author | Fraser Tweedale <ftweedal@redhat.com> | 2018-02-05 15:06:49 +1100 |
---|---|---|
committer | Christian Heimes <cheimes@redhat.com> | 2018-02-06 11:42:34 +0100 |
commit | 01c534c229d808d497f866c3c704701c8c57f894 (patch) | |
tree | 723e0222367ac10db606cf5c214b84aae15bd202 | |
parent | fa5394cc62be5e48265985fedd452a824d46f1b7 (diff) | |
cert-request: avoid internal error when cert malformed
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
-rw-r--r-- | ipaserver/plugins/cert.py | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index f40d0f943..db624357a 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -468,6 +468,10 @@ class BaseCertObject(Object):
 attribute when ``True`` in addition to the specialised attribute.
+ Raise ``ValueError`` if the certificate is malformed.
+ (Note: only the main certificate structure and Subject Alt
+ Name extension are examined.)
+
 """
 if 'certificate' in obj:
 cert = x509.load_der_x509_certificate(
@@ -876,7 +880,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 raise e
 if not raw:
- self.obj._parse(result, all)
+ try:
+ self.obj._parse(result, all)
+ except ValueError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e,
+ )
+ )
 result['request_id'] = int(result['request_id'])
 result['cacn'] = ca_obj['cn'][0] |
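Review bot: The new `except ValueError as e:` branch in cert_request reports the malformed certificate only to the client through add_message, yet by this point the CA has already issued that certificate, so the event should also be recorded server-side (via the module's logger, if it has one) at warning level together with the request id, so operators can notice and investigate a CA emitting output the server cannot parse. `_parse` may also have populated part of `result` before raising, so a short comment on the except branch would help the next reader, e.g. `# _parse may have filled some fields before failing; CertificateInvalid tells the client not to rely on them`. Whether `reason=e` should instead be `reason=str(e)` depends on how messages.CertificateInvalid formats its reason, which is not visible here. The body of cert_request starts and ends outside the hunk, as does `_parse` in the first hunk.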