Home | Trees | Index | Help |
|
---|
Package AccessGrid :: Package Security :: Module CertificateManager :: Class CertificateManager |
|
object
--+
|
CertificateManager
A CertificateManager manages the certificates for a user. It uses a CertificateRepository instance to maintain the certificates. The repository keeps its certificates in a single large pool; however, it provides a mechanism by which the user of the repository can tag certificates with metadata. The certificate manager uses this tagging mechanism to distinguish between a user's identity certificates and the user's set of trusted CA certificates. We accomplish this by defining a metadata tag for each certificate imported: AG.CertificateManager.certType is the key; the value is "identity" or "trustedCA". The user's default identity is marked in the repository as well with the metadat AG.CertificateManager.isDefaultIdentity, values 0/1. This default is then returned by the call repo.FindCertificatesWithMetadata("AG.CertificateManager.isDefaultIdentity", "1") The repo doesn't ensure that multiple certs get set to default; that is up to this code. This certificate manager will not use the system trusted CA directory directly; it maintains a local cache of trusted CA certs in the repository. Since OpenSSL and the Globus library expect these certificates to have a particular file layout, the certificate manager will regenerate this cache from the certificates in teh repository each time the set of trusted CA certificates in the repo changes. This set of certificates can be determined by the call repo.FindCertificatesWithMetadata("AG.CertificateManager.certType", "trustedCA") Globus proxies are also stored in the repository's space. Since they do not have unique serial numbers, they are stored in filespace provided for users with each certificate: certDesc = defaultCert proxyPath = certDesc.GetFilePath("globus_proxy") CreateGlobusProxy(certDesc.GetCertPath(), certDesc.GetKeyPath(), proxyPath) Initialization -------------- We will assume that if the repository is not already present that we've not run this app before and must therefore initialize the repository. It may be the case that the user has run an earlier version of the AG software and therefore has an AG2.0-style certificate repository already in place. We will ignore this, and initialize directly from globus state. It is not likely at this stage of the game that users already have a lot of new state built up in that repository. Runtime configuration --------------------- When an app starts up, we will need to do the following things to initialize the user's environment to work properly with the Globus toolkit: Set up the user's environment to point at the appropriate local settings by modifying os.environ. Determine if a valid proxy is in place. If not, call grid-proxy-init to create one. We also support a mechanism for determining if the existing proxy will expire soon, and provide a way to as the user for a renewal of it. Instance variables ------------------ userInterface Reference to the UI object responsbile for manipulations on this manager. userProfileDir Location of the per-user profile directory for the user of this manager. repoPath Location of the certificate repository used by this mgr.
Method Summary | |
---|---|
CertificateManager constructor. | |
Perform a sanity check on the security execution environment | |
Check the server to see if the given request has been granted. | |
Check a certificate for validity. | |
CreateProxy(self)
| |
Create a globus proxy. | |
GetCACerts(self)
| |
Return the certification path for cert. | |
GetCertificateRepository(self)
| |
GetDefaultIdentity(self)
| |
GetDefaultIdentityCerts(self)
| |
GetGlobusConfig(self)
| |
Perform some exhaustive checks to see if there is a valid globus proxy in place. | |
GetIdentityCerts(self)
| |
Return a list of the certificate requests in the repository for which we don't have a certificate, and for which the metadata AG.CertificateManager.requestToken is set. | |
GetProxyPath(self)
| |
GetUserInterface(self)
| |
Return true if there is a valid proxy for the current identity. | |
ImportCACertificatePEM(self,
repo,
cert)
| |
ImportIdentityCertificatePEM(self,
repo,
userCert,
userKey,
passphraseCB)
| |
ImportIdentityCertificateX509(self,
repo,
certObj,
pkeyObj,
passphraseCB)
| |
ImportRequestedCertificate(self,
userCert)
| |
Configure the process environment to correspond to the chosen configuration. | |
InitEnvironmentStandard(self)
| |
Set up the cert mgr to run with the specified cert and file. | |
Set up the cert mgr to run with the specified DN as the default for this instance. | |
Initiailize the cert repository as we don't already have one. | |
Initialize the given repository from the Globus cert state. | |
IsDefaultIdentityCert(self,
c)
| |
IsIdentityCert(self,
c)
| |
Make the identity represented by certDesc the default identity. | |
Set the default identity to use for this instance of the certificate manager. | |
Verify that we have CA certificates for the issuing chain of this cert. | |
Inherited from object | |
x.__delattr__('name') <==> del x.name | |
x.__getattribute__('name') <==> x.name | |
x.__hash__() <==> hash(x) | |
T.__new__(S, ...) -> a new object with type S, a subtype of T | |
helper for pickle | |
helper for pickle | |
x.__repr__() <==> repr(x) | |
x.__setattr__('name', value) <==> x.name = value | |
x.__str__() <==> str(x) |
Class Variable Summary | |
---|---|
list |
__slots__ = ['userInterface', 'userProfileDir', 'certRep...
|
member_descriptor |
caDir = <member 'caDir' of 'CertificateManager' objects>
|
member_descriptor |
certRepo = <member 'certRepo' of 'CertificateManager' ob...
|
member_descriptor |
certRepoPath = <member 'certRepoPath' of 'CertificateMan...
|
member_descriptor |
defaultIdentity = <member 'defaultIdentity' of 'Certific...
|
member_descriptor |
globusConfig = <member 'globusConfig' of 'CertificateMan...
|
member_descriptor |
issuedGlobusWarning = <member 'issuedGlobusWarning' of '...
|
member_descriptor |
proxyPath = <member 'proxyPath' of 'CertificateManager' ...
|
member_descriptor |
useCertFile = <member 'useCertFile' of 'CertificateManag...
|
member_descriptor |
useDefaultDN = <member 'useDefaultDN' of 'CertificateMan...
|
member_descriptor |
useKeyFile = <member 'useKeyFile' of 'CertificateManager...
|
member_descriptor |
userInterface = <member 'userInterface' of 'CertificateM...
|
member_descriptor |
userProfileDir = <member 'userProfileDir' of 'Certificat...
|
Method Details |
---|
__init__(self,
userProfileDir,
userInterface)
|
CheckConfiguration(self)Perform a sanity check on the security execution environment |
CheckRequestedCertificate(self, req, token, server, proxyHost=None, proxyPort=None)Check the server to see if the given request has been granted. Return a tuple of (success, msg). If successful, success=1 and msg is the granted certificate. If not successful, success=0 and msg is an error message. |
CheckValidity(self, cert)Check a certificate for validity. Return "Expired", "OK", "Not yet valid", "Invalid CA Chain", "Missing private key" |
CreateProxyCertificate(self, passphrase, bits, hours)Create a globus proxy. |
GetCertificatePath(self, cert)Return the certification path for cert. |
GetGlobusProxyCert(self)Perform some exhaustive checks to see if there is a valid globus proxy in place. This is similar to _VerifyGlobusProxy() above, but does not do validity checking. It is here for the purposes of returning the proxy info to the user (for the cert mgr interface), expired or not. |
GetPendingRequests(self)Return a list of the certificate requests in the repository for which we don't have a certificate, and for which the metadata AG.CertificateManager.requestToken is set. Return is actually a list of tuples (certReqDescriptor, requestToken, serverURL, creationDate) |
HaveValidProxy(self)Return true if there is a valid proxy for the current identity. |
InitEnvironment(self)Configure the process environment to correspond to the chosen configuration. This method does not attempt to remedy any problems in the configuration; rather, if the situation is not to its liking, it raises an exception telling the caller what the problem is. It is safe to reinvoke this method as needed. If self.useDefaultDN is set, use the given DN to be the default for this instance of the class. If self.useCertFile is set, use that certificate as the default. Otherwise, If there are no identity certificates present, raise the NoCertificates exception. If there is exactly one identity certificate, mark it as the default certificate. If there are more than one identity certificates and none is marked default, or more than one is marked default, raise the NoDefaultIdentity exception. Examine the default identity certificate. If it has an encrypted private key, check for the existence of a Globus proxy for the cert. If one does not exist, raise the ProxyExpired exception. Otherwise, set the following environment variables: X509_USER_PROXY: user proxy cert X509_CERT_DIR: location of trusted CA certificates If the default identity certificate has an unencrypted private key, we can use it directly. Set the following environment variables: X509_USER_CERT: user's certificate X509_USER_KEY: user's private key X509_RUN_AS_SERVER: set to override any lingering proxy cert setting This method sets self.defaultIdentity as a side effect. It should be viewed as the current appropriate mechanism for setting defaultIdentity. |
InitEnvironmentWithCert(self, certFile, keyFile)Set up the cert mgr to run with the specified cert and file. Do not modify the default identity keys in the repository. |
InitEnvironmentWithDN(self, dn)Set up the cert mgr to run with the specified DN as the default for this instance. Do not modify the default identity keys in the repository. |
InitializeRepository(self)Initiailize the cert repository as we don't already have one. We need to first create a new repository (by passing create=1 to the constructor). Then we need to grope about in the system for the location of any existing certificates, both user identity and trusted CA. |
InitRepoFromGlobus(self, repo)Initialize the given repository from the Globus cert state. If we cannot find an identity certificate, do a callback on the user interface when we're done with the rest of the initialization so that the user has an opportunity to request a certificate. If we cannot find any globus state, callback to the user interface for that as well. That's a harder problem to solve, but it's not up to us down here. |
SetDefaultIdentity(self, certDesc)Make the identity represented by certDesc the default identity. This only affects the cert repository; a followup call to InitEnvironment is necessary to effect the change in the environment.
|
SetTemporaryDefaultIdentity(self, useDefaultDN=None, useCertFile=None, useKeyFile=None)Set the default identity to use for this instance of the certificate manager. |
VerifyCertificatePath(self, cert)Verify that we have CA certificates for the issuing chain of this cert. |
Class Variable Details |
---|
__slots__
|
caDir
|
certRepo
|
certRepoPath
|
defaultIdentity
|
globusConfig
|
issuedGlobusWarning
|
proxyPath
|
useCertFile
|
useDefaultDN
|
useKeyFile
|
userInterface
|
userProfileDir
|
Home | Trees | Index | Help |
|
---|
Generated by Epydoc 2.1 on Thu Apr 14 16:39:28 2005 | http://epydoc.sf.net |