From 8292e5ad5ce69dec035d7337760cb7a4150ef533 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sun, 10 Aug 2014 00:50:22 +0200
Subject: [PATCH] Implement SAN filtering.
---
 .../pages/account/CertificateIssueForm.java | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
index 6b5dee9a..3f5c1e5c 100644
--- a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
+++ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java
@@ -62,6 +62,8 @@ import sun.security.x509.X500Name;
 */
 public class CertificateIssueForm extends Form {
+ private static final String DEFAULT_CN = "CAcert WoT User";
+
 private final static Template t = new Template(CertificateIssueForm.class.getResource("CertificateIssueForm.templ"));
 private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ"));
@@ -74,7 +76,7 @@ public class CertificateIssueForm extends Form {
 String spkacChallenge;
- String CN = "";
+ String CN = DEFAULT_CN;
 Set SANs = new LinkedHashSet<>();
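Review bot: `DEFAULT_CN` is introduced here but the identical literal survives in the `new Certificate(..., "/commonName=CAcert WoT User", ...)` call in the third hunk, so the default shown in the form and the subject actually issued can drift apart; use the constant there, e.g. `"/commonName=" + DEFAULT_CN`. That hunk also still assigns `CN = req.getParameter("CN")` without the submitted value ever reaching the Certificate, so if the commonName is deliberately fixed to the constant, a comment on the field such as `// display default only; the issued subject is always DEFAULT_CN` would make that intent explicit for the next reader. The class body continues beyond both hunks on this line.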
@@ -188,16 +190,33 @@ public class CertificateIssueForm extends Form {
 } else {
 login = "1".equals(req.getParameter("login"));
 CN = req.getParameter("CN");
- SANs = parseSANBox(req.getParameter("SANs"));
 String hashAlg = req.getParameter("hash_alg");
 if (hashAlg != null) {
 selectedDigest = Digest.valueOf(hashAlg);
 }
+ CertificateProfile profile = CertificateProfile.getByName(req.getParameter("profile"));
+
+ Set filteredSANs = new LinkedHashSet<>();
+ for (SubjectAlternateName san : parseSANBox(req.getParameter("SANs"))) {
+ if (san.getType() == SANType.DNS) {
+ if (u.isValidDomain(san.getName())) {
+ filteredSANs.add(san);
+ continue;
+ }
+ } else if (san.getType() == SANType.EMAIL) {
+ if (u.isValidEmail(san.getName())) {
+ filteredSANs.add(san);
+ continue;
+ }
+ }
+ // SAN blocked
+ }
+ SANs = filteredSANs;
+
 if (req.getParameter("CCA") == null) {
 outputError(out, req, "You need to accept the CCA.");
 return false;
 }
- CertificateProfile profile = CertificateProfile.getByName(req.getParameter("profile"));
 result = new Certificate(LoginPage.getUser(req).getId(), "/commonName=CAcert WoT User", selectedDigest.toString(), //
 this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
-- 
2.39.2
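Review bot: Names rejected by the filter are dropped silently at `// SAN blocked`, so the requester receives a certificate missing SANs with no explanation and nothing is recorded for later review; collecting the rejected names and reporting them through `outputError`, as the CCA check below already does, makes the outcome visible and stops a request with unexpected content from being issued (if best-effort issuance is the intent, surface them as a warning through the template instead). Dropping every type other than DNS and EMAIL is a sound default and worth stating in that comment. Both `u` and the enclosing method begin outside the hunk, so the assumption that `u` is the logged-in user whose name ownership `isValidDomain`/`isValidEmail` check is inferred here. Separately, `CertificateProfile.getByName` now runs before the CCA check and its result reaches `new Certificate` with no null check; if it returns null for an unknown profile name (not visible here), that should be rejected alongside the other input errors.
```java
Set<String> blockedNames = new LinkedHashSet<>();
for (SubjectAlternateName san : parseSANBox(req.getParameter("SANs"))) {
    // … unchanged: DNS / EMAIL checks that add accepted names to filteredSANs and continue …
    // SAN blocked: type other than DNS/EMAIL, or name not accepted by u.isValidDomain/u.isValidEmail
    blockedNames.add(san.getName());
}
SANs = filteredSANs;
if (!blockedNames.isEmpty()) {
    outputError(out, req, "These SANs were rejected and must be removed: " + blockedNames);
    return false;
}
```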