1 package club.wpia.gigi.util;
3 import javax.naming.NamingException;
5 import club.wpia.gigi.GigiApiException;
6 import club.wpia.gigi.dbObjects.CertificateOwner;
7 import club.wpia.gigi.dbObjects.CertificateProfile;
8 import club.wpia.gigi.output.template.SprintfCommand;
12 public static class CAARecord {
20 public CAARecord(byte[] rec) {
21 byte length = (byte) (rec[1] & 0xFF);
22 tag = new String(rec, 2, length);
23 data = new String(rec, 2 + length, rec.length - 2 - length);
28 public String toString() {
29 return "CAA " + (flags & 0xFF) + " " + tag + " " + data;
32 public String getData() {
36 public byte getFlags() {
40 public String getTag() {
44 public boolean isCritical() {
45 return (flags & (byte) 0x80) == (byte) 0x80;
49 public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) throws GigiApiException {
51 if (name.startsWith("*.")) {
52 return verifyDomainAccess(owner, p, name.substring(2), true);
54 return verifyDomainAccess(owner, p, name, false);
55 } catch (NamingException e) {
56 throw new GigiApiException(SprintfCommand.createSimple("Internal Name Server/Resolution Error: {0}", e.getMessage()));
60 private static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name, boolean wild) throws NamingException {
61 CAARecord[] caa = getEffectiveCAARecords(name);
62 if (caa.length == 0) {
63 return true; // default assessment is beeing granted
65 for (int i = 0; i < caa.length; i++) {
67 if (r.getTag().equals("issuewild")) {
68 if (wild && authorized(owner, p, r.getData())) {
71 } else if (r.getTag().equals("iodef")) {
72 // TODO send mail/form
73 } else if (r.getTag().equals("issue")) {
74 if ( !wild && authorized(owner, p, r.getData())) {
79 return false; // found critical, unkown entry
87 private static CAARecord[] getEffectiveCAARecords(String name) throws NamingException {
88 CAARecord[] caa = DNSUtil.getCAAEntries(name);
89 String publicSuffix = PublicSuffixes.getInstance().getRegistrablePart(name);
90 if (name.equals(publicSuffix)) {
93 // TODO missing alias processing
94 while (caa.length == 0 && name.contains(".")) {
95 name = name.split("\\.", 2)[1];
96 caa = DNSUtil.getCAAEntries(name);
97 if (name.equals(publicSuffix)) {
104 private static boolean authorized(CertificateOwner owner, CertificateProfile p, String data) {
105 String[] parts = data.split(";");
106 String ca = parts[0].trim();
107 if ( !ca.equals(SystemKeywords.CAA_NAME)) {
110 for (int i = 1; i < parts.length; i++) {
111 String[] pa = parts[i].split("=");
112 String key = pa[0].trim();
113 String v = pa[1].trim();
114 if (key.equals("account")) {
115 int id = Integer.parseInt(v);
116 if (id != owner.getId()) {
119 } else { // unknown key... be conservative