From: Felix Dörre Date: Fri, 15 May 2015 01:08:37 +0000 (+0200) Subject: add: cert-rules closer to reality X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=6f951295dfd62c5fa1ddb0977febeb58728bec50 add: cert-rules closer to reality
---
diff --git a/src/org/cacert/gigi/dbObjects/CertificateOwner.java b/src/org/cacert/gigi/dbObjects/CertificateOwner.java
index e9fb53fa..26a70b67 100644
--- a/src/org/cacert/gigi/dbObjects/CertificateOwner.java
+++ b/src/org/cacert/gigi/dbObjects/CertificateOwner.java
@@ -57,21 +57,6 @@ public abstract class CertificateOwner implements IdCachable {
 return id;
 }
- public EmailAddress[] getEmails() {
- GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM emails WHERE memid=? AND deleted is NULL");
- ps.setInt(1, getId());
- try (GigiResultSet rs = ps.executeQuery()) {
- LinkedList data = new LinkedList();
- while (rs.next()) {
- data.add(EmailAddress.getById(rs.getInt(1)));
- }
- return data.toArray(new EmailAddress[0]);
- }
- }
-
 public Domain[] getDomains() {
 GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM domains WHERE memid=? AND deleted IS NULL");
 ps.setInt(1, getId());
@@ -118,15 +103,7 @@ public abstract class CertificateOwner implements IdCachable {
 return false;
 }
- public boolean isValidEmail(String email) {
- for (EmailAddress em : getEmails()) {
- if (em.getAddress().equals(email)) {
- return true;
- }
- }
- return false;
- }
+ public abstract boolean isValidEmail(String email);
 public void delete() {
 GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("UPDATE certOwners SET deleted=NOW() WHERE id=?");
diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java
index 60957e51..9beb0f57 100644
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
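Review bot: The new `public abstract boolean isValidEmail(String email);` carries no Javadoc, yet the two implementations this commit introduces answer different questions: User matches `email` exactly against its registered addresses, while Organisation accepts any local part at a domain it owns. Because verifySANs in CertificateRequest uses the answer to decide which EMAIL SANs survive, the contract belongs on the abstract method, e.g. `/** Returns whether this owner may have {@code email} placed in a certificate it requests; implementations must only accept addresses the owner controls. */`. The getEmails removal in the preceding hunk is the move to User and needs nothing further.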
@@ -202,4 +202,9 @@ public class Organisation extends CertificateOwner {
 }
 return false;
 }
+
+ @Override
+ public boolean isValidEmail(String email) {
+ return isValidDomain(email.split("@", 2)[1]);
+ }
 }
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index 1d752667..42457db5 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -441,4 +441,30 @@ public class User extends CertificateOwner {
 }
 }
+ public EmailAddress[] getEmails() {
+ GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT id FROM emails WHERE memid=? AND deleted is NULL");
+ ps.setInt(1, getId());
+
+ try (GigiResultSet rs = ps.executeQuery()) {
+ LinkedList data = new LinkedList();
+
+ while (rs.next()) {
+ data.add(EmailAddress.getById(rs.getInt(1)));
+ }
+
+ return data.toArray(new EmailAddress[0]);
+ }
+ }
+
+ @Override
+ public boolean isValidEmail(String email) {
+ for (EmailAddress em : getEmails()) {
+ if (em.getAddress().equals(email)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
 }
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index 187c7cb8..0bf0bd2f 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -23,6 +23,7 @@ import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CSRType;
 import org.cacert.gigi.dbObjects.Certificate.SANType;
 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.CertificateProfile.PropertyTemplate;
 import org.cacert.gigi.dbObjects.Digest;
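Review bot: `email.split("@", 2)[1]` throws ArrayIndexOutOfBoundsException when `email` contains no `@`, so an EMAIL SAN without one aborts the request with an unhandled exception instead of being rejected; whether parseSANBox in CertificateRequest already guarantees an `@` is not visible here. Replace it with an explicit check: `int at = email.indexOf('@');` / `if (at < 1 || at == email.length() - 1) { return false; }` / `return isValidDomain(email.substring(at + 1));`. That also rejects an empty local part (a constructed example: `@example.org`), which the split form would accept as long as the domain is one of the organisation's.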
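Review bot: `getEmails` and `isValidEmail` arrive in User without Javadoc, so nothing states that only rows with `deleted is NULL` are returned or that the comparison is exact and case-sensitive. Suggest `/** E-mail addresses of this user that are not marked deleted. */` on getEmails and `/** True iff {@code email} exactly equals one of {@link #getEmails()}; no normalisation is applied. */` on isValidEmail. The search loop can also be one expression, `return Arrays.stream(getEmails()).anyMatch(em -> em.getAddress().equals(email));`, provided java.util.Arrays is imported in this file (its import block is not in the hunk).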
@@ -296,14 +297,29 @@ public class CertificateRequest {
 if (newOrgStr != null) {
 Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
 if (neworg == null || u.getOrganisations().contains(neworg)) {
- org = neworg;
+ PropertyTemplate orga = profile.getTemplates().get("orga");
+ if (orga != null) {
+ org = neworg;
+ } else {
+ org = null;
+ error.mergeInto(new GigiApiException("No organisations for this certificate profile."));
+ }
 } else {
- error.mergeInto(new GigiApiException("Selected Organisation is not part of your account."));
+ error.mergeInto(new GigiApiException("Selected organisation is not part of your account."));
 }
 }
+ this.ou = ou;
- verifySANs(error, profile, parseSANBox(SANsStr));
+ if ( !this.profile.canBeIssuedBy(u)) {
+ this.profile = CertificateProfile.getById(1);
+ error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
+ throw error;
+ }
+
+ CertificateOwner owner = org != null ? org : u;
+
+ verifySANs(error, profile, parseSANBox(SANsStr), owner);
 if ( !error.isEmpty()) {
 throw error;
@@ -311,7 +327,7 @@ public class CertificateRequest {
 return true;
 }
- private void verifySANs(GigiApiException error, CertificateProfile p, Set sANs2) {
+ private void verifySANs(GigiApiException error, CertificateProfile p, Set sANs2, CertificateOwner owner) {
 Set filteredSANs = new LinkedHashSet<>();
 PropertyTemplate domainTemp = p.getTemplates().get("domain");
 PropertyTemplate emailTemp = p.getTemplates().get("email");
@@ -319,7 +335,7 @@ public class CertificateRequest {
 pMail = null;
 for (SubjectAlternateName san : sANs2) {
 if (san.getType() == SANType.DNS) {
- if (domainTemp != null && u.isValidDomain(san.getName())) {
+ if (domainTemp != null && owner.isValidDomain(san.getName())) {
 if (pDNS != null && !domainTemp.isMultiple()) {
 // remove
 } else {
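Review bot: The `canBeIssuedBy(u)` block now runs after `org` and `this.ou` have already been overwritten from the request, so when it throws the object is left holding the new organisation and OU together with a profile reset to `CertificateProfile.getById(1)`; the method's beginning is outside the hunk, but moving that block ahead of the first field assignment would stop a rejected update from partially applying. Separately, `if (neworg == null || u.getOrganisations().contains(neworg))` treats an unknown organisation id the same as a valid one and quietly ends with `org = null` and no message; if that is the intended way to deselect an organisation, a comment on the condition should say so, otherwise it should read `neworg != null && u.getOrganisations().contains(neworg)` with an error for the null case. Whether `canBeIssuedBy` should be asked about `owner` rather than `u` once an organisation is selected cannot be decided from this hunk and is worth confirming.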
@@ -331,7 +347,7 @@ public class CertificateRequest {
 }
 }
 } else if (san.getType() == SANType.EMAIL) {
- if (emailTemp != null && u.isValidEmail(san.getName())) {
+ if (emailTemp != null && owner.isValidEmail(san.getName())) {
 if (pMail != null && !emailTemp.isMultiple()) {
 // remove
 } else {
@@ -355,13 +371,6 @@ public synchronized Certificate draft() throws GigiApiException {
 GigiApiException error = new GigiApiException();
- if ( !this.profile.canBeIssuedBy(u)) {
- this.profile = CertificateProfile.getById(1);
- error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
- throw error;
- }
-
- verifySANs(error, profile, SANs);
 HashMap subject = new HashMap<>();
 PropertyTemplate domainTemp = profile.getTemplates().get("domain");
@@ -378,8 +387,13 @@ public class CertificateRequest {
 // primary domain. (domainTemp != null)
 String verifiedCN = null;
-
- verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
+ if (org == null) {
+ verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
+ } else {
+ if ( !name.equals("")) {
+ verifiedCN = name;
+ }
+ }
 if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
 error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
 } else if (domainTemp != null && verifiedCN == null) {
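Review bot: In the new `else` branch of the @@ -378 hunk the CN of an organisation certificate is taken verbatim from `name` whenever it is non-empty, with none of the checks `verifyName` applies on the personal path, so whoever can submit a request for the organisation controls the CN text; draft() continues outside the hunk and no later validation of `verifiedCN` is visible here. If the organisation CN is meant to be one of its domains, mirror the SAN rule: `} else if (!name.equals("") && org.isValidDomain(name)) {` / `verifiedCN = name;` / `}` and report an error otherwise; if other forms are allowed, the rule should at least be stated in a comment on the branch. Note that when `domainTemp == null` the two checks that follow the branch do not apply, so the organisation CN then reaches the subject with no check at all.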
@@ -404,25 +418,13 @@ public class CertificateRequest {
 }
 }
- PropertyTemplate orga = profile.getTemplates().get("orga");
- if (orga != null) {
- if (orga.isMultiple() || !orga.isRequired()) {
- error.mergeInto(new GigiApiException("This is an internal error."));
- } else if (org == null) {
- error.mergeInto(new GigiApiException("You need to select an organisation for this profile type."));
- } else {
- subject.put("O", org.getName());
- subject.put("C", org.getState());
- subject.put("ST", org.getProvince());
- subject.put("L", org.getCity());
- if (ou != null) {
- subject.put("OU", ou);
- }
- }
- } else {
- if (org != null) {
- org = null;
- error.mergeInto(new GigiApiException("You may only include organisations in orga-certs."));
+ if (org != null) {
+ subject.put("O", org.getName());
+ subject.put("C", org.getState());
+ subject.put("ST", org.getProvince());
+ subject.put("L", org.getCity());
+ if (ou != null) {
+ subject.put("OU", ou);
 }
 }
 System.out.println(subject);
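Review bot: The removed `orga.isRequired()` check has no replacement: a profile whose "orga" template is required can now be drafted with `org == null`, yielding a subject without O/C/ST/L and no error, because the update path only rejects the opposite case (an organisation selected for a profile with no orga template). Restore it in front of the new `if (org != null)` block: `PropertyTemplate orga = profile.getTemplates().get("orga");` / `if (orga != null && orga.isRequired() && org == null) {` / `error.mergeInto(new GigiApiException("You need to select an organisation for this profile type."));` closed with `}`. The `System.out.println(subject);` context line at the end of the hunk still writes every drafted subject to stdout and reads as leftover debugging; draft() continues past the hunk.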