1 package org.cacert.gigi.pages.account;
3 import java.io.IOException;
4 import java.io.PrintWriter;
5 import java.security.GeneralSecurityException;
6 import java.security.PublicKey;
7 import java.security.interfaces.DSAPublicKey;
8 import java.security.interfaces.ECPublicKey;
9 import java.security.interfaces.RSAPublicKey;
10 import java.sql.SQLException;
11 import java.util.Base64;
12 import java.util.HashMap;
15 import javax.servlet.http.HttpServletRequest;
17 import org.cacert.gigi.Certificate;
18 import org.cacert.gigi.Certificate.CSRType;
19 import org.cacert.gigi.CertificateProfile;
20 import org.cacert.gigi.Digest;
21 import org.cacert.gigi.EmailAddress;
22 import org.cacert.gigi.GigiApiException;
23 import org.cacert.gigi.Language;
24 import org.cacert.gigi.User;
25 import org.cacert.gigi.crypto.SPKAC;
26 import org.cacert.gigi.output.Form;
27 import org.cacert.gigi.output.template.HashAlgorithms;
28 import org.cacert.gigi.output.template.IterableDataset;
29 import org.cacert.gigi.output.template.Template;
30 import org.cacert.gigi.pages.LoginPage;
31 import org.cacert.gigi.pages.Page;
32 import org.cacert.gigi.util.PEM;
33 import org.cacert.gigi.util.RandomToken;
35 import sun.security.pkcs10.PKCS10;
36 import sun.security.util.DerInputStream;
37 import sun.security.util.DerValue;
38 import sun.security.x509.AlgorithmId;
41 * This class represents a form that is used for issuing certificates. This
42 * class uses "sun.security" and therefore needs "-XDignore.symbol.file"
44 public class CertificateIssueForm extends Form {
48 Digest selectedDigest = Digest.getDefault();
54 private final static Template t = new Template(CertificateIssueForm.class.getResource("CertificateIssueForm.templ"));
56 private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ"));
58 String spkacChallenge;
60 public CertificateIssueForm(HttpServletRequest hsr) {
62 u = Page.getUser(hsr);
63 spkacChallenge = RandomToken.generateToken(16);
68 private CSRType csrType;
70 public Certificate getResult() {
75 public boolean submit(PrintWriter out, HttpServletRequest req) {
76 String csr = req.getParameter("CSR");
77 String spkac = req.getParameter("SPKAC");
81 byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
82 PKCS10 parsed = new PKCS10(data);
84 out.println(parsed.getSubjectName().getCommonName());
85 out.println(parsed.getSubjectName().getCountry());
86 out.println("CSR DN: " + parsed.getSubjectName() + "<br/>");
87 PublicKey pk = parsed.getSubjectPublicKeyInfo();
88 checkKeyStrength(pk, out);
89 String sign = getSignatureAlgorithm(data);
90 out.println("<br/>digest: " + sign + "<br/>");
93 this.csrType = CSRType.CSR;
94 } else if (spkac != null) {
95 String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
96 byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
97 SPKAC parsed = new SPKAC(data);
98 if ( !parsed.getChallenge().equals(spkacChallenge)) {
99 throw new GigiApiException("Challenge mismatch");
101 checkKeyStrength(parsed.getPubkey(), out);
102 String sign = getSignatureAlgorithm(data);
103 out.println("<br/>digest: " + sign + "<br/>");
106 this.csr = "SPKAC=" + cleanedSPKAC;
107 this.csrType = CSRType.SPKAC;
110 login = "1".equals(req.getParameter("login"));
111 String hashAlg = req.getParameter("hash_alg");
112 if (hashAlg != null) {
113 selectedDigest = Digest.valueOf(hashAlg);
115 if (req.getParameter("CCA") == null) {
116 outputError(out, req, "You need to accept the CCA.");
119 System.out.println("issuing " + selectedDigest);
120 result = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", selectedDigest.toString(), this.csr, this.csrType, CertificateProfile.getById(1));
121 result.issue().waitFor(60000);
124 } catch (IOException e) {
126 } catch (IllegalArgumentException e) {
127 throw new GigiApiException("Certificate Request format is invalid.");
128 } catch (GeneralSecurityException e) {
129 throw new GigiApiException("Certificate Request format is invalid.");
130 } catch (InterruptedException e) {
132 } catch (SQLException e) {
133 throw new GigiApiException(e);
135 } catch (GigiApiException e) {
136 e.format(out, Page.getLanguage(req));
141 private void checkKeyStrength(PublicKey pk, PrintWriter out) {
142 out.println("Type: " + pk.getAlgorithm() + "<br/>");
143 if (pk instanceof RSAPublicKey) {
144 out.println("Exponent: " + ((RSAPublicKey) pk).getPublicExponent() + "<br/>");
145 out.println("Length: " + ((RSAPublicKey) pk).getModulus().bitLength());
146 } else if (pk instanceof DSAPublicKey) {
147 DSAPublicKey dpk = (DSAPublicKey) pk;
148 out.println("Length: " + dpk.getY().bitLength() + "<br/>");
149 out.println(dpk.getParams());
150 } else if (pk instanceof ECPublicKey) {
151 ECPublicKey epk = (ECPublicKey) pk;
152 out.println("Length-x: " + epk.getW().getAffineX().bitLength() + "<br/>");
153 out.println("Length-y: " + epk.getW().getAffineY().bitLength() + "<br/>");
154 out.println(epk.getParams().getCurve());
158 private static PKCS10 parseCSR(String csr) throws IOException, GeneralSecurityException {
159 return new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", csr));
162 private static String getSignatureAlgorithm(byte[] data) throws IOException {
163 DerInputStream in = new DerInputStream(data);
164 DerValue[] seq = in.getSequence(3);
165 return AlgorithmId.parse(seq[1]).getName();
169 public void output(PrintWriter out, Language l, Map<String, Object> vars) {
171 HashMap<String, Object> vars2 = new HashMap<String, Object>(vars);
172 vars2.put("csrf", getCSRFToken());
173 vars2.put("csrf_name", getCsrfFieldName());
174 vars2.put("spkacChallenge", spkacChallenge);
175 tIni.output(out, l, vars2);
178 super.output(out, l, vars);
183 protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
184 HashMap<String, Object> vars2 = new HashMap<String, Object>(vars);
185 vars2.put("CCA", "<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>");
187 final EmailAddress[] ea = u.getEmails();
188 vars2.put("emails", new IterableDataset() {
193 public boolean next(Language l, Map<String, Object> vars) {
194 if (count >= ea.length) {
197 vars.put("id", ea[count].getId());
198 vars.put("value", ea[count].getAddress());
203 vars2.put("hashs", new HashAlgorithms(selectedDigest));
204 vars2.put("profiles", new IterableDataset() {
209 public boolean next(Language l, Map<String, Object> vars) {
210 CertificateProfile cp = CertificateProfile.getById(i++);
214 vars.put("key", cp.getKeyName());
215 vars.put("name", cp.getVisibleName());
219 t.output(out, l, vars2);