UPD: also pin the certificate's issuer DN
authorFelix Dörre <felix@dogcraft.de>
Tue, 18 Nov 2014 17:29:06 +0000 (18:29 +0100)
committerJanis Streib <janis@dogcraft.de>
Wed, 31 Dec 2014 01:36:10 +0000 (02:36 +0100)
src/org/cacert/gigi/Gigi.java
src/org/cacert/gigi/pages/LoginPage.java

index cf75bf58335fbcc8c3b502f213d133442ae6d49b..82012a5096418602d83e75860719ef155f311ddc 100644 (file)
@@ -62,6 +62,8 @@ public class Gigi extends HttpServlet {
 
     public static final String CERT_SERIAL = "org.cacert.gigi.serial";
 
+    public static final String CERT_ISSUER = "org.cacert.gigi.issuer";
+
     public static final String USER = "user";
 
     private static final long serialVersionUID = -6386785421902852904L;
@@ -233,7 +235,9 @@ public class Gigi extends HttpServlet {
         String clientSerial = (String) hs.getAttribute(CERT_SERIAL);
         if (clientSerial != null) {
             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-            if (cert == null || cert[0] == null || !cert[0].getSerialNumber().toString(16).toUpperCase().equals(clientSerial)) {
+            if (cert == null || cert[0] == null//
+                    || !cert[0].getSerialNumber().toString(16).toUpperCase().equals(clientSerial) //
+                    || !cert[0].getIssuerDN().equals(hs.getAttribute(CERT_ISSUER))) {
                 hs.invalidate();
                 resp.sendError(403, "Certificate mismatch.");
                 return;
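Review bot: The new issuer comparison relies on `getIssuerDN()`, whose returned `Principal` is provider-specific and whose `equals` is not defined in terms of the RFC 2253 canonical form; the JDK Javadoc marks that accessor as denigrated in favour of `getIssuerX500Principal()`. Comparing against whatever object LoginPage stored also ties the check to that implementation class surviving in the session (and being Serializable if sessions are passivated or replicated). I would compare canonical strings instead: `|| !cert[0].getIssuerX500Principal().getName(X500Principal.CANONICAL).equals(hs.getAttribute(CERT_ISSUER))` (needs `import javax.security.auth.x500.X500Principal;`), with LoginPage storing the same form; a missing attribute still fails closed through `equals`. If the intent is to bind the session to exactly one certificate, a SHA-256 fingerprint of `cert[0].getEncoded()` would cover issuer, serial and every other field in a single value. The enclosing `if (clientSerial != null)` and the surrounding method continue past the hunk.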
index 7f34f071bb72581aae38ab9299abecf621f28d0c..d8d0d4d37932c82edbf38397877fdb1206c0dad9 100644 (file)
@@ -116,6 +116,7 @@ public class LoginPage extends Page {
         if (rs.next()) {
             loginSession(req, User.getById(rs.getInt(1)));
             req.getSession().setAttribute(CERT_SERIAL, serial);
+            req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
         }
         rs.close();
     }
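Review bot: The value stored on the new line is the `Principal` object returned by `getIssuerDN()`, a denigrated accessor whose concrete class depends on the security provider, so the session now carries a provider-specific object that must also be Serializable if sessions are persisted or replicated. A canonical string is a safer session value and compares the same everywhere: `req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerX500Principal().getName(X500Principal.CANONICAL));` (needs `import javax.security.auth.x500.X500Principal;`). The check in Gigi.java that reads CERT_ISSUER must then compare against the same canonical string, since a `Principal` compared to a `String` never matches and would lock every certificate login out with a 403. The enclosing method begins before the hunk.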