X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Fclub%2Fwpia%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;h=cdf4dd41eed765b5959cb979d571a9462d0bd89f;hp=2755b18f974870902e1bdde2b8286c03db883d12;hb=753ce950283248b931ee9da5158c88156c21e17d;hpb=bccd4cc0dba0f89aa045b113bac46eb8cc1dab4e
diff --git a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
index 2755b18f..cdf4dd41 100644
--- a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
@@ -16,23 +16,26 @@ import java.util.TreeSet;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.crypto.SPKAC;
+import club.wpia.gigi.crypto.key.KeyCheck;
 import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Certificate.SANType;
+import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
 import club.wpia.gigi.dbObjects.CertificateOwner;
 import club.wpia.gigi.dbObjects.CertificateProfile;
+import club.wpia.gigi.dbObjects.CertificateProfile.PropertyTemplate;
 import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.Organisation;
 import club.wpia.gigi.dbObjects.User;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Certificate.SANType;
-import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
-import club.wpia.gigi.dbObjects.CertificateProfile.PropertyTemplate;
 import club.wpia.gigi.output.template.SprintfCommand;
 import club.wpia.gigi.util.AuthorizationContext;
 import club.wpia.gigi.util.CAA;
 import club.wpia.gigi.util.DomainAssessment;
 import club.wpia.gigi.util.PEM;
 import club.wpia.gigi.util.RateLimit;
+import club.wpia.gigi.util.ServerConstants;
+import club.wpia.gigi.util.TimeConditions;
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.pkcs10.PKCS10;
 import sun.security.pkcs10.PKCS10Attribute;
@@ -57,7 +60,7 @@ import sun.security.x509.X500Name;
 public class CertificateRequest {
- public static final String DEFAULT_CN = "SomeCA User";
+ public static final String DEFAULT_CN = ServerConstants.getAppName() + " User";
 public static final ObjectIdentifier OID_KEY_USAGE_SSL_SERVER = ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 3, 1 
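Review bot: A `static final` initialised from `ServerConstants.getAppName()` is evaluated exactly once, when `CertificateRequest` is first loaded, so `DEFAULT_CN` will carry whatever the app name was at that moment; if that name comes from configuration that can be reloaded, or is set by a test harness after the class has already been touched, the constant will be stale. `ServerConstants` is not visible here, so this may be perfectly fine in practice, but the assumption deserves a line above the field: `// Evaluated once at class init: ServerConstants must be fully configured before this class loads.` The import hunk above is a pure reorder and needs nothing.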
@@ -107,11 +110,11 @@ public class CertificateRequest {
 this(c, csr, (CertificateProfile) null);
 }
- public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
+ public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException, GigiApiException {
 this.ctx = ctx;
 if (cp != null) {
 profile = cp;
- } else if (ctx.getActor().getAssurancePoints() > 50) {
+ } else if (ctx.getActor().getVerificationPoints() > 50) {
 profile = CertificateProfile.getByName("client-a");
 }
 byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
@@ -160,7 +163,7 @@ public class CertificateRequest {
 } else if (c instanceof ExtendedKeyUsageExtension) {
 ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
 String appendix = "";
- if (ctx.getActor().getAssurancePoints() >= 50) {
+ if (ctx.getActor().getVerificationPoints() >= 50) {
 appendix = "-a";
 }
 for (String s : ekue.getExtendedKeyUsage()) {
@@ -189,6 +192,8 @@ public class CertificateRequest {
 }
 this.SANs = SANs;
 pk = parsed.getSubjectPublicKeyInfo();
+ KeyCheck.checkKey(pk);
+ String sign = getSignatureAlgorithm(data);
 guessDigest(sign);
@@ -205,12 +210,13 @@ public class CertificateRequest {
 throw new GigiApiException("Challenge mismatch");
 }
 pk = parsed.getPubkey();
+ KeyCheck.checkKey(pk);
+ String sign = getSignatureAlgorithm(data);
 guessDigest(sign);
 this.SANs = new HashSet<>();
 this.csr = "SPKAC=" + cleanedSPKAC;
 this.csrType = CSRType.SPKAC;
- }
 private static String getSignatureAlgorithm(byte[] data) throws IOException { 
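Review bot: The rewritten constructor signature still declares `IOException` twice (`throws GeneralSecurityException, IOException, IOException, GigiApiException`); since the line is being edited anyway, drop the duplicate. The two verification-point thresholds that the rename touches also disagree at the boundary: the default-profile branch uses `> 50` while the extended-key-usage appendix uses `>= 50`, so an actor with exactly 50 points gets `-a` EKU names but not the `client-a` default profile. That asymmetry predates this commit, but if it is unintentional both comparisons should go through one constant, e.g. `private static final int ASSURED_POINTS = 50;` with a single comparison direction, and if it is intentional a comment on one of the two lines saying so would stop the next reader from "fixing" it. The constructor body continues past the first hunk.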
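Review bot: `KeyCheck.checkKey(pk)` is presumably what makes the constructor throw `GigiApiException` (the signature in the first hunk gains it), but neither call site nor the signature says what is rejected; add `@throws GigiApiException if KeyCheck rejects the submitted public key, or (SPKAC) the challenge does not match` to the constructor's documentation. In the CSR path the check necessarily runs after all extension and SAN processing because `pk` is only read from `parsed` at that point, which is acceptable, but whether `checkKey` covers proof of possession is not visible here — if `parsed` is a `sun.security.pkcs10.PKCS10` built from the raw bytes, its constructor verifies the CSR self-signature at parse time, and a one-line comment at the call, `// key policy only; the PKCS10 parse above already verified the CSR self-signature`, would keep that invariant from being lost in a later refactor. Both constructor bodies start and end outside these hunks.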
@@ -351,8 +357,8 @@ public class CertificateRequest {
 valid = false;
 }
 }
- } else if (san.getType() == SANType.EMAIL) {
- if (emailTemp != null && owner.isValidEmail(san.getName())) {
+ } else if (san.getType() == SANType.EMAIL && emailTemp != null) {
+ if (owner.isValidEmail(san.getName())) {
 if (pMail != null && !emailTemp.isMultiple()) {
 // remove
 } else {
@@ -362,6 +368,11 @@ public class CertificateRequest {
 filteredSANs.add(san);
 continue;
 }
+ } else {
+ // remove
+ error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+ "The requested subject alternate name email address \"{0}\" needs an email ping within the past {1} months.", san.getType().toString().toLowerCase() + ":" + san.getName(), TimeConditions.getInstance().getEmailPingMonths())));
+ break;
 }
 }
 error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
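Review bot: The new `else` branch reports every `owner.isValidEmail()` failure as a stale email ping, but `isValidEmail` is not visible here and its name suggests it may also reject addresses that are not registered to the owner at all, in which case the message misleads; either distinguish the two reasons or neutralise the wording, e.g. `"The requested subject alternate name email address \"{0}\" is not a verified address of this account; a successful email ping within the past {1} months is required."`. The `// remove` comment copied into the branch does not describe it (the branch records an error and breaks), so replace it with `// Unusable SAN: record the reason and stop processing the request.`. `break` abandons the SAN loop at the first bad address, so a CSR with several stale addresses reports only one even though `error.mergeInto` accumulates; unless the generic fall-through below (cut off at the end of the hunk) also breaks, `continue` would give the submitter the full list in one round trip. `san.getType().toString().toLowerCase()` is locale-dependent; use `toLowerCase(Locale.ROOT)` for an enum name that is spliced into a message. The enclosing method starts and ends outside the hunk.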