dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Misleading exception message in EnrollProfile #1938

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1376. Originally filed by edewata (@edewata) on 2015-05-12 22:28:01:


Under certain circumstances the EnrollProfile might throw an EProfileException with a message saying "Invalid Request" whereas the actual error may be something completely different, thus misleading the investigation of the actual error and delaying the resolution.

In the following example the actual error is NoSuchTokenException: https://www.redhat.com/archives/freeipa-users/2015-May/msg00195.html

[11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10: signature verification enabled
[11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10 org.mozilla.jss.NoSuchTokenException
[11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10 restoring thread token
Invalid Request
        at com.netscape.cms.profile.common.EnrollProfile.parsePKCS10(EnrollProfile.java:953)
        at ...

Here is the code:

try {
    cm = CryptoManager.getInstance();
    sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
    if (sigver) {
        CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled");
        String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
            "Internal Key Storage Token");
        savedToken = cm.getThreadToken();
        // Throws NoSuchTokenException if ca.requestVerify.token names a token
        // that is not present; this is the failure seen in the log above.
        CryptoToken signToken = cm.getTokenByName(tokenName);
        CMS.debug("EnrollProfile: parsePKCS10 setting thread token");
        cm.setThreadToken(signToken);
        pkcs10 = new PKCS10(data);
    } else {
        CMS.debug("EnrollProfile: parsePKCS10: signature verification disabled");
        pkcs10 = new PKCS10(data, sigver);
    }
} catch (Exception e) {
    // Any exception (token lookup, thread token handling, or the actual
    // PKCS#10 parse) is only written to the debug log ...
    CMS.debug("EnrollProfile: parsePKCS10 " + e.toString());
    // ... and then replaced by a generic "Invalid Request" with no cause
    // attached, so the stack trace the caller sees never shows the real error.
    throw new EProfileException(
        CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
} finally {
    if (sigver) {
        CMS.debug("EnrollProfile: parsePKCS10 restoring thread token");
        cm.setThreadToken(savedToken);
    }
}

Possible solutions:

  1. The message should be changed into "Parsing Error" or just "Error" instead of "Invalid Request".
  2. The EProfileException should be chained to the original exception so the cause will appear in the stack trace.
  3. Do not catch JSS exceptions and let them be handled by the caller.
  4. Fix similar issues in EnrollProfile.

Proposed milestone: 9.0.x
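
The following is an added example, not code from the issue or from the pki code base, that contrasts the catch-all pattern shown above with solutions 2 and 3 from the list. The NoSuchTokenException and EProfileException classes, getTokenByName() and parsePkcs10() are minimal hypothetical stand-ins for the JSS/CMS types (assumed behaviour: only "Internal Key Storage Token" exists, and an empty request is malformed); the token name "HSM Token" and the request bytes are constructed inputs.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class ExceptionChainingDemo {

    // Hypothetical stand-ins for the JSS/CMS exception classes named in the issue.
    static class NoSuchTokenException extends Exception {
        NoSuchTokenException(String tokenName) { super("no such token: " + tokenName); }
    }

    static class EProfileException extends Exception {
        EProfileException(String message) { super(message); }
        EProfileException(String message, Throwable cause) { super(message, cause); }
    }

    static final String INTERNAL_TOKEN = "Internal Key Storage Token";
    static final String INVALID_REQUEST = "Invalid Request";

    // Stand-in for cm.getTokenByName(): assumption that only the internal token is configured.
    static String getTokenByName(String name) throws NoSuchTokenException {
        if (!INTERNAL_TOKEN.equals(name)) throw new NoSuchTokenException(name);
        return name;
    }

    // Stand-in for new PKCS10(data): assumption that an empty request is the only malformed case.
    static void parsePkcs10(byte[] data) {
        if (data == null || data.length == 0)
            throw new IllegalArgumentException("malformed PKCS#10 request");
    }

    // Pattern from the issue: every failure becomes "Invalid Request" and the cause is dropped.
    static void parseLossy(String tokenName, byte[] data) throws EProfileException {
        try {
            getTokenByName(tokenName);
            parsePkcs10(data);
        } catch (Exception e) {
            throw new EProfileException(INVALID_REQUEST);
        }
    }

    // Solution 2: same user-facing message, but the original exception is chained as the cause,
    // so printStackTrace() shows a "Caused by:" section with the real error.
    static void parseChained(String tokenName, byte[] data) throws EProfileException {
        try {
            getTokenByName(tokenName);
            parsePkcs10(data);
        } catch (Exception e) {
            throw new EProfileException(INVALID_REQUEST, e);
        }
    }

    // Solution 3: only the parse failure is reported as an invalid request; the token lookup
    // error is a server-side configuration problem and propagates to the caller unchanged.
    static void parseNarrow(String tokenName, byte[] data)
            throws NoSuchTokenException, EProfileException {
        getTokenByName(tokenName);   // deliberately not caught here
        try {
            parsePkcs10(data);
        } catch (IllegalArgumentException e) {
            throw new EProfileException(INVALID_REQUEST, e);
        }
    }

    static String stackTraceOf(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    public static void main(String[] args) {
        byte[] request = "constructed placeholder, not a real CSR".getBytes();
        String missingToken = "HSM Token";   // constructed: not configured, triggers NoSuchTokenException

        try {
            parseLossy(missingToken, request);
        } catch (EProfileException e) {
            System.out.println("lossy: cause=" + e.getCause());   // null: the real error is gone
            System.out.print(stackTraceOf(e));
        }

        try {
            parseChained(missingToken, request);
        } catch (EProfileException e) {
            String trace = stackTraceOf(e);
            System.out.println("chained: cause=" + e.getCause());
            System.out.println("chained: trace names NoSuchTokenException: "
                    + trace.contains("NoSuchTokenException"));
        }

        try {
            parseNarrow(missingToken, request);
        } catch (NoSuchTokenException e) {
            System.out.println("narrow: token error reached the caller as " + e);
        } catch (EProfileException e) {
            System.out.println("narrow: parse error " + e);
        }
    }
}
```

Running the example with the missing token shows the three behaviours side by side: parseLossy() yields an EProfileException whose getCause() is null and whose trace only points at the catch block, parseChained() keeps the same "Invalid Request" message but its trace carries a "Caused by: ...NoSuchTokenException" line, and parseNarrow() lets the token error surface under its own type so a misconfigured ca.requestVerify.token is not mistaken for a bad CSR.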

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2017-02-27 14:12:01

Metadata Update from @edewata: