[Freeipa-devel] [freeipa PR#783][opened] Provide useful messages during cert verification

Fri, 12 May 2017 01:50:26 -0700 

   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert verification
Action: opened

PR body:
"""
When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/783/head:pr783
git checkout pr783

From 159ed99baebf29fcd928e5fdbc27036564243414 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 12 May 2017 10:41:08 +0200
Subject: [PATCH] Provide useful messages during cert verification

When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
---
 ipapython/certdb.py                      | 26 ++++++++++++++++++++------
 ipatests/test_integration/test_caless.py | 32 ++++++++++++++------------------
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..b86a705 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,8 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
@@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname):
         cert = x509.load_certificate(cert, x509.DER)
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
-        except ipautil.CalledProcessError:
-            raise ValueError('invalid for a SSL server')
+            self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
+                              capture_output=True)
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a SSL server.'
+            raise ValueError(msg)
 
         try:
             x509.match_hostname(cert, hostname)
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname):
             raise ValueError("not a CA certificate")
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
-        except ipautil.CalledProcessError:
-            raise ValueError('invalid for a CA')
+            self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
+                              capture_output=True)
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a CA.'
+            raise ValueError(msg)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d7692ec..62ebba3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -38,6 +38,8 @@
 
 assert_error = tasks.assert_error
 
+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+
 
 def get_install_stdin(cert_passwords=()):
     lines = [
@@ -495,9 +497,8 @@ def test_expired_http(self):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     @server_install_teardown
     def test_expired_ds(self):
@@ -511,9 +512,8 @@ def test_expired_ds(self):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     @server_install_teardown
     def test_http_bad_usage(self):
@@ -884,9 +884,8 @@ def test_expired_http(self):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     @replica_install_teardown
     def test_expired_ds(self):
@@ -898,9 +897,8 @@ def test_expired_ds(self):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     @replica_install_teardown
     def test_http_bad_usage(self):
@@ -1311,18 +1309,16 @@ def test_expired_http(self):
 
         result = self.certinstall('w', 'ca1/server-expired')
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     def test_expired_ds(self):
         "Install new expired DS certificate"
 
         result = self.certinstall('d', 'ca1/server-expired')
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))
 
     def test_http_bad_usage(self):
         "Install new HTTP certificate with invalid key usage"

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to