Provide useful messages during cert validation

When the certificate validation was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-05-12 10:41:08 +02:00 · 2017-05-12 10:41:08 +02:00 · 3d969d7bad
commit 3d969d7bad
parent c26038d24c
2 changed files with 34 additions and 24 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -52,6 +52,8 @@ CA_NICKNAME_FMT = "%s IPA CA"

 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")

+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+

 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
    return format % realm
@ -547,9 +549,15 @@ class NSSDatabase(object):
        cert = x509.load_certificate(cert, x509.DER)

        try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
-        except ipautil.CalledProcessError:
-            raise ValueError('invalid for a SSL server')
+            self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
+                              capture_output=True)
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a SSL server.'
+            raise ValueError(msg)

        try:
            x509.match_hostname(cert, hostname)
@ -573,6 +581,12 @@ class NSSDatabase(object):
            raise ValueError("not a CA certificate")

        try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
-        except ipautil.CalledProcessError:
-            raise ValueError('invalid for a CA')
+            self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
+                              capture_output=True)
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a CA.'
+            raise ValueError(msg)
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@ -38,6 +38,8 @@ _DEFAULT = object()

 assert_error = tasks.assert_error

+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+

 def get_install_stdin(cert_passwords=()):
    lines = [
@ -495,9 +497,8 @@ class TestServerInstall(CALessBase):
        result = self.install_server(http_pkcs12='http.p12',
                                     dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    @server_install_teardown
    def test_expired_ds(self):
@ -511,9 +512,8 @@ class TestServerInstall(CALessBase):
        result = self.install_server(http_pkcs12='http.p12',
                                     dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    @server_install_teardown
    def test_http_bad_usage(self):
@ -884,9 +884,8 @@ class TestReplicaInstall(CALessBase):
        result = self.prepare_replica(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    @replica_install_teardown
    def test_expired_ds(self):
@ -898,9 +897,8 @@ class TestReplicaInstall(CALessBase):
        result = self.prepare_replica(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    @replica_install_teardown
    def test_http_bad_usage(self):
@ -1311,18 +1309,16 @@ class TestCertinstall(CALessBase):

        result = self.certinstall('w', 'ca1/server-expired')
        assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    def test_expired_ds(self):
        "Install new expired DS certificate"

        result = self.certinstall('d', 'ca1/server-expired')
        assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
-                     'expired.')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=CERT_EXPIRED_MSG))

    def test_http_bad_usage(self):
        "Install new HTTP certificate with invalid key usage"