From 474ccb03d08aff1d1f321bed9ea089bbe23943bf Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?= <felix@dogcraft.de>
Date: Sun, 27 Nov 2016 16:10:34 +0100
Subject: [PATCH] upd: enforce serverAuth EKU for SSL-pings

Change-Id: Ia98447b476eb1e6b60c7471208c7cf965e482aea
---
 .../cacert/gigi/pages/account/domain/PingConfigForm.java    | 2 --
 .../cacert/gigi/pages/account/domain/PingConfigForm.templ   | 6 +++++-
 src/org/cacert/gigi/ping/SSLPinger.java                     | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.java b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.java
index 6d23c3a0..b4c5ac8a 100644
--- a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.java
+++ b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.java
@@ -17,7 +17,6 @@ import org.cacert.gigi.output.template.Form;
 import org.cacert.gigi.output.template.IterableDataset;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.ping.SSLPinger;
-import org.cacert.gigi.util.HTMLEncoder;
 import org.cacert.gigi.util.RandomToken;
 
 public class PingConfigForm extends Form {
@@ -154,7 +153,6 @@ public class PingConfigForm extends Form {
     protected void outputEmbeddableContent(PrintWriter out, Language l, Map<String, Object> vars) {
         vars.put("tokenName", tokenName);
         vars.put("tokenValue", tokenValue);
-        vars.put("openSSLHelp", "<code>" + HTMLEncoder.encodeHTML("-subj \"/CN=<domain>/OU=" + tokenValue + "\"") + "</code>");
         vars.put("authEmails", new IterableDataset() {
 
             int i = 0;
diff --git a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
index 7d2eb5dc..ff7c824b 100644
--- a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
+++ b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
@@ -28,7 +28,11 @@
   <div class="panel-heading"><input type="checkbox" name="SSLType" value="y"<?=$!ssl?>> <?=_Verify by searching for installed certificate.?></div>
   <div class="panel-body">
     <?=_Please list up to four services using your certificate. You need to have one of them up and using a valid SomeCA certificate or a specific self-signed certificate in order to pass this test?>:
-    <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit. With $!{openSSLHelp} OpenSSL command line utilities can generate such a certificate.?>:
+    <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit.?> <?=_You can use these commands to create such a certificate:?>
+    <code>
+openssl req -newkey rsa:4096 -subj "/CN=<span class='exampleDomain'>example.org</span>/OU=<?=$tokenValue?>" -nodes -out myCSR -keyout myKey<br>
+openssl x509 -req -in myCSR -signkey myKey -out myCert -extfile &lt;(printf 'extendedKeyUsage = serverAuth\n')
+    </code>
     <table>
     <? foreach($ssl-services){ ?>
     <tr><td><select name='ssl-type-<?=$i?>'>
diff --git a/src/org/cacert/gigi/ping/SSLPinger.java b/src/org/cacert/gigi/ping/SSLPinger.java
index 312c8870..7db5a6b1 100644
--- a/src/org/cacert/gigi/ping/SSLPinger.java
+++ b/src/org/cacert/gigi/ping/SSLPinger.java
@@ -180,8 +180,8 @@ public class SSLPinger extends DomainPinger {
                             @Override
                             public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException {
                                 java.security.cert.X509Certificate c = chain[0];
-                                if (c.getExtendedKeyUsage() != null && !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
-                                    throw new java.security.cert.CertificateException("Illegal EKU");
+                                if (c.getExtendedKeyUsage() == null || !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
+                                    throw new java.security.cert.CertificateException("Extended Key Usage for SSL Server Authentication missing");
                                 }
                             }
 
-- 
2.39.2