import club.wpia.gigi.GigiApiException;
import club.wpia.gigi.crypto.SPKAC;
+import club.wpia.gigi.crypto.key.KeyCheck;
import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Certificate.SANType;
+import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
import club.wpia.gigi.dbObjects.CertificateOwner;
import club.wpia.gigi.dbObjects.CertificateProfile;
+import club.wpia.gigi.dbObjects.CertificateProfile.PropertyTemplate;
import club.wpia.gigi.dbObjects.Digest;
import club.wpia.gigi.dbObjects.Group;
import club.wpia.gigi.dbObjects.Organisation;
import club.wpia.gigi.dbObjects.User;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Certificate.SANType;
-import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
-import club.wpia.gigi.dbObjects.CertificateProfile.PropertyTemplate;
import club.wpia.gigi.output.template.SprintfCommand;
import club.wpia.gigi.util.AuthorizationContext;
import club.wpia.gigi.util.CAA;
import club.wpia.gigi.util.DomainAssessment;
import club.wpia.gigi.util.PEM;
import club.wpia.gigi.util.RateLimit;
+import club.wpia.gigi.util.ServerConstants;
+import club.wpia.gigi.util.TimeConditions;
import sun.security.pkcs.PKCS9Attribute;
import sun.security.pkcs10.PKCS10;
import sun.security.pkcs10.PKCS10Attribute;
public class CertificateRequest {
- public static final String DEFAULT_CN = "SomeCA User";
+ public static final String DEFAULT_CN = ServerConstants.getAppName() + " User";
public static final ObjectIdentifier OID_KEY_USAGE_SSL_SERVER = ObjectIdentifier.newInternal(new int[] {
1, 3, 6, 1, 5, 5, 7, 3, 1
this(c, csr, (CertificateProfile) null);
}
- public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
+ public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException, GigiApiException {
this.ctx = ctx;
if (cp != null) {
profile = cp;
- } else if (ctx.getActor().getAssurancePoints() > 50) {
+ } else if (ctx.getActor().getVerificationPoints() > 50) {
profile = CertificateProfile.getByName("client-a");
}
byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
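Review bot: The profile fallback on line 43 tests `getVerificationPoints() > 50` while the extended-key-usage branch on line 51 tests `>= 50` for the same actor, so an actor with exactly 50 points receives the `-a` key-usage suffix but not the `client-a` profile; if both lines are meant to express the same eligibility, one of them should change, e.g. `} else if (ctx.getActor().getVerificationPoints() >= 50) {`. The rename from assurance to verification points preserves the old boundaries, so the mismatch is pre-existing, but this commit touches both lines and is the natural place to align them. The throws clause on line 38 also lists `IOException` twice; the duplicate can be dropped. The constructor body continues outside the hunk.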
} else if (c instanceof ExtendedKeyUsageExtension) {
ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
String appendix = "";
- if (ctx.getActor().getAssurancePoints() >= 50) {
+ if (ctx.getActor().getVerificationPoints() >= 50) {
appendix = "-a";
}
for (String s : ekue.getExtendedKeyUsage()) {
}
this.SANs = SANs;
pk = parsed.getSubjectPublicKeyInfo();
+ KeyCheck.checkKey(pk);
+
String sign = getSignatureAlgorithm(data);
guessDigest(sign);
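Review bot: `KeyCheck.checkKey(pk)` is inserted without a comment on lines 58 and 65, so a reader has to open KeyCheck to learn why it sits between key extraction and the signature-algorithm lookup; a one-line comment at both sites, e.g. `// reject keys that fail the configured key checks before the request is processed further`, would make the intent visible at the call site. Whether the check throws GigiApiException is not visible here, although the added `GigiApiException` on the constructor signature at line 38 suggests it; if so, mentioning that in the comment documents the new failure path for callers. The enclosing method starts outside the hunk.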
throw new GigiApiException("Challenge mismatch");
}
pk = parsed.getPubkey();
+ KeyCheck.checkKey(pk);
+
String sign = getSignatureAlgorithm(data);
guessDigest(sign);
this.SANs = new HashSet<>();
this.csr = "SPKAC=" + cleanedSPKAC;
this.csrType = CSRType.SPKAC;
-
}
private static String getSignatureAlgorithm(byte[] data) throws IOException {
valid = false;
}
}
- } else if (san.getType() == SANType.EMAIL) {
- if (emailTemp != null && owner.isValidEmail(san.getName())) {
+ } else if (san.getType() == SANType.EMAIL && emailTemp != null) {
+ if (owner.isValidEmail(san.getName())) {
if (pMail != null && !emailTemp.isMultiple()) {
// remove
} else {
filteredSANs.add(san);
continue;
}
+ } else {
+ // remove
+ error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+ "The requested subject alternate name email address \"{0}\" needs a verification via email ping within the past {1} months.", san.getType().toString().toLowerCase() + ":" + san.getName(), TimeConditions.getInstance().getEmailPingMonths())));
+ break;
}
}
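Review bot: The `break` on line 92 leaves the SAN loop at the first e-mail address that fails `owner.isValidEmail`, so any later SANs are neither filtered nor reported and the requester learns about only one problem per submission, whereas the accepted path on line 86 uses `continue` and the accumulated error is thrown anyway after the loop (line 101); replacing it with `continue` keeps the name out of `filteredSANs` and lets the remaining problems be merged into the same exception. The message on line 91 also assumes the only reason for the failure is a missing or stale e-mail ping; if `isValidEmail` can also fail for an address that is not attached to the owner at all (not visible here), that wording would be misleading for that case and a neutral phrasing or a separate check would be clearer. The enclosing method starts and ends outside the hunk.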
error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
subject.put("OU", ou);
}
}
- System.out.println(subject);
+
if ( !error.isEmpty()) {
throw error;
}
User u = (User) ctx.getTarget();
if (name != null && u.isValidName(name)) {
if (realIsOK) {
- verifiedCN = name;
+ if (u.isValidNameVerification(name)) {
+ verifiedCN = name;
+ } else {
+ error.mergeInto(new GigiApiException(SprintfCommand.createSimple("The entered name needs a valid verification within the last {0} months.", TimeConditions.getInstance().getVerificationMonths())));
+ }
} else {
error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
if (defaultIsOK) {