signature_certificate_file_list may have url and/or paths.

Well, before this change the signature_certificate_file_list worked
only with filesystem paths.
 - i.e ['/home/user/public.pem']

Now it is possible to define urls as well.
 - i.e ['http://example.com/public.pem']

The url content will be downloaded to a temporary file before the
verification and automatically removed after.

The filesystem paths has higher priority than url, it is checked first.
If it does not find any valid certificate, then it will try
to download the certificates from the url provided.

slapos/libnetworkcache.py

@@ -66,7 +66,16 @@ class NetworkcacheClient(object):
       setattr(self, 'shadir_%s' % k, v)
 
     self.signature_private_key_file = signature_private_key_file
-    self.signature_certificate_file_list = signature_certificate_file_list
+
+    self.signature_certificate_file_list = []
+    self.signature_certificate_url_list = []
+    if signature_certificate_file_list is not None:
+      # Split the path and urls
+      for value in signature_certificate_file_list:
+        if os.path.exists(value):
+          self.signature_certificate_file_list.append(value)
+        elif value.startswith('http'):
+          self.signature_certificate_url_list.append(value)
 
   def upload(self, file_descriptor, directory_key=None, **kw):
     ''' Upload the file to the server.
@@ -199,22 +208,44 @@ class NetworkcacheClient(object):
 
   def _verifySignatureInCertificateList(self, signature_string):
     """
-      Returns true if it can find any valid certificate.
-    """
-    if self.signature_certificate_file_list in _MARKER:
-      return 0
+      Returns true if it can find any valid certificate or false if it does not
+      find any.
 
+      It must check the local certificate files first before checking the files
+      which are available under HTTP.
+    """
     for certificate_path in self.signature_certificate_file_list:
-      PubKey = M2Crypto.X509.load_cert(certificate_path)
-      VerifyEVP = M2Crypto.EVP.PKey()
-      VerifyEVP.assign_rsa(PubKey.get_pubkey().get_rsa())
-      VerifyEVP.verify_init()
-      VerifyEVP.verify_update('')
-      if VerifyEVP.verify_final(signature_string.decode('base64')):
+      if self._verifySignatureCertificate(signature_string, certificate_path):
         return True
 
+    for certificate_url in self.signature_certificate_url_list:
+      file_descriptor = self._fetchCertificateFileFromUrl(certificate_url)
+      try:
+        file_name = file_descriptor.name
+        if self._verifySignatureCertificate(signature_string, file_name):
+          return True
+      finally:
+        file_descriptor.close()
+
     return False
 
+  def _verifySignatureCertificate(self, signature_string, certificate_path):
+    """ verify if the signature is valid for a given certificate. """
+    PubKey = M2Crypto.X509.load_cert(certificate_path)
+    VerifyEVP = M2Crypto.EVP.PKey()
+    VerifyEVP.assign_rsa(PubKey.get_pubkey().get_rsa())
+    VerifyEVP.verify_init()
+    VerifyEVP.verify_update('')
+    return VerifyEVP.verify_final(signature_string.decode('base64'))
+
+  def _fetchCertificateFileFromUrl(self, certification_file_url):
+    """ Download the certification files from the url. """
+    file_descriptor = tempfile.NamedTemporaryFile()
+    path, headers = urllib.urlretrieve(certification_file_url, file_descriptor.name)
+    file_descriptor.seek(0)
+    return file_descriptor
+
+
 
 class DirectoryNotFound(Exception):
   pass