EJBCA / ECA-4386

Exception thrown when listing user certificates for subject DN with incomplete fields

    Details

    • Issue discovered during:
      Customer

      Description

      When listing user certificates on the public web page, if the subject DN provided is slightly malformed, a java.lang.StringIndexOutOfBoundsException will be thrown.

      The issue seems to be related to parsing of incomplete subject DNs (trailing commas, incomplete fields - with no values etc).

      Reproduction steps:

      1. Open page Public Web -> Retrieve -> List User's Certificates.

      2. Set "Subject DN" to one of the following values:

      • ,CN=john
      • CN=john,
      • CN=john,C
      • C,CN=john

      3. Click on the "OK" button.

      Expected results:

      1. An error is reported. The message is "No certificates exist for 'SUBJECT_DN'".

      Actual results:

      1. Exception is thrown. See attached error page.

      Additional notes:

      Some other similar expressions seem to work. For example, these seem to work ok:

      • C=,,CN==john
      • CN=john,,C=

      Bump this issue up if you think it is a security problem.
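
A defensive check for the inputs listed in this report, as an added example (not EJBCA's code and not part of the original issue): it validates the subject DN up front and maps any malformed component to the expected "No certificates exist" response instead of letting a parsing exception reach the error page. The class and method names are hypothetical, quoted values and multi-valued RDNs are not handled, and the check is stricter than the behaviour described above, since it also rejects the two inputs listed as working.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of EJBCA.
public class SubjectDnCheck {

    /** Splits on unescaped commas; a backslash escapes the next character. */
    static List<String> splitRdns(String dn) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {
                cur.append(c).append(dn.charAt(++i)); // keep the escaped pair together
            } else if (c == ',') {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString()); // last piece; empty for "CN=john,"
        return parts;
    }

    /** Returns null if every component is type=value, otherwise the reason. */
    static String firstProblem(String dn) {
        if (dn == null || dn.trim().isEmpty()) return "empty subject DN";
        for (String part : splitRdns(dn)) {
            String rdn = part.trim();
            int eq = rdn.indexOf('=');
            if (rdn.isEmpty()) return "empty component";
            if (eq < 0) return "component without '=': " + rdn;
            if (eq == 0) return "missing attribute type: " + rdn;
            if (eq == rdn.length() - 1) return "missing value: " + rdn;
        }
        return null;
    }

    public static void main(String[] args) {
        // The four failing inputs from the report, the two "working" ones, and a valid DN.
        String[] samples = {",CN=john", "CN=john,", "CN=john,C", "C,CN=john",
                            "C=,,CN==john", "CN=john,,C=", "CN=john,C=SE"};
        for (String dn : samples) {
            String problem = firstProblem(dn);
            // Console output only; a web page must HTML-encode dn before echoing it.
            System.out.println("'" + dn + "' -> " + (problem == null ? "ok, run lookup"
                    : "No certificates exist for '" + dn + "' (" + problem + ")"));
        }
    }
}
```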

            People

            Assignee:
            Unassigned
            Reporter:
            branko Branko Majic (Inactive)