X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;fp=src%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;h=0000000000000000000000000000000000000000;hp=5edf362e4877ef2c505ca5c6636e60b91b9b0b42;hb=bccd4cc0dba0f89aa045b113bac46eb8cc1dab4e;hpb=c9ed09f0007fc2c813815be927a5a24b23dab83c diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java deleted file mode 100644 index 5edf362e..00000000 --- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java +++ /dev/null @@ -1,574 +0,0 @@ -package org.cacert.gigi.pages.account.certs; - -import java.io.IOException; -import java.io.PrintWriter; -import java.security.GeneralSecurityException; -import java.security.PublicKey; -import java.security.interfaces.DSAPublicKey; -import java.security.interfaces.ECPublicKey; -import java.security.interfaces.RSAPublicKey; -import java.util.Base64; -import java.util.HashMap; -import java.util.HashSet; -import java.util.LinkedHashSet; -import java.util.Set; -import java.util.TreeSet; - -import org.cacert.gigi.GigiApiException; -import org.cacert.gigi.crypto.SPKAC; -import org.cacert.gigi.dbObjects.Certificate; -import org.cacert.gigi.dbObjects.Certificate.CSRType; -import org.cacert.gigi.dbObjects.Certificate.SANType; -import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName; -import org.cacert.gigi.dbObjects.CertificateOwner; -import org.cacert.gigi.dbObjects.CertificateProfile; -import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate; -import org.cacert.gigi.dbObjects.Digest; -import org.cacert.gigi.dbObjects.Group; -import org.cacert.gigi.dbObjects.Organisation; -import org.cacert.gigi.dbObjects.User; -import org.cacert.gigi.output.template.SprintfCommand; -import org.cacert.gigi.util.AuthorizationContext; -import org.cacert.gigi.util.CAA; -import org.cacert.gigi.util.DomainAssessment; -import org.cacert.gigi.util.PEM; -import org.cacert.gigi.util.RateLimit; - -import sun.security.pkcs.PKCS9Attribute; -import sun.security.pkcs10.PKCS10; -import sun.security.pkcs10.PKCS10Attribute; -import sun.security.pkcs10.PKCS10Attributes; -import sun.security.util.DerInputStream; -import sun.security.util.DerValue; -import sun.security.util.ObjectIdentifier; -import sun.security.x509.AVA; -import sun.security.x509.AlgorithmId; -import sun.security.x509.CertificateExtensions; -import sun.security.x509.DNSName; -import sun.security.x509.ExtendedKeyUsageExtension; -import sun.security.x509.Extension; -import sun.security.x509.GeneralName; -import sun.security.x509.GeneralNameInterface; -import sun.security.x509.GeneralNames; -import sun.security.x509.PKIXExtensions; -import sun.security.x509.RDN; -import sun.security.x509.RFC822Name; -import sun.security.x509.SubjectAlternativeNameExtension; -import sun.security.x509.X500Name; - -public class CertificateRequest { - - public static final String DEFAULT_CN = "SomeCA User"; - - public static final ObjectIdentifier OID_KEY_USAGE_SSL_SERVER = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 1 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_SSL_CLIENT = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 2 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_CODESIGN = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 3 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_EMAIL_PROTECTION = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 4 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_TIMESTAMP = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 8 - }); - - public static final ObjectIdentifier OID_KEY_USAGE_OCSP = ObjectIdentifier.newInternal(new int[] { - 1, 3, 6, 1, 5, 5, 7, 3, 9 - }); - - private CSRType csrType; - - private final PublicKey pk; - - private String csr; - - public String name = DEFAULT_CN; - - private Set SANs; - - private Digest selectedDigest = Digest.getDefault(); - - private CertificateProfile profile = CertificateProfile.getById(1); - - private String ou = ""; - - private AuthorizationContext ctx; - - private String pDNS, pMail; - - public CertificateRequest(AuthorizationContext c, String csr) throws IOException, GeneralSecurityException, GigiApiException { - this(c, csr, (CertificateProfile) null); - } - - public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException { - this.ctx = ctx; - if (cp != null) { - profile = cp; - } else if (ctx.getActor().getAssurancePoints() > 50) { - profile = CertificateProfile.getByName("client-a"); - } - byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr); - PKCS10 parsed = new PKCS10(data); - PKCS10Attributes atts = parsed.getAttributes(); - - TreeSet SANs = new TreeSet<>(); - for (RDN r : parsed.getSubjectName().rdns()) { - for (AVA a : r.avas()) { - if (a.getObjectIdentifier().equals((Object) PKCS9Attribute.EMAIL_ADDRESS_OID)) { - SANs.add(new SubjectAlternateName(SANType.EMAIL, a.getValueString())); - } else if (a.getObjectIdentifier().equals((Object) X500Name.commonName_oid)) { - String value = a.getValueString(); - if (value.contains(".") && !value.contains(" ")) { - SANs.add(new SubjectAlternateName(SANType.DNS, value)); - } else { - name = value; - } - } else if (a.getObjectIdentifier().equals((Object) PKIXExtensions.SubjectAlternativeName_Id)) { - // TODO? parse invalid SANs - } - } - } - - for (PKCS10Attribute b : atts.getAttributes()) { - - if ( !b.getAttributeId().equals((Object) PKCS9Attribute.EXTENSION_REQUEST_OID)) { - // unknown attrib - continue; - } - - for (Extension c : ((CertificateExtensions) b.getAttributeValue()).getAllExtensions()) { - if (c instanceof SubjectAlternativeNameExtension) { - - SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension) c; - GeneralNames obj = san.get(SubjectAlternativeNameExtension.SUBJECT_NAME); - for (int i = 0; i < obj.size(); i++) { - GeneralName generalName = obj.get(i); - GeneralNameInterface peeled = generalName.getName(); - if (peeled instanceof DNSName) { - SANs.add(new SubjectAlternateName(SANType.DNS, ((DNSName) peeled).getName())); - } else if (peeled instanceof RFC822Name) { - SANs.add(new SubjectAlternateName(SANType.EMAIL, ((RFC822Name) peeled).getName())); - } - } - } else if (c instanceof ExtendedKeyUsageExtension) { - ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c; - String appendix = ""; - if (ctx.getActor().getAssurancePoints() >= 50) { - appendix = "-a"; - } - for (String s : ekue.getExtendedKeyUsage()) { - if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) { - // server - profile = CertificateProfile.getByName("server" + appendix); - } else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) { - // client - profile = CertificateProfile.getByName("client" + appendix); - } else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) { - // code sign - } else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) { - // emailProtection - profile = CertificateProfile.getByName("mail" + appendix); - } else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) { - // timestamp - } else if (s.equals(OID_KEY_USAGE_OCSP.toString())) { - // OCSP - } - } - } else { - // Unknown requested extension - } - } - - } - this.SANs = SANs; - pk = parsed.getSubjectPublicKeyInfo(); - String sign = getSignatureAlgorithm(data); - guessDigest(sign); - - this.csr = csr; - this.csrType = CSRType.CSR; - } - - public CertificateRequest(AuthorizationContext ctx, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException { - this.ctx = ctx; - String cleanedSPKAC = spkac.replaceAll("[\r\n]", ""); - byte[] data = Base64.getDecoder().decode(cleanedSPKAC); - SPKAC parsed = new SPKAC(data); - if ( !parsed.getChallenge().equals(spkacChallenge)) { - throw new GigiApiException("Challenge mismatch"); - } - pk = parsed.getPubkey(); - String sign = getSignatureAlgorithm(data); - guessDigest(sign); - this.SANs = new HashSet<>(); - this.csr = "SPKAC=" + cleanedSPKAC; - this.csrType = CSRType.SPKAC; - - } - - private static String getSignatureAlgorithm(byte[] data) throws IOException { - DerInputStream in = new DerInputStream(data); - DerValue[] seq = in.getSequence(3); - return AlgorithmId.parse(seq[1]).getName(); - } - - private void guessDigest(String sign) { - if (sign.toLowerCase().startsWith("sha512")) { - selectedDigest = Digest.SHA512; - } else if (sign.toLowerCase().startsWith("sha384")) { - selectedDigest = Digest.SHA384; - } else if (sign.toLowerCase().startsWith("sha256")) { - selectedDigest = Digest.SHA256; - } - } - - public void checkKeyStrength(PrintWriter out) { - out.println("Type: " + pk.getAlgorithm() + "
"); - if (pk instanceof RSAPublicKey) { - out.println("Exponent: " + ((RSAPublicKey) pk).getPublicExponent() + "
"); - out.println("Length: " + ((RSAPublicKey) pk).getModulus().bitLength()); - } else if (pk instanceof DSAPublicKey) { - DSAPublicKey dpk = (DSAPublicKey) pk; - out.println("Length: " + dpk.getY().bitLength() + "
"); - out.println(dpk.getParams()); - } else if (pk instanceof ECPublicKey) { - ECPublicKey epk = (ECPublicKey) pk; - out.println("Length-x: " + epk.getW().getAffineX().bitLength() + "
"); - out.println("Length-y: " + epk.getW().getAffineY().bitLength() + "
"); - out.println(epk.getParams().getCurve()); - } - } - - private Set parseSANBox(String SANs) { - String[] SANparts = SANs.split("[\r\n]+|, *"); - Set parsedNames = new LinkedHashSet<>(); - for (String SANline : SANparts) { - String[] parts = SANline.split(":", 2); - if (parts.length == 1) { - if (parts[0].trim().equals("")) { - continue; - } - if (parts[0].contains("@")) { - parsedNames.add(new SubjectAlternateName(SANType.EMAIL, parts[0])); - } else { - parsedNames.add(new SubjectAlternateName(SANType.DNS, parts[0])); - } - continue; - } - try { - SANType t = Certificate.SANType.valueOf(parts[0].toUpperCase().trim()); - if (t == null) { - continue; - } - parsedNames.add(new SubjectAlternateName(t, parts[1].trim())); - } catch (IllegalArgumentException e) { - // invalid enum type - continue; - } - } - return parsedNames; - } - - public Set getSANs() { - return SANs; - } - - public String getName() { - return name; - } - - public synchronized String getOu() { - if (ctx.getTarget() instanceof Organisation) { - return ou; - } - throw new IllegalStateException(); - } - - public Digest getSelectedDigest() { - return selectedDigest; - } - - public CertificateProfile getProfile() { - return profile; - } - - public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr) throws GigiApiException { - GigiApiException error = new GigiApiException(); - this.name = nameIn; - if (hashAlg != null) { - selectedDigest = Digest.valueOf(hashAlg); - } - this.profile = CertificateProfile.getByName(profileStr); - if (ctx.getTarget() instanceof Organisation) { - this.ou = ou; - } - - if ( !this.profile.canBeIssuedBy(ctx.getTarget(), ctx.getActor())) { - this.profile = CertificateProfile.getById(1); - error.mergeInto(new GigiApiException("Certificate Profile is invalid.")); - throw error; - } - - verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget(), ctx.getActor()); - - if ( !error.isEmpty()) { - throw error; - } - return true; - } - - private void verifySANs(GigiApiException error, CertificateProfile p, Set sANs2, CertificateOwner owner, User user) { - Set filteredSANs = new LinkedHashSet<>(); - PropertyTemplate domainTemp = p.getTemplates().get("domain"); - PropertyTemplate emailTemp = p.getTemplates().get("email"); - pDNS = null; - pMail = null; - for (SubjectAlternateName san : sANs2) { - if (san.getType() == SANType.DNS) { - if (domainTemp != null && owner.isValidDomain(san.getName())) { - boolean valid; - try { - DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false); - valid = true; - if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) { - // remove - } else { - if (pDNS == null) { - pDNS = san.getName(); - } - filteredSANs.add(san); - continue; - } - } catch (GigiApiException e) { - error.mergeInto(e); - valid = false; - } - } - } else if (san.getType() == SANType.EMAIL) { - if (emailTemp != null && owner.isValidEmail(san.getName())) { - if (pMail != null && !emailTemp.isMultiple()) { - // remove - } else { - if (pMail == null) { - pMail = san.getName(); - } - filteredSANs.add(san); - continue; - } - } - } - error.mergeInto(new GigiApiException(SprintfCommand.createSimple(// - "The requested subject alternate name (SAN) \"{0}\" has been removed.", san.getType().toString().toLowerCase() + ":" + san.getName()))); - } - SANs = filteredSANs; - } - - // domain email name name=WoTUser orga - public synchronized Certificate draft() throws GigiApiException { - - GigiApiException error = new GigiApiException(); - - HashMap subject = new HashMap<>(); - PropertyTemplate domainTemp = profile.getTemplates().get("domain"); - PropertyTemplate emailTemp = profile.getTemplates().get("email"); - PropertyTemplate nameTemp = profile.getTemplates().get("name"); - PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser"); - verifySANs(error, profile, SANs, ctx.getTarget(), ctx.getActor()); - - // Ok, let's determine the CN - // the CN is - // 1. the user's "real name", iff the real name is to be included i.e. - // not empty (name), or to be forced to WOTUser - - // 2. the user's "primary domain", iff "1." doesn't match and there is a - // primary domain. (domainTemp != null) - - String verifiedCN = null; - if (ctx.getTarget() instanceof Organisation) { - if ( !name.equals("")) { - verifiedCN = name; - } - } else { - verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN); - } - if (pDNS == null && domainTemp != null && domainTemp.isRequired()) { - error.mergeInto(new GigiApiException("Server Certificates require a DNS name.")); - } else if (domainTemp != null && verifiedCN == null) { - // user may add domains - verifiedCN = pDNS; - } - if (verifiedCN != null) { - subject.put("CN", verifiedCN); - } - - if (pMail != null) { - if (emailTemp != null) { - subject.put("EMAIL", pMail); - } else { - // verify SANs should prevent this - pMail = null; - error.mergeInto(new GigiApiException("You may not include an email in this certificate.")); - } - } else { - if (emailTemp != null && emailTemp.isRequired()) { - error.mergeInto(new GigiApiException("You need to include an email in this certificate.")); - } - } - - if (ctx.getTarget() instanceof Organisation) { - Organisation org = (Organisation) ctx.getTarget(); - subject.put("O", org.getName()); - subject.put("C", org.getCountry().getCode()); - subject.put("ST", org.getProvince()); - subject.put("L", org.getCity()); - if (ou != null) { - subject.put("OU", ou); - } - } - System.out.println(subject); - if ( !error.isEmpty()) { - throw error; - } - try { - if (RATE_LIMIT.isLimitExceeded(Integer.toString(ctx.getActor().getId()))) { - throw new GigiApiException("Rate Limit Exceeded"); - } - return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest, // - this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()])); - } catch (IOException e) { - e.printStackTrace(); - } - return null; - } - - // 100 per 10 minutes - public static final RateLimit RATE_LIMIT = new RateLimit(100, 10 * 60 * 1000); - - private String verifyName(GigiApiException error, PropertyTemplate nameTemp, PropertyTemplate wotUserTemp, String verifiedCN) { - // real names, - // possible configurations: name {y,null,?}, name=WoTUser {y,null} - // semantics: - // y * -> real - // null y -> default - // null null -> null - // ? y -> real, default - // ? null -> real, default, null - boolean realIsOK = false; - boolean nullIsOK = false; - boolean defaultIsOK = false; - if (wotUserTemp != null && ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple())) { - error.mergeInto(new GigiApiException("Internal configuration error detected.")); - } - if (nameTemp != null && nameTemp.isRequired() && !nameTemp.isMultiple()) { - realIsOK = true; - } else if (nameTemp == null) { - defaultIsOK = wotUserTemp != null; - nullIsOK = !defaultIsOK; - } else if (nameTemp != null && !nameTemp.isRequired() && !nameTemp.isMultiple()) { - realIsOK = true; - defaultIsOK = true; - nullIsOK = wotUserTemp == null; - } else { - error.mergeInto(new GigiApiException("Internal configuration error detected.")); - } - if (ctx.getTarget() instanceof User) { - User u = (User) ctx.getTarget(); - if (name != null && u.isValidName(name)) { - if (realIsOK) { - verifiedCN = name; - } else { - error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate.")); - if (defaultIsOK) { - name = DEFAULT_CN; - } else if (nullIsOK) { - name = ""; - } - } - } else if (name != null && name.equals(DEFAULT_CN)) { - if (defaultIsOK) { - verifiedCN = name; - } else { - error.mergeInto(new GigiApiException("The default name is not allowed in this certificate.")); - if (nullIsOK) { - name = ""; - } else if (realIsOK) { - name = u.getPreferredName().toString(); - } - } - } else if (name == null || name.equals("")) { - if (nullIsOK) { - verifiedCN = ""; - } else { - error.mergeInto(new GigiApiException("A name is required in this certificate.")); - if (defaultIsOK) { - name = DEFAULT_CN; - } else if (realIsOK) { - name = u.getPreferredName().toString(); - } - } - } else { - error.mergeInto(new GigiApiException("The name you entered was invalid.")); - - } - if (wotUserTemp != null) { - if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) { - error.mergeInto(new GigiApiException("Internal configuration error detected.")); - } - if ( !name.equals(DEFAULT_CN)) { - name = DEFAULT_CN; - error.mergeInto(new GigiApiException("You may not change the name for this certificate type.")); - } else { - verifiedCN = DEFAULT_CN; - } - - } else { - if (nameTemp != null) { - if (name.equals("")) { - if (nameTemp.isRequired()) { - // nothing, but required - name = DEFAULT_CN; - error.mergeInto(new GigiApiException("No name entered, but one was required.")); - } else { - // nothing and not required - - } - } else if (u.isValidName(name)) { - verifiedCN = name; - } else { - if (nameTemp.isRequired()) { - error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account, because a name is required for this certificate type.")); - } else if (name.equals(DEFAULT_CN)) { - verifiedCN = DEFAULT_CN; - } else { - name = DEFAULT_CN; - error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account or keep the default name.")); - } - } - } else { - if ( !name.equals("")) { - name = ""; - error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored.")); - } - } - } - } else { - if (realIsOK) { - verifiedCN = name; - } else { - verifiedCN = ""; - name = ""; - error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored.")); - } - } - - return verifiedCN; - } -}