From 96a7a72cf414a3dc5c8587d34e80838cc64b71a4 Mon Sep 17 00:00:00 2001 From: John Mulligan Date: Wed, 23 Apr 2025 11:25:07 -0400 Subject: [PATCH] python-common/cryptotools: fix error path in verify tls function The remote verify_tls function was not raising errors when it should. Fix the function so that it always returns an object when it succeeds or fails gracefully. Always parse that function in the crypto caller class. Signed-off-by: John Mulligan --- src/python-common/ceph/cryptotools/cryptotools.py | 6 +++--- src/python-common/ceph/cryptotools/remote.py | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/python-common/ceph/cryptotools/cryptotools.py b/src/python-common/ceph/cryptotools/cryptotools.py index e021cf82ad6..c38ee44fec4 100644 --- a/src/python-common/ceph/cryptotools/cryptotools.py +++ b/src/python-common/ceph/cryptotools/cryptotools.py @@ -129,12 +129,11 @@ def get_cert_issuer_info(args: Namespace) -> None: def _fail_message(msg: str) -> None: - json.dump({'error': msg}, sys.stderr) - sys.exit(1) + json.dump({'error': msg}, sys.stdout) + sys.exit(0) def verify_tls(args: Namespace) -> None: - data = json.loads(sys.stdin.read()) crt = data['crt'] @@ -163,6 +162,7 @@ def verify_tls(args: Namespace) -> None: _fail_message('Private key and certificate do not match up: %s' % str(e)) except SSL.Error as e: _fail_message(f'Invalid cert/key pair: {e}') + json.dump({'ok': True}, sys.stdout) # need to emit something on success if __name__ == "__main__": diff --git a/src/python-common/ceph/cryptotools/remote.py b/src/python-common/ceph/cryptotools/remote.py index 9a668ca4bfa..3271ac847a8 100644 --- a/src/python-common/ceph/cryptotools/remote.py +++ b/src/python-common/ceph/cryptotools/remote.py 
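Review bot: With `_fail_message` now ending in `sys.exit(0)`, a rejected certificate/key pair and an accepted one return the same exit status, so the only failure signal left is the `{'error': ...}` object on stdout. Any caller that still relies on the process status alone (for example `check=True` without parsing the output) would treat a failed verification as a pass. `_fail_message` looks like a shared helper, so it is worth confirming that every subcommand using it has a caller that parses the result; those callers are not all visible in this patch. The contract should be stated on the helper itself, e.g. `"""Emit {'error': msg} as JSON on stdout and exit 0; callers must parse stdout because the exit status no longer signals failure."""`. Since the function never returns, `-> NoReturn` (from `typing`) would also be more accurate than `-> None`.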
@@ -121,12 +121,13 @@ class CryptoCaller: """Given a TLS certificate and a private key raise an error if the combination is not valid. """ - self._run( + result = self._run( ['verify_tls'], input_data=json.dumps({'crt': crt, 'key': key}), capture_output=True, check=True, ) + self._result_json(result) # for errors only def verify_cacrt_content(self, crt: str) -> int: """Verify a CA Certificate return the number of days until expiration.""" -- 2.39.5
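Review bot: In `verify_tls`, the added `self._result_json(result)  # for errors only` protects the caller only if `_result_json` raises on an `error` payload, and the `{'ok': True}` marker that the remote side now emits is never checked. Because the remote function exits 0 on failure as well, `check=True` no longer separates the two outcomes, so a validity check like this should fail closed and treat anything other than an explicit ok as an error. Assuming `_result_json` returns the parsed object (its definition is outside this hunk, as is the method's `def` line), a guard such as `if self._result_json(result).get('ok') is not True:` followed by the class's usual error would do it. At minimum the trailing comment could say why the call matters: `# remote exits 0 on failure too; _result_json must raise on an 'error' payload`.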