Context Navigation

← Previous Change
Next Change →

Changeset 6840 for TI12-security/trunk/MyProxyClient

Timestamp:

23/04/10 10:16:33 (11 years ago)

Author:

pjkersha

Message:

Experimented with PUT method but PyOpenSSL doesn't support the required X.509 extension for proxy certificates.

Location:

TI12-security/trunk/MyProxyClient/myproxy

Files:

: 3 deleted
: 7 edited

client.py (modified) (49 diffs)
test/myProxyClient.cfg (modified) (1 diff)
test/myProxyClientTest.cfg (modified) (2 diffs)
test/ndg-glue-ca.crt (deleted)
test/proxy.crt (modified) (1 diff)
test/proxy.key (modified) (1 diff)
test/test_myproxyclient.py (modified) (9 diffs)
test/user.crt (deleted)
test/user.key (deleted)
utils/__init__.py (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/MyProxyClient/myproxy/client.py

-                      r6837
+                      r6840
 import re
 import traceback
-from ConfigParser import SafeConfigParser
 from OpenSSL import crypto, SSL
+from myproxy.utils.openssl import OpenSSLConfig, OpenSSLConfigError
+class CaseSensitiveConfigParser(SafeConfigParser):
+    '''Subclass the SafeConfigParser - to preserve the original string case of
+    config section names
+    '''
+    def optionxform(self, optionstr):
+        '''Extend SafeConfigParser.optionxform to preserve case of option names
+        '''
+        return optionstr
+from myproxy.utils.openssl import OpenSSLConfig
+from myproxy.utils import CaseSensitiveConfigParser
 …
     PARSER_RE = re.compile(PARSER_RE_STR)
+    def __init__(self,
+                 myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN'),
+                 cnHostPfx='host/',
+                 **kw):
+    def __init__(self, myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN')):
         """Override parent class __init__ to enable setting of myProxyServerDN
         setting
 …
         MyProxy server to avoid errors matching hostnames.  This is useful
         where the hostname is not fully qualified
+        @type cnHostPfx: string
+        @param cnHostPfx: globus host certificates are
+        generated by default with a 'host/' prefix to the host name.  Set
+        this keyword to '' or None to override and omit the prefix"""
+        """
         # Allow for quoted DN
 …
         self.myProxyServerDN = zip(dnFields[1::2], dnFields[2::2])
         self.myProxyServerDN.sort()
-        self.cnHostPfx = cnHostPfx
     def __call__(self, connection, peerCert, errorStatus, errorDepth,
 …
         @return: status code
         """
-        return errorStatus
         if peerCert.has_expired():
             # Any expired certificate in the chain should result in an error
 …
 class MyProxyClientError(Exception):
     """Base exception class for MyProxyClient exceptions"""
 class MyProxyClientConfigError(MyProxyClientError):
     """Error with configuration"""
 class MyProxyClientGetError(MyProxyClientError):
     """Exceptions arising from get request to server"""
 class MyProxyClientRetrieveError(MyProxyClientError):
     """Error recovering a response from MyProxy"""
 class MyProxyCredentialsAlreadyExist(MyProxyClientError):
 …
     """
 class MyProxyClientGetTrustRootsError(MyProxyClientError):
     """Error retrieving trust roots"""
 …
     created with
     @type propertyDefaults: tuple
     @cvar propertyDefaults: sets permissable element names for MyProxy config
+    @type PROPERTY_DEFAULTS: tuple
+    @cvar PROPERTY_DEFAULTS: sets permissable element names for MyProxy config
     file
     """
 …
 PASSPHRASE=%s
 LIFETIME=%d"""
+    PUT_CMD="""VERSION=MYPROXYv2
+COMMAND=1
+USERNAME=%s
+PASSPHRASE=<pass phrase>
+LIFETIME=%d"""
     INFO_CMD="""VERSION=MYPROXYv2
 COMMAND=2
 …
     _hostKeySubDirPath = ('etc', 'hostkey.pem')
+    PROXY_FILE_PERMISSIONS = 0600
     # Work out default location of proxy file if it exists.  This is set if a
     # call has been made previously to logon / get-delegation
 …
                                     or None)
     PRIKEY_NBITS = 2048 #4096
+    PRIKEY_NBITS = 4096
     MESSAGE_DIGEST_TYPE = "md5"
     SERVER_RESP_BLK_SIZE = 8192
 …
     # valid configuration property keywords
     propertyDefaults = {
+    PROPERTY_DEFAULTS = {
        'hostname':              'localhost',
        'port':                  7512,
        'serverDN':              '',
-       'serverCNPrefix':        'host/',
        'openSSLConfFilePath':   '',
        'proxyCertMaxLifetime':  43200,
 …
     # Restrict attributes to the above properties, their equivalent
     # protected values + extra OpenSSL config object.
+    __slots__ = propertyDefaults.copy()
+    __slots__.update(dict([('_'+k, v) for k,v in propertyDefaults.items()] +
+                          [('_openSSLConfig', None),
+                           ('_cfg',           None)]
+                          )
+                     )
+    __slots__ = tuple(['__' + k for k in PROPERTY_DEFAULTS.keys()])
+    __slots__ += ('__openSSLConfig', '__cfg', '__serverSSLCertVerify')
     def __init__(self, cfgFilePath=None, **prop):
         """Make any initial settings for client connections to MyProxy
 …
         given by cfgFilePath
+        @param cfgFilePath:   set properties via a configuration file
+        @param **prop:         set properties via keywords - see
+        propertyDefaults class variable for a list of these
+        @param cfgFilePath: set properties via a configuration file
+        @type cfgFilePath: basestring
+        @param **prop: set properties via keywords - see
+        PROPERTY_DEFAULTS class variable for a list of these
+        @type **prop: dict
         """
+        # Default settings.  Nb. '_' - override property methods in order to
+        # set defaults
+        for opt, val in MyProxyClient.propertyDefaults.items():
+            setattr(self, '_'+opt, val)
+        self.__hostname = None
+        self.__port = None
+        self.__serverDN = None
+        self.__openSSLConfFilePath = None
+        self.__proxyCertMaxLifetime = MyProxyClient.PROPERTY_DEFAULTS[
+                                                        'proxyCertMaxLifetime']
+        self.__proxyCertLifetime = MyProxyClient.PROPERTY_DEFAULTS[
+                                                        'proxyCertLifetime']
+        self.__caCertFilePath = None
+        self.__caCertDir = None
+        self.__cfg = None
         # Configuration file used to get default subject when generating a
         # new proxy certificate request
         self._openSSLConfig = OpenSSLConfig()
+        self.__openSSLConfig = OpenSSLConfig()
         # Server host name - take from environment variable if available
         self.hostname = os.environ.get('MYPROXY_SERVER',
                                     MyProxyClient.propertyDefaults['hostname'])
+                                    MyProxyClient.PROPERTY_DEFAULTS['hostname'])
         # ... and port number
         self.port = int(os.environ.get('MYPROXY_SERVER_PORT',
                                        MyProxyClient.propertyDefaults['port']))
+                                       MyProxyClient.PROPERTY_DEFAULTS['port']))
         # Server Distinguished Name
         self.serverDN = os.environ.get('MYPROXY_SERVER_DN',
                                     MyProxyClient.propertyDefaults['serverDN'])
+                                    MyProxyClient.PROPERTY_DEFAULTS['serverDN'])
         # Environment variable may be quoted
 …
             self.serverDN = self.serverDN.strip('"')
         # keyword settings
+        # Any keyword settings override the defaults above
         for opt, val in prop.items():
             setattr(self, opt, val)
         # If properties file is set any parameters settings in file will
         # override those set by input keyword
+        # override those set by input keyword or the defaults
         if cfgFilePath is not None:
             self.parseConfig(cfg=cfgFilePath)
+        self.__serverSSLCertVerify = MyProxyServerSSLCertVerification(
+                                                myProxyServerDN=self.serverDN)
+    def _getServerSSLCertVerify(self):
+        return self.__serverSSLCertVerify
+    def _setServerSSLCertVerify(self, value):
+        if not isinstance(value, MyProxyServerSSLCertVerification):
+            raise TypeError('Expecting %r derived type for '
+                            '"serverSSLCertVerify" attribute; got %r' %
+                            MyProxyServerSSLCertVerification,
+                            value)
+        self.__serverSSLCertVerify = value
+    serverSSLCertVerify = property(_getServerSSLCertVerify,
+                                   _setServerSSLCertVerify,
+                                   doc="Class with a __call__ method which is "
+                                       "passed to the SSL context to verify "
+                                       "the peer (MyProxy server) certificate "
+                                       "in the SSL handshake between this "
+                                       "client and the MyProxy server")
     def parseConfig(self, cfg, section='DEFAULT'):
 …
         if isinstance(cfg, basestring):
             cfgFilePath = os.path.expandvars(cfg)
             self._cfg = CaseSensitiveConfigParser()
             self._cfg.read(cfgFilePath)
+            self.__cfg = CaseSensitiveConfigParser()
+            self.__cfg.read(cfgFilePath)
         else:
             cfgFilePath = None
             self._cfg = cfg
         for key, val in self._cfg.items(section):
+            self.__cfg = cfg
+        for key, val in self.__cfg.items(section):
             setattr(self, key, val)
     # Get/Set Property methods
     def _getHostname(self):
         return self._hostname
+        return self.__hostname
     def _setHostname(self, val):
 …
             raise AttributeError("Expecting string type for hostname "
                                  "attribute")
         self._hostname = val
+        self.__hostname = val
     hostname = property(fget=_getHostname,
 …
     def _getPort(self):
         return self._port
+        return self.__port
     def _setPort(self, val):
         if isinstance(val, basestring):
             self._port = int(val)
+            self.__port = int(val)
         elif isinstance(val, int):
             self._port = val
+            self.__port = val
         else:
             raise AttributeError("Expecting int type for port attribute")
 …
     def _getServerDN(self):
         return self._serverDN
+        return self.__serverDN
     def _setServerDN(self, val):
 …
             raise AttributeError("Expecting string type for serverDN "
                                  "attribute")
         self._serverDN = val
+        self.__serverDN = val
     serverDN = property(fget=_getServerDN,
 …
                             "Certificate")
-    def _getServerCNPrefix(self):
-        return self._serverCNPrefix
-    def _setServerCNPrefix(self, val):
-        if not isinstance(val, basestring):
-            raise AttributeError("Expecting string type for serverCNPrefix "
-                                 "attribute")
-        self._serverCNPrefix = val
-    serverCNPrefix = property(fget=_getServerCNPrefix,
-                              fset=_setServerCNPrefix,
-                              doc="Prefix if any for Server Certificate DN "
-                                  "Common Name e.g. 'host/'")
     def _getOpenSSLConfFilePath(self):
         return self._openSSLConfFilePath
+        return self.__openSSLConfFilePath
     def _setOpenSSLConfFilePath(self, val):
 …
             raise AttributeError("Expecting string type for "
                                  "openSSLConfFilePath attribute")
         self._openSSLConfFilePath = os.path.expandvars(val)
         self._openSSLConfig.filePath = self._openSSLConfFilePath
         self._openSSLConfig.read()
+        self.__openSSLConfFilePath = os.path.expandvars(val)
+        self.__openSSLConfig.filePath = self.__openSSLConfFilePath
+        self.__openSSLConfig.read()
     openSSLConfFilePath = property(fget=_getOpenSSLConfFilePath,
 …
     def _getProxyCertMaxLifetime(self):
         return self._proxyCertMaxLifetime
+        return self.__proxyCertMaxLifetime
     def _setProxyCertMaxLifetime(self, val):
         if isinstance(val, basestring):
             self._proxyCertMaxLifetime = int(val)
+            self.__proxyCertMaxLifetime = int(val)
         elif isinstance(val, int):
             self._proxyCertMaxLifetime = val
+            self.__proxyCertMaxLifetime = val
         else:
             raise AttributeError("Expecting int type for proxyCertMaxLifetime "
 …
     def _getProxyCertLifetime(self):
         return self._proxyCertLifetime
+        return self.__proxyCertLifetime
     def _setProxyCertLifetime(self, val):
         if isinstance(val, basestring):
             self._proxyCertLifetime = int(val)
+            self.__proxyCertLifetime = int(val)
         elif isinstance(val, int):
             self._proxyCertLifetime = val
+            self.__proxyCertLifetime = val
         else:
             raise AttributeError("Expecting int type for proxyCertLifetime "
 …
     def _getCACertFilePath(self):
         return self._caCertFilePath
+        return self.__caCertFilePath
     def _setCACertFilePath(self, val):
 …
         if isinstance(val, basestring):
             if val == '':
                 self._caCertFilePath = None
+                self.__caCertFilePath = None
             else:
                 self._caCertFilePath = os.path.expandvars(val)
+                self.__caCertFilePath = os.path.expandvars(val)
         elif isinstance(val, None):
 …
     def _getCACertDir(self):
         return self._caCertDir
+        return self.__caCertDir
     def _setCACertDir(self, val):
 …
         if isinstance(val, basestring):
             if val == '':
                 self._caCertDir = None
+                self.__caCertDir = None
             else:
                 self._caCertDir = os.path.expandvars(val)
+                self.__caCertDir = os.path.expandvars(val)
         elif isinstance(val, None):
             self._caCertDir = val
+            self.__caCertDir = val
         else:
             raise AttributeError("Expecting string or None type for caCertDir "
 …
     def _getOpenSSLConfig(self):
         "Get OpenSSLConfig object property method"
+        return self._openSSLConfig
+    openSSLConfig = property(fget=_getOpenSSLConfig,
+                             doc="OpenSSLConfig object")
+        return self.__openSSLConfig
+    openSSLConfig = property(fget=_getOpenSSLConfig, doc="OpenSSLConfig object")
     def _initConnection(self,
                         ownerCertFile=None,
                         ownerKeyFile=None,
                         ownerPassphrase=None):
+                        certFile=None,
+                        keyFile=None,
+                        keyFilePassphrase=None):
         """Initialise connection setting up SSL context and client and
         server side identity checks
         @type ownerCertFile: basestring
         @param ownerCertFile: client certificate and owner of credential
         to be acted on.  Can be a proxy cert + proxy's signing cert.  Cert
         and private key are not necessary for getDelegation / logon calls
         @type ownerKeyFile: basestring
         @param ownerKeyFile: client private key file
         @type ownerPassphrase: basestring
         @param ownerPassphrase: pass-phrase protecting private key if set -
         not needed in the case of a proxy private key
+        @type sslCertFile: basestring
+        @param sslCertFile: certificate for SSL client authentication.  It may
+        be owner of a credential to be acted on or the concatenated proxy
+        certificate + proxy's signing cert.  SSL client authentication is not
+        necessary for getDelegation / logon calls
+        @type sslKeyFile: basestring
+        @param sslKeyFile: client private key file
+        @type keyFilePassphrase: basestring
+        @param keyFilePassphrase: pass-phrase protecting private key if set
         """
         # Must be version 3 for MyProxy
 …
             context.load_verify_locations(self.caCertFilePath, self.caCertDir)
         if ownerCertFile:
+        if certFile:
             try:
                 context.use_certificate_chain_file(ownerCertFile)
+                context.use_certificate_chain_file(certFile)
                 def pwdCallback(passphraseMaxLen,
                                 promptPassphraseTwice,
 …
                     return passphrase
+                context.set_passwd_cb(pwdCallback, ownerPassphrase)
+                context.use_privatekey_file(ownerKeyFile)
+                if keyFilePassphrase is not None:
+                    context.set_passwd_cb(pwdCallback, keyFilePassphrase)
+                context.use_privatekey_file(keyFile)
             except Exception:
                 raise MyProxyClientConfigError("Loading certificate "
 …
         # Verify peer's (MyProxy server) certificate
         context.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                            MyProxyServerSSLCertVerification())
+                           self.__serverSSLCertVerify)
 …
         # connect to myproxy server
         conn = SSL.Connection(context, socket.socket())
-        # Check server host identity - if host doesn't match use explicit
-        # 'serverDN'
-        # host/<hostname> one
-#        hostCheck = _HostCheck(host=self.hostname,
-#                               myProxyServerDN=self.serverDN,
-#                               cnHostPfx=self.serverCNPrefix)
-#        conn.set_post_connection_check_callback(hostCheck)
         return conn
 …
         return pemCerts
     @classmethod
+    def writeProxyFile(cls,proxyCert,proxyPriKey,userX509Cert,filePath=None):
+    def writeProxyFile(cls, proxyCert, proxyPriKey, userX509Cert,
+                       filePath=None):
         """Write out proxy cert to file in the same way as myproxy-logon -
         proxy cert, private key, user cert.  Nb. output from logon can be
 …
         # Split certs and key into separate tuple items
         return tuple(['-----BEGIN'+i for i in proxy.split('-----BEGIN')[1:]])
+    def put(self,
+            username,
+            passphrase,
+            userCertFile,
+            userKeyFile,
+            lifetime=None,
+            sslCertFile=None,
+            sslKeyFile=None,
+            sslKeyFilePassphrase=None):
+        """Store a proxy credential on the server
+        @raise MyProxyClientError: no client certificate and private key set
+        @type username: string
+        @param username: username selected for new credential
+        @type passphrase: string
+        @param passphrase: pass-phrase for new credential.  This will be used
+        by the server to authenticate later requests.
+        @type certFile: string
+        @param certFile: user's X.509 proxy certificate in PEM format
+        @type keyFile: string
+        @param keyFile: equivalent private key file in PEM format
+        @type sslCertFile: string
+        @param sslCertFile: certificate used for client authentication with
+        the MyProxy server SSL connection.  This ID will be set as the owner
+        of the stored credentials.  Only the owner can later remove
+        credentials with myproxy-destroy or the destroy method.  If not set,
+        this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem or if this
+        is not set, certFile
+        @type sslKeyFile: string
+        @param sslKeyFile: corresponding private key file.  See explanation
+        for sslCertFile
+        @type sslKeyFilePassphrase: string
+        @param sslKeyFilePassphrase: passphrase for sslKeyFile.  Omit if the
+        private key is not password protected.
+        @type lifetime: int / None
+        @param lifetime: the maximum lifetime allowed for retrieved proxy
+        credentials in seconds. defaults to proxyCertMaxLifetime attribute value
+        """
+        lifetime = lifetime or self.proxyCertMaxLifetime
+        # Inputs must be string type otherwise server will reject the request
+        if isinstance(username, unicode):
+            username = str(username)
+        if isinstance(passphrase, unicode):
+            passphrase = str(passphrase)
+        globusLoc = os.environ.get('GLOBUS_LOCATION')
+        if not sslCertFile or not sslKeyFile:
+            if globusLoc:
+                sslCertFile = os.path.join(globusLoc,
+                                           *MyProxyClient._hostCertSubDirPath)
+                sslKeyFile = os.path.join(globusLoc,
+                                          *MyProxyClient._hostKeySubDirPath)
+            else:
+                raise MyProxyClientError('No client certificate and private '
+                                         'key set and no $GLOBUS_LOCATION set '
+                                         'in order to retrieve and use a host '
+                                         'certificate and private key')
+        # Set up SSL connection
+        conn = self._initConnection(certFile=sslCertFile,
+                                    keyFile=sslKeyFile,
+                                    keyFilePassphrase=sslKeyFilePassphrase)
+        conn.connect((self.hostname, self.port))
+        # send globus compatibility stuff
+        conn.write('0')
+        # send store command - ensure conversion from unicode before writing
+        cmd = MyProxyClient.PUT_CMD % (username, lifetime)
+        conn.write(str(cmd))
+        # process server response
+        dat = conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
+        respCode, errorTxt = self._deserializeResponse(dat)
+        if respCode:
+            raise MyProxyClientGetError(errorTxt)
+        # Get the certificate request generated by the server
+        certReqDat = conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
+        certReq = crypto.load_certificate_request(crypto.FILETYPE_ASN1,
+                                                  certReqDat)
+        pubKey = certReq.get_pubkey()
+        userKey = crypto.load_privatekey(crypto.FILETYPE_PEM,
+                                         open(userKeyFile).read(),
+                                         'testpassword')
+        userCert = crypto.load_certificate(crypto.FILETYPE_PEM,
+                                           open(userCertFile).read())
+        # Create the proxy certificate
+        proxyCert = crypto.X509()
+        userCertSubject = userCert.get_subject()
+        proxyCert.set_issuer(userCertSubject)
+        proxyCert.set_pubkey(pubKey)
+        proxyCert.set_notBefore('20100421130000Z')
+        proxyCert.set_notAfter('20100421170000Z')
+        proxyCert.set_serial_number(12345)
+        proxyCertSubject = crypto.X509Name(userCertSubject)
+        proxyCertSubject.CN = userCertSubject.CN+'/CN=1234567'
+        proxyCert.set_subject(proxyCertSubject)
+        proxyCert.set_version(3)
+        # Oops not currently supported!
+#        extension = crypto.X509Extension('proxyCertInfo',
+#                                         1,
+#                                         'Path Length Constraint: infinite')
+#        proxyCert.add_extensions([extension])
+        proxyCert.sign(userKey, 'md5')
+        wantRead = conn.want_read()
+        wantWrite = conn.want_write()
+        nCerts = '\002'
+        conn.send(nCerts)
+        conn.send(crypto.dump_certificate(crypto.FILETYPE_ASN1, proxyCert))
+        conn.send(crypto.dump_certificate(crypto.FILETYPE_ASN1, userCert))
+        resp = conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
+        respCode, errorTxt = self._deserializeResponse(resp)
+        if respCode:
+            raise MyProxyClientRetrieveError(errorTxt)
     def info(self,
              username,
              ownerCertFile=None,
              ownerKeyFile=None,
              ownerPassphrase=None):
+             sslCertFile=None,
+             sslKeyFile=None,
+             sslKeyFilePassphrase=None):
         """return True/False whether credentials exist on the server for a
         given username
 …
         @type username: string
         @param username: username selected for credential
         @type ownerCertFile: string
         @param ownerCertFile: certificate used for client authentication with
+        @type sslCertFile: string
+        @param sslCertFile: certificate used for client authentication with
         the MyProxy server SSL connection.  This ID will be set as the owner
         of the stored credentials.  Only the owner can later remove
         credentials with myproxy-destroy or the destroy method.  If not set,
         this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem
         @type ownerKeyFile: string
         @param ownerKeyFile: corresponding private key file.  See explanation
         for ownerCertFile
         @type ownerPassphrase: string
         @param ownerPassphrase: passphrase for ownerKeyFile.  Omit if the
+        @type sslKeyFile: string
+        @param sslKeyFile: corresponding private key file.  See explanation
+        for sslCertFile
+        @type sslKeyFilePassphrase: string
+        @param sslKeyFilePassphrase: passphrase for sslKeyFile.  Omit if the
         private key is not password protected.
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
         if not ownerCertFile:
+        if not sslCertFile:
             if globusLoc:
                 ownerCertFile = os.path.join(globusLoc,
+                sslCertFile = os.path.join(globusLoc,
                                             *MyProxyClient._hostCertSubDirPath)
                 ownerKeyFile = os.path.join(globusLoc,
+                sslKeyFile = os.path.join(globusLoc,
                                             *MyProxyClient._hostKeySubDirPath)
             else:
 …
         # Set-up SSL connection
         conn = self._initConnection(ownerCertFile=ownerCertFile,
                                     ownerKeyFile=ownerKeyFile,
                                     ownerPassphrase=ownerPassphrase)
+        conn = self._initConnection(certFile=sslCertFile,
+                                    keyFile=sslKeyFile,
+                                    keyFilePassphrase=sslKeyFilePassphrase)
         conn.connect((self.hostname, self.port))
 …
         return not bool(respCode), errorTxt, field
     def changePassphrase(self,
                          username,
                          passphrase,
                          newPassphrase,
                          ownerCertFile=None,
                          ownerKeyFile=None,
                          ownerPassphrase=None):
+                         sslCertFile=None,
+                         sslKeyFile=None,
+                         sslKeyFilePassphrase=None):
         """change pass-phrase protecting the credentials for a given username
 …
         @param passphrase: existing pass-phrase for credential
         @param newPassphrase: new pass-phrase to replace the existing one.
         @param ownerCertFile: certificate used for client authentication with
+        @param sslCertFile: certificate used for client authentication with
         the MyProxy server SSL connection.  This ID will be set as the owner
         of the stored credentials.  Only the owner can later remove
         credentials with myproxy-destroy or the destroy method.  If not set,
         this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem
         @param ownerKeyFile: corresponding private key file.  See explanation
         for ownerCertFile
         @param ownerPassphrase: passphrase for ownerKeyFile.  Omit if the
+        @param sslKeyFile: corresponding private key file.  See explanation
+        for sslCertFile
+        @param sslKeyFilePassphrase: passphrase for sslKeyFile.  Omit if the
         private key is not password protected.
         @return none
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
         if not ownerCertFile or not ownerKeyFile:
+        if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 ownerCertFile = os.path.join(globusLoc,
+                sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
                 ownerKeyFile = os.path.join(globusLoc,
+                sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
             else:
 …
         # Set-up SSL connection
         conn = self._initConnection(ownerCertFile=ownerCertFile,
                                     ownerKeyFile=ownerKeyFile,
                                     ownerPassphrase=ownerPassphrase)
+        conn = self._initConnection(certFile=sslCertFile,
+                                    keyFile=sslKeyFile,
+                                    keyFilePassphrase=sslKeyFilePassphrase)
         conn.connect((self.hostname, self.port))
 …
             raise MyProxyClientGetError(errorTxt)
     def destroy(self,
                 username,
                 ownerCertFile=None,
                 ownerKeyFile=None,
                 ownerPassphrase=None):
+                sslCertFile=None,
+                sslKeyFile=None,
+                sslKeyFilePassphrase=None):
         """destroy credentials from the server for a given username
 …
         @param username: username selected for credential
         @param ownerCertFile: certificate used for client authentication with
+        @param sslCertFile: certificate used for client authentication with
         the MyProxy server SSL connection.  This ID will be set as the owner
         of the stored credentials.  Only the owner can later remove
         credentials with myproxy-destroy or the destroy method.  If not set,
         this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem
         @param ownerKeyFile: corresponding private key file.  See explanation
         for ownerCertFile
         @param ownerPassphrase: passphrase for ownerKeyFile.  Omit if the
+        @param sslKeyFile: corresponding private key file.  See explanation
+        for sslCertFile
+        @param sslKeyFilePassphrase: passphrase for sslKeyFile.  Omit if the
         private key is not password protected.
         @return none
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
         if not ownerCertFile or not ownerKeyFile:
+        if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 ownerCertFile = os.path.join(globusLoc,
+                sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
                 ownerKeyFile = os.path.join(globusLoc,
+                sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
             else:
 …
         # Set-up SSL connection
         conn = self._initConnection(ownerCertFile=ownerCertFile,
                                     ownerKeyFile=ownerKeyFile,
                                     ownerPassphrase=ownerPassphrase)
+        conn = self._initConnection(certFile=sslCertFile,
+                                    keyFile=sslKeyFile,
+                                    keyFilePassphrase=sslKeyFilePassphrase)
         conn.connect((self.hostname, self.port))
 …
         if respCode:
             raise MyProxyClientGetError(errorTxt)
     def store(self,
 …
               certFile,
               keyFile,
               ownerCertFile=None,
               ownerKeyFile=None,
               ownerPassphrase=None,
+              sslCertFile=None,
+              sslKeyFile=None,
+              sslKeyFilePassphrase=None,
               lifetime=None,
               force=True):
 …
         @type keyFile: string
         @param keyFile: equivalent private key file in PEM format
         @type ownerCertFile: string
         @param ownerCertFile: certificate used for client authentication with
+        @type sslCertFile: string
+        @param sslCertFile: certificate used for client authentication with
         the MyProxy server SSL connection.  This ID will be set as the owner
         of the stored credentials.  Only the owner can later remove
 …
         this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem or if this
         is not set, certFile
         @type ownerKeyFile: string
         @param ownerKeyFile: corresponding private key file.  See explanation
         for ownerCertFile
         @type ownerPassphrase: string
         @param ownerPassphrase: passphrase for ownerKeyFile.  Omit if the
+        @type sslKeyFile: string
+        @param sslKeyFile: corresponding private key file.  See explanation
+        for sslCertFile
+        @type sslKeyFilePassphrase: string
+        @param sslKeyFilePassphrase: passphrase for sslKeyFile.  Omit if the
         private key is not password protected.  Nb. keyFile is expected to
         be passphrase protected as this will be the passphrase used for
 …
         globusLoc = os.environ.get('GLOBUS_LOCATION')
         if not ownerCertFile or not ownerKeyFile:
+        if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 ownerCertFile = os.path.join(globusLoc,
+                sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
                 ownerKeyFile = os.path.join(globusLoc,
+                sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
             else:
                 # Default so that the owner is the same as the ID of the
                 # credentials to be uploaded.
                 ownerCertFile = certFile
                 ownerKeyFile = keyFile
                 ownerPassphrase = passphrase
+                sslCertFile = certFile
+                sslKeyFile = keyFile
+                sslKeyFilePassphrase = passphrase
         if not force:
             # Check credentials don't already exist
             if self.info(username,
                          ownerCertFile=ownerCertFile,
                          ownerKeyFile=ownerKeyFile,
                          ownerPassphrase=ownerPassphrase)[0]:
+                         sslCertFile=sslCertFile,
+                         sslKeyFile=sslKeyFile,
+                         sslKeyFilePassphrase=sslKeyFilePassphrase)[0]:
                 raise MyProxyCredentialsAlreadyExist(
                         "Credentials already exist for user: %s" % username)
         # Set up SSL connection
         conn = self._initConnection(ownerCertFile=ownerCertFile,
                                     ownerKeyFile=ownerKeyFile,
                                     ownerPassphrase=ownerPassphrase)
+        conn = self._initConnection(certFile=sslCertFile,
+                                    keyFile=sslKeyFile,
+                                    keyFilePassphrase=sslKeyFilePassphrase)
         conn.connect((self.hostname, self.port))
 …
             raise MyProxyClientRetrieveError(errorTxt)
     def logon(self, username, passphrase, lifetime=None, keyPair=None,
               certReq=None, nBitsForKey=PRIKEY_NBITS):

TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClient.cfg

-                      r6829
+                      r6840
 #serverDN=/O=NDG/OU=Raphael/CN=raphael
-# Set "host/" prefix to host cert CN as is default with globus
-serverCNPrefix=host/
 # This directory path is used to locate the OpenSSL configuration file
+#

TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClientTest.cfg

-                      r6829
+                      r6840
 username: testuser
 passphrase: testpassword
+signingCertFilePath: $MYPROXYCLIENT_UNITTEST_DIR/testuser.crt
+signingPriKeyFilePath: $MYPROXYCLIENT_UNITTEST_DIR/testuser.key
+ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.crt
+ownerKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.key
+ownerPassphrase: testpassword
+sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.crt
+sslKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.key
+sslKeyFilePassphrase: testpassword
 [test02GetDelegation]
 …
 [test03Info]
 username: testuser
 ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
 ownerKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
 ownerPassphrase: testpassword
+sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
+sslKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
+sslKeyFilePassphrase: testpassword
 [test04ChangePassphrase]
 username: testuser
 ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
 ownerKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
+sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
+sslKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
 passphrase: testpassword
 newPassphrase: testpassword2
 ownerPassphrase: testpassword
+sslKeyFilePassphrase: testpassword
 [test05Destroy]
 username: testuser
+ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
+ownerKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
+ownerPassphrase: testpassword
+sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
+sslKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
+sslKeyFilePassphrase: testpassword
+[test07Put]
+username: proxytestuser
+passphrase: proxypassword
+userCertFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.crt
+userKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.key
+sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.crt
+sslKeyFile: $MYPROXYCLIENT_UNITTEST_DIR/testuser.key
+sslKeyFilePassphrase: testpassword

TI12-security/trunk/MyProxyClient/myproxy/test/proxy.crt

-                      r6837
+                      r6840
 -----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIEeVU+zzANBgkqhkiG9w0BAQUFADAlMRAwDgYDVQQKEwdH
+YWJyaWVsMREwDwYDVQQDEwh0ZXN0dXNlcjAeFw0xMDA0MjExNTMxMjVaFw0xMDA0
+MjIwOTM2MjVaMDoxEDAOBgNVBAoTB0dhYnJpZWwxETAPBgNVBAMTCHRlc3R1c2Vy
+MRMwEQYDVQQDEwoyMDM1NjI5Nzc1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA3xsYzad74OW10LnCPO+DRZDbhin7/L1E8XKdPKrmau0Gt1HrpEiXsAa4
+WwhdCJZ/i/eDwRCNQDvcqQ6O4fBpyl3pk3LOjZOHsZir1ya8pODOjhfQI4hRY1Da
+R7PIh2woa13qFj0lTlaeYMEtxcC6Mp1q/wdnAzIJtQgXlVlPfB4cnQBFp8q5+8RO
+ZGe8ie2yHT9mo02ymoKwtWHUJbhLc7LFkV1D9/GdtmfrfyOd8oOleGM9p29omtA8
+qnnaj2oqr5XvEFu3ThxSC0Y3QI16QKJCdK+0PyEtj5NZ3OqtYK+GnkgLftKfjUL
+c078kBWkcwS042lIMhmgAjM0hD7ZwIDAQABoyEwHzAdBggrBgEFBQcBDgEB/wQO
+MAwwCgYIKwYBBQUHFQEwDQYJKoZIhvcNAQEFBQADgYEAlyn+pgDT0AuKZpBRdLLN
+lbNBVlVrOz1tBvBpyuuzhuS8GpAO7AJb8FuvyWNqXPSjSXzzm6CDFX0pXKuaA0VM
+QZ/gG61o1ky2xhbJfgMxousIyu32YlPfUrmv5xM7pgl3NCuK67fJMC13hjq+RkT1
+wDMNhY1ngTo1sxV8UnKjcx0=
+MIIDfTCCAuagAwIBAgIEVu1r4TANBgkqhkiG9w0BAQUFADAlMRAwDgYDVQQKEwdH
+YWJyaWVsMREwDwYDVQQDEwh0ZXN0dXNlcjAeFw0xMDA0MjIxMTI3MjNaFw0xMDA0
+MjMwNTMyMjNaMDoxEDAOBgNVBAoTB0dhYnJpZWwxETAPBgNVBAMTCHRlc3R1c2Vy
+MRMwEQYDVQQDEwoxNDU4NDAwMjI1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAocqzpomfIySbinA99pxwS5xcGAIbh9OUoZsxk3BNm4ECImacUdfV3xLF
+g10hjOUVzA7TQJ4avOHhf8xmmGBczQw92u/eMzrHJq398MqHjjCyqhXW9A9aINeR
+gdPRV8ccCLoLJMI8fGdCjr+rWhC8MK6XJa0VtTzy56Yk3tXt1imXyFGJAbkZMz4
+nofmUOVfBv6MVqSB+IL1kVJu3K19DOGMXBEFiJZdSHGER8MOuZeQxfibGAWdLMV9
+i13sz3tAIpjh4ztGFeMjX0s9bvLeAPRMsIM84PdxzUTRNGvZGOuTTn+cA0ZCespY
+FKOewP5mnkCjUM9MOeuQMv6M9wloGoVIGPUvx38Xt0pL4Ku+TD4fVyWLfkN+XnfL
+CXpWl9+SIjEiA3VN/MTgDsLCM4lfoHZohVJEE9K61FKxNP2lLTlh+t6FEzLxcCPD
+b6RMFaGb0pHxWDwp9NXYJuHMzUH21OmckMTzXgGU/tgtm/Q+ssIdGr/h0YpzzWK0
+LMg2oM8Z2YGpHryN7xYXWdxqkI6fv7a7tyW1Dh2460OyyoPY7fB5lDkskAm9eiEw
+raqbN7iGC57gUVaZbsp9Y3xqZThJBDlrwN/KRa0VmHWuxpseeaGm2sE85UNMwYnS
+smnbUbw3SMz8rETgMqHqrtwHkdc3+YJV86xVRGZWDItEclBO8TkCAwEAAaMhMB8w
+HQYIKwYBBQUHAQ4BAf8EDjAMMAoGCCsGAQUFBxUBMA0GCSqGSIb3DQEBBQUAA4GB
+AMl7p7tyPuzYHtwRI86UrpuBZydPhaPFH2LFWHWW3mmBLnoWH2dhTLdPpsfn6W4G
+/iCZZGf09zR/VgVZvqAuLZagMTY4hn2GGjbOgfF/+pt+4GUGBoJMyX0tG/ksh3T5
++009F3GkkP/9WwGjM7QCIoaaJbCsT41iw8h+dPwHHNdi
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----

TI12-security/trunk/MyProxyClient/myproxy/test/proxy.key

-                      r6837
+                      r6840
 -----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA3xsYzad74OW10LnCPO+DRZDbhin7/L1E8XKdPKrmau0Gt1Hr
+pEiXsAa4WwhdCJZ/i/eDwRCNQDvcqQ6O4fBpyl3pk3LOjZOHsZir1ya8pODOjhfQ
+I4hRY1DaR7PIh2woa13qFj0lTlaeYMEtxcC6Mp1q/wdnAzIJtQgXlVlPfB4cnQBF
+p8q5+8ROZGe8ie2yHT9mo02ymoKwtWHUJbhLc7LFkV1D9/GdtmfrfyOd8oOleGM9
+p29omtA80qnnaj2oqr5XvEFu3ThxSC0Y3QI16QKJCdK+0PyEtj5NZ3OqtYK+Gnkg
+LftKfjUL1c078kBWkcwS042lIMhmgAjM0hD7ZwIDAQABAoIBAQDMuCiCTPS24RF8
+fXdmQsDJzKoi6dN3jpT8mJb/XDIiW2yWOm1nSdUmiIQRxBLaFn7jCDO1rGJwVn2c
+AufJGrl4H8R8sBQohP82T0kfG0RuZnoimGc8s5E6+K3SrX2MBgrwujRaQ7E/uOuL
+DLfbhYVVfGz5puk3XWra2poJSPJOh/vigFF9mrKUSMNHr9wfRr9nPCMBLv7MUkwW
+OsrFCEQpm75myJT82mWiGaKrSz8y4rvrPq2XhalnJ0DeeXFB3wU+h90McG3tL1PT
+cKoPfU9yYtTBgxJHwFnrjS87jg8RgExm9PX03VPzErXjHbTpl3z9PGU2asNhCOv
++Qjsj/jBAoGBAPnhuzgJqnYEWDzs6D3QM3EorD4I2lhi+6cURqD6C0AbFyQjvXqG
++mD46Vn9Vdymzcf8pXtT0QHmrfZWBoRB/SeuhOr6YblQdH9YaNSXojtixp0S4O5
+oYDjRiwKpny0oB4c71QXPezoMNELdhb5x8HoZKvBRW8TOFTID029yE3TAoGBAOSR
+iHekrljQLNyk0DnVZymRQIdkmW1gWyvr7q8rdWzxaxEE+VamO8CtQhUYyk9cuD8m
++r/P+cquLcEpKJhpP8DuOte2g5cPtlHnMNnCoAIkCFYLUpU9ynhNO4I0bq+cSnkQ
+Fwy6DhquW5efNFCltDUO/Ucp8Xo2ot8Y+sDbBudAoGBAOCEzxgxryStEK9lWeK4
+YJBLMD/o6m7COUTNNgzLvjISZT+GkWg3KZcCdxeWid3Rzt6/6NKHUFJa1sxcEAoT
+xWco+x5Tt9cJxJMuLH13tBMqBHN3jKZFs3RAQTuvMhoYnUmRTATtgSmNEtexiaBp
+O+/hpBqi5IVB6rpaq015uTEbAoGBAODjmGQvsiNMYHeP6hidMe2iLt2IS7VkUxA6
+CRRtLBJOzstmG3X4BV6kmhpr09KWJeptDdZgaSPUkMw3FOww0jufqmHIAF1HZlnb
+oSMA7bJthY4zgcO5klcflmeb8zPyEQxhXI+Svw2TZHOFoEW8wOsjhwK6eRCu9Si8
+QqwyVO5AoGAf6j/gey0WC0iOKfqCyMLdNo+M89ZVn4IFkhfoi6DwCK267cijame
+DcLmr0Za8pGkCIxPlOk7Pogjpd1nPNqhjJp0xZlLMZE+e1/T6OMPE4rFvZBwekC7
+L8tXaFgdgISSCpi6wRCS5omokEY4QpYVtJJmowwLTwnq4GO0Cl6pjG8=
+MIIJJwIBAAKCAgEAocqzpomfIySbinA99pxwS5xcGAIbh9OUoZsxk3BNm4ECImac
+UdfV3xLFg10hjOUVzA7TQJ4avOHhf8xmmGBczQw92u/eMzrHJq398MqHjjCyqhXW
+A9aINeR8gdPRV8ccCLoLJMI8fGdCjr+rWhC8MK6XJa0VtTzy56Yk3tXt1imXyFG
+JAbkZMz4nofmUOVfBv6MVqSB+IL1kVJu3K19DOGMXBEFiJZdSHGER8MOuZeQxfib
+GAWdLMV9i13sz3tAIpjh4ztGFeMjX0s9bvLeAPRMsIM84PdxzUTRNGvZGOuTTn+c
+A0ZCespYFKOewP5mnkCjUM9MOeuQMv6M9wloGoVIGPUvx38Xt0pL4Ku+TD4fVyWL
+fkN+XnfLCXpWl9+SIjEiA3VN/MTgDsLCM4lfoHZohVJEE9K61FKxNP2lLTlh+t6F
+EzLxcCPDb6RMFaGb0pHxWDwp9NXYJuHMzUH21OmckMTzXgGU/tgtm/Q+ssIdGr/h
+YpzzWK0LMg2oM8Z2YGpHryN7xYXWdxqkI6fv7a7tyW1Dh2460OyyoPY7fB5lDks
+kAm9eiEwraqbN7iGC57gUVaZbsp9Y3xqZThJBDlrwN/KRa0VmHWuxpseeaGm2sE8
+UNMwYnSsmnbUbw3SMz8rETgMqHqrtwHkdc3+YJV86xVRGZWDItEclBO8TkCAwEA
+AQKCAgB2aB3gZNnFY3Y98/U1Nbpta6pum6RAXJVrTGQU7lyt0NWaDZSbxSUt09Qf
+VppGPiYcqEDtCoiw8XMSD6qKHAPuwOXIBEKPJZY4dZ/iiKZ6ZqNrHP6qsU2ZuYqD
+Idxe/cOXQcS/UoB6aQQwR4q5qBNNloXDWzvyTHl77L7nOJ6yfTuNZZGqriyapPPT
+OcxSKfvI56QXiN/h2x4TU8v0zzc0pSEPBBoTo0/zw7g2uMdfBlCawl3nT7x+1q4R
+wBSeqCoA5/hxT6D0Rb5OcIcuWqok8qXpjLKSRiXQP2wIPGGu/kFZcsTgFJx0tv+N
+Y029GrJJYS7k5kF4JjDrUSYjaYv4quegyFGUiYlaYsL/GY1jPYS26jOSuCvxovBM
+zGZQ1foBN/vZ8gzislQtWhmCgspXW0JVVG5VE8RgLKbim30uIh0ck+VTpjpvPamI
+HgrAn6BKaFJhQNuKuRneWl3XS9YM+ieXHehkbLWRhl4QG2xPkCe9hAecEM3Pd0D1
+US2exElUHHRE2WmcgvdRxKcqkwHn74nS/ic2K9JFumEkxqKlCDno16tK6vuseycH
++ygiUzEbmCSYu3NfHay4L00Ogzr9QMA4YbLnEUbBZ6kl/n30mgNYRQ9SjXXYSpKM
+DhtehH6B5Um/62Ahkq+6Kr3Ea3K9EGam2FdGstkJ8VQqgtCQcQKCAQEAzeP3lbqm
+gNQvpc9TiRvGqFsCSeBw/KNpg9IrIBQjrNbtvDJqh051JBQioOwjfW7p5QNXI
+mRT3YhOYv9Pq3cCEOiKsbYAPBcbDPW5gSceiqcnT4ErK/1N+7Obfn34oa5e3g3mE
+AHwk/q0e1grXNBuDkXomhg9l6nalU/DmJG2B/0Qm6hDRN0hAkdRWjPpaLrtF++7
+Z3TMxfYy2Gj1Wbp2gNpLtZeCw1fznz1vkG76WECddHLAgphG37KLCREWUsyspW2K
+qbANYAASUlulVMv8iZA+K+yLDPk5uXwleCBDvmLbmWXKa76KqNXjarVIbBusyI
+tnAt1U30aeBy7QKCAQEAySso/V0ty/vhrxQSPosqmDLjbOvZJDX863jDvWlndlj9
+aZIR0tIVk2hnM+hD0enAjnz1+OmTVAdLCmaK4HNZTVM2eE7pWVUaufLM40b9xotC
+DAiDCNEt2UtAU78+co8yQPg3tBZyoDdVqFgvF/VskODNCNesIipFjOIjZCSewX
+QPGUQ/5mY9kXtkfziOvQO9B4y+6qTJ/9WlFtJbzHWKPr4vILrPG7Re/7NVLKG74G
+I/+xJn8eiE7j2okDB8hhIIe6GwkErvUUnmVW3Sl4lSuSaYlkvLFLL8tmauJHyvPW
+f6yxdeVFCUrRsMSzrbeF6ss7v5inkHN6mYOAr7Yx/QKCAQBs70gI5af5gsuupW3Q
+hntuk+Cthxg4CqH0SI7x9Bfeahig5lncLlie8WI4EpuIGKqtCt2qyzIGpMw7DSlN
+nZ9v0rNjWwMmMJJCOScF8sdpYgITmaDL1GbRbukCCSmaZpKWUsCbBImkSAJ1GTmy
+TSUOAdy79Qg6+ByxUDMrVZM/BN26JOH+CAXaHRVk0xc0IiXjAd0GbhrBaZuu1Ot
+ouLlpb2bcWSLYO2j034n68aCgeVdGlr0yN5Ieq9NHldn5a2NA5P5Nxs+bVPDvnZk
+JLZwfz9LXaRwJOFSqBI8BB/oiIpXGSYxXTdMMD/N26dOiNhfsakA38UZ2gK2EDfY
+aRQFAoIBAHxu4Anoix10DmNXjPl258ABKkADmusVIf8dUiZlfoPsA8Q7gB7hqErn
+aGylK57q7fQKcqG7/m+ExEJJJh2GXKUg9t4V0aPXARBAJp4waNCjTr8QOFBUp
+ToQUAMObpu7OzXHM2eXQTRdYCOG4M8Yg0zoF/p2CXB9AdzEeUt6a1L9tLwLn57m3
+XT15QCDfjIyTJUUvudNv2yz01QjUvpILwys8ARDW7boS+VZAgZercOzvikp/swkp
+kzNoMKGtxrZyfiGe8HCwVDKuCI8Ayf+rVgNF4zP8jr9fl1hh43qcXX/X+GUujgdz
+akVnRqUbshBL6gdXi76ET7+JYh5OGpkCggEACVn9R8R9HU1NCX/Vu+wSmA5QWQ3g
+Jego0/GFYStzaxOE9GjgJF/Mmpdgv/q0xG7YXMVSgQ+2vjpFvfiFeonCBZngS7rS
+S3R5NRWbbMVg0UOBviML8j+tpIWV0mvb/fLtpjfn5kdGuG+zxDYuxYJliha0Jsm2
+M+pkdTkraHjIzjVriH+yi90iTkLc93QQgVDD6ol7lV2n5XEfqoM6sTkUaQyNusD
+iX4wBp02Xxda70nW15G+KPmibl/7IJdNP07BMbdO+tGSYug3R0iX+GOVsnozF6CV
+W91hTP2E/UI4eB20vgJPnAt0n4GmSTX8IGhM5sAhPBEanttf6o5luXH0Q==
 -----END RSA PRIVATE KEY-----

TI12-security/trunk/MyProxyClient/myproxy/test/test_myproxyclient.py

-                      r6837
+                      r6840
                                                 "pass-phrase: ")
         ownerPassphrase = thisSection.get('ownerPassphrase')
         if ownerPassphrase is None:
             ownerPassphrase = getpass.getpass(prompt="\ntest1Store credential "
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(prompt="\ntest1Store credential "
                                                      " owner pass-phrase: ")
         certFile = path.expandvars(thisSection['signingCertFilePath'])
         keyFile = path.expandvars(thisSection['signingPriKeyFilePath'])
         ownerCertFile = path.expandvars(thisSection['ownerCertFile'])
         ownerKeyFile = path.expandvars(thisSection['ownerKeyFile'])
+        sslCertFile = path.expandvars(thisSection['sslCertFile'])
+        sslKeyFile = path.expandvars(thisSection['sslKeyFile'])
         self.clnt.store(thisSection['username'],
 …
                         certFile,
                         keyFile,
                         ownerCertFile=ownerCertFile,
                         ownerKeyFile=ownerKeyFile,
                         ownerPassphrase=ownerPassphrase,
+                        sslCertFile=sslCertFile,
+                        sslKeyFile=sslKeyFile,
+                        sslKeyFilePassphrase=sslKeyFilePassphrase,
                         force=False)
         print("Store creds for user %s" % thisSection['username'])
 …
         thisSection = self.cfg['test03Info']
         # ownerPassphrase can be omitted from the congif file in which case
+        # sslKeyFilePassphrase can be omitted from the congif file in which case
         # the get call below would return None
         ownerPassphrase = thisSection.get('ownerPassphrase')
         if ownerPassphrase is None:
             ownerPassphrase = getpass.getpass(prompt="\ntest3Info owner "
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(prompt="\ntest3Info owner "
                                               "credentials passphrase: ")
         credExists, errorTxt, fields = self.clnt.info(
                                  thisSection['username'],
                                  path.expandvars(thisSection['ownerCertFile']),
                                  path.expandvars(thisSection['ownerKeyFile']),
                                  ownerPassphrase=ownerPassphrase)
+                                 path.expandvars(thisSection['sslCertFile']),
+                                 path.expandvars(thisSection['sslKeyFile']),
+                                 sslKeyFilePassphrase=sslKeyFilePassphrase)
         print "test3Info... "
         print "credExists: %s" % credExists
 …
                 self.fail("New and confirmed new password don't match")
         ownerPassphrase = thisSection.get('ownerPassphrase') or passphrase
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase') or passphrase
         self.clnt.changePassphrase(thisSection['username'],
                                passphrase,
                                newPassphrase,
                                path.expandvars(thisSection['ownerCertFile']),
                                path.expandvars(thisSection['ownerKeyFile']),
                                ownerPassphrase=ownerPassphrase)
+                               path.expandvars(thisSection['sslCertFile']),
+                               path.expandvars(thisSection['sslKeyFile']),
+                               sslKeyFilePassphrase=sslKeyFilePassphrase)
         print("Changed pass-phrase")
 …
         thisSection = self.cfg['test05Destroy']
         ownerPassphrase = thisSection.get('ownerPassphrase')
         if ownerPassphrase is None:
             ownerPassphrase = getpass.getpass(prompt="\ntest5Destroy "
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(prompt="\ntest5Destroy "
                                               "credential owner passphrase: ")
         self.clnt.destroy(thisSection['username'],
                   ownerCertFile=path.expandvars(thisSection['ownerCertFile']),
                   ownerKeyFile=path.expandvars(thisSection['ownerKeyFile']),
                   ownerPassphrase=ownerPassphrase)
+                      sslCertFile=path.expandvars(thisSection['sslCertFile']),
+                      sslKeyFile=path.expandvars(thisSection['sslKeyFile']),
+                      sslKeyFilePassphrase=sslKeyFilePassphrase)
         print("Destroy creds for user %s" % thisSection['username'])
 …
                 self.assert_(subj)
                 print("Trust root certificate retrieved with DN=%s" % subj)
+    def test07Put(self):
+        # Make a new credential on the server and a proxy certificate to it
+        thisSection = self.cfg['test07Put']
+        response = self.clnt.put(
+                     thisSection['username'],
+                     thisSection['passphrase'],
+                     path.expandvars(thisSection['userCertFile']),
+                     path.expandvars(thisSection['userKeyFile']),
+                     sslCertFile=path.expandvars(thisSection['sslCertFile']),
+                     sslKeyFile=path.expandvars(thisSection['sslKeyFile']),
+                     sslKeyFilePassphrase=thisSection['sslKeyFilePassphrase'])
 from myproxy.utils.openssl import OpenSSLConfigError
 …
             os.environ['MYPROXY_SERVER_DN'] = '/O=NDG/OU=Raphael/CN=raphael'
             os.environ['MYPROXY_SERVER_PORT'] = '20000'
+            client = MyProxyClient(serverCNPrefix='',
+                                   openSSLConfFilePath=mkPath('openssl.conf'),
+            client = MyProxyClient(openSSLConfFilePath=mkPath('openssl.conf'),
                                    proxyCertMaxLifetime=60000,
                                    proxyCertLifetime=30000,
 …
             self.assert_(client.caCertFilePath == mkPath('ndg-test-ca.crt'))
         finally:
+            os.environ = environBackup
+            os.environ = environBackup
     def test02SetProperties(self):
 …
         self.assert_(
                 client.caCertDir == mkPath('/etc/grid-security/certificates'))
 if __name__ == "__main__":

TI12-security/trunk/MyProxyClient/myproxy/utils/init.py

-                      r6069
+                      r6840
 config files.
 NERC Data Grid Project
+NERC DataGrid Project
 """
 __author__ = "P J Kershaw"
 …
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
+from ConfigParser import SafeConfigParser
+class CaseSensitiveConfigParser(SafeConfigParser):
+    '''Subclass the SafeConfigParser - to preserve the original string case of
+    config section names
+    '''
+    def optionxform(self, optionstr):
+        '''Extend SafeConfigParser.optionxform to preserve case of option names
+        '''
+        return optionstr

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: