unable to load certificate should abort request

If openssl returns with a command line error (3), we assume
the PKI certificate is not properly installed.  Added
'try ... except' blocks to cms_sign_text and cms_sign_token
calls.

Fixes: bug #1103569
Change-Id: Iad98738e990d3ab1ec0d0015840d76cf948ae560

1 files changed, 10 insertions, 5 deletions

diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index ade2af4f..4474deaa 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -1,4 +1,5 @@
 import json
+import subprocess
 import uuid
 
 from keystone.common import cms
@@ -114,13 +115,17 @@ class Auth(controller.V2Controller):
         if CONF.signing.token_format == 'UUID':
             token_id = uuid.uuid4().hex
         elif CONF.signing.token_format == 'PKI':
-            token_id = cms.cms_sign_token(json.dumps(token_data),
-                                          CONF.signing.certfile,
-                                          CONF.signing.keyfile)
+            try:
+                token_id = cms.cms_sign_token(json.dumps(token_data),
+                                              CONF.signing.certfile,
+                                              CONF.signing.keyfile)
+            except subprocess.CalledProcessError:
+                raise exception.UnexpectedError(_(
+                    'Unable to sign token.'))
         else:
-            raise exception.UnexpectedError(
+            raise exception.UnexpectedError(_(
                 'Invalid value for token_format: %s.'
-                '  Allowed values are PKI or UUID.' %
+                '  Allowed values are PKI or UUID.') %
                 CONF.signing.token_format)
         try:
             self.token_api.create_token(