authorFraser Tweedale <ftweedal@redhat.com>2016-07-01 10:25:15 +1000
committerFraser Tweedale <ftweedal@redhat.com>2016-07-01 10:32:54 +1000
commitc7f9e6c4e0711dfafc81d201dcfadee3e0efa335 (patch)
tree870802b8b213d57deb2003d78397365adbd4ce79 /base/ca
parent3fdc686c9a4bab492d50cef707beef1f5f043153 (diff)
Respond 400 if lightweight CA cert issuance fails
If certificate issuance fails during lightweight CA creation (e.g. due to a profile constraint violation such as Subject DN not matching pattern) the API responds with status 500. Raise BadRequestDataException if cert issuance fails in a way that indicates bad or invalid CSR data, and catch it to respond with status 400. Also do some drive-by exception chaining. Fixes: https://fedorahosted.org/pki/ticket/2388
Diffstat (limited to 'base/ca')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java18
-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java3
2 files changed, 17 insertions, 4 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index e501380c8..502ab1856 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -74,6 +74,7 @@ import org.mozilla.jss.pkix.primitive.Name;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.BadRequestDataException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
@@ -2680,8 +2681,16 @@ public class CertificateAuthority
if (result != null && !result.equals(IRequest.RES_SUCCESS))
throw new EBaseException("createSubCA: certificate request submission resulted in error: " + result);
RequestStatus requestStatus = request.getRequestStatus();
- if (requestStatus != RequestStatus.COMPLETE)
- throw new EBaseException("createSubCA: certificate request did not complete; status: " + requestStatus);
+ if (requestStatus != RequestStatus.COMPLETE) {
+ // The request did not complete. Inference: something
+ // incorrect in the request (e.g. profile constraint
+ // violated).
+ String msg = "Failed to issue CA certificate. Final status: " + requestStatus + ".";
+ String errorMsg = request.getExtDataInString(IRequest.ERROR);
+ if (errorMsg != null)
+ msg += " Additional info: " + errorMsg;
+ throw new BadRequestDataException(msg);
+ }
// Add certificate to nssdb
cert = request.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
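Review bot: Every request status other than COMPLETE is now mapped to BadRequestDataException (lines 39-48), so a request that ends up PENDING or fails for a server-side reason during issuance is reported to the client as a 400 exactly like a CSR that violates a profile constraint. If the constraint failure described in the commit message leaves the request in `RequestStatus.REJECTED`, narrowing the new branch to that status and keeping EBaseException for the others would match the stated intent, e.g. `if (requestStatus == RequestStatus.REJECTED) throw new BadRequestDataException(msg);` followed by `throw new EBaseException(msg);`. The `IRequest.ERROR` text appended as "Additional info" is produced by the profile/policy layer and is later copied into the HTTP response body by AuthorityService, so it is worth confirming it carries only client-actionable constraint text rather than internal detail. The enclosing createSubCA method starts and ends outside the hunk.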
@@ -2697,7 +2706,10 @@ public class CertificateAuthority
// log this error.
CMS.debug("Error deleting new authority entry after failure during certificate generation: " + e2);
}
- throw new ECAException("Error creating lightweight CA certificate: " + e);
+ if (e instanceof BadRequestDataException)
+ throw (BadRequestDataException) e; // re-throw
+ else
+ throw new ECAException("Error creating lightweight CA certificate: " + e, e);
}
CertificateAuthority ca = new CertificateAuthority(
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 5ecabacd9..7bca10fa1 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -38,6 +38,7 @@ import javax.ws.rs.core.UriInfo;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authority.AuthorityData;
import com.netscape.certsrv.authority.AuthorityResource;
+import com.netscape.certsrv.base.BadRequestDataException;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
@@ -207,7 +208,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
audit(ILogger.SUCCESS, OpDef.OP_ADD,
subCA.getAuthorityID().toString(), auditParams);
return createOKResponse(readAuthorityData(subCA));
- } catch (IllegalArgumentException e) {
+ } catch (IllegalArgumentException | BadRequestDataException e) {
throw new BadRequestException(e.toString());
} catch (CANotFoundException e) {
throw new ResourceNotFoundException(e.toString());
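Review bot: The widened catch arm still builds the 400 response body from `e.toString()` (line 80), which prefixes the message with the exception class name and drops the cause even though the commit sets out to chain exceptions. Using `e.getMessage()` hands the client the message composed in createSubCA without the internal class name, and passing `e` as the cause (if BadRequestException offers a cause-taking constructor) keeps the original stack available in the server log: `throw new BadRequestException(e.getMessage(), e);`. The enclosing method and its try block start outside the hunk.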