Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/rpki/x509.py | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index be5ef1f4..04efbe92 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -605,19 +605,27 @@ class CMS_object(DER_object):
 if cms.eContentType() != self.econtent_oid:
 raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (cms.eContentType(), self.econtent_oid)
 
+ certs = cms.certs()
+ crls = cms.crls()
+
+ if self.debug_cms_certs:
+ for x in certs:
+ rpki.log.debug("Received CMS cert issuer %s subject %s" % (x.getIssuer(), x.getSubject()))
+ for c in crls:
+ rpki.log.debug("Received CMS CRL issuer %s" % c.getIssuer())
+
 store = POW.X509Store()
 
- ta = X509.normalize_chain(ta)
+ trusted_ee = None
 
- for x in ta:
+ for x in X509.normalize_chain(ta):
 if self.debug_cms_certs:
 rpki.log.debug("CMS trusted cert issuer %s subject %s" % (x.getIssuer(), x.getSubject()))
+ if not x.is_CA():
+ assert trusted_ee is None, "Can't have two EE certs in the same validation chain"
+ trusted_ee = x
 store.addTrust(x.get_POW())
 
- if self.debug_cms_certs:
- for x in cms.certs():
- rpki.log.debug("Received CMS cert issuer %s subject %s" % (x.getIssuer(), x.getSubject()))
-
 try:
 content = cms.verify(store)
 except: |
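Review bot: The `assert trusted_ee is None, ...` inside the trust-chain loop is the only thing that rejects a second non-CA certificate, and asserts are compiled out when Python runs with `-O`, after which a later EE cert would silently replace the earlier one in `trusted_ee`. Because this sits on the CMS signature-verification path, an explicit check that cannot be disabled is safer, for example `if trusted_ee is not None: raise <rpki.exceptions class — placeholder, none suitable is shown here>, "Can't have two EE certs in the same validation chain"`. The hunk does not show where `trusted_ee`, `certs` and `crls` are consumed, and the method continues past the trailing `except:`, so how much relies on this invariant should be confirmed against the rest of the method.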