cert-request: avoid internal error when cert malformed

When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs.  Handle the exception by notifying about
the malformed certificate in the response messages.

Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fraser Tweedale 2018-02-05 15:06:49 +11:00 committed by Christian Heimes
parent fa5394cc62
commit 01c534c229

@ -468,6 +468,10 @@ class BaseCertObject(Object):
attribute when ``True`` in addition to the specialised
attribute.
Raise ``ValueError`` if the certificate is malformed.
(Note: only the main certificate structure and Subject Alt
Name extension are examined.)
"""
if 'certificate' in obj:
cert = x509.load_der_x509_certificate(
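
Review bot: The new docstring line promises ``ValueError`` for a malformed certificate, but this hunk changes only documentation, so nothing visible here guarantees that the Subject Alt Name parsing path raises ``ValueError`` rather than some other exception type. Since the new handler in cert_request catches only ``ValueError``, please confirm (or add a test showing) that both the `x509.load_der_x509_certificate(` call and the SAN extension parsing surface that type. It would also help to say in the note that a clean return does not mean the rest of the certificate was validated, since only those two parts are examined.
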
@ -876,7 +880,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
raise e
if not raw:
self.obj._parse(result, all)
try:
self.obj._parse(result, all)
except ValueError as e:
self.add_message(
messages.CertificateInvalid(
subject=principal,
reason=e,
)
)
result['request_id'] = int(result['request_id'])
result['cacn'] = ca_obj['cn'][0]
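
Review bot: In the `except ValueError as e:` branch the failure is reported only as a message and execution falls through to `result['request_id'] = int(result['request_id'])`, so the caller receives a result whose parsed attributes may be missing or only partly filled in if `_parse` modified `result` before raising. Please document that the derived attributes can be absent when `CertificateInvalid` is present, or make sure `_parse` leaves `result` untouched on failure. Also consider passing `reason=str(e)` instead of the exception object, so the message text does not depend on how the message class formats its arguments.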