Provide full certificate to client on error

When a certificate error happens, provide full certificate data to the caller so that they may implement whatever strategy they feel appropriate.
2025-01-18 05:33:17 +00:00 · 2015-11-30 12:32:14 -05:00 · 2015-11-30 12:32:14 -05:00 · e2b79a063d
commit e2b79a063d
parent f6ce9f2c1e
2 changed files with 8 additions and 3 deletions
--- a/confluent_server/confluent/exceptions.py
+++ b/confluent_server/confluent/exceptions.py
@ -15,6 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import base64
 import json


@ -76,10 +77,13 @@ class PubkeyInvalid(ConfluentException):
    apierrorcode = 502
    apierrorstr = '502 - Invalid certificate or key on target'

-    def __init__(self, text, fingerprint, attribname):
+    def __init__(self, text, certificate, fingerprint, attribname):
        super(PubkeyInvalid, self).__init__(self, text)
        self.fingerprint = fingerprint
-        self.errorbody = json.dumps({attribname: fingerprint})
+        bodydata = {'fingerprint': fingerprint,
+                    'fingerprintfield': attribname,
+                    'certificate': base64.b64encode(certificate)}
+        self.errorbody = json.dumps(bodydata)

    def get_error_body(self):
        return self.errorbody
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@ -93,4 +93,5 @@ class TLSCertVerifier(object):
        elif storedprint[self.node][self.fieldname]['value'] == fingerprint:
            return True
        raise cexc.PubKeyInvalid(
-            'Mismatched certificate detected', fingerprint, self.fieldname)
+            'Mismatched certificate detected', certificate, fingerprint,
+            self.fieldname)