More verbose error message on kdc cert validation

KDC cert validation was added but provides rather non-descriptive error should there be something wrong with a certificate. Pass the error message from the `openssl` tool in such cases. https://pagure.io/freeipa/issue/6945 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-05-22 17:08:00 +02:00 · 2017-05-22 17:08:00 +02:00 · bee3c1eccd
commit bee3c1eccd
parent f827fe0f19
1 changed files with 7 additions and 3 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -192,13 +192,17 @@ def verify_kdc_cert_validity(kdc_cert, ca_certs, realm):

        try:
            ipautil.run(
-                [OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name])
+                [OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name],
+                capture_output=True)
+        except ipautil.CalledProcessError as e:
+            raise ValueError(e.output)
+
+        try:
            eku = kdc_cert.extensions.get_extension_for_class(
                cryptography.x509.ExtendedKeyUsage)
            list(eku.value).index(
                cryptography.x509.ObjectIdentifier(x509.EKU_PKINIT_KDC))
-        except (ipautil.CalledProcessError,
-                cryptography.x509.ExtensionNotFound,
+        except (cryptography.x509.ExtensionNotFound,
                ValueError):
            raise ValueError("invalid for a KDC")