from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent
from sfa.util.sfalogging import logger
+# this tends to generate quite some logs for little or no value
+debug_verify_chain = False
+
glo_passphrase_callback = None
##
# verify expiration time
if self.cert.has_expired():
- logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())
raise CertExpired(self.get_printable_subject(), "client cert")
# if this cert is signed by a trusted_cert, then we are set
if self.is_signed_by_cert(trusted_cert):
# verify expiration of trusted_cert ?
if not trusted_cert.cert.has_expired():
- logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(
self.get_printable_subject(), trusted_cert.get_printable_subject()))
return trusted_cert
else:
- logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(
self.get_printable_subject(),trusted_cert.get_printable_subject()))
raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject())
# if there is no parent, then no way to verify the chain
if not self.parent:
- logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
- raise CertMissingParent(self.get_printable_subject() + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs)))
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%\
+ (self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))
+ raise CertMissingParent(self.get_printable_subject() + \
+ ": Issuer %s is not one of the %d trusted roots, and cert has no parent." %\
+ (self.get_issuer(), len(trusted_certs)))
# if it wasn't signed by the parent...
if not self.is_signed_by_cert(self.parent):
- logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\
(self.get_printable_subject(),
self.parent.get_printable_subject(),
self.get_issuer()))
self.parent.get_printable_subject()))
# if the parent isn't verified...
- logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
+ if debug_verify_chain:
+ logger.debug("verify_chain: .. %s, -> verifying parent %s"%\
(self.get_printable_subject(),self.parent.get_printable_subject()))
self.parent.verify_chain(trusted_certs)