merge with geni_api branch
Tony Mack [Thu, 10 Jun 2010 18:16:05 +0000 (18:16 +0000)]
config/geni_aggregates.xml
sfa/managers/geni_am_pl.py
sfa/trust/hierarchy.py
sfa/util/server.py

index 4630736..e744134 100644 (file)
@@ -1,3 +1,3 @@
 <aggregates>
-       <aggregate addr="" hrn="" port=""/>
+       <aggregate addr="" hrn="" port="" url=""/>
 </aggregates>
index 1637d0b..de7d27a 100644 (file)
@@ -16,7 +16,6 @@ from lxml import etree
 def GetVersion():
     version = {}
     version['geni_api'] = 1
-    version['geni_stitching'] = False
     return version
 
 
index e277ec5..6ab509e 100644 (file)
@@ -251,6 +251,7 @@ class Hierarchy:
             parent_auth_info = self.get_auth_info(parent_hrn)
             gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
             gid.set_parent(parent_auth_info.get_gid_object())
+            gid.set_intermediate_ca(True)
 
         gid.set_pubkey(pkey)
         gid.encode()
index e6d3f3b..0151e5b 100644 (file)
@@ -25,7 +25,7 @@ from sfa.util.faults import *
 from sfa.plc.api import SfaAPI
 from sfa.util.cache import Cache 
 from sfa.util.debug import log
-
+from sfa.util.sfalogging import logger
 ##
 # Verification callback for pyOpenSSL. We do our own checking of keys because
 # we have our own authentication spec. Thus we disable several of the normal
@@ -37,10 +37,6 @@ def verify_callback(conn, x509, err, depth, preverify):
        #print "  preverified"
        return 1
 
-    # we're only passing single certificates, not chains
-    if depth > 0:
-       #print "  depth > 0 in verify_callback"
-       return 0
 
     # the certificate verification done by openssl checks a number of things
     # that we aren't interested in, so we look out for those error messages
@@ -62,6 +58,10 @@ def verify_callback(conn, x509, err, depth, preverify):
        #print "  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
        return 1
 
+    # allow chained certs with self-signed roots
+    if err == 19:
+        return 1
+    
     # allow certs that are untrusted
     if err == 21:
        #print "  X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
@@ -149,9 +149,12 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR
            SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
         SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
         ctx = SSL.Context(SSL.SSLv23_METHOD)
-        ctx.use_privatekey_file(key_file)
+        ctx.use_privatekey_file(key_file)        
         ctx.use_certificate_file(cert_file)
+        # If you wanted to verify certs against known CAs.. this is how you would do it
+        #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
+        ctx.set_verify_depth(5)
         ctx.set_app_data(self)
         self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
                                                         self.socket_type))