Closed phonexicum closed 2 months ago
Exception handling is beyond the scope of this framework. If you look in sources:
https://github.com/PKISolutions/ADCS-CertMod/blob/f735ac1ba4185cffb7ef63bad34ccea26f2ab533/ADCS.CertMod.Managed/Policy/CertPolicyBase.cs#L51-L54
I'm only calling native (one level below) policy module. This method is virtual
, which means that when you override this method, you are taking all the responsibility to handle all exceptions from native policy module and your own policy module.
Sample implementation can be found here:
https://github.com/PKISolutions/ADCS-SID-Extension-Policy-Module/blob/4109679b24c9431b10e63a077df273371909b5ba/src/ADCS.SidExtension.PolicyModule/Policy.cs#L29
The idea is that in your override, you call base method (get estimated status returned by native policy module), then handle results and override if necessary. It is advised to not override behavior when native policy module returns Deny
, because it will fail anyways eventually by CA engine.
Turns out handling of errors during certificate request processing is performed via COMExceptions.
If the
VerifyRequest
will throw COMException (instead of returningPolicyModuleAction.Deny
), the ADCS will:COMException::ErrorCode
into certificate requestRequest Status Code
property.Request Disposition Message
the fixed message:Denied by Policy Module
Personally, I prefered the mechanics of throwing COMException with some status code more informative for the end-user (e.g. ADCS windows administrator), instead of just silently returning
Deny
with status code 0 (interpreted as success). For example it could be something like this:Microsoft's native policy module (
CertificateAuthority_MicrosoftDefault.Policy
) may also send COMException.Microsoft's native module exceptions is not always "understandable". Here is an example of exception, thrown by native module:
The actual message in exception is weird, and misleading. But if we check the error code
0x80094012
, which translates into:Now the situation become perfectly clear, indeed test user didn't obtain enroll privileges for a specified template.
This issue is infromative in the first place, because I didn't found any information about exception handling neither in microsoft's documentation (1, 2) or ADCS-CertMod docs.
Feel free to close the issue, but maybe you will find it appropriate to append some information about COMException handling in your documentation.