cert: do not crash on invalid data in cert-find

https://fedorahosted.org/freeipa/ticket/6150 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
author: Jan Cholasta <jcholast@redhat.com> 2016-08-01 09:55:58 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-08-17 13:45:50 +0200
commit: 8ad03259fe770b222e70286fd00c3416b4ed197d (patch)
tree: a8e45d49b867b619d65ae378fc3051ba1d813a45 /ipaserver/plugins/cert.py
parent: c718ef058847bb39e78236e8af0ad69ac961bbcf (diff)
download: freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.tar.gz
freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.tar.xz
freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.zip
1 files changed, 24 insertions, 4 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 47dccf15a..b8df074a1 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -32,7 +32,7 @@ import six
 
 from ipalib import Command, Str, Int, Flag
 from ipalib import api
-from ipalib import errors
+from ipalib import errors, messages
 from ipalib import pkcs10
 from ipalib import x509
 from ipalib import ngettext
@@ -994,7 +994,15 @@ class cert_find(Search, CertMethod):
             )
 
     def _get_cert_key(self, cert):
-        nss_cert = x509.load_certificate(cert, x509.DER)
+        try:
+            nss_cert = x509.load_certificate(cert, x509.DER)
+        except NSPRError as e:
+            message = messages.SearchResultTruncated(
+                reason=_("failed to load certificate: %s") % e,
+            )
+            self.add_message(message)
+
+            raise ValueError("failed to load certificate")
 
         return (DN(unicode(nss_cert.issuer)), nss_cert.serial_number)
 
@@ -1017,7 +1025,10 @@ class cert_find(Search, CertMethod):
         except KeyError:
             return result, False, False
 
-        key = self._get_cert_key(cert)
+        try:
+            key = self._get_cert_key(cert)
+        except ValueError:
+            return result, True, True
 
         result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
 
@@ -1132,12 +1143,21 @@ class cert_find(Search, CertMethod):
             entries = []
             truncated = False
         else:
+            try:
+                ldap.handle_truncated_result(truncated)
+            except errors.LimitsExceeded as e:
+                self.add_message(messages.SearchResultTruncated(reason=e))
+
             truncated = bool(truncated)
 
         for entry in entries:
             for attr in ('usercertificate', 'usercertificate;binary'):
                 for cert in entry.get(attr, []):
-                    key = self._get_cert_key(cert)
+                    try:
+                        key = self._get_cert_key(cert)
+                    except ValueError:
+                        truncated = True
+                        continue
 
                     try:
                         obj = result[key]
author	Jan Cholasta <jcholast@redhat.com>	2016-08-01 09:55:58 +0200
committer	Martin Basti <mbasti@redhat.com>	2016-08-17 13:45:50 +0200
commit	8ad03259fe770b222e70286fd00c3416b4ed197d (patch)
tree	a8e45d49b867b619d65ae378fc3051ba1d813a45 /ipaserver/plugins/cert.py
parent	c718ef058847bb39e78236e8af0ad69ac961bbcf (diff)
download	freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.tar.gz freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.tar.xz freeipa-8ad03259fe770b222e70286fd00c3416b4ed197d.zip