From d5a01492f88cd0b87dfaae4701e7f5d25fba50a2 Mon Sep 17 00:00:00 2001 From: INOPIAE Date: Sun, 4 Feb 2018 07:16:12 +0100 Subject: [PATCH] chg: add p7b to download all intermediate certificates in one file fixes issue #148 Change-Id: Idcc73b9dfa093f5e32c3642987a190d9a975349e --- links.txt | 1 + src/club/wpia/gigi/pages/RootCertPage.java | 21 +++++++++++++++++++-- src/club/wpia/gigi/pages/RootCertPage.templ | 7 +++++-- src/club/wpia/gigi/util/CertExporter.java | 21 ++++++++++++++++++++- 4 files changed, 45 insertions(+), 5 deletions(-) diff --git a/links.txt b/links.txt index ec99a4d8..d9dd6808 100644 --- a/links.txt +++ b/links.txt @@ -11,6 +11,7 @@ /kb/lostPassword /kb/goodPassword /kb/verificationHandbook +/kb/truststores /ttp/user /ttp/country /blog diff --git a/src/club/wpia/gigi/pages/RootCertPage.java b/src/club/wpia/gigi/pages/RootCertPage.java index 25c02413..b065463d 100644 --- a/src/club/wpia/gigi/pages/RootCertPage.java +++ b/src/club/wpia/gigi/pages/RootCertPage.java @@ -2,13 +2,13 @@ package club.wpia.gigi.pages; import java.io.IOException; import java.io.PrintWriter; +import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.util.Collections; import java.util.Comparator; -import java.util.HashMap; import java.util.LinkedList; import java.util.Map; @@ -16,9 +16,11 @@ import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import club.wpia.gigi.GigiApiException; import club.wpia.gigi.dbObjects.CACertificate; import club.wpia.gigi.localisation.Language; import club.wpia.gigi.output.template.Outputable; +import club.wpia.gigi.util.CertExporter; import club.wpia.gigi.util.HTMLEncoder; import club.wpia.gigi.util.PEM; import club.wpia.gigi.util.ServerConstants; 
@@ -108,6 +110,20 @@ public class RootCertPage extends Page { e.printStackTrace(); } return true; + } else if (req.getParameter("bundle") != null && root != null) { + resp.setContentType("application/x-x509-ca-cert"); + resp.setHeader("Content-Disposition", "attachment; filename=\"" + appName + "_intermediate_bundle.p7b\""); + ServletOutputStream out = resp.getOutputStream(); + try { + CertExporter.writeCertBundle(out); + } catch (CertificateEncodingException e) { + e.printStackTrace(); + } catch (GeneralSecurityException e) { + e.printStackTrace(); + } catch (GigiApiException e) { + e.printStackTrace(); + } + return true; } else if (req.getParameter("cer") != null && root != null) { resp.setContentType("application/x-x509-ca-cert"); resp.setHeader("Content-Disposition", "attachment; filename=\"" + appName + "_roots.cer\""); @@ -124,8 +140,9 @@ public class RootCertPage extends Page { @Override public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { - HashMap map = new HashMap(); + Map map = Page.getDefaultVars(req); map.put("root", rootP); + map.put("bundle", appName + "_intermediate_bundle.p7b"); getDefaultTemplate().output(resp.getWriter(), getLanguage(req), map); } diff --git a/src/club/wpia/gigi/pages/RootCertPage.templ b/src/club/wpia/gigi/pages/RootCertPage.templ index 0f6a8f05..899470ec 100644 --- a/src/club/wpia/gigi/pages/RootCertPage.templ +++ b/src/club/wpia/gigi/pages/RootCertPage.templ @@ -1,5 +1,8 @@ -
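Review bot: The new `bundle` branch commits the response before the bundle is known to be good: the content type and Content-Disposition are set and the output stream is opened first, and every exception from `CertExporter.writeCertBundle(out)` is only passed to `e.printStackTrace()`, so a failed export reaches the client as a successful download of an empty or truncated `.p7b`. Encoding into a buffer first and answering with `resp.sendError(...)` on failure avoids handing out a broken trust bundle; the three catch clauses can also collapse, since `CertificateEncodingException` is already a `GeneralSecurityException`. The branch also reuses `application/x-x509-ca-cert`, which describes a single certificate, whereas PKCS#7 certificate bundles are normally served as `application/x-pkcs7-certificates`. The sketch below needs `java.io.ByteArrayOutputStream` imported, and the enclosing method starts and ends outside the hunk.

```java
} else if (req.getParameter("bundle") != null && root != null) {
    // Encode into memory first so a failure can still be reported with an error status.
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    try {
        CertExporter.writeCertBundle(buf);
    } catch (GeneralSecurityException | GigiApiException e) {
        e.printStackTrace();
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return true;
    }
    resp.setContentType("application/x-pkcs7-certificates");
    resp.setHeader("Content-Disposition", "attachment; filename=\"" + appName + "_intermediate_bundle.p7b\"");
    resp.getOutputStream().write(buf.toByteArray());
    return true;
// … unchanged: the following "cer" branch …
```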
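Review bot: The download name `appName + "_intermediate_bundle.p7b"` is now spelled out twice, here in `doGet` for the template variable `bundle` and in the Content-Disposition header of the `bundle` download branch, so the name shown on the page and the name of the served file can drift apart. A single shared definition used in both places keeps them in sync, for example `private static final String BUNDLE_NAME = appName + "_intermediate_bundle.p7b";`, assuming `appName` is available when the field is initialised (its declaration is outside the hunk).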
-PEM DER +


+PEM DER

+


+

+

'.?>

diff --git a/src/club/wpia/gigi/util/CertExporter.java b/src/club/wpia/gigi/util/CertExporter.java index 06102fc0..5d465919 100644 --- a/src/club/wpia/gigi/util/CertExporter.java +++ b/src/club/wpia/gigi/util/CertExporter.java @@ -1,6 +1,7 @@ package club.wpia.gigi.util; import java.io.IOException; +import java.io.OutputStream; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.cert.CRLException; @@ -58,7 +59,12 @@ public class CertExporter { } private static PKCS7 toP7Chain(Certificate c) throws IOException, GeneralSecurityException, GigiApiException { - LinkedList ll = getChain(c); + + return generateP7Bundle(getChain(c)); + + } + + private static PKCS7 generateP7Bundle(LinkedList ll) { PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo(ContentInfo.DATA_OID, null), ll.toArray(new X509Certificate[ll.size()]), new SignerInfo[0]) { @Override @@ -164,4 +170,17 @@ public class CertExporter { return ll; } + public static void writeCertBundle(OutputStream out) throws IOException, GeneralSecurityException, GigiApiException { + + CACertificate[] cs = CACertificate.getAll(); + LinkedList ll = new LinkedList<>(); + for (CACertificate cb : cs) { + if ( !cb.isSelfsigned()) { + ll.add(cb.getCertificate()); + } + } + + PKCS7 p7 = generateP7Bundle(ll); + p7.encodeSignedData(out); + } } -- 2.39.2
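Review bot: `writeCertBundle` is a new public entry point with no Javadoc, and its selection rule `!cb.isSelfsigned()` is the only thing deciding what ends up in a file that users import into their trust stores. As far as this hunk shows, every non-self-signed entry from `CACertificate.getAll()` is included, with no visible check that a certificate is still within its validity period or still in use; if `getAll()` can return retired intermediates, they should be filtered here or the behaviour stated explicitly. Suggested comment: `/** Writes all CA certificates that are not self-signed to {@code out} as a certificates-only PKCS#7 (.p7b) structure; {@code out} is not closed. */`.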