upd: allow signing of OCSP-Certs for internal use
authorFelix Dörre <felix@dogcraft.de>
Tue, 19 Apr 2016 09:45:16 +0000 (11:45 +0200)
committerFelix Dörre <felix@dogcraft.de>
Tue, 19 Apr 2016 12:24:47 +0000 (14:24 +0200)
- factor out checking for "own" organisation
- adding OCSP EKU to Simple Signer
- adding check for certificate "ocsp"-requirement
- allow Profile-Ids to be non-consecutive

src/org/cacert/gigi/api/CATSImport.java
src/org/cacert/gigi/dbObjects/CertificateProfile.java
src/org/cacert/gigi/dbObjects/Organisation.java
src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
util-testing/org/cacert/gigi/util/SimpleSigner.java

index 507a4a000f0e822134f38a400e16dc0576960385..b30658d6ecd484307d32b29c94347af068802e14 100644 (file)
@@ -21,7 +21,7 @@ public class CATSImport extends APIPoint {
             resp.sendError(500, "Error, invalid cert");
             return;
         }
-        if ( !"CAcert".equals(((Organisation) u).getName())) {
+        if ( !((Organisation) u).isSelfOrganisation()) {
             resp.sendError(500, "Error, invalid cert");
             return;
 
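Review bot: The new `isSelfOrganisation()` rejection on line 23 reuses the same status and message, `"Error, invalid cert"`, as the preceding invalid-certificate branch, so the two refusal reasons are indistinguishable both to the client and in the server log. A distinct message, e.g. `resp.sendError(500, "Error, cert does not belong to the CA's own organisation");`, keeps the authorisation decision auditable without changing control flow. The enclosing method starts before the hunk, so I cannot see whether `u` is confirmed to be an `Organisation` before the cast; if it is not, a non-organisation owner would fail with a ClassCastException rather than the intended error response.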
index c31f6cbfa3449dbaebb4ceb2e7f2564765da2640..5704497986388f70123d5bf7230839bed85fde0d 100644 (file)
@@ -263,6 +263,14 @@ public class CertificateProfile implements IdCachable {
                 if ( !actor.isInGroup(Group.CODESIGNING)) {
                     return false;
                 }
+            } else if (s.equals("ocsp")) {
+                if ( !(owner instanceof Organisation)) {
+                    return false;
+                }
+                Organisation o = (Organisation) owner;
+                if ( !o.isSelfOrganisation()) {
+                    return false;
+                }
             } else {
                 return false;
             }
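Review bot: The new "ocsp" branch restricts the certificate owner to the self organisation but, unlike the "codesigning" branch directly above it, places no condition on `actor`, so any actor permitted to act for that organisation can request an OCSP-signing certificate. If that is intended because the actor/owner relationship is enforced before this method is reached, a comment on the branch should say so, e.g. `// OCSP signers are issued only to the CA's own organisation; actor authorisation is assumed to be checked by the caller`. Otherwise an explicit actor check mirroring the codesigning case would be the safer default. The enclosing method begins before the hunk, so the earlier checks on `actor` and `owner` are not visible here.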
index fa6ff1bee357d4ed52050e2226ad312f40b3bec3..66de62d9500d12a4e5c8b00fd5cdb59ed47dcf8f 100644 (file)
@@ -217,4 +217,8 @@ public class Organisation extends CertificateOwner {
     public boolean isValidEmail(String email) {
         return isValidDomain(email.split("@", 2)[1]);
     }
+
+    public boolean isSelfOrganisation() {
+        return "CAcert".equals(getName());
+    }
 }
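Review bot: `isSelfOrganisation()` identifies the CA's own organisation by comparing its display name with the literal "CAcert", and the same commit makes it the gate for issuing OCSP-signing certificates, so the method should carry Javadoc stating that contract: `/** Returns true if this is the CA's own organisation (name "CAcert"), which alone may hold internal certificates such as OCSP signers. */`. If organisation names can be edited anywhere in the application, a name match is a weak identifier for a privileged organisation and a fixed id or a dedicated flag would be more robust; whether the name is mutable is not visible from this hunk. At minimum the literal should become a named constant so that callers do not re-embed it as CATSImport previously did.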
index 5712190bcd8f84e66329637fd9644e1e78806abe..7774fd814ea8007b619df1c67d9c75216aff0232 100644 (file)
@@ -152,16 +152,19 @@ public class CertificateIssueForm extends Form {
         vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
         vars2.put("profiles", new IterableDataset() {
 
-            int i = 1;
+            CertificateProfile[] cps = CertificateProfile.getAll();
+
+            int i = 0;
 
             @Override
             public boolean next(Language l, Map<String, Object> vars) {
                 CertificateProfile cp;
                 do {
-                    cp = CertificateProfile.getById(i++);
-                    if (cp == null) {
+                    if (i >= cps.length) {
                         return false;
                     }
+                    cp = cps[i];
+                    i++;
                 } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
 
                 if (cp.getId() == cr.getProfile().getId()) {
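Review bot: `cps` is assigned once in the anonymous IterableDataset and never reassigned, so `final CertificateProfile[] cps = CertificateProfile.getAll();` would document that the profile list is snapshotted when the form is rendered. The bounds check, fetch and increment on lines 69–73 can be folded into `cp = cps[i++];` after the guard, which reads as a plain array walk. The profiles are now listed in whatever order `getAll()` returns rather than by ascending id; if the form depends on a particular order, that assumption should be stated in a comment. The `next()` method continues beyond the hunk.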
index 970c719f468b222dfb9c7eec2b2fa39eb508d84d..d23b78bc6d83fd1f7a0c8a008183159b7403c882 100644 (file)
@@ -494,6 +494,9 @@ public class SimpleSigner {
             case "emailProtection":
                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
                 break;
+            case "OCSPSigning":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
+                break;
 
             default:
                 throw new Error(name);
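Review bot: The new case maps "OCSPSigning" to 1.3.6.1.5.5.7.3.9 without naming the OID; a trailing comment on line 83, `// id-kp-OCSPSigning (RFC 5280 §4.2.1.12)`, would make the mapping checkable at a glance, as would similar comments on the neighbouring cases. An OCSP responder certificate usually also carries the id-pkix-ocsp-nocheck extension so that relying parties do not attempt to validate the responder's own certificate via OCSP; nothing in this hunk adds it, though it may be handled elsewhere in SimpleSigner. The enclosing method starts before the hunk.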