- try {
- if (csr != null) {
- byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
- PKCS10 parsed = new PKCS10(data);
- PKCS10Attributes atts = parsed.getAttributes();
-
- for (PKCS10Attribute b : atts.getAttributes()) {
-
- if ( !b.getAttributeId().equals((Object) PKCS9Attribute.EXTENSION_REQUEST_OID)) {
- // unknown attrib
- continue;
- }
-
- for (RDN r : parsed.getSubjectName().rdns()) {
- for (AVA a : r.avas()) {
- if (a.getObjectIdentifier().equals((Object) PKCS9Attribute.EMAIL_ADDRESS_OID)) {
- SANs.add(new SubjectAlternateName(SANType.EMAIL, a.getValueString()));
- } else if (a.getObjectIdentifier().equals((Object) X500Name.commonName_oid)) {
- String value = a.getValueString();
- if (value.contains(".") && !value.contains(" ")) {
- SANs.add(new SubjectAlternateName(SANType.DNS, value));
- } else {
- CN = value;
- }
- } else if (a.getObjectIdentifier().equals((Object) PKIXExtensions.SubjectAlternativeName_Id)) {
- // parse invalid SANs
- }
- }
- }
-
- for (Extension c : ((CertificateExtensions) b.getAttributeValue()).getAllExtensions()) {
- if (c instanceof SubjectAlternativeNameExtension) {
-
- SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension) c;
- GeneralNames obj = san.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
- for (int i = 0; i < obj.size(); i++) {
- GeneralName generalName = obj.get(i);
- GeneralNameInterface peeled = generalName.getName();
- if (peeled instanceof DNSName) {
- SANs.add(new SubjectAlternateName(SANType.DNS, ((DNSName) peeled).getName()));
- } else if (peeled instanceof RFC822Name) {
- SANs.add(new SubjectAlternateName(SANType.EMAIL, ((RFC822Name) peeled).getName()));
- }
- }
- } else if (c instanceof ExtendedKeyUsageExtension) {
- ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
- for (String s : ekue.getExtendedKeyUsage()) {
- if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) {
- // server
- profile = CertificateProfile.getByName("server");
- } else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) {
- // client
- profile = CertificateProfile.getByName("client");
- } else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) {
- // code sign
- } else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) {
- // emailProtection
- profile = CertificateProfile.getByName("mail");
- } else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) {
- // timestamp
- } else if (s.equals(OID_KEY_USAGE_OCSP.toString())) {
- // OCSP
- }
- }
- } else {
- // Unknown requested extension
- }
- }
-
- }
- out.println(parsed.getSubjectName().getCommonName());
- out.println(parsed.getSubjectName().getCountry());
-
- out.println("CSR DN: " + parsed.getSubjectName() + "<br/>");
- PublicKey pk = parsed.getSubjectPublicKeyInfo();
- checkKeyStrength(pk, out);
- String sign = getSignatureAlgorithm(data);
- guessDigest(sign);
-
- out.println("<br/>digest: " + sign + "<br/>");
-
- this.csr = csr;
- this.csrType = CSRType.CSR;
- } else if (spkac != null) {
- String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
- byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
- SPKAC parsed = new SPKAC(data);
- if ( !parsed.getChallenge().equals(spkacChallenge)) {
- throw new GigiApiException("Challenge mismatch");
- }
- checkKeyStrength(parsed.getPubkey(), out);
- String sign = getSignatureAlgorithm(data);
- guessDigest(sign);
- out.println("<br/>digest: " + sign + "<br/>");
-
- // spkacChallenge
- this.csr = "SPKAC=" + cleanedSPKAC;
- this.csrType = CSRType.SPKAC;
-
- } else {
- login = "1".equals(req.getParameter("login"));
- issueDate.update(req);
- CN = req.getParameter("CN");
- String hashAlg = req.getParameter("hash_alg");
- if (hashAlg != null) {
- selectedDigest = Digest.valueOf(hashAlg);
- }
- profile = CertificateProfile.getByName(req.getParameter("profile"));
- String newOrgStr = req.getParameter("org");
- if (newOrgStr != null) {
- Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
- if (neworg == null || u.getOrganisations().contains(neworg)) {
- org = neworg;
- } else {
- outputError(out, req, "Selected Organisation is not part of your account.");
- }
- }
- ou = req.getParameter("OU");
- if ( !u.canIssue(profile)) {
- profile = CertificateProfile.getById(1);
- outputError(out, req, "Certificate Profile is invalid.");
- return false;
- }
-
- String pDNS = null;
- String pMail = null;
- Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
- boolean server = profile.getKeyName().equals("server");
- for (SubjectAlternateName san : parseSANBox(req.getParameter("SANs"))) {
- if (san.getType() == SANType.DNS) {
- if (u.isValidDomain(san.getName()) && server) {
- if (pDNS == null) {
- pDNS = san.getName();
- }
- filteredSANs.add(san);
- continue;
- }
- } else if (san.getType() == SANType.EMAIL) {
- if (u.isValidEmail(san.getName()) && !server) {
- if (pMail == null) {
- pMail = san.getName();
- }
- filteredSANs.add(san);
- continue;
- }
- }
- outputError(out, req, "The requested Subject alternate name \"%s\" has been removed.",//
- san.getType().toString().toLowerCase() + ":" + san.getName());
- }
- SANs = filteredSANs;
- if ( !u.isValidName(CN) && !server && !CN.equals(DEFAULT_CN)) {
- CN = DEFAULT_CN;
- outputError(out, req, "The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account.");
- }
-
- HashMap<String, String> subject = new HashMap<>();
- if (server && pDNS != null) {
- subject.put("CN", pDNS);
- if (pMail != null) {
- outputError(out, req, "No email is included in this certificate.");
- }
- if (CN.equals("")) {
- CN = "";
- outputError(out, req, "No real name is included in this certificate. The real name, you entered will be ignored.");
- }
- } else {
- subject.put("CN", CN);
- if (pMail != null) {
- subject.put("EMAIL", pMail);
- }
- }
- if (org != null) {
- subject.put("O", org.getName());
- subject.put("C", org.getState());
- subject.put("ST", org.getProvince());
- subject.put("L", org.getCity());
- subject.put("OU", ou);
- }
- if (req.getParameter("CCA") == null) {
- outputError(out, req, "You need to accept the CCA.");
- }
- if (isFailed(out)) {
- return false;
- }
-
- result = new Certificate(LoginPage.getUser(req), subject, selectedDigest.toString(), //
- this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
- result.issue(issueDate.getFrom(), issueDate.getTo()).waitFor(60000);
- return true;