fix: stop checking CAA on public suffix (and report error better)

[gigi.git] / src / org / cacert / gigi / pages / account / certs / CertificateRequest.java

diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index 43e4fbd8205591ef31639689995cc7786f67a8e3..e1bf47cc9bde9de5d1b56252f07bbca96f6b675f 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -336,18 +336,19 @@ public class CertificateRequest {
                     try {
                         DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
                         valid = true;
+                        if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
+                            // remove
+                        } else {
+                            if (pDNS == null) {
+                                pDNS = san.getName();
+                            }
+                            filteredSANs.add(san);
+                            continue;
+                        }
                     } catch (GigiApiException e) {
+                        error.mergeInto(e);
                         valid = false;
                     }
-                    if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
-                        // remove
-                    } else {
-                        if (pDNS == null) {
-                            pDNS = san.getName();
-                        }
-                        filteredSANs.add(san);
-                        continue;
-                    }
                 }
             } else if (san.getType() == SANType.EMAIL) {
                 if (emailTemp != null && owner.isValidEmail(san.getName())) {