authorRob Austein <sra@hactrn.net>2011-10-04 20:40:00 +0000
committerRob Austein <sra@hactrn.net>2011-10-04 20:40:00 +0000
commit3a662b0f0ad0cfbf4d499d01cf09b84c17f80d39 (patch)
tree7d55e6fe1e3aaa9ef8a5ca4c46a3df4b80e661ba
parent83524080bba998ea1cbe3b7ae25d0b798f0b9ace (diff)
Don't spew to stderr if dumpasn1 isn't available when we want to dump
CMS that doesn't validate (see #94). Switch CMS-dumping code to use OpenSSL library code rather than dumpasn1 -- dumpasn1 is prettier, but not enough prettier to be worth making people install yet another freaking program that's only used to diagnose strange failures. svn path=/rpkid/rpki/x509.py; revision=4010
-rw-r--r--rpkid/rpki/x509.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 6e7fdfea..00c7c448 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -836,6 +836,13 @@ class CMS_object(DER_object):
debug_cms_certs = False
+ ## @var dump_using_dumpasn1
+ # Set this to use external dumpasn1 program, which is prettier and
+ # more informative than OpenSSL's CMS text dump, but which won't
+ # work if the dumpasn1 program isn't installed.
+
+ dump_using_dumpasn1 = False
+
## @var require_crls
# Set this to False to make CMS CRLs optional in the cases where we
# would otherwise require them. Some day this option should go away
@@ -955,14 +962,13 @@ class CMS_object(DER_object):
raise
except:
if self.dump_on_verify_failure:
- if True:
+ if self.dump_using_dumpasn1:
dbg = self.dumpasn1()
else:
dbg = cms.pprint()
- try:
- sys.stderr.write("CMS verification failed, dumping ASN.1 (%d octets):\n%s\n" % (len(self.get_DER()), dbg))
- except IOError:
- pass
+ rpki.log.warn("CMS verification failed, dumping ASN.1 (%d octets):" % len(self.get_DER()))
+ for line in dbg.splitlines():
+ rpki.log.warn(line)
raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed"
self.decode(content)
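Review bot: The dump emitted by the new `rpki.log.warn(line)` loop is built from a CMS object that has just failed verification, so its length and text are controlled by whoever sent the message, and the loop writes one warning record per line with no upper bound. With `dump_on_verify_failure` enabled, a peer that keeps sending large invalid objects can inflate the log, so consider capping the output, for example `for line in dbg.splitlines()[:200]:` (200 is an illustrative limit, not a project value). Separately, `self.dumpasn1()` and `cms.pprint()` run inside the bare `except:` handler; their bodies are outside this hunk, but if either raises, that exception would presumably replace `CMSVerificationFailed`, so wrapping the dump in its own `try` would keep the reported failure stable. The enclosing method starts before the hunk.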