[pkg-discuss] Re: Review request 15507548 cert validation needs to validate all certificates before raising e
- From: Erik Trauschke <
- Cc: Yiteng Zhang <
- Subject: [pkg-discuss] Re: Review request 15507548 cert validation needs to validate all certificates before raising e
- Date: Thu, 24 Oct 2013 08:49:00 -0700
On 10/23/13 03:52 PM, Yiteng Zhang wrote:
> The webrev can be seen at:

This still needs some work.

You don't want to generate the error messages in
image.py:check_cert_validity(). That is the job of the exception.
You also don't need to modify misc.py:validate_ssl_cert().

How this should look is that ExpiredCertificates() includes a list
of ExpiredCertificate() objects. And the str() method of this exception
just prints the generic header ("One or more client key and certificates
...") and then cycles through each ExpiredCertificate exception in the
list and extracts the information needed for the message (everything you
need is in the 'uri' property).

Then, in image.py, you leave the code mainly as is but put in a
try/except statement which checks for an ExpiredCertificate exception
when misc.validate_ssl_cert() is called. If that happens, you add it to
your ExpiredCertificates exception.

At the end of the loop you check if your ExpiredCertificates exception
contains any ExpiredCertificate exceptions and, if so, you raise it.

> One thing to mention is that when I create two pairs of valid
> certificates and keys for two repositories of the same publisher, it
> seems that the pkg system can only use one pair of certificate and key
> (seen from the [authority_solaris] section of pkg5.image file). Is that

I have to try, but it could be that we still have some issues with that.
Nevertheless, if you fix your exception issue, it will work as soon as
this is fixed.
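
The structure described in this review, as an added Python example that is not the pkg project's code: an aggregate exception collects every per-certificate failure, builds the message itself, and is raised once after the loop. The `validate_ssl_cert()` stand-in, its arguments, the `not_after` field and the sample data are assumptions; the header string is kept truncated exactly as the message quotes it.

```python
from datetime import datetime, timezone

class ExpiredCertificate(Exception):
    """One expired client certificate; 'uri' identifies it, as in the review."""
    def __init__(self, uri, not_after):
        super().__init__(uri)
        self.uri, self.not_after = uri, not_after  # not_after is an assumed field

class ExpiredCertificates(Exception):
    """Aggregate holding every ExpiredCertificate found in one validation pass."""
    # Header wording is truncated in the review; kept exactly as quoted there.
    HEADER = "One or more client key and certificates ..."

    def __init__(self):
        super().__init__()
        self.errors = []

    def __str__(self):
        # The exception, not the caller, builds the user-facing message.
        lines = [self.HEADER]
        for e in self.errors:
            lines.append(f"  {e.uri} (expired {e.not_after:%Y-%m-%d})")
        return "\n".join(lines)

def validate_ssl_cert(cert, now):
    """Hypothetical stand-in for misc.validate_ssl_cert(): raises per certificate."""
    if cert["not_after"] <= now:
        raise ExpiredCertificate(cert["uri"], cert["not_after"])

def check_cert_validity(certs, now):
    """Validate every certificate first, then raise once with all failures."""
    expired = ExpiredCertificates()
    for cert in certs:
        try:
            validate_ssl_cert(cert, now)
        except ExpiredCertificate as e:
            expired.errors.append(e)  # remember it and keep checking the rest
    if expired.errors:
        raise expired

# Constructed sample data: two expired certificates and one valid one.
NOW = datetime(2013, 10, 24, tzinfo=timezone.utc)
SAMPLE = [
    {"uri": "/tmp/a.pem", "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc)},
    {"uri": "/tmp/b.pem", "not_after": datetime(2014, 1, 1, tzinfo=timezone.utc)},
    {"uri": "/tmp/c.pem", "not_after": datetime(2013, 6, 1, tzinfo=timezone.utc)},
]
```

Calling `check_cert_validity(SAMPLE, NOW)` raises a single `ExpiredCertificates` listing both `/tmp/a.pem` and `/tmp/c.pem`, so an operator sees every certificate that needs renewal in one run.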