]> WPIA git - gigi.git/blob - src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
projects / gigi.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
upd: modified text displayed during certificate creation process
[gigi.git] / src / org / cacert / gigi / pages / account / certs / CertificateRequest.java
1 package org.cacert.gigi.pages.account.certs;
2
3 import java.io.IOException;
4 import java.io.PrintWriter;
5 import java.security.GeneralSecurityException;
6 import java.security.PublicKey;
7 import java.security.interfaces.DSAPublicKey;
8 import java.security.interfaces.ECPublicKey;
9 import java.security.interfaces.RSAPublicKey;
10 import java.util.Base64;
11 import java.util.HashMap;
12 import java.util.HashSet;
13 import java.util.LinkedHashSet;
14 import java.util.Set;
15 import java.util.TreeSet;
16
17 import org.cacert.gigi.GigiApiException;
18 import org.cacert.gigi.crypto.SPKAC;
19 import org.cacert.gigi.dbObjects.Certificate;
20 import org.cacert.gigi.dbObjects.Certificate.CSRType;
21 import org.cacert.gigi.dbObjects.Certificate.SANType;
22 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
23 import org.cacert.gigi.dbObjects.CertificateOwner;
24 import org.cacert.gigi.dbObjects.CertificateProfile;
25 import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
26 import org.cacert.gigi.dbObjects.Digest;
27 import org.cacert.gigi.dbObjects.Group;
28 import org.cacert.gigi.dbObjects.Organisation;
29 import org.cacert.gigi.dbObjects.User;
30 import org.cacert.gigi.output.template.SprintfCommand;
31 import org.cacert.gigi.util.AuthorizationContext;
32 import org.cacert.gigi.util.CAA;
33 import org.cacert.gigi.util.DomainAssessment;
34 import org.cacert.gigi.util.PEM;
35 import org.cacert.gigi.util.RateLimit;
36
37 import sun.security.pkcs.PKCS9Attribute;
38 import sun.security.pkcs10.PKCS10;
39 import sun.security.pkcs10.PKCS10Attribute;
40 import sun.security.pkcs10.PKCS10Attributes;
41 import sun.security.util.DerInputStream;
42 import sun.security.util.DerValue;
43 import sun.security.util.ObjectIdentifier;
44 import sun.security.x509.AVA;
45 import sun.security.x509.AlgorithmId;
46 import sun.security.x509.CertificateExtensions;
47 import sun.security.x509.DNSName;
48 import sun.security.x509.ExtendedKeyUsageExtension;
49 import sun.security.x509.Extension;
50 import sun.security.x509.GeneralName;
51 import sun.security.x509.GeneralNameInterface;
52 import sun.security.x509.GeneralNames;
53 import sun.security.x509.PKIXExtensions;
54 import sun.security.x509.RDN;
55 import sun.security.x509.RFC822Name;
56 import sun.security.x509.SubjectAlternativeNameExtension;
57 import sun.security.x509.X500Name;
58
59 public class CertificateRequest {
60
61     public static final String DEFAULT_CN = "SomeCA User";
62
63     public static final ObjectIdentifier OID_KEY_USAGE_SSL_SERVER = ObjectIdentifier.newInternal(new int[] {
64             1, 3, 6, 1, 5, 5, 7, 3, 1
65     });
66
67     public static final ObjectIdentifier OID_KEY_USAGE_SSL_CLIENT = ObjectIdentifier.newInternal(new int[] {
68             1, 3, 6, 1, 5, 5, 7, 3, 2
69     });
70
71     public static final ObjectIdentifier OID_KEY_USAGE_CODESIGN = ObjectIdentifier.newInternal(new int[] {
72             1, 3, 6, 1, 5, 5, 7, 3, 3
73     });
74
75     public static final ObjectIdentifier OID_KEY_USAGE_EMAIL_PROTECTION = ObjectIdentifier.newInternal(new int[] {
76             1, 3, 6, 1, 5, 5, 7, 3, 4
77     });
78
79     public static final ObjectIdentifier OID_KEY_USAGE_TIMESTAMP = ObjectIdentifier.newInternal(new int[] {
80             1, 3, 6, 1, 5, 5, 7, 3, 8
81     });
82
83     public static final ObjectIdentifier OID_KEY_USAGE_OCSP = ObjectIdentifier.newInternal(new int[] {
84             1, 3, 6, 1, 5, 5, 7, 3, 9
85     });
86
87     private CSRType csrType;
88
89     private final PublicKey pk;
90
91     private String csr;
92
93     public String name = DEFAULT_CN;
94
95     private Set<SubjectAlternateName> SANs;
96
97     private Digest selectedDigest = Digest.getDefault();
98
99     private CertificateProfile profile = CertificateProfile.getById(1);
100
101     private String ou = "";
102
103     private AuthorizationContext ctx;
104
105     private String pDNS, pMail;
106
107     public CertificateRequest(AuthorizationContext c, String csr) throws IOException, GeneralSecurityException, GigiApiException {
108         this(c, csr, (CertificateProfile) null);
109     }
110
111     public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
112         this.ctx = ctx;
113         if (cp != null) {
114             profile = cp;
115         } else if (ctx.getActor().getAssurancePoints() > 50) {
116             profile = CertificateProfile.getByName("client-a");
117         }
118         byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
119         PKCS10 parsed = new PKCS10(data);
120         PKCS10Attributes atts = parsed.getAttributes();
121
122         TreeSet<SubjectAlternateName> SANs = new TreeSet<>();
123         for (RDN r : parsed.getSubjectName().rdns()) {
124             for (AVA a : r.avas()) {
125                 if (a.getObjectIdentifier().equals((Object) PKCS9Attribute.EMAIL_ADDRESS_OID)) {
126                     SANs.add(new SubjectAlternateName(SANType.EMAIL, a.getValueString()));
127                 } else if (a.getObjectIdentifier().equals((Object) X500Name.commonName_oid)) {
128                     String value = a.getValueString();
129                     if (value.contains(".") && !value.contains(" ")) {
130                         SANs.add(new SubjectAlternateName(SANType.DNS, value));
131                     } else {
132                         name = value;
133                     }
134                 } else if (a.getObjectIdentifier().equals((Object) PKIXExtensions.SubjectAlternativeName_Id)) {
135                     // TODO? parse invalid SANs
136                 }
137             }
138         }
139
140         for (PKCS10Attribute b : atts.getAttributes()) {
141
142             if ( !b.getAttributeId().equals((Object) PKCS9Attribute.EXTENSION_REQUEST_OID)) {
143                 // unknown attrib
144                 continue;
145             }
146
147             for (Extension c : ((CertificateExtensions) b.getAttributeValue()).getAllExtensions()) {
148                 if (c instanceof SubjectAlternativeNameExtension) {
149
150                     SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension) c;
151                     GeneralNames obj = san.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
152                     for (int i = 0; i < obj.size(); i++) {
153                         GeneralName generalName = obj.get(i);
154                         GeneralNameInterface peeled = generalName.getName();
155                         if (peeled instanceof DNSName) {
156                             SANs.add(new SubjectAlternateName(SANType.DNS, ((DNSName) peeled).getName()));
157                         } else if (peeled instanceof RFC822Name) {
158                             SANs.add(new SubjectAlternateName(SANType.EMAIL, ((RFC822Name) peeled).getName()));
159                         }
160                     }
161                 } else if (c instanceof ExtendedKeyUsageExtension) {
162                     ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
163                     String appendix = "";
164                     if (ctx.getActor().getAssurancePoints() >= 50) {
165                         appendix = "-a";
166                     }
167                     for (String s : ekue.getExtendedKeyUsage()) {
168                         if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) {
169                             // server
170                             profile = CertificateProfile.getByName("server" + appendix);
171                         } else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) {
172                             // client
173                             profile = CertificateProfile.getByName("client" + appendix);
174                         } else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) {
175                             // code sign
176                         } else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) {
177                             // emailProtection
178                             profile = CertificateProfile.getByName("mail" + appendix);
179                         } else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) {
180                             // timestamp
181                         } else if (s.equals(OID_KEY_USAGE_OCSP.toString())) {
182                             // OCSP
183                         }
184                     }
185                 } else {
186                     // Unknown requested extension
187                 }
188             }
189
190         }
191         this.SANs = SANs;
192         pk = parsed.getSubjectPublicKeyInfo();
193         String sign = getSignatureAlgorithm(data);
194         guessDigest(sign);
195
196         this.csr = csr;
197         this.csrType = CSRType.CSR;
198     }
199
200     public CertificateRequest(AuthorizationContext ctx, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException {
201         this.ctx = ctx;
202         String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
203         byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
204         SPKAC parsed = new SPKAC(data);
205         if ( !parsed.getChallenge().equals(spkacChallenge)) {
206             throw new GigiApiException("Challenge mismatch");
207         }
208         pk = parsed.getPubkey();
209         String sign = getSignatureAlgorithm(data);
210         guessDigest(sign);
211         this.SANs = new HashSet<>();
212         this.csr = "SPKAC=" + cleanedSPKAC;
213         this.csrType = CSRType.SPKAC;
214
215     }
216
217     private static String getSignatureAlgorithm(byte[] data) throws IOException {
218         DerInputStream in = new DerInputStream(data);
219         DerValue[] seq = in.getSequence(3);
220         return AlgorithmId.parse(seq[1]).getName();
221     }
222
223     private void guessDigest(String sign) {
224         if (sign.toLowerCase().startsWith("sha512")) {
225             selectedDigest = Digest.SHA512;
226         } else if (sign.toLowerCase().startsWith("sha384")) {
227             selectedDigest = Digest.SHA384;
228         }
229     }
230
231     public void checkKeyStrength(PrintWriter out) {
232         out.println("Type: " + pk.getAlgorithm() + "<br/>");
233         if (pk instanceof RSAPublicKey) {
234             out.println("Exponent: " + ((RSAPublicKey) pk).getPublicExponent() + "<br/>");
235             out.println("Length: " + ((RSAPublicKey) pk).getModulus().bitLength());
236         } else if (pk instanceof DSAPublicKey) {
237             DSAPublicKey dpk = (DSAPublicKey) pk;
238             out.println("Length: " + dpk.getY().bitLength() + "<br/>");
239             out.println(dpk.getParams());
240         } else if (pk instanceof ECPublicKey) {
241             ECPublicKey epk = (ECPublicKey) pk;
242             out.println("Length-x: " + epk.getW().getAffineX().bitLength() + "<br/>");
243             out.println("Length-y: " + epk.getW().getAffineY().bitLength() + "<br/>");
244             out.println(epk.getParams().getCurve());
245         }
246     }
247
248     private Set<SubjectAlternateName> parseSANBox(String SANs) {
249         String[] SANparts = SANs.split("[\r\n]+|, *");
250         Set<SubjectAlternateName> parsedNames = new LinkedHashSet<>();
251         for (String SANline : SANparts) {
252             String[] parts = SANline.split(":", 2);
253             if (parts.length == 1) {
254                 if (parts[0].trim().equals("")) {
255                     continue;
256                 }
257                 if (parts[0].contains("@")) {
258                     parsedNames.add(new SubjectAlternateName(SANType.EMAIL, parts[0]));
259                 } else {
260                     parsedNames.add(new SubjectAlternateName(SANType.DNS, parts[0]));
261                 }
262                 continue;
263             }
264             try {
265                 SANType t = Certificate.SANType.valueOf(parts[0].toUpperCase().trim());
266                 if (t == null) {
267                     continue;
268                 }
269                 parsedNames.add(new SubjectAlternateName(t, parts[1].trim()));
270             } catch (IllegalArgumentException e) {
271                 // invalid enum type
272                 continue;
273             }
274         }
275         return parsedNames;
276     }
277
278     public Set<SubjectAlternateName> getSANs() {
279         return SANs;
280     }
281
282     public String getName() {
283         return name;
284     }
285
286     public synchronized String getOu() {
287         if (ctx.getTarget() instanceof Organisation) {
288             return ou;
289         }
290         throw new IllegalStateException();
291     }
292
293     public Digest getSelectedDigest() {
294         return selectedDigest;
295     }
296
297     public CertificateProfile getProfile() {
298         return profile;
299     }
300
301     public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr) throws GigiApiException {
302         GigiApiException error = new GigiApiException();
303         this.name = nameIn;
304         if (hashAlg != null) {
305             selectedDigest = Digest.valueOf(hashAlg);
306         }
307         this.profile = CertificateProfile.getByName(profileStr);
308         if (ctx.getTarget() instanceof Organisation) {
309             this.ou = ou;
310         }
311
312         if ( !this.profile.canBeIssuedBy(ctx.getTarget(), ctx.getActor())) {
313             this.profile = CertificateProfile.getById(1);
314             error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
315             throw error;
316         }
317
318         verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget(), ctx.getActor());
319
320         if ( !error.isEmpty()) {
321             throw error;
322         }
323         return true;
324     }
325
326     private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner, User user) {
327         Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
328         PropertyTemplate domainTemp = p.getTemplates().get("domain");
329         PropertyTemplate emailTemp = p.getTemplates().get("email");
330         pDNS = null;
331         pMail = null;
332         for (SubjectAlternateName san : sANs2) {
333             if (san.getType() == SANType.DNS) {
334                 if (domainTemp != null && owner.isValidDomain(san.getName())) {
335                     boolean valid;
336                     try {
337                         DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
338                         valid = true;
339                         if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
340                             // remove
341                         } else {
342                             if (pDNS == null) {
343                                 pDNS = san.getName();
344                             }
345                             filteredSANs.add(san);
346                             continue;
347                         }
348                     } catch (GigiApiException e) {
349                         error.mergeInto(e);
350                         valid = false;
351                     }
352                 }
353             } else if (san.getType() == SANType.EMAIL) {
354                 if (emailTemp != null && owner.isValidEmail(san.getName())) {
355                     if (pMail != null && !emailTemp.isMultiple()) {
356                         // remove
357                     } else {
358                         if (pMail == null) {
359                             pMail = san.getName();
360                         }
361                         filteredSANs.add(san);
362                         continue;
363                     }
364                 }
365             }
366             error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
367                     "The requested subject alternate name (SAN) \"{0}\" has been removed.", san.getType().toString().toLowerCase() + ":" + san.getName())));
368         }
369         SANs = filteredSANs;
370     }
371
372     // domain email name name=WoTUser orga
373     public synchronized Certificate draft() throws GigiApiException {
374
375         GigiApiException error = new GigiApiException();
376
377         HashMap<String, String> subject = new HashMap<>();
378         PropertyTemplate domainTemp = profile.getTemplates().get("domain");
379         PropertyTemplate emailTemp = profile.getTemplates().get("email");
380         PropertyTemplate nameTemp = profile.getTemplates().get("name");
381         PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
382         verifySANs(error, profile, SANs, ctx.getTarget(), ctx.getActor());
383
384         // Ok, let's determine the CN
385         // the CN is
386         // 1. the user's "real name", iff the real name is to be included i.e.
387         // not empty (name), or to be forced to WOTUser
388
389         // 2. the user's "primary domain", iff "1." doesn't match and there is a
390         // primary domain. (domainTemp != null)
391
392         String verifiedCN = null;
393         if (ctx.getTarget() instanceof Organisation) {
394             if ( !name.equals("")) {
395                 verifiedCN = name;
396             }
397         } else {
398             verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
399         }
400         if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
401             error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
402         } else if (domainTemp != null && verifiedCN == null) {
403             // user may add domains
404             verifiedCN = pDNS;
405         }
406         if (verifiedCN != null) {
407             subject.put("CN", verifiedCN);
408         }
409
410         if (pMail != null) {
411             if (emailTemp != null) {
412                 subject.put("EMAIL", pMail);
413             } else {
414                 // verify SANs should prevent this
415                 pMail = null;
416                 error.mergeInto(new GigiApiException("You may not include an email in this certificate."));
417             }
418         } else {
419             if (emailTemp != null && emailTemp.isRequired()) {
420                 error.mergeInto(new GigiApiException("You need to include an email in this certificate."));
421             }
422         }
423
424         if (ctx.getTarget() instanceof Organisation) {
425             Organisation org = (Organisation) ctx.getTarget();
426             subject.put("O", org.getName());
427             subject.put("C", org.getState().getCode());
428             subject.put("ST", org.getProvince());
429             subject.put("L", org.getCity());
430             if (ou != null) {
431                 subject.put("OU", ou);
432             }
433         }
434         System.out.println(subject);
435         if ( !error.isEmpty()) {
436             throw error;
437         }
438         try {
439             if (RATE_LIMIT.isLimitExceeded(Integer.toString(ctx.getActor().getId()))) {
440                 throw new GigiApiException("Rate Limit Exceeded");
441             }
442             return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest, //
443                     this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
444         } catch (IOException e) {
445             e.printStackTrace();
446         }
447         return null;
448     }
449
450     // 100 per 10 minutes
451     public static final RateLimit RATE_LIMIT = new RateLimit(100, 10 * 60 * 1000);
452
453     private String verifyName(GigiApiException error, PropertyTemplate nameTemp, PropertyTemplate wotUserTemp, String verifiedCN) {
454         // real names,
455         // possible configurations: name {y,null,?}, name=WoTUser {y,null}
456         // semantics:
457         // y * -> real
458         // null y -> default
459         // null null -> null
460         // ? y -> real, default
461         // ? null -> real, default, null
462         boolean realIsOK = false;
463         boolean nullIsOK = false;
464         boolean defaultIsOK = false;
465         if (wotUserTemp != null && ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple())) {
466             error.mergeInto(new GigiApiException("Internal configuration error detected."));
467         }
468         if (nameTemp != null && nameTemp.isRequired() && !nameTemp.isMultiple()) {
469             realIsOK = true;
470         } else if (nameTemp == null) {
471             defaultIsOK = wotUserTemp != null;
472             nullIsOK = !defaultIsOK;
473         } else if (nameTemp != null && !nameTemp.isRequired() && !nameTemp.isMultiple()) {
474             realIsOK = true;
475             defaultIsOK = true;
476             nullIsOK = wotUserTemp == null;
477         } else {
478             error.mergeInto(new GigiApiException("Internal configuration error detected."));
479         }
480         if (ctx.getTarget() instanceof User) {
481             User u = (User) ctx.getTarget();
482             if (name != null && u.isValidName(name)) {
483                 if (realIsOK) {
484                     verifiedCN = name;
485                 } else {
486                     error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
487                     if (defaultIsOK) {
488                         name = DEFAULT_CN;
489                     } else if (nullIsOK) {
490                         name = "";
491                     }
492                 }
493             } else if (name != null && name.equals(DEFAULT_CN)) {
494                 if (defaultIsOK) {
495                     verifiedCN = name;
496                 } else {
497                     error.mergeInto(new GigiApiException("The default name is not allowed in this certificate."));
498                     if (nullIsOK) {
499                         name = "";
500                     } else if (realIsOK) {
501                         name = u.getPreferredName().toString();
502                     }
503                 }
504             } else if (name == null || name.equals("")) {
505                 if (nullIsOK) {
506                     verifiedCN = "";
507                 } else {
508                     error.mergeInto(new GigiApiException("A name is required in this certificate."));
509                     if (defaultIsOK) {
510                         name = DEFAULT_CN;
511                     } else if (realIsOK) {
512                         name = u.getPreferredName().toString();
513                     }
514                 }
515             } else {
516                 error.mergeInto(new GigiApiException("The name you entered was invalid."));
517
518             }
519             if (wotUserTemp != null) {
520                 if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) {
521                     error.mergeInto(new GigiApiException("Internal configuration error detected."));
522                 }
523                 if ( !name.equals(DEFAULT_CN)) {
524                     name = DEFAULT_CN;
525                     error.mergeInto(new GigiApiException("You may not change the name for this certificate type."));
526                 } else {
527                     verifiedCN = DEFAULT_CN;
528                 }
529
530             } else {
531                 if (nameTemp != null) {
532                     if (name.equals("")) {
533                         if (nameTemp.isRequired()) {
534                             // nothing, but required
535                             name = DEFAULT_CN;
536                             error.mergeInto(new GigiApiException("No name entered, but one was required."));
537                         } else {
538                             // nothing and not required
539
540                         }
541                     } else if (u.isValidName(name)) {
542                         verifiedCN = name;
543                     } else {
544                         if (nameTemp.isRequired()) {
545                             error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account, because a name is required for this certificate type."));
546                         } else if (name.equals(DEFAULT_CN)) {
547                             verifiedCN = DEFAULT_CN;
548                         } else {
549                             name = DEFAULT_CN;
550                             error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account or keep the default name."));
551                         }
552                     }
553                 } else {
554                     if ( !name.equals("")) {
555                         name = "";
556                         error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
557                     }
558                 }
559             }
560         } else {
561             if (realIsOK) {
562                 verifiedCN = name;
563             } else {
564                 verifiedCN = "";
565                 name = "";
566                 error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
567             }
568         }
569
570         return verifiedCN;
571     }
572 }
WPIA Certificate Web Issuance Platform