From 42466c8f42d997ae9abd583ad9eaeef512b62f1f Mon Sep 17 00:00:00 2001 From: INOPIAE Date: Sat, 23 Feb 2019 05:04:57 +0100 Subject: [PATCH] fix: remove SPKAC from certificate request routine fixes issue #137 Change-Id: I67f71265c8b675c8a746539db66f534660d8cd55 --- .../account/certs/CertificateIssueForm.java | 10 ------ .../account/certs/RequestCertificate.templ | 28 ++------------- .../pages/account/TestCertificateAdd.java | 35 ------------------- 3 files changed, 3 insertions(+), 70 deletions(-) diff --git a/src/club/wpia/gigi/pages/account/certs/CertificateIssueForm.java b/src/club/wpia/gigi/pages/account/certs/CertificateIssueForm.java index 81925716..31be06f4 100644 --- a/src/club/wpia/gigi/pages/account/certs/CertificateIssueForm.java +++ b/src/club/wpia/gigi/pages/account/certs/CertificateIssueForm.java @@ -26,7 +26,6 @@ import club.wpia.gigi.output.template.Template; import club.wpia.gigi.pages.LoginPage; import club.wpia.gigi.util.AuthorizationContext; import club.wpia.gigi.util.HTMLEncoder; -import club.wpia.gigi.util.RandomToken; import club.wpia.gigi.util.ServerConstants; import club.wpia.gigi.util.ServerConstants.Host; @@ -42,14 +41,11 @@ public class CertificateIssueForm extends Form { private AuthorizationContext c; - private String spkacChallenge; - private boolean login; public CertificateIssueForm(HttpServletRequest hsr) { super(hsr); c = LoginPage.getAuthorizationContext(hsr); - spkacChallenge = RandomToken.generateToken(16); } private Certificate result; 
@@ -65,16 +61,11 @@ public class CertificateIssueForm extends Form { @Override public SubmissionResult submit(HttpServletRequest req) throws GigiApiException { String csr = req.getParameter("CSR"); - String spkac = req.getParameter("SPKAC"); try { if (csr != null) { cr = new CertificateRequest(c, csr); // TODO cr.checkKeyStrength(out); return new FormContinue(); - } else if (spkac != null) { - cr = new CertificateRequest(c, spkac, spkacChallenge); - // TODO cr.checkKeyStrength(out); - return new FormContinue(); } else if (cr != null) { login = "1".equals(req.getParameter("login")); issueDate.update(req); @@ -138,7 +129,6 @@ public class CertificateIssueForm extends Form { HashMap vars2 = new HashMap(vars); vars2.put("csrf", getCSRFToken()); vars2.put("csrf_name", getCsrfFieldName()); - vars2.put("spkacChallenge", spkacChallenge); tIni.output(out, l, vars2); return; } else { diff --git a/src/club/wpia/gigi/pages/account/certs/RequestCertificate.templ b/src/club/wpia/gigi/pages/account/certs/RequestCertificate.templ index 89abb8df..274ad8eb 100644 --- a/src/club/wpia/gigi/pages/account/certs/RequestCertificate.templ +++ b/src/club/wpia/gigi/pages/account/certs/RequestCertificate.templ @@ -1,6 +1,6 @@
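Review bot: With the SPKAC branch removed, the `csr != null` branch of `submit` is the only place a public key enters this form, and it still carries `// TODO cr.checkKeyStrength(out);`, so nothing visible in this hunk rejects a weak key before `FormContinue` is returned. Unless the `CertificateRequest(c, csr)` constructor already enforces a minimum key size and algorithm (not visible here), I would resolve the TODO in this change. Otherwise replace it with a comment saying where the check happens, e.g. `// key strength is enforced in CertificateRequest; see <TRACKING-ISSUE-PLACEHOLDER>`. A posted `SPKAC` parameter is now ignored and falls through to the `cr != null` and `else` branches, and the deleted `testSPKAC` is not replaced by a test asserting that such a request no longer produces a certificate request; a small negative test would pin that behaviour. The body of `submit` continues past the end of the hunk.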

- '.?> -

+ '.?>

+

' is recommended and described in !(/kb/XCADocu)XCA usage documentation!''?>

@@ -24,26 +24,4 @@
-
- - - - - - - - - - - - - - - -
- : -
- - -
-
+ diff --git a/tests/club/wpia/gigi/pages/account/TestCertificateAdd.java b/tests/club/wpia/gigi/pages/account/TestCertificateAdd.java index 0d83f301..16594e1b 100644 --- a/tests/club/wpia/gigi/pages/account/TestCertificateAdd.java +++ b/tests/club/wpia/gigi/pages/account/TestCertificateAdd.java @@ -23,7 +23,6 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.text.SimpleDateFormat; import java.util.Arrays; -import java.util.Base64; import java.util.Calendar; import java.util.Date; import java.util.TimeZone; @@ -33,7 +32,6 @@ import java.util.regex.Pattern; import org.junit.Test; -import club.wpia.gigi.crypto.SPKAC; import club.wpia.gigi.dbObjects.CertificateOwner; import club.wpia.gigi.dbObjects.Digest; import club.wpia.gigi.pages.account.certs.CertificateAdd; @@ -56,7 +54,6 @@ import sun.security.x509.GeneralNameInterface; import sun.security.x509.GeneralNames; import sun.security.x509.RFC822Name; import sun.security.x509.SubjectAlternativeNameExtension; -import sun.security.x509.X509Key; public class TestCertificateAdd extends ClientTest { @@ -125,12 +122,6 @@ public class TestCertificateAdd extends ClientTest { }, res); } - @Test - public void testSPKAC() throws GeneralSecurityException, IOException { - testSPKAC(false); - testSPKAC(true); - } - @Test public void testIssue() throws IOException, GeneralSecurityException { HttpURLConnection huc = sendCertificateForm("description"); 
@@ -312,32 +303,6 @@ public class TestCertificateAdd extends ClientTest { return uc; } - protected String testSPKAC(boolean correctChallenge) throws GeneralSecurityException, IOException { - HttpURLConnection uc = (HttpURLConnection) ncert.openConnection(); - uc.setRequestProperty("Cookie", cookie); - String s = IOUtils.readURL(uc); - - csrf = extractPattern(s, Pattern.compile("]*name='csrf' [^>]*value='([^']*)'>")); - String challenge = extractPattern(s, Pattern.compile("]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>")); - - SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallenge ? "" : "b")); - Signature sign = Signature.getInstance("SHA512WithRSA"); - sign.initSign(kp.getPrivate()); - try { - String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8")); - if ( !correctChallenge) { - fail("Should not succeed with wrong challenge."); - } - assertArrayEquals(new String[] { - "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString() - }, res); - } catch (OnPageError e) { - String error = fetchStartErrorMessage(e.getMessage()); - assertTrue(error, error.startsWith("

Challenge mismatch")); - } - return csrf; - } - private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException { CertificateExtensions attributeValue = new CertificateExtensions(); GeneralNames names = new GeneralNames(); -- 2.39.2