import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
-import javax.servlet.http.HttpServletRequest;
-
import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.crypto.SPKAC;
import org.cacert.gigi.dbObjects.Certificate;
import org.cacert.gigi.dbObjects.CertificateProfile;
import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
import org.cacert.gigi.dbObjects.Digest;
+import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.output.template.Scope;
import org.cacert.gigi.output.template.SprintfCommand;
import org.cacert.gigi.util.AuthorizationContext;
+import org.cacert.gigi.util.CAA;
+import org.cacert.gigi.util.DomainAssessment;
import org.cacert.gigi.util.PEM;
+import org.cacert.gigi.util.RateLimit;
import sun.security.pkcs.PKCS9Attribute;
import sun.security.pkcs10.PKCS10;
return profile;
}
- public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr, PrintWriter out, HttpServletRequest req) throws GigiApiException {
+ public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr) throws GigiApiException {
GigiApiException error = new GigiApiException();
this.name = nameIn;
if (hashAlg != null) {
throw error;
}
- verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget());
+ verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget(), ctx.getActor());
if ( !error.isEmpty()) {
throw error;
return true;
}
- private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner) {
+ private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner, User user) {
Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
PropertyTemplate domainTemp = p.getTemplates().get("domain");
PropertyTemplate emailTemp = p.getTemplates().get("email");
for (SubjectAlternateName san : sANs2) {
if (san.getType() == SANType.DNS) {
if (domainTemp != null && owner.isValidDomain(san.getName())) {
- if (pDNS != null && !domainTemp.isMultiple()) {
+ boolean valid;
+ try {
+ DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
+ valid = true;
+ } catch (GigiApiException e) {
+ valid = false;
+ }
+ if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
// remove
} else {
if (pDNS == null) {
}
}
}
- HashMap<String, Object> vars = new HashMap<>();
- vars.put("SAN", san.getType().toString().toLowerCase() + ":" + san.getName());
- error.mergeInto(new GigiApiException(new Scope(new SprintfCommand(//
- "The requested Subject alternate name \"{0}\" has been removed.", Arrays.asList("${SAN}")), vars)));
+ error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+ "The requested subject alternate name (SAN) \"{0}\" has been removed.", san.getType().toString().toLowerCase() + ":" + san.getName())));
}
SANs = filteredSANs;
}
PropertyTemplate emailTemp = profile.getTemplates().get("email");
PropertyTemplate nameTemp = profile.getTemplates().get("name");
PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
- verifySANs(error, profile, SANs, ctx.getTarget());
+ verifySANs(error, profile, SANs, ctx.getTarget(), ctx.getActor());
// Ok, let's determine the CN
// the CN is
throw error;
}
try {
+ if (RATE_LIMIT.isLimitExceeded(Integer.toString(ctx.getActor().getId()))) {
+ throw new GigiApiException("Rate Limit Exceeded");
+ }
return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest, //
this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
} catch (IOException e) {
return null;
}
+ // 100 per 10 minutes
+ public static final RateLimit RATE_LIMIT = new RateLimit(100, 10 * 60 * 1000);
+
private String verifyName(GigiApiException error, PropertyTemplate nameTemp, PropertyTemplate wotUserTemp, String verifiedCN) {
// real names,
// possible configurations: name {y,null,?}, name=WoTUser {y,null}
if (nullIsOK) {
name = "";
} else if (realIsOK) {
- name = u.getName().toString();
+ name = u.getPreferredName().toString();
}
}
} else if (name == null || name.equals("")) {
if (defaultIsOK) {
name = DEFAULT_CN;
} else if (realIsOK) {
- name = u.getName().toString();
+ name = u.getPreferredName().toString();
}
}
} else {
verifiedCN = name;
} else {
if (nameTemp.isRequired()) {
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account, because a name is required for this certificate type."));
} else if (name.equals(DEFAULT_CN)) {
verifiedCN = DEFAULT_CN;
} else {
name = DEFAULT_CN;
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account or keep the default name."));
}
}
} else {
projects / gigi.git / blobdiff