Implement serial based retrival and certificate access control.

diff --git a/src/org/cacert/gigi/Certificate.java b/src/org/cacert/gigi/Certificate.java
index 9d6d5d8d39f30a1fb36c04aa9fa377454749b5ed..a9d1288283d639babe52d97f0789bf7980854333 100644 (file)
--- a/src/org/cacert/gigi/Certificate.java
+++ b/src/org/cacert/gigi/Certificate.java
@@ -17,6 +17,7 @@ import org.cacert.gigi.util.KeyStorage;
 
 public class Certificate {
        private int id;
 
 public class Certificate {
        private int id;

+       private int ownerId;

        private int serial;
        private String dn;
        private String md;
        private int serial;
        private String dn;
        private String md;


@@ -24,7 +25,8 @@ public class Certificate {
        private String crtName;
        private String csr = null;
 
        private String crtName;
        private String csr = null;
 

-       public Certificate(String dn, String md, String csr) {
+       public Certificate(int ownerId, String dn, String md, String csr) {
+               this.ownerId = ownerId;

                this.dn = dn;
                this.md = md;
                this.csr = csr;
                this.dn = dn;
                this.md = md;
                this.csr = csr;


@@ -33,17 +35,19 @@ public class Certificate {
        public Certificate(int id) {
                try {
                        PreparedStatement ps = DatabaseConnection.getInstance().prepare(
        public Certificate(int id) {
                try {
                        PreparedStatement ps = DatabaseConnection.getInstance().prepare(

-                               "SELECT subject, md, csr_name, crt_name FROM `emailcerts` WHERE id=?");
+                               "SELECT id,subject, md, csr_name, crt_name,memid FROM `emailcerts` WHERE serial=?");

                        ps.setInt(1, id);
                        ResultSet rs = ps.executeQuery();
                        if (!rs.next()) {
                                throw new IllegalArgumentException("Invalid mid " + id);
                        }
                        ps.setInt(1, id);
                        ResultSet rs = ps.executeQuery();
                        if (!rs.next()) {
                                throw new IllegalArgumentException("Invalid mid " + id);
                        }

-                       this.id = id;
-                       dn = rs.getString(1);
-                       md = rs.getString(2);
-                       csrName = rs.getString(3);
-                       crtName = rs.getString(4);
+                       this.id = rs.getInt(1);
+                       dn = rs.getString(2);
+                       md = rs.getString(3);
+                       csrName = rs.getString(4);
+                       crtName = rs.getString(5);
+                       ownerId = rs.getInt(6);
+                       serial = id;

                        rs.close();
                } catch (SQLException e) {
                        e.printStackTrace();
                        rs.close();
                } catch (SQLException e) {
                        e.printStackTrace();


@@ -135,9 +139,10 @@ public class Certificate {
                                throw new IllegalStateException();
                        }
                        PreparedStatement inserter = DatabaseConnection.getInstance().prepare(
                                throw new IllegalStateException();
                        }
                        PreparedStatement inserter = DatabaseConnection.getInstance().prepare(

-                               "INSERT INTO emailcerts SET md=?, subject=?, coll_found=0, crt_name=''");
+                               "INSERT INTO emailcerts SET md=?, subject=?, coll_found=0, crt_name='', memid=?");

                        inserter.setString(1, md);
                        inserter.setString(2, dn);
                        inserter.setString(1, md);
                        inserter.setString(2, dn);

+                       inserter.setInt(3, ownerId);

                        inserter.execute();
                        id = DatabaseConnection.lastInsertId(inserter);
                        File csrFile = KeyStorage.locateCsr(id);
                        inserter.execute();
                        id = DatabaseConnection.lastInsertId(inserter);
                        File csrFile = KeyStorage.locateCsr(id);


@@ -222,4 +227,8 @@ public class Certificate {
                return md;
        }
 
                return md;
        }
 

+       public int getOwnerId() {
+               return ownerId;
+       }
+

 }
 }

diff --git a/src/org/cacert/gigi/pages/account/MailCertificateAdd.java b/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
index f01b8f0c79dad505fa6b88b8160cba6737ebbfe4..836f48c4f13c1ff1e035ff5a9f7accb4d20ee1e8 100644 (file)
--- a/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
+++ b/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
@@ -10,6 +10,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.Certificate;
 import org.cacert.gigi.output.ClientCSRGenerate;
 
 import org.cacert.gigi.Certificate;
 import org.cacert.gigi.output.ClientCSRGenerate;

+import org.cacert.gigi.pages.LoginPage;

 import org.cacert.gigi.pages.Page;
 
 public class MailCertificateAdd extends Page {
 import org.cacert.gigi.pages.Page;
 
 public class MailCertificateAdd extends Page {


@@ -38,11 +39,11 @@ public class MailCertificateAdd extends Page {
                        // Error.
                        return;
                }
                        // Error.
                        return;
                }

-               Certificate c = new Certificate("/commonName=CAcert WoT User", "sha256", csr);
+               Certificate c = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", "sha256", csr);

                c.issue();
                try {
                        c.waitFor(60000);
                c.issue();
                try {
                        c.waitFor(60000);

-                       resp.sendRedirect(MailCertificates.PATH + "/" + c.getId());
+                       resp.sendRedirect(MailCertificates.PATH + "/" + c.getSerial());

                } catch (SQLException e) {
                        e.printStackTrace();
                } catch (InterruptedException e) {
                } catch (SQLException e) {
                        e.printStackTrace();
                } catch (InterruptedException e) {

diff --git a/src/org/cacert/gigi/pages/account/MailCertificates.java b/src/org/cacert/gigi/pages/account/MailCertificates.java
index 72a14a312b94bf5e41773c17f61ef353c6116434..2fa6ac097e249b35628bf23312c2f5c5302ecdaf 100644 (file)
--- a/src/org/cacert/gigi/pages/account/MailCertificates.java
+++ b/src/org/cacert/gigi/pages/account/MailCertificates.java
@@ -34,7 +34,10 @@ public class MailCertificates extends Page {
                        pi = pi.substring(1);
                        int id = Integer.parseInt(pi);
                        Certificate c = new Certificate(id);
                        pi = pi.substring(1);
                        int id = Integer.parseInt(pi);
                        Certificate c = new Certificate(id);

-                       // TODO check ownership
+                       if (LoginPage.getUser(req).getId() != c.getOwnerId()) {
+                               out.println(translate(req, "You do not own this certificate."));
+                               return;
+                       }

                        out.println("<pre>");
                        try {
                                out.print(c.cert());
                        out.println("<pre>");
                        try {
                                out.print(c.cert());