X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcertificate.py;h=fb515e5aa4435942a6dbba90f12a61e9ab590cb1;hb=5b37ec55340b8b9d9214618001eed4ea9f0254aa;hp=936352f7b96b17615ad354b19b531a395cf0782b;hpb=8c0bf91e46675c699393dc209794ade4733ef3da;p=sfa.git

diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py
index 936352f7..fb515e5a 100644
--- a/sfa/trust/certificate.py
+++ b/sfa/trust/certificate.py
@@ -64,7 +64,7 @@ from sfa.util.faults import (CertExpired, CertMissingParent,
 from sfa.util.sfalogging import logger
 
 # this tends to generate quite some logs for little or no value
-debug_verify_chain = False
+debug_verify_chain = True
 
 glo_passphrase_callback = None
 
@@ -182,7 +182,8 @@ class Keypair:
     # @param filename name of file to store the keypair in
 
     def save_to_file(self, filename):
-        open(filename, 'w').write(self.as_pem())
+        with open(filename, 'w') as output:
+            output.write(self.as_pem())
         self.filename = filename
 
     ##
@@ -410,7 +411,7 @@ class Certificate:
         # certs)
 
         if string is None or string.strip() == "":
-            logger.warn("Empty string in load_from_string")
+            logger.warning("Empty string in load_from_string")
             return
 
         string = string.strip()
@@ -441,7 +442,7 @@ class Certificate:
             OpenSSL.crypto.FILETYPE_PEM, parts[0])
 
         if self.x509 is None:
-            logger.warn(
+            logger.warning(
                 "Loaded from string but cert is None: {}".format(string))
 
         # if there are more certs, then create a parent and let the parent load
@@ -467,7 +468,7 @@ class Certificate:
 
     def save_to_string(self, save_parents=True):
         if self.x509 is None:
-            logger.warn("None cert in certificate.save_to_string")
+            logger.warning("None cert in certificate.save_to_string")
             return ""
         string = OpenSSL.crypto.dump_certificate(
             OpenSSL.crypto.FILETYPE_PEM, self.x509)
@@ -583,7 +584,6 @@ class Certificate:
         data = self.get_data(field='subjectAltName')
         if data:
             message += " SubjectAltName:"
-            counter = 0
             filtered = [self.filter_chunk(chunk) for chunk in data.split()]
             message += " ".join([f for f in filtered if f])
             omitted = len([f for f in filtered if not f])
@@ -694,7 +694,7 @@ class Certificate:
         # pyOpenSSL does not have a way to get extensions
         m2x509 = M2Crypto.X509.load_cert_string(certstr)
         if m2x509 is None:
-            logger.warn("No cert loaded in get_extension")
+            logger.warning("No cert loaded in get_extension")
             return None
         if m2x509.get_ext(name) is None:
             return None
@@ -714,7 +714,9 @@ class Certificate:
         if field in self.data:
             raise Exception("Cannot set {} more than once".format(field))
         self.data[field] = string
-        self.add_extension(field, 0, string)
+        # call str() because we've seen unicode there
+        # and the underlying C code doesn't like it
+        self.add_extension(field, 0, str(string))
 
     ##
     # Return the data string that was previously set with set_data
@@ -789,9 +791,11 @@ class Certificate:
     # @param cert certificate object
 
     def is_signed_by_cert(self, cert):
-        logger.debug("Certificate.is_signed_by_cert -> invoking verify")
-        k = cert.get_pubkey()
-        result = self.verify(k)
+        key = cert.get_pubkey()
+        logger.debug("Certificate.is_signed_by_cert -> verify on {}\n"
+                     "with pubkey {}"
+                     .format(self, key))
+        result = self.verify(key)
         return result
 
     ##
@@ -834,7 +838,6 @@ class Certificate:
         # the public key contained in it's parent. The chain is recursed
         # until a certificate is found that is signed by a trusted root.
 
-        logger.debug("Certificate.verify_chain {}".format(self.pretty_name()))
         # verify expiration time
         if self.x509.has_expired():
             if debug_verify_chain:
@@ -844,7 +847,8 @@ class Certificate:
 
         # if this cert is signed by a trusted_cert, then we are set
         for i, trusted_cert in enumerate(trusted_certs, 1):
-            logger.debug("Certificate.verify_chain - trying trusted #{} : {}"
+            logger.debug(5*'-' +
+                         " Certificate.verify_chain - trying trusted #{} : {}"
                          .format(i, trusted_cert.pretty_name()))
             if self.is_signed_by_cert(trusted_cert):
                 # verify expiration of trusted_cert ?
@@ -867,7 +871,7 @@ class Certificate:
                                               trusted_cert.pretty_name()))
             else:
                 logger.debug("verify_chain: not a direct"
-                             " descendant of a trusted root")
+                             " descendant of trusted root #{}".format(i))
 
         # if there is no parent, then no way to verify the chain
         if not self.parent:
@@ -903,8 +907,8 @@ class Certificate:
         # extension and hope there are no other basicConstraints
         if not self.parent.isCA and not (
                 self.parent.get_extension('basicConstraints') == 'CA:TRUE'):
-            logger.warn("verify_chain: cert {}'s parent {} is not a CA"
-                        .format(self.pretty_name(), self.parent.pretty_name()))
+            logger.warning("verify_chain: cert {}'s parent {} is not a CA"
+                            .format(self.pretty_name(), self.parent.pretty_name()))
             raise CertNotSignedByParent("{}: Parent {} not a CA"
                                         .format(self.pretty_name(),
                                                 self.parent.pretty_name()))