Show detailed OpenSSL error messages

When OpenSSL encounters an error, M2Crypto prints only the "reason string"
(given by ERR_reason_error_string()). This string often contains only very
generic message. For example, for all certificate verification errors, the
string is the same "certificate verify error".

OpenSSL applications (e.g. the command-line utilities from OpenSSL
distribution) additionally show "optional text message" as given by
ERR_get_error_line_data(). This message contains more detailed error
reason, such as for example "certificate revoked".

Added this message (if given by OpenSSL) to the Python error text.

3 files changed, 147 insertions, 0 deletions

diff --git a/tests/sample-p7.pem b/tests/sample-p7.pem
new file mode 100644
index 0000000..46034f0
--- /dev/null
+++ b/tests/sample-p7.pem
@@ -0,0 +1,102 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----38FBD2321B4A76C8BE88AFD029CDED23"
+
+This is an S/MIME signed message
+
+------38FBD2321B4A76C8BE88AFD029CDED23
+This directory contains unit tests for M2Crypto.

+

+To run all tests, make sure you have installed setuptools and then issue the

+following command from the M2Crypto root directory:

+

+python setup.py test

+

+To run tests in a single file, for example test_ssl.py, do this:

+

+python setup.py test --test-suite=tests.test_ssl

+

+

+Look also in the demo directory for other samples.

+

+

+To create new test certificates:

+

+mkdir certs

+cd certs

+

+Making the CA. You may want to use a locally edited openssl.cnf to

+make sure that X509v3 Basic Constraints CA:TRUE gets set (by default

+it may be false). By default duration may only be just one year; should

+set this for at least 3 years.

+

+CA.sh -newca

+cp demoCA/cacert.pem ../ca.pem

+

+Making the server certificate and private key. make sure commonName

+field is localhost.

+

+CA.sh -newreq

+CA.sh -signreq

+cp newcert.pem ../server.pem

+openssl rsa <newkey.pem >>../server.pem

+

+Making the x509 certificate and key.

+

+CA.sh -newreq

+CA.sh -signreq

+cp newcert.pem ../x509.pem

+openssl rsa <newkey.pem >>../x509.pem

+openssl x509 -in ../x509.pem -out ../x509.der -outform DER

+

+Making the signer certificate. Make sure the email address is 

+signer@example.com.

+

+CA.sh -newreq

+CA.sh -signreq

+cp newcert.pem ../signer.pem

+openssl rsa <newkey.pem >../signer_key.pem

+

+Making the recipient certificate. Make sure the email address is 

+recipient@example.com.

+

+CA.sh -newreq

+CA.sh -signreq

+cp newcert.pem ../recipient.pem

+openssl rsa <newkey.pem >../recipient_key.pem

+

+

+Finally run the tests and edit for new values.

+
+------38FBD2321B4A76C8BE88AFD029CDED23
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIEhQYJKoZIhvcNAQcCoIIEdjCCBHICAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggJkMIICYDCCAcmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBPMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEChMITTJDcnlw
+dG8xGDAWBgNVBAMTD0hlaWtraSBUb2l2b25lbjAeFw0xNTExMjYyMTMzMTJaFw0y
+NTExMjMyMTMzMTJaMG8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MREwDwYDVQQKEwhNMkNyeXB0bzESMBAGA1UEAxMJUmVjaXBpZW50MSQwIgYJKoZI
+hvcNAQkBFhVyZWNpcGllbnRAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAJaMhIx8GBrTwmJdDwilmD2LkUw0b80Vr1Ycffk2pgE8nGPPIGT6
+dySl4cv+j1rAqJAbmaMCakPv+TGseQH5zEYRfKrRh9+V1PGkesv8TC6LMyL1M/hT
+augiSBiW8kk5/zOZA+U9wiJS8TOWILzRyCG7S3U9Kz1RTqoP1XNdZkS/AgMBAAGj
+LDAqMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFON3U+KXkkZq9wvnavqx8PK9vXUMA0G
+CSqGSIb3DQEBBQUAA4GBABCx3TS7lz4+2ODeapnJvoy3gMcdMNs6aNWk2QJ2K3Zi
+AIYwWgYDZZK5AKRClF90xpRELowHVfPBbnoKF2ZW71Cvo1/x95dmKdO0FBM0eZaY
+rVjbIOb8+nCsHCKQv3vD6uOKCr26SP/lyVCDGNkeYTDAx2zqM/7Q/Kga8Zuj3JEQ
+MYIB5TCCAeECAQEwVDBPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTERMA8GA1UEChMITTJDcnlwdG8xGDAWBgNVBAMTD0hlaWtraSBUb2l2b25lbgIB
+BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
+CSqGSIb3DQEJBTEPFw0xODA3MjMxODExNTNaMC8GCSqGSIb3DQEJBDEiBCAFNpRM
+82d8yvtEyK+nEYuCf5KuyfnooeJYkzIbqUb2yDB5BgkqhkiG9w0BCQ8xbDBqMAsG
+CWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMH
+MA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG
+9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgEEVB6XZeD44cN+6qmj1LR5Jh6JLGnIQ
+eQPGrI8Ygymc1dVDWC72872Xp3UTidhMnCyN36QNBZ7GL63tc2mCZ9rgWE24mvqx
+cj5hCyXF240ty20igJe5BDaXHgzO0JGJPUtoOxNWrM40IhGxh9MSGlfioMOsuRD4
+gDf9hUfjCkvG
+
+------38FBD2321B4A76C8BE88AFD029CDED23--
+
diff --git a/tests/test_obj.py b/tests/test_obj.py
index 737511a..7748492 100644
--- a/tests/test_obj.py
+++ b/tests/test_obj.py
@@ -105,6 +105,28 @@ class ObjectsTestCase(unittest.TestCase):
 
         self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
 
+    # Detailed OpenSSL error message is visible in Python error message:
+    def test_detailed_error_message(self):
+        from M2Crypto import SMIME, X509
+        s = SMIME.SMIME()
+        x509 = X509.load_cert('tests/recipient.pem')
+        sk = X509.X509_Stack()
+        sk.push(x509)
+        s.set_x509_stack(sk)
+
+        st = X509.X509_Store()
+        st.load_info('tests/recipient.pem')
+        s.set_x509_store(st)
+
+        p7, data = SMIME.smime_load_pkcs7('tests/sample-p7.pem')
+        self.assertIsInstance(p7, SMIME.PKCS7, p7)
+
+        try:
+            s.verify(p7, data)
+        except SMIME.PKCS7_Error as e:
+            self.assertRegexpMatches(str(e),
+                                     "unable to get local issuer certificate",
+                                     "Not received expected error message")
 
 def suite():
     t_suite = unittest.TestSuite()
diff --git a/tests/test_smime.py b/tests/test_smime.py
index a0edca8..2d9b105 100644
--- a/tests/test_smime.py
+++ b/tests/test_smime.py
@@ -209,6 +209,29 @@ class SMIMETestCase(unittest.TestCase):
         with self.assertRaises(SMIME.PKCS7_Error):
             s.verify(p7)  # Bad signer
 
+    # This test is not SMIME-specific - it tests that the additional OpenSSL
+    # error message is visible in Python error messages.
+    def test_detailed_error_message(self):
+        s = SMIME.SMIME()
+        x509 = X509.load_cert('tests/recipient.pem')
+        sk = X509.X509_Stack()
+        sk.push(x509)
+        s.set_x509_stack(sk)
+
+        st = X509.X509_Store()
+        st.load_info('tests/recipient.pem')
+        s.set_x509_store(st)
+
+        p7, data = SMIME.smime_load_pkcs7_bio(self.signed)
+        self.assertIsInstance(p7, SMIME.PKCS7, p7)
+
+        try:
+            s.verify(p7, data)
+        except SMIME.PKCS7_Error as e:
+            self.assertRegexpMatches(str(e),
+                                     "unable to get local issuer certificate",
+                                     "Not received expected error message")
+
     def test_encrypt(self):
         buf = BIO.MemoryBuffer(self.cleartext)
         s = SMIME.SMIME()