a = AES.new(session_key) plaintext = a.decrypt(unhexlify(slcsResp)) # remove AES padding n = ord(plaintext[-1]) # last byte contains number of padding bytes if n > AES.block_size or n > len(plaintext): raise Exception('invalid padding') print plaintext try: certificate = slcs_handler(StringIO(plaintext[:-n])) print "cert = " + str(certificate) except SLCSException, e: # TODO add error handling print "Exception: " + str(e) pass #return template(simple_page,title='Error - %s' % e.expression, body='<h1>%s</h1><pre>%s</pre>' % (e.expression, e.message)) username = certificate.get_dn() passphrase = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(8)) # Create a passphrase of length = 8 data = get_base_data(context, request) data['username'] = username data['passphrase'] = passphrase c = MyProxyClient(hostname='myproxy2.arcs.org.au', port= 7512, serverDN='/C=AU/O=APACGrid/OU=VPAC/CN=myproxy2.arcs.org.au') c.put(username, passphrase, certificate, certificate.get_key()._key, lambda *a: '', retrievers='*') print "MYPROXY Username = "******"MYPROXY Passphrase = " + passphrase print "URL = " + originURL return data
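def process_slcs_token(context, request):
    """
    Create a SLCS certificate from a Shibboleth auth_token and upload it to MyProxy.

    A certificate request for the supplied DN and extensions is signed locally,
    posted to the SLCS server named by 'reqURL', and the certificate returned
    (together with its private key) is written to cert.pem / cert.key and
    uploaded to the MyProxy server configured in this function.

    @param context: Request context; not read by this view.
    @param request: Data submitted via https POST.
    @requires request: 6 parameters
        'auth_token'         Shibboleth authentication token as text
        'dn'                 DN string of request
        'reqURL'             URL of SLCS server
        'myproxy_username'   Desired MyProxy username
        'myproxy_passphrase' Desired MyProxy passphrase
        'elements'           Any extensions to be applied to the certificate
                             NOTE: Must be in the form of:
                             [{'name' : <String>, 'critical' : 0=true 1=false, 'value' : <String>}, ..., ...]
    @return: Response whose body is the certificate's not_before and not_after
             times on two lines, or "Incorrect parameters" when a field is
             missing or 'elements' is not a well-formed list literal.
    @raise SLCSException: when the SLCS server answers with Status 'Error'.

    An example request is below...
    dn: DC=slcs,DC=bestgrid,DC=org,DC=nz,O=Organisation Name,CN=Contact Name
    rDJ6f5h1bqDAQ-tKnQx68LWsOjk
    elements: [{'critical': False, 'name': 'ExtendedKeyUsage', 'value': 'ClientAuth'},
               {'critical': True, 'name': 'KeyUsage', 'value': 'DigitalSignature,KeyEncipherment'},
               {'critical': False, 'name': 'CertificatePolicies', 'value': '1.3.6.1.4.1.31863.1.0.1'},
               {'critical': False, 'name': 'SubjectAltName', 'value': 'email:[email protected]'}]
    auth_token: 4F24CEA27F23A47927D92CA89D7F9756E89689A8968CDBB907A8611FB232A768
    myproxy_username: testuser
    myproxy_passphrase: pa55w0rd
    reqURL: https://slcs1.arcs.org.au:443/SLCS/certificate
    """
    import ast

    post_data = request.POST
    required = ("auth_token", "dn", "reqURL", "elements",
                "myproxy_username", "myproxy_passphrase")
    if not all(name in post_data for name in required):
        return Response("Incorrect parameters")

    # 'elements' arrives as a Python literal (see the example above).  The
    # original eval() executed arbitrary code supplied by the client;
    # literal_eval accepts the same list/dict/str/bool syntax and nothing else.
    try:
        elements = ast.literal_eval(post_data['elements'])
    except (ValueError, SyntaxError):
        return Response("Incorrect parameters")
    if not isinstance(elements, (list, tuple)):
        return Response("Incorrect parameters")

    certreq = CertificateRequest(dn=str(post_data['dn']), extensions=elements)
    certreq.sign()
    # The auth_token is a bearer credential, so it is deliberately not printed.
    print("CertSigningRequest:\n" + repr(certreq))

    dom = _fetch_slcs_response(str(post_data['reqURL']),
                               str(post_data['auth_token']), certreq)
    cert_nodes = dom.getElementsByTagName("Certificate")[0].childNodes
    cert_text = ''.join(node.data for node in cert_nodes)
    certificate = Certificate(str(cert_text), certreq.get_key())
    _write_credential_files(certificate)

    username = str(post_data['myproxy_username'])
    passphrase = str(post_data['myproxy_passphrase'])
    # Upload to MyProxy.  The passphrase callback always answers '' (presumably
    # the key object carries no passphrase) and retrievers='*' is the original
    # retrieval policy -- NOTE(review): confirm both are intended.
    c = MyProxyClient(hostname='myproxy2.arcs.org.au', port=7512,
                      serverDN='/C=AU/O=APACGrid/OU=VPAC/CN=myproxy2.arcs.org.au')
    c.put(username, passphrase, certificate, certificate.get_key()._key,
          lambda *a: '', retrievers='*')

    not_before, not_after = certificate.get_times()
    return Response(str(not_before) + "\n" + str(not_after))


def _fetch_slcs_response(req_url, auth_token, certreq):
    """Post the signed CSR to the SLCS server and return the parsed XML reply.

    @raise SLCSException: when the reply's Status element is 'Error'; the
        server's Error and StackTrace text are printed before raising.
    """
    data = urlencode({'AuthorizationToken': auth_token,
                      'CertificateSigningRequest': repr(certreq)})
    # NOTE(review): req_url comes straight from the client request, so the
    # token is posted to whichever host the caller names; restrict it to the
    # known SLCS server(s) if callers are not fully trusted.
    resp = urllib2.urlopen(req_url, data)
    try:
        dom = xml.dom.minidom.parse(resp)
    finally:
        resp.close()

    status = dom.getElementsByTagName("Status")[0].childNodes[0].data
    if status == 'Error':
        error = dom.getElementsByTagName("Error")[0].childNodes[0].data
        stack = dom.getElementsByTagName("StackTrace")[0].childNodes[0].data
        print(stack)
        print(error)
        # Previously execution fell through to the Certificate lookup and
        # died with an IndexError; surface the server's error instead.
        raise SLCSException(error, stack)
    return dom


def _write_credential_files(certificate):
    """Write the certificate to cert.pem and its private key to cert.key (owner-only)."""
    import os
    import stat

    # NOTE(review): fixed relative paths, so concurrent requests overwrite each
    # other's files; confirm whether these copies are needed at all.
    cert_file = open('cert.pem', 'w')
    try:
        cert_file.write(repr(certificate))
    finally:
        cert_file.close()

    # The private key must not be readable by other users on the host, so it
    # is created with mode 0600 instead of relying on the process umask.
    fd = os.open('cert.key', os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    key_file = os.fdopen(fd, 'w')
    try:
        key_file.write(str(certificate.get_key()))
    finally:
        key_file.close()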