From adb6802b1b4dec30f19c3bf76089b6bc60ac0454 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 1 Aug 2016 09:55:58 +0200
Subject: [PATCH] cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
ipaserver/plugins/cert.py | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
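diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 47dccf15a4010f2766642aedd2cc16e0a1eb1dd4..b8df074a186ca91daa8e8f5e725724ea7bc5a663 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -32,7 +32,7 @@ import six
 
 from ipalib import Command, Str, Int, Flag
 from ipalib import api
-from ipalib import errors
+from ipalib import errors, messages
 from ipalib import pkcs10
 from ipalib import x509
 from ipalib import ngettext
@@ -994,7 +994,15 @@ class cert_find(Search, CertMethod):
 )
 
 def _get_cert_key(self, cert):
- nss_cert = x509.load_certificate(cert, x509.DER)
+ try:
+ nss_cert = x509.load_certificate(cert, x509.DER)
+ except NSPRError as e:
+ message = messages.SearchResultTruncated(
+ reason=_("failed to load certificate: %s") % e,
+ )
+ self.add_message(message)
+
+ raise ValueError("failed to load certificate")
 
 return (DN(unicode(nss_cert.issuer)), nss_cert.serial_number)
 
@@ -1017,7 +1025,10 @@ class cert_find(Search, CertMethod):
 except KeyError:
 return result, False, False
 
- key = self._get_cert_key(cert)
+ try:
+ key = self._get_cert_key(cert)
+ except ValueError:
+ return result, True, True
 
 result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
 
@@ -1132,12 +1143,21 @@ class cert_find(Search, CertMethod):
 entries = []
 truncated = False
 else:
+ try:
+ ldap.handle_truncated_result(truncated)
+ except errors.LimitsExceeded as e:
+ self.add_message(messages.SearchResultTruncated(reason=e))
+
 truncated = bool(truncated)
 
 for entry in entries:
 for attr in ('usercertificate', 'usercertificate;binary'):
 for cert in entry.get(attr, []):
- key = self._get_cert_key(cert)
+ try:
+ key = self._get_cert_key(cert)
+ except ValueError:
+ truncated = True
+ continue
 
 try:
 obj = result[key]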
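Review bot: In the last hunk a certificate value that fails to parse is dropped with `truncated = True` and `continue`, and the only trace is the `SearchResultTruncated` message built in `_get_cert_key`, which carries the NSS error text but not the entry the value came from. An administrator who sees that warning cannot tell which directory entry holds the malformed `usercertificate` value, and the same flag now covers both a genuine search limit and skipped data. I would record the DN at the skip site, for example `self.log.warning("cert-find: unparsable certificate in %s", entry.dn)` (assuming the plugin logger is in scope here), and add the comment `# malformed value: skip it but mark the result as incomplete` above `truncated = True`. The enclosing method starts and ends outside the hunk, and the import that brings `NSPRError` into scope is not visible in the first hunk, so that is worth confirming as well.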
--
2.7.4