Commit cdcf1a20 authored by Vincent Pelletier's avatar Vincent Pelletier

ca: Intercept CSR parsing errors and convert into a custom exception

So that wsgi layer can convert it into a 4xx error, and it stops being a
5xx error + traceback.
Add a test.
parent 026c5000
...@@ -31,7 +31,10 @@ from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1 ...@@ -31,7 +31,10 @@ from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1
from cryptography.hazmat.primitives import padding from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from . import utils from . import utils
from .exceptions import CertificateVerificationError from .exceptions import (
CertificateVerificationError,
NotACertificateSigningRequest,
)
__all__ = ('CertificateAuthority', ) __all__ = ('CertificateAuthority', )
...@@ -289,7 +292,10 @@ class CertificateAuthority(object): ...@@ -289,7 +292,10 @@ class CertificateAuthority(object):
csr_pem (str) csr_pem (str)
PEM-encoded certificate signing request. PEM-encoded certificate signing request.
""" """
csr = utils.load_certificate_request(csr_pem) try:
csr = utils.load_certificate_request(csr_pem)
except ValueError:
raise NotACertificateSigningRequest
# Note: requested_amount is None when a known CSR is re-submitted # Note: requested_amount is None when a known CSR is re-submitted
csr_id, requested_amount = self._storage.appendCertificateSigningRequest( csr_id, requested_amount = self._storage.appendCertificateSigningRequest(
csr_pem=csr_pem, csr_pem=csr_pem,
......
...@@ -38,3 +38,7 @@ class Found(CertificateAuthorityException): ...@@ -38,3 +38,7 @@ class Found(CertificateAuthorityException):
class CertificateVerificationError(CertificateAuthorityException): class CertificateVerificationError(CertificateAuthorityException):
"""Certificate is not valid, it was not signed by CA""" """Certificate is not valid, it was not signed by CA"""
pass pass
class NotACertificateSigningRequest(CertificateAuthorityException):
"""Provided value is not a certificate signing request"""
pass
...@@ -40,7 +40,7 @@ import unittest ...@@ -40,7 +40,7 @@ import unittest
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from caucase import cli from caucase import cli
from caucase.client import CaucaseError from caucase.client import CaucaseError, CaucaseClient
from caucase import http from caucase import http
from caucase import utils from caucase import utils
from caucase import exceptions from caucase import exceptions
...@@ -714,6 +714,20 @@ class CaucaseTest(unittest.TestCase): ...@@ -714,6 +714,20 @@ class CaucaseTest(unittest.TestCase):
csr_id + ' not found - either csr id has a typo or CSR was rejected' csr_id + ' not found - either csr id has a typo or CSR was rejected'
], out) ], out)
def testBadCSR(self):
"""
Submitting an invalid CSR.
Requires bypassing cli, as it does its own checks.
"""
client = CaucaseClient(self._caucase_url + '/cas')
try:
client.putCSR('Not actually a CSR')
except CaucaseError, e:
self.assertEqual(e.args[0], 400, e)
else:
raise AssertionError('Did not raise CaucaseError(400, ...)')
def testUpdateUser(self): def testUpdateUser(self):
""" """
Verify that CAU certificate and revocation list are created when the Verify that CAU certificate and revocation list are created when the
......
...@@ -285,7 +285,10 @@ class Application(object): ...@@ -285,7 +285,10 @@ class Application(object):
""" """
if subpath: if subpath:
raise NotFound raise NotFound
csr_id = context.appendCertificateSigningRequest(self._read(environ)) try:
csr_id = context.appendCertificateSigningRequest(self._read(environ))
except exceptions.NotACertificateSigningRequest:
raise BadRequest('Not a valid certificate signing request')
return ( return (
STATUS_CREATED, STATUS_CREATED,
[ [
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment