Skip to content

fix: return clear error for unsupported ECDSA/EC provisioning certificates#2604

Draft
sinchubhat wants to merge 1 commit intomainfrom
issue2505-rps
Draft

fix: return clear error for unsupported ECDSA/EC provisioning certificates#2604
sinchubhat wants to merge 1 commit intomainfrom
issue2505-rps

Conversation

@sinchubhat
Copy link
Contributor

@sinchubhat sinchubhat commented Mar 17, 2026

  • Detect when node-forge cannot parse EC certificates from a PFX and return a descriptive error instead of a generic decrypt failure.
  • Add null guards for empty cert arrays and missing CN fields in domainSuffixChecker.
  • Route cert errors through a dedicated middleware to bypass express-validator field-level formatting.

Addresses #2505

PR Checklist

  • Unit Tests have been added for new changes
  • API tests have been updated if applicable
  • All commented code has been removed
  • If you've added a dependency, you've ensured license is compatible with Apache 2.0 and clearly outlined the added dependency.

What are you changing?

Anything the reviewer should know when reviewing this PR?

If the there are associated PRs in other repositories, please link them here (i.e. device-management-toolkit/repo#365 )

@sinchubhat sinchubhat linked an issue Mar 17, 2026 that may be closed by this pull request
[Bug]: Certificate will not parse "Cannot read properties of undefined (reading 'subject'): undefined" #2505
Open
@sinchubhat sinchubhat requested a review from Copilot March 17, 2026 08:52
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves domain provisioning certificate handling by detecting when PKCS#12 parsing yields no certificates (commonly with ECDSA/EC certs in node-forge) and returning a clearer client-facing 400 error, while also hardening domain suffix validation against empty/malformed cert data.

Changes:

  • Add a specific error in CertManager.convertPfxToObject when no certs can be extracted from a PFX (with guidance to use RSA).
  • Add guards in domainSuffixChecker for empty cert arrays and missing CN fields, with accompanying unit tests.
  • Introduce certErrorMiddleware and route domain-create cert parsing errors through it to bypass express-validator’s field-level formatting.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
src/routes/admin/domains/index.ts Adds certErrorMiddleware into the domain create route chain.
src/routes/admin/domains/domain.ts Captures unsupported-cert parse errors, adds cert error middleware, and hardens CN/certs access.
src/routes/admin/domains/domain.test.ts Adds unit tests for empty cert array and missing CN scenarios in domainSuffixChecker.
src/custom.d.ts Extends express.Request with an optional certError field.
src/certManager.ts Throws a descriptive error when PFX parsing yields zero certificates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@sinchubhat sinchubhat force-pushed the issue2505-rps branch 2 times, most recently from 5f370ab to ffd0d4f Compare March 18, 2026 05:04
@sinchubhat sinchubhat requested a review from Copilot March 18, 2026 05:08
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves domain provisioning certificate handling by detecting unsupported EC/ECDSA PKCS#12 certificates and returning a clearer, user-facing error instead of a generic decrypt failure, while also hardening domain suffix validation against missing certificate fields.

Changes:

  • Add UnsupportedCertificateError and throw it when PKCS#12 cert bags contain no parseable certs.
  • Store parsed PFX object on req and introduce certErrorMiddleware to return a dedicated 400 response for unsupported cert errors.
  • Add guards in domainSuffixChecker for empty cert arrays / missing CN, with corresponding unit tests.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/routes/admin/domains/index.ts Inserts certErrorMiddleware into the domain create route to return clearer cert errors.
src/routes/admin/domains/domain.ts Moves PFX parsing state to req, adds cert-error middleware, and adds CN/empty-certs guards.
src/routes/admin/domains/domain.test.ts Adds unit tests for the new domainSuffixChecker guard paths.
src/custom.d.ts Extends express.Request to include pfxobj and certError.
src/certManager.ts Introduces UnsupportedCertificateError and throws it when no certs are parseable from the PFX.
src/certManager.test.ts Adds a unit test asserting the new unsupported-certificate error path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@sinchubhat sinchubhat force-pushed the issue2505-rps branch 2 times, most recently from 5760894 to 978c5e6 Compare March 18, 2026 05:53
@sinchubhat
Copy link
Contributor Author

sinchubhat commented Mar 18, 2026
edited
Loading

Reproducing the error:

Uploaded an ECDSA PKCS12 certificate (ec_only.p12) generated with:

Generate ECDSA key
openssl ecparam -genkey -name prime256v1 -out ec_key.pem

Generate self-signed ECDSA certificate
openssl req -new -x509 -key ec_key.pem -out ec_leaf.crt -days 90 -subj "/CN=test.vprodemo.com"

Package as PKCS12
openssl pkcs12 -export -inkey ec_key.pem -in ec_leaf.crt -out ec_only.p12 -passout pass:P@ssw0rd

Root cause:

ECDSA certificates (EC keys like P-256, P-384) packaged as PKCS12 trigger this error.
node-forge cannot parse ECDSA/EC public keys in X.509 certificates — it only supports RSA.
When it encounters an EC cert, it finds the cert bag but sets .cert = null, leaving the parsed certs[] array empty.
Accessing certs[0].subject then crashes with Cannot read properties of undefined (reading 'subject').

Fix:

Returns a descriptive 400 error instead of an unhandled 500 crash:

No certificates could be parsed from the provisioning certificate. This may occur if the certificate uses an unsupported key algorithm (e.g. ECDSA/EC) or if the PKCS#12 structure is malformed. Please use a certificate with an RSA key.

issue2505-rps

@sinchubhat
fix: return clear error for unsupported ECDSA/EC provisioning certifi…
6086d58 
…cates

* Detect when node-forge cannot parse EC certificates from a PFX and return a descriptive error instead of a generic decrypt failure.
* Add null guards for empty cert arrays and missing CN fields in domainSuffixChecker.
* Route cert errors through a dedicated middleware to bypass express-validator field-level formatting.

Addresses #2505
@sinchubhat sinchubhat requested a review from amarnath-ac March 23, 2026 04:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@nbmaiti nbmaiti Awaiting requested review from nbmaiti

@sudhir-intc sudhir-intc Awaiting requested review from sudhir-intc

@amarnath-ac amarnath-ac Awaiting requested review from amarnath-ac

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Certificate will not parse "Cannot read properties of undefined (reading 'subject'): undefined"

2 participants

@sinchubhat