From 0fad27fa1dbd119648945ec77cd8e4a1b7965885 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Wed, 20 May 2015 18:26:19 +0200
Subject: [PATCH] fix: several testcases to the new configuration/structure
---
 .../cacert/gigi/database/SQLFileManager.java | 3 ++
 .../cacert/gigi/database/tableStructure.sql | 1 +
 .../cacert/gigi/dbObjects/Certificate.java | 2 +-
 .../account/certs/CertificateRequest.java | 34 +++++++++++-----
 tests/org/cacert/gigi/TestOrga.java | 17 +++++---
 .../cacert/gigi/TestSeparateSessionScope.java | 10 ++---
 tests/org/cacert/gigi/api/IssueCert.java | 11 +++---
 .../pages/account/TestCertificateAdd.java | 6 +--
 .../pages/account/TestCertificateRequest.java | 28 +++++++++++--
 .../TestSEAdminPageUserDomainSearch.java | 5 ++-
 .../admin/TestSEAdminPageUserMailSearch.java | 5 ++-
 .../org/cacert/gigi/util/SimpleSigner.java | 39 ++++++++++++-------
 12 files changed, 109 insertions(+), 52 deletions(-)
diff --git a/src/org/cacert/gigi/database/SQLFileManager.java b/src/org/cacert/gigi/database/SQLFileManager.java
index 62083c74..e51e5216 100644
--- a/src/org/cacert/gigi/database/SQLFileManager.java
+++ b/src/org/cacert/gigi/database/SQLFileManager.java
@@ -36,6 +36,9 @@ public class SQLFileManager {
 if (string.equals("")) {
 continue;
 }
+ if ((string.contains("profiles") || string.contains("cacerts")) && type != ImportType.PRODUCTION) {
+ continue;
+ }
 if (m.matches() && type == ImportType.TRUNCATE) {
 String sql2 = "TRUNCATE `" + m.group(1) + "`";
 stmt.addBatch(sql2);
diff --git a/src/org/cacert/gigi/database/tableStructure.sql b/src/org/cacert/gigi/database/tableStructure.sql
index 234ecc06..98133297 100644
--- a/src/org/cacert/gigi/database/tableStructure.sql
+++ b/src/org/cacert/gigi/database/tableStructure.sql
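Review bot: The added skip uses `string.contains("profiles")` / `string.contains("cacerts")` on the whole statement text, so in every non-PRODUCTION import any statement that merely mentions one of those words (a reference from another table's DDL, a comment, a column name) is dropped along with the two tables themselves. The surrounding code already has the matcher `m` with a table name in `m.group(1)`; if that pattern covers the statements meant here, comparing the captured name against the two table names is the precise check, otherwise anchor the test to the statement form (the CREATE TABLE / DROP TABLE prefix plus the quoted name) rather than a bare substring. A comment should also record why these tables are excluded outside PRODUCTION, e.g. `// profiles and cacerts are not loaded from this file because <reason>`, since the intent is not recoverable from the condition. The enclosing loop starts outside the hunk.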
@@ -207,6 +207,7 @@ DROP TABLE IF EXISTS `cacerts`;
 CREATE TABLE `cacerts` (
 `id` int(3) NOT NULL AUTO_INCREMENT,
 `keyname` varchar(60) NOT NULL,
+ `link` varchar(160) NOT NULL,
 `parentRoot` int(3) NOT NULL,
 `validFrom` datetime NULL DEFAULT NULL,
 `validTo` datetime NULL DEFAULT NULL,
diff --git a/src/org/cacert/gigi/dbObjects/Certificate.java b/src/org/cacert/gigi/dbObjects/Certificate.java
index ed3d5b4a..ada9ca90 100644
--- a/src/org/cacert/gigi/dbObjects/Certificate.java
+++ b/src/org/cacert/gigi/dbObjects/Certificate.java
@@ -221,10 +221,10 @@ public class Certificate {
 crtName = rs.getString(1);
 serial = rs.getString(4);
- ca = CACertificate.getById(rs.getInt("caid"));
 if (rs.getTimestamp(2) == null) {
 return CertificateStatus.DRAFT;
 }
+ ca = CACertificate.getById(rs.getInt("caid"));
 if (rs.getTimestamp(2) != null && rs.getTimestamp(3) == null) {
 return CertificateStatus.ISSUED;
 }
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
index 0bf0bd2f..9efbceb5 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -106,7 +106,16 @@ public class CertificateRequest {
 private String pDNS, pMail;
 public CertificateRequest(User issuer, String csr) throws IOException, GeneralSecurityException, GigiApiException {
+ this(issuer, csr, (CertificateProfile) null);
+ }
+
+ public CertificateRequest(User issuer, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
 u = issuer;
+ if (cp != null) {
+ profile = cp;
+ } else if (u.getAssurancePoints() > 50) {
+ profile = CertificateProfile.getByName("client-a");
+ }
 byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
 PKCS10 parsed = new PKCS10(data);
 PKCS10Attributes atts = parsed.getAttributes();
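Review bot: The new three-argument constructor selects `client-a` for `u.getAssurancePoints() > 50`, while the extended-key-usage hunk that follows (`@@ -152,18 +161,22 @@`) switches to the `-a` profiles at `>= 50`, so a user with exactly 50 points gets an assured profile from one path and not from the other; put the threshold in one named constant and use the same comparison in both places. The throws clause `GeneralSecurityException, IOException, IOException` lists `IOException` twice, and the delegating two-argument constructor still declares `GigiApiException` that the three-argument body does not — worth aligning, or a comment saying why they differ. When `cp` is supplied it becomes `profile` with no check visible here that the issuer is entitled to that profile; if that authorization happens later (for instance in `verifySANs`, added further down), a one-line comment here pointing to it would save the next reader the search. The constructor body continues past the end of the hunk.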
@@ -152,18 +161,22 @@ public class CertificateRequest {
 }
 } else if (c instanceof ExtendedKeyUsageExtension) {
 ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
+ String appendix = "";
+ if (u.getAssurancePoints() >= 50) {
+ appendix = "-a";
+ }
 for (String s : ekue.getExtendedKeyUsage()) {
 if (s.equals(OID_KEY_USAGE_SSL_SERVER.toString())) {
 // server
- profile = CertificateProfile.getByName("server");
+ profile = CertificateProfile.getByName("server" + appendix);
 } else if (s.equals(OID_KEY_USAGE_SSL_CLIENT.toString())) {
 // client
- profile = CertificateProfile.getByName("client");
+ profile = CertificateProfile.getByName("client" + appendix);
 } else if (s.equals(OID_KEY_USAGE_CODESIGN.toString())) {
 // code sign
 } else if (s.equals(OID_KEY_USAGE_EMAIL_PROTECTION.toString())) {
 // emailProtection
- profile = CertificateProfile.getByName("mail");
+ profile = CertificateProfile.getByName("mail" + appendix);
 } else if (s.equals(OID_KEY_USAGE_TIMESTAMP.toString())) {
 // timestamp
 } else if (s.equals(OID_KEY_USAGE_OCSP.toString())) {
@@ -377,6 +390,7 @@ public class CertificateRequest {
 PropertyTemplate emailTemp = profile.getTemplates().get("email");
 PropertyTemplate nameTemp = profile.getTemplates().get("name");
 PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
+ verifySANs(error, profile, SANs, org != null ? org : u);
 // Ok, let's determine the CN
 // the CN is
@@ -443,7 +457,7 @@ public class CertificateRequest {
 // null y -> default
 // null null -> null
 // ? y -> real, default
- // ? null -> real, null
+ // ? null -> real, default, null
 boolean realIsOK = false;
 boolean nullIsOK = false;
 boolean defaultIsOK = false;
@@ -457,12 +471,12 @@ public class CertificateRequest {
 nullIsOK = !defaultIsOK;
 } else if (nameTemp != null && !nameTemp.isRequired() && !nameTemp.isMultiple()) {
 realIsOK = true;
- defaultIsOK = wotUserTemp != null;
- nullIsOK = !defaultIsOK;
+ defaultIsOK = true;
+ nullIsOK = wotUserTemp == null;
 } else {
 error.mergeInto(new GigiApiException("Internal configuration error detected."));
 }
- if (u.isValidName(name)) {
+ if (name != null && u.isValidName(name)) {
 if (realIsOK) {
 verifiedCN = name;
 } else {
@@ -473,7 +487,7 @@ public class CertificateRequest {
 name = "";
 }
 }
- } else if (name.equals(DEFAULT_CN)) {
+ } else if (name != null && name.equals(DEFAULT_CN)) {
 if (defaultIsOK) {
 verifiedCN = name;
 } else {
@@ -484,9 +498,9 @@ public class CertificateRequest {
 name = u.getName().toString();
 }
 }
- } else if (name.equals("")) {
+ } else if (name == null || name.equals("")) {
 if (nullIsOK) {
- verifiedCN = name;
+ verifiedCN = "";
 } else {
 error.mergeInto(new GigiApiException("A name is required in this certificate."));
 if (defaultIsOK) {
diff --git a/tests/org/cacert/gigi/TestOrga.java b/tests/org/cacert/gigi/TestOrga.java
index 5f93228b..bf4f9def 100644
--- a/tests/org/cacert/gigi/TestOrga.java
+++ b/tests/org/cacert/gigi/TestOrga.java
@@ -2,6 +2,9 @@ package org.cacert.gigi;
 import static org.junit.Assert.*;
+import java.io.IOException;
+
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.testUtils.ManagedTest;
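Review bot: The null guards added in `@@ -473,7 +487,7 @@` and `@@ -484,9 +498,9 @@` read more simply with the constant on the left and the standard emptiness test: `} else if (DEFAULT_CN.equals(name)) {` and `} else if (name == null || name.isEmpty()) {`, which drops the repeated `name != null &&` pattern (the first occurrence in `@@ -457,12 +471,12 @@` still needs the explicit check because `u.isValidName` is the callee). The corrected truth table in the previous hunk now matches `defaultIsOK = true; nullIsOK = wotUserTemp == null;`, so a short comment on the `else if` branch naming which template combination it handles would keep the two from drifting apart again. The enclosing method starts and ends outside these hunks.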
@@ -10,11 +13,15 @@ import org.junit.Test;
 public class TestOrga extends ManagedTest {
 @Test
- public void testAddRm() throws GigiApiException {
- User u1 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u3 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- User u4 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ public void testAddRm() throws GigiApiException, IOException {
+ User u1 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u1.grantGroup(u1, Group.ORGASSURER);
+ User u2 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u2.grantGroup(u1, Group.ORGASSURER);
+ User u3 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u3.grantGroup(u1, Group.ORGASSURER);
+ User u4 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
+ u4.grantGroup(u1, Group.ORGASSURER);
 Organisation o1 = new Organisation("name", "ST", "prov", "city", "email", u1);
 assertEquals(0, o1.getAllAdmins().size());
 o1.addAdmin(u2, u1, false);
diff --git a/tests/org/cacert/gigi/TestSeparateSessionScope.java b/tests/org/cacert/gigi/TestSeparateSessionScope.java
index ba5579ff..66688ebd 100644
--- a/tests/org/cacert/gigi/TestSeparateSessionScope.java
+++ b/tests/org/cacert/gigi/TestSeparateSessionScope.java
@@ -29,8 +29,8 @@ public class TestSeparateSessionScope extends ManagedTest {
 int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
 String cookie = login(mail, TEST_PASSWORD);
 KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=felix@dogcraft.de");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ String csr = generatePEMCSR(kp, "CN=hans");
+ Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
 final PrivateKey pk = kp.getPrivate();
 c.issue(null, "2y").waitFor(60000);
 final X509Certificate ce = c.cert();
@@ -48,9 +48,9 @@ public class TestSeparateSessionScope extends ManagedTest {
 String mail = "thisgo" + createUniqueName() + "@example.com";
 int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
 KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=felix@dogcraft.de");
- Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
- Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "testmail@example.com"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ String csr = generatePEMCSR(kp, "CN=hans");
+ Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+ Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
 final PrivateKey pk = kp.getPrivate();
 Job j1 = c.issue(null, "2y");
 c2.issue(null, "2y").waitFor(60000);
diff --git a/tests/org/cacert/gigi/api/IssueCert.java b/tests/org/cacert/gigi/api/IssueCert.java
index 007edb56..74240b26 100644
--- a/tests/org/cacert/gigi/api/IssueCert.java
+++ b/tests/org/cacert/gigi/api/IssueCert.java
@@ -12,7 +12,6 @@ import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.Collection;
 import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CSRType;
@@ -28,8 +27,8 @@ public class IssueCert extends ClientTest {
 @Test
 public void testIssueCert() throws Exception {
 KeyPair kp = generateKeypair();
- String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
- Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+ String key1 = generatePEMCSR(kp, "EMAIL=testmail@example.com");
+ Certificate c = new Certificate(u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
 final PrivateKey pk = kp.getPrivate();
 c.issue(null, "2y").waitFor(60000);
 final X509Certificate ce = c.cert();
@@ -37,12 +36,12 @@ public class IssueCert extends ClientTest {
 authenticateClientCert(pk, ce, connection);
 connection.setDoOutput(true);
 OutputStream os = connection.getOutputStream();
- os.write(("csr=" + URLEncoder.encode(generatePEMCSR(kp, "CN=a b"), "UTF-8")).getBytes("UTF-8"));
+ os.write(("profile=client&csr=" + URLEncoder.encode(generatePEMCSR(kp, "EMAIL=" + email + ",CN=CAcert WoT User"), "UTF-8")).getBytes("UTF-8"));
 os.flush();
 assertEquals(connection.getResponseCode(), 200);
 String cert = IOUtils.readURL(new InputStreamReader(connection.getInputStream(), "UTF-8"));
 CertificateFactory cf = CertificateFactory.getInstance("X509");
- Collection certs = cf.generateCertificates(new ByteArrayInputStream(cert.getBytes("UTF-8")));
- assertEquals("a b", ((X500Name) ((X509Certificate) certs.iterator().next()).getSubjectDN()).getCommonName());
+ java.security.cert.Certificate xcert = cf.generateCertificate(new ByteArrayInputStream(cert.getBytes("UTF-8")));
+ assertEquals("CAcert WoT User", ((X500Name) ((X509Certificate) xcert).getSubjectDN()).getCommonName());
 }
 }
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
index e29dcacd..6fcfb1d4 100644
--- a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
@@ -129,7 +129,7 @@ public class TestCertificateAdd extends ClientTest {
 huc.setDoOutput(true);
 OutputStream out = huc.getOutputStream();
 out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
- out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+ out.write(("&CN=CAcert+WoT+User&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 out.write(("&hash_alg=SHA512&CCA=y").getBytes("UTF-8"));
 URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
 String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
@@ -146,7 +146,7 @@ public class TestCertificateAdd extends ClientTest {
 uc = authenticate(new URL(huc.getHeaderField("Location")));
 String gui = IOUtils.readURL(uc);
 assertThat(gui, containsString("clientAuth"));
- assertThat(gui, containsString("CN=a b"));
+ assertThat(gui, containsString("CN=CAcert WoT User"));
 assertThat(gui, containsString("SHA512withRSA"));
 assertThat(gui, containsString("RFC822Name: " + email));
@@ -213,7 +213,7 @@ public class TestCertificateAdd extends ClientTest {
 huc.setDoOutput(true);
 OutputStream out = huc.getOutputStream();
 out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
- out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+ out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 out.write(("&hash_alg=SHA512&CCA=y&").getBytes("UTF-8"));
 out.write(validity.getBytes("UTF-8"));
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
index ecea2326..4d668b74 100644
--- a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
@@ -3,10 +3,12 @@ package org.cacert.gigi.pages.account;
 import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.pages.account.certs.CertificateRequest;
 import org.cacert.gigi.testUtils.ClientTest;
 import org.junit.Test;
@@ -15,31 +17,49 @@ public class TestCertificateRequest extends ClientTest {
 KeyPair kp = generateKeypair();
- public TestCertificateRequest() throws GeneralSecurityException {}
+ public TestCertificateRequest() throws GeneralSecurityException, IOException {
+ makeAssurer(u.getId());
+ grant(email, Group.CODESIGNING);
+
+ }
 @Test
 public void testIssuingOtherName() throws Exception {
 try {
 new CertificateRequest(u, generatePEMCSR(kp, "CN=hansi")).draft();
+ fail();
 } catch (GigiApiException e) {
- assertThat(e.getMessage(), containsString("does not match the details"));
+ assertThat(e.getMessage(), containsString("name you entered was invalid"));
 }
 }
 @Test
 public void testIssuingDefault() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN)).draft();
+ new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
 }
 @Test
 public void testIssuingRealName() throws Exception {
- new CertificateRequest(u, generatePEMCSR(kp, "CN=a b")).draft();
+ new CertificateRequest(u, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
 }
 @Test
 public void testIssuingModifiedName() throws Exception {
 try {
 new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab")).draft();
+ fail();
+ } catch (GigiApiException e) {
+ assertThat(e.getMessage(), containsString("name you entered was invalid"));
+ }
+
+ }
+
+ // TODO annotate that this depends on default config
+ @Test
+ public void testCodesignModifiedName() throws Exception {
+ try {
+ CertificateRequest cr = new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab"));
+ cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
 } catch (GigiApiException e) {
 assertThat(e.getMessage(), containsString("does not match the details"));
 }
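Review bot: `testCodesignModifiedName` has no `fail()` after `cr.update(...)`, so it passes both when the expected `GigiApiException` is thrown and when `update` silently accepts the modified name — the same gap this commit closes in `testIssuingOtherName` and `testIssuingModifiedName` by inserting `fail();` after the call, so the new test needs `fail();` as the next line inside its `try` as well. The `// TODO annotate that this depends on default config` would serve better as a statement of the actual dependency, e.g. `// requires the default profile set to contain "code-a" and CODESIGNING to be granted in the constructor`, so a reader of a failing run knows which configuration to check. The stray empty line before the constructor's closing brace can go. The method's closing brace lies outside the hunk.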
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
index 35e7bf74..034feaf7 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
@@ -19,6 +19,7 @@ import org.cacert.gigi.pages.admin.support.FindDomainPage;
 import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
 import org.cacert.gigi.testUtils.ClientTest;
 import org.cacert.gigi.testUtils.IOUtils;
+import org.cacert.gigi.util.ServerConstants;
 import org.junit.Test;
 public class TestSEAdminPageUserDomainSearch extends ClientTest {
@@ -46,7 +47,7 @@ public class TestSEAdminPageUserDomainSearch extends ClientTest {
 os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
 + "process&domain=" + URLEncoder.encode(domainName, "UTF-8")).getBytes("UTF-8"));
 os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
 }
 @Test
@@ -68,7 +69,7 @@ public class TestSEAdminPageUserDomainSearch extends ClientTest {
 os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
 + "process&domain=#" + d.getId()).getBytes("UTF-8"));
 os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
 }
 @Test
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
index 427f37fe..232084dc 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
@@ -16,6 +16,7 @@ import org.cacert.gigi.pages.admin.support.FindUserPage;
 import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
 import org.cacert.gigi.testUtils.ClientTest;
 import org.cacert.gigi.testUtils.IOUtils;
+import org.cacert.gigi.util.ServerConstants;
 import org.junit.Test;
 public class TestSEAdminPageUserMailSearch extends ClientTest {
@@ -39,7 +40,7 @@ public class TestSEAdminPageUserMailSearch extends ClientTest {
 os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
 + "process&email=" + URLEncoder.encode(mail, "UTF-8")).getBytes("UTF-8"));
 os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
 }
 @Test
@@ -57,7 +58,7 @@ public class TestSEAdminPageUserMailSearch extends ClientTest {
 os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
 + "process&email=" + URLEncoder.encode("%@example.tld", "UTF-8")).getBytes("UTF-8"));
 os.flush();
- assertEquals("https://" + getServerName() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
+ assertEquals("https://" + ServerConstants.getWwwHostNamePort() + SupportUserDetailsPage.PATH + id, uc.getHeaderField("Location"));
 }
 @Test
diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java
index eba8f852..2d4445b0 100644
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -86,7 +86,7 @@ public class SimpleSigner {
 throw new IllegalStateException("already running");
 }
 running = true;
- readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, executeFrom, executeTo, rootcert FROM jobs " + //
+ readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, executeFrom, executeTo, profile FROM jobs " + //
 "INNER JOIN certs ON certs.id=jobs.targetId " + //
 "INNER JOIN profiles ON profiles.id=certs.profile " + //
 "WHERE jobs.state='open' "//
@@ -95,7 +95,7 @@ public class SimpleSigner {
 getSANSs = DatabaseConnection.getInstance().prepare("SELECT contents, type FROM subjectAlternativeNames " + //
 "WHERE certId=?");
- updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=? WHERE id=?");
+ updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=1 WHERE id=?");
 warnMail = DatabaseConnection.getInstance().prepare("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
 revoke = DatabaseConnection.getInstance().prepare("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.targetId=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
@@ -200,12 +200,14 @@ public class SimpleSigner {
 private static int counter = 0;
 private static void signCertificates() throws SQLException {
+ System.out.println("Checking...");
 GigiResultSet rs = readyCerts.executeQuery();
 Calendar c = Calendar.getInstance();
 c.setTimeZone(TimeZone.getTimeZone("UTC"));
 while (rs.next()) {
+ System.out.println("Task");
 String csrname = rs.getString("csr_name");
 int id = rs.getInt("id");
 System.out.println("sign: " + csrname);
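Review bot: `caid=1` is written for every issued certificate by the `updateMail` statement, while the `@@ -258,15 +257,16 @@` hunk on the next line still chooses between an `unassured` and an `assured` CA from the profile, so a record signed under the assured branch will still name CA 1 as its issuer; `Certificate` resolves the issuer from exactly this column (`CACertificate.getById(rs.getInt("caid"))` in the earlier hunk), so chain display and any check against the issuing root would be fed the wrong CA for those certificates. Bind the CA id as a parameter instead, `serial=?, caid=? WHERE id=?`, and set it from the same branch that picks `ca`; if this test signer is meant to use only CA 1, say so in a comment next to the statement and retire the `assured` branch so the two places cannot disagree. The enclosing method starts outside the hunk.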
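Review bot: `System.out.println("Checking...")` and `System.out.println("Task")` added here, together with `System.out.println(subj)` in `@@ -274,12 +274,17 @@` and the argument-echo loop in `@@ -308,6 +313,10 @@`, print unconditionally on every poll, so the signer's output fills with a line per idle iteration and echoes each request's full subject and OpenSSL command line. If they are wanted for troubleshooting, gate them behind one documented switch, e.g. `private static final boolean DEBUG = Boolean.getBoolean("simplesigner.debug");` checked before each print, rather than leaving bare prints in the loop; the existing `"sign: " + csrname` line already marks the start of each job. `signCertificates` continues past the end of the hunk.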
@@ -214,9 +216,6 @@ public class SimpleSigner {
 CSRType ct = CSRType.valueOf(csrType);
 File crt = KeyStorage.locateCrt(id);
- String keyUsage = rs.getString("keyUsage");
- String ekeyUsage = rs.getString("extendedKeyUsage");
-
 Timestamp from = rs.getTimestamp("executeFrom");
 String length = rs.getString("executeTo");
 Date fromDate;
@@ -258,15 +257,16 @@ public class SimpleSigner {
 cfg.print(san.getString("contents"));
 }
 cfg.println();
- cfg.println("keyUsage=critical," + keyUsage);
- cfg.println("extendedKeyUsage=critical," + ekeyUsage);
+ // TODO look them up!
+ cfg.println("keyUsage=critical," + "digitalSignature, keyEncipherment, keyAgreement");
+ cfg.println("extendedKeyUsage=critical," + "clientAuth");
 cfg.close();
- int rootcert = rs.getInt("rootcert");
+ int profile = rs.getInt("profile");
 String ca = "unassured";
- if (rootcert == 0) {
+ if (profile == 1) {
 ca = "unassured";
- } else if (rootcert == 1) {
+ } else if (profile != 1) {
 ca = "assured";
 }
 HashMap subj = new HashMap<>();
@@ -274,12 +274,17 @@ public class SimpleSigner {
 ps.setInt(1, rs.getInt("id"));
 GigiResultSet rs2 = ps.executeQuery();
 while (rs2.next()) {
- subj.put(rs2.getString("name"), rs2.getString("value"));
+ String name = rs2.getString("name");
+ if (name.equals("EMAIL")) {
+ name = "emailAddress";
+ }
+ subj.put(name, rs2.getString("value"));
 }
 if (subj.size() == 0) {
 subj.put("CN", "");
 System.out.println("WARNING: DN was empty");
 }
+ System.out.println(subj);
 String[] call;
 synchronized (sdf) {
 call = new String[] {
@@ -308,6 +313,10 @@ public class SimpleSigner {
 "-config", "../selfsign.config"//
 };
+ for (String string : call) {
+ System.out.print(" " + string);
+ }
+ System.out.println();
 }
 if (ct == CSRType.SPKAC) {
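Review bot: With `keyUsage`/`extendedKeyUsage` now fixed to `digitalSignature, keyEncipherment, keyAgreement` and `clientAuth`, every certificate this signer issues carries client-authentication usages whatever profile `CertificateRequest` selected (the `server`, `mail` and `code-a` profiles the tests exercise included), so the profile-specific tests no longer verify the extensions they appear to; the `// TODO look them up!` should at least say where the values are to come from, presumably the `profiles` row the query still joins, e.g. `// TODO take keyUsage/extendedKeyUsage from the profile instead of these client-cert defaults`. The CA selection below it is more convoluted than it needs to be: `ca` starts as `"unassured"`, the first branch reassigns the same value and `else if (profile != 1)` is simply `else`, so `String ca = profile == 1 ? "unassured" : "assured";` expresses the same thing in one line. Profile id `1` is a magic number here and deserves a comment naming which profile it is and why only that one maps to the unassured root. The enclosing method starts and ends outside the hunk.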
@@ -317,9 +326,11 @@ public class SimpleSigner {
 Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
 int waitFor = p1.waitFor();
- if ( !f.delete()) {
- System.err.println("Could not delete SAN-File " + f.getAbsolutePath());
- }
+ /*
+ * if ( !f.delete()) {
+ * System.err.println("Could not delete SAN-File " +
+ * f.getAbsolutePath()); }
+ */
 if (waitFor == 0) {
 try (InputStream is = new FileInputStream(crt)) {
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
-- 
2.39.2
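Review bot: Commenting out the `f.delete()` block means the per-certificate SAN configuration file `f` is never removed, so every signing run leaves another temporary file behind in the working directory, and commented-out code of this kind tends to stay indefinitely. If the file needs to survive for inspection while debugging, keep the deletion and guard it behind a documented flag — `if (!KEEP_SAN_FILES && !f.delete()) {` with the original body — or at least register `f.deleteOnExit()` where the file is created so a normal shutdown cleans up. `f` is created and written outside this hunk, and the enclosing method continues past it.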