X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2Fcerts%2FCertificateRequest.java;h=bae43d589e6fae2dab514b3b925872e6289856cf;hp=eba64f17a484a8dff96078cadd496e5f03a15057;hb=15c3594cf26458503691dc1993bdd6b414cf83c6;hpb=07f74d10bddc819f4524e2e0c1a2815eb4e7ec79

diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index eba64f17..bae43d58 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -7,7 +7,6 @@ import java.security.PublicKey;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -15,8 +14,6 @@ import java.util.LinkedHashSet;
 import java.util.Set;
 import java.util.TreeSet;
 
-import javax.servlet.http.HttpServletRequest;
-
 import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.crypto.SPKAC;
 import org.cacert.gigi.dbObjects.Certificate;
@@ -27,11 +24,13 @@ import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
 import org.cacert.gigi.dbObjects.Digest;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.output.template.Scope;
 import org.cacert.gigi.output.template.SprintfCommand;
 import org.cacert.gigi.util.AuthorizationContext;
+import org.cacert.gigi.util.CAA;
+import org.cacert.gigi.util.DomainAssessment;
 import org.cacert.gigi.util.PEM;
 import org.cacert.gigi.util.RateLimit;
 
@@ -299,7 +298,7 @@ public class CertificateRequest {
         return profile;
     }
 
-    public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr, PrintWriter out, HttpServletRequest req) throws GigiApiException {
+    public synchronized boolean update(String nameIn, String hashAlg, String profileStr, String newOrgStr, String ou, String SANsStr) throws GigiApiException {
         GigiApiException error = new GigiApiException();
         this.name = nameIn;
         if (hashAlg != null) {
@@ -316,7 +315,7 @@ public class CertificateRequest {
             throw error;
         }
 
-        verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget());
+        verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget(), ctx.getActor());
 
         if ( !error.isEmpty()) {
             throw error;
@@ -324,7 +323,7 @@ public class CertificateRequest {
         return true;
     }
 
-    private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner) {
+    private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner, User user) {
         Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
         PropertyTemplate domainTemp = p.getTemplates().get("domain");
         PropertyTemplate emailTemp = p.getTemplates().get("email");
@@ -333,7 +332,14 @@ public class CertificateRequest {
         for (SubjectAlternateName san : sANs2) {
             if (san.getType() == SANType.DNS) {
                 if (domainTemp != null && owner.isValidDomain(san.getName())) {
-                    if (pDNS != null && !domainTemp.isMultiple()) {
+                    boolean valid;
+                    try {
+                        DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
+                        valid = true;
+                    } catch (GigiApiException e) {
+                        valid = false;
+                    }
+                    if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
                         // remove
                     } else {
                         if (pDNS == null) {
@@ -356,10 +362,8 @@ public class CertificateRequest {
                     }
                 }
             }
-            HashMap<String, Object> vars = new HashMap<>();
-            vars.put("SAN", san.getType().toString().toLowerCase() + ":" + san.getName());
-            error.mergeInto(new GigiApiException(new Scope(new SprintfCommand(//
-                    "The requested Subject alternate name \"{0}\" has been removed.", Arrays.asList("${SAN}")), vars)));
+            error.mergeInto(new GigiApiException(SprintfCommand.createSimple(//
+                    "The requested subject alternate name (SAN) \"{0}\" has been removed.", san.getType().toString().toLowerCase() + ":" + san.getName())));
         }
         SANs = filteredSANs;
     }
@@ -374,7 +378,7 @@ public class CertificateRequest {
         PropertyTemplate emailTemp = profile.getTemplates().get("email");
         PropertyTemplate nameTemp = profile.getTemplates().get("name");
         PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
-        verifySANs(error, profile, SANs, ctx.getTarget());
+        verifySANs(error, profile, SANs, ctx.getTarget(), ctx.getActor());
 
         // Ok, let's determine the CN
         // the CN is
@@ -493,7 +497,7 @@ public class CertificateRequest {
                     if (nullIsOK) {
                         name = "";
                     } else if (realIsOK) {
-                        name = u.getName().toString();
+                        name = u.getPreferredName().toString();
                     }
                 }
             } else if (name == null || name.equals("")) {
@@ -504,7 +508,7 @@ public class CertificateRequest {
                     if (defaultIsOK) {
                         name = DEFAULT_CN;
                     } else if (realIsOK) {
-                        name = u.getName().toString();
+                        name = u.getPreferredName().toString();
                     }
                 }
             } else {
@@ -537,12 +541,12 @@ public class CertificateRequest {
                         verifiedCN = name;
                     } else {
                         if (nameTemp.isRequired()) {
-                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
+                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account, because a name is required for this certificate type."));
                         } else if (name.equals(DEFAULT_CN)) {
                             verifiedCN = DEFAULT_CN;
                         } else {
                             name = DEFAULT_CN;
-                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been verified in your account or keep the default name."));
                         }
                     }
                 } else {