- sfa_logger().debug("verify_chain: NO %s is not signed by parent"%self.get_subject())
- return CertNotSignedByParent(self.get_subject())
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+ (self.pretty_cert(),
+ self.parent.pretty_cert(),
+ self.get_issuer()))
+ raise CertNotSignedByParent("%s: Parent %s, issuer %s"\
+ % (self.pretty_cert(),
+ self.parent.pretty_cert(),
+ self.get_issuer()))
+
+ # Confirm that the parent is a CA. Only CAs can be trusted as
+ # signers.
+ # Note that trusted roots are not parents, so don't need to be
+ # CAs.
+ # Ugly - cert objects aren't parsed so we need to read the
+ # extension and hope there are no other basicConstraints
+ if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'):
+ logger.warn("verify_chain: cert %s's parent %s is not a CA" % \
+ (self.pretty_cert(), self.parent.pretty_cert()))
+ raise CertNotSignedByParent("%s: Parent %s not a CA" % (self.pretty_cert(),
+ self.parent.pretty_cert()))
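Review bot: The new CA check on the `if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE')` line compares the extension text for exact equality, so when `isCA` is unset a parent whose basicConstraints also carries a `critical` flag or a `pathlen` value is rejected as a non-CA. That fails closed, but it will refuse valid chains, and nothing in these lines enforces a path-length limit, so an intermediate restricted to a given depth may still be accepted as signer of a longer chain; whether that is checked elsewhere in verify_chain is not visible, as the function starts and ends outside this hunk. Assuming `get_extension` returns the OpenSSL-style text form, I would match the token rather than the whole string: `bc = self.parent.get_extension('basicConstraints') or ''` followed by `if not self.parent.isCA and 'CA:TRUE' not in [p.strip() for p in bc.split(',')]:`. Raising `CertNotSignedByParent` for a parent that did sign but is not a CA also blurs two different failures for callers and log triage; a dedicated exception type, or at least a comment on the raise such as `# parent signed this cert but lacks CA rights`, would keep them distinguishable.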