IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

cert-validate: keep all messages in cert validation

Browse Source 
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-05-22 14:36:43 +02:00 committed by Martin Babinsky
parent 36532031cf
commit f827fe0f19
2 changed files with 18 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ipapython/certdb.py
View File

@ -55,8 +55,6 @@ CA_NICKNAME_FMT = "%s IPA CA"
NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages') TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None) EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
@ -690,10 +688,7 @@ class NSSDatabase(object):
except ipautil.CalledProcessError as e: except ipautil.CalledProcessError as e:
# certutil output in case of error is # certutil output in case of error is
# 'certutil: certificate is invalid: <ERROR_STRING>\n' # 'certutil: certificate is invalid: <ERROR_STRING>\n'
msg = e.output.split(': ')[2].strip() raise ValueError(e.output)
if msg == BAD_USAGE_ERR:
msg = 'invalid for a SSL server.'
raise ValueError(msg)
try: try:
x509.match_hostname(cert, hostname) x509.match_hostname(cert, hostname)
@ -728,10 +723,7 @@ class NSSDatabase(object):
except ipautil.CalledProcessError as e: except ipautil.CalledProcessError as e:
# certutil output in case of error is # certutil output in case of error is
# 'certutil: certificate is invalid: <ERROR_STRING>\n' # 'certutil: certificate is invalid: <ERROR_STRING>\n'
msg = e.output.split(': ')[2].strip() raise ValueError(e.output)
if msg == BAD_USAGE_ERR:
msg = 'invalid for a CA.'
raise ValueError(msg)
def verify_kdc_cert_validity(self, nickname, realm): def verify_kdc_cert_validity(self, nickname, realm):
nicknames = self.get_trust_chain(nickname) nicknames = self.get_trust_chain(nickname)

29
ipatests/test_integration/test_caless.py
View File

@ -38,7 +38,10 @@ _DEFAULT = object()
assert_error = tasks.assert_error assert_error = tasks.assert_error
CERT_EXPIRED_MSG = "Peer's Certificate has expired." NSS_INVALID_FMT = "certutil: certificate is invalid: %s"
CERT_EXPIRED_MSG = NSS_INVALID_FMT % "Peer's Certificate has expired."
BAD_USAGE_MSG = NSS_INVALID_FMT % ("Certificate key usage inadequate for "
"attempted operation.")
def get_install_stdin(cert_passwords=()): def get_install_stdin(cert_passwords=()):
@ -557,8 +560,8 @@ class TestServerInstall(CALessBase):
result = self.install_server(http_pkcs12='http.p12', result = self.install_server(http_pkcs12='http.p12',
dirsrv_pkcs12='dirsrv.p12') dirsrv_pkcs12='dirsrv.p12')
assert_error(result, assert_error(result,
'The server certificate in http.p12 is not valid: ' 'The server certificate in http.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
@server_install_teardown @server_install_teardown
def test_ds_bad_usage(self): def test_ds_bad_usage(self):
@ -572,8 +575,8 @@ class TestServerInstall(CALessBase):
result = self.install_server(http_pkcs12='http.p12', result = self.install_server(http_pkcs12='http.p12',
dirsrv_pkcs12='dirsrv.p12') dirsrv_pkcs12='dirsrv.p12')
assert_error(result, assert_error(result,
'The server certificate in dirsrv.p12 is not valid: ' 'The server certificate in dirsrv.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
@server_install_teardown @server_install_teardown
def test_revoked_http(self): def test_revoked_http(self):
@ -940,8 +943,8 @@ class TestReplicaInstall(CALessBase):
result = self.prepare_replica(http_pkcs12='http.p12', result = self.prepare_replica(http_pkcs12='http.p12',
dirsrv_pkcs12='dirsrv.p12') dirsrv_pkcs12='dirsrv.p12')
assert_error(result, assert_error(result,
'The server certificate in http.p12 is not valid: ' 'The server certificate in http.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
@replica_install_teardown @replica_install_teardown
def test_ds_bad_usage(self): def test_ds_bad_usage(self):
@ -953,8 +956,8 @@ class TestReplicaInstall(CALessBase):
result = self.prepare_replica(http_pkcs12='http.p12', result = self.prepare_replica(http_pkcs12='http.p12',
dirsrv_pkcs12='dirsrv.p12') dirsrv_pkcs12='dirsrv.p12')
assert_error(result, assert_error(result,
'The server certificate in dirsrv.p12 is not valid: ' 'The server certificate in dirsrv.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
@replica_install_teardown @replica_install_teardown
def test_revoked_http(self): def test_revoked_http(self):
@ -1355,16 +1358,16 @@ class TestCertinstall(CALessBase):
result = self.certinstall('w', 'ca1/server-badusage') result = self.certinstall('w', 'ca1/server-badusage')
assert_error(result, assert_error(result,
'The server certificate in server.p12 is not valid: ' 'The server certificate in server.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
def test_ds_bad_usage(self): def test_ds_bad_usage(self):
"Install new DS certificate with invalid key usage" "Install new DS certificate with invalid key usage"
result = self.certinstall('d', 'ca1/server-badusage') result = self.certinstall('d', 'ca1/server-badusage')
assert_error(result, assert_error(result,
'The server certificate in server.p12 is not valid: ' 'The server certificate in server.p12 is not valid: {err}'
'invalid for a SSL server') .format(err=BAD_USAGE_MSG))
def test_revoked_http(self): def test_revoked_http(self):
"Install new revoked HTTP certificate" "Install new revoked HTTP certificate"