- test_gid = GID(string=trusted_root.save_to_string())
-
- test_type = test_gid.get_type()
- test_hrn = test_gid.get_hrn()
- if test_type == 'authority':
- # Could add a check for type == 'authority'
- test_hrn = test_hrn[:test_hrn.rindex('.')]
- cur_hrn = self.get_hrn()
- if not self.get_hrn().startswith(test_hrn):
- GidParentHrn(test_hrn + " " + self.get_hrn())
-
- return
-
-
-
-
-
+ # make sure that the trusted root's hrn is a prefix of the child's
+ trusted_gid = GID(string=trusted_root.save_to_string())
+ trusted_type = trusted_gid.get_type()
+ trusted_hrn = trusted_gid.get_hrn()
+ # if trusted_type == 'authority':
+ # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')]
+ cur_hrn = self.get_hrn()
+ if not hrn_authfor_hrn(trusted_hrn, cur_hrn):
+ raise GidParentHrn(
+ "Trusted root with HRN {} isn't a namespace authority for this cert: {}"
+ .format(trusted_hrn, cur_hrn))
+
+ # There are multiple types of authority - accept them all here
+ if not trusted_type.find('authority') == 0:
+ raise GidInvalidParentHrn(
+ "This cert {}'s trusted root signer {} is not an authority (is a {})"
+ .format(self.get_hrn(), trusted_hrn, trusted_type))