if (string.equals("")) {
continue;
}
+ if ((string.contains("profiles") || string.contains("cacerts")) && type != ImportType.PRODUCTION) {
+ continue;
+ }
if (m.matches() && type == ImportType.TRUNCATE) {
String sql2 = "TRUNCATE `" + m.group(1) + "`";
stmt.addBatch(sql2);
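Review bot: The filter added at L4 decides by substring, so any import statement whose text merely mentions `profiles` or `cacerts` (a foreign-key reference or join inside another table's DDL, for example) is silently dropped from non-production imports as well. If the matcher `m` used by the TRUNCATE branch below already captures the table name, matching on that is tighter: `if (m.matches() && (m.group(1).equals("profiles") || m.group(1).equals("cacerts")) && type != ImportType.PRODUCTION) { continue; }`. A one-line comment stating why these two tables are only imported in production mode would help, since the intent is not visible from the condition. The enclosing loop starts and ends outside the hunk.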
CREATE TABLE `cacerts` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`keyname` varchar(60) NOT NULL,
+ `link` varchar(160) NOT NULL,
`parentRoot` int(3) NOT NULL,
`validFrom` datetime NULL DEFAULT NULL,
`validTo` datetime NULL DEFAULT NULL,
crtName = rs.getString(1);
serial = rs.getString(4);
- ca = CACertificate.getById(rs.getInt("caid"));
if (rs.getTimestamp(2) == null) {
return CertificateStatus.DRAFT;
}
+ ca = CACertificate.getById(rs.getInt("caid"));
if (rs.getTimestamp(2) != null && rs.getTimestamp(3) == null) {
return CertificateStatus.ISSUED;
}
private String pDNS, pMail;
public CertificateRequest(User issuer, String csr) throws IOException, GeneralSecurityException, GigiApiException {
+ this(issuer, csr, (CertificateProfile) null);
+ }
+
+ public CertificateRequest(User issuer, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
u = issuer;
+ if (cp != null) {
+ profile = cp;
+ } else if (u.getAssurancePoints() > 50) {
+ profile = CertificateProfile.getByName("client-a");
+ }
byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
PKCS10 parsed = new PKCS10(data);
PKCS10Attributes atts = parsed.getAttributes();
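Review bot: The threshold in the new constructor at L36 is `> 50` while the appendix logic added in the next hunk at L46 uses `>= 50`, so a user with exactly 50 assurance points gets no profile from this branch yet still gets the "-a" variants from the EKU scan; the two should share one comparison, e.g. `} else if (u.getAssurancePoints() >= 50) {`, ideally through a named constant. The `throws` clause at L32 lists `IOException` twice. When `cp` is null and the points check fails, `profile` is left unassigned here; presumably it is filled in from the CSR's extended key usage later, and a short comment on the constructor stating that ordering would make the contract clear. The constructor body continues past the hunk.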
}
} else if (c instanceof ExtendedKeyUsageExtension) {
ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
+ String appendix = "";
+ if (u.getAssurancePoints() >= 50) {
+ appendix = "-a";
+ }
for (String s : ekue.getExtendedKeyUsage()) {
if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) {
// server
- profile = CertificateProfile.getByName("server");
+ profile = CertificateProfile.getByName("server" + appendix);
} else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) {
// client
- profile = CertificateProfile.getByName("client");
+ profile = CertificateProfile.getByName("client" + appendix);
} else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) {
// code sign
} else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) {
// emailProtection
- profile = CertificateProfile.getByName("mail");
+ profile = CertificateProfile.getByName("mail" + appendix);
} else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) {
// timestamp
} else if (s.equals(OID_KEY_USAGE_OCSP.toString())) {
PropertyTemplate emailTemp = profile.getTemplates().get("email");
PropertyTemplate nameTemp = profile.getTemplates().get("name");
PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
+ verifySANs(error, profile, SANs, org != null ? org : u);
// Ok, let's determine the CN
// the CN is
// null y -> default
// null null -> null
// ? y -> real, default
- // ? null -> real, null
+ // ? null -> real, default, null
boolean realIsOK = false;
boolean nullIsOK = false;
boolean defaultIsOK = false;
nullIsOK = !defaultIsOK;
} else if (nameTemp != null && !nameTemp.isRequired() && !nameTemp.isMultiple()) {
realIsOK = true;
- defaultIsOK = wotUserTemp != null;
- nullIsOK = !defaultIsOK;
+ defaultIsOK = true;
+ nullIsOK = wotUserTemp == null;
} else {
error.mergeInto(new GigiApiException("Internal configuration error detected."));
}
- if (u.isValidName(name)) {
+ if (name != null && u.isValidName(name)) {
if (realIsOK) {
verifiedCN = name;
} else {
name = "";
}
}
- } else if (name.equals(DEFAULT_CN)) {
+ } else if (name != null && name.equals(DEFAULT_CN)) {
if (defaultIsOK) {
verifiedCN = name;
} else {
name = u.getName().toString();
}
}
- } else if (name.equals("")) {
+ } else if (name == null || name.equals("")) {
if (nullIsOK) {
- verifiedCN = name;
+ verifiedCN = "";
} else {
error.mergeInto(new GigiApiException("A name is required in this certificate."));
if (defaultIsOK) {
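Review bot: The guards added at L92, L100 and L108 repeat the same null test, and `name.equals("")` at L108 reads more naturally as `name == null || name.isEmpty()`. Because `name` is checked for null three times in the chain, a comment above it stating which input path can leave `name` null would explain why the checks are needed rather than a single normalisation. The enclosing method starts and ends outside the hunk.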
import static org.junit.Assert.*;
+import java.io.IOException;
+
+import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.testUtils.ManagedTest;
public class TestOrga extends ManagedTest {
@Test
- public void testAddRm() throws GigiApiException {
- User u1 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u3 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u4 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ public void testAddRm() throws GigiApiException, IOException {
+ User u1 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u1.grantGroup(u1, Group.ORGASSURER);
+ User u2 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u2.grantGroup(u1, Group.ORGASSURER);
+ User u3 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u3.grantGroup(u1, Group.ORGASSURER);
+ User u4 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u4.grantGroup(u1, Group.ORGASSURER);
Organisation o1 = new Organisation("name", "ST", "prov", "city", "email", u1);
assertEquals(0, o1.getAllAdmins().size());
o1.addAdmin(u2, u1, false);
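Review bot: `u1.grantGroup(u1, Group.ORGASSURER)` at L131 has the grantee acting as its own granter; if `grantGroup` is meant to record or verify who authorised the grant, the test silently depends on that check not existing. A comment explaining why a self-grant is acceptable in this fixture, or granting from a separately created privileged user, would make the setup explicit. The four near-identical create-and-grant pairs at L130-L137 could also be folded into a small helper in the test class.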
int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
String cookie = login(mail, TEST_PASSWORD);
KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=felix@dogcraft.de");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ String csr = generatePEMCSR(kp, "CN=hans");
+ Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
c.issue(null, "2y").waitFor(60000);
final X509Certificate ce = c.cert();
String mail = "thisgo" + createUniqueName() + "@example.com";
int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=felix@dogcraft.de");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
- Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ String csr = generatePEMCSR(kp, "CN=hans");
+ Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
Job j1 = c.issue(null, "2y");
c2.issue(null, "2y").waitFor(60000);
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
-import java.util.Collection;
import org.cacert.gigi.dbObjects.Certificate;
import org.cacert.gigi.dbObjects.Certificate.CSRType;
@Test
public void testIssueCert() throws Exception {
KeyPair kp = generateKeypair();
- String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+ String key1 = generatePEMCSR(kp, "EMAIL=testmail@example.com");
+ Certificate c = new Certificate(u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
c.issue(null, "2y").waitFor(60000);
final X509Certificate ce = c.cert();
authenticateClientCert(pk, ce, connection);
connection.setDoOutput(true);
OutputStream os = connection.getOutputStream();
- os.write(("csr=" + URLEncoder.encode(generatePEMCSR(kp, "CN=a b"), "UTF-8")).getBytes("UTF-8"));
+ os.write(("profile=client&csr=" + URLEncoder.encode(generatePEMCSR(kp, "EMAIL=" + email + ",CN=CAcert WoT User"), "UTF-8")).getBytes("UTF-8"));
os.flush();
assertEquals(connection.getResponseCode(), 200);
String cert = IOUtils.readURL(new InputStreamReader(connection.getInputStream(), "UTF-8"));
CertificateFactory cf = CertificateFactory.getInstance("X509");
- Collection<? extends java.security.cert.Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(cert.getBytes("UTF-8")));
- assertEquals("a b", ((X500Name) ((X509Certificate) certs.iterator().next()).getSubjectDN()).getCommonName());
+ java.security.cert.Certificate xcert = cf.generateCertificate(new ByteArrayInputStream(cert.getBytes("UTF-8")));
+ assertEquals("CAcert WoT User", ((X500Name) ((X509Certificate) xcert).getSubjectDN()).getCommonName());
}
}
huc.setDoOutput(true);
OutputStream out = huc.getOutputStream();
out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
- out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+ out.write(("&CN=CAcert+WoT+User&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
out.write(("&hash_alg=SHA512&CCA=y").getBytes("UTF-8"));
URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
uc = authenticate(new URL(huc.getHeaderField("Location")));
String gui = IOUtils.readURL(uc);
assertThat(gui, containsString("clientAuth"));
- assertThat(gui, containsString("CN=a b"));
+ assertThat(gui, containsString("CN=CAcert WoT User"));
assertThat(gui, containsString("SHA512withRSA"));
assertThat(gui, containsString("RFC822Name: " + email));
huc.setDoOutput(true);
OutputStream out = huc.getOutputStream();
out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
- out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+ out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
out.write(("&hash_alg=SHA512&CCA=y&").getBytes("UTF-8"));
out.write(validity.getBytes("UTF-8"));
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;
+import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.pages.account.certs.CertificateRequest;
import org.cacert.gigi.testUtils.ClientTest;
import org.junit.Test;
KeyPair kp = generateKeypair();
- public TestCertificateRequest() throws GeneralSecurityException {}
+ public TestCertificateRequest() throws GeneralSecurityException, IOException {
+ makeAssurer(u.getId());
+ grant(email, Group.CODESIGNING);
+
+ }
@Test
public void testIssuingOtherName() throws Exception {
try {
new CertificateRequest(u, generatePEMCSR(kp, "CN=hansi")).draft();
+ fail();
} catch (GigiApiException e) {
- assertThat(e.getMessage(), containsString("does not match the details"));
+ assertThat(e.getMessage(), containsString("name you entered was invalid"));
}
}
@Test
public void testIssuingDefault() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN)).draft();
+ new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
}
@Test
public void testIssuingRealName() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=a b")).draft();
+ new CertificateRequest(u, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
}
@Test
public void testIssuingModifiedName() throws Exception {
try {
new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab")).draft();
+ fail();
+ } catch (GigiApiException e) {
+ assertThat(e.getMessage(), containsString("name you entered was invalid"));
+ }
+
+ }
+
+ // TODO annotate that this depends on default config
+ @Test
+ public void testCodesignModifiedName() throws Exception {
+ try {
+ CertificateRequest cr = new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab"));
+ cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
} catch (GigiApiException e) {
assertThat(e.getMessage(), containsString("does not match the details"));
}
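Review bot: `testCodesignModifiedName` at L266-L272 has no `fail()` after `cr.update(...)`, unlike `testIssuingOtherName` (L237) and `testIssuingModifiedName` (L257), so the test also passes when the update throws nothing; add `fail();` directly after the `cr.update` line. The TODO at L264 should say which default configuration value the test depends on (the "code-a" profile name, presumably) so the annotation can actually be written. The stray blank lines at L231 and L261 before the closing braces are style noise.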
import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
import org.cacert.gigi.testUtils.ClientTest;
import org.cacert.gigi.testUtils.IOUtils;
+import org.cacert.gigi.util.ServerConstants;
import org.junit.Test;
public class TestSEAdminPageUserDomainSearch extends ClientTest {
os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
+ "process&domain=" + URLEncoder.encode(domainName, "UTF-8")).getBytes("UTF-8"));
os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
}
@Test
os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
+ "process&domain=#" + d.getId()).getBytes("UTF-8"));
os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
}
@Test
import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
import org.cacert.gigi.testUtils.ClientTest;
import org.cacert.gigi.testUtils.IOUtils;
+import org.cacert.gigi.util.ServerConstants;
import org.junit.Test;
public class TestSEAdminPageUserMailSearch extends ClientTest {
os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
+ "process&email=" + URLEncoder.encode(mail, "UTF-8")).getBytes("UTF-8"));
os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
}
@Test
os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
+ "process&email=" + URLEncoder.encode("%@example.tld", "UTF-8")).getBytes("UTF-8"));
os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
}
@Test
throw new IllegalStateException("already running");
}
running = true;
- readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, executeFrom, executeTo, rootcert FROM jobs " + //
+ readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, executeFrom, executeTo, profile FROM jobs " + //
"INNER JOIN certs ON certs.id=jobs.targetId " + //
"INNER JOIN profiles ON profiles.id=certs.profile " + //
"WHERE jobs.state='open' "//
getSANSs = DatabaseConnection.getInstance().prepare("SELECT contents, type FROM subjectAlternativeNames " + //
"WHERE certId=?");
- updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=? WHERE id=?");
+ updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=1 WHERE id=?");
warnMail = DatabaseConnection.getInstance().prepare("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
revoke = DatabaseConnection.getInstance().prepare("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.targetId=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
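Review bot: The `UPDATE` at L324 records `caid=1` for every issued certificate, while `signCertificates` chooses the signing CA by profile (the `"unassured"`/`"assured"` selection at L357-L363 in a later hunk); unless id 1 happens to be right for both, certificates signed with the assured CA are stored with the wrong issuer id, which matters wherever `caid` is later used to resolve the chain. Bind the id instead, `"UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?"`, and set it from the CA chosen at signing time, or add a comment stating that only CA id 1 exists for now.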
private static int counter = 0;
private static void signCertificates() throws SQLException {
+ System.out.println("Checking...");
GigiResultSet rs = readyCerts.executeQuery();
Calendar c = Calendar.getInstance();
c.setTimeZone(TimeZone.getTimeZone("UTC"));
while (rs.next()) {
+ System.out.println("Task");
String csrname = rs.getString("csr_name");
int id = rs.getInt("id");
System.out.println("sign: " + csrname);
CSRType ct = CSRType.valueOf(csrType);
File crt = KeyStorage.locateCrt(id);
- String keyUsage = rs.getString("keyUsage");
- String ekeyUsage = rs.getString("extendedKeyUsage");
-
Timestamp from = rs.getTimestamp("executeFrom");
String length = rs.getString("executeTo");
Date fromDate;
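Review bot: `System.out.println("Checking...")` at L329 and `"Task"` at L334 are debugging output that will be printed on every polling iteration of `signCertificates`; the subject dump at L380 and the echo of the complete command line at L387-L390 further down add the same kind of noise. Only the existing `sign:` line at L337 carries information; keep the command-line echo behind a verbosity flag if it is wanted for diagnostics, otherwise remove these additions before merging. The function starts before the hunk and continues after it.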
cfg.print(san.getString("contents"));
}
cfg.println();
- cfg.println("keyUsage=critical," + keyUsage);
- cfg.println("extendedKeyUsage=critical," + ekeyUsage);
+ // TODO look them up!
+ cfg.println("keyUsage=critical," + "digitalSignature, keyEncipherment, keyAgreement");
+ cfg.println("extendedKeyUsage=critical," + "clientAuth");
cfg.close();
- int rootcert = rs.getInt("rootcert");
+ int profile = rs.getInt("profile");
String ca = "unassured";
- if (rootcert == 0) {
+ if (profile == 1) {
ca = "unassured";
- } else if (rootcert == 1) {
+ } else if (profile != 1) {
ca = "assured";
}
HashMap<String, String> subj = new HashMap<>();
ps.setInt(1, rs.getInt("id"));
GigiResultSet rs2 = ps.executeQuery();
while (rs2.next()) {
- subj.put(rs2.getString("name"), rs2.getString("value"));
+ String name = rs2.getString("name");
+ if (name.equals("EMAIL")) {
+ name = "emailAddress";
+ }
+ subj.put(name, rs2.getString("value"));
}
if (subj.size() == 0) {
subj.put("CN", "<empty>");
System.out.println("WARNING: DN was empty");
}
+ System.out.println(subj);
String[] call;
synchronized (sdf) {
call = new String[] {
"-config",
"../selfsign.config"//
};
+ for (String string : call) {
+ System.out.print(" " + string);
+ }
+ System.out.println();
}
if (ct == CSRType.SPKAC) {
Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
int waitFor = p1.waitFor();
- if ( !f.delete()) {
- System.err.println("Could not delete SAN-File " + f.getAbsolutePath());
- }
+ /*
+ * if ( !f.delete()) {
+ * System.err.println("Could not delete SAN-File " +
+ * f.getAbsolutePath()); }
+ */
if (waitFor == 0) {
try (InputStream is = new FileInputStream(crt)) {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
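Review bot: The key usage and extended key usage written into the OpenSSL config at L352-L353 are now constants (`digitalSignature, keyEncipherment, keyAgreement` and `clientAuth`) regardless of the `profile` read at L356, whereas before they came from the per-certificate `keyUsage`/`extendedKeyUsage` columns removed at L316 and L340-L341; every certificate this signer issues therefore carries identical usage constraints, so a server-profile request is still signed with only `clientAuth` and a code-signing profile gets no `codeSigning` EKU. The `// TODO look them up!` should at least name the intended source (the `profiles` table joined at L319), and the branch at L362, `} else if (profile != 1) {`, is simply `} else {`. The SAN-file deletion at L398-L402 is commented out rather than removed, so the temporary file `f` now remains on disk after each signing run; if disabling it is deliberate for debugging, state that in the comment, otherwise drop the dead code. The enclosing method continues beyond the hunk.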