+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+ (self.get_printable_subject(),
+ self.parent.get_printable_subject(),
+ self.get_issuer()))
+ raise CertNotSignedByParent("%s: Parent %s, issuer %s"\
+ % (self.get_printable_subject(),
+ self.parent.get_printable_subject(),
+ self.get_issuer()))
+
+ # Confirm that the parent is a CA. Only CAs can be trusted as
+ # signers.
+ # Note that trusted roots are not parents, so don't need to be
+ # CAs.
+ # Ugly - cert objects aren't parsed so we need to read the
+ # extension and hope there are no other basicConstraints
+ if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'):
+ logger.warn("verify_chain: cert %s's parent %s is not a CA" % \
+ (self.get_printable_subject(), self.parent.get_printable_subject()))
+ raise CertNotSignedByParent("%s: Parent %s not a CA" % (self.get_printable_subject(),
+ self.parent.get_printable_subject()))