import org.cacert.gigi.database.DatabaseConnection;
import org.cacert.gigi.dbObjects.CACertificate;
+import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.CertificateProfile;
import org.cacert.gigi.dbObjects.DomainPingConfiguration;
+import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.Menu;
import org.cacert.gigi.pages.wot.MyPoints;
import org.cacert.gigi.pages.wot.RequestTTPPage;
import org.cacert.gigi.ping.PingerDaemon;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.ServerConstants;
public class Gigi extends HttpServlet {
putPage(TTPAdminPage.PATH + "/*", new TTPAdminPage(), "Admin");
putPage(CreateOrgPage.DEFAULT_PATH, new CreateOrgPage(), "Organisation Admin");
putPage(ViewOrgPage.DEFAULT_PATH + "/*", new ViewOrgPage(), "Organisation Admin");
- putPage(FindDomainPage.PATH, new FindDomainPage("Find Domain"), "System Admin");
putPage(FindUserPage.PATH, new FindUserPage("Find User"), "System Admin");
+ putPage(FindDomainPage.PATH, new FindDomainPage("Find Domain"), "System Admin");
putPage(SupportUserDetailsPage.PATH + "*", new SupportUserDetailsPage("Support: User Details"), null);
if (testing) {
try {
public static final String CERT_ISSUER = "org.cacert.gigi.issuer";
- public static final String USER = "user";
+ public static final String AUTH_CONTEXT = "auth";
public static final String LOGIN_METHOD = "org.cacert.gigi.loginMethod";
resp.sendRedirect("https://" + ServerConstants.getWwwHostNamePortSecure() + req.getPathInfo());
return;
}
+ AuthorizationContext currentAuthContext = LoginPage.getAuthorizationContext(req);
User currentPageUser = LoginPage.getUser(req);
if ( !p.isPermitted(currentPageUser)) {
if (hs.getAttribute("loggedin") == null) {
vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
vars.put("content", content);
if (currentPageUser != null) {
- vars.put("loggedInAs", currentPageUser.getName().toString());
+ CertificateOwner target = currentAuthContext.getTarget();
+ if (target != currentPageUser) {
+ vars.put("loggedInAs", ((Organisation) target).getName() + " (" + currentPageUser.getName().toString() + ")");
+ } else {
+ vars.put("loggedInAs", currentPageUser.getName().toString());
+ }
vars.put("loginMethod", lang.getTranslation((String) req.getSession().getAttribute(LOGIN_METHOD)));
}
resp.setContentType("text/html; charset=utf-8");
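Review bot: The `loggedInAs` branch at L40–L42 decides that an organisation is active by reference identity (`target != currentPageUser`) and then casts unconditionally to `Organisation`, so any other `CertificateOwner` implementation, or a context whose target is an equal-but-distinct `User` instance, would end in a ClassCastException or a wrong label. Testing the type is both safer and clearer: `if (target instanceof Organisation) {` with the cast kept inside that branch and the personal label in the `else`. Whether `User` instances are canonical (one object per id) is not visible here, so the identity check may hold today but it is fragile. The enclosing method starts outside the hunk.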
import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.dbObjects.Certificate;
-import org.cacert.gigi.dbObjects.Job;
import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
+import org.cacert.gigi.dbObjects.Job;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.account.certs.CertificateRequest;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.PEM;
public class GigiAPI extends HttpServlet {
return;
}
try {
- CertificateRequest cr = new CertificateRequest(u, csr);
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
Certificate result = cr.draft();
- Job job = result.issue(null, "2y");
+ Job job = result.issue(null, "2y", u);
job.waitFor(60000);
if (result.getStatus() != CertificateStatus.ISSUED) {
resp.sendError(510, "Error, issuing timed out");
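Review bot: The API path at L64 always builds a personal context (`new AuthorizationContext(u, u)`), so a certificate owned by an organisation cannot be requested through this endpoint even by one of its admins; if that is deliberate it deserves a comment, otherwise the organisation would have to be selected from the request and the membership verified as MyOrganisationsForm does. Suggested comment above L64: `// API issuance is always in the personal context: the owner is the authenticated user, never an organisation.` The enclosing method starts outside the hunk.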
private int id;
- private User owner;
+ private CertificateOwner owner;
private String serial;
private CACertificate ca;
- public Certificate(User owner, HashMap<String, String> dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) throws GigiApiException, IOException {
- if ( !profile.canBeIssuedBy(owner)) {
+ public Certificate(CertificateOwner owner, User actor, HashMap<String, String> dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) throws GigiApiException, IOException {
+ if ( !profile.canBeIssuedBy(owner, actor)) {
throw new GigiApiException("You are not allowed to issue these certificates.");
}
this.owner = owner;
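Review bot: The constructor's only authorisation is `profile.canBeIssuedBy(owner, actor)` at L79; nothing here checks that `actor` is entitled to act for `owner` when the two differ (an organisation admin issuing for the organisation), so that guarantee rests entirely on whoever built the AuthorizationContext. That contract should be written on the constructor, e.g. `@param owner the entity the certificate will belong to` and `@param actor the logged-in user making the request; callers must already have verified that actor may act for owner`. A `Objects.requireNonNull(actor, "actor")` before L79 would also turn a missing actor into a clear failure instead of an NPE inside canBeIssuedBy. The constructor body continues outside the hunk.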
}
private Certificate(GigiResultSet rs) {
- //
- if ( !rs.next()) {
- throw new IllegalArgumentException("Invalid mid " + serial);
- }
this.id = rs.getInt("id");
dnString = rs.getString("subject");
md = rs.getString("md");
csrName = rs.getString("csr_name");
crtName = rs.getString("crt_name");
- owner = User.getById(rs.getInt("memid"));
+ owner = CertificateOwner.getById(rs.getInt("memid"));
profile = CertificateProfile.getById(rs.getInt("profile"));
this.serial = rs.getString("serial");
* @throws GigiApiException
* if the period is bogus
*/
- public Job issue(Date start, String period) throws IOException, GigiApiException {
+ public Job issue(Date start, String period, User actor) throws IOException, GigiApiException {
if (getStatus() != CertificateStatus.DRAFT) {
throw new IllegalStateException();
}
- Notary.writeUserAgreement(owner, "CCA", "issue certificate", "", true, 0);
+ Notary.writeUserAgreement(actor, "CCA", "issue certificate", "", true, 0);
return Job.sign(this, start, period);
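Review bot: The Javadoc above `issue` (L98–L100) still documents only the bogus-period exception and says nothing about the new `actor` parameter, although it now determines whose CCA agreement is recorded at L107 instead of the certificate owner's. Add `@param actor the user performing the issuance; the CCA acceptance is recorded against this user, not against the certificate owner`, and consider `Objects.requireNonNull(actor, "actor")` ahead of the DRAFT-state check so a null actor does not surface inside Notary.writeUserAgreement. The method's Javadoc starts outside the hunk.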
return md;
}
- public User getOwner() {
+ public CertificateOwner getOwner() {
return owner;
}
GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as `subject`, `md`, `csr_name`, `crt_name`,`memid`, `profile`, `certs`.`serial` FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=`certs`.`id` WHERE `serial`=? GROUP BY `certs`.`id`");
ps.setString(1, serial);
GigiResultSet rs = ps.executeQuery();
+ if ( !rs.next()) {
+ return null;
+ }
int id = rs.getInt(1);
Certificate c1 = cache.get(id);
if (c1 != null) {
GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as subject, md, csr_name, crt_name,memid, profile, certs.serial FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=certs.id WHERE certs.id=? GROUP BY certs.id");
ps.setInt(1, id);
GigiResultSet rs = ps.executeQuery();
+ if ( !rs.next()) {
+ return null;
+ }
Certificate c = new Certificate(rs);
cache.put(c);
return byId.values().toArray(new CertificateProfile[byId.size()]);
}
- public boolean canBeIssuedBy(User u) {
+ public boolean canBeIssuedBy(CertificateOwner owner, User actor) {
+ if (pt.containsKey("orga")) {
+ if ( !(owner instanceof Organisation)) {
+ return false;
+ }
+ } else {
+ if (owner instanceof Organisation) {
+ return false;
+ }
+ }
for (String s : req) {
if (s.equals("points>=50")) {
- if (u.getAssurancePoints() < 50) {
+ if (actor.getAssurancePoints() < 50) {
return false;
}
} else if (s.equals("points>=100")) {
- if (u.getAssurancePoints() < 100) {
+ if (actor.getAssurancePoints() < 100) {
return false;
}
} else if (s.equals("codesign")) {
- if (u.isInGroup(Group.CODESIGNING)) {
+ if (actor.isInGroup(Group.CODESIGNING)) {
return false;
}
} else {
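Review bot: The `codesign` requirement at L157–L160 returns false when the actor *is* in `Group.CODESIGNING`, which reads as inverted: a profile that requires code-signing permission would be issuable only by users who lack it. This predates the patch, but the line was touched (`u` → `actor`) and the new owner/actor split is the right moment to settle it; unless CODESIGNING is meant as an exclusion group, the check should be `if ( !actor.isInGroup(Group.CODESIGNING)) {`. The `orga` gating at L136–L144 is sound: the owner type is matched to the profile while points and group requirements are evaluated against the acting user. The method continues past the hunk.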
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.PasswordHash;
public class LoginPage extends Page {
}
public static User getUser(HttpServletRequest req) {
- return (User) req.getSession().getAttribute(USER);
+ AuthorizationContext ac = getAuthorizationContext(req);
+ if (ac == null) {
+ return null;
+ }
+ return ac.getActor();
+ }
+
+ public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
+ return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
}
private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
HttpSession hs = req.getSession();
hs.setAttribute(LOGGEDIN, true);
hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
- hs.setAttribute(USER, user);
+ hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
}
@Override
import javax.servlet.http.HttpServletResponse;
import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.Page;
public class MyDetails extends Page {
MyListingForm listingForm = new MyListingForm(req, getUser(req));
map.put("detailsForm", form);
map.put("contactMeForm", listingForm);
+ if (LoginPage.getUser(req).getOrganisations().size() != 0) {
+ map.put("orgaForm", new MyOrganisationsForm(req));
+ }
getDefaultTemplate().output(out, getLanguage(req), map);
}
@Override
- public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- if(req.getParameter("processDetails") != null) {
+ public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ if (req.getParameter("orgaForm") != null) {
+ Form.getForm(req, MyOrganisationsForm.class).submit(resp.getWriter(), req);
+ } else if (req.getParameter("processDetails") != null) {
MyDetailsForm form = Form.getForm(req, MyDetailsForm.class);
form.submit(resp.getWriter(), req);
} else if (req.getParameter("processContact") != null) {
MyListingForm form = Form.getForm(req, MyListingForm.class);
form.submit(resp.getWriter(), req);
+ } else {
+ return false;
}
- super.doPost(req, resp);
+ resp.sendRedirect(PATH);
+ return true;
}
+
}
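Review bot: `beforeTemplate` ignores the boolean returned by each `submit` call (L207, L210, L213) and redirects unconditionally at L218, so when MyOrganisationsForm.submit fails it has already written an error to `resp.getWriter()` and the redirect then either discards that message or fails because the response is committed. Use the result and redirect only on success, e.g. `if ( !Form.getForm(req, MyOrganisationsForm.class).submit(resp.getWriter(), req)) { return true; }` for the organisation branch and the same for the other two. Whether `Form.getForm` validates a per-form CSRF token before dispatching is not visible in this hunk; the redirect-after-POST itself is a good change.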
<?=$detailsForm?>
<h2><?=_My Listing?></h2>
-<?=$contactMeForm?>
\ No newline at end of file
+<?=$contactMeForm?>
+<? if($orgaForm) { ?>
+<?=$orgaForm?>
+<? } ?>
--- /dev/null
+package org.cacert.gigi.pages.account;
+
+import java.io.PrintWriter;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.cacert.gigi.Gigi;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.IterableDataset;
+import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
+import org.cacert.gigi.util.AuthorizationContext;
+
+public class MyOrganisationsForm extends Form {
+
+ private AuthorizationContext target;
+
+ public MyOrganisationsForm(HttpServletRequest hsr) {
+ super(hsr);
+ target = LoginPage.getAuthorizationContext(hsr);
+ }
+
+ private static Template template;
+
+ static {
+ template = new Template(MyListingForm.class.getResource("MyOrganisationsForm.templ"));
+ }
+
+ @Override
+ public boolean submit(PrintWriter out, HttpServletRequest req) {
+ if (req.getParameter("org-leave") != null) {
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(target.getActor(), target.getActor()));
+ return true;
+ }
+ Enumeration<String> i = req.getParameterNames();
+ int orgId = -1;
+ while (i.hasMoreElements()) {
+ String s = i.nextElement();
+ if (s.startsWith("org:")) {
+ int id = Integer.parseInt(s.substring(4));
+ if (orgId == -1) {
+ orgId = id;
+ } else {
+ out.println(LoginPage.getLanguage(req).getTranslation("Error: invalid parameter."));
+ return false;
+ }
+ }
+ }
+ for (Organisation org : target.getActor().getOrganisations()) {
+ if (org.getId() == orgId) {
+
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(org, target.getActor()));
+ return true;
+ }
+ }
+ System.out.println("Switch fialed");
+ return false;
+ }
+
+ @Override
+ protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
+ final List<Organisation> o = target.getActor().getOrganisations();
+ if (target.getTarget() != target.getActor()) {
+ vars.put("personal", target.getTarget() != target.getActor());
+ }
+ vars.put("orgas", new IterableDataset() {
+
+ Iterator<Organisation> it = o.iterator();
+
+ @Override
+ public boolean next(Language l, Map<String, Object> vars) {
+ if ( !it.hasNext()) {
+ return false;
+ }
+ Organisation o = it.next();
+ vars.put("orgName", o.getName());
+ vars.put("orgID", o.getId());
+ return true;
+ }
+ });
+ template.output(out, l, vars);
+
+ }
+
+}
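Review bot: `submit` parses every parameter name that starts with `org:` with `Integer.parseInt` (L277), so a client can raise an uncaught NumberFormatException with `org:abc`, and a failed switch is reported only by `System.out.println("Switch fialed")` (L293, also a typo) while the user gets no message at all; both should become the same translated error already used for duplicate parameters. The membership check itself — iterating `getActor().getOrganisations()` before installing the new context at L289 — is the right place for the authorisation, but the session then holds the Organisation object for its whole lifetime, so removing an admin presumably does not take effect until re-login; if that is accepted, a comment on L289 should say so. Separately, the template variable set at L301 is named `personal` yet is true when an organisation is active; renaming it in both files would avoid confusion.
```java
public boolean submit(PrintWriter out, HttpServletRequest req) {
    // … unchanged: org-leave handling …
    Enumeration<String> i = req.getParameterNames();
    int orgId = -1;
    while (i.hasMoreElements()) {
        String s = i.nextElement();
        if ( !s.startsWith("org:")) {
            continue;
        }
        int id;
        try {
            id = Integer.parseInt(s.substring(4));
        } catch (NumberFormatException e) {
            // malformed org id from the client: same error as for duplicate parameters
            out.println(LoginPage.getLanguage(req).getTranslation("Error: invalid parameter."));
            return false;
        }
        if (orgId != -1) {
            out.println(LoginPage.getLanguage(req).getTranslation("Error: invalid parameter."));
            return false;
        }
        orgId = id;
    }
    // … unchanged: membership loop installing the new AuthorizationContext …
    out.println(LoginPage.getLanguage(req).getTranslation("Error: invalid parameter."));
    return false;
}
```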
--- /dev/null
+<input type='hidden' name='orgaForm' value='orga'/>
+<h2><?=_My Organisations?></h2>
+<table class="wrapper dataTable" width="400">
+<? foreach($orgas) { ?>
+<tr><td><?=$orgName?></td><td><?=$orgID?></td><td><input type='submit' value='<?=_switch to this organisation?>' name='org:<?=$orgID?>'/></td></tr>
+<? } ?>
+</table>
+<? if($personal) { ?>
+<input type='submit' value='<?=_switch back to personal use?>' name='org-leave'/>
+<? } ?>
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
import org.cacert.gigi.dbObjects.CertificateProfile;
import org.cacert.gigi.dbObjects.Organisation;
-import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.CertificateValiditySelector;
import org.cacert.gigi.output.HashAlgorithms;
import org.cacert.gigi.output.template.Form;
import org.cacert.gigi.output.template.IterableDataset;
import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.RandomToken;
/**
private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ"));
- private User u;
+ private AuthorizationContext c;
private String spkacChallenge;
public CertificateIssueForm(HttpServletRequest hsr) {
super(hsr);
- u = Page.getUser(hsr);
+ c = LoginPage.getAuthorizationContext(hsr);
spkacChallenge = RandomToken.generateToken(16);
}
try {
try {
if (csr != null) {
- cr = new CertificateRequest(u, csr);
+ cr = new CertificateRequest(c, csr);
cr.checkKeyStrength(out);
} else if (spkac != null) {
- cr = new CertificateRequest(u, spkac, spkacChallenge);
+ cr = new CertificateRequest(c, spkac, spkacChallenge);
cr.checkKeyStrength(out);
} else if (cr != null) {
login = "1".equals(req.getParameter("login"));
error.format(out, Page.getLanguage(req));
return false;
}
- result.issue(issueDate.getFrom(), issueDate.getTo()).waitFor(60000);
+ result.issue(issueDate.getFrom(), issueDate.getTo(), c.getActor()).waitFor(60000);
this.result = result;
return true;
} else {
}
vars2.put("CN", cr.getName());
- vars2.put("department", cr.getOu());
+ if (c.getTarget() instanceof Organisation) {
+ vars2.put("orga", "true");
+ vars2.put("department", cr.getOu());
+ }
vars2.put("validity", issueDate);
vars2.put("emails", content.toString());
vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
if (cp == null) {
return false;
}
- } while ( !cp.canBeIssuedBy(u));
+ } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
if (cp.getId() == cr.getProfile().getId()) {
vars.put("selected", " selected");
return true;
}
});
- final List<Organisation> orgs = u.getOrganisations();
- vars2.put("orga", orgs.size() == 0 ? null : new IterableDataset() {
-
- Iterator<Organisation> iter = orgs.iterator();
-
- @Override
- public boolean next(Language l, Map<String, Object> vars) {
- if ( !iter.hasNext()) {
- return false;
- }
- Organisation orga = iter.next();
- vars.put("key", orga.getId());
- vars.put("name", orga.getName());
- if (orga == cr.getOrg()) {
- vars.put("selected", " selected");
- } else {
- vars.put("selected", "");
- }
- return true;
- }
- });
t.output(out, l, vars2);
}
</select>
</td>
</tr>
- <? if($orga) { ?>
- <tr>
- <td>
- <label for='org'><?=_Organisation?></label>
- </td>
- <td><select name="org" id='org'>
- <option value="-1"><?=_(none)?></option>
- <? foreach($orga) { ?>
- <option value="<?=$key?>"<?=$!selected?>><?=$name?></option>
- <? } ?>
- </select></td>
- </tr>
- <? } ?>
<tr>
<td>
<label for='CN'><?=_Your name?></label>
import javax.servlet.http.HttpServletRequest;
import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.Job;
-import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.CertificateIterable;
import org.cacert.gigi.output.template.Form;
public class CertificateModificationForm extends Form {
- User target;
+ CertificateOwner target;
final boolean withRevoked;
public CertificateModificationForm(HttpServletRequest hsr, boolean withRevoked) {
super(hsr);
this.withRevoked = withRevoked;
- target = LoginPage.getUser(hsr);
+ target = LoginPage.getAuthorizationContext(hsr).getTarget();
}
private static final Template certTable = new Template(CertificateIterable.class.getResource("CertificateTable.templ"));
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.output.template.Scope;
import org.cacert.gigi.output.template.SprintfCommand;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.PEM;
import sun.security.pkcs.PKCS9Attribute;
private String ou = "";
- private Organisation org = null;
-
- private User u;
+ private AuthorizationContext ctx;
private String pDNS, pMail;
- public CertificateRequest(User issuer, String csr) throws IOException, GeneralSecurityException, GigiApiException {
- this(issuer, csr, (CertificateProfile) null);
+ public CertificateRequest(AuthorizationContext c, String csr) throws IOException, GeneralSecurityException, GigiApiException {
+ this(c, csr, (CertificateProfile) null);
}
- public CertificateRequest(User issuer, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
- u = issuer;
+ public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
+ this.ctx = ctx;
if (cp != null) {
profile = cp;
- } else if (u.getAssurancePoints() > 50) {
+ } else if (ctx.getActor().getAssurancePoints() > 50) {
profile = CertificateProfile.getByName("client-a");
}
byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
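Review bot: The default-profile selection at L491 uses `getAssurancePoints() > 50` while the EKU appendix in the following hunk (L499) and CertificateProfile's `points>=50` requirement use `>=`, so a user with exactly 50 points gets no `client-a` default here but is treated as assured everywhere else. This predates the patch but the line was rewritten; `} else if (ctx.getActor().getAssurancePoints() >= 50) {` would align it, if `>=` is the intended reading. For an Organisation target the `client-a` default is a personal profile that `canBeIssuedBy` will reject, so the form then depends on the later fallback — a short comment that the default is only meaningful in the personal context would help. The constructor continues outside the hunk.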
} else if (c instanceof ExtendedKeyUsageExtension) {
ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
String appendix = "";
- if (u.getAssurancePoints() >= 50) {
+ if (ctx.getActor().getAssurancePoints() >= 50) {
appendix = "-a";
}
for (String s : ekue.getExtendedKeyUsage()) {
this.csrType = CSRType.CSR;
}
- public CertificateRequest(User issuer, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException {
- u = issuer;
+ public CertificateRequest(AuthorizationContext ctx, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException {
+ this.ctx = ctx;
String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
SPKAC parsed = new SPKAC(data);
return name;
}
- public Organisation getOrg() {
- return org;
- }
-
public String getOu() {
- return ou;
+ if (ctx.getTarget() instanceof Organisation) {
+ return ou;
+ }
+ throw new IllegalStateException();
}
public Digest getSelectedDigest() {
selectedDigest = Digest.valueOf(hashAlg);
}
this.profile = CertificateProfile.getByName(profileStr);
- if (newOrgStr != null) {
- Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
- if (neworg == null || u.getOrganisations().contains(neworg)) {
- PropertyTemplate orga = profile.getTemplates().get("orga");
- if (orga != null) {
- org = neworg;
- } else {
- org = null;
- error.mergeInto(new GigiApiException("No organisations for this certificate profile."));
- }
- } else {
- error.mergeInto(new GigiApiException("Selected organisation is not part of your account."));
- }
+ if (ctx.getTarget() instanceof Organisation) {
+ this.ou = ou;
}
- this.ou = ou;
-
- if ( !this.profile.canBeIssuedBy(u)) {
+ if ( !this.profile.canBeIssuedBy(ctx.getTarget(), ctx.getActor())) {
this.profile = CertificateProfile.getById(1);
error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
throw error;
}
- CertificateOwner owner = org != null ? org : u;
-
- verifySANs(error, profile, parseSANBox(SANsStr), owner);
+ verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget());
if ( !error.isEmpty()) {
throw error;
PropertyTemplate emailTemp = profile.getTemplates().get("email");
PropertyTemplate nameTemp = profile.getTemplates().get("name");
PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
- verifySANs(error, profile, SANs, org != null ? org : u);
+ verifySANs(error, profile, SANs, ctx.getTarget());
// Ok, let's determine the CN
// the CN is
// primary domain. (domainTemp != null)
String verifiedCN = null;
- if (org == null) {
- verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
- } else {
+ if (ctx.getTarget() instanceof Organisation) {
if ( !name.equals("")) {
verifiedCN = name;
}
+ } else {
+ verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
}
if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
}
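Review bot: For an Organisation target the CN is taken verbatim from user input at L571–L574 (`verifiedCN = name` whenever it is non-empty) and `verifyName` is skipped entirely, so none of the profile's name templates (`nameTemp`, `wotUserTemp`) constrain it. That is presumably intended — the organisation admin names the certificate holder — but it also means any string can end up in the CN of a certificate carrying the organisation's O/C/ST fields; if that is accepted policy, say so: `// Organisation certificates: the admin chooses the CN freely; the profile's name templates are not applied.` If the templates are meant to apply to organisation certificates as well, the `verifyName` call should not be bypassed. The enclosing method starts outside the hunk.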
}
- if (org != null) {
+ if (ctx.getTarget() instanceof Organisation) {
+ Organisation org = (Organisation) ctx.getTarget();
subject.put("O", org.getName());
subject.put("C", org.getState());
subject.put("ST", org.getProvince());
throw error;
}
try {
- return new Certificate(u, subject, selectedDigest.toString(), //
+ return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest.toString(), //
this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
} catch (IOException e) {
e.printStackTrace();
} else {
error.mergeInto(new GigiApiException("Internal configuration error detected."));
}
- if (name != null && u.isValidName(name)) {
- if (realIsOK) {
- verifiedCN = name;
- } else {
- error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
+ if (ctx.getTarget() instanceof User) {
+ User u = (User) ctx.getTarget();
+ if (name != null && u.isValidName(name)) {
+ if (realIsOK) {
+ verifiedCN = name;
+ } else {
+ error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
+ if (defaultIsOK) {
+ name = DEFAULT_CN;
+ } else if (nullIsOK) {
+ name = "";
+ }
+ }
+ } else if (name != null && name.equals(DEFAULT_CN)) {
if (defaultIsOK) {
- name = DEFAULT_CN;
- } else if (nullIsOK) {
- name = "";
+ verifiedCN = name;
+ } else {
+ error.mergeInto(new GigiApiException("The default name is not allowed in this certificate."));
+ if (nullIsOK) {
+ name = "";
+ } else if (realIsOK) {
+ name = u.getName().toString();
+ }
}
- }
- } else if (name != null && name.equals(DEFAULT_CN)) {
- if (defaultIsOK) {
- verifiedCN = name;
- } else {
- error.mergeInto(new GigiApiException("The default name is not allowed in this certificate."));
+ } else if (name == null || name.equals("")) {
if (nullIsOK) {
- name = "";
- } else if (realIsOK) {
- name = u.getName().toString();
+ verifiedCN = "";
+ } else {
+ error.mergeInto(new GigiApiException("A name is required in this certificate."));
+ if (defaultIsOK) {
+ name = DEFAULT_CN;
+ } else if (realIsOK) {
+ name = u.getName().toString();
+ }
}
- }
- } else if (name == null || name.equals("")) {
- if (nullIsOK) {
- verifiedCN = "";
} else {
- error.mergeInto(new GigiApiException("A name is required in this certificate."));
- if (defaultIsOK) {
+ error.mergeInto(new GigiApiException("The name you entered was invalid."));
+
+ }
+ if (wotUserTemp != null) {
+ if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) {
+ error.mergeInto(new GigiApiException("Internal configuration error detected."));
+ }
+ if ( !name.equals(DEFAULT_CN)) {
name = DEFAULT_CN;
- } else if (realIsOK) {
- name = u.getName().toString();
+ error.mergeInto(new GigiApiException("You may not change the name for this certificate type."));
+ } else {
+ verifiedCN = DEFAULT_CN;
}
- }
- } else {
- error.mergeInto(new GigiApiException("The name you entered was invalid."));
- }
- if (wotUserTemp != null) {
- if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) {
- error.mergeInto(new GigiApiException("Internal configuration error detected."));
- }
- if ( !name.equals(DEFAULT_CN)) {
- name = DEFAULT_CN;
- error.mergeInto(new GigiApiException("You may not change the name for this certificate type."));
} else {
- verifiedCN = DEFAULT_CN;
- }
+ if (nameTemp != null) {
+ if (name.equals("")) {
+ if (nameTemp.isRequired()) {
+ // nothing, but required
+ name = DEFAULT_CN;
+ error.mergeInto(new GigiApiException("No name entered, but one was required."));
+ } else {
+ // nothing and not required
- } else {
- if (nameTemp != null) {
- if (name.equals("")) {
- if (nameTemp.isRequired()) {
- // nothing, but required
- name = DEFAULT_CN;
- error.mergeInto(new GigiApiException("No name entered, but one was required."));
+ }
+ } else if (u.isValidName(name)) {
+ verifiedCN = name;
} else {
- // nothing and not required
-
+ if (nameTemp.isRequired()) {
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
+ } else if (name.equals(DEFAULT_CN)) {
+ verifiedCN = DEFAULT_CN;
+ } else {
+ name = DEFAULT_CN;
+ error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+ }
}
- } else if (u.isValidName(name)) {
- verifiedCN = name;
} else {
- if (nameTemp.isRequired()) {
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
- } else if (name.equals(DEFAULT_CN)) {
- verifiedCN = DEFAULT_CN;
- } else {
- name = DEFAULT_CN;
- error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+ if ( !name.equals("")) {
+ name = "";
+ error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
}
}
+ }
+ } else {
+ if (realIsOK) {
+ verifiedCN = name;
} else {
- if ( !name.equals("")) {
- name = "";
- error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
- }
+ verifiedCN = "";
+ name = "";
+ error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
}
}
+
return verifiedCN;
}
}
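Review bot: Inside the `User` branch, `name` can still be null when it reaches `name.equals(DEFAULT_CN)` at L665 and `name.equals("")` at L688: the guards at L606 and L617 show null is considered possible, and the `name == null || name.equals("")` case at L637 leaves `name` untouched when `nullIsOK` is true (or when no fallback applies), after which the template checks dereference it. This predates the patch, but the whole method was restructured here, so normalising once at the top of the branch, `if (name == null) { name = ""; }`, and dropping the later `name != null` guards would remove the NPE. The `else` branch at L733–L744 is reachable only for a target that is neither User nor Organisation (Organisation targets never call verifyName, per L571–L576); a comment saying it exists for future owner types would spare the next reader the trace. The enclosing method starts outside the hunk.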
String serial = pi;
try {
Certificate c = Certificate.getBySerial(serial);
- if (c == null || getUser(req).getId() != c.getOwner().getId()) {
+ if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
resp.sendError(404);
return true;
}
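Review bot: The ownership test at L754 compares only numeric ids (`getTarget().getId() != c.getOwner().getId()`), which is correct only if User and Organisation ids are drawn from one sequence. `CertificateOwner.getById(rs.getInt("memid"))` at L95 suggests a single owner table, so this is probably fine, but if the two types ever had separate id spaces an organisation context could reach a user's certificate with the same id; comparing the owner object (`c.getOwner() != target`, if instances are canonical) or additionally `c.getOwner().getClass() != target.getClass()` closes that. The same pattern appears at L761 in the next hunk. The enclosing method starts outside the hunk.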
String serial = pi;
Certificate c = Certificate.getBySerial(serial);
- if (c == null || LoginPage.getUser(req).getId() != c.getOwner().getId()) {
+ if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
resp.sendError(404);
return;
}
import javax.servlet.http.HttpServletRequest;
import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.Domain;
-import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.template.Form;
import org.cacert.gigi.output.template.IterableDataset;
private static final Template t = new Template(DomainManagementForm.class.getResource("DomainManagementForm.templ"));
- private User target;
+ private CertificateOwner target;
- public DomainManagementForm(HttpServletRequest hsr, User target) {
+ public DomainManagementForm(HttpServletRequest hsr, CertificateOwner target) {
super(hsr);
this.target = target;
}
import javax.servlet.http.HttpServletResponse;
import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.Domain;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.Page;
public class DomainOverview extends Page {
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- User u = getUser(req);
+ CertificateOwner u = LoginPage.getAuthorizationContext(req).getTarget();
String pi = req.getPathInfo();
if (pi.length() - PATH.length() > 0) {
int i = Integer.parseInt(pi.substring(PATH.length()));
}
try {
DomainManagementForm domMan = new DomainManagementForm(req, u);
- DomainAddForm domAdd = new DomainAddForm(req, u);
HashMap<String, Object> vars = new HashMap<>();
vars.put("doms", u.getDomains());
vars.put("domainman", domMan);
- vars.put("domainadd", domAdd);
+ if (u instanceof User) {
+ DomainAddForm domAdd = new DomainAddForm(req, (User) u);
+ vars.put("domainadd", domAdd);
+ }
getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
} catch (GigiApiException e) {
e.format(resp.getWriter(), getLanguage(req));
<?=$domainman?>
<h2><?=_Add Domain?></h2>
+<? if($domainadd) { ?>
<p>
<?=_Please Note: You only need to enter the main part of your domain, eg. mydomain.com rather then www.mydomain.com. Once you have verified your domain you are able to enter any sub-domain, such as www.mydomain.com or www.this.is.mydomain.com as the system checks from right to left, rather then specific hostnames when you upload a CSR to the system.?>
</p>
<p>
<?=_Currently we only issue certificates for Punycode domains if the person requesting them has code signing attributes attached to their account, as these have potentially slightly higher security risk.?>
</p>
+<? } else { ?>
+Please contact your Organisation Assurer to add a domain.
+<? } ?>
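Review bot: The fallback text at L822, `Please contact your Organisation Assurer to add a domain.`, is the only user-visible string in this template outside a `<?=_ ... ?>` translation marker, so it will not be localised like the surrounding paragraphs; wrap it as `<?=_Please contact your Organisation Assurer to add a domain.?>`. Note also that the `Add Domain` heading at L813 stays outside the `if`, so organisation users see a heading with only the contact hint beneath it — moving the `<? if($domainadd) { ?>` above the heading may read better.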
}
super.doPost(req, resp);
}
-
}
if (byEmail != null && byEmail.canAssure()) {
o.addAdmin(byEmail, LoginPage.getUser(req), req.getParameter("master") != null);
return true;
+ } else {
+ out.println(Page.getLanguage(req).getTranslation("Requested user is not an assurer. We need an assurer here."));
}
}
out.println(Page.getLanguage(req).getTranslation("No action could have been carried out."));
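Review bot: After printing the not-an-assurer message at L833 the method falls through to L836 and also prints `No action could have been carried out.`, so the user sees two messages for one failure. Add `return false;` after the new println, assuming the method returns a boolean like the other Form.submit implementations in this patch. The enclosing method starts outside the hunk.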
--- /dev/null
+package org.cacert.gigi.util;
+
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Group;
+import org.cacert.gigi.dbObjects.User;
+
+public class AuthorizationContext {
+
+ CertificateOwner target;
+
+ User actor;
+
+ public AuthorizationContext(CertificateOwner target, User actor) {
+ this.target = target;
+ this.actor = actor;
+ }
+
+ public CertificateOwner getTarget() {
+ return target;
+ }
+
+ public User getActor() {
+ return actor;
+ }
+
+ public boolean hasRight(Group g) {
+ return actor.isInGroup(g);
+ }
+}
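Review bot: `AuthorizationContext` is the object every certificate and domain operation now trusts for who may act for whom, yet its constructor accepts any (target, actor) pair without a null check and both fields are mutable and package-private, so nothing prevents code in the same package from re-pointing `target` after the context is in the session. Make the fields `private final`, reject nulls with `Objects.requireNonNull` (adding `import java.util.Objects;`), and document the invariant the class cannot enforce: that the caller has verified `actor` is permitted to act for `target`, as MyOrganisationsForm does via `getOrganisations()`. `hasRight` consults only the actor's groups, which is fine as long as no organisation-level permission is ever expected from it — a one-line comment would make that explicit.
```java
public class AuthorizationContext {

    /** The owner on whose behalf actions are performed: the actor itself, or an Organisation. */
    private final CertificateOwner target;

    /** The logged-in user performing the action; never null. */
    private final User actor;

    /**
     * Callers must have verified that {@code actor} may act for {@code target}
     * before constructing a context; this class does not check that relation.
     */
    public AuthorizationContext(CertificateOwner target, User actor) {
        this.target = Objects.requireNonNull(target, "target");
        this.actor = Objects.requireNonNull(actor, "actor");
    }

    // … unchanged: getTarget, getActor, hasRight (actor's groups only) …
}
```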
public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
KeyPair kp = generateKeypair();
String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
final X509Certificate ce = c.cert();
assertNotNull(login(pk, ce));
}
public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
KeyPair kp = generateKeypair();
String key = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1),//
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1),//
new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
testFails(CertificateStatus.DRAFT, c);
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
X509Certificate cert = c.cert();
Collection<List<?>> sans = cert.getSubjectAlternativeNames();
assertEquals(2, sans.size());
public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
KeyPair kp = generateKeypair();
String key = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
testFails(CertificateStatus.DRAFT, c);
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
testFails(CertificateStatus.ISSUED, c);
X509Certificate cert = c.cert();
}
if (status != CertificateStatus.DRAFT) {
try {
- c.issue(null, "2y");
+ c.issue(null, "2y", u);
fail(status + " is in invalid state");
} catch (IllegalStateException ise) {
User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
KeyPair kp = generateKeypair();
String key = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
String cookie = login(mail, TEST_PASSWORD);
KeyPair kp = generateKeypair();
String csr = generatePEMCSR(kp, "CN=hans");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ User u = User.getById(user);
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
final X509Certificate ce = c.cert();
String scookie = login(pk, ce);
int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
KeyPair kp = generateKeypair();
String csr = generatePEMCSR(kp, "CN=hans");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
- Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ User u = User.getById(user);
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c2 = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
- Job j1 = c.issue(null, "2y");
- c2.issue(null, "2y").waitFor(60000);
+ Job j1 = c.issue(null, "2y", u);
+ c2.issue(null, "2y", u).waitFor(60000);
j1.waitFor(60000);
final X509Certificate ce = c.cert();
String scookie = login(pk, ce);
public void testIssueCert() throws Exception {
KeyPair kp = generateKeypair();
String key1 = generatePEMCSR(kp, "EMAIL=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c = new Certificate(u, u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
final PrivateKey pk = kp.getPrivate();
- c.issue(null, "2y").waitFor(60000);
+ c.issue(null, "2y", u).waitFor(60000);
final X509Certificate ce = c.cert();
HttpURLConnection connection = (HttpURLConnection) new URL("https://" + getServerName().replaceFirst("^www.", "api.") + "/account/certs/new").openConnection();
authenticateClientCert(pk, ce, connection);
import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.pages.account.certs.CertificateRequest;
import org.cacert.gigi.testUtils.ClientTest;
+import org.cacert.gigi.util.AuthorizationContext;
import org.junit.Test;
public class TestCertificateRequest extends ClientTest {
KeyPair kp = generateKeypair();
+ AuthorizationContext ac;
+
public TestCertificateRequest() throws GeneralSecurityException, IOException {
+ ac = new AuthorizationContext(u, u);
makeAssurer(u.getId());
grant(email, Group.CODESIGNING);
@Test
public void testIssuingOtherName() throws Exception {
try {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=hansi")).draft();
+ new CertificateRequest(ac, generatePEMCSR(kp, "CN=hansi")).draft();
fail();
} catch (GigiApiException e) {
assertThat(e.getMessage(), containsString("name you entered was invalid"));
@Test
public void testIssuingDefault() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
+ new CertificateRequest(ac, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
}
@Test
public void testIssuingRealName() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
+ new CertificateRequest(ac, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
}
@Test
public void testIssuingModifiedName() throws Exception {
try {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab")).draft();
+ new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab")).draft();
fail();
} catch (GigiApiException e) {
assertThat(e.getMessage(), containsString("name you entered was invalid"));
@Test
public void testCodesignModifiedName() throws Exception {
try {
- CertificateRequest cr = new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab"));
+ CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
} catch (GigiApiException e) {
assertThat(e.getMessage(), containsString("does not match the details"));
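Review bot: Every `CertificateRequest` in this test class is built from the single context `ac = new AuthorizationContext(u, u)`, so the new target/actor split is only ever exercised with actor == target; nothing here checks that a request built with a different actor (or an organisation target) is constrained by the context. Adding one case along the lines of `new CertificateRequest(new AuthorizationContext(other, u), csr).draft()` asserting the expected outcome would pin the behaviour the new type is introduced for. The expected outcome in that case is not visible in this diff, so the assertion must follow whatever `CertificateRequest` now enforces.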
private void createCertificate(String test, CertificateProfile profile) throws GeneralSecurityException, IOException, SQLException, InterruptedException, GigiApiException {
kp = generateKeypair();
String csr = generatePEMCSR(kp, "CN=" + test);
- c = new Certificate(User.getById(id), Certificate.buildDN("CN", test), "sha256", csr, CSRType.CSR, profile);
- c.issue(null, "2y").waitFor(60000);
+ User u = User.getById(id);
+ c = new Certificate(u, u, Certificate.buildDN("CN", test), "sha256", csr, CSRType.CSR, profile);
+ c.issue(null, "2y", u).waitFor(60000);
}
private boolean acceptSSLServer(SSLServerSocket sss) throws IOException {
import org.cacert.gigi.localisation.Language;
import org.cacert.gigi.output.template.Template;
import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.ServerConstants;
import org.kamranzafar.jtar.TarEntry;
import org.kamranzafar.jtar.TarHeader;
}
sess.setAttribute(LOGGEDIN, true);
sess.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
- sess.setAttribute(USER, user);
+ sess.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
req.getSession().setAttribute(LOGIN_METHOD, "Ticket");
resp.getWriter().println("ticket consumed");
ticketUsed = true;
import org.cacert.gigi.output.template.IterableDataset;
import org.cacert.gigi.output.template.Template;
import org.cacert.gigi.pages.account.certs.CertificateRequest;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.Notary;
import sun.security.x509.X509Key;
byte[] res = s.getEncoded(sign);
- CertificateRequest cr = new CertificateRequest(u, Base64.getEncoder().encodeToString(res), "challange");
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), Base64.getEncoder().encodeToString(res), "challange");
cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, "", "email:" + u.getEmail(), resp.getWriter(), req);
Certificate draft = cr.draft();
- draft.issue(null, "2y").waitFor(10000);
+ draft.issue(null, "2y", u).waitFor(10000);
if (draft.getStatus() == CertificateStatus.ISSUED) {
resp.getWriter().println("added certificate");
} else {
2, 5, 4, 11
};
break;
+ case "ST":
+ oid = new int[] {
+ 2, 5, 4, 8
+ };
+ break;
+ case "L":
+ oid = new int[] {
+ 2, 5, 4, 7
+ };
+ break;
+ case "C":
+ oid = new int[] {
+ 2, 5, 4, 6
+ };
+ break;
default:
throw new Error("unknown RDN-type: " + key);
}
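Review bot: The three OIDs are correct (2.5.4.8 stateOrProvinceName, 2.5.4.7 localityName, 2.5.4.6 countryName), but countryName is constrained by X.520/RFC 5280 to a PrintableString of exactly two characters, whereas ST and L are ordinary DirectoryStrings; the value encoding happens outside this hunk, and if it treats every RDN value the same way (presumably a UTF8String of whatever the caller supplied) a `C` value such as `Germany` or a lower-case code will be accepted and produce a malformed subject. A length-2 check for `"C"` before the switch, with the same `Error`/exception style as the `default` branch, would close that, and a short comment on the `case "C":` arm noting the constraint would help the next maintainer. Whether these components come from user input is not visible here; if they do, the check matters for the issued certificate's conformance as well.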