Changeset 6417
- Timestamp:
- 26/01/10 14:43:23 (11 years ago)
- Location:
- TI12-security/trunk/NDGSoap
- Files:
-
- 6 added
- 6 edited
TI12-security/trunk/NDGSoap/.pydevproject
r6416 r6417 5 5 <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.5</pydev_property> 6 6 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property> 7 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH"> 8 <path>/NDGSoap</path> 9 </pydev_pathproperty> 7 10 </pydev_project> -
TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/__init__.py
r6416 r6417 9 9 __contact__ = "Philip.Kershaw@stfc.ac.uk" 10 10 __revision__ = '$Id$' 11 class WSSecurityError(Exception): 12 """For WS-Security generic exceptions not covered by other exception 13 classes in this module""" 14 15 class WSSecurityConfigError(WSSecurityError): 16 """Configuration error with WS-Security setting or settings""" 17 18 class TimestampError(WSSecurityError): 19 """Raised from SignatureHandler._verifyTimestamp if there is a problem with 20 the created or expiry times in an input message Timestamp""" 21 22 class MessageExpired(TimestampError): 23 """Raised from SignatureHandler._verifyTimestamp if the timestamp of 24 the message being processed is before the current time. Can be caught in 25 order to set a wsu:MessageExpired fault code""" 26 27 class InvalidCertChain(WSSecurityError): 28 """Raised from SignatureHandler.verify if the certificate submitted to 29 verify a signature is not from a known CA""" -
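Review bot: The docstring of the new `MessageExpired` class says it is raised when "the timestamp of the message being processed is before the current time", but as worded that also describes every valid `wsu:Created` value, so it does not tell a reader which condition actually triggers the fault. Presumably the check is on the `wsu:Expires` time; `SignatureHandler._verifyTimestamp` is not part of this changeset, so that should be confirmed against it. Suggested wording: `"""Raised from SignatureHandler._verifyTimestamp if the wsu:Expires time in the message Timestamp is earlier than the current time. Can be caught in order to set a wsu:MessageExpired fault code"""`.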
TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/signaturehandler/__init__.py
r6409 r6417 1 """ 1 """Base class for the WS-Security digital signature handlers - to allow 2 2 sharing of common code 3 3 … … 5 5 """ 6 6 __author__ = "C Byrom, Philip Kershaw" 7 __date__ = "18/08/08 "7 __date__ = "18/08/08, refactored for NDGSoap egg 22/01/2010" 8 8 __copyright__ = "" 9 9 __license__ = "BSD - see LICENSE file in top-level directory" … … 26 26 from ZSI.wstools.Namespaces import OASIS as _OASIS 27 27 28 from ndg.wssecurity.common import WSSecurityConfigError, WSSecurityError 29 from ndg.wssecurity.common.utils import classfactory 30 from ndg.wssecurity.common.utils.configfileparsers import ( 31 CaseSensitiveConfigParser, 32 WithGetListConfigParser) 33 from ndg.wssecurity.common.utils.pki import (X509Cert, X509Stack, 34 X509StackParseFromDER) 28 from ndg.soap.utils import classfactory 29 from ndg.soap.utils.configfileparsers import (CaseSensitiveConfigParser, 30 WithGetListConfigParser) 31 from ndg.soap.wssecurity import WSSecurityConfigError, WSSecurityError 32 from ndg.soap.wssecurity.utils.pki import (X509Cert, X509Stack, 33 X509StackParseFromDER) 35 34 36 35 … … 147 146 __slots__.update( 148 147 __caX509Stack=None, 149 __ref C14nKw=None,150 __signedInfo C14nKw=None148 __referenceElemsC14nKeywords=None, 149 __signedInfoElemC14nKeywords=None 151 150 ) 152 151 … … 158 157 159 158 self.__caX509Stack = X509Stack() 160 self.__ref C14nKw= {}161 self.__signedInfo C14nKw= {}159 self.__referenceElemsC14nKeywords = {} 160 self.__signedInfoElemC14nKeywords = {} 162 161 163 162 @classmethod … … 341 340 342 341 343 def _setRef C14nKw(self, kw):342 def _setReferenceElemsC14nKeywords(self, kw): 344 343 """Set keywords for canonicalization of reference elements in the 345 344 signing process""" 346 345 self.__checkC14nKw(kw) 347 self.__ref C14nKw= kw348 349 def _getRef C14nKw(self):350 return self.__ref C14nKw351 352 ref C14nKw = property(fset=_setRefC14nKw,353 fget=_getRef C14nKw,346 self.__referenceElemsC14nKeywords = kw 347 348 def 
_getReferenceElemsC14nKeywords(self): 349 return self.__referenceElemsC14nKeywords 350 351 referenceElemsC14nKeywords = property(fset=_setReferenceElemsC14nKeywords, 352 fget=_getReferenceElemsC14nKeywords, 354 353 doc="Keywords for C14N of reference elements") 355 354 356 def _setSignedInfo C14nKw(self, kw):355 def _setSignedInfoElemC14nKeywords(self, kw): 357 356 """Set keywords for canonicalization of SignedInfo element in the 358 357 signing process""" 359 358 self.__checkC14nKw(kw) 360 self.__signedInfo C14nKw= kw361 362 def _getSignedInfo C14nKw(self):363 if hasattr(self, '_signedInfo C14nKw'):364 return self.__signedInfo C14nKw359 self.__signedInfoElemC14nKeywords = kw 360 361 def _getSignedInfoElemC14nKeywords(self): 362 if hasattr(self, '_signedInfoElemC14nKeywords'): 363 return self.__signedInfoElemC14nKeywords 365 364 else: 366 365 return {} 367 366 368 signedInfo C14nKw = property(fset=_setSignedInfoC14nKw,369 fget=_getSignedInfo C14nKw,367 signedInfoElemC14nKeywords = property(fset=_setSignedInfoElemC14nKeywords, 368 fget=_getSignedInfoElemC14nKeywords, 370 369 doc="Keywords for C14N of SignedInfo element") 371 370 -
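Review bot: The renamed getter `_getSignedInfoElemC14nKeywords` guards on `hasattr(self, '_signedInfoElemC14nKeywords')` but then reads `self.__signedInfoElemC14nKeywords`, which Python name-mangles to `_<ClassName>__signedInfoElemC14nKeywords`, so the single-underscore name is never present, the guard is always false and the property returns `{}` regardless of what `_setSignedInfoElemC14nKeywords` stored; the rename carried the pre-existing mismatch over unchanged. In foursuite.py `_signedInfoC14nPfxSet` is computed from this property, so the InclusiveNamespaces PrefixList for SignedInfo would never be emitted in `sign()` if that reading is right. Since `__init__` assigns `self.__signedInfoElemC14nKeywords = {}` unconditionally, the guard appears redundant and the body can be `return self.__signedInfoElemC14nKeywords`, matching `_getReferenceElemsC14nKeywords`. The enclosing class (presumably `BaseSignatureHandler`) starts outside the hunk.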
TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/signaturehandler/foursuite.py
r6409 r6417 36 36 from Ft.Xml.Domlette import CanonicalPrint 37 37 38 from ndg.wssecurity.common import (WSSecurityError, TimestampError, 39 MessageExpired) 40 from ndg.wssecurity.common.signaturehandler import (_WSU, OASIS, 38 from ndg.soap.wssecurity import (WSSecurityError, TimestampError, 39 MessageExpired) 40 from ndg.soap.wssecurity.utils.pki import (X509Cert, X509Stack, 41 X509StackParseFromDER) 42 from ndg.soap.wssecurity.signaturehandler import (_WSU, OASIS, 41 43 BaseSignatureHandler, NoSignatureFound, InvalidSignature, 42 44 VerifyError, SignatureError) 43 44 from ndg.wssecurity.common.utils.pki import (X509Cert, X509CertParse,45 X509CertRead, X509Stack,46 X509StackParseFromDER)47 45 48 46 … … 66 64 } 67 65 68 _refC14nPfxSet = lambda self: len(self.ref C14nKw.get(66 _refC14nPfxSet = lambda self: len(self.referenceElemsC14nKeywords.get( 69 67 BaseSignatureHandler.ZSI_C14N_KEYWORD_NAME, [])) > 0 70 68 … … 73 71 "signature of reference elements") 74 72 75 _signedInfoC14nPfxSet = lambda self: len(self.signedInfo C14nKw.get(73 _signedInfoC14nPfxSet = lambda self: len(self.signedInfoElemC14nKeywords.get( 76 74 BaseSignatureHandler.ZSI_C14N_KEYWORD_NAME, [])) > 0 77 75 … … 80 78 "for signature of signed info " 81 79 "elements") 80 81 XPATH_C14N_METHOD = "//ds:CanonicalizationMethod" 82 XPATH_REF_ELEMS = "//ds:Reference" 83 XPATH_SIGNED_INFO_ELEM = "//ds:SignedInfo" 84 XPATH_SIGNATURE_ELEM = "//ds:Signature" 85 XPATH_SIGNATURE_VAL_ELEM = "//ds:SignatureValue" 86 XPATH_BINARY_SECURITY_TOK_ELEM = "//wsse:BinarySecurityToken" 87 88 INCLUSIVE_NS_PREFIXES_ATTRNAME = "InclusiveNamespaces" 89 PREFIX_LIST_ATTRNAME = "PrefixList" 82 90 83 91 def sign(self, soapWriter): … … 90 98 # Add X.509 cert as binary security token 91 99 if self.reqBinarySecurityTokValType == \ 92 self. 
BINARY_SECURITY_TOK_VAL_TYPE['X509PKIPathv1']:100 self.__class__.BINARY_SECURITY_TOK_VAL_TYPE['X509PKIPathv1']: 93 101 if self.signingCertChain is None: 94 102 msg = 'SignatureHandler signingCertChain attribute is not set' … … 174 182 signedInfoC14nAlg = c14nAlgOpt[int(self.signedInfoC14nIsExcl)] 175 183 176 c14nMethodElem.setAttributeNS(None, 'Algorithm', signedInfoC14nAlg) 184 c14nMethodElem.setAttributeNS(None, 185 SignatureHandler.C14N_ALG_ATTRNAME, 186 signedInfoC14nAlg) 177 187 178 188 if self.signedInfoC14nPfxSet: … … 180 190 signedInfoC14nAlg, 181 191 'InclusiveNamespaces') 182 inclNsPfx = ' '.join(self.signedInfo C14nKw[192 inclNsPfx = ' '.join(self.signedInfoElemC14nKeywords[ 183 193 SignatureHandler.ZSI_C14N_KEYWORD_NAME]) 184 c14nInclNamespacesElem.setAttributeNS(None, 'PrefixList', inclNsPfx) 194 c14nInclNamespacesElem.setAttributeNS( 195 None, 196 SignatureHandler.PREFIX_LIST_ATTRNAME, 197 inclNsPfx) 185 198 186 199 # Signed Info - Signature method 187 200 sigMethodElem = signedInfoElem.createAppendElement(DSIG.BASE, 188 201 'SignatureMethod') 189 sigMethodElem.setAttributeNS(None, 'Algorithm', DSIG.SIG_RSA_SHA1) 202 sigMethodElem.setAttributeNS(None, 203 SignatureHandler.C14N_ALG_ATTRNAME, 204 DSIG.SIG_RSA_SHA1) 190 205 191 206 # Signature - Signature value … … 224 239 # Canonicalize reference 225 240 # 226 # ndg. 
wssecurity.common.utils.zsi.DomletteElementProxy's C14N method241 # ndg.soap.wssecurity.utils.zsi.DomletteElementProxy's C14N method 227 242 # wraps 4Suite-XML CanonicalPrint 228 unsuppressedPrefixes = self.ref C14nKw.get(243 unsuppressedPrefixes = self.referenceElemsC14nKeywords.get( 229 244 SignatureHandler.ZSI_C14N_KEYWORD_NAME, []) 230 245 … … 250 265 251 266 # Set Canonicalization algorithm type 252 transformElem.setAttributeNS(None, 'Algorithm', refC14nAlg)267 transformElem.setAttributeNS(None, SignatureHandler.C14N_ALG_ATTRNAME, refC14nAlg) 253 268 if self.refC14nPfxSet: 254 269 # Exclusive C14N requires inclusive namespace elements … … 256 271 refC14nAlg, 257 272 'InclusiveNamespaces') 258 refInclNsPfx = ' '.join(self.ref C14nKw[273 refInclNsPfx = ' '.join(self.referenceElemsC14nKeywords[ 259 274 SignatureHandler.ZSI_C14N_KEYWORD_NAME]) 260 inclNamespacesElem.setAttributeNS(None, 'PrefixList',275 inclNamespacesElem.setAttributeNS(None, SignatureHandler.PREFIX_LIST_ATTRNAME, 261 276 refInclNsPfx) 262 277 … … 264 279 digestMethodElem = refElem.createAppendElement(DSIG.BASE, 265 280 'DigestMethod') 266 digestMethodElem.setAttributeNS(None, 'Algorithm', DSIG.DIGEST_SHA1)281 digestMethodElem.setAttributeNS(None, SignatureHandler.C14N_ALG_ATTRNAME, DSIG.DIGEST_SHA1) 267 282 268 283 # Digest Value … … 275 290 # Canonicalize the signedInfo node 276 291 try: 277 signedInfoElem = soapWriter.body.evaluate('//ds:SignedInfo', 292 signedInfoElem = soapWriter.body.evaluate( 293 SignatureHandler.XPATH_SIGNED_INFO_ELEM, 278 294 processorNss=SignatureHandler.PROCESSOR_NSS)[0] 279 295 except TypeError, e: … … 281 297 raise 282 298 283 unsuppressedPrefixes = self.ref C14nKw.get(299 unsuppressedPrefixes = self.referenceElemsC14nKeywords.get( 284 300 SignatureHandler.ZSI_C14N_KEYWORD_NAME, []) 285 301 286 # ndg. 
wssecurity.common.utils.zsi.DomletteElementProxy's C14N method302 # ndg.soap.utils.zsi.DomletteElementProxy's C14N method 287 303 # wraps 4Suite-XML CanonicalPrint 288 304 c14nSignedInfo = signedInfoElem.canonicalize( … … 300 316 301 317 log.info("Signature generation complete") 302 318 303 319 def verify(self, parsedSOAP, raiseNoSignatureFound=True): 304 320 """Verify signature … … 308 324 sender""" 309 325 310 signatureElem = parsedSOAP.dom.xpath('//ds:Signature', 326 signatureElem = parsedSOAP.dom.xpath( 327 SignatureHandler.XPATH_SIGNATURE_ELEM, 311 328 explicitNss=SignatureHandler.PROCESSOR_NSS) 312 329 nSignatureElem = len(signatureElem) … … 334 351 # the transforms elements 335 352 try: 336 c14nMethodElem = parsedSOAP.dom.xpath('//ds:CanonicalizationMethod', 353 c14nMethodElem = parsedSOAP.dom.xpath( 354 SignatureHandler.XPATH_C14N_METHOD, 337 355 explicitNss=SignatureHandler.PROCESSOR_NSS)[0] 338 356 except TypeError: … … 342 360 raise 343 361 344 refElems = parsedSOAP.dom.xpath( '//ds:Reference',362 refElems = parsedSOAP.dom.xpath(SignatureHandler.XPATH_REF_ELEMS, 345 363 explicitNss=SignatureHandler.PROCESSOR_NSS) 346 364 … … 354 372 355 373 refAlgorithm = transformElems[0].getAttributeNS(None, 356 'Algorithm')374 SignatureHandler.C14N_ALG_ATTRNAME) 357 375 except Exception, e: 358 376 raise VerifyError('failed to get transform algorithm for ' … … 361 379 362 380 # Add extra keyword for Exclusive canonicalization method 363 ref C14nKw= {}381 referenceElemsC14nKeywords = {} 364 382 if self.refC14nIsExcl: 365 383 try: 366 384 # Check for no inclusive namespaces set 367 385 inclusiveNS = getElements(transformElems[0], 368 "InclusiveNamespaces")386 SignatureHandler.INCLUSIVE_NS_PREFIXES_ATTRNAME) 369 387 if len(inclusiveNS) > 0: 370 pfxListAttElem = inclusiveNS[0].getAttributeNodeNS(None, 371 'PrefixList') 388 pfxListAttElem = inclusiveNS[0].getAttributeNodeNS( 389 None, 390 SignatureHandler.PREFIX_LIST_ATTRNAME) 372 391 373 ref C14nKw['inclusivePrefixes'] = 
\392 referenceElemsC14nKeywords['inclusivePrefixes'] = \ 374 393 pfxListAttElem.value.split() 375 394 else: 376 ref C14nKw['inclusivePrefixes'] = None395 referenceElemsC14nKeywords['inclusivePrefixes'] = None 377 396 except Exception, e: 378 397 raise VerifyError('failed to handle transform (%s) in ' … … 392 411 f = StringIO() 393 412 CanonicalPrint(uriElem, stream=f, exclusive=self.refC14nIsExcl, 394 **ref C14nKw)413 **referenceElemsC14nKeywords) 395 414 refC14n = f.getvalue() 396 415 digestValue = base64.encodestring(sha(refC14n).digest()).strip() … … 408 427 409 428 # 2) Signature Validation 410 signedInfoElem = parsedSOAP.dom.xpath( '//ds:SignedInfo',429 signedInfoElem = parsedSOAP.dom.xpath(SignatureHandler.XPATH_SIGNED_INFO_ELEM, 411 430 explicitNss=SignatureHandler.PROCESSOR_NSS)[0] 412 431 … … 414 433 # element. Nb. This is NOT necessarily the same as that used to 415 434 # canonicalize the reference elements checked above! 416 signedInfoC14nAlg = c14nMethodElem.getAttributeNS(None, "Algorithm") 417 signedInfoC14nKw = {} 435 signedInfoC14nAlg = c14nMethodElem.getAttributeNS( 436 None, 437 SignatureHandler.C14N_ALG_ATTRNAME) 438 signedInfoElemC14nKeywords = {} 418 439 if self.signedInfoC14nIsExcl: 419 440 try: 420 441 # Check for inclusive namespaces 421 442 inclusiveNsElem = getElements(c14nMethodElem, 422 "InclusiveNamespaces")443 SignatureHandler.INCLUSIVE_NS_PREFIXES_ATTRNAME) 423 444 if len(inclusiveNsElem) > 0: 424 445 pfxListAttElem = inclusiveNsElem[0].getAttributeNodeNS(None, 425 'PrefixList')426 signedInfo C14nKw['inclusivePrefixes'446 SignatureHandler.PREFIX_LIST_ATTRNAME) 447 signedInfoElemC14nKeywords['inclusivePrefixes' 427 448 ] = pfxListAttElem.value.split() 428 449 else: 429 signedInfo C14nKw['inclusivePrefixes'] = None450 signedInfoElemC14nKeywords['inclusivePrefixes'] = None 430 451 except Exception, e: 431 452 raise VerifyError('failed to handle exclusive ' … … 437 458 stream=f, 438 459 exclusive=self.signedInfoC14nIsExcl, 439 
**signedInfo C14nKw)460 **signedInfoElemC14nKeywords) 440 461 c14nSignedInfo = f.getvalue() 441 462 … … 445 466 # calculated 446 467 try: 447 signatureValueElem = parsedSOAP.dom.xpath('//ds:SignatureValue', 468 signatureValueElem = parsedSOAP.dom.xpath( 469 SignatureHandler.XPATH_SIGNATURE_VAL_ELEM, 448 470 explicitNss=SignatureHandler.PROCESSOR_NSS)[0] 449 471 except: … … 470 492 # Look for X.509 Cert in wsse:BinarySecurityToken node 471 493 try: 472 binSecTokElem = parsedSOAP.dom.xpath('//wsse:BinarySecurityToken', 494 binSecTokElem = parsedSOAP.dom.xpath( 495 SignatureHandler.XPATH_BINARY_SECURITY_TOK_ELEM, 473 496 explicitNss=SignatureHandler.PROCESSOR_NSS)[0] 474 497 except: -
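Review bot: The new `XPATH_*` constants keep the descendant-anywhere form (`//ds:Signature`, `//ds:SignedInfo`, `//ds:Reference`, `//ds:SignatureValue`, `//wsse:BinarySecurityToken`) and `verify` takes `[0]` of each result, so the elements checked are whichever appear first anywhere in the parsed message rather than the ones inside the `wsse:Security` header — the precondition for XML signature wrapping, where an attacker-supplied Signature or BinarySecurityToken placed earlier in the document is the one verified; how `nSignatureElem` is handled after line 329 is elided, so whether a count other than one is rejected is not visible. Scoping the expressions under the header, e.g. `XPATH_SIGNATURE_ELEM = "//wsse:Security/ds:Signature"` and deriving `XPATH_SIGNED_INFO_ELEM`, `XPATH_SIGNATURE_VAL_ELEM` and `XPATH_REF_ELEMS` relative to it, would narrow that, and whether the Reference URIs are later checked to cover the Body cannot be seen here. On naming, `INCLUSIVE_NS_PREFIXES_ATTRNAME` is passed to `getElements(...)` so it names an element rather than an attribute, and `SignatureHandler.C14N_ALG_ATTRNAME` is now also used for the `SignatureMethod` and `DigestMethod` `Algorithm` attributes; a neutral `ALGORITHM_ATTRNAME` and `INCLUSIVE_NS_ELEMNAME` would read as intended. The import hunk drops `X509CertParse` and `X509CertRead`; if either is still referenced further down the file (not shown) that reference would fail at call time.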
TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/test/unit/signaturehandler/foursuite/client/echoClientTest.cfg
r6396 r6417 7 7 # BSD - See LICENCE file for details 8 8 [setUp] 9 className = ndg. wssecurity.common.signaturehandler.foursuite.SignatureHandler9 className = ndg.soap.wssecurity.signaturehandler.foursuite.SignatureHandler 10 10 uri = http://localhost:7600/Echo 11 11 signingPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/wsse-clnt.key -
TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/test/unit/signaturehandler/foursuite/client/test_echoclient.py
r6396 r6417 5 5 """ 6 6 __author__ = "P J Kershaw" 7 __date__ = " 13/12/06"7 __date__ = "22/01/2010" 8 8 __copyright__ = "(C) 2009 Science and Technology Facilities Council" 9 9 __license__ = "BSD - see LICENSE file in top-level directory" … … 17 17 18 18 from os.path import join, dirname, abspath 19 mkPath = lambda file: join(os.environ['NDGS EC_WSSECLNT_UNITTEST_DIR'], file)19 mkPath = lambda file: join(os.environ['NDGSOAP_WSSECLNT_UNITTEST_DIR'], file) 20 20 21 21 from ConfigParser import SafeConfigParser … … 23 23 from EchoService_services import EchoServiceLocator 24 24 25 from ndg.wssecurity.test.unit import BaseTestCase 26 from ndg.wssecurity.common import TimestampError 27 from ndg.wssecurity.common.utils.zsi import DomletteReader, DomletteElementProxy 28 from ndg.wssecurity.common.signaturehandler import (NoSignatureFound, 29 SignatureHandlerFactory) 30 #from ndg.wssecurity.common.signaturehandler.foursuite import SignatureHandler 25 from ndg.soap.utils.zsi import DomletteReader, DomletteElementProxy 26 from ndg.soap.wssecurity.test.unit import BaseTestCase 27 from ndg.soap.wssecurity import TimestampError 28 from ndg.soap.wssecurity.signaturehandler import (NoSignatureFound, 29 SignatureHandlerFactory) 31 30 32 31 … … 37 36 super(EchoClientTestCase, self).setUp() 38 37 39 if 'NDGS EC_INT_DEBUG' in os.environ:38 if 'NDGSOAP_INT_DEBUG' in os.environ: 40 39 import pdb 41 40 pdb.set_trace() 42 41 43 if 'NDGS EC_WSSECLNT_UNITTEST_DIR' not in os.environ:44 os.environ['NDGS EC_WSSECLNT_UNITTEST_DIR'] = \42 if 'NDGSOAP_WSSECLNT_UNITTEST_DIR' not in os.environ: 43 os.environ['NDGSOAP_WSSECLNT_UNITTEST_DIR'] = \ 45 44 abspath(dirname(__file__)) 46 45