make sure the trusted cert's hrn is a prefix of the signed cert's hrn
authorTony Mack <tmack@cs.princeton.edu>
Thu, 29 Apr 2010 02:29:49 +0000 (02:29 +0000)
committerTony Mack <tmack@cs.princeton.edu>
Thu, 29 Apr 2010 02:29:49 +0000 (02:29 +0000)
sfa/trust/certificate.py

index 9b48835..8150ae1 100644 (file)
@@ -525,6 +525,10 @@ class Certificate:
             #print "TRUSTED CERT", trusted_cert.dump()
             #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
             if self.is_signed_by_cert(trusted_cert):
+                # make sure sure the trusted cert's hrn is a prefix of the
+                # signed cert's hrn
+                if not self.get_subject().startswith(trusted_cert.get_subject()):
+                    raise GidParentHrn(trusted_cert.get_subject()) 
                 #print self.get_subject(), "is signed by a root"
                 return
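Review bot: The added check `self.get_subject().startswith(trusted_cert.get_subject())` is a plain string prefix test, so it is not anchored to an hrn component boundary: a trusted subject `plc.princeton` would also pass as the parent of `plc.princeton2.user` (constructed names). Assuming the subjects are dot-separated hrns, as the added comment implies, bind `parent = trusted_cert.get_subject()` and test `if not (self.get_subject() == parent or self.get_subject().startswith(parent + ".")):`. Whether the equality case should be accepted depends on callers not visible here. The added comment has a doubled word ("make sure sure"), and `GidParentHrn` is raised with only the trusted subject, so the error will not show which signed hrn was rejected. The enclosing method starts and ends outside the hunk.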