg = 'SignatureHandler signingCertChain attribute is not set'
+                log.error(msg)
+                raise AttributeError(msg)
+            binSecTokVal = base64.encodestring(self.signingCertChain.asDER())
+        else:
+            # Assume X.509 / X.509 vers 3
+            if self.signingCert is None:
+                msg = 'SignatureHandler signingCert attribute is not set'
+                log.error(msg)
+                raise AttributeError(msg)
+            binSecTokVal = base64.encodestring(self.signingCert.asDER())
+        soapWriter._header.setNamespaceAttribute('wsse', OASIS.WSSE)
+        soapWriter._header.setNamespaceAttribute('wsse11', OASIS.WSSE11)
+        soapWriter._header.setNamespaceAttribute('wsu', _WSU.UTILITY)
+        soapWriter._header.setNamespaceAttribute('ds', DSIG.BASE)
+        # Flag if inclusive namespace prefixes are set for the signature or
+        # reference elements
+        if self.refC14nPfxSet or self.signedInfoC14nPfxSet:
+           soapWriter._header.setNamespaceAttribute('ec', DSIG.C14N_EXCL)
+        # Check <wsse:security> isn't already present in header
+        wsseElems = soapWriter._header.evaluate('//wsse:security',
+                                    processorNss=SignatureHandler.PROCESSOR_NSS)
+        if len(wsseElems) > 1:
+            raise SignatureError('wsse:Security element is already present')
+        # Add WSSE element
+        wsseElem = soapWriter._header.createAppendElement(OASIS.WSSE,
+                                                          'Security')
+        wsseElem.setNamespaceAttribute('wsse', OASIS.WSSE)
+        # Flag to recipient - they MUST parse and check this signature
+        wsseElem.setAttributeNS(SOAP.ENV, 'mustUnderstand', "1")
+        # Binary Security Token element will contain the X.509 cert
+        # corresponding to the private key used to sing the message
+        binSecTokElem = wsseElem.createAppendElement(OASIS.WSSE,
+                                                     'BinarySecurityToken')
+        # Value type can be any be any one of those supported via
+        # BINARY_SECURITY_TOK_VAL_TYPE
+        binSecTokElem.setAttributeNS(None,
+                                     'ValueType',
+                                     self.reqBinarySecurityTokValType)
+        binSecTokElem.setAttributeNS(None,
+                                     'EncodingType',
+                                     self.BINARY_SECURITY_TOK_ENCODING_TYPE)
+        # Add ID so that the binary token can be included in the signature
+        binSecTokElem.setAttributeNS(_WSU.UTILITY, 'Id', "binaryToken")
+        binSecTokElem.createAppendTextNode(binSecTokVal)
+        # Timestamp
+        if self.addTimestamp:
+            self._addTimeStamp(wsseElem)
+        # Signature Confirmation
+        if self.applySignatureConfirmation:
+            self._applySignatureConfirmation(wsseElem)
+        # Signature
+        signatureElem = wsseElem.createAppendElement(DSIG.BASE, 'Signature')
+        signatureElem.setNamespaceAttribute('ds', DSIG.BASE)
+        # Signature - Signed Info
+        signedInfoElem = signatureElem.createAppendElement(DSIG.BASE,
+                                                           'SignedInfo')
+        # Signed Info - Canonicalization method
+        c14nMethodElem = signedInfoElem.createAppendElement(DSIG.BASE,
+                                                    'CanonicalizationMethod')
+        # Set based on 'signedInfoIsExcl' property
+        c14nAlgOpt = (DSIG.C14N, DSIG.C14N_EXCL)
+        signedInfoC14nAlg = c14nAlgOpt[int(self.signedInfoC14nIsExcl)]
+        c14nMethodElem.setAttributeNS(None, 'Algorithm', signedInfoC14nAlg)
+        if self.signedInfoC14nPfxSet:
+            c14nInclNamespacesElem = c14nMethodElem.createAppendElement(
+                                                    signedInfoC14nAlg,
+                                                    'InclusiveNamespaces')
+            inclNsPfx = ' '.join(self.signedInfoC14nKw[
+                                        SignatureHandler.ZSI_C14N_KEYWORD_NAME])
+            c14nInclNamespacesElem.setAttributeNS(None, 'PrefixList', inclNsPfx)
+        # Signed Info - Signature method
+        sigMethodElem = signedInfoElem.createAppendElement(DSIG.BASE,
+                                                           'SignatureMethod')
+        sigMethodElem.setAttributeNS(None, 'Algorithm', DSIG.SIG_RSA_SHA1)
+        # Signature - Signature value
+        signatureValueElem = signatureElem.createAppendElement(DSIG.BASE,
+                                                             'SignatureValue')
+        # Key Info
+        KeyInfoElem = signatureElem.createAppendElement(DSIG.BASE, 'KeyInfo')
+        secTokRefElem = KeyInfoElem.createAppendElement(OASIS.WSSE,
+                                                  'SecurityTokenReference')
+        # Reference back to the binary token included earlier
+        wsseRefElem = secTokRefElem.createAppendElement(OASIS.WSSE,
+                                                        'Reference')
+        wsseRefElem.setAttributeNS(None, 'URI', "#binaryToken")
+        # Add Reference to body so that it can be included in the signature
+        soapWriter.body.setAttributeNS(_WSU.UTILITY, 'Id', "body")
+        refElems = soapWriter.body.evaluate('//*[@wsu:Id]',
+                                    processorNss=SignatureHandler.PROCESSOR_NSS)
+        # Set based on 'signedInfoIsExcl' property
+        refC14nAlg = c14nAlgOpt[int(self.refC14nIsExcl)]
+        # 1) Reference Generation
+        #
+        # Find references
+        for refElem in refElems:
+            refID = refElem.getAttributeValue(_WSU.UTILITY, 'Id')
+            # Set URI attribute to point to reference to be signed
+            uri = u"#" + refID
+            # Canonicalize reference
+            #
+            # ndg.wssecurity.common.utils.zsi.DomletteElementProxy's C14N method
+            # wraps 4Suite-XML CanonicalPrint
+            unsuppressedPrefixes = self.refC14nKw.get(
+                                    SignatureHandler.ZSI_C14N_KEYWORD_NAME, [])
+            refC14n = refElem.canonicalize(algorithm=refC14nAlg,
+                                    unsuppressedPrefixes=unsuppressedPrefixes)
+            # Calculate digest for reference and base 64 encode
+            #
+            # Nb. encodestring adds a trailing newline char
+            digestValue = base64.encodestring(sha(refC14n).digest()).strip()
+            # Add a new reference element to SignedInfo
+            refElem = signedInfoElem.createAppendElement(DSIG.BASE,
+                                                         'Reference')
+            refElem.setAttributeNS(None, 'URI', uri)
+            # Use ds:Transforms or wsse:TransformationParameters?
+            transformsElem = refElem.createAppendElement(DSIG.BASE,
+                                                         'Transforms')
+            transformElem = transformsElem.createAppendElement(DSIG.BASE,
+                                                               'Transform')
+            # Set Canonicalization algorithm type
+            transformElem.setAttributeNS(None, 'Algorithm', refC14nAlg)
+            if self.refC14nPfxSet:
+                # Exclusive C14N requires inclusive namespace elements
+                inclNamespacesElem = transformElem.createAppendElement(
+                                                       refC14nAlg,
+                                                       'InclusiveNamespaces')
+                refInclNsPfx = ' '.join(self.refC14nKw[
+                                        SignatureHandler.ZSI_C14N_KEYWORD_NAME])
+                inclNamespacesElem.setAttributeNS(None, 'PrefixList',
+                                                  refInclNsPfx)
+            # Digest Method
+            digestMethodElem = refElem.createAppendElement(DSIG.BASE,
+                                                           'DigestMethod')
+            digestMethodElem.setAttributeNS(None, 'Algorithm', DSIG.DIGEST_SHA1)
+            # Digest Value
+            digestValueElem = refElem.createAppendElement(DSIG.BASE,
+                                                          'DigestValue')
+            digestValueElem.createAppendTextNode(digestValue)
+        # 2) Signature Generation
+        #
+        # Canonicalize the signedInfo node
+        try:
+            signedInfoElem = soapWriter.body.evaluate('//ds:SignedInfo',
+                                processorNss=SignatureHandler.PROCESSOR_NSS)[0]
+        except TypeError, e:
+            log.error("Error locating SignedInfo element for signature")
+            raise
+        unsuppressedPrefixes = self.refC14nKw.get(
+                                    SignatureHandler.ZSI_C14N_KEYWORD_NAME, [])
+        # ndg.wssecurity.common.utils.zsi.DomletteElementProxy's C14N method
+        # wraps 4Suite-XML CanonicalPrint
+        c14nSignedInfo = signedInfoElem.canonicalize(
+                                    algorithm=signedInfoC14nAlg,
+                                    unsuppressedPrefixes=unsuppressedPrefixes)
+        # Calculate digest of SignedInfo
+        signedInfoDigestValue = sha(c14nSignedInfo).digest()
+        # Sign using the private key and base 64 encode the result
+        signatureValue = self.signingPriKey.sign(signedInfoDigestValue)
+        b64EncSignatureValue = base64.encodestring(signatureValue).strip()
+        # Add to <SignatureValue>
+        signatureValueElem.createAppendTextNode(b64EncSignatureValue)
+        log.info("Signature generation complete")
+    def verify(self, parsedSOAP, raiseNoSignatureFound=True):
+        """Verify signature
+        @type parsedSOAP: ZSI.parse.ParsedSoap
+        @param parsedSOAP: object contain parsed SOAP message received from
+        sender"""
+        signatureElem = parsedSOAP.dom.xpath('//ds:Signature',
+                                    explicitNss=SignatureHandler.PROCESSOR_NSS)
+        nSignatureElem = len(signatureElem)
+        if nSignatureElem > 1:
+            raise VerifyError('Multiple <ds:Signature/> elements found')
+        elif nSignatureElem < 1:
+            # Message wasn't signed
+            msg = "Input message wasn't signed!"
+            if raiseNoSignatureFound:
+                raise NoSignatureFound(msg)
+            else:
+                log.warning(msg)
+                return
+        signatureElem = signatureElem[0]
+        # Two stage process: reference validation followed by signature
+        # validation
+        # 1) Reference Validation
+        # Check for canonicalization set via ds:CanonicalizationMethod -
+        # Use this later as a back up in case no Canonicalization was set in
+        # the transforms elements
+        try:
+            c14nMethodElem = parsedSOAP.dom.xpath('//ds:CanonicalizationMethod',
+                                explicitNss=SignatureHandler.PROCESSOR_NSS)[0]
+        except TypeError:
+            log.error("XPath query error locating "
+                      "<ds:CanonicalizationMethod/>: %s" %
+                      traceback.format_exc())
+            raise
+        refElems = parsedSOAP.dom.xpath('//ds:Reference',
+                                    explicitNss=SignatureHandler.PROCESSOR_NSS)
+        for refElem in refElems:
+            # Get the URI for the reference
+            refURI = refElem.getAttributeNS(None, 'URI')
+            try:
+                transformsElem = getElements(refElem, "Transforms")[0]
+                transformElems = getElements(transformsElem, "Transform")
+                refAlgorithm = transformElems[0].getAttributeNS(None,
+                                                                'Algorithm')
+            except Exception, e:
+                raise VerifyError('failed to get transform algorithm for '
+                                  '<ds:Reference URI="%s">' %
+                                  (refURI, e))
+            # Add extra keyword for Exclusive canonicalization method
+            refC14nKw = {}
+            if self.refC14nIsExcl:
+                try:
+                    # Check for no inclusive namespaces set
+                    inclusiveNS = getElements(transformElems[0],
+                                              "InclusiveNamespaces")
+                    if len(inclusiveNS) > 0:
+                        pfxListAttElem = inclusiveNS[0].getAttributeNodeNS(None,
+                                                                'PrefixList')
+                        refC14nKw['inclusivePrefixes'] = \
+                                                pfxListAttElem.value.split()
+                    else:
+                        refC14nKw['inclusivePrefixes'] = None
+                except Exception, e:
+                    raise VerifyError('failed to handle transform (%s) in '
+                                      '<ds:Reference URI="%s">: %s' % \
+                                      (transformElems[0], refURI, e))
+            # Canonicalize the reference data and calculate the digest
+            if refURI[0] != "#":
+                raise VerifyError("Expecting # identifier for Reference URI "
+                                  "\"%s\"" % refURI)
+            # XPath reference
+            uriXPath = '//*[@wsu:Id="%s"]' % refURI[1:]
+            uriElem = parsedSOAP.dom.xpath(uriXPath,
+                                explicitNss=SignatureHandler.PROCESSOR_NSS)[0]
+            f = StringIO()
+            CanonicalPrint(uriElem, stream=f, exclusive=self.refC14nIsExcl,
+                           **refC14nKw)
+            refC14n = f.getvalue()
+            digestValue = base64.encodestring(sha(refC14n).digest()).strip()
+            # Extract the digest value that was stored
+            digestNode = getElements(refElem, "DigestValue")[0]
+            nodeDigestValue = str(digestNode.childNodes[0].nodeValue).strip()
+            # Reference validates if the two digest values are the same
+            if digestValue != nodeDigestValue:
+                raise InvalidSignature('Digest Values do not match for URI: '
+                                       '"%s"' % refURI)
+            log.debug("Verified canonicalization for element %s" % refURI[1:])
+        # 2) Signature Validation
+        signedInfoElem = parsedSOAP.dom.xpath('//ds:SignedInfo',
+                                explicitNss=SignatureHandler.PROCESSOR_NSS)[0]
+        # Get algorithm used for canonicalization of the SignedInfo
+        # element.  Nb. This is NOT necessarily the same as that used to
+        # canonicalize the reference elements checked above!
+        signedInfoC14nAlg = c14nMethodElem.getAttributeNS(None, "Algorithm")
+        signedInfoC14nKw = {}
+        if self.signedInfoC14nIsExcl:
+            try:
+                # Check for inclusive namespaces
+                inclusiveNsElem = getElements(c14nMethodElem,
+                                              "InclusiveNamespaces")
+                if len(inclusiveNsElem) > 0:
+                    pfxListAttElem = inclusiveNsElem[0].getAttributeNodeNS(None,
+                                                                 'PrefixList')
+                    signedInfoC14nKw['inclusivePrefixes'
+                                     ] = pfxListAttElem.value.split()
+                else:
+                    signedInfoC14nKw['inclusivePrefixes'] = None
+            except Exception, e:
+                raise VerifyError('failed to handle exclusive '
+                                  'canonicalisation for SignedInfo: %s' % e)
+        # Canonicalize the SignedInfo node and take digest
+        f = StringIO()
+        CanonicalPrint(signedInfoElem,
+                       stream=f,
+                       exclusive=self.signedInfoC14nIsExcl,
+                       **signedInfoC14nKw)
+        c14nSignedInfo = f.getvalue()
+        signedInfoDigestValue = sha(c14nSignedInfo).digest()
+        # Get the signature value in order to check against the digest just
+        # calculated
+        try:
+            signatureValueElem = parsedSOAP.dom.xpath('//ds:SignatureValue',
+                                explicitNss=SignatureHandler.PROCESSOR_NSS)[0]
+        except:
+            raise WSSecurityError("No signature value found: %s" %
+                                  traceback.format_exc())
+        # Remove base 64 encoding
+        b64EncSignatureValue = signatureValueElem.childNodes[0].nodeValue
+        signatureValue = base64.decodestring(b64EncSignatureValue)
+        # Cache Signature Value here so that a response can include it.
+        #
+        # Nb. If the sign method is called from a separate SignatureHandler
+        # object then the signature value must be passed from THIS object to
+        # the other SignatureHandler otherwise signature confirmation will
+        # fail
+        if self.applySignatureConfirmation:
+            # re-encode string to avoid possible problems with interpretation
+            # of line breaks
+            self.b64EncSignatureValue = b64EncSignatureValue
+        else:
+            self.b64EncSignatureValue = None
+        # Look for X.509 Cert in wsse:BinarySecurityToken node
+        try:
+            binSecTokElem = parsedSOAP.dom.xpath('//wsse:BinarySecurityToken',
+                                explicitNss=SignatureHandler.PROCESSOR_NSS)[0]
+        except:
+            # Signature may not have included the Binary Security Token in
+            # which case the verifying cert will need to have been set
+            # elsewhere
+            log.info("No Binary Security Token found in WS-Security header")
+            binSecTokElem = None
+        if binSecTokElem:
+            try:
+                x509CertTxt=str(binSecTokElem.childNodes[0].nodeValue)
+                valueType = binSecTokElem.getAttributeNS(None, "ValueType")
+                tokValTypes = (
+                    self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509v3'],
+                    self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509'])
+                if valueType in tokValTypes:
+                    # Remove base 64 encoding
+                    derString = base64.decodestring(x509CertTxt)
+                    self.verifyingCert = X509Cert.Parse(derString,
+                                                    format=X509Cert.formatDER)
+                    x509Stack = X509Stack()
+                elif valueType == self.__class__.BINARY_SECURITY_TOK_VAL_TYPE[
+                                                            'X509PKIPathv1']:
+                    derString = base64.decodestring(x509CertTxt)
+                    x509Stack = X509StackParseFromDER(derString)
+                    # TODO: Check ordering - is the last off the stack the
+                    # one to use to verify the message?
+                    self.verifyingCert = x509Stack[-1]
+                else:
+                    raise WSSecurityError("BinarySecurityToken ValueType "
+                                          'attribute is not recognised: "%s"' %
+                                          valueType)
+            except Exception:
+                raise VerifyError("Error extracting BinarySecurityToken "
+                                  "from WSSE header: %s" %
+                                  traceback.format_exc())
+        if self.verifyingCert is None:
+            raise VerifyError("No certificate set for verification of the "
+                              "signature")
+        # Extract RSA public key from the cert
+        rsaPubKey = self.verifyingCert.pubKey.get_rsa()
+        # Apply the signature verification
+        try:
+            verify = rsaPubKey.verify(signedInfoDigestValue, signatureValue)
+        except RSA.RSAError, e:
+            raise VerifyError("Error in Signature: " % e)
+        if not verify:
+            raise InvalidSignature("Invalid signature")
+        # Verify chain of trust
+        x509Stack.verifyCertChain(x509Cert2Verify=self.verifyingCert,
+                                  caX509Stack=self._caX509Stack)
+        self._verifyTimeStamp(parsedSOAP,
+                              SignatureHandler.PROCESSOR_NSS,
+                              timestampClockSkew=self.timestampClockSkew,
+                              timestampMustBeSet=self.timestampMustBeSet,
+                              createdElemMustBeSet=self.createdElemMustBeSet,
+                              expiresElemMustBeSet=self.expiresElemMustBeSet)
+        log.info("Signature OK")
     def _applySignatureConfirmation(self, wsseElem):
         '''Add SignatureConfirmation element - as specified in WS-Security 1.1
 …
                                      "time %s is before the current time %s." %
                                      (dtExpiry, dtNow))
-    def sign(self, soapWriter):
-        '''Sign the message body and binary security token of a SOAP message
-        @type soapWriter: ZSI.writer.SoapWriter
-        @param soapWriter: ZSI object to write SOAP message
-        '''
-        # Namespaces for XPath searches
-        processorNss = \
+        {
-            'ds':     DSIG.BASE,
-            'wsu':    _WSU.UTILITY,
-            'wsse':   OASIS.WSSE,
-            'soapenv':"http://schemas.xmlsoap.org/soap/envelope/"
+        }
-        # Add X.509 cert as binary security token
-        if self.reqBinarySecurityTokValType == \
-           self.BINARY_SECURITY_TOK_VAL_TYPE['X509PKIPathv1']:
-            if self.signingCertChain is None:
-                msg = 'SignatureHandler signingCertChain attribute is not set'
-                log.error(msg)
-                raise AttributeError(msg)
-            binSecTokVal = base64.encodestring(self.signingCertChain.asDER())
-        else:
-            # Assume X.509 / X.509 vers 3
-            if self.signingCert is None:
-                msg = 'SignatureHandler signingCert attribute is not set'
-                log.error(msg)
-                raise AttributeError(msg)
-            binSecTokVal = base64.encodestring(self.signingCert.asDER())
-        soapWriter._header.setNamespaceAttribute('wsse', OASIS.WSSE)
-        soapWriter._header.setNamespaceAttribute('wsse11', OASIS.WSSE11)
-        soapWriter._header.setNamespaceAttribute('wsu', _WSU.UTILITY)
-        soapWriter._header.setNamespaceAttribute('ds', DSIG.BASE)
-        # Flag if inclusive namespace prefixes are set for the signature or
-        # reference elements
-        if self.refC14nPfxSet or self.signedInfoC14nPfxSet:
-           soapWriter._header.setNamespaceAttribute('ec', DSIG.C14N_EXCL)
-        # Check <wsse:security> isn't already present in header
-        wsseElems = soapWriter._header.evaluate('//wsse:security',
-                                                processorNss=processorNss)
-        if len(wsseElems) > 1:
-            raise SignatureError('wsse:Security element is already present')
-        # Add WSSE element
-        wsseElem = soapWriter._header.createAppendElement(OASIS.WSSE,
-                                                          'Security')
-        wsseElem.setNamespaceAttribute('wsse', OASIS.WSSE)
-        # Flag to recipient - they MUST parse and check this signature
-        wsseElem.setAttributeNS(SOAP.ENV, 'mustUnderstand', "1")
-        # Binary Security Token element will contain the X.509 cert
-        # corresponding to the private key used to sing the message
-        binSecTokElem = wsseElem.createAppendElement(OASIS.WSSE,
-                                                     'BinarySecurityToken')
-        # Value type can be any be any one of those supported via
-        # BINARY_SECURITY_TOK_VAL_TYPE
-        binSecTokElem.setAttributeNS(None,
-                                     'ValueType',
-                                     self.reqBinarySecurityTokValType)
-        binSecTokElem.setAttributeNS(None,
-                                     'EncodingType',
-                                     self.BINARY_SECURITY_TOK_ENCODING_TYPE)
-        # Add ID so that the binary token can be included in the signature
-        binSecTokElem.setAttributeNS(_WSU.UTILITY, 'Id', "binaryToken")
-        binSecTokElem.createAppendTextNode(binSecTokVal)
-        # Timestamp
-        if self.addTimestamp:
-            self._addTimeStamp(wsseElem)
-        # Signature Confirmation
-        if self.applySignatureConfirmation:
-            self._applySignatureConfirmation(wsseElem)
-        # Signature
-        signatureElem = wsseElem.createAppendElement(DSIG.BASE, 'Signature')
-        signatureElem.setNamespaceAttribute('ds', DSIG.BASE)
-        # Signature - Signed Info
-        signedInfoElem = signatureElem.createAppendElement(DSIG.BASE,
-                                                           'SignedInfo')
-        # Signed Info - Canonicalization method
-        c14nMethodElem = signedInfoElem.createAppendElement(DSIG.BASE,
-                                                    'CanonicalizationMethod')
-        # Set based on 'signedInfoIsExcl' property
-        c14nAlgOpt = (DSIG.C14N, DSIG.C14N_EXCL)
-        signedInfoC14nAlg = c14nAlgOpt[int(self.signedInfoC14nIsExcl)]
-        c14nMethodElem.setAttributeNS(None, 'Algorithm', signedInfoC14nAlg)
-        if self.signedInfoC14nPfxSet:
-            c14nInclNamespacesElem = c14nMethodElem.createAppendElement(
-                                                    signedInfoC14nAlg,
-                                                    'InclusiveNamespaces')
-            inclNsPfx = ' '.join(self.signedInfoC14nKw['inclusive_namespaces'])
-            c14nInclNamespacesElem.setAttributeNS(None,'PrefixList',inclNsPfx)
-        # Signed Info - Signature method
-        sigMethodElem = signedInfoElem.createAppendElement(DSIG.BASE,
-                                                           'SignatureMethod')
-        sigMethodElem.setAttributeNS(None, 'Algorithm', DSIG.SIG_RSA_SHA1)
-        # Signature - Signature value
-        signatureValueElem = signatureElem.createAppendElement(DSIG.BASE,
-                                                             'SignatureValue')
-        # Key Info
-        KeyInfoElem = signatureElem.createAppendElement(DSIG.BASE, 'KeyInfo')
-        secTokRefElem = KeyInfoElem.createAppendElement(OASIS.WSSE,
-                                                  'SecurityTokenReference')
-        # Reference back to the binary token included earlier
-        wsseRefElem = secTokRefElem.createAppendElement(OASIS.WSSE,
-                                                        'Reference')
-        wsseRefElem.setAttributeNS(None, 'URI', "#binaryToken")
-        # Add Reference to body so that it can be included in the signature
-        soapWriter.body.setAttributeNS(_WSU.UTILITY, 'Id', "body")
-        refElems = soapWriter.body.evaluate('//*[@wsu:Id]',
-                                            processorNss=processorNss)
-        # Set based on 'signedInfoIsExcl' property
-        refC14nAlg = c14nAlgOpt[int(self.refC14nIsExcl)]
-        # 1) Reference Generation
+        #
-        # Find references
-        for refElem in refElems:
-            refID = refElem.getAttributeValue(_WSU.UTILITY, 'Id')
-            # Set URI attribute to point to reference to be signed
-            uri = u"#" + refID
-            # Canonicalize reference
-            inclusiveNsKWs = self.createUnsupressedPrefixKW(self.refC14nKw)
-            refC14n = refElem.canonicalize(algorithm=refC14nAlg,
-                                           **inclusiveNsKWs)
-            # Calculate digest for reference and base 64 encode
+            #
-            # Nb. encodestring adds a trailing newline char
-            digestValue = base64.encodestring(sha(refC14n).digest()).strip()
-            # Add a new reference element to SignedInfo
-            refElem = signedInfoElem.createAppendElement(DSIG.BASE,
-                                                         'Reference')
-            refElem.setAttributeNS(None, 'URI', uri)
-            # Use ds:Transforms or wsse:TransformationParameters?
-            transformsElem = refElem.createAppendElement(DSIG.BASE,
-                                                         'Transforms')
-            transformElem = transformsElem.createAppendElement(DSIG.BASE,
-                                                               'Transform')
-            # Set Canonicalization algorithm type
-            transformElem.setAttributeNS(None, 'Algorithm', refC14nAlg)
-            if self.refC14nPfxSet:
-                # Exclusive C14N requires inclusive namespace elements
-                inclNamespacesElem = transformElem.createAppendElement(
-                                                                                   refC14nAlg,
-                                                       'InclusiveNamespaces')
-                refInclNsPfx = ' '.join(self.refC14nKw['inclusive_namespaces'])
-                inclNamespacesElem.setAttributeNS(None, 'PrefixList',
-                                                  refInclNsPfx)
-            # Digest Method
-            digestMethodElem = refElem.createAppendElement(DSIG.BASE,
-                                                           'DigestMethod')
-            digestMethodElem.setAttributeNS(None, 'Algorithm',DSIG.DIGEST_SHA1)
-            # Digest Value
-            digestValueElem = refElem.createAppendElement(DSIG.BASE,
-                                                          'DigestValue')
-            digestValueElem.createAppendTextNode(digestValue)
-        # 2) Signature Generation
+        #
-        # Canonicalize the signedInfo node
-        signedInfoInclusiveNsKWs = self.createUnsupressedPrefixKW(
-                                                        self.signedInfoC14nKw)
-        try:
-            signedInfoElem = soapWriter.body.evaluate('//ds:SignedInfo',
-                                                  processorNss=processorNss)[0]
-        except TypeError, e:
-            log.error("Error locating SignedInfo element for signature")
-            raise
-        c14nSignedInfo=signedInfoElem.canonicalize(algorithm=signedInfoC14nAlg,
-                                                   **signedInfoInclusiveNsKWs)
-        # Calculate digest of SignedInfo
-        signedInfoDigestValue = sha(c14nSignedInfo).digest()
-        # Sign using the private key and base 64 encode the result
-        signatureValue = self.signingPriKey.sign(signedInfoDigestValue)
-        b64EncSignatureValue = base64.encodestring(signatureValue).strip()
-        # Add to <SignatureValue>
-        signatureValueElem.createAppendTextNode(b64EncSignatureValue)
-        log.info("Signature generation complete")
-    def createUnsupressedPrefixKW(self, dictToConvert):
-        """
-        Convert a dictionary to use keys with names, 'inclusive_namespaces' in
-        place of keys with names 'unsupressedPrefixes'
-        NB, this is required for the ZSI canonicalize method
-        @type dictToConvert: dict
-        @param dictToConvert: dictionary to convert
-        @rtype: dict
-        @return: dictionary with corrected keys
-        """
-        nsList = []
-        newDict = dictToConvert.copy()
-        if isinstance(newDict, dict) and \
-            isinstance(newDict.get('inclusive_namespaces'), list):
-            nsList = newDict.get('inclusive_namespaces')
-            newDict.pop('inclusive_namespaces')
-        newDict['unsuppressedPrefixes'] = nsList
-        return newDict
-    def verify(self, parsedSOAP, raiseNoSignatureFound=True):
-        """Verify signature
-        @type parsedSOAP: ZSI.parse.ParsedSoap
-        @param parsedSOAP: object contain parsed SOAP message received from
-        sender"""
-        processorNss = {
-            'ds':     DSIG.BASE,
-            'wsu':    _WSU.UTILITY,
-            'wsse':   OASIS.WSSE,
-            'soapenv':SOAP.ENV
+        }
-        signatureElem = parsedSOAP.dom.xpath('//ds:Signature',
-                                             explicitNss=processorNss)
-        if len(signatureElem) > 1:
-            raise VerifyError('Multiple <ds:Signature/> elements found')
-        try:
-            signatureElem = signatureElem[0]
-        except IndexError:
-            # Message wasn't signed
-            msg = "Input message wasn't signed!"
-            if raiseNoSignatureFound:
-                raise NoSignatureFound(msg)
-            else:
-                log.warning(msg)
-                return
-        # Two stage process: reference validation followed by signature
-        # validation
-        # 1) Reference Validation
-        # Check for canonicalization set via ds:CanonicalizationMethod -
-        # Use this later as a back up in case no Canonicalization was set in
-        # the transforms elements
-        try:
-            c14nMethodElem=parsedSOAP.dom.xpath('//ds:CanonicalizationMethod',
-                                                explicitNss=processorNss)[0]
-        except TypeError, e:
-            log.error("XPath query error locating "
-                      "<ds:CanonicalizationMethod/>: %s" % e)
-            raise
-        refElems = parsedSOAP.dom.xpath('//ds:Reference',
-                                        explicitNss=processorNss)
-        for refElem in refElems:
-            # Get the URI for the reference
-            refURI = refElem.getAttributeNS(None, 'URI')
-            try:
-                transformsElem = getElements(refElem, "Transforms")[0]
-                transformElems = getElements(transformsElem, "Transform")
-                refAlgorithm = transformElems[0].getAttributeNS(None,
-                                                                'Algorithm')
-            except Exception, e:
-                raise VerifyError('failed to get transform algorithm for '
-                                  '<ds:Reference URI="%s">' %
-                                  (refURI, e))
-            # Add extra keyword for Exclusive canonicalization method
-            refC14nKw = {}
-            refC14nIsExcl = refAlgorithm == DSIG.C14N_EXCL
-            if refC14nIsExcl:
-                try:
-                    # Check for no inclusive namespaces set
-                    inclusiveNS = getElements(transformElems[0],
-                                              "InclusiveNamespaces")
-                    if len(inclusiveNS) > 0:
-                        pfxListAttElem=inclusiveNS[0].getAttributeNodeNS(None,
-                                                                'PrefixList')
-                        refC14nKw['inclusivePrefixes'] = \
-                                                pfxListAttElem.value.split()
-                    else:
-                        refC14nKw['inclusivePrefixes'] = None
-                except Exception, e:
-                    raise VerifyError('failed to handle transform (%s) in '
-                                      '<ds:Reference URI="%s">: %s' % \
-                                      (transformElems[0], refURI, e))
-            # Canonicalize the reference data and calculate the digest
-            if refURI[0] != "#":
-                raise VerifyError("Expecting # identifier for Reference URI "
-                                  "\"%s\"" % refURI)
-            # XPath reference
-            uriXPath = '//*[@wsu:Id="%s"]' % refURI[1:]
-            uriElem = parsedSOAP.dom.xpath(uriXPath,
-                                           explicitNss=processorNss)[0]
-            f = StringIO()
-            CanonicalPrint(uriElem, stream=f, exclusive=refC14nIsExcl,
-                           **refC14nKw)
-            refC14n = f.getvalue()
-            digestValue = base64.encodestring(sha(refC14n).digest()).strip()
-            # Extract the digest value that was stored
-            digestNode = getElements(refElem, "DigestValue")[0]
-            nodeDigestValue = str(digestNode.childNodes[0].nodeValue).strip()
-            # Reference validates if the two digest values are the same
-            if digestValue != nodeDigestValue:
-                raise InvalidSignature('Digest Values do not match for URI: '
-                                       '"%s"' % refURI)
-            log.debug("Verified canonicalization for element %s" % refURI[1:])
-        # 2) Signature Validation
-        signedInfoElem = parsedSOAP.dom.xpath('//ds:SignedInfo',
-                                              explicitNss=processorNss)[0]
-        # Get algorithm used for canonicalization of the SignedInfo
-        # element.  Nb. This is NOT necessarily the same as that used to
-        # canonicalize the reference elements checked above!
-        signedInfoC14nAlg = c14nMethodElem.getAttributeNS(None, "Algorithm")
-        signedInfoC14nKw = {}
-        signedInfoC14nIsExcl = signedInfoC14nAlg == DSIG.C14N_EXCL
-        if signedInfoC14nIsExcl:
-            try:
-                # Check for inclusive namespaces
-                inclusiveNsElem = getElements(c14nMethodElem,
-                                              "InclusiveNamespaces")
-                if len(inclusiveNsElem) > 0:
-                    pfxListAttElem=inclusiveNsElem[0].getAttributeNodeNS(None,
-                                                                 'PrefixList')
-                    signedInfoC14nKw['inclusivePrefixes'] = \
-                                                pfxListAttElem.value.split()
-                else:
-                    signedInfoC14nKw['inclusivePrefixes'] = None
-            except Exception, e:
-                raise VerifyError('failed to handle exclusive '
-                                  'canonicalisation for SignedInfo: %s' % e)
-        # Canonicalize the SignedInfo node and take digest
-        f = StringIO()
-        CanonicalPrint(signedInfoElem,
-                       stream=f,
-                       exclusive=signedInfoC14nIsExcl,
-                       **signedInfoC14nKw)
-        c14nSignedInfo = f.getvalue()
-        signedInfoDigestValue = sha(c14nSignedInfo).digest()
-        # Get the signature value in order to check against the digest just
-        # calculated
-        signatureValueElem = parsedSOAP.dom.xpath('//ds:SignatureValue',
-                                                  explicitNss=processorNss)[0]
-        # Remove base 64 encoding
-        b64EncSignatureValue = signatureValueElem.childNodes[0].nodeValue
-        signatureValue = base64.decodestring(b64EncSignatureValue)
-        # Cache Signature Value here so that a response can include it.
+        #
-        # Nb. If the sign method is called from a separate SignatureHandler
-        # object then the signature value must be passed from THIS object to
-        # the other SignatureHandler otherwise signature confirmation will
-        # fail
-        if self.applySignatureConfirmation:
-            # re-encode string to avoid possible problems with interpretation
-            # of line breaks
-            self.b64EncSignatureValue = b64EncSignatureValue
-        else:
-            self.b64EncSignatureValue = None
-        # Look for X.509 Cert in wsse:BinarySecurityToken node
-        try:
-            binSecTokElem = parsedSOAP.dom.xpath('//wsse:BinarySecurityToken',
-                                                 explicitNss=processorNss)[0]
-        except:
-            # Signature may not have included the Binary Security Token in
-            # which case the verifying cert will need to have been set
-            # elsewhere
-            log.info("No Binary Security Token found in WS-Security header")
-            binSecTokElem = None
-        if binSecTokElem:
-            try:
-                x509CertTxt=str(binSecTokElem.childNodes[0].nodeValue)
-                valueType = binSecTokElem.getAttributeNS(None, "ValueType")
-                if valueType in (self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509v3'],
-                                 self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509']):
-                    # Remove base 64 encoding
-                    derString = base64.decodestring(x509CertTxt)
-                    self.verifyingCert = X509Cert.Parse(derString,
-                                                    format=X509Cert.formatDER)
-                    x509Stack = X509Stack()
-                elif valueType == \
-                    self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509PKIPathv1']:
-                    derString = base64.decodestring(x509CertTxt)
-                    x509Stack = X509StackParseFromDER(derString)
-                    # TODO: Check ordering - is the last off the stack the
-                    # one to use to verify the message?
-                    self.verifyingCert = x509Stack[-1]
-                else:
-                    raise WSSecurityError("BinarySecurityToken ValueType "
-                                          'attribute is not recognised: "%s"' %
-                                          valueType)
-            except Exception, e:
-                raise VerifyError("Error extracting BinarySecurityToken "
-                                  "from WSSE header: %s" % e)
-        if self.verifyingCert is None:
-            raise VerifyError("No certificate set for verification of the "
-                              "signature")
-        # Extract RSA public key from the cert
-        rsaPubKey = self.verifyingCert.pubKey.get_rsa()
-        # Apply the signature verification
-        try:
-            verify = rsaPubKey.verify(signedInfoDigestValue, signatureValue)
-        except RSA.RSAError, e:
-            raise VerifyError("Error in Signature: " % e)
-        if not verify:
-            raise InvalidSignature("Invalid signature")
-        # Verify chain of trust
-        x509Stack.verifyCertChain(x509Cert2Verify=self.verifyingCert,
-                                  caX509Stack=self._caX509Stack)
-        self._verifyTimeStamp(parsedSOAP,
-                              processorNss,
-                              timestampClockSkew=self.timestampClockSkew,
-                              timestampMustBeSet=self.timestampMustBeSet,
-                              createdElemMustBeSet=self.createdElemMustBeSet,
-                              expiresElemMustBeSet=self.expiresElemMustBeSet)
-        log.info("Signature OK")

TI12-security/trunk/WSSecurity/ndg/wssecurity/test/unit/signaturehandler/foursuite/server/echoServer.py

-                      r5291
+                      r6399
 from EchoService_services_server import EchoService as _EchoService
 from ndg.security.common.wssecurity.signaturehandler.dom import SignatureHandler
+from ndg.wssecurity.common.signaturehandler import SignatureHandlerFactory
 from os.path import expandvars as xpdVars
 …
     # Create the Inherited version of the server
     echo = EchoService()
+    echo.signatureHandler = SignatureHandler(cfg=wsseCfgFilePath)
+    echo.signatureHandler = SignatureHandlerFactory.fromConfigFile(
+                                                                wsseCfgFilePath)
     serviceContainer.setNode(echo, url=path)

TI12-security/trunk/WSSecurity/ndg/wssecurity/test/unit/signaturehandler/foursuite/server/wssecurity.cfg

r5560	r6399
9	9	# BSD - See LICENCE file for details
10	10	#
11		~~# TODO: Refactor option names - put into inbound and outbound sections / apply~~
12		~~# namespace prefixes to better categorise~~
13	11	[DEFAULT]
	12	className = ndg.wssecurity.common.signaturehandler.foursuite.SignatureHandler
14	13
15	14	#

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 6399

Legend:

TI12-security/trunk/WSSecurity/ndg/wssecurity/common/signaturehandler/__init__.py

TI12-security/trunk/WSSecurity/ndg/wssecurity/common/signaturehandler/foursuite.py

TI12-security/trunk/WSSecurity/ndg/wssecurity/test/unit/signaturehandler/foursuite/server/echoServer.py

TI12-security/trunk/WSSecurity/ndg/wssecurity/test/unit/signaturehandler/foursuite/server/wssecurity.cfg

Download in other formats:

TI12-security/trunk/WSSecurity/ndg/wssecurity/common/signaturehandler/init.py