certstore: catch exceptions loading certificates

Change-Id: I341b698bf4feb3fa494124cc614b6014ac24467c
diff --git a/src/connectionmanager.cpp b/src/connectionmanager.cpp
index 127b55b..94e009d 100644
--- a/src/connectionmanager.cpp
+++ b/src/connectionmanager.cpp
@@ -1452,7 +1452,7 @@
     // Device certificate can't be self-signed
     if (top_issuer == crt) {
         if (logger)
-            logger->warn("Found invalid peer device: {}", crt->getLongId());
+            logger->warn("Found invalid (self-signed) peer device: {}", crt->getLongId());
         return false;
     }
 
@@ -1469,7 +1469,7 @@
     // Check cached OCSP response
     if (crt->ocspResponse and crt->ocspResponse->getCertificateStatus() != GNUTLS_OCSP_CERT_GOOD) {
         if (logger)
-            logger->error("Certificate %s is disabled by cached OCSP response", crt->getLongId());
+            logger->error("Certificate {} is disabled by cached OCSP response", crt->getLongId());
         return false;
     }
 
diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp
index 2ef05e4..9b6bb96 100644
--- a/src/security/certstore.cpp
+++ b/src/security/certstore.cpp
@@ -165,11 +165,16 @@
 std::shared_ptr<crypto::Certificate>
 CertificateStore::getCertificateLegacy(const std::string& dataDir, const std::string& k)
 {
-    auto oldPath = fmt::format("{}/certificates/{}", dataDir, k);
-    if (fileutils::isFile(oldPath)) {
-        auto crt = std::make_shared<crypto::Certificate>(oldPath);
-        pinCertificate(crt, true);
-        return crt;
+    try {
+        auto oldPath = fmt::format("{}/certificates/{}", dataDir, k);
+        if (fileutils::isFile(oldPath)) {
+            auto crt = std::make_shared<crypto::Certificate>(oldPath);
+            pinCertificate(crt, true);
+            return crt;
+        }
+    } catch (const std::exception& e) {
+        if (logger_)
+            logger_->warn("Can't load certificate: {:s}", e.what());
     }
     return {};
 }
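Review bot: The warning in the new catch block does not say which certificate failed to load, because only `e.what()` is logged even though `k` is in scope. Someone triaging a corrupt or tampered file under `certificates/` cannot tell which entry to inspect. I would write `logger_->warn("Can't load legacy certificate {}: {:s}", k, e.what());`. The same unattributed message appears in the catch added in the `@@ -273,12 +278,17 @@` hunk, where `path` is in scope and could be logged the same way. Separately, `k` goes into the path unchecked; if any caller can pass an id that has not already been validated as a certificate id (not visible from this hunk), it should be rejected before the `fmt::format` call.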
@@ -273,12 +278,17 @@
             std::lock_guard<std::mutex> l(lock_);
 
             for (auto& cert : certs) {
-                auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
-                scerts.emplace_back(shared);
-                auto e = certs_.emplace(shared->getId().toString(), shared);
-                ids.emplace_back(e.first->first);
-                e = certs_.emplace(shared->getLongId().toString(), shared);
-                ids.emplace_back(e.first->first);
+                try {
+                    auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
+                    scerts.emplace_back(shared);
+                    auto e = certs_.emplace(shared->getId().toString(), shared);
+                    ids.emplace_back(e.first->first);
+                    e = certs_.emplace(shared->getLongId().toString(), shared);
+                    ids.emplace_back(e.first->first);
+                } catch (const std::exception& e) {
+                    if (logger_)
+                        logger_->warn("Can't load certificate: {:s}", e.what());
+                }
             }
             paths_.emplace(path, std::move(scerts));
         }
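Review bot: An exception raised partway through the new try block leaves a half-registered certificate, because `scerts.emplace_back(shared)` and the first `certs_.emplace` run before `getLongId()` is evaluated. If `getId()` or `getLongId()` can throw for a malformed certificate (their definitions are outside this diff), the catch logs and continues while the certificate stays in `scerts`, and so in `paths_`, and possibly in `certs_` under only one key. Resolving both ids before any container is modified makes a failing certificate a clean skip. The enclosing function starts outside the hunk, so how `ids` and `scerts` are used afterwards is not visible here.

```cpp
                try {
                    auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
                    // Resolve both ids before touching certs_/scerts so a throw leaves no partial entry
                    auto id = shared->getId().toString();
                    auto longId = shared->getLongId().toString();
                    auto e = certs_.emplace(std::move(id), shared);
                    ids.emplace_back(e.first->first);
                    e = certs_.emplace(std::move(longId), shared);
                    ids.emplace_back(e.first->first);
                    scerts.emplace_back(std::move(shared));
                // … unchanged: catch block logging the failure …
```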