cert-validate: keep all messages in cert validation
The previous attempt to improve error messages during certificate validation would only work in an English locale, so we are keeping the whole NSS message in all cases. https://pagure.io/freeipa/issue/6945 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
parent
36532031cf
commit
f827fe0f19
@ -55,8 +55,6 @@ CA_NICKNAME_FMT = "%s IPA CA"
|
|||||||
|
|
||||||
NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
|
NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
|
||||||
|
|
||||||
BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
|
|
||||||
|
|
||||||
TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
|
TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
|
||||||
|
|
||||||
EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
|
EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
|
||||||
@ -690,10 +688,7 @@ class NSSDatabase(object):
|
|||||||
except ipautil.CalledProcessError as e:
|
except ipautil.CalledProcessError as e:
|
||||||
# certutil output in case of error is
|
# certutil output in case of error is
|
||||||
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
|
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
|
||||||
msg = e.output.split(': ')[2].strip()
|
raise ValueError(e.output)
|
||||||
if msg == BAD_USAGE_ERR:
|
|
||||||
msg = 'invalid for a SSL server.'
|
|
||||||
raise ValueError(msg)
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
x509.match_hostname(cert, hostname)
|
x509.match_hostname(cert, hostname)
|
||||||
@ -728,10 +723,7 @@ class NSSDatabase(object):
|
|||||||
except ipautil.CalledProcessError as e:
|
except ipautil.CalledProcessError as e:
|
||||||
# certutil output in case of error is
|
# certutil output in case of error is
|
||||||
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
|
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
|
||||||
msg = e.output.split(': ')[2].strip()
|
raise ValueError(e.output)
|
||||||
if msg == BAD_USAGE_ERR:
|
|
||||||
msg = 'invalid for a CA.'
|
|
||||||
raise ValueError(msg)
|
|
||||||
|
|
||||||
def verify_kdc_cert_validity(self, nickname, realm):
|
def verify_kdc_cert_validity(self, nickname, realm):
|
||||||
nicknames = self.get_trust_chain(nickname)
|
nicknames = self.get_trust_chain(nickname)
|
||||||
|
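Review bot: `raise ValueError(e.output)` in the `@ -690` hunk, and identically in the `@ -728` hunk, forwards certutil's output unstripped, so per the comment directly above it the message now ends with a trailing newline and carries whatever else certutil printed; `raise ValueError(e.output.strip())` would keep the whole NSS text while dropping the newline. The two-line comment above each raise used to justify the `split(': ')[2]` index and now only restates the output format; it would be more useful as a why-comment such as `# keep the whole certutil message: NSS error strings are locale-dependent, so do not parse them`. The enclosing methods start and end outside both hunks.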
@ -38,7 +38,10 @@ _DEFAULT = object()
|
|||||||
|
|
||||||
assert_error = tasks.assert_error
|
assert_error = tasks.assert_error
|
||||||
|
|
||||||
CERT_EXPIRED_MSG = "Peer's Certificate has expired."
|
NSS_INVALID_FMT = "certutil: certificate is invalid: %s"
|
||||||
|
CERT_EXPIRED_MSG = NSS_INVALID_FMT % "Peer's Certificate has expired."
|
||||||
|
BAD_USAGE_MSG = NSS_INVALID_FMT % ("Certificate key usage inadequate for "
|
||||||
|
"attempted operation.")
|
||||||
|
|
||||||
|
|
||||||
def get_install_stdin(cert_passwords=()):
|
def get_install_stdin(cert_passwords=()):
|
||||||
@ -557,8 +560,8 @@ class TestServerInstall(CALessBase):
|
|||||||
result = self.install_server(http_pkcs12='http.p12',
|
result = self.install_server(http_pkcs12='http.p12',
|
||||||
dirsrv_pkcs12='dirsrv.p12')
|
dirsrv_pkcs12='dirsrv.p12')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in http.p12 is not valid: '
|
'The server certificate in http.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
@server_install_teardown
|
@server_install_teardown
|
||||||
def test_ds_bad_usage(self):
|
def test_ds_bad_usage(self):
|
||||||
@ -572,8 +575,8 @@ class TestServerInstall(CALessBase):
|
|||||||
result = self.install_server(http_pkcs12='http.p12',
|
result = self.install_server(http_pkcs12='http.p12',
|
||||||
dirsrv_pkcs12='dirsrv.p12')
|
dirsrv_pkcs12='dirsrv.p12')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in dirsrv.p12 is not valid: '
|
'The server certificate in dirsrv.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
@server_install_teardown
|
@server_install_teardown
|
||||||
def test_revoked_http(self):
|
def test_revoked_http(self):
|
||||||
@ -940,8 +943,8 @@ class TestReplicaInstall(CALessBase):
|
|||||||
result = self.prepare_replica(http_pkcs12='http.p12',
|
result = self.prepare_replica(http_pkcs12='http.p12',
|
||||||
dirsrv_pkcs12='dirsrv.p12')
|
dirsrv_pkcs12='dirsrv.p12')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in http.p12 is not valid: '
|
'The server certificate in http.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
@replica_install_teardown
|
@replica_install_teardown
|
||||||
def test_ds_bad_usage(self):
|
def test_ds_bad_usage(self):
|
||||||
@ -953,8 +956,8 @@ class TestReplicaInstall(CALessBase):
|
|||||||
result = self.prepare_replica(http_pkcs12='http.p12',
|
result = self.prepare_replica(http_pkcs12='http.p12',
|
||||||
dirsrv_pkcs12='dirsrv.p12')
|
dirsrv_pkcs12='dirsrv.p12')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in dirsrv.p12 is not valid: '
|
'The server certificate in dirsrv.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
@replica_install_teardown
|
@replica_install_teardown
|
||||||
def test_revoked_http(self):
|
def test_revoked_http(self):
|
||||||
@ -1355,16 +1358,16 @@ class TestCertinstall(CALessBase):
|
|||||||
|
|
||||||
result = self.certinstall('w', 'ca1/server-badusage')
|
result = self.certinstall('w', 'ca1/server-badusage')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in server.p12 is not valid: '
|
'The server certificate in server.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
def test_ds_bad_usage(self):
|
def test_ds_bad_usage(self):
|
||||||
"Install new DS certificate with invalid key usage"
|
"Install new DS certificate with invalid key usage"
|
||||||
|
|
||||||
result = self.certinstall('d', 'ca1/server-badusage')
|
result = self.certinstall('d', 'ca1/server-badusage')
|
||||||
assert_error(result,
|
assert_error(result,
|
||||||
'The server certificate in server.p12 is not valid: '
|
'The server certificate in server.p12 is not valid: {err}'
|
||||||
'invalid for a SSL server')
|
.format(err=BAD_USAGE_MSG))
|
||||||
|
|
||||||
def test_revoked_http(self):
|
def test_revoked_http(self):
|
||||||
"Install new revoked HTTP certificate"
|
"Install new revoked HTTP certificate"
|
||||||
|
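Review bot: `BAD_USAGE_MSG` and `CERT_EXPIRED_MSG` in the `@ -38` hunk hard-code the English NSS phrases, so even though the production code no longer parses them, these integration assertions will only hold where certutil on the test host emits English messages; a comment on `NSS_INVALID_FMT` such as `# English certutil/NSS text: assertions below assume the test host runs certutil in an English locale` would make that precondition visible. The `certutil: certificate is invalid: %s` prefix also mirrors the format documented in the certdb except block, so a second comment noting that the two must stay in sync would help whoever next touches either side. The `.format(err=BAD_USAGE_MSG)` call sites in the later hunks are consistent and need no change.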