cert-validate: keep all messages in cert validation

Previous attempt to improve error messages during certificate validation would only work in English locale so we're keeping the whole NSS messages for all cases. https://pagure.io/freeipa/issue/6945 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2024-12-23 07:33:27 -06:00 · 2017-05-22 14:36:43 +02:00 · 2017-05-22 14:36:43 +02:00 · f827fe0f19
commit f827fe0f19
parent 36532031cf
2 changed files with 18 additions and 23 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -55,8 +55,6 @@ CA_NICKNAME_FMT = "%s IPA CA"

 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")

-BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
-
 TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')

 EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
@ -690,10 +688,7 @@ class NSSDatabase(object):
        except ipautil.CalledProcessError as e:
            # certutil output in case of error is
            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
-            msg = e.output.split(': ')[2].strip()
-            if msg == BAD_USAGE_ERR:
-                msg = 'invalid for a SSL server.'
-            raise ValueError(msg)
+            raise ValueError(e.output)

        try:
            x509.match_hostname(cert, hostname)
@ -728,10 +723,7 @@ class NSSDatabase(object):
        except ipautil.CalledProcessError as e:
            # certutil output in case of error is
            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
-            msg = e.output.split(': ')[2].strip()
-            if msg == BAD_USAGE_ERR:
-                msg = 'invalid for a CA.'
-            raise ValueError(msg)
+            raise ValueError(e.output)

    def verify_kdc_cert_validity(self, nickname, realm):
        nicknames = self.get_trust_chain(nickname)
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@ -38,7 +38,10 @@ _DEFAULT = object()

 assert_error = tasks.assert_error

-CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+NSS_INVALID_FMT = "certutil: certificate is invalid: %s"
+CERT_EXPIRED_MSG = NSS_INVALID_FMT % "Peer's Certificate has expired."
+BAD_USAGE_MSG = NSS_INVALID_FMT % ("Certificate key usage inadequate for "
+                                   "attempted operation.")


 def get_install_stdin(cert_passwords=()):
@ -557,8 +560,8 @@ class TestServerInstall(CALessBase):
        result = self.install_server(http_pkcs12='http.p12',
                                     dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    @server_install_teardown
    def test_ds_bad_usage(self):
@ -572,8 +575,8 @@ class TestServerInstall(CALessBase):
        result = self.install_server(http_pkcs12='http.p12',
                                     dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    @server_install_teardown
    def test_revoked_http(self):
@ -940,8 +943,8 @@ class TestReplicaInstall(CALessBase):
        result = self.prepare_replica(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    @replica_install_teardown
    def test_ds_bad_usage(self):
@ -953,8 +956,8 @@ class TestReplicaInstall(CALessBase):
        result = self.prepare_replica(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
        assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    @replica_install_teardown
    def test_revoked_http(self):
@ -1355,16 +1358,16 @@ class TestCertinstall(CALessBase):

        result = self.certinstall('w', 'ca1/server-badusage')
        assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    def test_ds_bad_usage(self):
        "Install new DS certificate with invalid key usage"

        result = self.certinstall('d', 'ca1/server-badusage')
        assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))

    def test_revoked_http(self):
        "Install new revoked HTTP certificate"