fix: optimize the error message for unmatchable certificate bundle (#113

) Fix: - optimize the error message for unmatchable certificate bundle (correct DNs but incorrect public key) - optimize error message for partial chain Test: Previous error message: ```json { "errorCode": "ERROR", "errorMessage": "Error occurred during a cryptographic operation." } ``` Current error message: ```json { "errorCode": "VALIDATION_ERROR", "errorMessage": "Failed to build the X509 chain. Error occurred during a cryptographic operation. The certificate bundle is unreadable. Please ensure the certificate bundle matches the specific certifcate." } ``` Resolves #114 Signed-off-by: Junjie Gao <[email protected]> --------- Signed-off-by: Junjie Gao <[email protected]>
Azure · May 24, 2023 · b284687 · b284687
1 parent d49ee99
commit b284687
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 4 deletions.
diff --git a/Notation.Plugin.AzureKeyVault.Tests/Certificate/CertificateChainTests.cs b/Notation.Plugin.AzureKeyVault.Tests/Certificate/CertificateChainTests.cs
@@ -44,5 +44,16 @@ public void Build_WithIncompleteCertificateBundle_ThrowsValidationException()
             // Act and Assert
             Assert.Throws<ValidationException>(() => CertificateChain.Build(invalidLeafCert, certificateBundle));
         }
+
+        [Fact]
+        public void Build_WithValidLeafAndUnmatchableCertificateBundle_BuildsCertificateChain()
+        {
+            // Arrange
+            X509Certificate2 leafCert = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "leaf.crt"));
+            X509Certificate2Collection certificateBundle = CertificateBundle.Create(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "unmatchable_root.pem"));
+
+            // Act and Assert
+            Assert.Throws<ValidationException>(() => CertificateChain.Build(leafCert, certificateBundle));
+        }
     }
 }
diff --git a/Notation.Plugin.AzureKeyVault.Tests/TestData/unmatchable_root.pem b/Notation.Plugin.AzureKeyVault.Tests/TestData/unmatchable_root.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAe+gAwIBAgIUIx7ad2iEjmGO+dMOMcE8bEJUH1AwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAgFw0yMzA1MjQwODQxMTJaGA8yMTIzMDQz
+MDA4NDExMlowEjEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJY6tHwYDw4MhBD/5lGymyIkCnsaOHFf8OiZwgTTpstvFVH/
+go9kr//BR9B/q7uewXVM4z+2/30xmtxN37mv+T45jFXkJwK00P5B8wFt9+oeGroh
+0eM8692we76NqTXPC6P2Td9dysyJ2f4ELLC7alinpLc2R6VaX5HLbJxZegrrP/w/
+CF0hiUzbdP9TfLqlmPcV29Tp4S3sLHhM3vmezF7XML4ciUybu3HlQKHA99edGxRs
+wh6aqxY/NmD+YtRg/9j3T7kmNLfXx0lbsQ5gKvMRSUGf3F5GLw/eGwz4vbTWmHTD
+xxWD07NSilvEhMjXzT0IymLSnecCPfWses7CvX0CAwEAAaNTMFEwHQYDVR0OBBYE
+FNsu62tfPB+kluRc4WrhN2kBQfdEMB8GA1UdIwQYMBaAFNsu62tfPB+kluRc4Wrh
+N2kBQfdEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHtVhbvR
+Fo26F+KmGRUgJgbz/0MIj5uOvynY6fpT8SynBYpx4z21esWCGAtt7X563prUfGXb
+rxQFYZ7FVAByOBxnGXEMfvcr1ON5wpnMsWE9WA2KA0I/uQFNKgBJedbGsvaptbeu
+zXIzMHWF/jblN5lmnRSW0QKqbY9D9B3Nfr6RW25X1E6zgabBoVEZBtqAT/pLFVIh
+es6kXh3+/i1K+F/olAyna0t+xAQjCgZaBKatEpaj95eiPQB6ODfi57xWeKuA7IPn
+a2obfC6s9Y2RhzUNSlre8/e56qzF7j0H8/rilkv1s6C425PfcSlAmybB8CL91XA6
+uxfr1nYPtXzHr/s=
+-----END CERTIFICATE-----
diff --git a/Notation.Plugin.AzureKeyVault/Certificate/CertificateChain.cs b/Notation.Plugin.AzureKeyVault/Certificate/CertificateChain.cs
@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Notation.Plugin.Protocol;
 
@@ -24,17 +25,24 @@ public static List<byte[]> Build(X509Certificate2 leafCert, X509Certificate2Coll
             chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
             chain.ChainPolicy.CustomTrustStore.AddRange(certificateBundle);
 
-            bool isValid = chain.Build(leafCert);
-            if (!isValid)
+            try
             {
-                throw new ValidationException("Certificate is invalid");
+                bool isValid = chain.Build(leafCert);
+                if (!isValid)
+                {
+                    throw new ValidationException("Certificate is invalid");
+                }
+            }
+            catch (CryptographicException e)
+            {
+                throw new ValidationException($"Failed to build the X509 chain. {e.Message} The certificate bundle is unreadable. Please ensure the certificate bundle matches the specific certifcate.");
             }
 
             foreach (X509ChainStatus status in chain.ChainStatus)
             {
                 if (status.Status == X509ChainStatusFlags.PartialChain)
                 {
-                    throw new ValidationException("Failed to build the X509 chain up to the root certificate. To resolve this issue, provide the intermediate and root certificates by passing the certificate bundle file's path to the `ca_certs` key in the pluginConfig");
+                    throw new ValidationException("Failed to build the X509 chain up to the root certificate. The provided certificate bundle either does not match or does not contain enough certificates to build a complete chain. To resolve this issue, provide the intermediate and root certificates by passing the certificate bundle file's path to the `ca_certs` key in the pluginConfig");
                 }
 
                 if (status.Status != X509ChainStatusFlags.NoError && status.Status != X509ChainStatusFlags.UntrustedRoot)