src/club/wpia/gigi/pages/account/certs/Certificates.java

   1 package club.wpia.gigi.pages.account.certs;
   2
   3 import java.io.IOException;
   4 import java.io.PrintWriter;
   5 import java.math.BigInteger;
   6 import java.net.URLEncoder;
   7 import java.security.GeneralSecurityException;
   8 import java.security.cert.X509Certificate;
   9 import java.util.HashMap;
  10 import java.util.List;
  11 import java.util.Map;
  12
  13 import javax.servlet.ServletOutputStream;
  14 import javax.servlet.http.HttpServletRequest;
  15 import javax.servlet.http.HttpServletResponse;
  16
  17 import club.wpia.gigi.GigiApiException;
  18 import club.wpia.gigi.dbObjects.Certificate;
  19 import club.wpia.gigi.dbObjects.Certificate.CertificateStatus;
  20 import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
  21 import club.wpia.gigi.dbObjects.CertificateOwner;
  22 import club.wpia.gigi.dbObjects.Organisation;
  23 import club.wpia.gigi.dbObjects.SupportedUser;
  24 import club.wpia.gigi.dbObjects.User;
  25 import club.wpia.gigi.localisation.Language;
  26 import club.wpia.gigi.output.TrustchainIterable;
  27 import club.wpia.gigi.output.template.Form;
  28 import club.wpia.gigi.output.template.IterableDataset;
  29 import club.wpia.gigi.output.template.Template;
  30 import club.wpia.gigi.pages.HandlesMixedRequest;
  31 import club.wpia.gigi.pages.LoginPage;
  32 import club.wpia.gigi.pages.Page;
  33 import club.wpia.gigi.util.AuthorizationContext;
  34 import club.wpia.gigi.util.CertExporter;
  35 import club.wpia.gigi.util.PEM;
  36
  37 public class Certificates extends Page implements HandlesMixedRequest {
  38
  39     private static final Template certDisplay = new Template(Certificates.class.getResource("CertificateDisplay.templ"));
  40
  41     public static final String PATH = "/account/certs";
  42
  43     public static final String SUPPORT_PATH = "/support/certs";
  44
  45     private final boolean support;
  46
  47     public Certificates(boolean support) {
  48         super(support ? "Support Certificates" : "Certificates");
  49         this.support = support;
  50     }
  51
  52     @Override
  53     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  54         if ("POST".equals(req.getMethod())) {
  55             return beforePost(req, resp);
  56         }
  57
  58         String pi = req.getPathInfo().substring(PATH.length());
  59         if (pi.length() == 0) {
  60             return false;
  61         }
  62         pi = pi.substring(1);
  63         boolean crt = false;
  64         boolean cer = false;
  65         resp.setContentType("application/pkix-cert");
  66         if (req.getParameter("install") != null) {
  67             resp.setContentType("application/x-x509-user-cert");
  68         }
  69         if (pi.endsWith(".crt")) {
  70             crt = true;
  71             pi = pi.substring(0, pi.length() - 4);
  72         } else if (pi.endsWith(".cer")) {
  73             cer = true;
  74             pi = pi.substring(0, pi.length() - 4);
  75         }
  76         BigInteger serial = new BigInteger(pi, 16);
  77         try {
  78             Certificate c = Certificate.getBySerial(serial);
  79             if (c == null || ( !support && LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
  80                 resp.sendError(404);
  81                 return true;
  82             }
  83             if ( !crt && !cer) {
  84                 return false;
  85             }
  86             ServletOutputStream out = resp.getOutputStream();
  87             boolean doChain = req.getParameter("chain") != null;
  88             boolean includeAnchor = req.getParameter("noAnchor") == null;
  89             boolean includeLeaf = req.getParameter("noLeaf") == null;
  90             if (crt) {
  91                 CertExporter.writeCertCrt(c, out, doChain, includeAnchor, includeLeaf);
  92             } else if (cer) {
  93                 CertExporter.writeCertCer(c, out, doChain, includeAnchor);
  94             }
  95         } catch (IllegalArgumentException e) {
  96             resp.sendError(404);
  97             return true;
  98         } catch (GigiApiException e) {
  99             resp.sendError(404);
 100             return true;
 101         } catch (GeneralSecurityException e) {
 102             resp.sendError(404);
 103             return true;
 104         }
 105
 106         return true;
 107     }
 108
 109     @Override
 110     public boolean beforePost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 111         if (support && "revoke".equals(req.getParameter("action"))) {
 112             return Form.getForm(req, RevokeSingleCertForm.class).submitExceptionProtected(req, resp);
 113         }
 114         if ( !req.getPathInfo().equals(PATH)) {
 115             resp.sendError(500);
 116             return true;
 117         }
 118         return Form.getForm(req, CertificateModificationForm.class).submitExceptionProtected(req, resp);
 119     }
 120
 121     @Override
 122     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 123         if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
 124             return;// Block actions by get parameters.
 125         }
 126
 127         if (support && "revoke".equals(req.getParameter("action"))) {
 128             if (Form.printFormErrors(req, resp.getWriter())) {
 129                 Form.getForm(req, RevokeSingleCertForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 130             }
 131             return;
 132         }
 133         if ( !req.getPathInfo().equals(PATH)) {
 134             resp.sendError(500);
 135             return;
 136         }
 137         Form.getForm(req, CertificateModificationForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 138     }
 139
 140     @Override
 141     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 142         PrintWriter out = resp.getWriter();
 143         String pi = req.getPathInfo().substring(PATH.length());
 144         if (pi.length() != 0) {
 145             pi = pi.substring(1);
 146
 147             String serial = pi;
 148             Certificate c = Certificate.getBySerial(new BigInteger(serial, 16));
 149             Language l = LoginPage.getLanguage(req);
 150
 151             if (c == null || ( !support && LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
 152                 resp.sendError(404);
 153                 return;
 154             }
 155             Map<String, Object> vars = getDefaultVars(req);
 156             vars.put("serial", URLEncoder.encode(serial, "UTF-8"));
 157
 158             CertificateStatus st = c.getStatus();
 159
 160             if (support) {
 161                 vars.put("support", "support");
 162                 CertificateOwner user = c.getOwner();
 163                 if (st == CertificateStatus.ISSUED) {
 164                     if (user instanceof User) {
 165                         vars.put("revokeForm", new RevokeSingleCertForm(req, c, new SupportedUser((User) user, getUser(req), LoginPage.getAuthorizationContext(req).getSupporterTicketId())));
 166                     }
 167                 }
 168             }
 169
 170             CertificateOwner co = c.getOwner();
 171             int ownerId = co.getId();
 172             vars.put("certid", c.getStatus());
 173             if (co instanceof Organisation) {
 174                 vars.put("type", l.getTranslation("Organisation Acount"));
 175                 vars.put("name", Organisation.getById(ownerId).getName());
 176                 vars.put("link", ""); // TODO
 177             } else {
 178                 vars.put("type", l.getTranslation("Personal Account"));
 179                 vars.put("name", User.getById(ownerId).getPreferredName());
 180                 vars.put("link", "/support/user/" + ownerId + "/");
 181             }
 182             vars.put("status", c.getStatus());
 183             vars.put("DN", c.getDistinguishedName());
 184             vars.put("digest", c.getMessageDigest());
 185             vars.put("profile", c.getProfile().getVisibleName());
 186             try {
 187                 vars.put("fingerprintSHA1", c.getFingerprint("sha-1"));
 188                 vars.put("fingerprintSHA256", c.getFingerprint("sha-256"));
 189             } catch (GeneralSecurityException e) {
 190                 e.printStackTrace();
 191             } catch (GigiApiException e) {
 192                 e.format(out, l, getDefaultVars(req));
 193             }
 194
 195             try {
 196
 197                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
 198                     X509Certificate certx = c.cert();
 199                     vars.put("issued", certx.getNotBefore());
 200                     vars.put("expire", certx.getNotAfter());
 201                     vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
 202                 } else {
 203                     vars.put("issued", l.getTranslation("N/A"));
 204                     vars.put("expire", l.getTranslation("N/A"));
 205                     vars.put("cert", l.getTranslation("N/A"));
 206                 }
 207                 if (st == CertificateStatus.REVOKED) {
 208                     vars.put("revoked", c.getRevocationDate());
 209                 } else {
 210                     vars.put("revoked", l.getTranslation("N/A"));
 211                 }
 212                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
 213                     vars.put("trustchain", new TrustchainIterable(c.getParent()));
 214                     try {
 215                         vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
 216                     } catch (GeneralSecurityException e) {
 217                         e.printStackTrace();
 218                     }
 219                 } else {
 220                     vars.put("trustchain", l.getTranslation("N/A"));
 221                     vars.put("cert", l.getTranslation("N/A"));
 222                 }
 223                 final List<SubjectAlternateName> san = c.getSANs();
 224                 vars.put("san", new IterableDataset() {
 225
 226                     int j = 0;
 227
 228                     @Override
 229                     public boolean next(Language l, Map<String, Object> vars) {
 230                         if (j == san.size()) {
 231                             return false;
 232                         }
 233                         vars.put("entry", san.get(j).getName() + (j < san.size() - 1 ? ", " : ""));
 234                         j++;
 235                         return true;
 236                     }
 237                 });
 238                 vars.put("login", c.isLoginEnabled());
 239             } catch (GeneralSecurityException e) {
 240                 e.printStackTrace();
 241             } catch (GigiApiException e) {
 242                 e.format(out, l, getDefaultVars(req));
 243             }
 244             certDisplay.output(out, getLanguage(req), vars);
 245
 246             return;
 247         }
 248
 249         HashMap<String, Object> vars = new HashMap<String, Object>();
 250         new CertificateModificationForm(req, req.getParameter("withRevoked") != null).output(out, getLanguage(req), vars);
 251     }
 252
 253     @Override
 254     public boolean isPermitted(AuthorizationContext ac) {
 255         if (ac == null) {
 256             return false;
 257         }
 258         if (support) {
 259             return ac.canSupport();
 260         } else {
 261             return true;
 262         }
 263     }
 264 }