Fix a shamefully dumb copy-paste bug in the output

[public/dnssec-swede-utility.git] / swede
diff --git a/swede b/swede

index 60947eb7d2a1d7e5cccf7488de1fe562dcb048a3..bc1952a455465e9f5a6dc72027abb11ded73017e 100755 (executable)
--- a/swede
+++ b/swede
@@ -271,7 +271,7 @@ class TLSARecord:
                         if self.getPort() != '*':
                                 err.append('Port %s not a number' % self.getPort())
                 if not self.usage in [0,1,2,3]:
-                       err.append('Usage: invalid (%s is not one of 0, 1 or 2)' % self.usage)
+                       err.append('Usage: invalid (%s is not one of 0, 1, 2 or 3)' % self.usage)
                 if not self.selector in [0,1]:
                         err.append('Selector: invalid (%s is not one of 0 or 1)' % self.selector)
                 if not self.mtype in [0,1,2]:
@@ -416,8 +416,8 @@ if __name__ == '__main__':
                         if not args.quiet:
                                 print 'Received the following record for name %s:' % record.name
                                 print '\tUsage:\t\t\t\t%d (%s)' % (record.usage, {0:'CA Constraint', 1:'End-Entity Constraint + chain to CA', 2:'Trust Anchor', 3:'End-Entity'}.get(record.usage, 'INVALID'))
-                               print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.usage, 'INVALID'))
-                               print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.usage, 'INVALID'))
+                               print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.selector, 'INVALID'))
+                               print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.mtype, 'INVALID'))
                                 print '\tCertificate for Association:\t%s' % record.cert
  
                         try:
@@ -466,8 +466,7 @@ if __name__ == '__main__':
  
                                 # Good, now let's verify
                                 if record.usage == 1: # End-host cert
-                                       cert = chain[0]
-                                       if verifyCertMatch(record, cert):
+                                       if verifyCertMatch(record, chain[0]):
                                                 if verify_result == 0: # The cert chains to a valid CA cert according to the system-certificates
                                                         print 'SUCCESS (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record and chains to a valid CA certificate'
                                                 else:
@@ -504,7 +503,13 @@ if __name__ == '__main__':
                                 elif record.usage == 2: # Usage 2, use the cert in the record as trust anchor
                                         #FIXME: doesnt comply to the spec
                                         matched = False
+                                       previous_issuer = None
                                         for cert in chain:
+                                               if previous_issuer:
+                                                       if not str(previous_issuer) == str(cert.get_subject()): # The chain cannot be valid
+                                                               print "FAIL: Certificates don't chain"
+                                                               break
+                                                       previous_issuer = cert.get_issuer()
                                                 if verifyCertMatch(record, cert):
                                                         matched = True
                                                         continue