From 1d4e593b50031e1fba5b8c2f9d9eeed6bdf84936 Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Wed, 20 Aug 2014 12:25:11 +0200 Subject: [PATCH 1/1] debug statements about verify_chain are very verbose, so they are now disabled by default --- sfa/trust/certificate.py | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py index 59ec4427..4e9fa29c 100644 --- a/sfa/trust/certificate.py +++ b/sfa/trust/certificate.py @@ -48,6 +48,9 @@ from M2Crypto import X509 from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent from sfa.util.sfalogging import logger +# this tends to generate quite some logs for little or no value +debug_verify_chain = False + glo_passphrase_callback = None ## @@ -695,7 +698,8 @@ class Certificate: # verify expiration time if self.cert.has_expired(): - logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject()) + if debug_verify_chain: + logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject()) raise CertExpired(self.get_printable_subject(), "client cert") # if this cert is signed by a trusted_cert, then we are set @@ -703,22 +707,29 @@ class Certificate: if self.is_signed_by_cert(trusted_cert): # verify expiration of trusted_cert ? if not trusted_cert.cert.has_expired(): - logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%( + if debug_verify_chain: + logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%( self.get_printable_subject(), trusted_cert.get_printable_subject())) return trusted_cert else: - logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%( + if debug_verify_chain: + logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%( self.get_printable_subject(),trusted_cert.get_printable_subject())) raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject()) # if there is no parent, then no way to verify the chain if not self.parent: - logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs))) - raise CertMissingParent(self.get_printable_subject() + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs))) + if debug_verify_chain: + logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%\ + (self.get_printable_subject(), self.get_issuer(), len(trusted_certs))) + raise CertMissingParent(self.get_printable_subject() + \ + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." %\ + (self.get_issuer(), len(trusted_certs))) # if it wasn't signed by the parent... if not self.is_signed_by_cert(self.parent): - logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\ + if debug_verify_chain: + logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\ (self.get_printable_subject(), self.parent.get_printable_subject(), self.get_issuer())) @@ -740,7 +751,8 @@ class Certificate: self.parent.get_printable_subject())) # if the parent isn't verified... - logger.debug("verify_chain: .. %s, -> verifying parent %s"%\ + if debug_verify_chain: + logger.debug("verify_chain: .. %s, -> verifying parent %s"%\ (self.get_printable_subject(),self.parent.get_printable_subject())) self.parent.verify_chain(trusted_certs) -- 2.45.2