From b22daf424a6fb4b43dd8b95410881586475a5e1d Mon Sep 17 00:00:00 2001 From: Josh Karlin Date: Tue, 8 Jun 2010 14:33:21 +0000 Subject: [PATCH] Add in check for authority as signer of cert/cred --- sfa/trust/credential.py | 54 +++++++++++++++++++++++++++++++++++------ sfa/trust/gid.py | 26 ++++++++++++++++++++ 2 files changed, 73 insertions(+), 7 deletions(-) diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index f3fb180b..430cffdd 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -1,3 +1,25 @@ +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- ## # Implements SFA Credentials # @@ -693,13 +715,31 @@ class Credential(object): root_cred = self.get_credential_list()[-1] root_target_gid = root_cred.get_gid_object() root_cred_signer = root_cred.get_signature().get_issuer_gid() - - if root_target_gid.is_signed_by_cert(root_cred_signer) or \ - root_target_gid.save_to_string() == root_cred_signer.save_to_string(): - pass - else: - raise CredentialNotVerifiable("Could not verify credential signer") - + + if root_target_gid.is_signed_by_cert(root_cred_signer): + # cred signer matches target signer, return success + return + + root_target_gid_str = root_target_gid.save_to_string() + root_cred_signer_str = root_cred_signer.save_to_string() + if root_target_gid_str == root_cred_signer_str: + # cred signer is target, return success + return + + # See if it the signer is an authority over the domain of the target + # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn()) + root_cred_signer_type = root_cred_signer.get_type() + if (root_cred_signer_type == 'authority'): + # signer is an authority, see if target is in authority's domain + hrn = root_cred_signer.get_hrn() + domain = hrn[:hrn.rindex('.')] + if root_target_gid.get_hrn().startswith(domain): + # target is in domain of signer's authority + return + + # Give up, credential does not pass issuer verification + raise CredentialNotVerifiable("Could not verify credential signer") + ## # -- For Delegates (credentials with parents) verify that: diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index 99fa0314..9cab1a51 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py @@ -1,3 +1,25 @@ +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- ## # Implements SFA GID. GIDs are based on certificates, and the GID class is a # descendant of the certificate class. @@ -186,7 +208,11 @@ class GID(Certificate): else: # make sure that the trusted root's hrn is a prefix of the child's trusted_gid = GID(string=trusted_root.save_to_string()) + trusted_type = trusted_gid.get_type() trusted_hrn = trusted_gid.get_hrn() + if trusted_type == 'authority': + # Could add a check for type == 'authority' + trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] cur_hrn = self.get_hrn() if not self.get_hrn().startswith(trusted_hrn): raise GidParentHrn(trusted_hrn + " " + self.get_hrn()) -- 2.43.0