]> WPIA git - gigi.git/blobdiff - src/org/cacert/gigi/pages/account/CertificateIssueForm.java
projects / gigi.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Better certificate content filtering.
[gigi.git] / src / org / cacert / gigi / pages / account / CertificateIssueForm.java
diff --git a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
index 3f5c1e5c42bdf80ac24b7a31576ee5f75416906c..e6a071e03f9c8a0630f3f0534ecd9b40cf271896 100644 (file)
--- a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
+++ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
@@ -76,7 +76,7 @@ public class CertificateIssueForm extends Form {
 
     String spkacChallenge;
 
-    String CN = DEFAULT_CN;
+    public String CN = DEFAULT_CN;
 
     Set<SubjectAlternateName> SANs = new LinkedHashSet<>();
 
@@ -196,29 +196,67 @@ public class CertificateIssueForm extends Form {
                     }
                     CertificateProfile profile = CertificateProfile.getByName(req.getParameter("profile"));
 
+                    String pDNS = null;
+                    String pMail = null;
                     Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
+                    boolean server = profile.getKeyName().equals("server");
+                    boolean dirty = false;
+                    ;
                     for (SubjectAlternateName san : parseSANBox(req.getParameter("SANs"))) {
                         if (san.getType() == SANType.DNS) {
-                            if (u.isValidDomain(san.getName())) {
+                            if (u.isValidDomain(san.getName()) && server) {
+                                if (pDNS == null) {
+                                    pDNS = san.getName();
+                                }
                                 filteredSANs.add(san);
                                 continue;
                             }
                         } else if (san.getType() == SANType.EMAIL) {
-                            if (u.isValidEmail(san.getName())) {
+                            if (u.isValidEmail(san.getName()) && !server) {
+                                if (pMail == null) {
+                                    pMail = san.getName();
+                                }
                                 filteredSANs.add(san);
                                 continue;
                             }
                         }
-                        // SAN blocked
+                        dirty = true;
+                        outputError(out, req, "The requested Subject alternate name \"%s\" has been removed.",//
+                                san.getType().toString().toLowerCase() + ":" + san.getName());
                     }
                     SANs = filteredSANs;
+                    if ( !u.isValidName(CN) && !server && !CN.equals(DEFAULT_CN)) {
+                        CN = DEFAULT_CN;
+                        outputError(out, req, "The real name entered cannot be verified with your account.");
+                    }
 
+                    final StringBuffer subject = new StringBuffer();
+                    if (server && pDNS != null) {
+                        subject.append("/commonName=");
+                        subject.append(pDNS);
+                        if (pMail != null) {
+                            outputError(out, req, "No email is included in this certificate.");
+                        }
+                        if (CN.equals("")) {
+                            CN = "";
+                            outputError(out, req, "No real name is included in this certificate.");
+                        }
+                    } else {
+                        subject.append("/commonName=");
+                        subject.append(CN);
+                        if (pMail != null) {
+                            subject.append("/emailAddress=");
+                            subject.append(pMail);
+                        }
+                    }
                     if (req.getParameter("CCA") == null) {
                         outputError(out, req, "You need to accept the CCA.");
+                    }
+                    if (isFailed(out)) {
                         return false;
                     }
 
-                    result = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", selectedDigest.toString(), //
+                    result = new Certificate(LoginPage.getUser(req).getId(), subject.toString(), selectedDigest.toString(), //
                             this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
                     result.issue().waitFor(60000);
                     return true;
@@ -226,8 +264,10 @@ public class CertificateIssueForm extends Form {
             } catch (IOException e) {
                 e.printStackTrace();
             } catch (IllegalArgumentException e) {
+                e.printStackTrace();
                 throw new GigiApiException("Certificate Request format is invalid.");
             } catch (GeneralSecurityException e) {
+                e.printStackTrace();
                 throw new GigiApiException("Certificate Request format is invalid.");
             } catch (InterruptedException e) {
                 e.printStackTrace();
@@ -241,7 +281,7 @@ public class CertificateIssueForm extends Form {
     }
 
     private TreeSet<SubjectAlternateName> parseSANBox(String SANs) {
-        String[] SANparts = SANs.split("[\r\n]+");
+        String[] SANparts = SANs.split("[\r\n]+|, *");
         TreeSet<SubjectAlternateName> parsedNames = new TreeSet<>();
         for (String SANline : SANparts) {
             String[] parts = SANline.split(":", 2);
WPIA Certificate Web Issuance Platform