authorFraser Tweedale <ftweedal@redhat.com>2018-02-05 15:06:49 +1100
committerChristian Heimes <cheimes@redhat.com>2018-02-06 11:42:34 +0100
commit01c534c229d808d497f866c3c704701c8c57f894 (patch)
tree723e0222367ac10db606cf5c214b84aae15bd202
parentfa5394cc62be5e48265985fedd452a824d46f1b7 (diff)
cert-request: avoid internal error when cert malformed
When executing cert-request, if Dogtag successfully issues a certificate but python-cryptography cannot parse the certificate, an unhandled exception occurs. Handle the exception by notifying about the malformed certificate in the response messages. Fixes: https://pagure.io/freeipa/issue/7390 Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
-rw-r--r--ipaserver/plugins/cert.py14
1 files changed, 13 insertions, 1 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index f40d0f943..db624357a 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -468,6 +468,10 @@ class BaseCertObject(Object):
attribute when ``True`` in addition to the specialised
attribute.
+ Raise ``ValueError`` if the certificate is malformed.
+ (Note: only the main certificate structure and Subject Alt
+ Name extension are examined.)
+
"""
if 'certificate' in obj:
cert = x509.load_der_x509_certificate(
@@ -876,7 +880,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
raise e
if not raw:
- self.obj._parse(result, all)
+ try:
+ self.obj._parse(result, all)
+ except ValueError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e,
+ )
+ )
result['request_id'] = int(result['request_id'])
result['cacn'] = ca_obj['cn'][0]
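Review bot: The `except ValueError` added around `self.obj._parse(result, all)` turns a parse failure into a response message only, while execution falls through to `result['request_id'] = ...` and the command still returns success with the raw `certificate` in `result`; if `_parse` fails part-way it may also leave `result` with only some of the derived attributes populated, which is worth a comment at the `except`, e.g. `# Dogtag already issued the cert; report it as malformed and return the raw DER, the parsed attributes may be partial or absent`. Since the CA has already issued the certificate at this point, a server-side record in addition to the client-facing message would help operators notice a misbehaving profile, e.g. `logger.warning("cert-request for %s: issued certificate is malformed: %s", principal, e)` if this module has a logger in scope (not visible in the hunk). `reason=e` hands the exception object to `messages.CertificateInvalid`; unless that class already stringifies its fields, `reason=str(e)` is the safer form. The enclosing `cert_request` method starts before the hunk, and `principal`, `raw` and `ca_obj` are defined outside it.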