src/org/cacert/gigi/pages/account/certs/Certificates.java

   1 package org.cacert.gigi.pages.account.certs;
   2
   3 import java.io.IOException;
   4 import java.io.PrintWriter;
   5 import java.net.URLEncoder;
   6 import java.security.GeneralSecurityException;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.List;
  10 import java.util.Map;
  11
  12 import javax.servlet.ServletOutputStream;
  13 import javax.servlet.http.HttpServletRequest;
  14 import javax.servlet.http.HttpServletResponse;
  15
  16 import org.cacert.gigi.dbObjects.Certificate;
  17 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
  18 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  19 import org.cacert.gigi.dbObjects.CertificateOwner;
  20 import org.cacert.gigi.dbObjects.Organisation;
  21 import org.cacert.gigi.dbObjects.SupportedUser;
  22 import org.cacert.gigi.dbObjects.User;
  23 import org.cacert.gigi.localisation.Language;
  24 import org.cacert.gigi.output.TrustchainIterable;
  25 import org.cacert.gigi.output.template.Form;
  26 import org.cacert.gigi.output.template.IterableDataset;
  27 import org.cacert.gigi.output.template.Template;
  28 import org.cacert.gigi.pages.HandlesMixedRequest;
  29 import org.cacert.gigi.pages.LoginPage;
  30 import org.cacert.gigi.pages.Page;
  31 import org.cacert.gigi.util.AuthorizationContext;
  32 import org.cacert.gigi.util.CertExporter;
  33 import org.cacert.gigi.util.PEM;
  34
  35 public class Certificates extends Page implements HandlesMixedRequest {
  36
  37     private static final Template certDisplay = new Template(Certificates.class.getResource("CertificateDisplay.templ"));
  38
  39     public static final String PATH = "/account/certs";
  40
  41     public static final String SUPPORT_PATH = "/support/certs";
  42
  43     private final boolean support;
  44
  45     public Certificates(boolean support) {
  46         super(support ? "Support Certificates" : "Certificates");
  47         this.support = support;
  48     }
  49
  50     @Override
  51     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  52         if ("POST".equals(req.getMethod())) {
  53             return beforePost(req, resp);
  54         }
  55
  56         String pi = req.getPathInfo().substring(PATH.length());
  57         if (pi.length() == 0) {
  58             return false;
  59         }
  60         pi = pi.substring(1);
  61         boolean crt = false;
  62         boolean cer = false;
  63         resp.setContentType("application/pkix-cert");
  64         if (req.getParameter("install") != null) {
  65             resp.setContentType("application/x-x509-user-cert");
  66         }
  67         if (pi.endsWith(".crt")) {
  68             crt = true;
  69             pi = pi.substring(0, pi.length() - 4);
  70         } else if (pi.endsWith(".cer")) {
  71             cer = true;
  72             pi = pi.substring(0, pi.length() - 4);
  73         }
  74         String serial = pi;
  75         try {
  76             Certificate c = Certificate.getBySerial(serial);
  77             if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
  78                 resp.sendError(404);
  79                 return true;
  80             }
  81             if ( !crt && !cer) {
  82                 return false;
  83             }
  84             ServletOutputStream out = resp.getOutputStream();
  85             boolean doChain = req.getParameter("chain") != null;
  86             boolean includeAnchor = req.getParameter("noAnchor") == null;
  87             boolean includeLeaf = req.getParameter("noLeaf") == null;
  88             if (crt) {
  89                 CertExporter.writeCertCrt(c, out, doChain, includeAnchor, includeLeaf);
  90             } else if (cer) {
  91                 CertExporter.writeCertCer(c, out, doChain, includeAnchor);
  92             }
  93         } catch (IllegalArgumentException e) {
  94             resp.sendError(404);
  95             return true;
  96         } catch (GeneralSecurityException e) {
  97             resp.sendError(404);
  98             return true;
  99         }
 100
 101         return true;
 102     }
 103
 104     @Override
 105     public boolean beforePost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 106         if (support && "revoke".equals(req.getParameter("action"))) {
 107             if (Form.getForm(req, RevokeSingleCertForm.class).submitExceptionProtected(req)) {
 108                 resp.sendRedirect(req.getPathInfo());
 109                 return true;
 110             }
 111             return false;
 112         }
 113         if ( !req.getPathInfo().equals(PATH)) {
 114             resp.sendError(500);
 115             return true;
 116         }
 117         if (Form.getForm(req, CertificateModificationForm.class).submitExceptionProtected(req)) {
 118             resp.sendRedirect(PATH);
 119             return true;
 120         }
 121         return false;
 122     }
 123
 124     @Override
 125     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 126         if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
 127             return;// Block actions by get parameters.
 128         }
 129
 130         if (support && "revoke".equals(req.getParameter("action"))) {
 131             if (Form.printFormErrors(req, resp.getWriter())) {
 132                 Form.getForm(req, RevokeSingleCertForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 133             }
 134             return;
 135         }
 136         if ( !req.getPathInfo().equals(PATH)) {
 137             resp.sendError(500);
 138             return;
 139         }
 140         Form.getForm(req, CertificateModificationForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 141     }
 142
 143     @Override
 144     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 145         PrintWriter out = resp.getWriter();
 146         String pi = req.getPathInfo().substring(PATH.length());
 147         if (pi.length() != 0) {
 148             pi = pi.substring(1);
 149
 150             String serial = pi;
 151             Certificate c = Certificate.getBySerial(serial);
 152             Language l = LoginPage.getLanguage(req);
 153
 154             if ( !support && (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
 155                 resp.sendError(404);
 156                 return;
 157             }
 158             HashMap<String, Object> vars = new HashMap<>();
 159             vars.put("serial", URLEncoder.encode(serial, "UTF-8"));
 160
 161             CertificateStatus st = c.getStatus();
 162
 163             if (support) {
 164                 vars.put("support", "support");
 165                 CertificateOwner user = c.getOwner();
 166                 if (st == CertificateStatus.ISSUED) {
 167                     if (user instanceof User) {
 168                         vars.put("revokeForm", new RevokeSingleCertForm(req, c, new SupportedUser((User) user, getUser(req), LoginPage.getAuthorizationContext(req).getSupporterTicketId())));
 169                     }
 170                 }
 171             }
 172
 173             CertificateOwner co = c.getOwner();
 174             int ownerId = co.getId();
 175             vars.put("certid", c.getStatus());
 176             if (co instanceof Organisation) {
 177                 vars.put("type", l.getTranslation("Organisation Acount"));
 178                 vars.put("name", Organisation.getById(ownerId).getName());
 179                 vars.put("link", ""); // TODO
 180             } else {
 181                 vars.put("type", l.getTranslation("Personal Account"));
 182                 vars.put("name", User.getById(ownerId).getPreferredName());
 183                 vars.put("link", "/support/user/" + ownerId + "/");
 184             }
 185             vars.put("status", c.getStatus());
 186             vars.put("DN", c.getDistinguishedName());
 187             vars.put("digest", c.getMessageDigest());
 188             vars.put("profile", c.getProfile().getVisibleName());
 189             vars.put("fingerprint", "TBD"); // TODO function needs to be
 190                                             // implemented in Certificate.java
 191             try {
 192
 193                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
 194                     X509Certificate certx = c.cert();
 195                     vars.put("issued", certx.getNotBefore());
 196                     vars.put("expire", certx.getNotAfter());
 197                     vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
 198                 } else {
 199                     vars.put("issued", l.getTranslation("N/A"));
 200                     vars.put("expire", l.getTranslation("N/A"));
 201                     vars.put("cert", l.getTranslation("N/A"));
 202                 }
 203                 if (st == CertificateStatus.REVOKED) {
 204                     vars.put("revoked", c.getRevocationDate());
 205                 } else {
 206                     vars.put("revoked", l.getTranslation("N/A"));
 207                 }
 208                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
 209                     vars.put("trustchain", new TrustchainIterable(c.getParent()));
 210                     try {
 211                         vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
 212                     } catch (GeneralSecurityException e) {
 213                         e.printStackTrace();
 214                     }
 215                 } else {
 216                     vars.put("trustchain", l.getTranslation("N/A"));
 217                     vars.put("cert", l.getTranslation("N/A"));
 218                 }
 219                 final List<SubjectAlternateName> san = c.getSANs();
 220                 vars.put("san", new IterableDataset() {
 221
 222                     int j = 0;
 223
 224                     @Override
 225                     public boolean next(Language l, Map<String, Object> vars) {
 226                         if (j == san.size()) {
 227                             return false;
 228                         }
 229                         vars.put("entry", san.get(j).getName() + (j < san.size() - 1 ? ", " : ""));
 230                         j++;
 231                         return true;
 232                     }
 233                 });
 234                 vars.put("login", c.isLoginEnabled());
 235             } catch (GeneralSecurityException e) {
 236                 e.printStackTrace();
 237             }
 238             certDisplay.output(out, getLanguage(req), vars);
 239
 240             return;
 241         }
 242
 243         HashMap<String, Object> vars = new HashMap<String, Object>();
 244         new CertificateModificationForm(req, req.getParameter("withRevoked") != null).output(out, getLanguage(req), vars);
 245     }
 246
 247     @Override
 248     public boolean isPermitted(AuthorizationContext ac) {
 249         if (ac == null) {
 250             return false;
 251         }
 252         if (support) {
 253             return ac.canSupport();
 254         } else {
 255             return true;
 256         }
 257     }
 258 }