Subject: | Crypt::OpenSSL::CA::Error should contain more context |
When building a certificate, set/add_extension will be called many times.
When there's a problem, a Crypt::OpenSSL::CA::Error exception object is (usually) thrown.
Unfortunately, it looks something like this:
    x $@
    0  Crypt::OpenSSL::CA::Error=HASH(0xa8a2190)
       '-message' => 'X509V3_EXT_conf_nid failed'
       '-openssl' => ARRAY(0xa8da224)
          0  'error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option'
In order to produce and log an informative error message, what I really want to know (at least) is the name of the extension with the issue.
This means that every call has to be wrapped in a unique eval block, rather than wrapping the entire build_a_certificate method in a global eval. This rather defeats the point of an exception architecture, which is not to have to check for errors at every method call.
Thus, it would be helpful if the exception object contained more data.
E.g.
    '-item' => 'subjectAltName'    # for set/add_extension, from the first argument.
and from methods like set_subject_DN, something useful, like
    '-item' => 'subject_DN'
For cases where a string is thrown (e.g. invalid extension name), please also include an item name.
It would be ideal if the faulting values/options were also included.
I currently use the rather ugly hack of calling wrapper routines, such as:
    set_extension( $cert, ... );

    sub set_extension {
        my( $cert, $name, $value, @options ) = @_;

        # Catch whatever the method throws, object or plain string
        eval {
            $cert->set_extension( $name, $value, @options );
        };
        if( $@ ) {
            if( ref $@ ) {
                # exception object: attach the extension name and the arguments
                $@->{-item} = $name;
                $@->{-args} = [ $value, @options ];
            } else {
                # plain string: drop perl's " at FILE line N." suffix, prefix the name
                chomp $@;
                $@ =~ s/ at .*\z//;
                $@ = "$name: $@\n";
            }
            die $@;    # rethrow with the added context
        }
        return;
    }
Thanks.
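Added example, not the reporter's code and not part of Crypt::OpenSSL::CA: a single generic wrapper (call_with_item) that annotates whatever a method throws with the item it concerned, so the whole build can sit under one eval and the log line still names the failing extension. The Fake::X509 stand-in class, the call_with_item, build_a_certificate and describe_failure helpers and the sample DN/extension inputs are all constructed for this example; only the '-message'/'-openssl' shape of the thrown object follows the dump above.

```perl
#!/usr/bin/perl
# Added example: not the ticket reporter's code and not part of
# Crypt::OpenSSL::CA. One generic wrapper adds '-item'/'-args' context to
# any failing call, so build_a_certificate() needs a single eval only.
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Call $method on $obj; on failure rethrow with the item name attached.
# Object exceptions get '-item' and '-args' keys, string exceptions a prefix.
sub call_with_item {
    my ($obj, $method, $item, @args) = @_;
    my @ret = eval { $obj->$method(@args) };
    return @ret unless $@;
    my $err = $@;
    if (blessed($err) && $err->isa('Crypt::OpenSSL::CA::Error')) {
        $err->{-item} = $item;
        $err->{-args} = [@args];
    } else {
        chomp $err;
        $err =~ s/ at .*\z//s;   # drop perl's " at FILE line N." suffix
        $err = "$item: $err\n";
    }
    die $err;                    # rethrow to the caller's single eval
}

# Constructed stand-in for Crypt::OpenSSL::CA::X509 (hypothetical class) so
# the example runs without the real module. It fails the way the dump in
# the ticket shows: a blessed hash carrying '-message' and '-openssl'.
package Fake::X509 {
    sub new            { return bless {}, shift }
    sub set_subject_DN { return 1 }
    sub set_extension {
        my ($self, $name, $value) = @_;
        if ($name eq 'subjectAltName') {
            die bless({
                -message => 'X509V3_EXT_conf_nid failed',
                -openssl => ['error:22075075:X509 V3 routines:'
                           . 'v2i_GENERAL_NAME_ex:unsupported option'],
            }, 'Crypt::OpenSSL::CA::Error');
        }
        die "unknown extension '$name'\n" if $name eq 'bogus';
        return 1;
    }
}

# The whole build sits under one eval in the caller; each step still
# records which item it was working on (the extension name doubles as
# the '-item' label and the first argument of set_extension).
sub build_a_certificate {
    my ($cert, $dn, $extensions) = @_;
    call_with_item($cert, 'set_subject_DN', 'subject_DN', $dn);
    for my $ext (@$extensions) {
        my ($name, $value) = @$ext;
        call_with_item($cert, 'set_extension', $name, $name, $value);
    }
    return $cert;
}

# Turn either kind of exception into one informative log line.
sub describe_failure {
    my ($err) = @_;
    if (!ref $err) { chomp $err; return $err }
    return sprintf "%s: %s (%s)", $err->{-item}, $err->{-message},
        join '; ', @{ $err->{-openssl} || [] };
}

my $cert = Fake::X509->new;
eval {
    build_a_certificate($cert, 'CN=example', [
        ['basicConstraints', 'CA:TRUE'],
        ['subjectAltName',   'DNS:example.com'],
        ['bogus',            'x'],
    ]);
};
print describe_failure($@), "\n" if $@;
```

With the constructed inputs the build stops at the subjectAltName step and the logged line starts with "subjectAltName: X509V3_EXT_conf_nid failed", followed by the OpenSSL error strings; a plain-string failure such as the 'bogus' entry would come out as "bogus: unknown extension 'bogus'". Only call_with_item needs to know about the two exception shapes, so no per-method wrapper is required.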