git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
merged namespace
[sfa.git] / sfa / trust / certificate.py
diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py
index a76b22d..64ac865 100644 (file)
--- a/sfa/trust/certificate.py
+++ b/sfa/trust/certificate.py
@@ -42,16 +42,18 @@ import os
 import tempfile
 import base64
 import traceback
+from tempfile import mkstemp
+
 from OpenSSL import crypto
 import M2Crypto
 from M2Crypto import X509
-from tempfile import mkstemp
-from sfa.util.sfalogging import logger
+
+from sfa.util.sfalogging import sfa_logger
 from sfa.util.namespace import urn_to_hrn
 from sfa.util.faults import *
 
 def convert_public_key(key):
-    keyconvert_path = "/usr/bin/keyconvert"
+    keyconvert_path = "/usr/bin/keyconvert.py"
     if not os.path.isfile(keyconvert_path):
         raise IOError, "Could not find keyconvert in %s" % keyconvert_path
 
@@ -77,7 +79,7 @@ def convert_public_key(key):
     try:
         k.load_pubkey_from_file(ssl_fn)
     except:
-        traceback.print_exc()
+        sfa_logger.log_exc("convert_public_key caught exception")
         k = None
 
     # remove the temporary files
@@ -575,27 +577,29 @@ class Certificate:
         # Verify a chain of certificates. Each certificate must be signed by
         # the public key contained in it's parent. The chain is recursed
         # until a certificate is found that is signed by a trusted root.
-        # TODO: verify expiration time
-        #print "====Verify Chain====="
+
+        # verify expiration time
+        if self.cert.has_expired():
+            raise CertExpired(self.get_subject(), "client cert")   
+        
         # if this cert is signed by a trusted_cert, then we are set
         for trusted_cert in trusted_certs:
-            #print "***************"
-            # TODO: verify expiration of trusted_cert ?
-            #print "CLIENT CERT", self.dump()
-            #print "TRUSTED CERT", trusted_cert.dump()
-            #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
             if self.is_signed_by_cert(trusted_cert):
-                logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
-                return trusted_cert
+                sfa_logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
+                # verify expiration of trusted_cert ?
+                if not trusted_cert.cert.has_expired():
+                    return trusted_cert
+                else:
+                    sfa_logger.debug("Trusted cert %s is expired", trusted_cert.get_subject())       
 
         # if there is no parent, then no way to verify the chain
         if not self.parent:
-            #print self.get_subject(), "has no parent"
+            sfa_logger.debug("%r has no parent"%self.get_subject())
             raise CertMissingParent(self.get_subject())
 
         # if it wasn't signed by the parent...
         if not self.is_signed_by_cert(self.parent):
-            #print self.get_subject(), "is not signed by parent"
+            sfa_logger.debug("%r is not signed by parent"%self.get_subject())
             return CertNotSignedByParent(self.get_subject())
 
         # if the parent isn't verified...
sfa