From 0206a8e18afd089c232defcebf5a6315a35a1541 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 26 Aug 2016 17:18:05 +0200
Subject: [PATCH] fix: stop checking CAA on public suffix (and report error better)

Change-Id: Ifb7000db540e6e89c5b8e7c2bdccb6656c5ebe50
---
 .../account/certs/CertificateRequest.java | 19 ++++++++++---------
 src/org/cacert/gigi/util/CAA.java | 10 ++++++++--
 .../cacert/gigi/util/TestCAAValidation.java | 2 +-
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index 43e4fbd8..e1bf47cc 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -336,18 +336,19 @@ public class CertificateRequest {
 try {
 DomainAssessment.checkCertifiableDomain(san.getName(), user.isInGroup(Group.CODESIGNING), false);
 valid = true;
+ if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
+ // remove
+ } else {
+ if (pDNS == null) {
+ pDNS = san.getName();
+ }
+ filteredSANs.add(san);
+ continue;
+ }
 } catch (GigiApiException e) {
+ error.mergeInto(e);
 valid = false;
 }
- if ( !valid || !CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {
- // remove
- } else {
- if (pDNS == null) {
- pDNS = san.getName();
- }
- filteredSANs.add(san);
- continue;
- }
 }
 } else if (san.getType() == SANType.EMAIL) {
 if (emailTemp != null && owner.isValidEmail(san.getName())) {
diff --git a/src/org/cacert/gigi/util/CAA.java b/src/org/cacert/gigi/util/CAA.java
index a95977e7..33e78e89 100644
--- a/src/org/cacert/gigi/util/CAA.java
+++ b/src/org/cacert/gigi/util/CAA.java
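Review bot: The `!valid ||` term in the moved condition is dead code: it now sits directly after `valid = true;` inside the try block, so it can never be true, and the line can be reduced to `if (!CAA.verifyDomainAccess(owner, p, san.getName()) || (pDNS != null && !domainTemp.isMultiple())) {`. The `valid = false;` kept in the catch block may still be read further down the method, which starts and ends outside this hunk, so I have not proposed removing it. The empty `// remove` branch followed by an else that does the real work reads backwards; inverting the condition so the add-and-continue path is the if body, with a comment naming what happens to a rejected SAN (as far as this hunk shows it is dropped from filteredSANs without a message to the requester, unlike the GigiApiException path that now merges into `error`), would make the filtering easier to audit.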
@@ -2,8 +2,10 @@ package org.cacert.gigi.util;
 import javax.naming.NamingException;
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.CertificateProfile;
+import org.cacert.gigi.output.template.SprintfCommand;
 public class CAA {
@@ -44,14 +46,14 @@ public class CAA {
 }
 }
- public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) {
+ public static boolean verifyDomainAccess(CertificateOwner owner, CertificateProfile p, String name) throws GigiApiException {
 try {
 if (name.startsWith("*.")) {
 return verifyDomainAccess(owner, p, name.substring(2), true);
 }
 return verifyDomainAccess(owner, p, name, false);
 } catch (NamingException e) {
- return false;
+ throw new GigiApiException(SprintfCommand.createSimple("Internal Name Server/Resolution Error: {0}", e.getMessage()));
 }
 }
@@ -84,10 +86,14 @@ public class CAA {
 private static CAARecord[] getEffectiveCAARecords(String name) throws NamingException {
 CAARecord[] caa = DNSUtil.getCAAEntries(name);
+ String publicSuffix = PublicSuffixes.getInstance().getRegistrablePart(name);
 // TODO missing alias processing
 while (caa.length == 0 && name.contains(".")) {
 name = name.split("\\.", 2)[1];
 caa = DNSUtil.getCAAEntries(name);
+ if (name.equals(publicSuffix)) {
+ return caa;
+ }
 }
 return caa;
 }
diff --git a/tests/org/cacert/gigi/util/TestCAAValidation.java b/tests/org/cacert/gigi/util/TestCAAValidation.java
index 1b4c3953..b483a68f 100644
--- a/tests/org/cacert/gigi/util/TestCAAValidation.java
+++ b/tests/org/cacert/gigi/util/TestCAAValidation.java
@@ -53,7 +53,7 @@ public class TestCAAValidation extends ClientTest {
 public Boolean success;
 @Test
- public void testCAA() {
+ public void testCAA() throws GigiApiException {
 assertEquals(success, CAA.verifyDomainAccess(u, CertificateProfile.getByName("server"), domain));
 }
-- 
2.39.2
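Review bot: In verifyDomainAccess the caught `NamingException` is turned into a `GigiApiException` built only from `e.getMessage()`, so the exception class, root cause and remaining name are discarded and nothing in this hunk logs them; a resolver outage during issuance would then be hard to diagnose from the user-facing text alone. Log the exception server-side before throwing, or pass `e` as the cause if GigiApiException offers such a constructor (not visible in this diff). `getMessage()` may also be null for a NamingException, and the hunk does not show how `SprintfCommand.createSimple` renders a null argument, so `String.valueOf(e.getMessage())` or `e.toString()` is the safer argument. Fail-closed behaviour is preserved either way, since the caller in CertificateRequest now merges the exception into its error instead of issuing.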
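Review bot: The public-suffix stop in getEffectiveCAARecords is evaluated only after the parent has already been queried, so when `name` is itself the registrable domain (a constructed example: `example.com`) the loop still strips to `com` and fetches CAA there before `name.equals(publicSuffix)` can ever match, which is exactly the lookup the commit title says should stop. Moving the comparison into the loop guard handles both that case and the general one: `while (caa.length == 0 && name.contains(".") && !name.equals(publicSuffix)) {` with the three added lines inside the loop dropped. The variable is named `publicSuffix` but holds `getRegistrablePart(name)`, which by its name is the registrable domain one label below the suffix; a name such as `registrable` plus a comment saying the walk stops there would avoid confusion, and if that method can return null for an unrecognised suffix the `equals` silently fails and the walk proceeds to the TLD as before, which deserves a note at the declaration.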