From ac33d7b1bf78da3879a4e6238fcdcebc833d17f4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Wed, 4 Nov 2015 13:51:51 +0100
Subject: [PATCH 1/1] upd: for installation send certificate chains as p7 encoded cert set
---
 .../account/certs/CertificateDisplay.templ | 2 +-
 .../pages/account/certs/Certificates.java | 42 +++++++++++++++++-
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ b/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ
index 99ae5d31..1e66e85f 100644
--- a/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateDisplay.templ
@@ -5,7 +5,7 @@


-
+
 
 
diff --git a/src/org/cacert/gigi/pages/account/certs/Certificates.java b/src/org/cacert/gigi/pages/account/certs/Certificates.java
index 766d21ea..312e7dc6 100644
--- a/src/org/cacert/gigi/pages/account/certs/Certificates.java
+++ b/src/org/cacert/gigi/pages/account/certs/Certificates.java
@@ -6,6 +6,7 @@ import java.net.URLEncoder;
 import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.Map;
 
 import javax.servlet.ServletOutputStream;
@@ -23,6 +24,11 @@ import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.util.PEM;
 
+import sun.security.pkcs.ContentInfo;
+import sun.security.pkcs.PKCS7;
+import sun.security.pkcs.SignerInfo;
+import sun.security.x509.AlgorithmId;
+
 public class Certificates extends Page implements HandlesMixedRequest {
 
 private Template certDisplay = new Template(Certificates.class.getResource("CertificateDisplay.templ"));
@@ -69,13 +75,13 @@ public class Certificates extends Page implements HandlesMixedRequest {
 boolean crt = false;
 boolean cer = false;
 resp.setContentType("application/pkix-cert");
+ if (req.getParameter("install") != null) {
+ resp.setContentType("application/x-x509-user-cert");
+ }
 if (pi.endsWith(".crt")) {
 crt = true;
 pi = pi.substring(0, pi.length() - 4);
 } else if (pi.endsWith(".cer")) {
- if (req.getParameter("install") != null) {
- resp.setContentType("application/x-x509-user-cert");
- }
 cer = true;
 pi = pi.substring(0, pi.length() - 4);
 } else if (pi.endsWith(".cer")) {
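Review bot: The four `sun.security.*` imports added in the second hunk bind the servlet to JDK-internal classes that are not public API and are not exported from `java.base` under the module system, so this code is liable to stop compiling or fail at runtime on newer JDKs. The same "certs-only" PKCS#7 SignedData can be produced with public API alone: collect the chain as a `List<X509Certificate>` and write `CertificateFactory.getInstance("X.509").generateCertPath(chain).getEncoded("PKCS7")`. That removes the need for `PKCS7`, `ContentInfo`, `SignerInfo` and `AlgorithmId` here and in the later `toP7Chain` hunk at line 136.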
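Review bot: Hoisting the `install` check above the extension dispatch in the third hunk means a `.crt` request with `install` set is now also labelled `application/x-x509-user-cert`, while only the `.cer` branch (hunk at line 113) switches its body to the PKCS#7 chain; whether the `.crt` body is meant to be served under that type cannot be seen from this hunk. If it is not, confine the override to the `.cer` case again, e.g. after the dispatch `if (cer && req.getParameter("install") != null) { resp.setContentType("application/x-x509-user-cert"); }`; if it is, a one-line comment saying so would save the next reader the question. The trailing duplicate `} else if (pi.endsWith(".cer")) {` is pre-existing context and unreachable after the first `.cer` branch. The enclosing method starts before and ends after this hunk.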
@@ -107,7 +113,17 @@ public class Certificates extends Page implements HandlesMixedRequest {
 }
 }
 } else if (cer) {
- out.write(cert.getEncoded());
+ if (req.getParameter("install") != null) {
+ PKCS7 p7 = toP7Chain(c);
+ p7.encodeSignedData(out);
+ /*
+ * ContentInfo ci = toCIChain(c); try (DerOutputStream dos =
+ * new DerOutputStream()) { ci.encode(dos);
+ * out.write(dos.toByteArray()); }
+ */
+ } else {
+ out.write(cert.getEncoded());
+ }
 }
 } catch (IllegalArgumentException e) {
 resp.sendError(404);
@@ -120,6 +136,24 @@ public class Certificates extends Page implements HandlesMixedRequest {
 return true;
 }
 
+ private static PKCS7 toP7Chain(Certificate c) throws IOException, GeneralSecurityException {
+ LinkedList ll = getChain(c);
+ PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo(ContentInfo.DATA_OID, null), ll.toArray(new X509Certificate[ll.size()]), new SignerInfo[0]);
+ return p7;
+ }
+
+ private static LinkedList getChain(Certificate c) throws IOException, GeneralSecurityException {
+ LinkedList ll = new LinkedList<>();
+ ll.add(c.cert());
+ CACertificate ca = c.getParent();
+ while ( !ca.isSelfsigned()) {
+ ll.add(ca.getCertificate());
+ ca = ca.getParent();
+ }
+ ll.add(ca.getCertificate());
+ return ll;
+ }
+
 @Override
 public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
-- 
2.39.2
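Review bot: The block comment added right after `p7.encodeSignedData(out);` is commented-out code that calls a `toCIChain` this patch never defines and a `DerOutputStream` that is not imported; it should be deleted rather than committed, with the alternative recorded in the commit message if it matters. In its place a short why-comment would help, e.g. `// install: send the whole chain as a certs-only PKCS#7 SignedData so the browser can import leaf and issuers together` — this is the intent suggested by the subject line, so confirm it before wording the comment that way. The enclosing method starts before and ends after this hunk.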
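Review bot: `getChain` assumes `c.getParent()` and `ca.getParent()` never return null and that the walk always reaches a self-signed certificate; if a parent is missing the loop ends in a NullPointerException, and if the parent links ever form a cycle it never terminates, so a null check on `ca` (in the loop condition and before the final `ll.add(ca.getCertificate())`) and a modest hop limit would make the failure explicit. Both helpers lack Javadoc; for `getChain` a summary such as "returns the leaf certificate first, then each issuing CA up to and including the self-signed root" is enough, and `toP7Chain` should state that it builds a certs-only SignedData with no signers. `toP7Chain` can also `return new PKCS7(...)` directly instead of going through the `p7` temporary, and `while ( !ca.isSelfsigned())` has a stray space after the parenthesis. The `LinkedList ll` declarations appear without type arguments as rendered here; if that is how the file reads rather than a rendering artefact, they should be `LinkedList<X509Certificate>`.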