Merge pull request #6 from majestick/master

added alt_names feature for ssl certs
2013-09-18 04:39:32 -07:00
parent 2bbe33474c 8d3e0f7699
commit 4a460afbf3
5 changed files with 147 additions and 35 deletions
--- a/ca/request_cert.php
+++ b/ca/request_cert.php
@@ -25,7 +25,8 @@ $passwdv      = gpvar('passwdv');
 $expiry       = gpvar('expiry');
 $keysize      = gpvar('keysize');
 $cert_type    = gpvar('cert_type');
-
+$dns_names    = gpvar('dns_names');
+$ip_addr      = gpvar('ip_addr');

 # To repopulate form after error.
 $hidden_fields = '
@@ -41,6 +42,8 @@ $hidden_fields = '
    <input type=hidden name=expiry value="' . htvar($expiry) . '">
    <input type=hidden name=keysize value="' . htvar($keysize) . '">
    <input type=hidden name=cert_type value="' . htvar($cert_type) . '">
+    <input type=hidden name=dns_names value="' . htvar($dns_names) . '">
+    <input type=hidden name=ip_addr value="' . htvar($ip_addr) . '">
 ';


@@ -72,10 +75,21 @@ case 'validate':
 	if ( $email && ! is_email($email) )
 		$er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';

+	$ip_ar=explode("\n", $ip_addr);
+	foreach ($ip_ar as $value){
+		if ( $value && ! is_ip($value) )
+			$er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
+	}
+
+	$dns_n=explode("\n", $dns_names);
+	foreach ($dns_n as $value){
+		if ( $value && ! is_fqdn(trim($value)) )
+			$er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
+	}
+
 	if ( $er )
 		$er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';

-
 	if ($email && ($serial = CAdb_in($email,$common_name))) { 	
 		$er = '';
 		$certtext = CA_cert_text($serial);
@@ -119,6 +133,8 @@ case 'confirm':
 	Certificate Life<br>
 	Key Size<br>
 	Certificate Use<br>
+	IP Addresses<br>
+	DNS Alt Names<br>
    	</td>

    	<td>
@@ -133,6 +149,8 @@ case 'confirm':
 	print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
 	print htvar($keysize). ' bits<br>';
 	print htvar($cert_type). '<br>';
+    print htvar($dns_names). '<br>';
+    print htvar($ip_addr). '<br>';
 	?>
    	</td>

@@ -168,7 +186,7 @@ case 'confirm':
 case 'final':
 	if ($submit == "Yes!  Create and Download") {
 		if (! $serial = CAdb_in($email,$common_name)) {
-			list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize);
+			list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize,$dns_names,$ip_addr);

 			if (! $ret) {
 	                	printHeader();
@@ -227,6 +245,8 @@ default:
 	if (! $expiry)        $expiry = 1;
 	if (! $keysize)       $keysize = 1024;
 	if (! $cert_type)     $cert_type = 'email';
+	if (! $dns_names)     $dns_names = "";
+	if (! $ip_addr)       $ip_addr = "";

 	printHeader();
 	?>
@@ -236,44 +256,44 @@ default:
 	<th colspan=2><h3>Certificate Request Form</h3></th>

 	<tr>
-	<td width=30%>Common Name<br>(i.e. User real name or computer hostname) </td>
+	<td width=30%>Common Name<font color=red size=3>*</font><br>(i.e. User real name or computer hostname) </td>
 	<td><input type=text name=common_name value="<?php echo  htvar($common_name)?>" size=50 maxlength=60></td>
 	</tr>

 	<tr>
-	<td>E-mail Address </td>
+	<td>E-mail Address <font color=red size=3>*</font></td>
 	<td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
 	</tr>

 	<tr>
-	<td>Organization (Company/Agency)</td>
+	<td>Organization (Company/Agency)<font color=red size=3>*</font></td>
 	<td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
 	</tr>

 	<tr>
-	<td>Department/Unit </td><td><input type=text name=unit value="<?php echo  htvar($unit) ?>" size=40 maxlength=60></td>
+	<td>Department/Unit<font color=red size=3>*</font> </td><td><input type=text name=unit value="<?php echo  htvar($unit) ?>" size=40 maxlength=60></td>
 	</tr>

 	<tr>
-	<td>Locality (City/County)</td><td><input type=text name=locality value="<?php echo  htvar($locality) ?>" size=30 maxlength=30></td>
+	<td>Locality (City/County)<font color=red size=3>*</font></td><td><input type=text name=locality value="<?php echo  htvar($locality) ?>" size=30 maxlength=30></td>
 	</tr>

 	<tr>
-	<td>State/Province</td><td><input type=text name=province value="<?php echo  htvar($province) ?>" size=30 maxlength=30></td>
+	<td>State/Province<font color=red size=3>*</font></td><td><input type=text name=province value="<?php echo  htvar($province) ?>" size=30 maxlength=30></td>
 	</tr>

 	<tr>
-	<td>Country</td>
+	<td>Country<font color=red size=3>*</font></td>
 	<td><input type=text name=country value="<?php echo  htvar($country) ?>" size=2 maxlength=2></td>
 	</tr>

 	<tr>
-	<td>Certificate Password </td>
+	<td>Certificate Password<font color=red size=3>*</font> </td>
 	<td><input type=password name=passwd value="<?php echo  htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv  value="<?php echo  htvar($passwdv) ?>" size=30></td>
 	</tr>

 	<tr>
-	<td>Certificate Life </td>
+	<td>Certificate Life<font color=red size=3>*</font> </td>
 	<td><select name=expiry>
 	<?php

@@ -291,7 +311,7 @@ default:
 	</tr>

 	<tr>
-	<td>Key Size </td>
+	<td>Key Size<font color=red size=3>*</font> </td>
 	<td><select name=keysize>
 	<?php
 	for ( $i = 512 ; $i <= 4096 ; $i+= 512 ) {
@@ -303,8 +323,9 @@ default:
 	</tr>

 	<tr>
-	<td>Certificate Use: </td>
-	<td><select name=cert_type>
+	<td>Certificate Use:<font color=red size=3>*</font> </td>
+	<td><select name=cert_type onchange="if (this.value=='server') 
+        {setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
 	<?php
 	print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
 	print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
@@ -317,8 +338,16 @@ default:
 	</select></td>
 	</tr>

+	<tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
+	<td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?= htvar($dns_names) ?></textarea></td>
+	</tr>
+
+	<tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
+	<td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?= htvar($ip_addr) ?></textarea></td>
+	</tr>
+	
 	<tr>
-	<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* All fields are required</td>
+	<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* Fields are required</td>
 	</tr>
 	</table>
 	</form>
--- a/include/common.php
+++ b/include/common.php
@@ -36,8 +36,26 @@ function printHeader($withmenu="default") {
 	?>
 	<!DOCTYPE html>
 	<head>
+	<meta charset="utf-8">
 	<title>PHPki: <?php echo $title?> </title>
 	<link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
+	<script type="text/javascript" language="javascript">
+
+	function setVisibility(rowName, show) {
+        // Tabellenzelle ermitteln
+ 
+        var actualVisibility=document.getElementById(rowName).style.visibility;
+ 
+        if(show==false) {
+                document.getElementById(rowName).style.visibility = "hidden";
+                document.getElementById(rowName).style.display = "none";
+        } else {
+                document.getElementById(rowName).style.visibility = "visible";
+                document.getElementById(rowName).style.display = "";
+        }
+	}
+
+	</script>
 	</head>
 	<body>
 	<?php
--- a/include/my_functions.php
+++ b/include/my_functions.php
@@ -31,7 +31,7 @@ function upload($source, $destination, $content_type="application/octet-stream")
 #	header("Cache-Control: no-store, no-cache, must-revalidate");
 #	header("Cache-Control: post-check=0, pre-check=0", false);
 #	header("Pragma: no-cache");
-        header("Content-Type: $content_type");
+    header("Content-Type: $content_type");

 	if (is_array($source)) {
 		$fsize = 0;
@@ -90,10 +90,9 @@ function csort($array, $column, $ascdec=SORT_ASC){
 #
 function htvar($v, $strip=false) {
 	if ($strip) 
-		return  htmlentities(stripslashes($v));
+		return  htmlentities(stripslashes($v), 0, "UTF-8");
 	else
-		return  htmlentities($v);
-	
+		return  htmlentities($v, 0, "UTF-8");
 }


@@ -185,6 +184,30 @@ function is_email($v) {
 	return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
 }

+#
+# Returns True if the given string is a IP address
+#
+function is_ip( $ip = null ) {
+    if( !$ip or strlen(trim($ip)) == 0){
+        return false;
+    }
+    $ip=trim($ip);
+    if(preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/",$ip)) {
+        foreach(explode(".", $ip) as $block)
+            if($block<0 || $block>255 )
+                return false;
+        return true;
+    }
+    return false;
+}
+
+#
+# Returns True if the given string is a valid FQDN
+#
+function is_fqdn($FQDN) {
+    return (!empty($FQDN) && preg_match('/(?=^.{1,254}$)(^(?:(?!\d|-)[a-z0-9\-]{1,63}(?<!-)\.)+(?:[a-z]{2,})$)/i', $FQDN) > 0);
+}
+
 #
 # Checks regexp in every element of an array, returns TRUE as soon
 # as a match is found.
--- a/include/openssl_functions.php
+++ b/include/openssl_functions.php
@@ -5,15 +5,49 @@
 // File name is placed in ./tmp with a random name. It lingers unless
 // removed manually.
 //
-function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096) {
+function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096,$dns_names='',$ip_addr='',$serial='') {
 	global $config, $PHPki_user;

 	$issuer = $PHPki_user;
+	$count_dns = 0;
+	$count_ip = 0;
+	$alt_names = "";
+	
+	if (! $dns_names == '') {
+	
+		$dns_n=explode("\n", $dns_names);
+		$count_dns  = $count_dns + 1;
+		$alt_names .= "DNS.$count_dns = $common_name\n";
+		foreach ($dns_n as $value) {
+			if (! $value == '') {
+				$count_dns  = $count_dns + 1;
+				$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+			}
+		}
+	}
+	
+	if (! $ip_addr == '') {
+		$ip_ar=explode("\n", $ip_addr);
+		foreach ($ip_ar as $value) {
+			if (! $value == '') {
+				$count_dns  = $count_dns + 1;
+				$count_ip   = $count_ip + 1;
+				$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+				$alt_names .= "IP.$count_ip = ".trim($value)."\n";
+			}
+		}
+	}

+	if (($count_dns > 0) || ($count_ip > 0)) {
+		$server_altnames = "@alt_names";
+	} else {
+		$server_altnames = "DNS:$common_name,email:copy";
+	}
+	
 	$cnf_contents = "
 HOME             = $config[home_dir] 
 RANDFILE         = $config[random]
-dir	             = $config[ca_dir]
+dir	         = $config[ca_dir]
 certs            = $config[cert_dir]
 crl_dir	         = $config[crl_dir]
 database         = $config[index]
@@ -104,7 +138,7 @@ subjectKeyIdentifier   = hash
 subjectAltName         = email:copy
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Root Certificate\"
-#nsCaRevocationUrl      = ns_revoke_query.php?
+#nsCaRevocationUrl     = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html

 [ email_ext ]
@@ -119,7 +153,7 @@ issuerAltName          = issuer:copy
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html

 [ email_signing_ext ]
@@ -134,7 +168,7 @@ issuerAltName          = issuer:copy
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html

 [ server_ext ]
@@ -144,12 +178,12 @@ nsCertType              = critical, server
 extendedKeyUsage        = critical, serverAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
-subjectAltName          = DNS:$common_name,email:copy
+subjectAltName          = $server_altnames
 issuerAltName           = issuer:copy
 crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 nsComment               = \"PHPki/OpenSSL Generated Server Certificate\"
 nsBaseUrl               = $config[base_url]
-nsRevocationUrl         = ns_revoke_query.php?
+nsRevocationUrl         = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl           = $config[base_url]policy.html

 [ time_stamping_ext ]
@@ -163,7 +197,7 @@ issuerAltName          = issuer:copy
 crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial

 [ vpn_client_ext ]
 basicConstraints        = critical, CA:false
@@ -191,8 +225,12 @@ nsCertType              = critical, server, client
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
 subjectAltName          = DNS:$common_name,email:copy
+
+[alt_names]
+$alt_names
 ";

+
 	# Write out the config file.
 	$cnf_file  = tempnam('./tmp','cnf-');
 	$handle = fopen($cnf_file,"w");
@@ -466,7 +504,7 @@ function CA_revoke_cert($serial) {
 //
 // Returns an array containing the output of failed openssl commands.
 //
-function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) {
+function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024,$dns_names,$ip_addr) {
 	global $config;

 	# Wait here if another user has the database locked.
@@ -484,11 +522,11 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz

 	$expiry_days = round($expiry * 365.25, 0);

-	$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize);
+	$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize,$dns_names,$ip_addr,$serial);

 	# Escape certain dangerous characters in user input
 	$email         = escshellcmd($email);
-	$_passwd        = escshellarg($passwd);
+	$_passwd       = escshellarg($passwd);
 	$friendly_name = escshellarg($common_name);
 	$extensions    = escshellarg($cert_type.'_ext');
 	
--- a/ns_revoke_query.php
+++ b/ns_revoke_query.php
@@ -14,13 +14,17 @@
 # application/x-netscape-revocation containing a single character
 # '1' if the certificate is revoked, '0' if it is valid.
 #
-include('./config.in.php');
+include('./config.php');
 include(STORE_DIR.'/config/config.php');

 $serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
-header("Content-type: application/x-netscape-revocation");
-$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
-if (exec("egrep '$regexp' ca/$config[index]"))
+#header("Content-type: application/x-netscape-revocation");
+
+# old Reg Ex doesnt work, new should do the work
+#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
+$regexp = "^R.*$serial.*$";
+
+if (exec("egrep '$regexp' $config[index]"))
 	print '1';
 else
 	print '0';