X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcertificate.py;h=4e9fa29c616438511408efb8aa1489758d098fa8;hb=acd13fb68264ecdc1996954f3f464537806f7380;hp=595812b502094498e5b3c616a773c010ad1c35f9;hpb=f7f57707d12dd626d4293dc1e34451fc23763052;p=sfa.git

diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py
index 595812b5..4e9fa29c 100644
--- a/sfa/trust/certificate.py
+++ b/sfa/trust/certificate.py
@@ -48,10 +48,13 @@ from M2Crypto import X509
 from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent
 from sfa.util.sfalogging import logger
 
+# this tends to generate quite some logs for little or no value
+debug_verify_chain = False
+
 glo_passphrase_callback = None
 
 ##
-# A global callback msy be implemented for requesting passphrases from the
+# A global callback may be implemented for requesting passphrases from the
 # user. The function will be called with three arguments:
 #
 #    keypair_obj: the keypair object that is calling the passphrase
@@ -89,7 +92,7 @@ def convert_public_key(key):
 
     # we can only convert rsa keys
     if "ssh-dss" in key:
-        raise Exception, "keyconvert: dss keys are not supported"  
+        raise Exception, "keyconvert: dss keys are not supported"
 
     (ssh_f, ssh_fn) = tempfile.mkstemp()
     ssl_fn = tempfile.mktemp()
@@ -103,7 +106,7 @@ def convert_public_key(key):
     # that it can be expected to see why it failed.
     # TODO: for production, cleanup the temporary files
     if not os.path.exists(ssl_fn):
-        raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed." 
+        raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."
 
     k = Keypair()
     try:
@@ -119,7 +122,6 @@ def convert_public_key(key):
         if os.path.exists(ssl_fn):
             os.remove(ssl_fn)
 
-
 ##
 # Public-private key pairs are implemented by the Keypair class.
 # A Keypair object may represent both a public and private key pair, or it
@@ -696,7 +698,8 @@ class Certificate:
 
         # verify expiration time
         if self.cert.has_expired():
-            logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
+            if debug_verify_chain:
+                logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
             raise CertExpired(self.get_printable_subject(), "client cert")
 
         # if this cert is signed by a trusted_cert, then we are set
@@ -704,22 +707,29 @@ class Certificate:
             if self.is_signed_by_cert(trusted_cert):
                 # verify expiration of trusted_cert ?
                 if not trusted_cert.cert.has_expired():
-                    logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
+                    if debug_verify_chain: 
+                        logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
                             self.get_printable_subject(), trusted_cert.get_printable_subject()))
                     return trusted_cert
                 else:
-                    logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
+                    if debug_verify_chain:
+                        logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
                             self.get_printable_subject(),trusted_cert.get_printable_subject()))
                     raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject())
 
         # if there is no parent, then no way to verify the chain
         if not self.parent:
-            logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
-            raise CertMissingParent(self.get_printable_subject() + ": Issuer %s not trusted by any of %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs)))
+            if debug_verify_chain:
+                logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%\
+                             (self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
+            raise CertMissingParent(self.get_printable_subject() + \
+                                    ": Issuer %s is not one of the %d trusted roots, and cert has no parent." %\
+                                    (self.get_issuer(), len(trusted_certs)))
 
         # if it wasn't signed by the parent...
         if not self.is_signed_by_cert(self.parent):
-            logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+            if debug_verify_chain:
+                logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
                              (self.get_printable_subject(), 
                               self.parent.get_printable_subject(), 
                               self.get_issuer()))
@@ -741,7 +751,8 @@ class Certificate:
                                                                     self.parent.get_printable_subject()))
 
         # if the parent isn't verified...
-        logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
+        if debug_verify_chain:
+            logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
                          (self.get_printable_subject(),self.parent.get_printable_subject()))
         self.parent.verify_chain(trusted_certs)