asn1_utils
This module contains utilities for parsing X.509 extensions in general, but mostly the VOMS extension. It was written from a reading of the VOMS standard (https://www.ogf.org/documents/GFD.182.pdf) and of RFC 5755 (http://www.ietf.org/rfc/rfc5755.txt).
The module relies on the ASN.1 definitions of RFC 3281, the predecessor of RFC 5755, but these still work for what we are interested in.
To summarize, the objects we are interested in are Attribute Certificates (ACs), and they are stored in proxy extensions. The VOMS extension in a proxy is a SEQUENCE OF SEQUENCE OF AttributeCertificate. One SEQUENCE is there because you can embed the ACs of more than one VO in a single proxy. The other one was acknowledged as an error in the formal description (an erratum is to come).
The module is now pure Python, but it might be interesting to wrap the existing C library (https://github.com/italiangrid/voms) instead.
- DIRAC.Core.Security.m2crypto.asn1_utils.decodeDIRACGroup(m2cert)
Decode the content of the DIRAC group extension
- Parameters:
m2cert – M2crypto x509 object, a certificate
- Returns:
the DIRAC group
- Raises:
the same as retrieveExtension (LookupError if the certificate has no DIRAC group extension)
- DIRAC.Core.Security.m2crypto.asn1_utils.decodeVOMSExtension(m2cert)
Decode the content of the VOMS extension
- Parameters:
m2cert – M2Crypto X509 object, a certificate
- Returns:
A dictionary containing the following fields:
notBefore: datetime.datetime, start of the attribute certificate's validity
notAfter: datetime.datetime, end of the attribute certificate's validity
attribute: string. Comma-separated list of VOMS tags, each presented as "<tagName> = <tagValue> (<tagQualifier>)". Typically the nickname will look like 'nickname = chaen (lhcb)'
fqan: list of VOMS "positions" (Fully Qualified Attribute Names), e.g. ['/lhcb/Role=production/Capability=NULL', '/lhcb/Role=NULL/Capability=NULL']
vo: name of the VO
subject: subject DN to which the attributes were granted (the holder of the attribute certificate)
issuer: typically the DN of the VOMS server (e.g. '/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch')
- DIRAC.Core.Security.m2crypto.asn1_utils.hasVOMSExtension(m2cert)
Utility function to check whether the certificate has a VOMS extension
- Parameters:
m2cert – M2Crypto X509 object, a certificate
- Returns:
boolean
- DIRAC.Core.Security.m2crypto.asn1_utils.retrieveExtension(m2Cert, extensionOID)
Retrieves an extension from a certificate by its OID
- Parameters:
m2Cert – M2Crypto X509 object, a certificate
extensionOID – the OID we are looking for
- Returns:
a pyasn1.type.univ.OctetString object holding the raw content of the extension (it still needs to be deserialized against the ASN.1 schema of that particular extension, and should be treated as untrusted input until it has been)
- Raises:
LookupError if the certificate does not have the extension
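The following is an added example and is not code from DIRAC's asn1_utils. It illustrates two things from this page: the SEQUENCE OF SEQUENCE OF AttributeCertificate layout of the VOMS extension value that retrieveExtension returns as an OctetString (unwrapped here with a minimal DER walker), and the checks a relying party should apply to the dictionary decodeVOMSExtension returns (validity window, trusted issuer, holder DN, FQAN/VO consistency) plus the parsing of an FQAN. All function names (der_read_tlv, split_voms_acs, parse_fqan, check_voms_attributes), the placeholder AC bodies and the subject DN /C=XX/O=Example/CN=alice are constructed for illustration; the issuer DN is the one quoted above. The AC bodies are not real attribute certificates, and no AC signature is verified.

```python
# Added example, not DIRAC code: a minimal DER walker for the extension layout
# described above (SEQUENCE OF SEQUENCE OF AttributeCertificate), an FQAN parser,
# and relying-party checks on the dict decodeVOMSExtension() returns. All inputs
# are constructed placeholders; no AC signature is verified here.
import datetime

SEQUENCE_TAG = 0x30

def der_read_tlv(data, offset=0):
    """Read one DER TLV at offset -> (tag, value, offset_after). Long-form lengths
    are accepted only in minimal form; the indefinite form (0x80) is BER, not DER."""
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if nbytes == 0 or length < 0x80 or data[pos:pos + 1] == b"\x00":
            raise ValueError("indefinite or non-minimal length is not DER")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Return [(tag, value), ...] for the TLVs directly inside a constructed value."""
    children, offset = [], 0
    while offset < len(value):
        tag, child, offset = der_read_tlv(value, offset)
        children.append((tag, child))
    return children

def der_encode(tag, value):
    """Minimal DER TLV encoder, used to re-wrap ACs and to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def split_voms_acs(extension_value):
    """Unwrap both SEQUENCE layers and return each AttributeCertificate's DER bytes;
    each still has to be decoded against the RFC 3281/5755 schema."""
    tag, outer, end = der_read_tlv(extension_value)
    if tag != SEQUENCE_TAG or end != len(extension_value):
        raise ValueError("extension value is not exactly one outer SEQUENCE")
    acs = []
    for inner_tag, inner in der_children(outer):  # one inner SEQUENCE per VO
        if inner_tag != SEQUENCE_TAG:
            raise ValueError("expected an inner SEQUENCE OF AttributeCertificate")
        for ac_tag, ac in der_children(inner):
            if ac_tag != SEQUENCE_TAG:
                raise ValueError("AttributeCertificate must be a SEQUENCE")
            acs.append(der_encode(SEQUENCE_TAG, ac))
    return acs

def parse_fqan(fqan):
    """Split '/vo[/group...]/Role=<r>/Capability=<c>'. VOMS writes the literal 'NULL'
    for an unset role or capability; map it to None so it is never read as a granted role."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    groups, attrs = [], {"Role": None, "Capability": None}
    for part in fqan.split("/")[1:]:
        key, sep, val = part.partition("=")
        if sep and key in attrs:
            attrs[key] = None if val == "NULL" else val
        elif part:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN has no VO/group component")
    return {"vo": groups[0], "group": "/" + "/".join(groups),
            "role": attrs["Role"], "capability": attrs["Capability"]}

def check_voms_attributes(voms, holder_dn, trusted_issuers, now=None):
    """Reasons to reject the dict decodeVOMSExtension() returns ([] means passed). holder_dn
    is the proxy owner's end-entity DN, not the proxy's own DN. Complements, not replaces, signature checks."""
    now = now or datetime.datetime.utcnow()
    problems = []
    if not voms["notBefore"] <= now <= voms["notAfter"]:
        problems.append("AC is outside its validity window")
    if voms["issuer"] not in trusted_issuers:
        problems.append("issuer %r is not a trusted VOMS server" % voms["issuer"])
    if voms["subject"] != holder_dn:
        problems.append("AC holder does not match the proxy owner's DN")
    if not voms["fqan"] or parse_fqan(voms["fqan"][0])["vo"] != voms["vo"]:
        problems.append("primary FQAN does not belong to the declared VO")
    return problems

def build_sample_extension():
    """Constructed sample (not a real extension): two placeholder ACs, double-wrapped."""
    acs = [der_encode(SEQUENCE_TAG, der_encode(0x04, b"placeholder AC %d" % i)) for i in (1, 2)]
    return der_encode(SEQUENCE_TAG, der_encode(SEQUENCE_TAG, b"".join(acs)))

def sample_voms_dict():
    """Constructed stand-in for decodeVOMSExtension() output; the subject DN is made up."""
    return {"notBefore": datetime.datetime(2024, 1, 1, 0, 0), "notAfter": datetime.datetime(2024, 1, 1, 12, 0),
            "attribute": "nickname = chaen (lhcb)", "vo": "lhcb", "subject": "/C=XX/O=Example/CN=alice",
            "fqan": ["/lhcb/Role=production/Capability=NULL", "/lhcb/Role=NULL/Capability=NULL"],
            "issuer": "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch"}
```

split_voms_acs(build_sample_extension()) yields two DER blobs, one per placeholder AC, which is where a schema-based decoder (pyasn1 with the RFC 3281 definitions, as the module does) would take over. The DER walker rejects indefinite and non-minimal lengths on purpose: a lenient reader and a strict one can disagree on where a TLV ends, and such parser differences are a classic way to smuggle content past a check. check_voms_attributes deliberately compares the AC holder against the end-entity DN rather than the proxy's own DN, since proxies append extra CN components; the trusted-issuer list stands in for whatever the deployment uses to pin its VOMS servers.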