X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2FLoginPage.java;h=06006cf264d7ac9507077a709c49c69874b4c304;hb=03d27b5bdaea6253e674cdf2779465873b657900;hp=ed01ceb6ccc90e9817cbe1fc64546f136ecaa08e;hpb=a1a980dd0cc65f33a6189eb81a164fe79abb647c;p=gigi.git

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index ed01ceb6..06006cf2 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -58,9 +58,9 @@ public class LoginPage extends Page {
     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
         if (req.getSession().getAttribute("loggedin") == null) {
-            X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-            if (cert != null && cert[0] != null) {
-                tryAuthWithCertificate(req, cert[0]);
+            X509Certificate cert = getCertificateFromRequest(req);
+            if (cert != null) {
+                tryAuthWithCertificate(req, cert);
             }
             if (req.getMethod().equals("POST")) {
                 try {
@@ -118,17 +118,45 @@ public class LoginPage extends Page {
     }
 
     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
-        String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
+        String serial = extractSerialFormCert(x509Certificate);
+        User user = fetchUserBySerial(serial);
+        if (user == null) {
+            return;
+        }
+        loginSession(req, user);
+        req.getSession().setAttribute(CERT_SERIAL, serial);
+        req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
+        req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
+    }
+
+    public static String extractSerialFormCert(X509Certificate x509Certificate) {
+        return x509Certificate.getSerialNumber().toString(16).toUpperCase();
+    }
+
+    public static User fetchUserBySerial(String serial) {
+        if ( !serial.matches("[A-Fa-f0-9]+")) {
+            throw new Error("serial malformed.");
+        }
         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
-        ps.setString(1, serial);
+        ps.setString(1, serial.toLowerCase());
         GigiResultSet rs = ps.executeQuery();
+        User user = null;
         if (rs.next()) {
-            loginSession(req, User.getById(rs.getInt(1)));
-            req.getSession().setAttribute(CERT_SERIAL, serial);
-            req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
-            req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
+            user = User.getById(rs.getInt(1));
+        } else {
+            System.out.println("User with serial " + serial + " not found.");
         }
         rs.close();
+        return user;
+    }
+
+    public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
+        X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
+        X509Certificate uc = null;
+        if (cert != null && cert[0] != null) {
+            uc = cert[0];
+        }
+        return uc;
     }
 
     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");