URL: https://github.com/freeipa/freeipa/pull/802 Author: stlaz Title: #802: Improve cert messages some more + do that for KDC certs as well Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/802/head:pr802 git checkout pr802
From cc61afb71ec6e0110e9c519368bf6d4e6b168ca6 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 22 May 2017 14:36:43 +0200 Subject: [PATCH 1/2] cert-validate: keep all messages in cert validation Previous attempt to improve error messages during certificate validation would only work in English locale so we're keeping the NSS messages for all cases. TODO: fix CA-less tests https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 6 ------ ipatests/test_integration/test_caless.py | 25 +++++++++++++------------ 2 files changed, 13 insertions(+), 18 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index fa6995d3d7..ee0e837469 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -55,8 +55,6 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") -BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' - TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages') EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None) @@ -691,8 +689,6 @@ def verify_server_cert_validity(self, nickname, hostname): # certutil output in case of error is # 'certutil: certificate is invalid: <ERROR_STRING>\n' msg = e.output.split(': ')[2].strip() - if msg == BAD_USAGE_ERR: - msg = 'invalid for a SSL server.' raise ValueError(msg) try: @@ -723,8 +719,6 @@ def verify_ca_cert_validity(self, nickname): # certutil output in case of error is # 'certutil: certificate is invalid: <ERROR_STRING>\n' msg = e.output.split(': ')[2].strip() - if msg == BAD_USAGE_ERR: - msg = 'invalid for a CA.' raise ValueError(msg) def verify_kdc_cert_validity(self, nickname, realm): diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 539ce123ef..a1723be198 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -39,6 +39,7 @@ assert_error = tasks.assert_error CERT_EXPIRED_MSG = "Peer's Certificate has expired." +BAD_USAGE_MSG = "Certificate key usage inadequate for attempted operation." def get_install_stdin(cert_passwords=()): @@ -557,8 +558,8 @@ def test_http_bad_usage(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) @server_install_teardown def test_ds_bad_usage(self): @@ -572,8 +573,8 @@ def test_ds_bad_usage(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) @server_install_teardown def test_revoked_http(self): @@ -940,8 +941,8 @@ def test_http_bad_usage(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) @replica_install_teardown def test_ds_bad_usage(self): @@ -953,8 +954,8 @@ def test_ds_bad_usage(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) @replica_install_teardown def test_revoked_http(self): @@ -1355,16 +1356,16 @@ def test_http_bad_usage(self): result = self.certinstall('w', 'ca1/server-badusage') assert_error(result, - 'The server certificate in server.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in server.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) def test_ds_bad_usage(self): "Install new DS certificate with invalid key usage" result = self.certinstall('d', 'ca1/server-badusage') assert_error(result, - 'The server certificate in server.p12 is not valid: ' - 'invalid for a SSL server') + 'The server certificate in server.p12 is not valid: {err}' + .format(err=BAD_USAGE_MSG)) def test_revoked_http(self): "Install new revoked HTTP certificate" From 5bb64f7da0a49af9ea1425abc3be967adebeb08d Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 22 May 2017 17:08:00 +0200 Subject: [PATCH 2/2] More verbose error message on kdc cert validation KDC cert validation was added but provides rather non-descriptive error should there be something wrong with a certificate. Pass the error message from the `openssl` tool in such cases. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ee0e837469..caecfca0a0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -192,7 +192,12 @@ def verify_kdc_cert_validity(kdc_cert, ca_certs, realm): try: ipautil.run( - [OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name]) + [OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name], + capture_output=True) + except ipautil.CalledProcessError as e: + raise ValueError(e.output) + + try: eku = kdc_cert.extensions.get_extension_for_class( cryptography.x509.ExtendedKeyUsage) list(eku.value).index(
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org