From: Felix Dörre
Date: Tue, 18 Nov 2014 17:29:06 +0000 (+0100)
Subject: UPD: also pin the certificate's issuer DN
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=e8802b0aa6f096f62f027d2092a2398c7b51a855
UPD: also pin the certificate's issuer DN
---
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index cf75bf58..82012a50 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -62,6 +62,8 @@ public class Gigi extends HttpServlet {
     public static final String CERT_SERIAL = "org.cacert.gigi.serial";
+    public static final String CERT_ISSUER = "org.cacert.gigi.issuer";
+
     public static final String USER = "user";
     private static final long serialVersionUID = -6386785421902852904L;
@@ -233,7 +235,9 @@ public class Gigi extends HttpServlet {
         String clientSerial = (String) hs.getAttribute(CERT_SERIAL);
         if (clientSerial != null) {
             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-            if (cert == null || cert[0] == null || !cert[0].getSerialNumber().toString(16).toUpperCase().equals(clientSerial)) {
+            if (cert == null || cert[0] == null//
+                    || !cert[0].getSerialNumber().toString(16).toUpperCase().equals(clientSerial) //
+                    || !cert[0].getIssuerDN().equals(hs.getAttribute(CERT_ISSUER))) {
                 hs.invalidate();
                 resp.sendError(403, "Certificate mismatch.");
                 return;
diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 7f34f071..d8d0d4d3 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -116,6 +116,7 @@ public class LoginPage extends Page {
             if (rs.next()) {
                 loginSession(req, User.getById(rs.getInt(1)));
                 req.getSession().setAttribute(CERT_SERIAL, serial);
+                req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
             }
             rs.close();
         }
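Review bot: The issuer check on the third added line of the Gigi.java hunk compares the `Principal` returned by `getIssuerDN()` against whatever object the session holds, so the outcome depends on the unspecified concrete type's `equals` and on whether that type survives session serialization; `getIssuerDN()` is also the denigrated API. Comparing `X500Principal` values is well-defined (canonical-form equality, Serializable): `|| !cert[0].getIssuerX500Principal().equals(hs.getAttribute(CERT_ISSUER))) {`, with the LoginPage.java hunk storing `x509Certificate.getIssuerX500Principal()` so both sides hold the same type. A missing CERT_ISSUER attribute, as in a session created before this change, makes `equals` return false and invalidates the session, which is the fail-closed outcome; that intent deserves a comment on the condition such as `// serial numbers are unique only per issuer, so pin issuer + serial to identify the certificate`. The trailing `//` markers presumably keep a formatter from rejoining the lines, but `cert[0] == null//` lacks the space the next line has before its marker. The enclosing method starts and ends outside the hunk.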
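Review bot: The added line in LoginPage.java references `CERT_ISSUER`, yet the diff adds no import for it; if `CERT_SERIAL` on the line above resolves through a wildcard static import of Gigi this compiles, otherwise an explicit `import static org.cacert.gigi.Gigi.CERT_ISSUER;` is needed. The enclosing method, where `x509Certificate` and `serial` are defined, starts and ends outside the hunk.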