From f827fe0f19596d29f9354368077fb43be2e16e8e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Jun 16 2017 14:04:00 +0000
Subject: cert-validate: keep all messages in cert validation

Previous attempt to improve error messages during certificate validation would only work in English locale so we're keeping the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky
---

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 8c53821..be2af60 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -55,8 +55,6 @@ CA_NICKNAME_FMT = "%s IPA CA"
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
-BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
-
 TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
 
 EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
@@ -690,10 +688,7 @@ class NSSDatabase(object):
         except ipautil.CalledProcessError as e:
             # certutil output in case of error is
             # 'certutil: certificate is invalid: \n'
-            msg = e.output.split(': ')[2].strip()
-            if msg == BAD_USAGE_ERR:
-                msg = 'invalid for a SSL server.'
-            raise ValueError(msg)
+            raise ValueError(e.output)
 
         try:
             x509.match_hostname(cert, hostname)
@@ -728,10 +723,7 @@ class NSSDatabase(object):
         except ipautil.CalledProcessError as e:
             # certutil output in case of error is
             # 'certutil: certificate is invalid: \n'
-            msg = e.output.split(': ')[2].strip()
-            if msg == BAD_USAGE_ERR:
-                msg = 'invalid for a CA.'
-            raise ValueError(msg)
+            raise ValueError(e.output)
 
     def verify_kdc_cert_validity(self, nickname, realm):
         nicknames = self.get_trust_chain(nickname)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 539ce12..4b412f6 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
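Review bot: `raise ValueError(e.output)` in the server-certificate handler passes certutil's output through untouched, including the trailing newline the comment just above documents (`'certutil: certificate is invalid: \n'`), whereas the removed code stripped it; the installer embeds this text inside its own "is not valid: ..." sentence, so `raise ValueError(e.output.strip())` keeps the user-facing message on one line without reintroducing any locale-dependent matching. The cause is also dropped — if this module is Python 3 only, `raise ValueError(e.output.strip()) from e` keeps certutil's exit status available for debugging; if py2 is still supported this would need the six equivalent. The enclosing method begins before this hunk.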
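Review bot: The same pattern in the CA-certificate handler now makes whatever certutil printed the entire ValueError text, so a CalledProcessError raised with empty output (certutil failing before it emits a validation message, e.g. a missing nickname or database) would surface as a blank error. `raise ValueError(e.output.strip() or str(e))` keeps the NSS message when there is one and otherwise reports the command failure; whether `str(e)` carries the command and exit code depends on ipautil's exception, which is not visible here. The enclosing method starts above the hunk.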
@@ -38,7 +38,10 @@ _DEFAULT = object()
 
 assert_error = tasks.assert_error
 
-CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+NSS_INVALID_FMT = "certutil: certificate is invalid: %s"
+CERT_EXPIRED_MSG = NSS_INVALID_FMT % "Peer's Certificate has expired."
+BAD_USAGE_MSG = NSS_INVALID_FMT % ("Certificate key usage inadequate for "
+                                   "attempted operation.")
 
 
 def get_install_stdin(cert_passwords=()):
@@ -557,8 +560,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     @server_install_teardown
     def test_ds_bad_usage(self):
@@ -572,8 +575,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     @server_install_teardown
     def test_revoked_http(self):
@@ -940,8 +943,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in http.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     @replica_install_teardown
     def test_ds_bad_usage(self):
@@ -953,8 +956,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     @replica_install_teardown
     def test_revoked_http(self):
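Review bot: `CERT_EXPIRED_MSG` and `BAD_USAGE_MSG` still pin the English NSS wording, so these integration tests stay locale-dependent even though the production code in certdb.py no longer is — exactly the problem the commit message describes. That is acceptable only if the test hosts are known to run certutil under a C/English locale, which nothing in this hunk guarantees; I would state it at the definitions, e.g. `# Exact NSS text as emitted under the C/English locale; the install hosts must run certutil with that locale or these asserts will fail.`, or have the harness export `LC_ALL=C` for the install commands if it does not already (not visible here). The installer message is matched as a whole, so any future NSS wording change will also need updating in one place, which this module-level constant now makes easy.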
@@ -1355,16 +1358,16 @@ class TestCertinstall(CALessBase):
         result = self.certinstall('w', 'ca1/server-badusage')
 
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     def test_ds_bad_usage(self):
         "Install new DS certificate with invalid key usage"
         result = self.certinstall('d', 'ca1/server-badusage')
 
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
-                     'invalid for a SSL server')
+                     'The server certificate in server.p12 is not valid: {err}'
+                     .format(err=BAD_USAGE_MSG))
 
     def test_revoked_http(self):
         "Install new revoked HTTP certificate"