deprecated/phpki-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #6 from majestick/master

Browse Source 
added alt_names feature for ssl certs
This commit is contained in:
Nick Pappas
2013-09-18 04:39:32 -07:00
parent 2bbe33474c 8d3e0f7699
commit 4a460afbf3
5 changed files with 147 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
ca/request_cert.php
View File

@@ -25,7 +25,8 @@ $passwdv = gpvar('passwdv');
$expiry = gpvar('expiry');
$keysize = gpvar('keysize');
$cert_type = gpvar('cert_type');
$dns_names = gpvar('dns_names');
$ip_addr = gpvar('ip_addr');
# To repopulate form after error.
$hidden_fields = '
@@ -41,6 +42,8 @@ $hidden_fields = '
<input type=hidden name=expiry value="' . htvar($expiry) . '">
<input type=hidden name=keysize value="' . htvar($keysize) . '">
<input type=hidden name=cert_type value="' . htvar($cert_type) . '">
<input type=hidden name=dns_names value="' . htvar($dns_names) . '">
<input type=hidden name=ip_addr value="' . htvar($ip_addr) . '">
';
@@ -72,10 +75,21 @@ case 'validate':
if ( $email && ! is_email($email) )
$er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';
$ip_ar=explode("\n", $ip_addr);
foreach ($ip_ar as $value){
if ( $value && ! is_ip($value) )
$er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
}
$dns_n=explode("\n", $dns_names);
foreach ($dns_n as $value){
if ( $value && ! is_fqdn(trim($value)) )
$er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
}
if ( $er )
$er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
if ($email && ($serial = CAdb_in($email,$common_name))) {
$er = '';
$certtext = CA_cert_text($serial);
@@ -119,6 +133,8 @@ case 'confirm':
Certificate Life<br>
Key Size<br>
Certificate Use<br>
IP Addresses<br>
DNS Alt Names<br>
</td>
<td>
@@ -133,6 +149,8 @@ case 'confirm':
print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
print htvar($keysize). ' bits<br>';
print htvar($cert_type). '<br>';
print htvar($dns_names). '<br>';
print htvar($ip_addr). '<br>';
?>
</td>
@@ -168,7 +186,7 @@ case 'confirm':
case 'final':
if ($submit == "Yes! Create and Download") {
if (! $serial = CAdb_in($email,$common_name)) {
list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize);
list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize,$dns_names,$ip_addr);
if (! $ret) {
printHeader();
@@ -227,6 +245,8 @@ default:
if (! $expiry) $expiry = 1;
if (! $keysize) $keysize = 1024;
if (! $cert_type) $cert_type = 'email';
if (! $dns_names) $dns_names = "";
if (! $ip_addr) $ip_addr = "";
printHeader();
?>
@@ -236,44 +256,44 @@ default:
<th colspan=2><h3>Certificate Request Form</h3></th>
<tr>
<td width=30%>Common Name<br>(i.e. User real name or computer hostname) </td>
<td width=30%>Common Name<font color=red size=3>*</font><br>(i.e. User real name or computer hostname) </td>
<td><input type=text name=common_name value="<?php echo htvar($common_name)?>" size=50 maxlength=60></td>
</tr>
<tr>
<td>E-mail Address </td>
<td>E-mail Address <font color=red size=3>*</font></td>
<td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
</tr>
<tr>
<td>Organization (Company/Agency)</td>
<td>Organization (Company/Agency)<font color=red size=3>*</font></td>
<td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
</tr>
<tr>
<td>Department/Unit </td><td><input type=text name=unit value="<?php echo htvar($unit) ?>" size=40 maxlength=60></td>
<td>Department/Unit<font color=red size=3>*</font> </td><td><input type=text name=unit value="<?php echo htvar($unit) ?>" size=40 maxlength=60></td>
</tr>
<tr>
<td>Locality (City/County)</td><td><input type=text name=locality value="<?php echo htvar($locality) ?>" size=30 maxlength=30></td>
<td>Locality (City/County)<font color=red size=3>*</font></td><td><input type=text name=locality value="<?php echo htvar($locality) ?>" size=30 maxlength=30></td>
</tr>
<tr>
<td>State/Province</td><td><input type=text name=province value="<?php echo htvar($province) ?>" size=30 maxlength=30></td>
<td>State/Province<font color=red size=3>*</font></td><td><input type=text name=province value="<?php echo htvar($province) ?>" size=30 maxlength=30></td>
</tr>
<tr>
<td>Country</td>
<td>Country<font color=red size=3>*</font></td>
<td><input type=text name=country value="<?php echo htvar($country) ?>" size=2 maxlength=2></td>
</tr>
<tr>
<td>Certificate Password </td>
<td>Certificate Password<font color=red size=3>*</font> </td>
<td><input type=password name=passwd value="<?php echo htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv value="<?php echo htvar($passwdv) ?>" size=30></td>
</tr>
<tr>
<td>Certificate Life </td>
<td>Certificate Life<font color=red size=3>*</font> </td>
<td><select name=expiry>
<?php
@@ -291,7 +311,7 @@ default:
</tr>
<tr>
<td>Key Size </td>
<td>Key Size<font color=red size=3>*</font> </td>
<td><select name=keysize>
<?php
for ( $i = 512 ; $i <= 4096 ; $i+= 512 ) {
@@ -303,8 +323,9 @@ default:
</tr>
<tr>
<td>Certificate Use: </td>
<td><select name=cert_type>
<td>Certificate Use:<font color=red size=3>*</font> </td>
<td><select name=cert_type onchange="if (this.value=='server')
{setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
<?php
print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
@@ -317,8 +338,16 @@ default:
</select></td>
</tr>
<tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
<td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?= htvar($dns_names) ?></textarea></td>
</tr>
<tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
<td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?= htvar($ip_addr) ?></textarea></td>
</tr>
<tr>
<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* All fields are required</td>
<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* Fields are required</td>
</tr>
</table>
</form>

18
include/common.php
View File

@@ -36,8 +36,26 @@ function printHeader($withmenu="default") {
?>
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<title>PHPki: <?php echo $title?> </title>
<link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
<script type="text/javascript" language="javascript">
function setVisibility(rowName, show) {
// Tabellenzelle ermitteln
var actualVisibility=document.getElementById(rowName).style.visibility;
if(show==false) {
document.getElementById(rowName).style.visibility = "hidden";
document.getElementById(rowName).style.display = "none";
} else {
document.getElementById(rowName).style.visibility = "visible";
document.getElementById(rowName).style.display = "";
}
}
</script>
</head>
<body>
<?php

29
include/my_functions.php
View File

@@ -90,10 +90,9 @@ function csort($array, $column, $ascdec=SORT_ASC){
#
function htvar($v, $strip=false) {
if ($strip)
return htmlentities(stripslashes($v));
return htmlentities(stripslashes($v), 0, "UTF-8");
else
return htmlentities($v);
return htmlentities($v, 0, "UTF-8");
}
@@ -185,6 +184,30 @@ function is_email($v) {
return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
}
#
# Returns True if the given string is a IP address
#
function is_ip( $ip = null ) {
if( !$ip or strlen(trim($ip)) == 0){
return false;
}
$ip=trim($ip);
if(preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/",$ip)) {
foreach(explode(".", $ip) as $block)
if($block<0 || $block>255 )
return false;
return true;
}
return false;
}
#
# Returns True if the given string is a valid FQDN
#
function is_fqdn($FQDN) {
return (!empty($FQDN) && preg_match('/(?=^.{1,254}$)(^(?:(?!\d|-)[a-z0-9\-]{1,63}(?<!-)\.)+(?:[a-z]{2,})$)/i', $FQDN) > 0);
}
#
# Checks regexp in every element of an array, returns TRUE as soon
# as a match is found.

56
include/openssl_functions.php
View File

@@ -5,10 +5,44 @@
// File name is placed in ./tmp with a random name. It lingers unless
// removed manually.
//
function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096) {
function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096,$dns_names='',$ip_addr='',$serial='') {
global $config, $PHPki_user;
$issuer = $PHPki_user;
$count_dns = 0;
$count_ip = 0;
$alt_names = "";
if (! $dns_names == '') {
$dns_n=explode("\n", $dns_names);
$count_dns = $count_dns + 1;
$alt_names .= "DNS.$count_dns = $common_name\n";
foreach ($dns_n as $value) {
if (! $value == '') {
$count_dns = $count_dns + 1;
$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
}
}
}
if (! $ip_addr == '') {
$ip_ar=explode("\n", $ip_addr);
foreach ($ip_ar as $value) {
if (! $value == '') {
$count_dns = $count_dns + 1;
$count_ip = $count_ip + 1;
$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
$alt_names .= "IP.$count_ip = ".trim($value)."\n";
}
}
}
if (($count_dns > 0) || ($count_ip > 0)) {
$server_altnames = "@alt_names";
} else {
$server_altnames = "DNS:$common_name,email:copy";
}
$cnf_contents = "
HOME = $config[home_dir]
@@ -104,7 +138,7 @@ subjectKeyIdentifier = hash
subjectAltName = email:copy
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
nsComment = \"PHPki/OpenSSL Generated Root Certificate\"
#nsCaRevocationUrl = ns_revoke_query.php?
#nsCaRevocationUrl = $config[base_url]ns_revoke_query.php?$serial
nsCaPolicyUrl = $config[base_url]policy.html
[ email_ext ]
@@ -119,7 +153,7 @@ issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
nsComment = \"PHPki/OpenSSL Generated Personal Certificate\"
nsBaseUrl = $config[base_url]
nsRevocationUrl = ns_revoke_query.php?
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial
nsCaPolicyUrl = $config[base_url]policy.html
[ email_signing_ext ]
@@ -134,7 +168,7 @@ issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
nsComment = \"PHPki/OpenSSL Generated Personal Certificate\"
nsBaseUrl = $config[base_url]
nsRevocationUrl = ns_revoke_query.php?
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial
nsCaPolicyUrl = $config[base_url]policy.html
[ server_ext ]
@@ -144,12 +178,12 @@ nsCertType = critical, server
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
subjectAltName = $server_altnames
issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
nsComment = \"PHPki/OpenSSL Generated Server Certificate\"
nsBaseUrl = $config[base_url]
nsRevocationUrl = ns_revoke_query.php?
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial
nsCaPolicyUrl = $config[base_url]policy.html
[ time_stamping_ext ]
@@ -163,7 +197,7 @@ issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
nsBaseUrl = $config[base_url]
nsRevocationUrl = ns_revoke_query.php?
nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial
[ vpn_client_ext ]
basicConstraints = critical, CA:false
@@ -191,8 +225,12 @@ nsCertType = critical, server, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy
[alt_names]
$alt_names
";
# Write out the config file.
$cnf_file = tempnam('./tmp','cnf-');
$handle = fopen($cnf_file,"w");
@@ -466,7 +504,7 @@ function CA_revoke_cert($serial) {
//
// Returns an array containing the output of failed openssl commands.
//
function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) {
function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024,$dns_names,$ip_addr) {
global $config;
# Wait here if another user has the database locked.
@@ -484,7 +522,7 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
$expiry_days = round($expiry * 365.25, 0);
$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize);
$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize,$dns_names,$ip_addr,$serial);
# Escape certain dangerous characters in user input
$email = escshellcmd($email);

12
ns_revoke_query.php
View File

@@ -14,13 +14,17 @@
# application/x-netscape-revocation containing a single character
# '1' if the certificate is revoked, '0' if it is valid.
#
include('./config.in.php');
include('./config.php');
include(STORE_DIR.'/config/config.php');
$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
header("Content-type: application/x-netscape-revocation");
$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
if (exec("egrep '$regexp' ca/$config[index]"))
#header("Content-type: application/x-netscape-revocation");
# old Reg Ex doesnt work, new should do the work
#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
$regexp = "^R.*$serial.*$";
if (exec("egrep '$regexp' $config[index]"))
print '1';
else
print '0';