import org.cacert.gigi.output.template.IterableDataset;
import org.cacert.gigi.output.template.Template;
import org.cacert.gigi.ping.SSLPinger;
-import org.cacert.gigi.util.HTMLEncoder;
import org.cacert.gigi.util.RandomToken;
public class PingConfigForm extends Form {
protected void outputEmbeddableContent(PrintWriter out, Language l, Map<String, Object> vars) {
vars.put("tokenName", tokenName);
vars.put("tokenValue", tokenValue);
- vars.put("openSSLHelp", "<code>" + HTMLEncoder.encodeHTML("-subj \"/CN=<domain>/OU=" + tokenValue + "\"") + "</code>");
vars.put("authEmails", new IterableDataset() {
int i = 0;
<div class="panel-heading"><input type="checkbox" name="SSLType" value="y"<?=$!ssl?>> <?=_Verify by searching for installed certificate.?></div>
<div class="panel-body">
<?=_Please list up to four services using your certificate. You need to have one of them up and using a valid SomeCA certificate or a specific self-signed certificate in order to pass this test?>:
- <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit. With $!{openSSLHelp} OpenSSL command line utilities can generate such a certificate.?>:
+ <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit.?> <?=_You can use these commands to create such a certificate:?>
+ <code>
+openssl req -newkey rsa:4096 -subj "/CN=<span class='exampleDomain'>example.org</span>/OU=<?=$tokenValue?>" -nodes -out myCSR -keyout myKey<br>
+openssl x509 -req -in myCSR -signkey myKey -out myCert -extfile <(printf 'extendedKeyUsage = serverAuth\n')
+ </code>
<table>
<? foreach($ssl-services){ ?>
<tr><td><select name='ssl-type-<?=$i?>'>
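Review bot: The second openssl command on the added line ending in `-extfile <(printf 'extendedKeyUsage = serverAuth\n')` relies on bash process substitution, which fails under plain POSIX sh/dash with a syntax error; either add a short hint next to the commands, e.g. `<?=_These commands require bash.?>`, or show the extension file being written explicitly (`printf 'extendedKeyUsage = serverAuth\n' > myExt` then `-extfile myExt`). The token is now emitted into the command with `<?=$tokenValue?>` instead of the HTMLEncoder-wrapped `openSSLHelp` variable; if `$!ssl` on the heading line and `$!{openSSLHelp}` on the removed line mark the raw form and `$` the escaped one, this is fine, but it is worth confirming since the explicit encoding was dropped on the Java side. The `<span class='exampleDomain'>` inside the quoted `-subj` value renders as a plain placeholder only if the span has no visible markup, so a copy-paste of the command is safe; consider a comment in the template noting that the span exists purely for styling.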
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException {
java.security.cert.X509Certificate c = chain[0];
- if (c.getExtendedKeyUsage() != null && !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
- throw new java.security.cert.CertificateException("Illegal EKU");
+ if (c.getExtendedKeyUsage() == null || !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
+ throw new java.security.cert.CertificateException("Extended Key Usage for SSL Server Authentication missing");
}
}
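Review bot: `chain[0]` on the line before the new EKU check is unguarded, so an empty chain surfaces as an ArrayIndexOutOfBoundsException rather than the CertificateException a caller of checkServerTrusted would handle; add `if (chain == null || chain.length == 0) throw new java.security.cert.CertificateException("Empty certificate chain");` before the access. The new condition calls `getExtendedKeyUsage()` twice; binding it once, `java.util.List<String> eku = c.getExtendedKeyUsage();` and then `if (eku == null || !eku.contains(OID_EKU_serverAuth))`, avoids parsing the extension twice and reads more clearly. A one-line comment above the check stating that a certificate without any Extended Key Usage extension is now rejected, not merely one with a wrong EKU, would document the behaviour change for maintainers. The enclosing class (presumably an X509TrustManager implementation) starts and ends outside the hunk.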