URL: https://github.com/freeipa/freeipa/pull/1518
Author: frasertweedale
 Title: #1518: cert-request: avoid internal error when cert malformed
Action: opened

PR body:
"""
When executing cert-request, if Dogtag successfully issues a certificate
but python-cryptography cannot parse the certificate, an unhandled
exception occurs.  Handle the exception by notifying about the malformed
certificate in the response messages.

Fixes: https://pagure.io/freeipa/issue/7390
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1518/head:pr1518
git checkout pr1518
From ee089f941cd35b8c23424605b7be4ad364b3d43d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 5 Feb 2018 15:03:11 +1100
Subject: [PATCH 1/2] Improve warning message for malformed certificates

The 'CertificateInvalid' message is used for malformed certificates.
The user error message says "Invalid certificate...", but in X.509
"validity" has a specific meaning that does not encompass
well-formedness.  For clarity, change the user-visible message to
say "Malformed".

Part of: https://pagure.io/freeipa/issue/7390
---
 ipalib/messages.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index fd458a1757..2e44da3a27 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -472,7 +472,7 @@ class CertificateInvalid(PublicMessage):
     """
     errno = 13029
     type = "error"
-    format = _("%(subject)s: Invalid certificate. "
+    format = _("%(subject)s: Malformed certificate. "
                "%(reason)s")
 
 
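Review bot: the class is still named `CertificateInvalid` (errno 13029) while its user-visible text now says "Malformed certificate"; since renaming the class would change the message name that clients match on, keep the name but state in the class docstring just above this hunk that it reports a malformed (unparseable) certificate rather than an X.509-invalid one, and check that no test or translation still matches the old "Invalid certificate" string.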

From 4a18ebc331c698d4aba60e9e7e82d9677d1a93cd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 5 Feb 2018 15:06:49 +1100
Subject: [PATCH 2/2] cert-request: avoid internal error when cert malformed

When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs.  Handle the exception by notifying about
the malformed certificate in the response messages.

Fixes: https://pagure.io/freeipa/issue/7390
---
 ipaserver/plugins/cert.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index f40d0f9439..db624357af 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -468,6 +468,10 @@ def _parse(self, obj, full=True):
             attribute when ``True`` in addition to the specialised
             attribute.
 
+        Raise ``ValueError`` if the certificate is malformed.
+        (Note: only the main certificate structure and Subject Alt
+        Name extension are examined.)
+
         """
         if 'certificate' in obj:
             cert = x509.load_der_x509_certificate(
@@ -876,7 +880,15 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
                 raise e
 
         if not raw:
-            self.obj._parse(result, all)
+            try:
+                self.obj._parse(result, all)
+            except ValueError as e:
+                self.add_message(
+                    messages.CertificateInvalid(
+                        subject=principal,
+                        reason=e,
+                    )
+                )
             result['request_id'] = int(result['request_id'])
             result['cacn'] = ca_obj['cn'][0]
 
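Review bot: when `_parse` raises partway through, `result` keeps whatever attributes it had already set and execute() goes on to add `request_id` and `cacn` and return it, so the client receives a partially parsed entry alongside the error message; either say so in the commit message and docstring or clear the partially populated keys before continuing. Two smaller points in the same hunk: `reason=e` passes the exception object into the message, and while the `%(reason)s` format stringifies it, anything that carries the message's keyword arguments through to the response would get the object rather than text, so `reason=str(e)` is safer; and a parse failure on a certificate Dogtag just issued is worth a server-side log line in the `except` block in addition to the client-visible message.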
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
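Added example (not FreeIPA's or Dogtag's code) illustrating the distinction the two commits draw: a malformed certificate is one whose DER structure cannot be parsed, which is separate from X.509 validity. It uses a small hand-written DER walker in place of python-cryptography's `load_der_x509_certificate` so it runs without that library, checks only the outer `Certificate` SEQUENCE (the `_parse` docstring likewise says only the main structure is examined), and wraps the check the way the patch wraps `_parse`: a `ValueError` becomes a response message instead of an internal error. The sample certificate bytes, the `parse_response` helper and the message dict layout are constructed for this example and are assumptions, not FreeIPA API.

```python
# Added example: malformed vs. X.509-invalid certificates, and turning a
# parse failure into a response message. Not FreeIPA code; the DER walker
# stands in for python-cryptography and the sample bytes are constructed.

SEQUENCE = 0x30
BIT_STRING = 0x03


def _read_tlv(data, offset):
    """Decode one DER tag-length-value at offset -> (tag, value, next_offset).
    Raises ValueError on truncation or non-minimal (non-DER) length encoding."""
    if offset + 2 > len(data):
        raise ValueError("unexpected end of data at offset %d" % offset)
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        if offset + nbytes > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length encoding (not DER)")
        offset += nbytes
    if offset + length > len(data):
        raise ValueError("value truncated: need %d bytes, have %d"
                         % (length, len(data) - offset))
    return tag, data[offset:offset + length], offset + length


def check_certificate_structure(der):
    """Check the outer shape Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING } and return the
    three component values. Raises ValueError if malformed. Nothing here looks
    at validity dates, the signature or the chain: that is X.509 validity."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("expected SEQUENCE at offset 0, got tag 0x%02x" % tag)
    if end != len(der):
        raise ValueError("%d trailing bytes after certificate" % (len(der) - end))
    parts, off = [], 0
    for name, want in (("tbsCertificate", SEQUENCE),
                       ("signatureAlgorithm", SEQUENCE),
                       ("signatureValue", BIT_STRING)):
        tag, value, off = _read_tlv(body, off)
        if tag != want:
            raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (name, want, tag))
        parts.append(value)
    if off != len(body):
        raise ValueError("unexpected extra element in Certificate SEQUENCE")
    return tuple(parts)


def malformed_reason(der):
    """Return the ValueError text for a malformed certificate, or None."""
    try:
        check_certificate_structure(der)
    except ValueError as e:
        return str(e)
    return None


def _der(tag, value):
    """Encode one DER TLV (lengths up to 65535) for building sample input."""
    n = len(value)
    if n < 0x80:
        lenb = bytes([n])
    elif n < 0x100:
        lenb = b"\x81" + bytes([n])
    else:
        lenb = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + lenb + value


# Constructed samples: a skeleton with the right outer shape (not a real,
# signed certificate), plus two ways of being malformed.
WELL_FORMED = _der(SEQUENCE,
                   _der(SEQUENCE, _der(0x02, b"\x01"))            # tbs placeholder
                   + _der(SEQUENCE, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
                   + _der(BIT_STRING, b"\x00" * 9))
TRUNCATED = WELL_FORMED[:-3]                   # cut off mid signatureValue
WRONG_TAG = bytes([0x31]) + WELL_FORMED[1:]    # SET where SEQUENCE is required


def parse_response(result, principal, parse=check_certificate_structure):
    """Mirror the patch's pattern (hypothetical helper): parse the issued
    certificate; on a malformed one, attach a message instead of raising.
    Returns (result, messages)."""
    messages = []
    try:
        tbs, _alg, _sig = parse(result["certificate"])
        result["tbs_certificate"] = tbs
    except ValueError as e:
        messages.append({
            "type": "error",
            "name": "CertificateInvalid",   # message name and errno as in ipalib/messages.py
            "code": 13029,
            "message": "%s: Malformed certificate. %s" % (principal, str(e)),
        })
    result["request_id"] = int(result["request_id"])   # still set, as in the patch
    return result, messages
```

The structural check is deliberately narrow: it accepts a well-formed skeleton with a bogus signature or no validity period at all, which is exactly why the message wording is "Malformed" rather than "Invalid". Note also that, as in the patch, `parse_response` returns a partially populated `result` when parsing fails.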