Commit 362a3f7a authored by Vincent Pelletier's avatar Vincent Pelletier

wsgi: Catch JSON payload decoding errors.

parent d1fbca1f
......@@ -42,3 +42,7 @@ class CertificateVerificationError(CertificateAuthorityException):
class NotACertificateSigningRequest(CertificateAuthorityException):
"""Provided value is not a certificate signing request"""
pass
class NotJSON(CertificateAuthorityException):
"""Provided value does not decode properly as JSON"""
pass
......@@ -1175,6 +1175,7 @@ class CaucaseTest(unittest.TestCase):
"""
Mock CAU.
"""
digest_list = ['sha256']
def getCACertificateList(self):
"""
Return cau ca list.
......@@ -1319,6 +1320,12 @@ class CaucaseTest(unittest.TestCase):
'CONTENT_TYPE': 'application/json',
'wsgi.input': StringIO('{"digest": null}'),
})[0], UNAUTHORISED_STATUS)
self.assertEqual(request({
'PATH_INFO': '/cau/crt/revoke',
'REQUEST_METHOD': 'PUT',
'CONTENT_TYPE': 'application/json',
'wsgi.input': StringIO('{"digest":"sha256","payload":""}'),
})[0], 400)
self.assertEqual(request({
'PATH_INFO': '/cau/crt/revoke',
'REQUEST_METHOD': 'PUT',
......
......@@ -33,7 +33,10 @@ from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding
import cryptography.exceptions
import pem
from .exceptions import CertificateVerificationError
from .exceptions import (
CertificateVerificationError,
NotJSON,
)
DEFAULT_DIGEST_LIST = ('sha256', 'sha384', 'sha512')
DEFAULT_DIGEST = DEFAULT_DIGEST_LIST[0]
......@@ -262,7 +265,10 @@ def unwrap(wrapped, getCertificate, digest_list):
'%r is not in allowed digest list',
)
hash_class = getattr(hashes, digest.upper())
payload = json.loads(wrapped['payload'])
try:
payload = json.loads(wrapped['payload'])
except ValueError:
raise NotJSON
x509.load_pem_x509_certificate(
getCertificate(payload).encode('ascii'),
_cryptography_backend,
......@@ -283,7 +289,10 @@ def nullUnwrap(wrapped):
an authenticated user (and hence over a secure channel, HTTPS).
"""
assert wrapped['digest'] is None
return json.loads(wrapped['payload'])
try:
return json.loads(wrapped['payload'])
except ValueError:
raise NotJSON
def load_ca_certificate(data):
"""
......
......@@ -169,6 +169,8 @@ class Application(object):
raise Conflict
except exceptions.NoStorage:
raise InsufficientStorage
except exceptions.NotJSON:
raise BadRequest('Invalid json payload')
except exceptions.CertificateAuthorityException, e:
raise BadRequest(str(e))
except Exception:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment