Commit 034c3621 authored by Opi Danihelka's avatar Opi Danihelka

Certificate chain is used instead of a single file.

parent 61a1ce31
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFnDCCBISgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJDWjEs
MCoGA1UECgwjxIxlc2vDoSBwb8WhdGEsIHMucC4gW0nEjCA0NzExNDk4M10xHjAc
BgNVBAMTFVBvc3RTaWdudW0gUm9vdCBRQ0EgMjAeFw0xMDAxMTkwODA0MzFaFw0y
NTAxMTkwODA0MzFaMFsxCzAJBgNVBAYTAkNaMSwwKgYDVQQKDCPEjGVza8OhIHBv
xaF0YSwgcy5wLiBbScSMIDQ3MTE0OTgzXTEeMBwGA1UEAxMVUG9zdFNpZ251bSBS
b290IFFDQSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoFz8yBxf
2gf1uN0GGXknvGHwurpp4Lw3ZPWZB6nEBDGjSGIXK0Or6Xa3ZT+tVDTeUUjT133G
7Vs51D6z/ShWy+9T7a1f6XInakewyFj8PT0EdZ4tAybNYdEUO/dShg2WvUyfZfXH
0jmmZm6qUDy0VfKQfiyWchQRi/Ax6zXaU2+X3hXBfvRMr5l6zgxYVATEyxCfOLM9
a5U6lhpyCDf2Gg6dPc5Cy6QwYGGpYER1fzLGsN9stdutkwlP13DHU1Sp6W5ywtfL
owYaV1bqOOdARbAoJ7q8LO6EBjyIVr03mFusPaMCOzcEn3zL5XafknM36Vqtdmqz
iWR+3URAUgqE0wIDAQABo4ICaTCCAmUwgaUGA1UdHwSBnTCBmjAxoC+gLYYraHR0
cDovL3d3dy5wb3N0c2lnbnVtLmN6L2NybC9wc3Jvb3RxY2EyLmNybDAyoDCgLoYs
aHR0cDovL3d3dzIucG9zdHNpZ251bS5jei9jcmwvcHNyb290cWNhMi5jcmwwMaAv
oC2GK2h0dHA6Ly9wb3N0c2lnbnVtLnR0Yy5jei9jcmwvcHNyb290cWNhMi5jcmww
gfEGA1UdIASB6TCB5jCB4wYEVR0gADCB2jCB1wYIKwYBBQUHAgIwgcoagcdUZW50
byBrdmFsaWZpa292YW55IHN5c3RlbW92eSBjZXJ0aWZpa2F0IGJ5bCB2eWRhbiBw
b2RsZSB6YWtvbmEgMjI3LzIwMDBTYi4gYSBuYXZhem55Y2ggcHJlZHBpc3UvVGhp
cyBxdWFsaWZpZWQgc3lzdGVtIGNlcnRpZmljYXRlIHdhcyBpc3N1ZWQgYWNjb3Jk
aW5nIHRvIExhdyBObyAyMjcvMjAwMENvbGwuIGFuZCByZWxhdGVkIHJlZ3VsYXRp
b25zMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQW
BBQVKYzFRWmruLPD6v5LuDHY3PDndjCBgwYDVR0jBHwweoAUFSmMxUVpq7izw+r+
S7gx2Nzw53ahX6RdMFsxCzAJBgNVBAYTAkNaMSwwKgYDVQQKDCPEjGVza8OhIHBv
xaF0YSwgcy5wLiBbScSMIDQ3MTE0OTgzXTEeMBwGA1UEAxMVUG9zdFNpZ251bSBS
b290IFFDQSAyggFkMA0GCSqGSIb3DQEBCwUAA4IBAQBeKtoLQKFqWJEgLNxPbQNN
5OTjbpOTEEkq2jFI0tUhtRx//6zwuqJCzfO/KqggUrHBca+GV/qXcNzNAlytyM71
fMv/VwgL9gBHTN/IFIw100JbciI23yFQTdF/UoEfK/m+IFfirxSRi8LRERdXHTEb
vwxMXIzZVXloWvX64UwWtf4Tvw5bAoPj0O1Z2ly4aMTAT2a+y+z184UhuZ/oGyMw
eIakmFM7M7RrNki507jiSLTzuaFMCpyWOX7ULIhzY6xKdm5iQLjTvExn2JTvVChF
Y+jUu/G0zAdLyeU4vaXdQm1A8AEiJPTd0Z9LAxL6Sq2iraLNN36+NyEK/ts3mPLL
-----END CERTIFICATE-----
\ No newline at end of file
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
......@@ -16,7 +16,7 @@ Built in packages:
2. Configure settings
-----------------------
Copy settings_local.py.example into settings_local.py and fill in the values that are specific for this installation - edit paths 'BASE_SHARE_DIR' and 'MEDIA_ROOT'.
Copy settings_local.py.example into settings_local.py and fill in the values that are specific for this installation - edit paths 'BASE_SHARE_DIR', 'MEDIA_ROOT' and 'NOTARY_CERTIFICATE_FILE'.
--------------------------
......
......@@ -9,6 +9,7 @@ import libxml2
import xmlsec
import yaml
import os
log = logging.getLogger(__name__)
......@@ -154,29 +155,34 @@ def destroy():
# cannot cleanup parser, because lxml also uses libxml and we get some segfaults....
pass
def get_keymanager(certificate_file):
def get_keymanager(certificate_files):
mngr = xmlsec.KeysMngr()
if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0:
print "Error: failed to initialize keys manager."
mngr.destroy()
return False
if mngr.certLoad(certificate_file, xmlsec.KeyDataFormatPem,
xmlsec.KeyDataTypeTrusted) < 0:
print "Error: failed to load pem certificate from \"%s\"", file
mngr.destroy()
return None
for cert in certificate_files:
if mngr.certLoad(cert, xmlsec.KeyDataFormatPem, xmlsec.KeyDataTypeTrusted) < 0:
print "Error: failed to load pem certificate from \"%s\"", file
mngr.destroy()
return None
return mngr
def verify_xml(certificate_file, xml_data):
def verify_xml(certificate_path, xml_data):
"""
Returns an integer from the SIGNATURE_* set described above in this module.
Anything other than SIGNATURE_VALID means the signature is not OK.
SIGNATURE_INVALID means the signature does not match, the rest is some kind
of error state.
"""
certificate_files = [os.path.join(certificate_path, f) for f in os.listdir(certificate_path)]
init()
mngr = get_keymanager(certificate_file)
mngr = get_keymanager(certificate_files)
if not mngr:
raise Exception("KeyManager init error")
......
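Review bot: The error path kept on the new side at line 72 still prints the Python 2 builtin `file` and never applies the `%` format, so the message names nothing useful when a certificate fails to load; the loop variable is the right operand: `print "Error: failed to load pem certificate from \"%s\"" % cert`. At line 84 every directory entry is handed to `certLoad` as a trusted anchor in `os.listdir` order, so any stray file dropped in the directory (an editor backup, a README, or a private key stored alongside) either becomes a trust anchor or aborts verification with "KeyManager init error"; restricting to PEM names and fixing the order is one line, `certificate_files = sorted(os.path.join(certificate_path, f) for f in os.listdir(certificate_path) if f.endswith(".pem"))`. The docstring of `verify_xml` was not updated for the parameter change and should say that `certificate_path` is now a directory and that every certificate in it is loaded as trusted; `get_keymanager` deserves a one-line docstring stating it returns `None`/`False` on failure. The body of `verify_xml` continues outside the hunk.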
......@@ -27,6 +27,8 @@ def finish_order(request):
# check signature
sig_ok = None
res = podepsano.verify_xml(settings.NOTARY_CERTIFICATE_PATH, xml_data)
#res = podepsano.verify_xml("/home/opi/prog/NIC/podepsano_mock/cert/", xml_data)
#res = podepsano.verify_xml(["/home/opi/prog/NIC/podepsano_mock/cert/postsignum_qca2_root.pem", "/home/opi/prog/NIC/podepsano_mock/cert/postsignum_qca2_sub.pem"], xml_data)
if res == podepsano.SIGNATURE_VALID:
sig_ok = True
elif res == podepsano.SIGNATURE_INVALID:
......
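Review bot: Lines 95–96 add commented-out calls carrying a developer's home-directory paths, which are dead code in the file; delete them rather than keep them as an alternative to the `settings.NOTARY_CERTIFICATE_PATH` call on line 94. If the old single-file form is worth remembering, a short comment such as `# NOTARY_CERTIFICATE_PATH is a directory; all certificates in it are trusted` documents the contract without the paths. The enclosing `finish_order` starts and ends outside the hunk.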
......@@ -5,6 +5,8 @@ import os
from settings_local import BASE_SHARE_DIR
from settings_local import MEDIA_ROOT
from settings_local import NOTARY_CERTIFICATE_FILE
def basedir_share(folder = ''):
return os.path.normpath(os.path.join(BASE_SHARE_DIR, folder))
......@@ -13,8 +15,9 @@ TEMPLATE_DEBUG = DEBUG
NOTARY_SCHEMA_FILE = basedir_share("../xsd/schema.xsd")
NOTARY_CERTIFICATE_PATH = basedir_share("../cert/podepsano_public_certificate.pem")
NOTARY_PRIV_KEY_PATH = basedir_share("../cert/podepsano_private_key.pem")
NOTARY_CERTIFICATE_PATH = basedir_share(NOTARY_CERTIFICATE_FILE)
#NOTARY_CERTIFICATE_PATH = basedir_share("../cert/podepsano_public_certificate.pem")
#NOTARY_PRIV_KEY_PATH = basedir_share("../cert/podepsano_private_key.pem")
ADMINS = (
# ('Your Name', 'your_email@domain.com'),
......
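Review bot: The setting added on line 111 derives `NOTARY_CERTIFICATE_PATH` from a value named `NOTARY_CERTIFICATE_FILE` that, per `settings_local.py.example`, holds a directory, and it is passed through `basedir_share`, which joins it onto `BASE_SHARE_DIR`; that only yields the intended path when the configured value is absolute (`os.path.join` then discards `BASE_SHARE_DIR`), while a relative value would silently resolve under the share directory. A comment on line 111 such as `# directory, not a file: every certificate in it is loaded as trusted` would make the contract explicit, and renaming the setting to end in `_DIR` in both `settings.py` and `settings_local.py.example` would be clearer. Line 113 also comments out `NOTARY_PRIV_KEY_PATH`; if any other module still reads it, that reference now fails, which I cannot confirm from this hunk.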
......@@ -4,6 +4,8 @@ BASE_URL = 'podepsano/'
#BASE_URL = ''
### EDIT ME!!!
NOTARY_CERTIFICATE_FILE = "/PATH_TO/podepsano/cert/" # directory with certificates
MEDIA_ROOT = '/PATH_TO/podepsano_mock/media/'
BASE_SHARE_DIR = '/PATH_TO/podepsano_mock/notary/'
###
\ No newline at end of file