fix: return clear error for unsupported ECDSA/EC provisioning certificates

* Detect when node-forge cannot parse EC certificates from a PFX and return a descriptive error instead of a generic decrypt failure.
* Add null guards for empty cert arrays and missing CN fields in domainSuffixChecker.
* Route cert errors through a dedicated middleware to bypass express-validator field-level formatting.

Addresses #2505

Author: sinchubhat

src/certManager.test.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  **********************************************************************/
 
-import { CertManager } from './certManager.js'
+import { CertManager, UnsupportedCertificateError } from './certManager.js'
 import { NodeForge } from './NodeForge.js'
 import { type AMTKeyUsage, type CertAttributes, type CertificateObject } from './models/index.js'
 import Logger from './Logger.js'
@@ -63,6 +63,29 @@ describe('certManager tests', () => {
       expect(pfxobj.certs).toHaveLength(2)
       expect(pfxobj.keys).toHaveLength(1)
     })
+
+    test('throws UnsupportedCertificateError when cert bags contain no parseable certs (e.g. ECDSA)', () => {
+      const nodeForge = new NodeForge()
+      const certManager = new CertManager(new Logger('CertManager'), nodeForge)
+      const certBagOid = nodeForge.pkiOidsCertBag
+      const keyBagOid = nodeForge.pkcs8ShroudedKeyBag
+
+      spyOn(nodeForge, 'pkcs12FromAsn1').mockReturnValue({
+        getBags: (opts: any) => {
+          if (opts.bagType === certBagOid) {
+            return { [certBagOid]: [{ cert: null }, { cert: null }] }
+          }
+
+          return { [keyBagOid]: [] }
+        }
+      } as any)
+
+      expect(() => certManager.convertPfxToObject(TEST_PFXCERT, 'P@ssw0rd')).toThrow(UnsupportedCertificateError)
+
+      expect(() => certManager.convertPfxToObject(TEST_PFXCERT, 'P@ssw0rd')).toThrow(
+        /ECDSA\/EC certificates are not supported/
+      )
+    })
   })
 
   describe('dumpPfx tests', () => {

src/certManager.ts

@@ -23,6 +23,15 @@ interface Attribute {
   value: string
 }
 
+export class UnsupportedCertificateError extends Error {
+  public readonly code = 'UNSUPPORTED_CERTIFICATE'
+
+  constructor(message: string) {
+    super(message)
+    this.name = 'UnsupportedCertificateError'
+  }
+}
+
 export class CertManager {
   private readonly nodeForge: NodeForge
   private readonly logger: ILogger
@@ -165,6 +174,12 @@ export class CertManager {
       throw new Error('No certificate bags found')
     }
 
+    if (pfxOut.certs.length === 0) {
+      throw new UnsupportedCertificateError(
+        'No certificates could be parsed from the provisioning certificate. ECDSA/EC certificates are not supported. Please use an RSA certificate. To generate an RSA key: openssl genrsa -out key.pem 2048'
+      )
+    }
+
     // Process key bags
     const keyBags = pfx.getBags({ bagType: this.nodeForge.pkcs8ShroudedKeyBag })
     const keyBagArray = keyBags[this.nodeForge.pkcs8ShroudedKeyBag]

src/custom.d.ts

@@ -5,11 +5,14 @@
 
 import { type IDB } from './interfaces/database/IDb.js'
 import { type ISecretManagerService } from './interfaces/ISecretManagerService.js'
+import { type CertsAndKeys } from './models/index.js'
 
 declare module 'express' {
   export interface Request {
     secretsManager: ISecretManagerService
     tenantId?: string
     db: IDB
+    certError?: string
+    pfxobj?: CertsAndKeys | null
   }
 }

src/routes/admin/domains/domain.test.ts

@@ -184,6 +184,23 @@ describe('Domain Profile Validation', () => {
     }).toThrowError(new Error('FQDN not associated with provisioning certificate'))
   })
 
+  test('domainSuffixChecker - empty certs array', () => {
+    const emptyCertsPfx = { certs: [], keys: [] }
+    expect(() => {
+      domainSuffixChecker(emptyCertsPfx as any, 'vprodemo.com')
+    }).toThrowError(new Error('No certificates found in the provisioning certificate'))
+  })
+
+  test('domainSuffixChecker - cert without CN', () => {
+    const noCnPfx = {
+      certs: [{ subject: { getField: () => null } }],
+      keys: []
+    }
+    expect(() => {
+      domainSuffixChecker(noCnPfx as any, 'vprodemo.com')
+    }).toThrowError(new Error('Provisioning certificate does not contain a Common Name (CN) in the subject'))
+  })
+
   test('expirationChecker - success', () => {
     expect(() => {
       expirationChecker(pfxobj)

src/routes/admin/domains/domain.ts

@@ -3,15 +3,15 @@
  * SPDX-License-Identifier: Apache-2.0
  **********************************************************************/
 
-import { check, type CustomValidator } from 'express-validator'
+import { check, validationResult, type CustomValidator } from 'express-validator'
+import { type Request, type Response, type NextFunction } from 'express'
 import { NodeForge } from '../../../NodeForge.js'
-import { CertManager } from '../../../certManager.js'
+import { CertManager, UnsupportedCertificateError } from '../../../certManager.js'
 import Logger from '../../../Logger.js'
 import { type CertsAndKeys } from '../../../models/index.js'
 
 const nodeForge = new NodeForge()
 const certManager = new CertManager(new Logger('CertManager'), nodeForge)
-let pfxobj
 
 export const domainInsertValidator = (): any => [
   check('profileName')
@@ -60,13 +60,43 @@ export const domainUpdateValidator = (): any => [
 
 function passwordValidator(): CustomValidator {
   return (value, { req }) => {
-    pfxobj = passwordChecker(certManager, req)
+    try {
+      req.pfxobj = passwordChecker(certManager, req)
+    } catch (error) {
+      req.pfxobj = null
+      if (error instanceof UnsupportedCertificateError) {
+        req.certError = error.message
+        return true
+      }
+      throw error
+    }
     return true
   }
 }
 
+export function certErrorMiddleware(req: Request, res: Response, next: NextFunction): void {
+  const errors = validationResult(req)
+
+  // If there are other validation errors, let the normal validation handling run.
+  if (!errors.isEmpty()) {
+    next()
+
+    return
+  }
+
+  if (req.certError) {
+    res.status(400).json({ message: req.certError }).end()
+
+    return
+  }
+
+  next()
+}
+
 function domainSuffixValidator(): CustomValidator {
   return (value, { req }) => {
+    const pfxobj = req.pfxobj
+
     if (pfxobj != null) {
       domainSuffixChecker(pfxobj, value)
     }
@@ -76,6 +106,8 @@ function domainSuffixValidator(): CustomValidator {
 
 function expirationValidator(): CustomValidator {
   return (value, { req }) => {
+    const pfxobj = req.pfxobj
+
     if (pfxobj != null) {
       expirationChecker(pfxobj)
     }
@@ -88,6 +120,10 @@ export function passwordChecker(certManager: CertManager, req: any): CertsAndKey
     const pfxobj = certManager.convertPfxToObject(req.body.provisioningCert, req.body.provisioningCertPassword)
     return pfxobj
   } catch (error) {
+    if (error instanceof UnsupportedCertificateError) {
+      throw error
+    }
+
     throw new Error(
       'Unable to decrypt provisioning certificate. Please check that the password is correct, and that the certificate is a valid certificate.',
       { cause: error }
@@ -96,7 +132,17 @@ export function passwordChecker(certManager: CertManager, req: any): CertsAndKey
 }
 
 export function domainSuffixChecker(pfxobj: CertsAndKeys, value: any): void {
-  const certCommonName = pfxobj.certs[0].subject.getField('CN').value
+  if (!pfxobj.certs || pfxobj.certs.length === 0) {
+    throw new Error('No certificates found in the provisioning certificate')
+  }
+
+  const cnField = pfxobj.certs[0].subject.getField('CN')
+
+  if (!cnField) {
+    throw new Error('Provisioning certificate does not contain a Common Name (CN) in the subject')
+  }
+
+  const certCommonName = cnField.value
   const splittedCertCommonName: string[] = certCommonName.split('.')
   const parsedCertCommonName = (
     splittedCertCommonName[splittedCertCommonName.length - 2] +

src/routes/admin/domains/index.ts

@@ -9,14 +9,14 @@ import { getDomain } from './get.js'
 import { DomainCreate } from './create.js'
 import { deleteDomain } from './delete.js'
 import { editDomain } from './edit.js'
-import { domainInsertValidator, domainUpdateValidator } from './domain.js'
+import { domainInsertValidator, domainUpdateValidator, certErrorMiddleware } from './domain.js'
 import { odataValidator } from '../odataValidator.js'
 import validateMiddleware from '../../../middleware/validate.js'
 const domainRouter: Router = Router()
 const dc = new DomainCreate()
 domainRouter.get('/', odataValidator(), validateMiddleware, getAllDomains)
 domainRouter.get('/:domainName', getDomain)
-domainRouter.post('/', domainInsertValidator(), validateMiddleware, dc.createDomain)
+domainRouter.post('/', domainInsertValidator(), certErrorMiddleware, validateMiddleware, dc.createDomain)
 domainRouter.patch('/', domainUpdateValidator(), validateMiddleware, editDomain)
 domainRouter.delete('/:domainName', deleteDomain)