Merge pull request #6015 from LibreSign/fix/validate-empty-common-name

vitormattos · web-flow · commit a8074231a1b3 · 2025-12-06T17:52:12.000-03:00
fix: validate empty commonName in certificate generation
diff --git a/lib/Handler/CertificateEngine/CfsslHandler.php b/lib/Handler/CertificateEngine/CfsslHandler.php
@@ -15,6 +15,7 @@
 use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Db\CrlMapper;
 use OCA\Libresign\Enum\CertificateType;
+use OCA\Libresign\Exception\EmptyCertificateException;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CfsslServerHandler;
 use OCA\Libresign\Helper\ConfigureCheckHelper;
@@ -78,6 +79,10 @@ public function generateRootCert(
 		string $commonName,
 		array $names = [],
 	): void {
+		if (empty($commonName)) {
+			throw new EmptyCertificateException('Common Name (CN) cannot be empty for root certificate');
+		}
+
 		$this->cfsslServerHandler->createConfigServer(
 			$commonName,
 			$names,
diff --git a/lib/Handler/CertificateEngine/OpenSslHandler.php b/lib/Handler/CertificateEngine/OpenSslHandler.php
@@ -10,6 +10,7 @@
 
 use OCA\Libresign\Db\CrlMapper;
 use OCA\Libresign\Enum\CertificateType;
+use OCA\Libresign\Exception\EmptyCertificateException;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Service\CaIdentifierService;
 use OCA\Libresign\Service\CertificatePolicyService;
@@ -61,6 +62,10 @@ public function generateRootCert(
 		string $commonName,
 		array $names = [],
 	): void {
+		if (empty($commonName)) {
+			throw new EmptyCertificateException('Common Name (CN) cannot be empty for root certificate');
+		}
+
 		$privateKey = openssl_pkey_new([
 			'private_key_bits' => 2048,
 			'private_key_type' => OPENSSL_KEYTYPE_RSA,
diff --git a/tests/php/Unit/Handler/CertificateEngine/OpenSslHandlerTest.php b/tests/php/Unit/Handler/CertificateEngine/OpenSslHandlerTest.php
@@ -77,6 +77,13 @@ public function testEmptyCertificate(): void {
 		$signerInstance->readCertificate('', '');
 	}
 
+	public function testEmptyCommonNameThrowsException(): void {
+		$rootInstance = $this->getInstance();
+		$this->expectException(EmptyCertificateException::class);
+		$this->expectExceptionMessage('Common Name (CN) cannot be empty for root certificate');
+		$rootInstance->generateRootCert('', []);
+	}
+
 	public function testInvalidPassword(): void {
 		// Create root cert
 		$rootInstance = $this->getInstance();
diff --git a/tests/php/Unit/Handler/SignEngine/JSignPdfHandlerTest.php b/tests/php/Unit/Handler/SignEngine/JSignPdfHandlerTest.php
@@ -50,7 +50,7 @@ public static function setUpBeforeClass(): void {
 			$certificateEngine = self::$certificateEngineFactory->getEngine();
 			$certificateEngine
 				->setConfigPath(\OCP\Server::get(ITempManager::class)->getTemporaryFolder('certificate'))
-				->generateRootCert('', []);
+				->generateRootCert('Test Root CA', []);
 
 			self::$certificateContent = $certificateEngine
 				->setHosts(['user@email.tld'])
@@ -92,6 +92,7 @@ private function getInstance(array $methods = []): JSignPdfHandler|MockObject {
 				$this->signatureBackgroundService,
 				$certificateEngineFactory,
 				$this->javaHelper,
+				$this->createMock(\OCA\Libresign\Service\DocMdpConfigService::class),
 			);
 		}
 		return $this->getMockBuilder(JSignPdfHandler::class)
@@ -103,6 +104,7 @@ private function getInstance(array $methods = []): JSignPdfHandler|MockObject {
 				$this->signatureBackgroundService,
 				$certificateEngineFactory,
 				$this->javaHelper,
+				$this->createMock(\OCA\Libresign\Service\DocMdpConfigService::class),
 			])
 			->onlyMethods($methods)
 			->getMock();
