provide better output for spkiCertVerify

Author: sarcasticadmin

fetcher/scion_cppki_verify.go

@@ -70,8 +70,8 @@ func verifyTopologySignature(cfg *config.Config) error {
 
 	// verify the AS certificate chain (but not the payload signature) back to the TRCs of the ISD follows the
 	// SCION CP PKI rules about cert type, key usage:
-	if err = spkiCertVerify(ctx, sortedTRCsPaths, asCertChainPath); err != nil {
-		return fmt.Errorf("unable to validate certificate chain: %w", err)
+	if stdoutStderr, err := spkiCertVerify(ctx, sortedTRCsPaths, asCertChainPath); err != nil {
+		return fmt.Errorf("unable to validate certificate chain: %s %w", stdoutStderr, err)
 	}
 
 	var unvalidatedTopologyPath string

fetcher/scion_pki_tool_cmds.go

@@ -16,9 +16,9 @@ func spkiTRCExtractCerts(ctx context.Context, trustAnchorTRC, rootCertsBundlePat
 
 // spkiCertVerify verifies the AS certificate asCertChainPath
 // against the sorted TRCs in the update chain trcsUpdateChain.
-func spkiCertVerify(ctx context.Context, trcsUpdateChain []string, asCertChainPath string) error {
+func spkiCertVerify(ctx context.Context, trcsUpdateChain []string, asCertChainPath string) ([]byte, error) {
 	return exec.CommandContext(ctx, "scion-pki", "certificate", "verify",
-		"--trc", strings.Join(trcsUpdateChain, ","), asCertChainPath).Run()
+		"--trc", strings.Join(trcsUpdateChain, ","), asCertChainPath).CombinedOutput()
 }
 
 // spkiTRCVerify verifies the TRC update chain for candidateTRCPath anchored in the TRCs trcUpdateChainPaths