asn1_utils

This module contains utilities for parsing extensions in general, but mostly the VOMS extensions. It has been done based on the reading of the VOMS standard (https://www.ogf.org/documents/GFD.182.pdf) and on the RFC 5755 (http://www.ietf.org/rfc/rfc5755.txt)

This module relies on definition of the RFC 3281, which is the predecessor of 5755, but it still seems to work for what we are interested in.

To summarize, the attributes we are interested in are called CertificateAttributes, and are stored in proxy extensions. The VOMS extension in a proxy is a Sequence of Sequence (??) of CertificateAttribute. One Sequence is due to the fact that you can embed more than one VO CertificateAttribute in one proxy. The other one was acknowledge as a an error in the formal description (an Errata will come)

This is now pure python, but it might be interesting to wrap the existing C library (https://github.com/italiangrid/voms) instead…

DIRAC.Core.Security.m2crypto.asn1_utils.decodeDIRACGroup(m2cert)

Decode the content of the dirac group extension

Parameters:m2cert – M2crypto x509 object, a certificate
Returns:the dirac group
Raises:same as retrieveExtension
DIRAC.Core.Security.m2crypto.asn1_utils.decodeVOMSExtension(m2cert)

Decode the content of the VOMS extension

Parameters:m2cert – M2Crypto X509 object, a certificate
Returns:A dictionnary containing the following fields:
  • notBefore: datetime.datetime
  • notAfter: datetime.datetime
  • attribute: (string). Comma separated list of VOMS tags presented as bellow
    ”<tagName> = <tagValue> (<tagQualifier>)” Typically, the nickname will look like ‘nickname = chaen (lhcb)’,
  • fqan: List of VOMS “position” ([‘/lhcb/Role=production/Capability=NULL’, ‘/lhcb/Role=NULL/Capability=NULL’])
  • vo: name of the VO,
  • subject: subject DN to which the attributes were granted,
  • issuer: typically the DN of the VOMS server (e.g ‘/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch’)
DIRAC.Core.Security.m2crypto.asn1_utils.hasVOMSExtension(m2cert)

Utility fonction to check if the certificate has VOMS extensions

Parameters:m2cert – M2Crypto X509 object, a certificate
Returns:boolean
DIRAC.Core.Security.m2crypto.asn1_utils.retrieveExtension(m2Cert, extensionOID)

Retrieves the extension from a certificate from its OID

Parameters:
  • m2Cert – M2Crypto X509 object, a certificate
  • extensionOID – the OID we are looking for
Returns:

an ~pyasn1.type.univ.OctetString object, which is the content of the extension (it still needs to be deserialized, depending on the extension !)

Raises:

LookupError if it does not have the extension