From 407f648e93cffa292c800c3cf7dff1bec0dccff0 Mon Sep 17 00:00:00 2001
From: Josh Karlin <jkarlin@bbn.com>
Date: Tue, 13 Apr 2010 20:43:02 +0000
Subject: [PATCH] Added warnings to encode() and sign()

---
 sfa/trust/credential.py | 18 ++++++++++++++++++
 tests/testCred.py       |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 4c396a95..0b76372f 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -92,6 +92,7 @@ def append_sub(doc, parent, element, text):
 ##
 # Signature contains information about an xmlsec1 signature
 # for a signed-credential
+#
 
 class Signature(object):
     refid = None
@@ -146,6 +147,11 @@ class Signature(object):
 # Credentials are encoded in one of two ways.  The legacy style places
 # it in the subjectAltName of an X509 certificate.  The new credentials
 # are placed in signed XML.
+#
+# WARNING:
+# In general, a signed credential obtained externally should
+# not be changed else the signature is no longer valid.  So, once
+# you have loaded an existing signed credential, do not call encode() or sign() on it.
 
 
 class Credential(object):
@@ -326,6 +332,10 @@ class Credential(object):
     ##
     # Encode the attributes of the credential into an XML string    
     # This should be done immediately before signing the credential.    
+    # WARNING:
+    # In general, a signed credential obtained externally should
+    # not be changed else the signature is no longer valid.  So, once
+    # you have loaded an existing signed credential, do not call encode() or sign() on it.
 
     def encode(self):
         p_sigs = None
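Review bot: The warning added above encode() tells callers not to call it on a loaded credential, but the context lines at the top of the next hunk show `self.encode()` being invoked inside another method just before `return self.xml`, so re-encoding can happen without an explicit call. The condition guarding that call is outside the hunk, so loaded credentials may already be safe; the comment should say so either way, for example `# Note: encode() may also be called internally by the method that returns self.xml.` This block also lacks the bare `#` separator line that precedes `# WARNING:` in the class-level and sign() comments. encode()'s body continues outside the hunk.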
@@ -454,6 +464,14 @@ class Credential(object):
             self.encode()
         return self.xml
 
+    ##
+    # Sign the XML file created by encode()
+    #
+    # WARNING:
+    # In general, a signed credential obtained externally should
+    # not be changed else the signature is no longer valid.  So, once
+    # you have loaded an existing signed credential, do not call encode() or sign() on it.
+
     def sign(self):
         if not self.issuer_privkey or not self.issuer_gid:
             return
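Review bot: The new comment on sign() does not mention the early exit visible in the first two lines of the body: when `issuer_privkey` or `issuer_gid` is unset, the method returns without signing and without raising. A caller gets no indication that the credential was left unsigned, so the comment should state it, e.g. `# Returns without signing if issuer_privkey or issuer_gid is not set.` The rest of sign() is outside the hunk.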
diff --git a/tests/testCred.py b/tests/testCred.py
index 2a694b53..4a6efde2 100755
--- a/tests/testCred.py
+++ b/tests/testCred.py
@@ -167,7 +167,7 @@ class TestCred(unittest.TestCase):
       except CredentialNotVerifiable:
          pass      
       
-      
+      # Test that * gets translated properly
 
 if __name__ == "__main__":
     unittest.main()
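Review bot: The added comment `# Test that * gets translated properly` announces a test, but no test code follows it in this hunk; the next code line is the `if __name__ == "__main__":` guard. If the test is still to be written, mark it as such, e.g. `# TODO: add a test that * gets translated properly`, so the comment does not read as describing existing coverage. The enclosing test method starts outside the hunk.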
-- 
2.47.0