try {
DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
valid = true;
+ if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
+ // remove
+ } else {
+ if (pDNS == null) {
+ pDNS = san.getName();
+ }
+ filteredSANs.add(san);
+ continue;
+ }
} catch (GigiApiException e) {
+ error.mergeInto(e);
valid = false;
}
- if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
- // remove
- } else {
- if (pDNS == null) {
- pDNS = san.getName();
- }
- filteredSANs.add(san);
- continue;
- }
}
} else if (san.getType() == SANType.EMAIL) {
if (emailTemp != null && owner.isValidEmail(san.getName())) {
import javax.naming.NamingException;
+import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.CertificateProfile;
+import org.cacert.gigi.output.template.SprintfCommand;
public class CAA {
}
}
- public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) {
+ public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) throws GigiApiException {
try {
if (name.startsWith("*.")) {
return verifyDomainAccess(owner, p, name.substring(2), true);
}
return verifyDomainAccess(owner, p, name, false);
} catch (NamingException e) {
- return false;
+ throw new GigiApiException(SprintfCommand.createSimple("Internal Name Server/Resolution Error: {0}", e.getMessage()));
}
}
private static CAARecord[] getEffectiveCAARecords(String name) throws NamingException {
CAARecord[] caa = DNSUtil.getCAAEntries(name);
+ String publicSuffix = PublicSuffixes.getInstance().getRegistrablePart(name);
// TODO missing alias processing
while (caa.length == 0 && name.contains(".")) {
name = name.split("\\.", 2)[1];
caa = DNSUtil.getCAAEntries(name);
+ if (name.equals(publicSuffix)) {
+ return caa;
+ }
}
return caa;
}
projects / gigi.git / commitdiff