X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateIssueForm.java;h=5712190bcd8f84e66329637fd9644e1e78806abe;hp=f6b35f9644d0c61a5c430db7bd87740034d133e6;hb=dc10b875c132eb7840a6b9827ec93916076d34f7;hpb=da72882d9ff14bd4077d9f71ae134a67581c49cb diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java index f6b35f96..5712190b 100644 --- a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java +++ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java @@ -3,127 +3,46 @@ package org.cacert.gigi.pages.account.certs; import java.io.IOException; import java.io.PrintWriter; import java.security.GeneralSecurityException; -import java.security.PublicKey; -import java.security.interfaces.DSAPublicKey; -import java.security.interfaces.ECPublicKey; -import java.security.interfaces.RSAPublicKey; -import java.util.Base64; import java.util.HashMap; -import java.util.Iterator; -import java.util.LinkedHashSet; -import java.util.List; import java.util.Map; -import java.util.Set; -import java.util.TreeSet; import javax.servlet.http.HttpServletRequest; import org.cacert.gigi.GigiApiException; -import org.cacert.gigi.crypto.SPKAC; import org.cacert.gigi.dbObjects.Certificate; -import org.cacert.gigi.dbObjects.Certificate.CSRType; -import org.cacert.gigi.dbObjects.Certificate.SANType; import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName; import org.cacert.gigi.dbObjects.CertificateProfile; -import org.cacert.gigi.dbObjects.Digest; import org.cacert.gigi.dbObjects.Organisation; -import org.cacert.gigi.dbObjects.User; import org.cacert.gigi.localisation.Language; import org.cacert.gigi.output.CertificateValiditySelector; -import org.cacert.gigi.output.Form; -import org.cacert.gigi.output.template.HashAlgorithms; +import org.cacert.gigi.output.HashAlgorithms; +import org.cacert.gigi.output.template.Form; import org.cacert.gigi.output.template.IterableDataset; import org.cacert.gigi.output.template.Template; import org.cacert.gigi.pages.LoginPage; import org.cacert.gigi.pages.Page; -import org.cacert.gigi.util.PEM; +import org.cacert.gigi.util.AuthorizationContext; import org.cacert.gigi.util.RandomToken; -import sun.security.pkcs.PKCS9Attribute; -import sun.security.pkcs10.PKCS10; -import sun.security.pkcs10.PKCS10Attribute; -import sun.security.pkcs10.PKCS10Attributes; -import sun.security.util.DerInputStream; -import sun.security.util.DerValue; -import sun.security.util.ObjectIdentifier; -import sun.security.x509.AVA; -import sun.security.x509.AlgorithmId; -import sun.security.x509.CertificateExtensions; -import sun.security.x509.DNSName; -import sun.security.x509.ExtendedKeyUsageExtension; -import sun.security.x509.Extension; -import sun.security.x509.GeneralName; -import sun.security.x509.GeneralNameInterface; -import sun.security.x509.GeneralNames; -import sun.security.x509.PKIXExtensions; -import sun.security.x509.RDN; -import sun.security.x509.RFC822Name; -import sun.security.x509.SubjectAlternativeNameExtension; -import sun.security.x509.X500Name; - /** * This class represents a form that is used for issuing certificates. This * class uses "sun.security" and therefore needs "-XDignore.symbol.file" */ public class CertificateIssueForm extends Form { - public static final String DEFAULT_CN = "CAcert WoT User"; - private final static Template t = new Template(CertificateIssueForm.class.getResource("CertificateIssueForm.templ")); private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ")); - public static final ObjectIdentifier OID_KEY_USAGE_SSL_SERVER = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 1 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_SSL_CLIENT = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 2 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_CODESIGN = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 3 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_EMAIL_PROTECTION = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 4 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_TIMESTAMP = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 8 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_OCSP = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 9 - }); - - private User u; - - private CSRType csrType; - - private String csr; + private AuthorizationContext c; private String spkacChallenge; - public String CN = DEFAULT_CN; - - private Set SANs = new LinkedHashSet<>(); - - private Digest selectedDigest = Digest.getDefault(); - - CertificateValiditySelector issueDate = new CertificateValiditySelector(); - private boolean login; - private CertificateProfile profile = CertificateProfile.getById(1); - - private String ou = ""; - - private Organisation org = null; - public CertificateIssueForm(HttpServletRequest hsr) { super(hsr); - u = Page.getUser(hsr); + c = LoginPage.getAuthorizationContext(hsr); spkacChallenge = RandomToken.generateToken(16); } @@ -133,10 +52,9 @@ public class CertificateIssueForm extends Form { return result; } - public static String escapeAVA(String value) { + private CertificateRequest cr; - return value.replace("\\", "\\\\").replace("/", "\\/"); - } + CertificateValiditySelector issueDate = new CertificateValiditySelector(); @Override public boolean submit(PrintWriter out, HttpServletRequest req) { @@ -145,201 +63,40 @@ public class CertificateIssueForm extends Form { try { try { if (csr != null) { - byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr); - PKCS10 parsed = new PKCS10(data); - PKCS10Attributes atts = parsed.getAttributes(); - - for (PKCS10Attribute b : atts.getAttributes()) { - - if ( !b.getAttributeId().equals((Object) PKCS9Attribute.EXTENSION_REQUEST_OID)) { - // unknown attrib - continue; - } - - for (RDN r : parsed.getSubjectName().rdns()) { - for (AVA a : r.avas()) { - if (a.getObjectIdentifier().equals((Object) PKCS9Attribute.EMAIL_ADDRESS_OID)) { - SANs.add(new SubjectAlternateName(SANType.EMAIL, a.getValueString())); - } else if (a.getObjectIdentifier().equals((Object) X500Name.commonName_oid)) { - String value = a.getValueString(); - if (value.contains(".") && !value.contains(" ")) { - SANs.add(new SubjectAlternateName(SANType.DNS, value)); - } else { - CN = value; - } - } else if (a.getObjectIdentifier().equals((Object) PKIXExtensions.SubjectAlternativeName_Id)) { - // parse invalid SANs - } - } - } - - for (Extension c : ((CertificateExtensions) b.getAttributeValue()).getAllExtensions()) { - if (c instanceof SubjectAlternativeNameExtension) { - - SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension) c; - GeneralNames obj = san.get(SubjectAlternativeNameExtension.SUBJECT_NAME); - for (int i = 0; i < obj.size(); i++) { - GeneralName generalName = obj.get(i); - GeneralNameInterface peeled = generalName.getName(); - if (peeled instanceof DNSName) { - SANs.add(new SubjectAlternateName(SANType.DNS, ((DNSName) peeled).getName())); - } else if (peeled instanceof RFC822Name) { - SANs.add(new SubjectAlternateName(SANType.EMAIL, ((RFC822Name) peeled).getName())); - } - } - } else if (c instanceof ExtendedKeyUsageExtension) { - ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c; - for (String s : ekue.getExtendedKeyUsage()) { - if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) { - // server - profile = CertificateProfile.getByName("server"); - } else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) { - // client - profile = CertificateProfile.getByName("client"); - } else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) { - // code sign - } else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) { - // emailProtection - profile = CertificateProfile.getByName("mail"); - } else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) { - // timestamp - } else if (s.equals(OID_KEY_USAGE_OCSP.toString())) { - // OCSP - } - } - } else { - // Unknown requested extension - } - } - - } - out.println(parsed.getSubjectName().getCommonName()); - out.println(parsed.getSubjectName().getCountry()); - - out.println("CSR DN: " + parsed.getSubjectName() + "
"); - PublicKey pk = parsed.getSubjectPublicKeyInfo(); - checkKeyStrength(pk, out); - String sign = getSignatureAlgorithm(data); - guessDigest(sign); - - out.println("
digest: " + sign + "
"); - - this.csr = csr; - this.csrType = CSRType.CSR; + cr = new CertificateRequest(c, csr); + cr.checkKeyStrength(out); } else if (spkac != null) { - String cleanedSPKAC = spkac.replaceAll("[\r\n]", ""); - byte[] data = Base64.getDecoder().decode(cleanedSPKAC); - SPKAC parsed = new SPKAC(data); - if ( !parsed.getChallenge().equals(spkacChallenge)) { - throw new GigiApiException("Challenge mismatch"); - } - checkKeyStrength(parsed.getPubkey(), out); - String sign = getSignatureAlgorithm(data); - guessDigest(sign); - out.println("
digest: " + sign + "
"); - - // spkacChallenge - this.csr = "SPKAC=" + cleanedSPKAC; - this.csrType = CSRType.SPKAC; - - } else { + cr = new CertificateRequest(c, spkac, spkacChallenge); + cr.checkKeyStrength(out); + } else if (cr != null) { login = "1".equals(req.getParameter("login")); issueDate.update(req); - CN = req.getParameter("CN"); - String hashAlg = req.getParameter("hash_alg"); - if (hashAlg != null) { - selectedDigest = Digest.valueOf(hashAlg); - } - profile = CertificateProfile.getByName(req.getParameter("profile")); - String newOrgStr = req.getParameter("org"); - if (newOrgStr != null) { - Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr)); - if (neworg == null || u.getOrganisations().contains(neworg)) { - org = neworg; - } else { - outputError(out, req, "Selected Organisation is not part of your account."); - } - } - ou = req.getParameter("OU"); - if ( !u.canIssue(profile)) { - profile = CertificateProfile.getById(1); - outputError(out, req, "Certificate Profile is invalid."); - return false; - } + GigiApiException error = new GigiApiException(); - String pDNS = null; - String pMail = null; - Set filteredSANs = new LinkedHashSet<>(); - boolean server = profile.getKeyName().equals("server"); - for (SubjectAlternateName san : parseSANBox(req.getParameter("SANs"))) { - if (san.getType() == SANType.DNS) { - if (u.isValidDomain(san.getName()) && server) { - if (pDNS == null) { - pDNS = san.getName(); - } - filteredSANs.add(san); - continue; - } - } else if (san.getType() == SANType.EMAIL) { - if (u.isValidEmail(san.getName()) && !server) { - if (pMail == null) { - pMail = san.getName(); - } - filteredSANs.add(san); - continue; - } - } - outputError(out, req, "The requested Subject alternate name \"%s\" has been removed.",// - san.getType().toString().toLowerCase() + ":" + san.getName()); - } - SANs = filteredSANs; - if ( !u.isValidName(CN) && !server && !CN.equals(DEFAULT_CN)) { - CN = DEFAULT_CN; - outputError(out, req, "The real name entered cannot be verified with your account."); - } - - final StringBuffer subject = new StringBuffer(); - if (server && pDNS != null) { - subject.append("/commonName="); - subject.append(escapeAVA(pDNS)); - if (pMail != null) { - outputError(out, req, "No email is included in this certificate."); - } - if (CN.equals("")) { - CN = ""; - outputError(out, req, "No real name is included in this certificate."); - } - } else { - subject.append("/commonName="); - subject.append(escapeAVA(CN)); - if (pMail != null) { - subject.append("/emailAddress="); - subject.append(escapeAVA(pMail)); - } - } - if (org != null) { - subject.append("/O="); - subject.append(escapeAVA(org.getName())); - subject.append("/C="); - subject.append(escapeAVA(org.getState())); - subject.append("/ST="); - subject.append(escapeAVA(org.getProvince())); - subject.append("/L="); - subject.append(escapeAVA(org.getCity())); - subject.append("/OU="); - subject.append(escapeAVA(ou)); + try { + cr.update(req.getParameter("CN"), req.getParameter("hash_alg"), req.getParameter("profile"), // + req.getParameter("org"), req.getParameter("OU"), req.getParameter("SANs"), out, req); + } catch (GigiApiException e) { + error.mergeInto(e); } if (req.getParameter("CCA") == null) { - outputError(out, req, "You need to accept the CCA."); + error.mergeInto(new GigiApiException("You need to accept the CCA.")); } - if (isFailed(out)) { + Certificate result = null; + try { + result = cr.draft(); + } catch (GigiApiException e) { + error.mergeInto(e); + } + if ( !error.isEmpty() || result == null) { + error.format(out, Page.getLanguage(req)); return false; } - - result = new Certificate(LoginPage.getUser(req), subject.toString(), selectedDigest.toString(), // - this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()])); - result.issue(issueDate.getFrom(), issueDate.getTo()).waitFor(60000); + result.issue(issueDate.getFrom(), issueDate.getTo(), c.getActor()).waitFor(60000); + this.result = result; return true; + } else { + throw new GigiApiException("Error no action."); } } catch (IOException e) { e.printStackTrace(); @@ -358,70 +115,9 @@ public class CertificateIssueForm extends Form { return false; } - private void guessDigest(String sign) { - if (sign.toLowerCase().startsWith("sha512")) { - selectedDigest = Digest.SHA512; - } else if (sign.toLowerCase().startsWith("sha384")) { - selectedDigest = Digest.SHA384; - } - } - - private TreeSet parseSANBox(String SANs) { - String[] SANparts = SANs.split("[\r\n]+|, *"); - TreeSet parsedNames = new TreeSet<>(); - for (String SANline : SANparts) { - String[] parts = SANline.split(":", 2); - if (parts.length == 1) { - if (parts[0].trim().equals("")) { - continue; - } - if (parts[0].contains("@")) { - parsedNames.add(new SubjectAlternateName(SANType.EMAIL, parts[0])); - } else { - parsedNames.add(new SubjectAlternateName(SANType.DNS, parts[0])); - } - continue; - } - try { - SANType t = Certificate.SANType.valueOf(parts[0].toUpperCase()); - if (t == null) { - continue; - } - parsedNames.add(new SubjectAlternateName(t, parts[1])); - } catch (IllegalArgumentException e) { - // invalid enum type - continue; - } - } - return parsedNames; - } - - private void checkKeyStrength(PublicKey pk, PrintWriter out) { - out.println("Type: " + pk.getAlgorithm() + "
"); - if (pk instanceof RSAPublicKey) { - out.println("Exponent: " + ((RSAPublicKey) pk).getPublicExponent() + "
"); - out.println("Length: " + ((RSAPublicKey) pk).getModulus().bitLength()); - } else if (pk instanceof DSAPublicKey) { - DSAPublicKey dpk = (DSAPublicKey) pk; - out.println("Length: " + dpk.getY().bitLength() + "
"); - out.println(dpk.getParams()); - } else if (pk instanceof ECPublicKey) { - ECPublicKey epk = (ECPublicKey) pk; - out.println("Length-x: " + epk.getW().getAffineX().bitLength() + "
"); - out.println("Length-y: " + epk.getW().getAffineY().bitLength() + "
"); - out.println(epk.getParams().getCurve()); - } - } - - private static String getSignatureAlgorithm(byte[] data) throws IOException { - DerInputStream in = new DerInputStream(data); - DerValue[] seq = in.getSequence(3); - return AlgorithmId.parse(seq[1]).getName(); - } - @Override public void output(PrintWriter out, Language l, Map vars) { - if (csr == null) { + if (cr == null) { HashMap vars2 = new HashMap(vars); vars2.put("csrf", getCSRFToken()); vars2.put("csrf_name", getCsrfFieldName()); @@ -439,18 +135,21 @@ public class CertificateIssueForm extends Form { vars2.put("CCA", "CCA"); StringBuffer content = new StringBuffer(); - for (SubjectAlternateName SAN : SANs) { + for (SubjectAlternateName SAN : cr.getSANs()) { content.append(SAN.getType().toString().toLowerCase()); content.append(':'); content.append(SAN.getName()); content.append('\n'); } - vars2.put("CN", CN); - vars2.put("department", ou); + vars2.put("CN", cr.getName()); + if (c.getTarget() instanceof Organisation) { + vars2.put("orga", "true"); + vars2.put("department", cr.getOu()); + } vars2.put("validity", issueDate); vars2.put("emails", content.toString()); - vars2.put("hashs", new HashAlgorithms(selectedDigest)); + vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest())); vars2.put("profiles", new IterableDataset() { int i = 1; @@ -463,9 +162,9 @@ public class CertificateIssueForm extends Form { if (cp == null) { return false; } - } while ( !u.canIssue(cp)); + } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor())); - if (cp.getId() == profile.getId()) { + if (cp.getId() == cr.getProfile().getId()) { vars.put("selected", " selected"); } else { vars.put("selected", ""); @@ -475,27 +174,6 @@ public class CertificateIssueForm extends Form { return true; } }); - final List orgs = u.getOrganisations(); - vars2.put("orga", orgs.size() == 0 ? null : new IterableDataset() { - - Iterator iter = orgs.iterator(); - - @Override - public boolean next(Language l, Map vars) { - if ( !iter.hasNext()) { - return false; - } - Organisation orga = iter.next(); - vars.put("key", orga.getId()); - vars.put("name", orga.getName()); - if (orga == org) { - vars.put("selected", " selected"); - } else { - vars.put("selected", ""); - } - return true; - } - }); t.output(out, l, vars2); }