
Improve error reporting for certificate issuance in CAT NRO interface #310

Open
1 of 5 tasks
spaetow opened this issue Sep 4, 2024 · 2 comments

spaetow commented Sep 4, 2024

Issue type

  • Defect - Crash/memory corruption.
  • Defect - Non-compliance with a standards document or incorrect OS API usage.
  • Defect - Unexpected behaviour (obvious or has been verified by a project member).
  • New feature request.
  • Enhancement

Defect/Feature description

The error reporting when submitting a certificate request in the NRO interface is... suboptimal. The CSR looks ok, but no certificate is issued (and no information is provided). The submission process stops and you are none the wiser whether it was successfully submitted to the CA for signing/issuing or not.

We need to improve this because it's not particularly helpful to me right now when I'm trying to submit member CSRs. Scan the CSR and check if there's anything wrong. If there is, flag it up. If there isn't, provide feedback whether the CSR has been submitted, and the CA (eduPKI) should report back if the cert has been issued, or, if there was an error, what was wrong with the CSR, so it can be corrected.

How to reproduce issue

I have a CSR, signed with SHA1, organisation details are right. Extended Key Usage as below:

        X509v3 Extended Key Usage:
            TLS Web Server Authentication, Code Signing, 1.3.6.1.5.5.7.3.14

Subject is not in the correct format, so no feedback given? It should at the very least feed back if the subject is wrong, or the signing algorithm is wrong, or the public key is too short... or... or...

Detail of issue

See above

@restena-sw
Contributor

I understand the frustration. FWIW, most of the errors are only detected after submission to the CA, and come from the CA itself.

It would certainly be helpful to state at least: the CSR looks okay, submitting it to the CA.

Everything that comes back from the CA is in a crude SOAPException. We can work on getting the corresponding text out of the Exception and displaying it on screen instead, but the content of that string is at the discretion of the CA (and there are many details being checked, and many things to complain about).

In this particular case, Code Signing? That will certainly not be retained for the certificate. But it's perfectly possible that the CA loathes about CSRs that dare to contain a request for something that it won't issue (rather than just ignoring that property), and rejected because of that.

@spaetow
Author

spaetow commented Sep 4, 2024

Well, yes, there are things that CAT can check before submission, and, if it thinks it's ok to submit, then submit. If the CA is not happy, and there is a message in the SOAPException, then yes, display this (or massage it appropriately before displaying) to the NRO admin. We're all admins and we all understand that there might be errors in submission, but showing something is much more appreciated than just... Blank. IYKWIM.
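
The pre-submission checks discussed in this thread (signature algorithm, key length, subject, Extended Key Usage), as an added example that is not code from CAT or from any participant. It reads the text printed by `openssl req -noout -text`; the function name `lint_csr_text`, the 2048-bit minimum, the required subject attributes and the allowed EKU set are assumptions, since the thread does not state the CA's actual policy.

```python
import re

# Assumed policy, for illustration only: the thread does not state the CA's rules.
MIN_RSA_BITS = 2048
REQUIRED_SUBJECT = ("C", "O", "CN")
ALLOWED_EKU = {"TLS Web Server Authentication", "1.3.6.1.5.5.7.3.14"}

def lint_csr_text(text):
    """Return findings for the output of `openssl req -noout -text`."""
    findings = []
    sig = re.search(r"Signature Algorithm:[ \t]*(\S+)", text)
    if not sig:
        findings.append("signature algorithm not found")
    elif re.search(r"md5|sha1", sig.group(1), re.I):
        findings.append(f"weak signature algorithm: {sig.group(1)}")
    alg = re.search(r"Public Key Algorithm:[ \t]*(\S+)", text)
    bits = re.search(r"Public-Key:[ \t]*\((\d+) bit\)", text)
    if not (alg and bits):
        findings.append("public key details not found")
    elif alg.group(1) == "rsaEncryption" and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {bits.group(1)} bits")
    subj = re.search(r"^[ \t]*Subject:[ \t]*(.*)$", text, re.M)
    # Naive split: a value containing ", " would need a real DN parser.
    parts = subj.group(1).split(", ") if subj else []
    attrs = {p.split("=", 1)[0].strip() for p in parts if "=" in p}
    missing = [a for a in REQUIRED_SUBJECT if a not in attrs]
    if missing:
        findings.append("subject is missing: " + ", ".join(missing))
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n[ \t]*([^\n]+)", text)
    usages = eku.group(1).split(",") if eku else []
    for usage in map(str.strip, usages):
        if usage not in ALLOWED_EKU:
            findings.append(f"EKU outside assumed policy: {usage}")
    return findings

# Constructed sample shaped like the CSR in the report (SHA-1, same EKU line).
SAMPLE = """Certificate Request:
    Data:
        Subject: CN = radius.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Code Signing, 1.3.6.1.5.5.7.3.14
    Signature Algorithm: sha1WithRSAEncryption
"""

if __name__ == "__main__":
    print("\n".join(lint_csr_text(SAMPLE)) or "CSR looks okay, submitting it to the CA")
```

An empty result means only that these local checks passed; the CA can still reject the request for reasons of its own.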
