From: Tony Mack Date: Thu, 10 Jun 2010 18:16:05 +0000 (+0000) Subject: merge with geni_api branch X-Git-Tag: sfa-1.0-0~174 X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=731ec9fdd043e15f1f1da3b4a42f0cb7a941f835 merge with geni_api branch --- diff --git a/config/geni_aggregates.xml b/config/geni_aggregates.xml index 4630736c..e744134b 100644 --- a/config/geni_aggregates.xml +++ b/config/geni_aggregates.xml @@ -1,3 +1,3 @@ - + diff --git a/sfa/managers/geni_am_pl.py b/sfa/managers/geni_am_pl.py index 1637d0b3..de7d27a5 100644 --- a/sfa/managers/geni_am_pl.py +++ b/sfa/managers/geni_am_pl.py @@ -16,7 +16,6 @@ from lxml import etree def GetVersion(): version = {} version['geni_api'] = 1 - version['geni_stitching'] = False return version diff --git a/sfa/trust/hierarchy.py b/sfa/trust/hierarchy.py index e277ec51..6ab509e1 100644 --- a/sfa/trust/hierarchy.py +++ b/sfa/trust/hierarchy.py @@ -251,6 +251,7 @@ class Hierarchy: parent_auth_info = self.get_auth_info(parent_hrn) gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn) gid.set_parent(parent_auth_info.get_gid_object()) + gid.set_intermediate_ca(True) gid.set_pubkey(pkey) gid.encode() diff --git a/sfa/util/server.py b/sfa/util/server.py index e6d3f3be..0151e5b8 100644 --- a/sfa/util/server.py +++ b/sfa/util/server.py @@ -25,7 +25,7 @@ from sfa.util.faults import * from sfa.plc.api import SfaAPI from sfa.util.cache import Cache from sfa.util.debug import log - +from sfa.util.sfalogging import logger ## # Verification callback for pyOpenSSL. We do our own checking of keys because # we have our own authentication spec. Thus we disable several of the normal 
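Review bot: `gid.set_intermediate_ca(True)` is applied unconditionally to every GID built by this function, whose name and start lie outside the hunk; if the same path also mints user, slice or node GIDs, each of those leaves becomes a certificate that can issue further GIDs, and those chains would now be accepted by the relaxed server-side verify_callback in this same commit. If the function only ever creates authority GIDs, say so at the call site: `# authority GIDs sign their children's GIDs, so flag this one as a CA; leaf (user/slice/node) GIDs must not pass through here`; otherwise gate the call on the object type. No path-length constraint is visible either way, so chain length is bounded only by the server's `set_verify_depth`, which is worth stating in the same comment.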
@@ -37,10 +37,6 @@ def verify_callback(conn, x509, err, depth, preverify): #print " preverified" return 1 - # we're only passing single certificates, not chains - if depth > 0: - #print " depth > 0 in verify_callback" - return 0 # the certificate verification done by openssl checks a number of things # that we aren't interested in, so we look out for those error messages @@ -62,6 +58,10 @@ def verify_callback(conn, x509, err, depth, preverify): #print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" return 1 + # allow chained certs with self-signed roots + if err == 19: + return 1 + # allow certs that are untrusted if err == 21: #print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" @@ -149,9 +149,12 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None) SocketServer.BaseServer.__init__(self, server_address, HandlerClass) ctx = SSL.Context(SSL.SSLv23_METHOD) - ctx.use_privatekey_file(key_file) + ctx.use_privatekey_file(key_file) ctx.use_certificate_file(cert_file) + # If you wanted to verify certs against known CAs.. this is how you would do it + #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid') ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) + ctx.set_verify_depth(5) ctx.set_app_data(self) self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
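Review bot: The new `if err == 19: return 1` accepts X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN without checking that the self-signed root is one the server trusts; together with the preceding hunk dropping the `depth > 0` rejection, and with no `load_verify_locations` call in effect, OpenSSL will report exactly errors 19, 20 or 21 for any chain a peer presents, so the TLS layer no longer authenticates the peer at all. That may be the intended contract ("we do our own checking of keys"), but it then has to be enforced by the GID/credential verification performed after the handshake, which this diff does not show. At minimum name the constant as the neighbouring branches do and state the contract: `# X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (19): GID chains end in a self-signed root; whether that root is trusted is decided by the application's GID verification, not here`. If the server is ever given trusted roots, this branch and the 20/21 ones would have to be removed, otherwise loading roots has no effect.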
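Review bot: The added comment saying `load_verify_locations` is how you would verify against known CAs is misleading in this file: while verify_callback returns 1 for errors 19, 20 and 21, loading trusted roots changes nothing, because every failure those roots would produce is already whitelisted. Reword it to `# Loading trusted roots here has no effect while verify_callback accepts errors 19/20/21; peer trust is established from the GID after the handshake` so the next maintainer does not assume uncommenting that line turns on CA verification. `ctx.set_verify_depth(5)` is a bare literal: give it a module-level name with the reason for 5 (presumably the maximum SFA authority nesting, worth confirming); a chain deeper than that fails with X509_V_ERR_CERT_CHAIN_TOO_LONG (22), which the parts of the callback visible here do not whitelist, so this is effectively the only remaining TLS-level limit and deserves a comment. The `use_privatekey_file` line appears to change only in whitespace, and the `__init__` body continues beyond the hunk.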