X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Fclub%2Fwpia%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;h=d9d090caa3e36aee24eb1296b50c41edc14b002e;hp=4158e9ba751bce4f06d9f65f9f02045c8d80e31f;hb=6ffbf3917844ee6e20f65db7f0b15cfc42315e5e;hpb=746ad94df76c1ea6ae017f8e56075fcdf0cf0d1f
diff --git a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
index 4158e9ba..d9d090ca 100644
--- a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
@@ -16,6 +16,7 @@ import java.util.TreeSet;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.crypto.SPKAC;
+import club.wpia.gigi.crypto.key.KeyCheck;
 import club.wpia.gigi.dbObjects.Certificate;
 import club.wpia.gigi.dbObjects.Certificate.CSRType;
 import club.wpia.gigi.dbObjects.Certificate.SANType;
@@ -34,6 +35,7 @@ import club.wpia.gigi.util.DomainAssessment;
 import club.wpia.gigi.util.PEM;
 import club.wpia.gigi.util.RateLimit;
 import club.wpia.gigi.util.ServerConstants;
+import club.wpia.gigi.util.TimeConditions;
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.pkcs10.PKCS10;
 import sun.security.pkcs10.PKCS10Attribute;
@@ -108,7 +110,7 @@ public class CertificateRequest {
         this(c, csr, (CertificateProfile) null);
     }
-    public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
+    public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException, GigiApiException {
         this.ctx = ctx;
         if (cp != null) {
             profile = cp;
@@ -190,6 +192,8 @@ public class CertificateRequest {
         }
         this.SANs = SANs;
         pk = parsed.getSubjectPublicKeyInfo();
+        KeyCheck.checkKey(pk);
+
         String sign = getSignatureAlgorithm(data);
         guessDigest(sign);
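Review bot: The changed throws clause still lists IOException twice, `throws GeneralSecurityException, IOException, IOException, GigiApiException`; since the line is being rewritten anyway, drop the duplicate: `throws GeneralSecurityException, IOException, GigiApiException`. The constructor body continues outside the hunk.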
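Review bot: The new `KeyCheck.checkKey(pk)` call carries no comment explaining what it rejects or that it is expected to abort the request by throwing, which appears to be why GigiApiException was added to the constructor's throws clause in the hunk above; a line such as `// Reject public keys that fail the key checks before the request is processed any further.` would make the intent clear to the next reader. The same two lines are added again in the SPKAC branch of the next hunk (@@ -206), so the sequence `KeyCheck.checkKey(pk); String sign = getSignatureAlgorithm(data); guessDigest(sign);` now appears verbatim in both branches — if `data` is the same object on both paths, hoisting it below the branch would keep a single call site. The enclosing constructor starts outside the hunk.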
@@ -206,12 +210,13 @@ public class CertificateRequest {
                 throw new GigiApiException("Challenge mismatch");
             }
             pk = parsed.getPubkey();
+            KeyCheck.checkKey(pk);
+
             String sign = getSignatureAlgorithm(data);
             guessDigest(sign);
             this.SANs = new HashSet<>();
             this.csr = "SPKAC=" + cleanedSPKAC;
             this.csrType = CSRType.SPKAC;
-
         }
     private static String getSignatureAlgorithm(byte[] data) throws IOException {
@@ -352,8 +357,8 @@ public class CertificateRequest {
                     valid = false;
                 }
             }
-        } else if (san.getType() == SANType.EMAIL) {
-            if (emailTemp != null && owner.isValidEmail(san.getName())) {
+        } else if (san.getType() == SANType.EMAIL && emailTemp != null) {
+            if (owner.isValidEmail(san.getName())) {
                 if (pMail != null && !emailTemp.isMultiple()) {
                     // remove
                 } else {
@@ -363,6 +368,11 @@ public class CertificateRequest {
                     filteredSANs.add(san);
                     continue;
                 }
+            } else {
+                // remove
+                error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+                        "The requested subject alternate name email address \"{0}\" needs a verification via email ping within the past {1} months.", san.getType().toString().toLowerCase() + ":" + san.getName(), TimeConditions.getInstance().getEmailPingMonths())));
+                break;
             }
         }
         error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
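Review bot: The `break;` at the end of the new else branch in @@ -363 leaves the SAN loop entirely, so every SAN after the rejected e-mail address is neither validated nor added to filteredSANs and no error is merged for it — the caller sees one message and silently loses the rest of the request. The other removal paths in this loop appear to fall through to the generic error below and carry on with the next entry, so `continue;` looks like the intended statement here (it skips the generic message because a specific one has just been merged). The message text also asserts that an e-mail ping within the past N months is what is missing, but the branch is entered for any address that `owner.isValidEmail` rejects; if that method also fails for addresses that are not on the account at all, the wording would be misleading and should be generalized. The loop header and its end are outside the hunk, so the post-loop handling is inferred.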