From e1ce5c6bb99f0c47860e7ad7dc9028eeac0639e6 Mon Sep 17 00:00:00 2001
From: Konstantin Shemyak
Date: Sun, 22 Jul 2018 23:39:29 +0300
Subject: Show detailed OpenSSL error messages
When OpenSSL encounters an error, M2Crypto prints only the "reason string" (given by ERR_reason_error_string()). This string often contains only very generic message. For example, for all certificate verification errors, the string is the same "certificate verify error". OpenSSL applications (e.g. the command-line utilities from OpenSSL distribution) additionally show "optional text message" as given by ERR_get_error_line_data(). This message contains more detailed error reason, such as for example "certificate revoked". Added this message (if given by OpenSSL) to the Python error text.
---
 tests/sample-p7.pem | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/test_obj.py | 22 ++++++++++++
 tests/test_smime.py | 23 ++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 tests/sample-p7.pem
(limited to 'tests')
diff --git a/tests/sample-p7.pem b/tests/sample-p7.pem
new file mode 100644
index 0000000..46034f0
--- /dev/null
+++ b/tests/sample-p7.pem
@@ -0,0 +1,102 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----38FBD2321B4A76C8BE88AFD029CDED23" + +This is an S/MIME signed message + +------38FBD2321B4A76C8BE88AFD029CDED23 +This directory contains unit tests for M2Crypto. + +To run all tests, make sure you have installed setuptools and then issue the +following command from the M2Crypto root directory: + +python setup.py test + +To run tests in a single file, for example test_ssl.py, do this: + +python setup.py test --test-suite=tests.test_ssl + + +Look also in the demo directory for other samples. + + +To create new test certificates: + +mkdir certs +cd certs + +Making the CA. You may want to use a locally edited openssl.cnf to +make sure that X509v3 Basic Constraints CA:TRUE gets set (by default +it may be false). By default duration may only be just one year; should +set this for at least 3 years. + +CA.sh -newca +cp demoCA/cacert.pem ../ca.pem + +Making the server certificate and private key. make sure commonName +field is localhost. + +CA.sh -newreq +CA.sh -signreq +cp newcert.pem ../server.pem +openssl rsa >../server.pem + +Making the x509 certificate and key. + +CA.sh -newreq +CA.sh -signreq +cp newcert.pem ../x509.pem +openssl rsa >../x509.pem +openssl x509 -in ../x509.pem -out ../x509.der -outform DER + +Making the signer certificate. Make sure the email address is +signer@example.com. + +CA.sh -newreq +CA.sh -signreq +cp newcert.pem ../signer.pem +openssl rsa ../signer_key.pem + +Making the recipient certificate. Make sure the email address is +recipient@example.com. + +CA.sh -newreq +CA.sh -signreq +cp newcert.pem ../recipient.pem +openssl rsa ../recipient_key.pem + + +Finally run the tests and edit for new values. 
+ +------38FBD2321B4A76C8BE88AFD029CDED23 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEhQYJKoZIhvcNAQcCoIIEdjCCBHICAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJkMIICYDCCAcmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBPMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEChMITTJDcnlw +dG8xGDAWBgNVBAMTD0hlaWtraSBUb2l2b25lbjAeFw0xNTExMjYyMTMzMTJaFw0y +NTExMjMyMTMzMTJaMG8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh +MREwDwYDVQQKEwhNMkNyeXB0bzESMBAGA1UEAxMJUmVjaXBpZW50MSQwIgYJKoZI +hvcNAQkBFhVyZWNpcGllbnRAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAJaMhIx8GBrTwmJdDwilmD2LkUw0b80Vr1Ycffk2pgE8nGPPIGT6 +dySl4cv+j1rAqJAbmaMCakPv+TGseQH5zEYRfKrRh9+V1PGkesv8TC6LMyL1M/hT +augiSBiW8kk5/zOZA+U9wiJS8TOWILzRyCG7S3U9Kz1RTqoP1XNdZkS/AgMBAAGj +LDAqMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFON3U+KXkkZq9wvnavqx8PK9vXUMA0G +CSqGSIb3DQEBBQUAA4GBABCx3TS7lz4+2ODeapnJvoy3gMcdMNs6aNWk2QJ2K3Zi +AIYwWgYDZZK5AKRClF90xpRELowHVfPBbnoKF2ZW71Cvo1/x95dmKdO0FBM0eZaY +rVjbIOb8+nCsHCKQv3vD6uOKCr26SP/lyVCDGNkeYTDAx2zqM/7Q/Kga8Zuj3JEQ +MYIB5TCCAeECAQEwVDBPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p +YTERMA8GA1UEChMITTJDcnlwdG8xGDAWBgNVBAMTD0hlaWtraSBUb2l2b25lbgIB +BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG +CSqGSIb3DQEJBTEPFw0xODA3MjMxODExNTNaMC8GCSqGSIb3DQEJBDEiBCAFNpRM +82d8yvtEyK+nEYuCf5KuyfnooeJYkzIbqUb2yDB5BgkqhkiG9w0BCQ8xbDBqMAsG +CWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMH +MA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG +9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgEEVB6XZeD44cN+6qmj1LR5Jh6JLGnIQ +eQPGrI8Ygymc1dVDWC72872Xp3UTidhMnCyN36QNBZ7GL63tc2mCZ9rgWE24mvqx +cj5hCyXF240ty20igJe5BDaXHgzO0JGJPUtoOxNWrM40IhGxh9MSGlfioMOsuRD4 +gDf9hUfjCkvG + +------38FBD2321B4A76C8BE88AFD029CDED23-- + diff --git a/tests/test_obj.py b/tests/test_obj.py index 737511a..7748492 100644 --- a/tests/test_obj.py +++ b/tests/test_obj.py 
@@ -105,6 +105,28 @@ class ObjectsTestCase(unittest.TestCase):
 self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
+ # Detailed OpenSSL error message is visible in Python error message:
+ def test_detailed_error_message(self):
+ from M2Crypto import SMIME, X509
+ s = SMIME.SMIME()
+ x509 = X509.load_cert('tests/recipient.pem')
+ sk = X509.X509_Stack()
+ sk.push(x509)
+ s.set_x509_stack(sk)
+
+ st = X509.X509_Store()
+ st.load_info('tests/recipient.pem')
+ s.set_x509_store(st)
+
+ p7, data = SMIME.smime_load_pkcs7('tests/sample-p7.pem')
+ self.assertIsInstance(p7, SMIME.PKCS7, p7)
+
+ try:
+ s.verify(p7, data)
+ except SMIME.PKCS7_Error as e:
+ self.assertRegexpMatches(str(e),
+ "unable to get local issuer certificate",
+ "Not received expected error message")
 def suite():
 t_suite = unittest.TestSuite()
diff --git a/tests/test_smime.py b/tests/test_smime.py
index a0edca8..2d9b105 100644
--- a/tests/test_smime.py
+++ b/tests/test_smime.py
@@ -209,6 +209,29 @@ class SMIMETestCase(unittest.TestCase):
 with self.assertRaises(SMIME.PKCS7_Error):
 s.verify(p7) # Bad signer
+ # This test is not SMIME-specific - it tests that the additional OpenSSL
+ # error message is visible in Python error messages.
+ def test_detailed_error_message(self):
+ s = SMIME.SMIME()
+ x509 = X509.load_cert('tests/recipient.pem')
+ sk = X509.X509_Stack()
+ sk.push(x509)
+ s.set_x509_stack(sk)
+
+ st = X509.X509_Store()
+ st.load_info('tests/recipient.pem')
+ s.set_x509_store(st)
+
+ p7, data = SMIME.smime_load_pkcs7_bio(self.signed)
+ self.assertIsInstance(p7, SMIME.PKCS7, p7)
+
+ try:
+ s.verify(p7, data)
+ except SMIME.PKCS7_Error as e:
+ self.assertRegexpMatches(str(e),
+ "unable to get local issuer certificate",
+ "Not received expected error message")
+
 def test_encrypt(self):
 buf = BIO.MemoryBuffer(self.cleartext)
 s = SMIME.SMIME()
-- 
cgit v1.2.1
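Review bot: The `try`/`except` around `s.verify(p7, data)` only inspects the message when verification raises, so the test passes silently if verification succeeds — and that is the outcome this test most needs to catch, because a chain that verifies against a store holding only recipient.pem would mean issuer checking is not being enforced. Replace the try/except with `with self.assertRaises(SMIME.PKCS7_Error) as cm:` / `    s.verify(p7, data)` / `self.assertRegexpMatches(str(cm.exception), "unable to get local issuer certificate", "Not received expected error message")`. The same pattern appears in the tests/test_smime.py hunk of this commit. The expected reason string also deserves a one-line comment explaining why it arises, e.g. `# The store deliberately holds only recipient.pem (no CA), so chain building must fail with this reason.`, otherwise a later cleanup that adds the CA to the store would turn this into a vacuous pass. ObjectsTestCase starts before the hunk.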
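Review bot: This test_detailed_error_message is a near-verbatim copy of the one added to tests/test_obj.py in the same commit, differing only in loading the PKCS7 from `self.signed` via `smime_load_pkcs7_bio` instead of from tests/sample-p7.pem; the leading comment itself says the check is not SMIME-specific, so keeping a single copy (this one, where the SMIME fixtures live) would avoid two tests drifting apart. If both remain, the method should state what makes the asserted reason appear, e.g. `# The store holds only recipient.pem, not the signer's issuer, so verification is expected to fail on chain building rather than on the signature itself.`. `self.signed` is produced in setUp, which lies outside the hunk, so what it was signed with cannot be confirmed from here.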