+ if self.parent and dump_parents:
+ print " "*indent, "parent:"
+ self.parent.dump(indent+4)
+
+ ##
+ # Verify the chain of authenticity of the GID. First perform the checks
+ # of the certificate class (verifying that each parent signs the child,
+ # etc). In addition, GIDs also confirm that the parent's HRN is a prefix
+ # of the child's HRN.
+ #
+ # Verifying these prefixes prevents a rogue authority from signing a GID
+ # for a principal that is not a member of that authority. For example,
+ # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo.
+
+ def verify_chain(self, trusted_certs = None):
+ # do the normal certificate verification stuff
+ Certificate.verify_chain(self, trusted_certs)
+
+ if self.parent:
+ # make sure the parent's hrn is a prefix of the child's hrn
+ if not self.get_hrn().startswith(self.parent.get_hrn()):
+ raise GidParentHrn(self.parent.get_subject())
+
+ return
+