- if not self.get_hrn().startswith(self.parent.get_hrn()):
- raise GidParentHrn("This cert HRN %s doesnt start with parent HRN %s" % (self.get_hrn(), self.parent.get_hrn()))
+ if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()):
+ raise GidParentHrn(
+ "This cert HRN {} isn't in the namespace for parent HRN {}"
+ .format(self.get_hrn(), self.parent.get_hrn()))
+
+ # Parent must also be an authority (of some type) to sign a GID
+ # There are multiple types of authority - accept them all here
+ if not self.parent.get_type().find('authority') == 0:
+ raise GidInvalidParentHrn(
+ "This cert {}'s parent {} is not an authority (is a %{})"
+ .format(self.get_hrn(), self.parent.get_hrn(), self.parent.get_type()))
+
+ # Then recurse up the chain - ensure the parent is a trusted
+ # root or is in the namespace of a trusted root
+ self.parent.verify_chain(trusted_certs)
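Review bot: The authority check `self.parent.get_type().find('authority') == 0` would raise AttributeError instead of a GID exception if get_type() can return None (the getter is not visible here, so this is inferred), turning a parent certificate with no type into a crash rather than a clean verification failure. Writing it as `if not (self.parent.get_type() or '').startswith('authority'):` keeps the intent of accepting every authority type and fails closed with GidInvalidParentHrn. The message on the `"This cert {}'s parent {} is not an authority (is a %{})"` line also carries a stray `%` left over from the old %-formatting; it should read `(is a {})`. The enclosing method starts outside this hunk, so it is worth confirming that callers which handle GidParentHrn as a chain-verification failure also handle the new GidInvalidParentHrn.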