+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. {} is not signed by parent {}, but by {}"
+ .format(self.pretty_cert(),
+ self.parent.pretty_cert(),
+ self.get_issuer()))
+ raise CertNotSignedByParent("{}: Parent {}, issuer {}"
+ .format(self.pretty_cert(),
+ self.parent.pretty_cert(),
+ self.get_issuer()))
+
+ # Confirm that the parent is a CA. Only CAs can be trusted as
+ # signers.
+ # Note that trusted roots are not parents, so don't need to be
+ # CAs.
+ # Ugly - cert objects aren't parsed so we need to read the
+ # extension and hope there are no other basicConstraints
+ if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'):
+ logger.warn("verify_chain: cert {}'s parent {} is not a CA"
+ .format(self.pretty_cert(), self.parent.pretty_cert()))
+ raise CertNotSignedByParent("{}: Parent {} not a CA"
+ .format(self.pretty_cert(), self.parent.pretty_cert()))