From: Felix Dörre
Date: Tue, 19 Apr 2016 09:45:16 +0000 (+0200)
Subject: upd: allow signing of OCSP-Certs for internal use
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=3cd0af0244aa6ca22fdc2884e656b22095460858
upd: allow signing of OCSP-Certs for internal use
- factor out checking for "own" organisation
- adding OCSP EKU to Simple Signer
- adding check for certificate "ocsp"-requirement
- allow Profile-Ids to be non-consecutive
---
diff --git a/src/org/cacert/gigi/api/CATSImport.java b/src/org/cacert/gigi/api/CATSImport.java
index 507a4a00..b30658d6 100644
--- a/src/org/cacert/gigi/api/CATSImport.java
+++ b/src/org/cacert/gigi/api/CATSImport.java
@@ -21,7 +21,7 @@ public class CATSImport extends APIPoint {
                 resp.sendError(500, "Error, invalid cert");
                 return;
             }
-            if ( !"CAcert".equals(((Organisation) u).getName())) {
+            if ( !((Organisation) u).isSelfOrganisation()) {
                 resp.sendError(500, "Error, invalid cert");
                 return;
diff --git a/src/org/cacert/gigi/dbObjects/CertificateProfile.java b/src/org/cacert/gigi/dbObjects/CertificateProfile.java
index c31f6cbf..57044979 100644
--- a/src/org/cacert/gigi/dbObjects/CertificateProfile.java
+++ b/src/org/cacert/gigi/dbObjects/CertificateProfile.java
@@ -263,6 +263,14 @@ public class CertificateProfile implements IdCachable {
             if ( !actor.isInGroup(Group.CODESIGNING)) {
                 return false;
             }
+        } else if (s.equals("ocsp")) {
+            if ( !(owner instanceof Organisation)) {
+                return false;
+            }
+            Organisation o = (Organisation) owner;
+            if ( !o.isSelfOrganisation()) {
+                return false;
+            }
         } else {
             return false;
         }
diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java
index fa6ff1be..66de62d9 100644
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
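Review bot: The new `"ocsp"` branch in CertificateProfile gates only on the owner, whereas the sibling `codesigning` branch directly above it additionally requires the actor to hold a group; if issuance on behalf of the self organisation is delegated to its organisation admins (not visible here), any of them can now request an OCSP-signing certificate, which is a CA-infrastructure credential rather than an ordinary end-entity one. If that is intended, state it on the branch, e.g. `// OCSP responder certs are only issued to the CA's own organisation; no further actor restriction`, otherwise add an actor check parallel to the CODESIGNING one. The two guards can also collapse into `if ( !(owner instanceof Organisation) || !((Organisation) owner).isSelfOrganisation()) { return false; }`. The enclosing method starts and ends outside the hunk.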
@@ -217,4 +217,8 @@ public class Organisation extends CertificateOwner {
     public boolean isValidEmail(String email) {
         return isValidDomain(email.split("@", 2)[1]);
     }
+
+    public boolean isSelfOrganisation() {
+        return "CAcert".equals(getName());
+    }
 }
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
index 5712190b..7774fd81 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
@@ -152,16 +152,19 @@ public class CertificateIssueForm extends Form {
         vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
         vars2.put("profiles", new IterableDataset() {
-            int i = 1;
+            CertificateProfile[] cps = CertificateProfile.getAll();
+
+            int i = 0;
             @Override
             public boolean next(Language l, Map vars) {
                 CertificateProfile cp;
                 do {
-                    cp = CertificateProfile.getById(i++);
-                    if (cp == null) {
+                    if (i >= cps.length) {
                         return false;
                     }
+                    cp = cps[i];
+                    i++;
                 } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
                 if (cp.getId() == cr.getProfile().getId()) {
diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java
index 970c719f..d23b78bc 100644
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -494,6 +494,9 @@ public class SimpleSigner {
             case "emailProtection":
                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
                 break;
+            case "OCSPSigning":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
+                break;
             default:
                 throw new Error(name);
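Review bot: `isSelfOrganisation()` decides by display name, `"CAcert".equals(getName())`, and this commit starts using it as an authorization predicate (the OCSP-profile check in CertificateProfile and the CATSImport certificate check), so whoever can create or rename an organisation to exactly that name would inherit those privileges; whether the name is editable by ordinary users is not visible here and should be confirmed. Prefer pinning the self organisation by its id or a configured value rather than its name, or at least document the invariant with a Javadoc such as `/** Whether this is the CA operator's own organisation. Used as an authorization check, so the name must not be settable by ordinary users. */`. The literal `"CAcert"` also deserves a named constant instead of an inline string.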
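Review bot: The order of the profile options in CertificateIssueForm now follows whatever `CertificateProfile.getAll()` returns instead of ascending id; if `getAll()` does not sort by id the form's option order changes, which is not visible here and worth confirming or noting on the `cps` field. A null element in `cps` would now throw at `cp.canBeIssuedBy(...)` where the old loop stopped at the first null, so if `getAll()` guarantees non-null entries a short comment saying so would make that explicit. Stylistically, `cp = cps[i]; i++;` reads more naturally as `cp = cps[i++];`, matching the shape of the removed line. The `next` method and the anonymous class end outside the hunk.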