[Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid
Fraser Tweedale
ftweedal at redhat.com
Fri May 13 02:24:48 UTC 2016
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
>
> Thanks,
> Fraser
>
Acked by alee (thanks!); pushed to master
(54c18d85a778775c86bcddab4eee929719ac4d23)
> From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Mon, 9 May 2016 12:57:32 +1000
> Subject: [PATCH] Reject cert request if resultant subject DN is invalid
>
> An unparseable subject DN is ignored, causing NPE in subsequent
> processing because the subject DN was not set. Throw
> ERejectException if the subject DN is invalid, to ensure that a
> useful response can be returned to the requestor.
>
> Fixes: https://fedorahosted.org/pki/ticket/2317
> ---
> .../com/netscape/certsrv/profile/ERejectException.java | 8 ++++++++
> .../com/netscape/cms/profile/def/SubjectNameDefault.java | 16 ++++++----------
> 2 files changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/base/common/src/com/netscape/certsrv/profile/ERejectException.java b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> index cceeb12ab8354b05dec0d0212d7a0f04de9e6184..1ada1c4ebca50ed79a443e2e47b3251a7303ff37 100644
> --- a/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> +++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> @@ -43,4 +43,12 @@ public class ERejectException extends EProfileException {
> public ERejectException(String msg) {
> super(msg);
> }
> +
> + public ERejectException(String msg, Throwable cause) {
> + super(msg, cause);
> + }
> +
> + public ERejectException(Throwable cause) {
> + super(cause.getMessage(), cause);
> + }
> }
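Review bot: The new `ERejectException(Throwable cause)` constructor dereferences `cause` without a null check and copies `cause.getMessage()` verbatim into the reject message. Going by the commit description, that message is meant to reach the requestor, so any low-level exception passed through this constructor would have its internal text shown to the client, and a cause with no message yields a null reject message. I would make the call null-safe, `super(cause == null ? null : cause.getMessage(), cause);`, and add a Javadoc line on the constructor such as `/** Uses the cause's message as the reject text; pass only causes whose message is safe to show to the requestor. */`. Both new constructors are otherwise undocumented, while the class itself starts outside this hunk.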
> diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> index 31aee6dd6d9299438fb62493f61879f9a01dd9ed..629f4bcc10869518ff890a96fa6657565df00abe 100644
> --- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> +++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> @@ -27,6 +27,7 @@ import netscape.security.x509.X509CertInfo;
> import com.netscape.certsrv.apps.CMS;
> import com.netscape.certsrv.base.IConfigStore;
> import com.netscape.certsrv.profile.EProfileException;
> +import com.netscape.certsrv.profile.ERejectException;
> import com.netscape.certsrv.profile.IProfile;
> import com.netscape.certsrv.property.Descriptor;
> import com.netscape.certsrv.property.EPropertyException;
> @@ -166,19 +167,14 @@ public class SubjectNameDefault extends EnrollDefault {
> return;
> try {
> name = new X500Name(subjectName);
> - } catch (IOException e) {
> - // failed to build x500 name
> - CMS.debug("SubjectNameDefault: populate " + e.toString());
> - }
> - if (name == null) {
> - // failed to build x500 name
> - }
> - try {
> info.set(X509CertInfo.SUBJECT,
> new CertificateSubjectName(name));
> } catch (Exception e) {
> - // failed to insert subject name
> - CMS.debug("SubjectNameDefault: populate " + e.toString());
> + CMS.debug("SubjectNameDefault: failed to populate: " + e);
> + throw new ERejectException(CMS.getUserMessage(
> + getLocale(request),
> + "CMS_PROFILE_INVALID_SUBJECT_NAME",
> + subjectName), e);
> }
> }
> }
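Review bot: The merged `try` block keeps `catch (Exception e)`, so every failure in it, including an unchecked exception from `info.set(...)` that has nothing to do with the DN, is now reported to the requestor as `CMS_PROFILE_INVALID_SUBJECT_NAME`. That can hide a server-side fault behind a client-facing rejection. Narrowing the handler to the checked exceptions these calls declare would keep the rejection specific, for example `} catch (IOException | CertificateException e) {` if those are what `X500Name` and `X509CertInfo.set` throw (the removed handler shows `IOException` for the parse; the `set` signature is not visible here). The diffstat lists only the two Java files, so it is worth confirming that the `CMS_PROFILE_INVALID_SUBJECT_NAME` key already exists in the user-message bundle and takes one argument. The enclosing method starts outside this hunk.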
> --
> 2.5.5
>