From: Felix Dörre Date: Sat, 9 Aug 2014 18:21:57 +0000 (+0200) Subject: Merge branch 'master' into csrParse X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=aa1827120e7034a2247b015e91dbd29ed3cf4db5;hp=077243040a71dd5c81d761153c9776c0c82c5418 Merge branch 'master' into csrParse --- diff --git a/src/org/cacert/gigi/Certificate.java b/src/org/cacert/gigi/Certificate.java index f06247cf..433e60e4 100644 --- a/src/org/cacert/gigi/Certificate.java +++ b/src/org/cacert/gigi/Certificate.java @@ -38,7 +38,7 @@ public class Certificate { } } - public static class SubjectAlternateName { + public static class SubjectAlternateName implements Comparable { private SANType type; @@ -57,6 +57,49 @@ public class Certificate { return type; } + @Override + public int compareTo(SubjectAlternateName o) { + int i = type.compareTo(o.type); + if (i != 0) { + return i; + } + return name.compareTo(o.name); + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((name == null) ? 0 : name.hashCode()); + result = prime * result + ((type == null) ? 0 : type.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) { + return true; + } + if (obj == null) { + return false; + } + if (getClass() != obj.getClass()) { + return false; + } + SubjectAlternateName other = (SubjectAlternateName) obj; + if (name == null) { + if (other.name != null) { + return false; + } + } else if ( !name.equals(other.name)) { + return false; + } + if (type != other.type) { + return false; + } + return true; + } + } public enum CSRType { diff --git a/src/org/cacert/gigi/output/CertificateIterable.java b/src/org/cacert/gigi/output/CertificateIterable.java index 11c4a507..62e7f705 100644 --- a/src/org/cacert/gigi/output/CertificateIterable.java +++ b/src/org/cacert/gigi/output/CertificateIterable.java @@ -32,6 +32,7 @@ public class CertificateIterable implements IterableDataset { vars.put("CN", c.getDistinguishedName()); vars.put("serial", c.getSerial()); vars.put("digest", c.getMessageDigest()); + vars.put("profile", c.getProfile().getVisibleName()); vars.put("issued", "TODO"); // TODO output dates vars.put("revoked", "TODO"); diff --git a/src/org/cacert/gigi/output/CertificateTable.templ b/src/org/cacert/gigi/output/CertificateTable.templ index f2870bba..29c53eb0 100644 --- a/src/org/cacert/gigi/output/CertificateTable.templ +++ b/src/org/cacert/gigi/output/CertificateTable.templ @@ -6,6 +6,7 @@ + @@ -19,6 +20,7 @@ + diff --git a/src/org/cacert/gigi/output/template/OutputVariableCommand.java b/src/org/cacert/gigi/output/template/OutputVariableCommand.java index 382d0597..1a304d89 100644 --- a/src/org/cacert/gigi/output/template/OutputVariableCommand.java +++ b/src/org/cacert/gigi/output/template/OutputVariableCommand.java @@ -10,20 +10,20 @@ public final class OutputVariableCommand implements Outputable { private final String raw; - private final boolean escaped; + private final boolean unescaped; public OutputVariableCommand(String raw) { if (raw.charAt(0) == '!') { - escaped = true; + unescaped = true; this.raw = raw.substring(1); } else { - escaped = true; + unescaped = false; this.raw = raw; } } @Override public void output(PrintWriter out, Language l, Map vars) { - Template.outputVar(out, l, vars, raw, escaped); + Template.outputVar(out, l, vars, raw, unescaped); } } diff --git a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java index 847aac88..6b5dee9a 100644 --- a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java +++ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java @@ -10,15 +10,19 @@ import java.security.interfaces.RSAPublicKey; import java.sql.SQLException; import java.util.Base64; import java.util.HashMap; +import java.util.LinkedHashSet; import java.util.Map; +import java.util.Set; +import java.util.TreeSet; import javax.servlet.http.HttpServletRequest; import org.cacert.gigi.Certificate; import org.cacert.gigi.Certificate.CSRType; +import org.cacert.gigi.Certificate.SANType; +import org.cacert.gigi.Certificate.SubjectAlternateName; import org.cacert.gigi.CertificateProfile; import org.cacert.gigi.Digest; -import org.cacert.gigi.EmailAddress; import org.cacert.gigi.GigiApiException; import org.cacert.gigi.User; import org.cacert.gigi.crypto.SPKAC; @@ -32,10 +36,25 @@ import org.cacert.gigi.pages.Page; import org.cacert.gigi.util.PEM; import org.cacert.gigi.util.RandomToken; +import sun.security.pkcs.PKCS9Attribute; import sun.security.pkcs10.PKCS10; +import sun.security.pkcs10.PKCS10Attribute; +import sun.security.pkcs10.PKCS10Attributes; import sun.security.util.DerInputStream; import sun.security.util.DerValue; +import sun.security.x509.AVA; import sun.security.x509.AlgorithmId; +import sun.security.x509.CertificateExtensions; +import sun.security.x509.DNSName; +import sun.security.x509.ExtendedKeyUsageExtension; +import sun.security.x509.Extension; +import sun.security.x509.GeneralName; +import sun.security.x509.GeneralNameInterface; +import sun.security.x509.GeneralNames; +import sun.security.x509.RDN; +import sun.security.x509.RFC822Name; +import sun.security.x509.SubjectAlternativeNameExtension; +import sun.security.x509.X500Name; /** * This class represents a form that is used for issuing certificates. This @@ -43,19 +62,25 @@ import sun.security.x509.AlgorithmId; */ public class CertificateIssueForm extends Form { - User u; + private final static Template t = new Template(CertificateIssueForm.class.getResource("CertificateIssueForm.templ")); - Digest selectedDigest = Digest.getDefault(); + private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ")); - boolean login; + User u; + + private CSRType csrType; String csr; - private final static Template t = new Template(CertificateIssueForm.class.getResource("CertificateIssueForm.templ")); + String spkacChallenge; - private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ")); + String CN = ""; - String spkacChallenge; + Set SANs = new LinkedHashSet<>(); + + Digest selectedDigest = Digest.getDefault(); + + boolean login; public CertificateIssueForm(HttpServletRequest hsr) { super(hsr); @@ -65,8 +90,6 @@ public class CertificateIssueForm extends Form { Certificate result; - private CSRType csrType; - public Certificate getResult() { return result; } @@ -80,9 +103,65 @@ public class CertificateIssueForm extends Form { if (csr != null) { byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr); PKCS10 parsed = new PKCS10(data); + PKCS10Attributes atts = parsed.getAttributes(); + + for (PKCS10Attribute b : atts.getAttributes()) { + + if ( !b.getAttributeId().equals((Object) PKCS9Attribute.EXTENSION_REQUEST_OID)) { + // unknown attrib + continue; + } + + for (RDN r : parsed.getSubjectName().rdns()) { + for (AVA a : r.avas()) { + if (a.getObjectIdentifier().equals((Object) PKCS9Attribute.EMAIL_ADDRESS_OID)) { + SANs.add(new SubjectAlternateName(SANType.EMAIL, a.getValueString())); + } else if (a.getObjectIdentifier().equals((Object) X500Name.commonName_oid)) { + CN = a.getValueString(); + } + } + } + + for (Extension c : ((CertificateExtensions) b.getAttributeValue()).getAllExtensions()) { + if (c instanceof SubjectAlternativeNameExtension) { + + SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension) c; + GeneralNames obj = san.get(SubjectAlternativeNameExtension.SUBJECT_NAME); + for (int i = 0; i < obj.size(); i++) { + GeneralName generalName = obj.get(i); + GeneralNameInterface peeled = generalName.getName(); + if (peeled instanceof DNSName) { + SANs.add(new SubjectAlternateName(SANType.DNS, ((DNSName) peeled).getName())); + } else if (peeled instanceof RFC822Name) { + SANs.add(new SubjectAlternateName(SANType.EMAIL, ((RFC822Name) peeled).getName())); + } + } + } else if (c instanceof ExtendedKeyUsageExtension) { + ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c; + for (String s : ekue.getExtendedKeyUsage()) { + if (s.equals("1.3.6.1.5.5.7.3.1")) { + // server + } else if (s.equals("1.3.6.1.5.5.7.3.2")) { + // client + } else if (s.equals("1.3.6.1.5.5.7.3.3")) { + // code sign + } else if (s.equals("1.3.6.1.5.5.7.3.4")) { + // emailProtection + } else if (s.equals("1.3.6.1.5.5.7.3.8")) { + // timestamp + } else if (s.equals("1.3.6.1.5.5.7.3.9")) { + // OCSP + } + } + } else { + // Unknown requested extension + } + } + } out.println(parsed.getSubjectName().getCommonName()); out.println(parsed.getSubjectName().getCountry()); + out.println("CSR DN: " + parsed.getSubjectName() + "
"); PublicKey pk = parsed.getSubjectPublicKeyInfo(); checkKeyStrength(pk, out); @@ -108,6 +187,8 @@ public class CertificateIssueForm extends Form { } else { login = "1".equals(req.getParameter("login")); + CN = req.getParameter("CN"); + SANs = parseSANBox(req.getParameter("SANs")); String hashAlg = req.getParameter("hash_alg"); if (hashAlg != null) { selectedDigest = Digest.valueOf(hashAlg); @@ -118,8 +199,8 @@ public class CertificateIssueForm extends Form { } CertificateProfile profile = CertificateProfile.getByName(req.getParameter("profile")); - System.out.println("issuing " + selectedDigest); - result = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", selectedDigest.toString(), this.csr, this.csrType, profile); + result = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", selectedDigest.toString(), // + this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()])); result.issue().waitFor(60000); return true; } @@ -140,6 +221,20 @@ public class CertificateIssueForm extends Form { return false; } + private TreeSet parseSANBox(String SANs) { + String[] SANparts = SANs.split("[\r\n]+"); + TreeSet parsedNames = new TreeSet<>(); + for (String SANline : SANparts) { + String[] parts = SANline.split(":", 2); + SANType t = Certificate.SANType.valueOf(parts[0].toUpperCase()); + if (t == null || parts.length == 1) { + continue; + } + parsedNames.add(new SubjectAlternateName(t, parts[1])); + } + return parsedNames; + } + private void checkKeyStrength(PublicKey pk, PrintWriter out) { out.println("Type: " + pk.getAlgorithm() + "
"); if (pk instanceof RSAPublicKey) { @@ -157,10 +252,6 @@ public class CertificateIssueForm extends Form { } } - private static PKCS10 parseCSR(String csr) throws IOException, GeneralSecurityException { - return new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", csr)); - } - private static String getSignatureAlgorithm(byte[] data) throws IOException { DerInputStream in = new DerInputStream(data); DerValue[] seq = in.getSequence(3); @@ -186,22 +277,16 @@ public class CertificateIssueForm extends Form { HashMap vars2 = new HashMap(vars); vars2.put("CCA", "CCA"); - final EmailAddress[] ea = u.getEmails(); - vars2.put("emails", new IterableDataset() { - - int count; + StringBuffer content = new StringBuffer(); + for (SubjectAlternateName SAN : SANs) { + content.append(SAN.getType().toString().toLowerCase()); + content.append(':'); + content.append(SAN.getName()); + content.append('\n'); + } - @Override - public boolean next(Language l, Map vars) { - if (count >= ea.length) { - return false; - } - vars.put("id", ea[count].getId()); - vars.put("value", ea[count].getAddress()); - count++; - return true; - } - }); + vars2.put("CN", CN); + vars2.put("emails", content.toString()); vars2.put("hashs", new HashAlgorithms(selectedDigest)); vars2.put("profiles", new IterableDataset() { diff --git a/src/org/cacert/gigi/pages/account/CertificateIssueForm.templ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.templ index 55eb1219..ec7fe1cb 100644 --- a/src/org/cacert/gigi/pages/account/CertificateIssueForm.templ +++ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.templ @@ -27,15 +27,13 @@ - - + + - - - + SANs + - @@ -48,21 +46,6 @@ - - - - - - - - - - -
- - - @@ -82,6 +65,22 @@ +   + + + + + + + + + + +
+ + +