From b6dea2faa5a225e44159475d22713db8c81dffe7 Mon Sep 17 00:00:00 2001
From: Brian Bockelman <bbockelman@morgridge.org>
Date: Wed, 26 Apr 2023 08:51:13 -0500
Subject: [PATCH] If a detailed error message is available, do not overwrite

When verification of ACs fails, the prior behavior is to always have
this message:

```
Cannot verify AC signature!
```

This can be difficult to debug as there's no indication of whether
its a problem with the proxy itself or with the host configuration.

This patch appends the underlying error message if one was provided.
For example,

```
Cannot verify AC signature!  Underlying error: Certificate verification \
  failed for certificate '/CN=voms.example.com': certificate has expired.
```

(newlines added for readability)
---
 src/api/ccapi/api_util.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc
index b4c52bff..28c7288e 100644
--- a/src/api/ccapi/api_util.cc
+++ b/src/api/ccapi/api_util.cc
@@ -327,7 +327,12 @@ vomsdata::verifydata(AC *ac, UNUSED(const std::string& subject),
     issuer = check((void *)ac);
 
     if (!issuer) {
-      seterror(VERR_SIGN, "Cannot verify AC signature!");
+      std::string oldmessage = ErrorMessage();
+      if (oldmessage.empty()) {
+          seterror(VERR_SIGN, "Cannot verify AC signature!");
+      } else {
+          seterror(VERR_SIGN, "Cannot verify AC signature!  Underlying error: " + oldmessage);
+      }
       return false;
     }
   }