from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent
from sfa.util.sfalogging import logger
+# this tends to generate quite some logs for little or no value
+debug_verify_chain = False
+
glo_passphrase_callback = None
##
-# A global callback msy be implemented for requesting passphrases from the
+# A global callback may be implemented for requesting passphrases from the
# user. The function will be called with three arguments:
#
# keypair_obj: the keypair object that is calling the passphrase
# we can only convert rsa keys
if "ssh-dss" in key:
- raise Exception, "keyconvert: dss keys are not supported"
+ raise Exception, "keyconvert: dss keys are not supported"
(ssh_f, ssh_fn) = tempfile.mkstemp()
ssl_fn = tempfile.mktemp()
# that it can be expected to see why it failed.
# TODO: for production, cleanup the temporary files
if not os.path.exists(ssl_fn):
- raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."
+ raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."
k = Keypair()
try:
if os.path.exists(ssl_fn):
os.remove(ssl_fn)
-
##
# Public-private key pairs are implemented by the Keypair class.
# A Keypair object may represent both a public and private key pair, or it
# verify expiration time
if self.cert.has_expired():
- logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
raise CertExpired(self.get_printable_subject(), "client cert")
# if this cert is signed by a trusted_cert, then we are set
if self.is_signed_by_cert(trusted_cert):
# verify expiration of trusted_cert ?
if not trusted_cert.cert.has_expired():
- logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
self.get_printable_subject(), trusted_cert.get_printable_subject()))
return trusted_cert
else:
- logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
self.get_printable_subject(),trusted_cert.get_printable_subject()))
raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject())
# if there is no parent, then no way to verify the chain
if not self.parent:
- logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
- raise CertMissingParent(self.get_printable_subject() + ": Issuer %s not trusted by any of %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs)))
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%\
+ (self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
+ raise CertMissingParent(self.get_printable_subject() + \
+ ": Issuer %s is not one of the %d trusted roots, and cert has no parent." %\
+ (self.get_issuer(), len(trusted_certs)))
# if it wasn't signed by the parent...
if not self.is_signed_by_cert(self.parent):
- logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
(self.get_printable_subject(),
self.parent.get_printable_subject(),
self.get_issuer()))
self.parent.get_printable_subject()))
# if the parent isn't verified...
- logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
(self.get_printable_subject(),self.parent.get_printable_subject()))
self.parent.verify_chain(trusted_certs)
### more introspection
def get_extensions(self):
# pyOpenSSL does not have a way to get extensions
- triples=[]
+ triples = []
m2x509 = X509.load_cert_string(self.save_to_string())
- nb_extensions=m2x509.get_ext_count()
+ nb_extensions = m2x509.get_ext_count()
logger.debug("X509 had %d extensions"%nb_extensions)
for i in range(nb_extensions):
ext=m2x509.get_ext_at(i)
return self.data.keys()
def get_all_datas (self):
- triples=self.get_extensions()
+ triples = self.get_extensions()
for name in self.get_data_names():
triples.append( (name,self.get_data(name),'data',) )
return triples
filename=self.get_filename()
if filename: result += "Filename %s\n"%filename
if show_extensions:
- all_datas=self.get_all_datas()
+ all_datas = self.get_all_datas()
result += " has %d extensions/data attached"%len(all_datas)
- for (n,v,c) in all_datas:
+ for (n, v, c) in all_datas:
if c=='data':
result += " data: %s=%s\n"%(n,v)
else: