upd: for installation send certificate chains as p7 encoded cert set

author Felix Dörre <felix@dogcraft.de>

Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)

committer Felix Dörre <felix@dogcraft.de>

Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)
author Felix Dörre <felix@dogcraft.de>
Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)
committer Felix Dörre <felix@dogcraft.de>
Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ b/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ

index 99ae5d3122fe3f6907a79d216ac01ecaa9e3dc3e..1e66e85f3923b2c68491963f926049b25b301d0d 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ
@@ -5,7 +5,7 @@
  <a href='<?=$serial?>.crt?chain'><?=_PEM encoded Certificate Cain?></a><br/>
  <a href='<?=$serial?>.crt?chain&noAnchor'><?=_PEM encoded Certificate Cain (Excluding Anchor)?></a><br/>
  <a href='<?=$serial?>.cer'><?=_DER encoded Certificate?></a><br/>
-<a href='<?=$serial?>.cer?install'><?=_Install into browser.?></a><br/>
+<a href='<?=$serial?>.cer?install&chain'><?=_Install into browser.?></a><br/>
  <pre>
  <?=$cert?>
  </pre>
diff --git a/src/org/cacert/gigi/pages/account/certs/Certificates.java b/src/org/cacert/gigi/pages/account/certs/Certificates.java

index 766d21ea0ab7e6b5ba50f678721084d76b6cd35f..312e7dc634840368225a1afa45530c58b05fb162 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/Certificates.java
+++ b/src/org/cacert/gigi/pages/account/certs/Certificates.java
@@ -6,6 +6,7 @@ import java.net.URLEncoder;
  import java.security.GeneralSecurityException;
  import java.security.cert.X509Certificate;
  import java.util.HashMap;
+import java.util.LinkedList;
  import java.util.Map;
  
  import javax.servlet.ServletOutputStream;
@@ -23,6 +24,11 @@ import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.Page;
  import org.cacert.gigi.util.PEM;
  
+import sun.security.pkcs.ContentInfo;
+import sun.security.pkcs.PKCS7;
+import sun.security.pkcs.SignerInfo;
+import sun.security.x509.AlgorithmId;
+
  public class Certificates extends Page implements HandlesMixedRequest {
  
      private Template certDisplay = new Template(Certificates.class.getResource("CertificateDisplay.templ"));
@@ -69,13 +75,13 @@ public class Certificates extends Page implements HandlesMixedRequest {
          boolean crt = false;
          boolean cer = false;
          resp.setContentType("application/pkix-cert");
+        if (req.getParameter("install") != null) {
+            resp.setContentType("application/x-x509-user-cert");
+        }
          if (pi.endsWith(".crt")) {
              crt = true;
              pi = pi.substring(0, pi.length() - 4);
          } else if (pi.endsWith(".cer")) {
-            if (req.getParameter("install") != null) {
-                resp.setContentType("application/x-x509-user-cert");
-            }
              cer = true;
              pi = pi.substring(0, pi.length() - 4);
          } else if (pi.endsWith(".cer")) {
@@ -107,7 +113,17 @@ public class Certificates extends Page implements HandlesMixedRequest {
                      }
                  }
              } else if (cer) {
-                out.write(cert.getEncoded());
+                if (req.getParameter("install") != null) {
+                    PKCS7 p7 = toP7Chain(c);
+                    p7.encodeSignedData(out);
+                    /*
+                     * ContentInfo ci = toCIChain(c); try (DerOutputStream dos =
+                     * new DerOutputStream()) { ci.encode(dos);
+                     * out.write(dos.toByteArray()); }
+                     */
+                } else {
+                    out.write(cert.getEncoded());
+                }
              }
          } catch (IllegalArgumentException e) {
              resp.sendError(404);
@@ -120,6 +136,24 @@ public class Certificates extends Page implements HandlesMixedRequest {
          return true;
      }
  
+    private static PKCS7 toP7Chain(Certificate c) throws IOException, GeneralSecurityException {
+        LinkedList<X509Certificate> ll = getChain(c);
+        PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo(ContentInfo.DATA_OID, null), ll.toArray(new X509Certificate[ll.size()]), new SignerInfo[0]);
+        return p7;
+    }
+
+    private static LinkedList<X509Certificate> getChain(Certificate c) throws IOException, GeneralSecurityException {
+        LinkedList<X509Certificate> ll = new LinkedList<>();
+        ll.add(c.cert());
+        CACertificate ca = c.getParent();
+        while ( !ca.isSelfsigned()) {
+            ll.add(ca.getCertificate());
+            ca = ca.getParent();
+        }
+        ll.add(ca.getCertificate());
+        return ll;
+    }
+
      @Override
      public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
          if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
author	Felix Dörre <felix@dogcraft.de>
	Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)
committer	Felix Dörre <felix@dogcraft.de>
	Wed, 4 Nov 2015 12:51:51 +0000 (13:51 +0100)
src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/Certificates.java		patch \| blob \| history