def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff trusted_root = Certificate.verify_chain(self, trusted_certs) if self.parent: # make sure the parent's hrn is a prefix of the child's hrn if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) # Parent must also be an authority (of some type) to sign a GID # There are multiple types of authority - accept them all here if not self.parent.get_type().find('authority') == 0: raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) # Then recurse up the chain - ensure the parent is a trusted # root or is in the namespace of a trusted root self.parent.verify_chain(trusted_certs) else: # make sure that the trusted root's hrn is a prefix of the child's trusted_gid = GID(string=trusted_root.save_to_string()) trusted_type = trusted_gid.get_type() trusted_hrn = trusted_gid.get_hrn() #if trusted_type == 'authority': # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] cur_hrn = self.get_hrn() if not hrn_authfor_hrn(trusted_hrn, cur_hrn): raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, cur_hrn)) # There are multiple types of authority - accept them all here if not trusted_type.find('authority') == 0: raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) return
def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff trusted_root = Certificate.verify_chain(self, trusted_certs) if self.parent: # make sure the parent's hrn is a prefix of the child's hrn if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) # Parent must also be an authority (of some type) to sign a GID # There are multiple types of authority - accept them all here if not self.parent.get_type().find('authority') == 0: raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) # Then recurse up the chain - ensure the parent is a trusted # root or is in the namespace of a trusted root self.parent.verify_chain(trusted_certs) else: # make sure that the trusted root's hrn is a prefix of the child's trusted_gid = GID(string=trusted_root.save_to_string()) trusted_type = trusted_gid.get_type() trusted_hrn = trusted_gid.get_hrn() #if trusted_type == 'authority': # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] cur_hrn = self.get_hrn() if not hrn_authfor_hrn(trusted_hrn, cur_hrn): raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert %s" % (trusted_hrn, cur_hrn)) # There are multiple types of authority - accept them all here if not trusted_type.find('authority') == 0: raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) return
def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff Certificate.verify_chain(self, trusted_certs) if self.parent: # make sure the parent delegated rights to the child if not self.parent.get_delegate(): raise MissingDelegateBit(self.parent.get_subject()) # make sure the rights given to the child are a subset of the # parents rights if not self.parent.get_privileges().is_superset(self.get_privileges()): raise ChildRightsNotSubsetOfParent(self.get_subject() + " " + self.parent.get_privileges().save_to_string() + " " + self.get_privileges().save_to_string()) return
def verify_chain(self, trusted_certs=None): # do the normal certificate verification stuff Certificate.verify_chain(self, trusted_certs) if self.parent: # make sure the parent delegated rights to the child if not self.parent.get_delegate(): raise MissingDelegateBit(self.parent.get_subject()) # make sure the rights given to the child are a subset of the # parents rights if not self.parent.get_privileges().is_superset( self.get_privileges()): raise ChildRightsNotSubsetOfParent( self.get_subject() + " " + self.parent.get_privileges().save_to_string() + " " + self.get_privileges().save_to_string()) return
def test_parents(self): cert_root = Certificate(subject="root") key_root = Keypair(create=True) cert_root.set_pubkey(key_root) cert_root.set_issuer(key_root, "root") cert_root.sign() cert1 = Certificate(subject="one") key1 = Keypair(create=True) cert1.set_pubkey(key1) cert1.set_issuer(key_root, "root") cert1.sign() cert2 = Certificate(subject="two") key2 = Keypair(create=True) cert2.set_pubkey(key2) cert2.set_issuer(key1, cert=cert1) cert2.set_parent(cert1) cert2.sign() cert3 = Certificate(subject="three") key3 = Keypair(create=True) cert3.set_pubkey(key3) cert3.set_issuer(key2, cert=cert2) cert3.set_parent(cert2) cert3.sign() self.assert_(cert1.verify(key_root)) self.assert_(cert2.is_signed_by_cert(cert1)) self.assert_(cert3.is_signed_by_cert(cert2)) cert3.verify_chain([cert_root]) # now save the chain to a string and load it into a new certificate str_chain = cert3.save_to_string(save_parents=True) cert4 = Certificate(string = str_chain) # verify the newly loaded chain still verifies cert4.verify_chain([cert_root]) # verify the parentage self.assertEqual(cert4.get_parent().get_subject(), "two") self.assertEqual(cert4.get_parent().get_parent().get_subject(), "one")
def verify_chain(self, trusted_certs = None): # do the normal certificate verification stuff trusted_root = Certificate.verify_chain(self, trusted_certs) if self.parent: # make sure the parent's hrn is a prefix of the child's hrn if not self.get_hrn().startswith(self.parent.get_hrn()): #print self.get_hrn(), " ", self.parent.get_hrn() raise GidParentHrn("This cert %s HRN doesnt start with parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) else: # make sure that the trusted root's hrn is a prefix of the child's trusted_gid = GID(string=trusted_root.save_to_string()) trusted_type = trusted_gid.get_type() trusted_hrn = trusted_gid.get_hrn() #if trusted_type == 'authority': # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] cur_hrn = self.get_hrn() if not self.get_hrn().startswith(trusted_hrn): raise GidParentHrn("Trusted roots HRN %s isnt start of this cert %s" % (trusted_hrn, cur_hrn)) return