IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

cert: do not crash on invalid data in cert-find

Browse Source 
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This commit is contained in:
Jan Cholasta 2016-08-01 09:55:58 +02:00 committed by Martin Basti
parent c718ef0588
commit 8ad03259fe
1 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
ipaserver/plugins/cert.py
View File

@ -32,7 +32,7 @@ import six
from ipalib import Command, Str, Int, Flag from ipalib import Command, Str, Int, Flag
from ipalib import api from ipalib import api
from ipalib import errors from ipalib import errors, messages
from ipalib import pkcs10 from ipalib import pkcs10
from ipalib import x509 from ipalib import x509
from ipalib import ngettext from ipalib import ngettext
@ -994,7 +994,15 @@ class cert_find(Search, CertMethod):
) )
def _get_cert_key(self, cert): def _get_cert_key(self, cert):
nss_cert = x509.load_certificate(cert, x509.DER) try:
nss_cert = x509.load_certificate(cert, x509.DER)
except NSPRError as e:
message = messages.SearchResultTruncated(
reason=_("failed to load certificate: %s") % e,
)
self.add_message(message)
raise ValueError("failed to load certificate")
return (DN(unicode(nss_cert.issuer)), nss_cert.serial_number) return (DN(unicode(nss_cert.issuer)), nss_cert.serial_number)
@ -1017,7 +1025,10 @@ class cert_find(Search, CertMethod):
except KeyError: except KeyError:
return result, False, False return result, False, False
key = self._get_cert_key(cert) try:
key = self._get_cert_key(cert)
except ValueError:
return result, True, True
result[key] = self._get_cert_obj(cert, all, raw, pkey_only) result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
@ -1132,12 +1143,21 @@ class cert_find(Search, CertMethod):
entries = [] entries = []
truncated = False truncated = False
else: else:
try:
ldap.handle_truncated_result(truncated)
except errors.LimitsExceeded as e:
self.add_message(messages.SearchResultTruncated(reason=e))
truncated = bool(truncated) truncated = bool(truncated)
for entry in entries: for entry in entries:
for attr in ('usercertificate', 'usercertificate;binary'): for attr in ('usercertificate', 'usercertificate;binary'):
for cert in entry.get(attr, []): for cert in entry.get(attr, []):
key = self._get_cert_key(cert) try:
key = self._get_cert_key(cert)
except ValueError:
truncated = True
continue
try: try:
obj = result[key] obj = result[key]