Bug#844928: python-keystoneclient FTBFS with openssl 1.1.0

[Ondřej Kobližek]

FTBFS due to failing tests:
FAIL: keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify
FAIL:
keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify_token_no_files

Both tests fail because: Command 'openssl' returned non-zero exit status 1

I think its OpenSSL >= 1.1 bug, which returns wrong exit code (1 insted of
2) if input file not exists.

I prepared quilt patch and going to upload new release of
python-keystoneclient.

====
Description: Workaround for FTBFS with OpenSSL >= 1.1.0
 OpenSSL1.1 returns exit code 1 if certfile or CAfile not exists.
 This is possibly OpenSSL bug
 https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES
Author: Ondřej Kobližek <kobliz...@gmail.com>
Forwarded: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844928

--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -42,9 +42,10 @@


 # The openssl cms command exits with these status codes.
-# See https://www.openssl.org/docs/apps/cms.html#EXIT_CODES
+# See https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES
 class OpensslCmsExitStatus(object):
     SUCCESS = 0
+    COMMAND_OPTIONS_PARSING_ERROR = 1
     INPUT_FILE_READ_ERROR = 2
     CREATE_CMS_READ_MIME_ERROR = 3

@@ -180,21 +181,28 @@
     # Do not log errors, as some happen in the positive thread
     # instead, catch them in the calling code and log them there.

-    # When invoke the openssl with not exist file, return code 2
-    # and error msg will be returned.
+    # When invoke the openssl >= 1.1.0 with not exist file, return code
should
+    # be 2 instead of 1 and error msg will be returned.
     # You can get more from
-    # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
+    # https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES
     #
     # $ openssl cms -verify -certfile not_exist_file -CAfile
     #       not_exist_file -inform PEM -nosmimecap -nodetach
     #       -nocerts -noattr
-    # Error opening certificate file not_exist_file
+    # cms: Cannot open input file not_exist_file, No such file or directory
     #
     if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
         if err.startswith('Error reading S/MIME message'):
             raise exceptions.CMSError(err)
         else:
             raise exceptions.CertificateConfigError(err)
+    # workaround for OpenSSL >= 1.1.0,
+    # should return OpensslCmsExitStatus.INPUT_FILE_READ_ERROR
+    if retcode == OpensslCmsExitStatus.COMMAND_OPTIONS_PARSING_ERROR:
+        if err.startswith('cms: Cannot open input file'):
+            raise exceptions.CertificateConfigError(err)
+        else:
+            raise subprocess.CalledProcessError(retcode, 'openssl',
output=err)
     elif retcode != OpensslCmsExitStatus.SUCCESS:
         raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
     return output
====