From: Felix Dörre
Date: Mon, 30 Jun 2014 02:31:02 +0000 (+0200)
Subject: Merge branch 'policyFixes'
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=b1461525aa6e429bf741dae73d20ac7c84237582;hp=6f888ca8a1bbb6aa7669c02fc640077646de2ae8
Merge branch 'policyFixes'
---
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 551c9be0..445fe365 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -20,7 +20,6 @@ import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
-import org.cacert.gigi.pages.PolicyRedir;
 import org.cacert.gigi.pages.TestSecure;
 import org.cacert.gigi.pages.Verify;
 import org.cacert.gigi.pages.account.MailAdd;
@@ -52,7 +51,6 @@ public class Gigi extends HttpServlet {
 pages.put(MailCertificates.PATH, new MailCertificates());
 pages.put(MyDetails.PATH, new MyDetails());
 pages.put(RegisterPage.PATH, new RegisterPage());
- pages.put(PolicyRedir.PATH, new PolicyRedir());
 pages.put(MailOverview.DEFAULT_PATH, new MailOverview( "My email addresses"));
 pages.put(MailAdd.DEFAULT_PATH, new MailAdd("Add new email"));
diff --git a/src/org/cacert/gigi/Launcher.java b/src/org/cacert/gigi/Launcher.java
index 47530254..f8c7f783 100644
--- a/src/org/cacert/gigi/Launcher.java
+++ b/src/org/cacert/gigi/Launcher.java
@@ -7,7 +7,6 @@ import java.util.Properties;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
-
 import org.cacert.gigi.natives.SetUID;
 import org.cacert.gigi.util.CipherInfo;
 import org.eclipse.jetty.server.Connector;
@@ -21,6 +20,7 @@ import org.eclipse.jetty.server.SessionManager;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.HandlerList;
+import org.eclipse.jetty.server.handler.HandlerWrapper;
 import org.eclipse.jetty.server.handler.ResourceHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
@@ -71,12 +71,16 @@ public class Launcher {
 return servlet;
 }
- private static ContextHandler generateStaticContext() {
- ResourceHandler rh = new ResourceHandler();
+ private static Handler generateStaticContext() {
+ final ResourceHandler rh = new ResourceHandler();
 rh.setResourceBase("static");
+ HandlerWrapper hw = new PolicyRedirector();
+ hw.setHandler(rh);
+
 ContextHandler ch = new ContextHandler();
- ch.setHandler(rh);
 ch.setContextPath("/static");
+ ch.setHandler(hw);
+
 return ch;
 }
diff --git a/src/org/cacert/gigi/PolicyRedirector.java b/src/org/cacert/gigi/PolicyRedirector.java
new file mode 100644
index 00000000..8714d959
--- /dev/null
+++ b/src/org/cacert/gigi/PolicyRedirector.java
@@ -0,0 +1,25 @@
+package org.cacert.gigi;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.handler.HandlerWrapper;
+
+public class PolicyRedirector extends HandlerWrapper {
+ @Override
+ public void handle(String target, Request baseRequest,
+ HttpServletRequest request, HttpServletResponse response)
+ throws IOException, ServletException {
+ if (target.startsWith("/policy/") && target.endsWith(".php")) {
+ target = target.replace(".php", ".html");
+ response.sendRedirect("/static" + target);
+ baseRequest.setHandled(true);
+ return;
+ }
+ super.handle(target, baseRequest, request, response);
+ }
+}
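Review bot: Placing PolicyRedirector inside the `/static` ContextHandler in generateStaticContext means it only sees requests whose path already starts with `/static`, whereas the removed PolicyRedir page was registered on the Gigi servlet under `/policy/*`. If legacy links of the form `/policy/X.php` are still expected to resolve, nothing visible in this commit handles them any more; whether another handler covers that path cannot be seen from this hunk. The literal `/static` now appears both in `ch.setContextPath("/static")` and in PolicyRedirector's redirect, so the two have to be kept in sync by hand. A one-line comment such as `// PolicyRedirector runs before the ResourceHandler and redirects /static/policy/*.php to the .html files` would record the intent.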
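Review bot: In `PolicyRedirector.handle`, `target.replace(".php", ".html")` rewrites every `.php` in the path, not only the suffix that `endsWith` just checked, and the result is concatenated into the `Location` value unchanged. Jetty normally passes the decoded path as `target`, so characters such as `?`, `#` or `%` that arrived percent-encoded would appear unescaped in the redirect URL and change what it points to (still on this host, because the prefix is the constant `/static`). Replace only the suffix and re-encode the path, e.g. `String html = target.substring(0, target.length() - ".php".length()) + ".html";` followed by `response.sendRedirect("/static" + URIUtil.encodePath(html));` with `org.eclipse.jetty.util.URIUtil` imported. The class has no Javadoc; one sentence stating that it turns legacy policy `.php` links into redirects to the static `.html` documents would be enough.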
diff --git a/src/org/cacert/gigi/pages/PolicyRedir.java b/src/org/cacert/gigi/pages/PolicyRedir.java
deleted file mode 100644
index e4e065ca..00000000
--- a/src/org/cacert/gigi/pages/PolicyRedir.java
+++ /dev/null
@@ -1,32 +0,0 @@
-package org.cacert.gigi.pages;
-
-import java.io.IOException;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class PolicyRedir extends Page {
- public PolicyRedir() {
- super("Policy");
- }
-
- public static final String PATH = "/policy/*";
- @Override
- public boolean beforeTemplate(HttpServletRequest req,
- HttpServletResponse resp) throws IOException {
- String substring = req.getPathInfo().substring(PATH.length() - 1);
- resp.sendRedirect("/static/policy/"
- + substring.replace(".php", ".html"));
- return true;
- }
- @Override
- public boolean needsLogin() {
- return false;
- }
- @Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp)
- throws IOException {
-
- }
-
-}
diff --git a/static/policy/AssurancePolicy.html b/static/policy/AssurancePolicy.html
index 4998de54..752da2dc 100644
--- a/static/policy/AssurancePolicy.html
+++ b/static/policy/AssurancePolicy.html
@@ -23,7 +23,7 @@ TH P { color: #000000 }

Assurance Policy for CAcert Community Members

-

CAcert Policy Status == POLICY +

CAcert Policy Status == POLICY
Editor: Teus Hagen
Creation date: 2008-05-30
@@ -38,7 +38,7 @@ Status: POLICY p20090105.2

Member
A Member is an individual who has agreed to the CAcert Community Agreement -(CCA) +(CCA) and has created successfully a CAcert login account on the CAcert web site.
Assurance
@@ -81,15 +81,15 @@ Handbook. The policy is controlled by Configuration Control Specification (CCS) under Policy on Policy -(PoP) +(PoP) policy document regime. Because Assurance is an active area, much of the practice is handed over to the Assurance Handbook, which is not a controlled policy document, and can more easily respond to experience and circumstances. It is also more readable.

-See also Organisation Assurance Policy (OAP) -and CAcert Policy Statement (CPS). +See also Organisation Assurance Policy (OAP) +and CAcert Policy Statement (CPS).

1. Assurance Purpose

@@ -109,7 +109,7 @@ about a person:
  • The person is a bona fide Member. In other words, the person is a member of the CAcert Community as defined by the CAcert -Community Agreement (CCA);

    +Community Agreement (CCA);

  • The Member has a (login) account with CAcert's on-line @@ -135,7 +135,7 @@ the Assurance Points.

    The primary goal of the Assurance Statement is for the express purpose of certificates to meet the needs of the Relying Party Statement, which latter is found in the Certification Practice -Statement (CPS). +Statement (CPS).

    When a certificate is issued, some of the Assurance Statement may be incorporated, e.g. Name. Other parts may be implied, e.g. @@ -290,7 +290,7 @@ The number of Assurance Points for each Member is not published.

    The CAcert Policy Statement -(CPS) +(CPS) and other policies may list other capabilities that rely on Assurance Points.

    @@ -600,7 +600,7 @@ Education Team;

  • Updating this Assurance Policy, under the process -established by Policy on Policy (PoP);

    +established by Policy on Policy (PoP);

  • Management of all Subsidiary Policies (see below) for @@ -703,7 +703,7 @@ internal purposes.

    circumstances:

    @@ -302,7 +302,7 @@ The Association details are at the

    CAcert is a Community formed of Members who agree to the - + CAcert Community Agreement. The CA is technically operated by the Community, under the direction of the Board of CAcert Incorporated. @@ -320,7 +320,7 @@ intermediate CAs under the present CPS.

    1.3.2. Registration authorities

    Registration Authorities (RAs) are controlled under Assurance Policy -(COD13). +(COD13).

    1.3.3. Subscribers

    @@ -337,7 +337,7 @@ Such Members then become Subscribers. A relying party is a Member, having agreed to the CAcert Community Agreement -(COD9), +(COD9), who, in the act of using a CAcert certificate, makes a decision on the basis of that certificate.

    @@ -347,7 +347,7 @@ makes a decision on the basis of that certificate.

    Member. Membership of the Community is as defined in the -COD9. +COD9. Only Members may RELY or may become Subscribers. Membership is free.

    @@ -358,7 +358,7 @@ A senior and experienced Member of the CAcert Community who resolves disputes between Members, including ones of certificate reliance, under Dispute Resolution Policy -(COD7). +(COD7).

    @@ -381,7 +381,7 @@ are unaware of the ramifications of usage. Their relationship with CAcert is described by the Non-related Persons - Disclaimer and Licence -(COD4). +(COD4). No other rights nor relationship is implied or offered.

    @@ -416,8 +416,8 @@ and risks, liabilities and obligations in
    - - + @@ -674,7 +674,7 @@ and will be submitted to vendors via the (Top-level) Root.
    Type
    Appropriate Certificate uses
    +
    Type
    Appropriate Certificate uses
    General
    - + @@ -691,12 +691,12 @@ and will be submitted to vendors via the (Top-level) Root. - + - + @@ -705,7 +705,7 @@ and will be submitted to vendors via the (Top-level) Root. - @@ -713,8 +713,8 @@ and will be submitted to vendors via the (Top-level) Root. - + @@ -722,8 +722,8 @@ and will be submitted to vendors via the (Top-level) Root. - + @@ -731,14 +731,14 @@ and will be submitted to vendors via the (Top-level) Root. - + - + +
    Level of Assurance
    Level of Assurance
    Anon Name Name+Anon
    Remarks
    Remarks
    Top level
    Root
    -
    +
    Member
    SubRoot
    +
    Assured
    SubRoot
    -
    +
    Organisation
    SubRoot
    -
    +
    Expiry of Certificates
    6 months
    -
    24 months
    +
    6 months
    24 months
    Types
    client, server
    -
    wildcard, subjectAltName
    -
    code-signing
    +
    client, server
    wildcard, subjectAltName
    code-signing
    (Inclusive to the left.)
    @@ -763,7 +763,7 @@ look at the CPS to figure it out. - + @@ -778,7 +778,7 @@ look at the CPS to figure it out. - + @@ -790,21 +790,21 @@ look at the CPS to figure it out. - + - + - + - +
    Level of Assurance
    Level of Assurance
    Named Anonymous Named
    Remarks
    Remarks
    Class
    1
    Class
    3
    -
    +
    Assured Members only.
    Intended for Reliance.
    Assured Members only.
    Intended for Reliance.
    Expiry of Certificates
    6 months
    -
    24 months
    +
    6 months
    24 months
    Types available
    simple only
    -
    wildcard, subjectAltName
    +
    simple only
    wildcard, subjectAltName
    @@ -848,7 +848,7 @@ and will only be used where new roots do not serve:

    This document is administered by the policy group of -the CAcert Community under Policy on Policy (COD1). +the CAcert Community under Policy on Policy (COD1).

    1.5.2. Contact person

    @@ -875,7 +875,7 @@ Community found at policy forum. See discussion forums above.

    CPS is controlled and updated according to the Policy on Policy -(COD1) +(COD1) which is part of Configuration-Control Specification (COD2).

    @@ -913,7 +913,7 @@ As per above. Member. Everyone who agrees to the CAcert Community Agreement - (COD9). + (COD9). This generally implies having an account registered at CAcert and making use of CAcert's data, programs or services. A Member may be an individual ("natural person") @@ -923,7 +923,7 @@ As per above. Community. The group of Members who agree to the CAcert Community Agreement - (COD9) + (COD9) or equivalent agreements.

    @@ -938,7 +938,7 @@ As per above. Assured Member. A Member whose identity has been sufficiently verified by Assurers or other - approved methods under Assurance Policy.

    + approved methods under Assurance Policy.

    Assurer. @@ -949,7 +949,7 @@ As per above. Name. As defined in the Assurance Policy - (COD13), + (COD13), to describe a name of a Member that is verified by the Assurance process.

    @@ -972,7 +972,7 @@ As per above. CAcert or the certificates that they may use, and are unaware of the ramifications of usage. They are not permitted to RELY, but may USE, under the - Non-Related Persons - Disclaimer and Licence (COD4). + Non-Related Persons - Disclaimer and Licence (COD4).

    Reliance. @@ -1058,7 +1058,7 @@ for the general public.

    -Under the Assurance Policy (COD13), +Under the Assurance Policy (COD13), there are means for Members to search, retrieve and verify certain data about themselves and others.

    @@ -1196,7 +1196,7 @@ does not go into the certificate.

    Each Member's Name (CN= field) -is assured under the Assurance Policy (COD13) +is assured under the Assurance Policy (COD13) or subsidiary policies (such as Organisation Assurance Policy). Refer to those documents for meanings and variations.

    @@ -1237,7 +1237,7 @@ Uniqueness of Names within certificates is not guaranteed. Each certificate has a unique serial number which maps to a unique account, and thus maps to a unique Member. See the Assurance Statement within Assurance Policy -(COD13). +(COD13).

    @@ -1249,7 +1249,7 @@ can only be registered to one Member.

    Organisation Assurance Policy -(COD11) +(COD11) controls issues such as trademarks where applicable. A trademark can be disputed by filing a dispute. See @@ -1263,6 +1263,7 @@ Certificates containing International Domain Names, being those containing a ACE prefix (RFC3490 Section 5), will only be issued to domains satisfying one or more of the following conditions: +

    • The Top Level Domain (TLD) Registrar associated with the domain has a policy that has taken measures to prevent two homographic domains being registered to @@ -1273,14 +1274,14 @@ excluding the "Common" script, with the additionally allowed numberic characters [0-9], and an ACSII hyphen '-'.
    -

    +

    Email address containing International Domain Names in the domain portion of the email address will also be required to satisfy one of the above conditions.

    -The following is a list of accepted TLD Registrars: +The following is a list of accepted TLD Registrars:

    @@ -1479,7 +1480,7 @@ The following is a list of accepted TLD Registrars:
    Policy (character list)
    -

    +

    This criteria will apply to the email address and server host name fields for all certificate types. @@ -1494,7 +1495,7 @@ The CAcert Inc. Board has the authority to decide to add or remove accepted TLD

    Identity verification is controlled by the -Assurance Policy (COD13). +Assurance Policy (COD13). The reader is refered to the Assurance Policy, the following is representative and brief only.

    @@ -1524,7 +1525,7 @@ to check the private key dynamically. Agreement. An Internet user becomes a Member by agreeing to the CAcert Community Agreement -(COD9) +(COD9) and registering an account on the online website. During the registration process Members are asked to supply information about themselves: @@ -1546,7 +1547,7 @@ for all service requests such as certificates.

    Assurance. Each Member is assured according to Assurance Policy -(COD13). +(COD13).

    @@ -1617,7 +1618,7 @@ certificates that state their Assured Name(s). Verification of organisations is delegated by the Assurance Policy to the Organisation Assurance Policy -(COD11). +(COD11). The reader is refered to the Organisation Assurance Policy, the following is representative and brief only.

    @@ -1645,7 +1646,7 @@ stated in the OAP, briefly presented here:
  • the organisation has agreed to the terms of the CAcert Community Agreement - (COD9), + (COD9), and is therefore subject to Arbitration.
  • @@ -1682,7 +1683,7 @@ when adding the address, §4.1.2. Individuals. The authority to participate as a Member is established by the CAcert Community Agreement -(COD9). +(COD9). Assurances are requested by means of the signed CAP form.

    @@ -1731,7 +1732,7 @@ process or file a dispute.

    The general life-cycle for a new certificate for an Individual Member is: - +

    1. Member adds claim to an address (domain/email).
    2. @@ -1751,7 +1752,7 @@ The general life-cycle for a new certificate for an Individual Member is: Member accepts certificate.
    -

    +

    (Some steps are not applicable, such as anonymous certificates.) @@ -1774,6 +1775,7 @@ The Member can claim ownership or authorised control of a domain or email address on the online system. This is a necessary step towards issuing a certificate. There are these controls: +

    -

    +

    4.1.3. Preparing CSR

    Members generate their own key-pairs. The CAcert Community Agreement -(COD9) +(COD9) obliges the Member as responsible for security. See CCA2.5, §9.6.

    @@ -1894,7 +1896,7 @@ following checks:

    -Notes. +Notes.

    -

    +