Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6672

Timestamp:

04/03/10 10:55:47 (11 years ago)

Author:

pjkersha

Message:

Patched ndg.security.common.AttCert? so that it uses a proxy to ndg.security.common.XMLSec.XMLSecDoc for Python versions >= 2.5.5. This is to allow for PyXML incompatibility with later versions of Python. Disabling XMLSecDoc means that Attribute Certificates are not signed but the NDG Attribute Certificates are no longer used. SAML assertions take their place. NDG AC functionality will be deleted from the trunk.

Location:

TI12-security/branches/ndg-security-1.5.x

Files:

: 6 edited

ndg_security_common/ndg/security/common/AttCert.py (modified) (4 diffs)
ndg_security_common/ndg/security/common/credentialwallet.py (modified) (2 diffs)
ndg_security_server/ndg/security/server/attributeauthority.py (modified) (3 diffs)
ndg_security_server/ndg/security/server/zsi/attributeauthority/__init__.py (modified) (1 diff)
ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml (modified) (2 diffs)
ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/branches/ndg-security-1.5.x/ndg_security_common/ndg/security/common/AttCert.py

-                      r5564
+                      r6672
 # XML signature module based on M2Crypto, ZSI Canonicalization and DOM
+from XMLSec import XMLSecDoc, InvalidSignature, getParentNode
+import sys
+import warnings
+if sys.version_info[:2] < (2, 5, 5):
+    from XMLSec import XMLSecDoc, InvalidSignature
+else:
+    msg = ("ndg.security.common.XMLSec not supported for Python versions 2.5.5 "
+           "or later because of PyXML incompatibility")
+    warnings.warn(msg)
+    class XMLSecDoc(object):
+        "XMLSecDoc Stub class: %s" % msg
+        def __init__(self):
+            self.filePath = None
+        def parse(self, *arg):
+            "XMLSecDoc Stub class parse: %s" % msg
+        def applyEnvelopedSignature(self, **kw):
+            "XMLSecDoc Stub class - no signature applied: %s" % msg
+        def verifyEnvelopedSignature(self, **kw):
+            "XMLSecDoc Stub class - no verification executed: %s" % msg
+        def toString(self):
+            "XMLSecDoc Stub class toString returns None: %s" % msg
+            return None
+    class InvalidSignature(Exception):
+        "XMLSecDoc.InvalidSignature Stub class: %s" % msg
 from X509 import X500DN
 from X509 import X500DNError
 …
         try:
             self.__holderDN = X500DN(dn=self.__dat['holder'])
+        except IndexError:
+            warnings.warn("Error parsing Attribute Certificate holder as an "
+                          "X.500 DN, treating as a regular string instead")
+            self.__holderDN = None
         except X500DNError, x500dnErr:
             raise AttCertError, "Holder DN: %s" % x500dnErr
 …
+        # Create string of all XML content
+        xmlTxt = '<attributeCertificate targetNamespace="%s">' % \
+        # Create string of all XML content
+        try:
+            xmlTxt = '<attributeCertificate targetNamespace="%s">' % \
                                                 self.__class__.namespace + \
 """
 …
     </acInfo>
 </attributeCertificate>"""
+        except:
+            return ''
         # Return XML file content as a string

TI12-security/branches/ndg-security-1.5.x/ndg_security_common/ndg/security/common/credentialwallet.py

-                      r6512
+                      r6672
 # Authorisation - attribute certificate
 from ndg.security.common.AttCert import AttCert, AttCertError
+from ndg.security.common.wssecurity.signaturehandler.dom import SignatureHandler
+from ndg.security.common.wssecurity.signaturehandler.foursuite import \
+                                                            SignatureHandler
 # generic parser to read INI/XML properties file
 …
             # Request Attribute Certificate from Attribute Authority
             try:
                 attCert = self._getAttCert(extAttCert=extAttCert)
+                attCert = self._getAttCert(extAttCert=extAttCert)
                 # Access granted
                 return attCert

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/attributeauthority.py

-                      r6644
+                      r6672
 import os
 import re
+import traceback
 # For parsing of properties file
 …
                                         separator=self.dnSeparator)
             except Exception, e:
+                 log.error("Holder X.509 Certificate DN: %s" % e)
+                 raise
+                log.error("Holder X.509 Certificate DN: %s" % e)
+                raise
+        else:
+            log.debug("No holder X.509 Certificate set, setting Attribute "
+                      "Certificate holder to userId=%r", userId)
+            attCert['holder'] = userId
         # Set Issuer details from Attribute Authority
 …
             return attCert
         except Exception, e:
+        except Exception:
             raise AttributeAuthorityError('New Attribute Certificate "%s": %s'%
+                                          (attCert.filePath, e))
+                                          (attCert.filePath,
+                                           traceback.format_exc()))
     def samlAttributeQuery(self, attributeQuery):

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/zsi/attributeauthority/init.py

-                      r6069
+                      r6672
     AttributeAuthorityAccessDenied
+from ndg.security.common.wssecurity.signaturehandler.dom import SignatureHandler
+from ndg.security.common.wssecurity.signaturehandler.foursuite import \
+                                                            SignatureHandler
 from ndg.security.common.X509 import X509Cert, X509CertRead

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml

-                      r6637
+                      r6672
+<?xml version="1.0" encoding="utf-8"?>
+<attributeCertificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" targetNamespace="urn:ndg:security:attributeCertificate">
+<attributeCertificate targetNamespace="urn:ndg:security:attributeCertificate">
     <acInfo>
         <version>1.0</version>
         <holder>/CN=server/O=NDG Security Test/OU=WS-Security Unittest</holder>
         <issuer>/CN=AttributeAuthority/O=NDG Security Test/OU=Site A</issuer>
+        <holder>/O=NDG Security Test/OU=WS-Security Unittest/CN=server</holder>
+        <issuer>/O=NDG Security Test/OU=Site A/CN=AttributeAuthority</issuer>
         <issuerName>Site A</issuerName>
         <issuerSerialNumber>253</issuerSerialNumber>
         <userId>testuser</userId>
         <validity>
             <notBefore>2010 02 24 16 27 53</notBefore>
             <notAfter>2010 02 25 00 27 53</notAfter>
+            <notBefore>2010 03 04 10 13 26</notBefore>
+            <notAfter>2010 03 04 18 13 26</notAfter>
         </validity>
         <attributes>
 …
         <provenance>original</provenance>
     </acInfo>
+<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>o7ULDHEgL9VF+pxrpxvq6wUZix4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>oFmYBQ2wTNHU6dGoNEZOMtOV6C9IPRkSoLKCJ9Ktg5vscegd5U3KDuQe2YyEZPlKyN+mlgMsaXOu
+Ngq1pKsKY2yg7rPRAC4J1gbNapJFmnJ4ro/HIYeiRUXSbWhcdyZOa6v1uDmjZmcUkhCjWjyLkZ
+qq/+s/Yx3cV2Wgl2qNM=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICBTCCAW6gAwIBAgICAP0wDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNTE2MzUy
+NFoXDTEzMTIxNDE2MzUyNFowSjEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
+DzANBgNVBAsTBlNpdGUgQTEbMBkGA1UEAxMSQXR0cmlidXRlQXV0aG9yaXR5MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCntf+hUxFKXx/KY3LXy/RYc/yqhfIL
+M8h95c14n/WdSqh8rK3VxkUu5gujlEgCHafI2AjNZJZqJfKG7ZucYmRcnXbCX1qP
+IGKa+TllbIWdsa5y/IF/Do2AoPMJnTNJ2U1IBfPQXbO5Sd49OvfTi4Cldk89872R
+IuzPmLIDcFydgQIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJKoZIhvcN
+AQEEBQADgYEAWD04scBB91kWT8qXKZyN2EZ5nBFqs6REXtI+ddOaZt7VtiaHYMXA
+mcRW/kCw8YgS+Ull+mZpAwpWUU9kR/A5dbiIDDRbxlz4BJCeMgkO/OxU31zmvqqa
+UyGXPhtaTuo8DG2uSr5XDk6GnJ5sb0WB3UgsRh7V4ryWkStImCSGY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></attributeCertificate>
+</attributeCertificate>

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

r6512	r6672
200	200	# user ID should be the same as that set for the wallet
201	201	assert(attCert.userId == credWallet.userId)
202		~~print("Attribute Certificate:\n%s" % attCert)~~
203	202
204	203	def test08Pickle(self):

Note: See TracChangeset for help on using the changeset viewer.