IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

More verbose error message on kdc cert validation

Browse Source 
KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-05-22 17:08:00 +02:00 committed by Martin Babinsky
parent f827fe0f19
commit bee3c1eccd
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ipapython/certdb.py
View File

@ -192,13 +192,17 @@ def verify_kdc_cert_validity(kdc_cert, ca_certs, realm):
try: try:
ipautil.run( ipautil.run(
[OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name]) [OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name],
capture_output=True)
except ipautil.CalledProcessError as e:
raise ValueError(e.output)
try:
eku = kdc_cert.extensions.get_extension_for_class( eku = kdc_cert.extensions.get_extension_for_class(
cryptography.x509.ExtendedKeyUsage) cryptography.x509.ExtendedKeyUsage)
list(eku.value).index( list(eku.value).index(
cryptography.x509.ObjectIdentifier(x509.EKU_PKINIT_KDC)) cryptography.x509.ObjectIdentifier(x509.EKU_PKINIT_KDC))
except (ipautil.CalledProcessError, except (cryptography.x509.ExtensionNotFound,
cryptography.x509.ExtensionNotFound,
ValueError): ValueError):
raise ValueError("invalid for a KDC") raise ValueError("invalid for a KDC")