1 package org.cacert.gigi.util;
3 import javax.naming.NamingException;
5 import org.cacert.gigi.dbObjects.CertificateOwner;
6 import org.cacert.gigi.dbObjects.CertificateProfile;
10 public static class CAARecord {
18 public CAARecord(byte[] rec) {
19 byte length = (byte) (rec[1] & 0xFF);
20 tag = new String(rec, 2, length);
21 data = new String(rec, 2 + length, rec.length - 2 - length);
26 public String toString() {
27 return "CAA " + (flags & 0xFF) + " " + tag + " " + data;
30 public String getData() {
34 public byte getFlags() {
38 public String getTag() {
42 public boolean isCritical() {
43 return (flags & (byte) 0x80) == (byte) 0x80;
47 public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) {
49 if (name.startsWith("*.")) {
50 return verifyDomainAccess(owner, p, name.substring(2), true);
52 return verifyDomainAccess(owner, p, name, false);
53 } catch (NamingException e) {
58 private static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name, boolean wild) throws NamingException {
59 CAARecord[] caa = getEffectiveCAARecords(name);
60 if (caa.length == 0) {
61 return true; // default assessment is being granted
63 for (int i = 0; i < caa.length; i++) {
65 if (r.getTag().equals("issuewild")) {
66 if (wild && authorized(owner, p, r.getData())) {
69 } else if (r.getTag().equals("iodef")) {
70 // TODO send mail/form
71 } else if (r.getTag().equals("issue")) {
72 if ( !wild && authorized(owner, p, r.getData())) {
77 return false; // found critical, unknown entry
85 private static CAARecord[] getEffectiveCAARecords(String name) throws NamingException {
86 CAARecord[] caa = DNSUtil.getCAAEntries(name);
87 // TODO missing alias processing
88 while (caa.length == 0 && name.contains(".")) {
89 name = name.split("\\.", 2)[1];
90 caa = DNSUtil.getCAAEntries(name);
95 private static boolean authorized(CertificateOwner owner, CertificateProfile p, String data) {
96 String[] parts = data.split(";");
97 String ca = parts[0].trim();
98 if ( !ca.equals("cacert.org")) {
101 for (int i = 1; i < parts.length; i++) {
102 String[] pa = parts[i].split("=");
103 String key = pa[0].trim();
104 String v = pa[1].trim();
105 if (key.equals("account")) {
106 int id = Integer.parseInt(v);
107 if (id != owner.getId()) {
110 } else { // unknown key... be conservative