Commit cdcf1a20 authored by Vincent Pelletier's avatar Vincent Pelletier

ca: Intercept CSR parsing errors and convert into a custom exception

So that wsgi layer can convert it into a 4xx error, and it stops being a
5xx error + traceback.
Add a test.
parent 026c5000
......@@ -31,7 +31,10 @@ from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from . import utils
from .exceptions import CertificateVerificationError
from .exceptions import (
CertificateVerificationError,
NotACertificateSigningRequest,
)
__all__ = ('CertificateAuthority', )
......@@ -289,7 +292,10 @@ class CertificateAuthority(object):
csr_pem (str)
PEM-encoded certificate signing request.
"""
try:
csr = utils.load_certificate_request(csr_pem)
except ValueError:
raise NotACertificateSigningRequest
# Note: requested_amount is None when a known CSR is re-submitted
csr_id, requested_amount = self._storage.appendCertificateSigningRequest(
csr_pem=csr_pem,
......
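Review bot: Only `ValueError` is translated by the new `try` around `utils.load_certificate_request(csr_pem)`, so any other exception the loader can raise on malformed input would still surface as a 5xx with a traceback. Whether such a case exists depends on `utils`, which is not visible in this hunk, so a short comment recording the assumption would help, e.g. `# load_certificate_request raises ValueError for anything that does not parse as a CSR`. The bare `raise NotACertificateSigningRequest` also drops the parser's message; logging it server-side before re-raising would keep it available for diagnosis while the client still only sees the fixed 400 text. The method body continues past the end of the hunk.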
......@@ -38,3 +38,7 @@ class Found(CertificateAuthorityException):
class CertificateVerificationError(CertificateAuthorityException):
"""Certificate is not valid, it was not signed by CA"""
pass
class NotACertificateSigningRequest(CertificateAuthorityException):
"""Provided value is not a certificate signing request"""
pass
......@@ -40,7 +40,7 @@ import unittest
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from caucase import cli
from caucase.client import CaucaseError
from caucase.client import CaucaseError, CaucaseClient
from caucase import http
from caucase import utils
from caucase import exceptions
......@@ -714,6 +714,20 @@ class CaucaseTest(unittest.TestCase):
csr_id + ' not found - either csr id has a typo or CSR was rejected'
], out)
def testBadCSR(self):
"""
Submitting an invalid CSR.
Requires bypassing cli, as it does its own checks.
"""
client = CaucaseClient(self._caucase_url + '/cas')
try:
client.putCSR('Not actually a CSR')
except CaucaseError, e:
self.assertEqual(e.args[0], 400, e)
else:
raise AssertionError('Did not raise CaucaseError(400, ...)')
def testUpdateUser(self):
"""
Verify that CAU certificate and revocation list are created when the
......
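Review bot: `testBadCSR` exercises a single malformed input, the free-text string `'Not actually a CSR'`, so it only shows that the simplest parse failure becomes a 400. A second assertion with PEM-armored data that is not a CSR (for instance a certificate, or a truncated request) would confirm that those inputs are also rejected as 400 rather than falling through to a 5xx. As a style point, `except CaucaseError, e:` is Python 2-only syntax, while `except CaucaseError as e:` works on 2.6+ and 3. The try/except/else could also be written as `with self.assertRaises(CaucaseError) as cm:` followed by `self.assertEqual(cm.exception.args[0], 400)`.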
......@@ -285,7 +285,10 @@ class Application(object):
"""
if subpath:
raise NotFound
try:
csr_id = context.appendCertificateSigningRequest(self._read(environ))
except exceptions.NotACertificateSigningRequest:
raise BadRequest('Not a valid certificate signing request')
return (
STATUS_CREATED,
[
......
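Review bot: The new `try` wraps both `self._read(environ)` and the `context.appendCertificateSigningRequest(...)` call, although only the latter is expected to raise `NotACertificateSigningRequest`. Reading the body first (`csr_pem = self._read(environ)`) and keeping only the CA call inside the `try` makes it explicit which step the 400 mapping applies to. The fixed `BadRequest` message is a good choice, since it avoids echoing parser details back to the client. The handler continues outside the hunk.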