From: Josh Karlin Date: Tue, 13 Jul 2010 14:02:02 +0000 (+0000) Subject: small changes to creds/gid X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=773737fdb9942fbdb017985968672c7546fc6ccb small changes to creds/gid
---
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index e2a05cc3..453401f6 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -631,7 +631,19 @@ class Credential(object):
 def verify(self, trusted_certs):
 if not self.xml:
 self.decode()
- trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
+
+# trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
+ trusted_cert_objects = []
+ ok_trusted_certs = []
+ for f in trusted_certs:
+ try:
+ # Failures here include unreadable files
+ # or non PEM files
+ trusted_cert_objects.append(GID(filename=f))
+ ok_trusted_certs.append(f)
+ except Exception, exc:
+ logger.error("Failed to load trusted cert from %s: %r", f, exc)
+ trusted_certs = ok_trusted_certs
 
 # Use legacy verification if this is a legacy credential
 if self.legacy:
diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py
index 00d3ac1f..cda25fc3 100644
--- a/sfa/trust/gid.py
+++ b/sfa/trust/gid.py
@@ -196,7 +196,6 @@ class GID(Certificate): # for a principal that is not a member of that authority. For example, # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo. - def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff trusted_root = Certificate.verify_chain(self, trusted_certs)
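Review bot: When every entry in `trusted_certs` fails to load, the new loop leaves both `trusted_cert_objects` and the rebound `trusted_certs` empty and `verify` carries on against an empty trust store; whether the chain check later in the method then rejects the credential is outside this hunk, so fail closed right after the loop with `if not trusted_cert_objects:` raising the exception class this method already uses for an unverifiable credential, naming the paths that were skipped. Catching bare `Exception` also turns a corrupted or tampered trust-anchor file into one `error` log line and a silently narrower trust set; `logger.exception("Failed to load trusted cert from %s", f)` would at least keep the traceback, and narrowing the clause to the I/O and PEM-parse failures the comment describes would stop unrelated bugs inside `GID()` from being swallowed. The commented-out comprehension and the empty `+` line above it are dead code and should be deleted rather than kept. The remainder of `verify` lies outside the hunk.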
@@ -204,8 +203,8 @@ class GID(Certificate):
 if self.parent:
 # make sure the parent's hrn is a prefix of the child's hrn
 if not self.get_hrn().startswith(self.parent.get_hrn()):
- print self.get_hrn(), " ", self.parent.get_hrn()
- raise GidParentHrn(self.parent.get_subject())
+ #print self.get_hrn(), " ", self.parent.get_hrn()
+ raise GidParentHrn("This cert %s HRN doesnt start with parent HRN %s" % (self.get_hrn(), self.parent.get_hrn()))
 else:
 # make sure that the trusted root's hrn is a prefix of the child's
 trusted_gid = GID(string=trusted_root.save_to_string())
@@ -215,8 +214,6 @@ class GID(Certificate): # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] cur_hrn = self.get_hrn() if not self.get_hrn().startswith(trusted_hrn): - raise GidParentHrn(trusted_hrn + " " + self.get_hrn()) + raise GidParentHrn("Trusted roots HRN %s isnt start of this cert %s" % (trusted_hrn, cur_hrn)) return - -
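Review bot: The condition whose failure the new message reports, `self.get_hrn().startswith(self.parent.get_hrn())`, is a bare string-prefix test with no name-component boundary, so a parent `planetlab.us.arizona` is accepted as the signer of `planetlab.us.arizonastate.node`, exactly the cross-authority signing the comment above the method says must be refused; compare against `self.parent.get_hrn() + "."` instead, adding an exact-match allowance only if a GID may legitimately carry its parent's own HRN here, which the hunk does not show. The new text reads `doesnt`; `"GID %s HRN does not start with parent HRN %s"` is clearer for the operator who sees it. The `#print` line is dead debugging code and should be removed rather than commented out. The enclosing `verify_chain` begins above this hunk.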
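Review bot: `cur_hrn` is assigned on the line above the check but the condition still calls `self.get_hrn()` again, and the same unbounded `startswith` applies as in the parent branch: a trusted root `foo.bar` would validate a GID named `foo.barbaz.x`. Use `if not cur_hrn.startswith(trusted_hrn + "."):`, with an explicit equality case only if a root is expected to verify its own GID through this path, which is not determinable from the hunk. The message `isnt start of this cert` would read better as `"trusted root HRN %s is not a prefix of this GID's HRN %s"`. `verify_chain` ends at the `return` inside this hunk but starts above it.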