URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783
From a811c5fb7d1ee68c8f987e1ca228af58326f9a3a Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert verification When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 26 ++++++++++++++++++++------ ipatests/test_integration/test_caless.py | 32 ++++++++++++++------------------ 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: - self.run_certutil(['-V', '-n', nickname, '-u', 'V']) - except ipautil.CalledProcessError: - raise ValueError('invalid for a SSL server') + self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) + except ipautil.CalledProcessError as e: + # certutil output in case of error is + # 'certutil: certificate is invalid: <ERROR_STRING>\n' + msg = e.output.split(': ')[2].strip() + if msg == BAD_USAGE_ERR: + msg = 'invalid for a SSL server.' + raise ValueError(msg) try: x509.match_hostname(cert, hostname) @@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: - self.run_certutil(['-V', '-n', nickname, '-u', 'L']) - except ipautil.CalledProcessError: - raise ValueError('invalid for a CA') + self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) + except ipautil.CalledProcessError as e: + # certutil output in case of error is + # 'certutil: certificate is invalid: <ERROR_STRING>\n' + msg = e.output.split(': ')[2].strip() + if msg == BAD_USAGE_ERR: + msg = 'invalid for a CA.' + raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): @@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @replica_install_teardown def test_expired_ds(self): @@ -898,9 +897,8 @@ def test_expired_ds(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @replica_install_teardown def test_http_bad_usage(self): @@ -1311,18 +1309,16 @@ def test_expired_http(self): result = self.certinstall('w', 'ca1/server-expired') assert_error(result, - 'The server certificate in server.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in server.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) def test_expired_ds(self): "Install new expired DS certificate" result = self.certinstall('d', 'ca1/server-expired') assert_error(result, - 'The server certificate in server.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in server.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) def test_http_bad_usage(self): "Install new HTTP certificate with invalid key usage"
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
