From 22f27f39d5b62ca5b264b2016daae7e870f78fd8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Thu, 10 Jul 2014 08:45:04 +0200
Subject: [PATCH] Implement serial based retrival and certificate access control.
---
 src/org/cacert/gigi/Certificate.java | 25 +++++++++++++------
 .../pages/account/MailCertificateAdd.java | 5 ++--
 .../gigi/pages/account/MailCertificates.java | 5 +++-
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/org/cacert/gigi/Certificate.java b/src/org/cacert/gigi/Certificate.java
index 9d6d5d8d..a9d12882 100644
--- a/src/org/cacert/gigi/Certificate.java
+++ b/src/org/cacert/gigi/Certificate.java
@@ -17,6 +17,7 @@ import org.cacert.gigi.util.KeyStorage;
 public class Certificate {
 private int id;
+ private int ownerId;
 private int serial;
 private String dn;
 private String md;
@@ -24,7 +25,8 @@ public class Certificate {
 private String crtName;
 private String csr = null;
- public Certificate(String dn, String md, String csr) {
+ public Certificate(int ownerId, String dn, String md, String csr) {
+ this.ownerId = ownerId;
 this.dn = dn;
 this.md = md;
 this.csr = csr;
@@ -33,17 +35,19 @@ public class Certificate {
 public Certificate(int id) {
 try {
 PreparedStatement ps = DatabaseConnection.getInstance().prepare(
- "SELECT subject, md, csr_name, crt_name FROM `emailcerts` WHERE id=?");
+ "SELECT id,subject, md, csr_name, crt_name,memid FROM `emailcerts` WHERE serial=?");
 ps.setInt(1, id);
 ResultSet rs = ps.executeQuery();
 if (!rs.next()) {
 throw new IllegalArgumentException("Invalid mid " + id);
 }
- this.id = id;
- dn = rs.getString(1);
- md = rs.getString(2);
- csrName = rs.getString(3);
- crtName = rs.getString(4);
+ this.id = rs.getInt(1);
+ dn = rs.getString(2);
+ md = rs.getString(3);
+ csrName = rs.getString(4);
+ crtName = rs.getString(5);
+ ownerId = rs.getInt(6);
+ serial = id;
 rs.close();
 } catch (SQLException e) {
 e.printStackTrace();
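Review bot: In the `Certificate(int id)` constructor the `catch (SQLException e)` branch only prints the stack trace, so a failed lookup still hands back an object whose `ownerId` is the field default 0, and the ownership comparison this commit adds in MailCertificates is then made against that default rather than a real owner. Failing construction is the safer outcome, for example `throw new IllegalStateException("certificate lookup failed", e);` in place of `e.printStackTrace();`. The argument is now matched against `serial` rather than the row id, so the parameter name `id` and the `"Invalid mid "` message no longer describe it; a one-line Javadoc such as `/** Loads the certificate whose serial equals the given value. */` would make the new contract explicit. The constructor's closing lines are outside the hunk.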
@@ -135,9 +139,10 @@ public class Certificate {
 throw new IllegalStateException();
 }
 PreparedStatement inserter = DatabaseConnection.getInstance().prepare(
- "INSERT INTO emailcerts SET md=?, subject=?, coll_found=0, crt_name=''");
+ "INSERT INTO emailcerts SET md=?, subject=?, coll_found=0, crt_name='', memid=?");
 inserter.setString(1, md);
 inserter.setString(2, dn);
+ inserter.setInt(3, ownerId);
 inserter.execute();
 id = DatabaseConnection.lastInsertId(inserter);
 File csrFile = KeyStorage.locateCsr(id);
@@ -222,4 +227,8 @@ public class Certificate {
 return md;
 }
+ public int getOwnerId() {
+ return ownerId;
+ }
+
 }
diff --git a/src/org/cacert/gigi/pages/account/MailCertificateAdd.java b/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
index f01b8f0c..836f48c4 100644
--- a/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
+++ b/src/org/cacert/gigi/pages/account/MailCertificateAdd.java
@@ -10,6 +10,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.cacert.gigi.Certificate;
 import org.cacert.gigi.output.ClientCSRGenerate;
+import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.Page;
 public class MailCertificateAdd extends Page {
@@ -38,11 +39,11 @@ public class MailCertificateAdd extends Page {
 // Error.
 return;
 }
- Certificate c = new Certificate("/commonName=CAcert WoT User", "sha256", csr);
+ Certificate c = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", "sha256", csr);
 c.issue();
 try {
 c.waitFor(60000);
- resp.sendRedirect(MailCertificates.PATH + "/" + c.getSerial());
+ resp.sendRedirect(MailCertificates.PATH + "/" + c.getSerial());
 } catch (SQLException e) {
 e.printStackTrace();
 } catch (InterruptedException e) {
diff --git a/src/org/cacert/gigi/pages/account/MailCertificates.java b/src/org/cacert/gigi/pages/account/MailCertificates.java
index 72a14a31..2fa6ac09 100644
--- a/src/org/cacert/gigi/pages/account/MailCertificates.java
+++ b/src/org/cacert/gigi/pages/account/MailCertificates.java
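Review bot: In the MailCertificateAdd hunk the redirect target `c.getSerial()` is read straight after `c.waitFor(60000)`, and nothing visible here shows that the serial has been assigned when the wait returns. The INSERT in `Certificate` does not set a serial, so it is presumably filled in later by the signer. If the wait can end without one, the user is redirected to serial 0; checking the value before `resp.sendRedirect(...)` and showing an error page otherwise would avoid that. `LoginPage.getUser(req).getId()` is also dereferenced without a null check, so it is worth confirming that this page is only reachable by an authenticated session. The enclosing method starts and ends outside the hunk.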
@@ -34,7 +34,10 @@ public class MailCertificates extends Page {
 pi = pi.substring(1);
 int id = Integer.parseInt(pi);
 Certificate c = new Certificate(id);
- // TODO check ownership
+ if (LoginPage.getUser(req).getId() != c.getOwnerId()) {
+ out.println(translate(req, "You do not own this certificate."));
+ return;
+ }
 out.println("
");
 			try {
 				out.print(c.cert());
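Review bot: The new ownership check answers a serial owned by someone else with "You do not own this certificate.", while an unknown serial raises `IllegalArgumentException` from `new Certificate(id)`, so the two outcomes reveal which serials exist to any logged-in user. Returning the same not-found response in both cases closes that gap. The denial is also written into a normal page body and so is probably served with a success status; if the response object is in scope in this method (not visible here), `resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;` would be clearer for clients and for access logs. A comment above the check such as `// Authorisation: only the owning account may view or download this certificate` would document the intent that replaced the TODO. The method starts and ends outside the hunk.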
-- 
2.39.2