import club.wpia.gigi.pages.LoginPage;
import club.wpia.gigi.util.AuthorizationContext;
import club.wpia.gigi.util.HTMLEncoder;
-import club.wpia.gigi.util.RandomToken;
import club.wpia.gigi.util.ServerConstants;
import club.wpia.gigi.util.ServerConstants.Host;
private AuthorizationContext c;
- private String spkacChallenge;
-
private boolean login;
public CertificateIssueForm(HttpServletRequest hsr) {
super(hsr);
c = LoginPage.getAuthorizationContext(hsr);
- spkacChallenge = RandomToken.generateToken(16);
}
private Certificate result;
@Override
public SubmissionResult submit(HttpServletRequest req) throws GigiApiException {
String csr = req.getParameter("CSR");
- String spkac = req.getParameter("SPKAC");
try {
if (csr != null) {
cr = new CertificateRequest(c, csr);
// TODO cr.checkKeyStrength(out);
return new FormContinue();
- } else if (spkac != null) {
- cr = new CertificateRequest(c, spkac, spkacChallenge);
- // TODO cr.checkKeyStrength(out);
- return new FormContinue();
} else if (cr != null) {
login = "1".equals(req.getParameter("login"));
issueDate.update(req);
HashMap<String, Object> vars2 = new HashMap<String, Object>(vars);
vars2.put("csrf", getCSRFToken());
vars2.put("csrf_name", getCsrfFieldName());
- vars2.put("spkacChallenge", spkacChallenge);
tIni.output(out, l, vars2);
return;
} else {
<h3><?=_${appName} Acceptable Use Policy?></h3>
<p><?=_I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to ${appName} to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.?></p>
-<p><?=_${appName}'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with ${appName}'s CPS and supporting documentation published !(/policy/CPS)here!'</a>'.?></p>
+<p><?=_${appName}'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use client and server certificates in accordance with ${appName}'s CPS and supporting documentation published !(/policy/CPS)here!'</a>'.?></p>
<p><?=_If the Subscriber's name and/or domain name registration change the subscriber will immediately inform ${appName} Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.?></p>
<span id="placeholderName" class="js-hint"><?=$placeholderName?></span>
</tr>
<? if($orga) { ?>
<tr>
- <td><?=_Department?></td>
+ <td><?=_Department (OU)?></td>
<td align="left"><input type='text' name='OU' value='<?=$department?>'/></td>
</tr>
<? } ?>
<p><?=_${appName} offers two ways to create a certificate.?>
-<?=_One is to paste a certificate signing request (CSR) created from an existing or newly created private key.?> <?=_If you do not know what a CSR is or how to create one take a look at the !(/kb/CSR)FAQ!'</a>'.?>
-<?=_As an alternative you can generate the private key inside your browser and export it once the certificate has been issued.?></p>
+<?=_One is to paste a certificate signing request (CSR) created from an existing or newly created private key.?> <?=_If you do not know what a CSR is or how to create one take a look at the !(/kb/CSR)FAQ!'</a>'.?></p>
+<p><?=_For inexperienced users the usage of !(/kb/XCA)XCA!'</a>' is recommended and described in !(/kb/XCADocu)XCA usage documentation!'</a>'?></p>
<form method="post">
<table class="table">
<thead>
</tbody>
</table>
</form>
-<form method="post">
-<table class="table">
- <thead>
- <tr>
- <th colspan="2" class="title"><?=_Create a fresh key in the browser (SPKAC)?></th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td><?=_I do not have a CSR.?></td>
- <td align="left">
- <?=_key size (2048 recommended)?>: <keygen name="SPKAC" challenge="<?=$spkacChallenge?>"/>
- </td>
- </tr>
- <tr>
- <td colspan="2">
- <input class="btn btn-primary" type="submit" name="process" value="<?=_Next?>" />
- <input type='hidden' name='<?=$csrf_name?>' value='<?=$csrf?>'>
- </td>
- </tr>
- </tbody>
-</table>
-</form>
+
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Arrays;
-import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import org.junit.Test;
-import club.wpia.gigi.crypto.SPKAC;
import club.wpia.gigi.dbObjects.CertificateOwner;
import club.wpia.gigi.dbObjects.Digest;
import club.wpia.gigi.pages.account.certs.CertificateAdd;
import sun.security.x509.GeneralNames;
import sun.security.x509.RFC822Name;
import sun.security.x509.SubjectAlternativeNameExtension;
-import sun.security.x509.X509Key;
public class TestCertificateAdd extends ClientTest {
}, res);
}
- @Test
- public void testSPKAC() throws GeneralSecurityException, IOException {
- testSPKAC(false);
- testSPKAC(true);
- }
-
@Test
public void testIssue() throws IOException, GeneralSecurityException {
HttpURLConnection huc = sendCertificateForm("description");
return uc;
}
- protected String testSPKAC(boolean correctChallenge) throws GeneralSecurityException, IOException {
- HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
- uc.setRequestProperty("Cookie", cookie);
- String s = IOUtils.readURL(uc);
-
- csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
- String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
-
- SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallenge ? "" : "b"));
- Signature sign = Signature.getInstance("SHA512WithRSA");
- sign.initSign(kp.getPrivate());
- try {
- String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
- if ( !correctChallenge) {
- fail("Should not succeed with wrong challenge.");
- }
- assertArrayEquals(new String[] {
- "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
- }, res);
- } catch (OnPageError e) {
- String error = fetchStartErrorMessage(e.getMessage());
- assertTrue(error, error.startsWith("<p>Challenge mismatch"));
- }
- return csrf;
- }
-
private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
CertificateExtensions attributeValue = new CertificateExtensions();
GeneralNames names = new GeneralNames();
projects / gigi.git / commitdiff