X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;h=bae43d589e6fae2dab514b3b925872e6289856cf;hp=e8a53df03449e6e07fcb6d5e1b51820927220872;hb=15c3594cf26458503691dc1993bdd6b414cf83c6;hpb=41a647e1c20b5182928e9d2178693aa943e56146
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index e8a53df0..bae43d58 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -7,7 +7,6 @@ import java.security.PublicKey;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -15,8 +14,6 @@ import java.util.LinkedHashSet;
 import java.util.Set;
 import java.util.TreeSet;
-import javax.servlet.http.HttpServletRequest;
-
 import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.crypto.SPKAC;
 import org.cacert.gigi.dbObjects.Certificate;
@@ -27,12 +24,15 @@ import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
 import org.cacert.gigi.dbObjects.Digest;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.output.template.Scope;
 import org.cacert.gigi.output.template.SprintfCommand;
 import org.cacert.gigi.util.AuthorizationContext;
+import org.cacert.gigi.util.CAA;
+import org.cacert.gigi.util.DomainAssessment;
 import org.cacert.gigi.util.PEM;
+import org.cacert.gigi.util.RateLimit;
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.pkcs10.PKCS10;
@@ -298,7 +298,7 @@ public class CertificateRequest {
 return profile;
 }
- public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr, PrintWriter out, HttpServletRequest req) throws GigiApiException {
+ public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr) throws GigiApiException {
 GigiApiException error = new GigiApiException();
 this.name = nameIn;
 if (hashAlg != null) {
@@ -315,7 +315,7 @@ public class CertificateRequest {
 throw error;
 }
- verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget());
+ verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget(), ctx.getActor());
 if ( !error.isEmpty()) {
 throw error;
@@ -323,7 +323,7 @@ public class CertificateRequest {
 return true;
 }
- private void verifySANs(GigiApiException error, CertificateProfile p, Set sANs2, CertificateOwner owner) {
+ private void verifySANs(GigiApiException error, CertificateProfile p, Set sANs2, CertificateOwner owner, User user) {
 Set filteredSANs = new LinkedHashSet<>();
 PropertyTemplate domainTemp = p.getTemplates().get("domain");
 PropertyTemplate emailTemp = p.getTemplates().get("email");
@@ -332,7 +332,14 @@ public class CertificateRequest {
 for (SubjectAlternateName san : sANs2) {
 if (san.getType() == SANType.DNS) {
 if (domainTemp != null && owner.isValidDomain(san.getName())) {
- if (pDNS != null && !domainTemp.isMultiple()) {
+ boolean valid;
+ try {
+ DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
+ valid = true;
+ } catch (GigiApiException e) {
+ valid = false;
+ }
+ if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
 // remove
 } else {
 if (pDNS == null) {
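Review bot: The new `User user` parameter of verifySANs (hunk `@@ -323`) is undocumented, and both call sites pass `ctx.getActor()` while `owner` is `ctx.getTarget()`, so the CODESIGNING group test in the following hunk is made against the acting user rather than the certificate owner. If that is the intent, record it at the signature, for example `// user: the acting user; its CODESIGNING membership (not the owner's) is passed to the domain assessment`. The hunk does not show whether `ctx.getActor()` can be null here, so that may also be worth stating. The body of verifySANs continues outside this hunk.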
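Review bot: The catch block added in the `@@ -332` hunk discards the GigiApiException thrown by `DomainAssessment.checkCertifiableDomain`, so the requester only ever sees the generic "has been removed" message and the specific reason for the rejection is lost. Merging it into the collected error keeps the reason: `} catch (GigiApiException e) { error.mergeInto(e); valid = false; }`. The assessment and `CAA.verifyDomainAccess` also run before the cheap `pDNS != null && !domainTemp.isMultiple()` test; if the CAA check performs DNS lookups (not visible here), testing the cheap condition first avoids that work for SANs that are dropped anyway. The enclosing loop starts and ends outside the hunk.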
@@ -355,10 +362,8 @@ public class CertificateRequest {
 }
 }
 }
- HashMap vars = new HashMap<>();
- vars.put("SAN", san.getType().toString().toLowerCase() + ":" + san.getName());
- error.mergeInto(new GigiApiException(new Scope(new SprintfCommand(//
- "The requested Subject alternate name \"{0}\" has been removed.", Arrays.asList("${SAN}")), vars)));
+ error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+ "The requested subject alternate name (SAN) \"{0}\" has been removed.", san.getType().toString().toLowerCase() + ":" + san.getName())));
 }
 SANs = filteredSANs;
 }
@@ -373,7 +378,7 @@ public class CertificateRequest {
 PropertyTemplate emailTemp = profile.getTemplates().get("email");
 PropertyTemplate nameTemp = profile.getTemplates().get("name");
 PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
- verifySANs(error, profile, SANs, ctx.getTarget());
+ verifySANs(error, profile, SANs, ctx.getTarget(), ctx.getActor());
 // Ok, let's determine the CN
 // the CN is
@@ -430,7 +435,10 @@ public class CertificateRequest {
 throw error;
 }
 try {
- return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest.toString(), //
+ if (RATE_LIMIT.isLimitExceeded(Integer.toString(ctx.getActor().getId()))) {
+ throw new GigiApiException("Rate Limit Exceeded");
+ }
+ return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest, //
 this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
 } catch (IOException e) {
 e.printStackTrace();
@@ -438,6 +446,9 @@ public class CertificateRequest {
 return null;
 }
+ // 100 per 10 minutes
+ public static final RateLimit RATE_LIMIT = new RateLimit(100, 10 * 60 * 1000);
+
 private String verifyName(GigiApiException error, PropertyTemplate nameTemp, PropertyTemplate wotUserTemp, String verifiedCN) {
 // real names,
 // possible configurations: name {y,null,?}, name=WoTUser {y,null}
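Review bot: The SAN text placed into the removal message in the `@@ -355` hunk comes from the request (`parseSANBox(SANsStr)` in update) and is now handed to `SprintfCommand.createSimple` as a plain argument; the diff does not show whether createSimple escapes its arguments when the message is rendered. That contract should be confirmed and written down at the call, for example `// SAN name is user-supplied; createSimple must escape it on output`. The enclosing loop and method begin outside this hunk.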
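Review bot: The rate-limit test in the `@@ -430` hunk sits directly before `new Certificate(...)`, which appears to be after the `verifySANs` call and the rest of the validation in the same method, so an actor who is already over the limit still triggers the per-SAN domain and CAA checks on every request, and `update()` calls verifySANs with no limit at all. Moving `if (RATE_LIMIT.isLimitExceeded(...))` to the top of the method, before any validation, would make the limit cover that work too; the method start is outside this hunk. Whether attempts that fail later count against the limit depends on `isLimitExceeded`, which is not shown. The message `"Rate Limit Exceeded"` is also terser than the full-sentence messages used elsewhere in the file.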
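Review bot: The comment `// 100 per 10 minutes` on RATE_LIMIT (hunk `@@ -438`) does not say what is counted or per which key; judging by its use it is keyed by the actor id, so `// at most 100 certificate requests per acting user (keyed by user id) per 10 minutes` would be clearer. The field is `public static`, which lets any class call into the same limiter; if it is public only for tests, say so in the comment, otherwise `private` is the narrower choice.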
@@ -486,7 +497,7 @@ public class CertificateRequest {
 if (nullIsOK) {
 name = "";
 } else if (realIsOK) {
- name = u.getName().toString();
+ name = u.getPreferredName().toString();
 }
 }
 } else if (name == null || name.equals("")) {
@@ -497,7 +508,7 @@ public class CertificateRequest {
 if (defaultIsOK) {
 name = DEFAULT_CN;
 } else if (realIsOK) {
- name = u.getName().toString();
+ name = u.getPreferredName().toString();
 }
 }
 } else {
@@ -530,12 +541,12 @@ public class CertificateRequest {
 verifiedCN = name;
 } else {
 if (nameTemp.isRequired()) {
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account, because a name is required for this certificate type."));
 } else if (name.equals(DEFAULT_CN)) {
 verifiedCN = DEFAULT_CN;
 } else {
 name = DEFAULT_CN;
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account or keep the default name."));
 }
 }
 } else {