feat: added detailed infos for errors (planning#864)

When certificate chain cannot be verified the chain ist printed. When the jwk chain contains an inccorect chain the problem part is printed. This should allow for better support.

feat: added detailed infos for errors (planning#864)
5be9a4e3 · Pascal Osterwinter · 211968f6 · 5be9a4e3
Commit 5be9a4e3 authored 2 years ago by Pascal Osterwinter
--- a/certificateValidation.py
+++ b/certificateValidation.py
@@ -83,6 +83,9 @@ def validate_jwk_x5c_chain(jwks, base_cert):
                        "Error, each subsequent certificate in jwk x5c chain "
                        "has to be the one issuing the previous certificate."
                    )
+                    print(
+                        f"Issuer {issuer.rfc4514_string()} and subject {cert.subject.rfc4514_string()} don't match!"
+                    )
                    return False
                else:
                    issuer = cert.issuer
@@ -178,7 +181,18 @@ def verify_certificate_chain(cert, certificate_chain, environment):

    except Exception as e:
        print("Error", e)
+        print("Certificate chain: ")
+        for cert in certificate_chain:
+            print(get_certificate_issuer_and_subject_string(cert))
        return False

    # `store_ctx.verify_certificate()` will either return None or raise an exception
    raise RuntimeError("Unexpected Error: This code should never be reached")
+
+
+def get_certificate_issuer_and_subject_string(cert):
+    subject = str(cert.get_subject()).replace("<X509Name object '", "Subject: ")
+    subject = "Subject: " + subject.replace("'>", " ")
+    issuer = str(cert.get_issuer()).replace("<X509Name object '", "Subject: ")
+    issuer = "Issuer: " + issuer.replace("'>", "")
+    return subject + issuer