From 2b2d0a15311fb1e9b6369374dfd5e0b49e4bf7a8 Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Tue, 31 Jul 2012 07:49:49 -0400 Subject: Log errors when signing/verifying. The patch updates the PKI cms_verify and cms_sign_text methods so that they log full error messages to the log file when errors occur. These error messages will now include useful output from the openssl commands that failed (which should help end users better diagnose configuration issues with PKI). For example: 2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem 140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r') 140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load signing key file Previously you'd just get an error that looked like this: CalledProcessError: Command 'openssl' returned non-zero exit status 3 Fixes LP Bug #1031317. Change-Id: I8990ef057488fe71d077a02b443da464f99fcd94 --- keystone/common/cms.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/keystone/common/cms.py b/keystone/common/cms.py index 1f0b8fc0..22dadfcc 100644 --- a/keystone/common/cms.py +++ b/keystone/common/cms.py @@ -2,13 +2,16 @@ import os import stat import subprocess +from keystone.common import logging + +LOG = logging.getLogger(__name__) UUID_TOKEN_LENGTH = 32 def cms_verify(formatted, signing_cert_file_name, ca_file_name): """ - verifies the signature of the contensts IAW CMS syntax + verifies the signature of the contents IAW CMS syntax """ process = subprocess.Popen(["openssl", "cms", "-verify", "-certfile", signing_cert_file_name, 
@@ -22,6 +25,7 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name): output, err = process.communicate(formatted) retcode = process.poll() if retcode: + LOG.error('Verify error: %s' % err) raise subprocess.CalledProcessError(retcode, "openssl", output=err) return output @@ -64,10 +68,12 @@ def cms_sign_text(text, signing_cert_file_name, signing_key_file_name): "-nosmimecap", "-nodetach", "-nocerts", "-noattr"], stdin=subprocess.PIPE, - stdout=subprocess.PIPE) - output, unused_err = process.communicate(text) + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + output, err = process.communicate(text) retcode = process.poll() if retcode: + LOG.error('Signing error: %s' % err) raise subprocess.CalledProcessError(retcode, "openssl", output=output) return cms_to_token(output) -- cgit
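Review bot: The added `LOG.error('Verify error: %s' % err)` in cms_verify records every non-zero openssl exit at ERROR, so a rejected signature cannot be told apart from a local misconfiguration such as an unreadable certificate file. If `formatted` is a client-supplied token (likely, but the caller is not visible in this hunk), any client sending malformed tokens can fill the log with ERROR entries. Consider including the exit status and using a lower level for plain verification failures, e.g. `LOG.warning('Verify failed (openssl exit %s): %s', retcode, err)`, keeping ERROR for the configuration cases. Passing `err` as a logger argument rather than pre-formatting with `%` also leaves the formatting to the logging layer. The body of cms_verify starts before this hunk, so the Popen arguments and stderr capture are assumed from the first hunk's context.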
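Review bot: In cms_sign_text the new code captures stderr and logs it, but the exception raised right after is still built with `output=output`. A caller that catches CalledProcessError therefore receives stdout, not the openssl diagnostic, whereas cms_verify passes `output=err`. For consistency the raise could become `raise subprocess.CalledProcessError(retcode, "openssl", output=err)`. The log call would also read better as `LOG.error('Signing error: %s', err)`, so the logger does the formatting. The start of cms_sign_text, including the key and certificate arguments, lies outside this hunk.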