| author | Dan Prince <dprince@redhat.com> | 2012-07-31 07:49:49 -0400 |
|---|---|---|
| committer | Dan Prince <dprince@redhat.com> | 2012-07-31 07:53:59 -0400 |
| commit | 2b2d0a15311fb1e9b6369374dfd5e0b49e4bf7a8 (patch) | |
| tree | 342755bbee3f3e3926ce70f247f8dc2de315d03f | |
| parent | 0f77f751447ab2a1e2f4dc715aef07233e1669ef (diff) | |
Log errors when signing/verifying.
The patch updates the PKI cms_verify and cms_sign_text methods so
that they log full error messages to the log file when errors occur.
These error messages will now include useful output from the openssl
commands that failed (which should help end users better diagnose
configuration issues with PKI). For example:
2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing
key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission
denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load signing key file
Previously you'd just get an error that looked like this:
CalledProcessError: Command 'openssl' returned non-zero exit status 3
Fixes LP Bug #1031317.
Change-Id: I8990ef057488fe71d077a02b443da464f99fcd94
| -rw-r--r-- | keystone/common/cms.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/keystone/common/cms.py b/keystone/common/cms.py index 1f0b8fc0..22dadfcc 100644 --- a/keystone/common/cms.py +++ b/keystone/common/cms.py @@ -2,13 +2,16 @@ import os import stat import subprocess +from keystone.common import logging + +LOG = logging.getLogger(__name__) UUID_TOKEN_LENGTH = 32 def cms_verify(formatted, signing_cert_file_name, ca_file_name): """ - verifies the signature of the contensts IAW CMS syntax + verifies the signature of the contents IAW CMS syntax """ process = subprocess.Popen(["openssl", "cms", "-verify", "-certfile", signing_cert_file_name, @@ -22,6 +25,7 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name): output, err = process.communicate(formatted) retcode = process.poll() if retcode: + LOG.error('Verify error: %s' % err) raise subprocess.CalledProcessError(retcode, "openssl", output=err) return output @@ -64,10 +68,12 @@ def cms_sign_text(text, signing_cert_file_name, signing_key_file_name): "-nosmimecap", "-nodetach", "-nocerts", "-noattr"], stdin=subprocess.PIPE, - stdout=subprocess.PIPE) - output, unused_err = process.communicate(text) + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + output, err = process.communicate(text) retcode = process.poll() if retcode: + LOG.error('Signing error: %s' % err) raise subprocess.CalledProcessError(retcode, "openssl", output=output) return cms_to_token(output) |
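Review bot: The new `LOG.error('Verify error: %s' % err)` in the second hunk (cms_verify) formats its message eagerly and writes openssl's raw stderr at ERROR level on every failed verification. If `formatted` can come from client-presented tokens (the callers are not visible here), anyone without a valid token can trigger this line repeatedly, so the log level and volume deserve a deliberate choice. At minimum pass the argument lazily, `LOG.error('Verify error: %s', err)`, and consider a lower level for plain signature failures than for configuration failures. The same eager formatting appears in `LOG.error('Signing error: %s' % err)` in the last hunk. cms_verify begins above this hunk, so its Popen arguments are only partly visible.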
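Review bot: In the last hunk (cms_sign_text) the raised exception still carries `output=output`, i.e. stdout, while the diagnostic now captured in `err` goes only to the log; cms_verify in the previous hunk passes `output=err`. A caller that catches CalledProcessError therefore gets no reason for a signing failure, and the two functions disagree. `raise subprocess.CalledProcessError(retcode, "openssl", output=err)` would align them, provided no caller relies on the stdout value (callers are not visible here). Because openssl's stderr names the signing key path, as the example in the commit message shows, whichever handler receives it should keep it out of API responses. cms_sign_text starts above this hunk.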
