from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent
from sfa.util.sfalogging import logger
+# this tends to generate quite some logs for little or no value
+debug_verify_chain = False
+
glo_passphrase_callback = None
##
-# A global callback msy be implemented for requesting passphrases from the
+# A global callback may be implemented for requesting passphrases from the
# user. The function will be called with three arguments:
#
# keypair_obj: the keypair object that is calling the passphrase
# we can only convert rsa keys
if "ssh-dss" in key:
- raise Exception, "keyconvert: dss keys are not supported"
+ raise Exception, "keyconvert: dss keys are not supported"
(ssh_f, ssh_fn) = tempfile.mkstemp()
ssl_fn = tempfile.mktemp()
# that it can be expected to see why it failed.
# TODO: for production, cleanup the temporary files
if not os.path.exists(ssl_fn):
- raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."
+ raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."
k = Keypair()
try:
if os.path.exists(ssl_fn):
os.remove(ssl_fn)
-
##
# Public-private key pairs are implemented by the Keypair class.
# A Keypair object may represent both a public and private key pair, or it
# verify expiration time
if self.cert.has_expired():
- logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
raise CertExpired(self.get_printable_subject(), "client cert")
# if this cert is signed by a trusted_cert, then we are set
if self.is_signed_by_cert(trusted_cert):
# verify expiration of trusted_cert ?
if not trusted_cert.cert.has_expired():
- logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
self.get_printable_subject(), trusted_cert.get_printable_subject()))
return trusted_cert
else:
- logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
self.get_printable_subject(),trusted_cert.get_printable_subject()))
raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject())
# if there is no parent, then no way to verify the chain
if not self.parent:
- logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
- raise CertMissingParent(self.get_printable_subject() + ": Issuer %s not trusted by any of %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs)))
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%\
+ (self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
+ raise CertMissingParent(self.get_printable_subject() + \
+ ": Issuer %s is not one of the %d trusted roots, and cert has no parent." %\
+ (self.get_issuer(), len(trusted_certs)))
# if it wasn't signed by the parent...
if not self.is_signed_by_cert(self.parent):
- logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
(self.get_printable_subject(),
self.parent.get_printable_subject(),
self.get_issuer()))
self.parent.get_printable_subject()))
# if the parent isn't verified...
- logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
(self.get_printable_subject(),self.parent.get_printable_subject()))
self.parent.verify_chain(trusted_certs)