From 24ad811460949ead774d0d7c6b09d905f555b439 Mon Sep 17 00:00:00 2001
From: Gerhard Jungwirth
Date: Thu, 24 Apr 2014 16:23:32 +0200
Subject: [PATCH] MT#6695 error checks on generating certificates

---
 lib/NGCP/Panel/Controller/Administrator.pm | 11 ++++++++-
 lib/NGCP/Panel/Model/CA.pm | 26 +++++++++++++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/lib/NGCP/Panel/Controller/Administrator.pm b/lib/NGCP/Panel/Controller/Administrator.pm
index 26473b842a..9464079268 100644
--- a/lib/NGCP/Panel/Controller/Administrator.pm
+++ b/lib/NGCP/Panel/Controller/Administrator.pm
@@ -227,7 +227,16 @@ sub api_key :Chained('base') :PathPart('api_key') :Args(0) {
 my $cert;
 if ($c->req->body_parameters->{'gen.generate'}) {
 $serial = time;
- $cert = $c->model('CA')->make_client($c, $serial);
+ try {
+ $cert = $c->model('CA')->make_client($c, $serial);
+ } catch ($e) {
+ NGCP::Panel::Utils::Message->error(
+ c => $c,
+ error => $e,
+ desc => $c->loc("Failed to generate client certificate."),
+ );
+ NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
+ }
 my $updated;
 while (!$updated) {
 try {
diff --git a/lib/NGCP/Panel/Model/CA.pm b/lib/NGCP/Panel/Model/CA.pm
index 5f90e4a92f..a73af256c7 100644
--- a/lib/NGCP/Panel/Model/CA.pm
+++ b/lib/NGCP/Panel/Model/CA.pm
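Review bot: After the new catch block reports the error and calls `NGCP::Panel::Utils::Navigation::back_or`, control falls through to `my $updated; while (!$updated)` with `$cert` still undefined, unless back_or itself detaches the request, which is not visible in this hunk. An explicit `return;` (or `$c->detach;`) right after the back_or call would make the abort unconditional instead of depending on that helper's behaviour. The enclosing sub api_key starts and ends outside the hunk.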
@@ -29,7 +29,17 @@ sub COMPONENT {
 sub make_client {
 my ($self, $c, $serial) = @_;
 my $client_key = Path::Tiny->tempfile;
- my $command = sprintf 'certtool -p --bits 3248 --outfile %s 1>&- 2>&-', $client_key->stringify;
+ my $command = 'openssl x509 -noout -purpose -in ' . ($c->config->{ssl}->{rest_api_certfile} || $c->config->{ssl}->{certfile});
+ $c->log->debug($command);
+ my ($stdout, $stderr) = capture {
+ try {
+ system $command;
+ };
+ };
+ unless ($stdout =~ m/SSL (client|server) CA : Yes/) {
+ die [$c->loc('Cannot use the configured certificate for signing client certificates'), "showdetails"];
+ }
+ $command = sprintf 'certtool -p --bits 3248 --outfile %s 1>&- 2>&-', $client_key->stringify;
 $c->log->debug($command);
 system $command;
 my $client_signing_template = Path::Tiny->tempfile;
@@ -38,13 +48,23 @@ sub make_client {
 $client_signing_template->spew($tmpl);
 my $client_cert = Path::Tiny->tempfile;
 $command = sprintf
- 'certtool -c --load-privkey %s --outfile %s --load-ca-certificate %s --load-ca-privkey %s --template %s 1>&- 2>&-',
+ 'certtool -c --load-privkey %s --outfile %s --load-ca-certificate %s --load-ca-privkey %s --template %s',
 $client_key->stringify, $client_cert->stringify,
 ($c->config->{ssl}->{rest_api_certfile} || $c->config->{ssl}->{certfile}),
 ($c->config->{ssl}->{rest_api_keyfile} || $c->config->{ssl}->{keyfile}),
 $client_signing_template->stringify;
 $c->log->debug($command);
- system $command;
+ my $exep;
+ ($stdout, $stderr) = capture {
+ try {
+ system $command;
+ } catch ($e) {
+ $exep = $e;
+ };
+ };
+ $c->log->debug($stdout) if $stdout;
+ $c->log->warn($stderr) if $stderr;
+ die $exep if $exep;
 my $cert = $client_cert->slurp . $client_key->slurp =~ s/.*(?=-----BEGIN RSA PRIVATE KEY-----)//mrs;
 $client_cert->remove;
 $client_key->remove;
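Review bot: The purpose check runs `system $command` with a single string, so the certificate path taken from `rest_api_certfile`/`certfile` goes through the shell unquoted; a path containing whitespace or shell metacharacters either breaks the check or is interpreted by the shell rather than passed to openssl. The list form avoids the shell entirely: `my $certfile = $c->config->{ssl}->{rest_api_certfile} || $c->config->{ssl}->{certfile};` and, inside the capture block, `system 'openssl', 'x509', '-noout', '-purpose', '-in', $certfile;` (the logged command string can stay for debugging). The same pattern applies to the certtool invocations in this hunk and the next. Note also that the `try` around `system` catches nothing unless `system` has been made to throw (e.g. autodie) somewhere outside the hunk, so the regex on `$stdout` is the only effective gate here; make_client continues past the end of the hunk.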
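Review bot: `$exep` is only set when `system` throws, but a plain `system` never throws: a failing `certtool -c` returns a non-zero status in `$?`, so unless autodie covers `system` somewhere outside this hunk the signing failure goes undetected and the code proceeds to slurp an empty `$client_cert`. Recording the status inside the capture block and checking it afterwards makes the error path work either way: add `my $status;` before the capture, `$status = $?;` right after the `system $command;` line, and `die [$c->loc('Generating the client certificate failed'), "showdetails"] if $status;` after the two log calls (message wording is a constructed example; the status is recorded inside the block because the capture helper may not preserve `$?`). The `certtool -p` key-generation call in the previous hunk has the same unchecked status. make_client continues past the end of this hunk.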