add: cert-rules closer to reality

author Felix Dörre <felix@dogcraft.de>

Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)

committer Felix Dörre <felix@dogcraft.de>

Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)
author Felix Dörre <felix@dogcraft.de>
Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)
committer Felix Dörre <felix@dogcraft.de>
Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)
diff --git a/src/org/cacert/gigi/dbObjects/CertificateOwner.java b/src/org/cacert/gigi/dbObjects/CertificateOwner.java

index e9fb53fae45921804685bd44303790205944df05..26a70b67101019f36dc089531f9c7221904a45f9 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/CertificateOwner.java
+++ b/src/org/cacert/gigi/dbObjects/CertificateOwner.java
@@ -57,21 +57,6 @@ public abstract class CertificateOwner implements IdCachable {
          return id;
      }
  
          return id;
      }
  
-    public EmailAddress[] getEmails() {
-        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM emails WHERE memid=? AND deleted is NULL");
-        ps.setInt(1, getId());
-
-        try (GigiResultSet rs = ps.executeQuery()) {
-            LinkedList<EmailAddress> data = new LinkedList<EmailAddress>();
-
-            while (rs.next()) {
-                data.add(EmailAddress.getById(rs.getInt(1)));
-            }
-
-            return data.toArray(new EmailAddress[0]);
-        }
-    }
-
      public Domain[] getDomains() {
          GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM domains WHERE memid=? AND deleted IS NULL");
          ps.setInt(1, getId());
      public Domain[] getDomains() {
          GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM domains WHERE memid=? AND deleted IS NULL");
          ps.setInt(1, getId());
@@ -118,15 +103,7 @@ public abstract class CertificateOwner implements IdCachable {
          return false;
      }
  
          return false;
      }
  
-    public boolean isValidEmail(String email) {
-        for (EmailAddress em : getEmails()) {
-            if (em.getAddress().equals(email)) {
-                return true;
-            }
-        }
-
-        return false;
-    }
+    public abstract boolean isValidEmail(String email);
  
      public void delete() {
          GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("UPDATE certOwners SET deleted=NOW() WHERE id=?");
  
      public void delete() {
          GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("UPDATE certOwners SET deleted=NOW() WHERE id=?");
diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java

index 60957e51696afc40bd831ed7f63c4c66e54275e7..9beb0f57823e65e57d7c683c4aafaa2de69378ac 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
@@ -202,4 +202,9 @@ public class Organisation extends CertificateOwner {
          }
          return false;
      }
          }
          return false;
      }
+
+    @Override
+    public boolean isValidEmail(String email) {
+        return isValidDomain(email.split("@", 2)[1]);
+    }
  }
  }
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java

index 1d7526677eef692edbab3f0407b1467f29b1da14..42457db543a625540be62b5deff109321fd72778 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -441,4 +441,30 @@ public class User extends CertificateOwner {
          }
      }
  
          }
      }
  
+    public EmailAddress[] getEmails() {
+        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM emails WHERE memid=? AND deleted is NULL");
+        ps.setInt(1, getId());
+
+        try (GigiResultSet rs = ps.executeQuery()) {
+            LinkedList<EmailAddress> data = new LinkedList<EmailAddress>();
+
+            while (rs.next()) {
+                data.add(EmailAddress.getById(rs.getInt(1)));
+            }
+
+            return data.toArray(new EmailAddress[0]);
+        }
+    }
+
+    @Override
+    public boolean isValidEmail(String email) {
+        for (EmailAddress em : getEmails()) {
+            if (em.getAddress().equals(email)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
  }
  }
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java

index 187c7cb8eea7a7effa18498b2c299548930afc0b..0bf0bd2ff63b844b79bf8f5f8867b201f0a9a5db 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -23,6 +23,7 @@ import org.cacert.gigi.dbObjects.Certificate;
  import org.cacert.gigi.dbObjects.Certificate.CSRType;
  import org.cacert.gigi.dbObjects.Certificate.SANType;
  import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  import org.cacert.gigi.dbObjects.Certificate.CSRType;
  import org.cacert.gigi.dbObjects.Certificate.SANType;
  import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
  import org.cacert.gigi.dbObjects.Digest;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
  import org.cacert.gigi.dbObjects.Digest;
@@ -296,14 +297,29 @@ public class CertificateRequest {
          if (newOrgStr != null) {
              Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
              if (neworg == null || u.getOrganisations().contains(neworg)) {
          if (newOrgStr != null) {
              Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
              if (neworg == null || u.getOrganisations().contains(neworg)) {
-                org = neworg;
+                PropertyTemplate orga = profile.getTemplates().get("orga");
+                if (orga != null) {
+                    org = neworg;
+                } else {
+                    org = null;
+                    error.mergeInto(new GigiApiException("No organisations for this certificate profile."));
+                }
              } else {
              } else {
-                error.mergeInto(new GigiApiException("Selected Organisation is not part of your account."));
+                error.mergeInto(new GigiApiException("Selected organisation is not part of your account."));
              }
          }
              }
          }
+
          this.ou = ou;
  
          this.ou = ou;
  
-        verifySANs(error, profile, parseSANBox(SANsStr));
+        if ( !this.profile.canBeIssuedBy(u)) {
+            this.profile = CertificateProfile.getById(1);
+            error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
+            throw error;
+        }
+
+        CertificateOwner owner = org != null ? org : u;
+
+        verifySANs(error, profile, parseSANBox(SANsStr), owner);
  
          if ( !error.isEmpty()) {
              throw error;
  
          if ( !error.isEmpty()) {
              throw error;
@@ -311,7 +327,7 @@ public class CertificateRequest {
          return true;
      }
  
          return true;
      }
  
-    private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2) {
+    private void verifySANs(GigiApiException error, CertificateProfile p, Set<SubjectAlternateName> sANs2, CertificateOwner owner) {
          Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
          PropertyTemplate domainTemp = p.getTemplates().get("domain");
          PropertyTemplate emailTemp = p.getTemplates().get("email");
          Set<SubjectAlternateName> filteredSANs = new LinkedHashSet<>();
          PropertyTemplate domainTemp = p.getTemplates().get("domain");
          PropertyTemplate emailTemp = p.getTemplates().get("email");
@@ -319,7 +335,7 @@ public class CertificateRequest {
          pMail = null;
          for (SubjectAlternateName san : sANs2) {
              if (san.getType() == SANType.DNS) {
          pMail = null;
          for (SubjectAlternateName san : sANs2) {
              if (san.getType() == SANType.DNS) {
-                if (domainTemp != null && u.isValidDomain(san.getName())) {
+                if (domainTemp != null && owner.isValidDomain(san.getName())) {
                      if (pDNS != null && !domainTemp.isMultiple()) {
                          // remove
                      } else {
                      if (pDNS != null && !domainTemp.isMultiple()) {
                          // remove
                      } else {
@@ -331,7 +347,7 @@ public class CertificateRequest {
                      }
                  }
              } else if (san.getType() == SANType.EMAIL) {
                      }
                  }
              } else if (san.getType() == SANType.EMAIL) {
-                if (emailTemp != null && u.isValidEmail(san.getName())) {
+                if (emailTemp != null && owner.isValidEmail(san.getName())) {
                      if (pMail != null && !emailTemp.isMultiple()) {
                          // remove
                      } else {
                      if (pMail != null && !emailTemp.isMultiple()) {
                          // remove
                      } else {
@@ -355,13 +371,6 @@ public class CertificateRequest {
      public synchronized Certificate draft() throws GigiApiException {
  
          GigiApiException error = new GigiApiException();
      public synchronized Certificate draft() throws GigiApiException {
  
          GigiApiException error = new GigiApiException();
-        if ( !this.profile.canBeIssuedBy(u)) {
-            this.profile = CertificateProfile.getById(1);
-            error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
-            throw error;
-        }
-
-        verifySANs(error, profile, SANs);
  
          HashMap<String, String> subject = new HashMap<>();
          PropertyTemplate domainTemp = profile.getTemplates().get("domain");
  
          HashMap<String, String> subject = new HashMap<>();
          PropertyTemplate domainTemp = profile.getTemplates().get("domain");
@@ -378,8 +387,13 @@ public class CertificateRequest {
          // primary domain. (domainTemp != null)
  
          String verifiedCN = null;
          // primary domain. (domainTemp != null)
  
          String verifiedCN = null;
-
-        verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
+        if (org == null) {
+            verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
+        } else {
+            if ( !name.equals("")) {
+                verifiedCN = name;
+            }
+        }
          if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
              error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
          } else if (domainTemp != null && verifiedCN == null) {
          if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
              error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
          } else if (domainTemp != null && verifiedCN == null) {
@@ -404,25 +418,13 @@ public class CertificateRequest {
              }
          }
  
              }
          }
  
-        PropertyTemplate orga = profile.getTemplates().get("orga");
-        if (orga != null) {
-            if (orga.isMultiple() || !orga.isRequired()) {
-                error.mergeInto(new GigiApiException("This is an internal error."));
-            } else if (org == null) {
-                error.mergeInto(new GigiApiException("You need to select an organisation for this profile type."));
-            } else {
-                subject.put("O", org.getName());
-                subject.put("C", org.getState());
-                subject.put("ST", org.getProvince());
-                subject.put("L", org.getCity());
-                if (ou != null) {
-                    subject.put("OU", ou);
-                }
-            }
-        } else {
-            if (org != null) {
-                org = null;
-                error.mergeInto(new GigiApiException("You may only include organisations in orga-certs."));
+        if (org != null) {
+            subject.put("O", org.getName());
+            subject.put("C", org.getState());
+            subject.put("ST", org.getProvince());
+            subject.put("L", org.getCity());
+            if (ou != null) {
+                subject.put("OU", ou);
              }
          }
          System.out.println(subject);
              }
          }
          System.out.println(subject);
author	Felix Dörre <felix@dogcraft.de>
	Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)
committer	Felix Dörre <felix@dogcraft.de>
	Fri, 15 May 2015 01:08:37 +0000 (03:08 +0200)
src/org/cacert/gigi/dbObjects/CertificateOwner.java		patch \| blob \| history
src/org/cacert/gigi/dbObjects/Organisation.java		patch \| blob \| history
src/org/cacert/gigi/dbObjects/User.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/CertificateRequest.java		patch \| blob \| history