From bb9c7ce6cb7f914a3a5a351548f3df626f44627c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B1=E5=8D=9A=E4=BA=9E?=
Date: Mon, 20 Mar 2023 23:17:04 +0800
Subject: [PATCH] fix cert validation feature
---
 app/models/site_cert.rb | 23 +++++++++++++++++--
 .../admin/site_panel/_certs_table.html.erb | 5 +++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/app/models/site_cert.rb b/app/models/site_cert.rb
index 5862045..4d12882 100644
--- a/app/models/site_cert.rb
+++ b/app/models/site_cert.rb
@@ -10,6 +10,7 @@ class SiteCert
 field :source_paths , type: Array ,default: []
 field :start_date , type: DateTime
 field :end_date , type: DateTime
+ field :invalid_message, type: String
 has_many :site_constructs, :autosave => true
 after_save :change_data
 def upload_date
@@ -34,8 +35,26 @@ class SiteCert
 cert_file_md5 = `openssl x509 -noout -modulus -in #{self.cert_file.file.file} | openssl md5`
 private_key_md5 = `openssl rsa -noout -modulus -in #{self.private_key.file.file} | openssl md5`
 is_valid = (cert_file_md5 == private_key_md5)
- domain_names = `openssl x509 -text < #{self.cert_file.file.file} | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'`.split('DNS:').map{|s| s.sub(',','').strip}.select{|s| s.present?} rescue []
- if domain_names.blank?
+ domain_names = `openssl x509 -text < #{self.cert_file.file.file} | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'`.split('DNS:').map{|s| s.sub(',','').strip}.select{|s| s.present?} rescue []
+ if domain_names.length == 0
+ domain_names = [`openssl x509 -text < #{self.cert_file.file.file} | grep 'Subject' | grep 'CN =' | grep 'Subject' | grep 'CN =' |sed 's/\s*Subject: //g'`[0...-1].split(/, | = /).each_slice(2).to_h['CN']] rescue []
+ end
+ sign_algo_valid = `openssl x509 -text < #{self.cert_file.file.file} | grep 'Signature Algorithm: sha1'`[0...-1].blank? rescue false
+ invalid_messages = []
+ if !is_valid
+ invalid_messages << 'cert and key not match'
+ end
+ if !sign_algo_valid
+ invalid_messages << 'Signature Algorithm cannot use sha1, please use sha256'
+ end
+ if domain_names.blank?
+ invalid_messages << 'Domain Names(alt_names) is empty.'
+ end
+ self.invalid_message = invalid_messages.join(', ')
+ if is_valid
+ is_valid = sign_algo_valid
+ end
+ if domain_names.blank?
 self.is_valid = false
 @skip_callback = true
 self.save(:validate=>false)
diff --git a/app/views/admin/site_panel/_certs_table.html.erb b/app/views/admin/site_panel/_certs_table.html.erb
index 0228244..4a7cb48 100644
--- a/app/views/admin/site_panel/_certs_table.html.erb
+++ b/app/views/admin/site_panel/_certs_table.html.erb
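Review bot: The three new backtick commands (the re-added `domain_names` line, the `CN` fallback and `sign_algo_valid`) interpolate `self.cert_file.file.file` into a shell pipeline unquoted, so a stored upload path containing a space or a shell metacharacter breaks out of the intended command; running `openssl x509 -noout -text` once through `IO.popen` with an argv array and parsing its output in Ruby removes the shell from the path entirely. The fallback also wraps `to_h['CN']` in an array literal, so a certificate without a CN yields `[nil]`, which is not `blank?`, and the later `if domain_names.blank?` branch is skipped; the `| grep 'Subject' | grep 'CN ='` segment in that pipeline is also repeated twice. The `rescue []` / `rescue false` modifiers turn a missing `openssl` binary or an unreadable file into the misleading 'Domain Names(alt_names) is empty.' message rather than a visible error, so consider logging the failure where the sketch below rescues `SystemCallError`. The enclosing method starts and ends outside the hunk.
```ruby
# … unchanged: cert_file_md5 / private_key_md5 / is_valid …
cert_path = self.cert_file.file.file.to_s
# argv form: no shell is involved, so the stored upload path cannot alter the command
cert_text = begin
  IO.popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path], &:read)
rescue SystemCallError
  ''   # openssl missing or file unreadable; surfaces below as "no domain names"
end
domain_names = cert_text.scan(/DNS:([^,\s]+)/).flatten
if domain_names.empty?
  # Array(nil) is [], so a certificate without a CN can never produce [nil]
  domain_names = Array(cert_text[/^\s*Subject:.*?CN\s*=\s*([^,\n]+)/, 1]&.strip)
end
sign_algo_valid = !cert_text.match?(/Signature Algorithm:\s*\S*sha1/i)
# … unchanged: invalid_messages assembly, is_valid / domain_names.blank? handling …
```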
@@ -16,7 +16,10 @@ <% @site_certs.each do |site_cert| %> <%=site_cert.upload_date %> - + + + <%= site_cert.invalid_message %> + <%=site_cert.display_start_date %> <%=site_cert.display_end_date %> <%=site_cert.display_domain_names %>