Provide output for all external commands in subsequent error messages

Author: FR4NK-W

fetcher/crypto_cmds.go

@@ -7,35 +7,35 @@ import (
 
 // Verify the signature of signedTopology
 // using the CA bundle rootCertsBundlePath, and output the verified payload to verifiedTopology.
-func cmsVerifyOutput(ctx context.Context, signedTopology, rootCertsBundlePath, verifiedTopology string) (err error) {
+func cmsVerifyOutput(ctx context.Context, signedTopology, rootCertsBundlePath, verifiedTopology string) (output []byte, err error) {
 	if !ctx.Value("nativeCrypto").(bool) {
 		if err = checkExecutable("openssl"); err != nil {
 			return
 		}
 		return opensslCMSVerifyOutput(ctx, signedTopology, rootCertsBundlePath, verifiedTopology)
 	}
-	return fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
+	return []byte{}, fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
 }
 
 // Detach the signature on signedTopology in the PKCS#7 format.
-func smimePk7out(ctx context.Context, signedTopology, detachedSignaturePath string) (err error) {
+func smimePk7out(ctx context.Context, signedTopology, detachedSignaturePath string) (output []byte, err error) {
 	if !ctx.Value("nativeCrypto").(bool) {
 		if err = checkExecutable("openssl"); err != nil {
 			return
 		}
 		return opensslSMIMEPk7out(ctx, signedTopology, detachedSignaturePath)
 	}
-	return fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
+	return []byte{}, fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
 }
 
 // Extract the certificate bundle into asCertHumanChain
 // from the detached signature at detachedSignaturePath.
-func pkcs7Certs(ctx context.Context, detachedSignaturePath, asCertHumanChain string) (err error) {
+func pkcs7Certs(ctx context.Context, detachedSignaturePath, asCertHumanChain string) (output []byte, err error) {
 	if !ctx.Value("nativeCrypto").(bool) {
 		if err = checkExecutable("openssl"); err != nil {
 			return
 		}
 		return opensslPKCS7Certs(ctx, detachedSignaturePath, asCertHumanChain)
 	}
-	return fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
+	return []byte{}, fmt.Errorf("not implemented crypto engine: nativeCrypto=%t", ctx.Value("nativeCrypto"))
 }

fetcher/openssl_cmds.go

@@ -7,20 +7,20 @@ import (
 
 // opensslCMSVerifyOutput uses the openssl cms module to verify the signature of signedTopology
 // using the CA bundle rootCertsBundlePath, and outputs the verified payload to verifiedTopology.
-func opensslCMSVerifyOutput(ctx context.Context, signedTopology, rootCertsBundlePath, verifiedTopology string) error {
-	return exec.CommandContext(ctx, "openssl", "cms", "-verify", "-in", signedTopology,
-		"-CAfile", rootCertsBundlePath, "-purpose", "any", "-noout", "-text", "-out", verifiedTopology).Run()
+func opensslCMSVerifyOutput(ctx context.Context, signedTopo, rootCertsBundlePath, verifiedTopo string) ([]byte, error) {
+	return exec.CommandContext(ctx, "openssl", "cms", "-verify", "-in", signedTopo,
+		"-CAfile", rootCertsBundlePath, "-purpose", "any", "-noout", "-text", "-out", verifiedTopo).CombinedOutput()
 }
 
 // opensslSMIMEPk7out uses the openssl smime module to detach the signature on signedTopology in the PKCS#7 format.
-func opensslSMIMEPk7out(ctx context.Context, signedTopology, detachedSignaturePath string) error {
+func opensslSMIMEPk7out(ctx context.Context, signedTopo, detachedSignaturePath string) ([]byte, error) {
 	return exec.CommandContext(ctx, "openssl", "smime", "-pk7out",
-		"-in", signedTopology, "-out", detachedSignaturePath).Run()
+		"-in", signedTopo, "-out", detachedSignaturePath).CombinedOutput()
 }
 
 // opensslPKCS7Certs uses the openssl pkcs7 module to extract the certificate bundle into asCertHumanChain
 // from the detached signature at detachedSignaturePath.
-func opensslPKCS7Certs(ctx context.Context, detachedSignaturePath, asCertHumanChain string) error {
+func opensslPKCS7Certs(ctx context.Context, detachedSignaturePath, asCertHumanChain string) ([]byte, error) {
 	return exec.CommandContext(ctx, "openssl", "pkcs7", "-in", detachedSignaturePath,
-		"-inform", "PEM", "-print_certs", "-out", asCertHumanChain).Run()
+		"-inform", "PEM", "-print_certs", "-out", asCertHumanChain).CombinedOutput()
 }

fetcher/scion_cppki_verify.go

@@ -71,7 +71,7 @@ func verifyTopologySignature(cfg *config.Config) error {
 	// verify the AS certificate chain (but not the payload signature) back to the TRCs of the ISD follows the
 	// SCION CP PKI rules about cert type, key usage:
 	if stdoutStderr, err := spkiCertVerify(ctx, sortedTRCsPaths, asCertChainPath); err != nil {
-		return fmt.Errorf("unable to validate certificate chain: %s %w", stdoutStderr, err)
+		return fmt.Errorf("unable to validate certificate chain: %w: scion-pki output: %s", err, stdoutStderr)
 	}
 
 	var unvalidatedTopologyPath string
@@ -149,13 +149,15 @@ func verifyWithRootBundle(ctx context.Context,
 	_, trcFileName := filepath.Split(trustAnchorTRC)
 	rootCertsBundlePath := filepath.Join(verifyPath, trcFileName+".certs.pem")
 	// extract TRC certificates:
-	if err = spkiTRCExtractCerts(ctx, trustAnchorTRC, rootCertsBundlePath); err != nil {
-		return fmt.Errorf("unable to extract root certificates from TRC %s: %w",
-			trustAnchorTRC, err)
+	var stdoutStderr []byte
+	if stdoutStderr, err = spkiTRCExtractCerts(ctx, trustAnchorTRC, rootCertsBundlePath); err != nil {
+		return fmt.Errorf("unable to extract root certificates from TRC %s: %w: scion-pki output: %s",
+			trustAnchorTRC, err, stdoutStderr)
 	}
 	// verify the signature and certificate chain back to a root certs bundle, write out the payload:
-	if err = cmsVerifyOutput(ctx, signedTopology, rootCertsBundlePath, unvalidatedTopologyPath); err != nil {
-		return fmt.Errorf("verifying and extracting signed payload failed: %w", err)
+	if stdoutStderr, err = cmsVerifyOutput(ctx, signedTopology, rootCertsBundlePath, unvalidatedTopologyPath); err != nil {
+		return fmt.Errorf("verifying and extracting signed payload failed: %w: Verification output: %s",
+			err, stdoutStderr)
 	}
 	return
 }
@@ -167,17 +169,19 @@ func extractSignerInfo(ctx context.Context, signedTopology, verifyPath string) (
 
 	detachedSignaturePath := filepath.Join(verifyPath, "detached_signature.p7s")
 	// detach signature for further validation:
-	err = smimePk7out(ctx, signedTopology, detachedSignaturePath)
+	var stdoutStderr []byte
+	stdoutStderr, err = smimePk7out(ctx, signedTopology, detachedSignaturePath)
 	if err != nil {
-		err = fmt.Errorf("unable to detach signature: %w", err)
+		err = fmt.Errorf("unable to detach signature: %w: Verification output: %s", err, stdoutStderr)
 		return
 	}
 
 	asCertHumanChain := filepath.Join(verifyPath, "as_cert_chain.human.pem")
 	// collect included certificates from detached signature:
-	err = pkcs7Certs(ctx, detachedSignaturePath, asCertHumanChain)
+	stdoutStderr, err = pkcs7Certs(ctx, detachedSignaturePath, asCertHumanChain)
 	if err != nil {
-		err = fmt.Errorf("unable to gather included certificates from signature: %w", err)
+		err = fmt.Errorf("unable to gather included certificates from signature: %w: Verification output: %s",
+			err, stdoutStderr)
 		return
 	}
 
@@ -256,9 +260,10 @@ func verifyTRCUpdateChain(outputPath, candidateTRCPath string, strict bool) erro
 	}
 	trcUpdateChainPaths := sortTRCsFiles(trcs).Paths()
 	trcUpdateChainPaths = append(trcUpdateChainPaths, candidateTRCPath)
-	err = spkiTRCVerify(ctx, trcUpdateChainPaths[0], trcUpdateChainPaths[1:])
+	var stdoutStderr []byte
+	stdoutStderr, err = spkiTRCVerify(ctx, trcUpdateChainPaths[0], trcUpdateChainPaths[1:])
 	if err != nil {
-		return fmt.Errorf("validating TRC update chain failed: %w", err)
+		return fmt.Errorf("validating TRC update chain failed: %w: scion-pki output: %s", err, stdoutStderr)
 	}
 	return nil
 }

fetcher/scion_pki_tool_cmds.go

@@ -9,9 +9,9 @@ import (
 // scion-pki commands
 
 // spkiTRCExtractCerts extracts the certificates contained in the TRC trustAnchorTRC into rootCertsBundlePath.
-func spkiTRCExtractCerts(ctx context.Context, trustAnchorTRC, rootCertsBundlePath string) error {
+func spkiTRCExtractCerts(ctx context.Context, trustAnchorTRC, rootCertsBundlePath string) ([]byte, error) {
 	return exec.CommandContext(ctx, "scion-pki", "trc", "extract", "certificates",
-		trustAnchorTRC, "-o", rootCertsBundlePath).Run()
+		trustAnchorTRC, "-o", rootCertsBundlePath).CombinedOutput()
 }
 
 // spkiCertVerify verifies the AS certificate asCertChainPath
@@ -22,9 +22,9 @@ func spkiCertVerify(ctx context.Context, trcsUpdateChain []string, asCertChainPa
 }
 
 // spkiTRCVerify verifies the TRC update chain for candidateTRCPath anchored in the TRCs trcUpdateChainPaths
-func spkiTRCVerify(ctx context.Context, trcAnchorPath string, updateChainCandidatePaths []string) error {
+func spkiTRCVerify(ctx context.Context, trcAnchorPath string, updateChainCandidatePaths []string) ([]byte, error) {
 	cmdArgs := []string{"trc", "verify", "--anchor"}
 	cmdArgs = append(cmdArgs, trcAnchorPath)
 	cmdArgs = append(cmdArgs, updateChainCandidatePaths...)
-	return exec.CommandContext(ctx, "scion-pki", cmdArgs...).Run()
+	return exec.CommandContext(ctx, "scion-pki", cmdArgs...).CombinedOutput()
 }