From: Tony Mack
Date: Tue, 14 Sep 2010 19:55:40 +0000 (+0000)
Subject: check for certificate expiration
X-Git-Tag: sfa-1.0-2~34
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=a12041cb089904994e1153b6fc5649348690cbc6;p=sfa.git

check for certificate expiration
---

diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py
index 503ebe99..fe7f291d 100644
--- a/sfa/trust/certificate.py
+++ b/sfa/trust/certificate.py
@@ -575,18 +575,20 @@ class Certificate:
         # Verify a chain of certificates. Each certificate must be signed by
         # the public key contained in it's parent. The chain is recursed
         # until a certificate is found that is signed by a trusted root.
-        # TODO: verify expiration time
-        #print "====Verify Chain====="
+
+        # verify expiration time
+        if self.cert.has_expired():
+            raise CertExpired(self.get_subject(), "client cert")
+
         # if this cert is signed by a trusted_cert, then we are set
         for trusted_cert in trusted_certs:
-            #print "***************"
-            # TODO: verify expiration of trusted_cert ?
-            #print "CLIENT CERT", self.dump()
-            #print "TRUSTED CERT", trusted_cert.dump()
-            #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
             if self.is_signed_by_cert(trusted_cert):
                 logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
-                return trusted_cert
+                # verify expiration of trusted_cert ?
+                if not trusted_cert.cert.has_expired():
+                    return trusted_cert
+                else:
+                    logger.debug("Trusted cert %s is expired", trusted_cert.get_subject())
 
         # if there is no parent, then no way to verify the chain
         if not self.parent:
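Review bot: An expired trusted root is only reported at debug level and the loop simply moves on, so when that root was the only signer the function falls through to the parent-chain logic below the hunk and the caller gets whatever error that path raises instead of an expiry error, which hides the real cause (a stale trust store) from the operator; consider making the branch mirror the client check above it, `else:` / `raise CertExpired(trusted_cert.get_subject(), "trusted cert")`, or at minimum log it with `logger.warning`. `has_expired()` as used here appears to test only the notAfter bound (that is what the pyOpenSSL method of that name does), so a certificate whose notBefore lies in the future still passes — if the underlying object exposes notBefore, a symmetric not-yet-valid check at the same two places is cheap. The comment `# verify expiration of trusted_cert ?` now sits above code that does exactly that, so the question mark should go (`# reject a trusted cert that has itself expired`). verify_chain continues past the end of the hunk, so I cannot see what the fall-through path raises.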