def GetSelfCredential(certificate, xnr, type):
        if type:
            hrn = urn_to_hrn(xrn)[0]
        else:
            hrn, type = urn_to_hrn(xrn)

        origin_hrn = Certificate(string=cert).get_subject()
        ### authenticate the gid
        # import here so we can load this module at build-time for sfa2wsdl
        #from sfa.storage.alchemy import dbsession
        from sfa.storage.model import RegRecord

        # xxx-local - the current code runs Resolve, which would forward to 
        # another registry if needed
        # I wonder if this is truly the intention, or shouldn't we instead 
        # only look in the local db ?
        records = self.api.manager.Resolve(self.api, xrn, type, details=False)
        if not records:
            raise RecordNotFound(hrn)

        record_obj = RegRecord (dict=records[0])
        # xxx-local the local-only version would read 
        #record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
        #if not record_obj: raise RecordNotFound(hrn)
        gid = record_obj.get_gid_object()
        gid_str = gid.save_to_string(save_parents=True)
        self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
        # authenticate the certificate against the gid in the db
        certificate = Certificate(string=cert)
        if not certificate.is_pubkey(gid.get_pubkey()):
            for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
                if hasattr (obj,'filename'):
            raise ConnectionKeyGIDMismatch(gid.get_subject())

        return self.api.manager.GetCredential(self.api, xrn, type)

    def do_POST(self):
        """Handles the HTTPS POST request.

        It was copied out from SimpleXMLRPCServer.py and modified to shutdown 
        the socket cleanly.
        """
        try:
            peer_cert = Certificate()
            peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate())
            generic=Generic.the_flavour()
            self.api = generic.make_api (peer_cert = peer_cert, 
                                         interface = self.server.interface, 
                                         key_file = self.server.key_file, 
                                         cert_file = self.server.cert_file,
                                         cache = self.cache)
            #logger.info("SecureXMLRpcRequestHandler.do_POST:")
            #logger.info("interface=%s"%self.server.interface)
            #logger.info("key_file=%s"%self.server.key_file)
            #logger.info("api=%s"%self.api)
            #logger.info("server=%s"%self.server)
            #logger.info("handler=%s"%self)
            # get arguments
            request = self.rfile.read(int(self.headers["content-length"]))
            remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
            self.api.remote_addr = remote_addr            
            response = self.api.handle(remote_addr, request, self.server.method_map)
        except Exception, fault:
            # This should only happen if the module is buggy
            # internal error, report as HTTP server error
            logger.log_exc("server.do_POST")
            response = self.api.prepare_response(fault)

   def testSign(self):
      cert = Certificate(subject="test")

      # create an issuer and sign the certificate
      issuerKey = Keypair(create=True)
      issuerSubject = "testissuer"
      cert.set_issuer(issuerKey, issuerSubject)
      cert.sign()

    def call(self, cert, xrn, type):
        """
        GetSelfCredential a degenerate version of GetCredential used by a client
        to get his initial credential when de doesnt have one. This is the same as
        GetCredential(..., cred = None, ...)

        The registry ensures that the client is the principal that is named by
        (type, name) by comparing the public key in the record's  GID to the
        private key used to encrypt the client side of the HTTPS connection. Thus
        it is impossible for one principal to retrieve another principal's
        credential without having the appropriate private key.

        @param type type of object (user | slice | sa | ma | node)
        @param hrn human readable name of authority to list
        @return string representation of a credential object
        """
        if type:
            hrn = urn_to_hrn(xrn)[0]
        else:
            hrn, type = urn_to_hrn(xrn) 
        self.api.auth.verify_object_belongs_to_me(hrn)

        origin_hrn = Certificate(string=cert).get_subject()
        self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
        
 
        ### authenticate the gid
        # import here so we can load this module at build-time for sfa2wsdl
        #from sfa.storage.alchemy import dbsession
        from sfa.storage.model import RegRecord

        # xxx-local - the current code runs Resolve, which would forward to 
        # another registry if needed
        # I wonder if this is truly the intention, or shouldn't we instead 
        # only look in the local db ?
        records = self.api.manager.Resolve(self.api, xrn, type, details=False)
        if not records:
            raise RecordNotFound(hrn)

        record_obj = RegRecord (dict=records[0])
        # xxx-local the local-only version would read 
        #record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
        #if not record_obj: raise RecordNotFound(hrn)
        gid = record_obj.get_gid_object()
        gid_str = gid.save_to_string(save_parents=True)
        self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
        # authenticate the certificate against the gid in the db
        certificate = Certificate(string=cert)
        if not certificate.is_pubkey(gid.get_pubkey()):
            for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
                self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
                self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
                if hasattr (obj,'filename'): 
                    self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
            raise ConnectionKeyGIDMismatch(gid.get_subject())
        
        return self.api.manager.GetCredential(self.api, xrn, type)

    def get_cert_file(self, key_file):
    
        cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert")
        if (os.path.isfile(cert_file)):
            # we'd perfer to use Registry issued certs instead of self signed certs. 
            # if this is a Registry cert (GID) then we are done 
            gid = GID(filename=cert_file)
            if gid.get_urn():
                return cert_file

        # generate self signed certificate
        k = Keypair(filename=key_file)
        cert = Certificate(subject=self.user)
        cert.set_pubkey(k)
        cert.set_issuer(k, self.user)
        cert.sign()
        self.logger.info("Writing self-signed certificate to %s"%cert_file)
        cert.save_to_file(cert_file)
        self.cert = cert
        # try to get registry issued cert
        try:
            self.logger.info("Getting Registry issued cert")
            self.read_config()
            # *hack.  need to set registyr before _get_gid() is called 
            self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file, timeout=self.options.timeout, verbose=self.options.debug)
            gid = self._get_gid(type='user')
            self.registry = None 
            self.logger.info("Writing certificate to %s"%cert_file)
            gid.save_to_file(cert_file)
        except:
            self.logger.info("Failed to download Registry issued cert")

        return cert_file

 def get_trusted_certs(self, opts, args):
     """
     return uhe trusted certs at this interface 
     """ 
     trusted_certs = self.registry.get_trusted_certs()
     for trusted_cert in trusted_certs:
         gid = GID(string=trusted_cert)
         gid.dump()
         cert = Certificate(string=trusted_cert)
         self.logger.debug('Sfi.get_trusted_certs -> %r'%cert.get_subject())
     return 

 def CreateGid(self, api, xrn, cert):
     # get the authority
     authority = Xrn(xrn=xrn).get_authority_hrn()
     auth_info = api.auth.get_auth_info(authority)
     if not cert:
         pkey = Keypair(create=True)
     else:
         certificate = Certificate(string=cert)
         pkey = certificate.get_pubkey()    
     gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey) 
     return gid.save_to_string(save_parents=True)

def init_self_signed_cert(hrn, key, server_cert_file):
    logger.debug("generating self signed cert")
    # generate self signed certificate
    cert = Certificate(subject=hrn)
    cert.set_issuer(key=key, subject=hrn)
    cert.set_pubkey(key)
    cert.sign()
    cert.save_to_file(server_cert_file)

 def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None):
     
     Certificate.__init__(self, create, subject, string, filename)
     if subject:
         logger.debug("Creating GID for subject: %s" % subject)
     if uuid:
         self.uuid = int(uuid)
     if hrn:
         self.hrn = hrn
         self.urn = hrn_to_urn(hrn, 'unknown')
     if urn:
         self.urn = urn
         self.hrn, type = urn_to_hrn(urn)

def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False):
    """
    create the server key/cert pair in the right place
    """
    key = Keypair(filename=keyfile)
    key.save_to_file(keyfile)
    cert = Certificate(subject=hrn)
    cert.set_issuer(key=key, subject=hrn)
    cert.set_pubkey(key)
    cert.sign()
    cert.save_to_file(certfile, save_parents=True)       

 def self_signed_cert_produce (self,output):
     self.assert_private_key()
     private_key_filename = self.private_key_filename()
     keypair=Keypair(filename=private_key_filename)
     self_signed = Certificate (subject = self.hrn)
     self_signed.set_pubkey (keypair)
     self_signed.set_issuer (keypair, self.hrn)
     self_signed.sign ()
     self_signed.save_to_file (output)
     self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
                           (self.hrn,output))
     return output

    def __init__(self, config = "/etc/sfa/sfa_config.py", encoding = "utf-8", 
                 methods='sfa.methods', peer_cert = None, interface = None, 
                key_file = None, cert_file = None, cache = None):
        BaseAPI.__init__(self, config=config, encoding=encoding, methods=methods, \
                         peer_cert=peer_cert, interface=interface, key_file=key_file, \
                         cert_file=cert_file, cache=cache)
 
        self.encoding = encoding
        from sfa.util.table import SfaTable
        self.SfaTable = SfaTable
        # Better just be documenting the API
        if config is None:
            return

        # Load configuration
        self.config = Config(config)
        self.auth = Auth(peer_cert)
        self.interface = interface
        self.key_file = key_file
        self.key = Keypair(filename=self.key_file)
        self.cert_file = cert_file
        self.cert = Certificate(filename=self.cert_file)
        self.credential = None
        # Initialize the PLC shell only if SFA wraps a myPLC
        rspec_type = self.config.get_aggregate_type()
        if (rspec_type == 'pl' or rspec_type == 'vini' or \
            rspec_type == 'eucalyptus' or rspec_type == 'max'):
            self.plshell = self.getPLCShell()
            self.plshell_version = "4.3"

        self.hrn = self.config.SFA_INTERFACE_HRN
        self.time_format = "%Y-%m-%d %H:%M:%S"

    def verify_chain(self, trusted_certs = None):
        # do the normal certificate verification stuff
        trusted_root = Certificate.verify_chain(self, trusted_certs)        
       
        if self.parent:
            # make sure the parent's hrn is a prefix of the child's hrn
            if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()):
                raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn()))

            # Parent must also be an authority (of some type) to sign a GID
            # There are multiple types of authority - accept them all here
            if not self.parent.get_type().find('authority') == 0:
                raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type()))

            # Then recurse up the chain - ensure the parent is a trusted
            # root or is in the namespace of a trusted root
            self.parent.verify_chain(trusted_certs)
        else:
            # make sure that the trusted root's hrn is a prefix of the child's
            trusted_gid = GID(string=trusted_root.save_to_string())
            trusted_type = trusted_gid.get_type()
            trusted_hrn = trusted_gid.get_hrn()
            #if trusted_type == 'authority':
            #    trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')]
            cur_hrn = self.get_hrn()
            if not hrn_authfor_hrn(trusted_hrn, cur_hrn):
                raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, cur_hrn))

            # There are multiple types of authority - accept them all here
            if not trusted_type.find('authority') == 0:
                raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type))

        return

    def __init__ (self, encoding="utf-8", methods='sfa.methods', 
                  config = "/etc/sfa/sfa_config", 
                  peer_cert = None, interface = None, 
                  key_file = None, cert_file = None, cache = None):
        
        XmlrpcApi.__init__ (self, encoding)
        
        # we may be just be documenting the API
        if config is None:
            return
        # Load configuration
        self.config = Config(config)
        self.credential = None
        self.auth = Auth(peer_cert)
        self.interface = interface
        self.hrn = self.config.SFA_INTERFACE_HRN
        self.key_file = key_file
        self.key = Keypair(filename=self.key_file)
        self.cert_file = cert_file
        self.cert = Certificate(filename=self.cert_file)
        self.cache = cache
        if self.cache is None:
            self.cache = Cache()
        
        # load registries
        from sfa.server.registry import Registries
        self.registries = Registries() 

        # load aggregates
        from sfa.server.aggregate import Aggregates
        self.aggregates = Aggregates()
        
        # filled later on by generic/Generic
        self.manager=None
        self._dbsession=None

    def call(self, cert, xrn, type):
        """
        GetSelfCredential a degenerate version of GetCredential used by a client
        to get his initial credential when de doesnt have one. This is the same as
        GetCredential(..., cred = None, ...)

        The registry ensures that the client is the principal that is named by
        (type, name) by comparing the public key in the record's  GID to the
        private key used to encrypt the client side of the HTTPS connection. Thus
        it is impossible for one principal to retrieve another principal's
        credential without having the appropriate private key.

        @param type type of object (user | slice | sa | ma | node)
        @param hrn human readable name of authority to list
        @return string representation of a credential object
        """
        if type:
            hrn = urn_to_hrn(xrn)[0]
        else:
            hrn, type = urn_to_hrn(xrn) 
        self.api.auth.verify_object_belongs_to_me(hrn)

        origin_hrn = Certificate(string=cert).get_subject()
        self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
        
        manager = self.api.get_interface_manager()
 
        # authenticate the gid
        records = manager.resolve(self.api, xrn, type)
        if not records:
            raise RecordNotFound(hrn)
        record = SfaRecord(dict=records[0])
        gid = record.get_gid_object()
        gid_str = gid.save_to_string(save_parents=True)
        self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
        # authenticate the certificate against the gid in the db
        certificate = Certificate(string=cert)
        if not certificate.is_pubkey(gid.get_pubkey()):
            for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
                self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
                self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
                if hasattr (obj,'filename'): 
                    self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
            raise ConnectionKeyGIDMismatch(gid.get_subject())
        
        return manager.get_credential(self.api, xrn, type, is_self=True)

    def verify_chain(self, trusted_certs = None):
        # do the normal certificate verification stuff
        Certificate.verify_chain(self, trusted_certs)

        if self.parent:
            # make sure the parent delegated rights to the child
            if not self.parent.get_delegate():
                raise MissingDelegateBit(self.parent.get_subject())

            # make sure the rights given to the child are a subset of the
            # parents rights
            if not self.parent.get_privileges().is_superset(self.get_privileges()):
                raise ChildRightsNotSubsetOfParent(self.get_subject() 
                                                   + " " + self.parent.get_privileges().save_to_string()
                                                   + " " + self.get_privileges().save_to_string())

        return

 def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825, email=None):
     self.uuid = None
     self.hrn = None
     self.urn = None
     self.email = None # for adding to the SubjectAltName             
     Certificate.__init__(self, lifeDays, create, subject, string, filename)
     if subject:
         logger.debug("Creating GID for subject: %s" % subject)
     if uuid:
         self.uuid = int(uuid)
     if hrn:
         self.hrn = hrn
         self.urn = hrn_to_urn(hrn, 'unknown')
     if urn:
         self.urn = urn
         self.hrn, type = urn_to_hrn(urn)
     if email:
         self.set_email(email)

    def CreateGid(self, api, xrn, cert):
        # get the authority
        authority = Xrn(xrn=xrn).get_authority_hrn()
        auth_info = api.auth.get_auth_info(authority)
        if not cert:
            pkey = Keypair(create=True)
        else:
            certificate = Certificate(string=cert)
            pkey = certificate.get_pubkey()    

        # Add the email of the user to SubjectAltName in the GID
        email = None
        hrn = Xrn(xrn).get_hrn()
        dbsession=api.dbsession()
        record=dbsession.query(RegUser).filter_by(hrn=hrn).first()
        if record:
            email=getattr(record,'email',None)
        gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey, email = email)
        return gid.save_to_string(save_parents=True)

   def testSetData(self):
      cert = Certificate(subject="test")
      data = "this is a test"
      cert.set_data(data)
      self.assertEqual(cert.get_data(), data)

      # try something a bit more complicated, like an xmlrpc encoding of
      # some parameters
      cert = Certificate(subject="test")
      data = xmlrpclib.dumps((1, "foo", ["a", "b"], {"c": "d", "e": "f"}, True))
      cert.set_data(data)
      self.assertEqual(cert.get_data(), data)

 def get_node_key(self):
     # this call requires no authentication,
     # so we can generate a random keypair here
     subject="component"
     (kfd, keyfile) = tempfile.mkstemp()
     (cfd, certfile) = tempfile.mkstemp()
     key = Keypair(create=True)
     key.save_to_file(keyfile)
     cert = Certificate(subject=subject)
     cert.set_issuer(key=key, subject=subject)
     cert.set_pubkey(key)
     cert.sign()
     cert.save_to_file(certfile)
     registry = self.get_registry()
     # the registry will scp the key onto the node
     registry.get_key()