From: Josh Karlin Date: Thu, 20 May 2010 13:44:14 +0000 (+0000) Subject: gid's verify_chain makes sure that parent GID's hrn is a prefix of current GID's hrn X-Git-Tag: geni-apiv1-totrunk~13 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;ds=sidebyside;h=0f2a847b8f4f90fae33880078dd30b9ce65df3ad;p=sfa.git gid's verify_chain makes sure that parent GID's hrn is a prefix of current GID's hrn --- diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py index b82e256f..3bdad0f4 100644 --- a/sfa/trust/certificate.py +++ b/sfa/trust/certificate.py @@ -563,14 +563,8 @@ class Certificate: #print "TRUSTED CERT", trusted_cert.dump() #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert) if self.is_signed_by_cert(trusted_cert): - # make sure sure the trusted cert's hrn is a prefix of the - # signed cert's hrn - trusted_hrn, _ = urn_to_hrn(trusted_cert.get_subject()) - cur_hrn, _ = urn_to_hrn(self.get_subject()) - if not cur_hrn.startswith(trusted_hrn): - raise GidParentHrn(trusted_cert.get_subject() + " " + self.get_subject()) #print self.get_subject(), "is signed by a root" - return + return trusted_cert # if there is no parent, then no way to verify the chain if not self.parent: diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index db2cb44e..b41d0fd7 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py 
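Review bot: `return trusted_cert` turns Certificate.verify_chain's return value into a contract that gid.py now depends on, but the hunk adds no documentation for it, and the path after `if not self.parent:` (the recursion through the parent) lies outside the hunk, so it is not visible whether a chain verified via a parent also returns the trusted root or still returns None. A docstring such as `"""Walk the chain and return the trusted cert that anchors it; raises if no link is signed by a trusted cert."""` plus a matching `return` on the parent path would make the subclass use safe. Removing the hrn-prefix check from this level also means a caller that verifies a GID through Certificate.verify_chain rather than GID.verify_chain no longer gets that check, which the commit message could state. verify_chain's body continues outside the hunk on both sides.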
@@ -177,12 +177,19 @@ class GID(Certificate): def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff - Certificate.verify_chain(self, trusted_certs) + trusted_root = Certificate.verify_chain(self, trusted_certs) + if self.parent: # make sure the parent's hrn is a prefix of the child's hrn if not self.get_hrn().startswith(self.parent.get_hrn()): raise GidParentHrn(self.parent.get_subject()) - + else: + # make sure that the trusted root's hrn is a prefix of the child's + trusted_gid = GID(string=trusted_root.save_to_string()) + trusted_hrn = trusted_gid.get_hrn() + cur_hrn = self.get_hrn() + if not self.get_hrn().startswith(trusted_hrn): + raise GidParentHrn(trusted_hrn + " " + self.get_hrn()) return
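Review bot: The trusted-root check in the new `else:` branch is a bare string prefix test, so a GID whose hrn merely begins with the same characters as the root's hrn (a constructed example: `plcx.user` against a root `plc`) passes; if hrn components are dot-separated, as urn_to_hrn elsewhere in this code base suggests, the test belongs on a component boundary, `if not (cur_hrn == trusted_hrn or cur_hrn.startswith(trusted_hrn + ".")):`. The same weakness is in the existing parent check in the context lines, which this commit does not touch. `cur_hrn = self.get_hrn()` is assigned but never read; using it in the condition and in `raise GidParentHrn(trusted_hrn + " " + cur_hrn)` avoids the repeated get_hrn() calls. The else branch only runs when self.parent is unset, so for a chained GID whose parent was loaded as a plain Certificate the root's hrn is presumably never compared against any link — worth confirming. The `@@` counts admit three more context lines than are visible here, so the hunk's tail may be cut.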