deprecated/phpki-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix undefined constants

Browse Source
This commit is contained in:
John Crisp
2021-03-02 13:05:19 +01:00
parent 9acede5a2f
commit a82b5ab5dd
1 changed files with 108 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

176
include/openssl_functions.php
View File

@@ -45,24 +45,48 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
$server_altnames = "DNS:$common_name,email:copy"; $server_altnames = "DNS:$common_name,email:copy";
} }
$cnf_contents = " $configHOME = $config['home_dir'];
HOME = $config[home_dir] $configRANDFILE = $config['random'];
RANDFILE = $config[random] $configCa_dir = $config['ca_dir'];
dir = $config[ca_dir] $configCert_dir = $config['cert_dir'];
certs = $config[cert_dir] $configCrl_dir = $config['crl_dir'];
crl_dir = $config[crl_dir] $configDatabase = $config['index'];
database = $config[index] $configNew_certs_dir = $config['new_certs_dir'];
new_certs_dir = $config[new_certs_dir] $configPrivate_dir = $config['private_dir'];
private_dir = $config[private_dir] $configSerial = $config['serial'];
serial = $config[serial] $configCacert_pem = $config['cacert_pem'];
certificate = $config[cacert_pem] $configCacrl_pem = $config['cacrl_pem'];
crl = $config[cacrl_pem] $configCakey = $config['cakey'];
private_key = $config[cakey] $configDefault_md = $config['default_md'];
$configBase_url = $config['base_url'];
$configCrl_dist = $config['crl_distrib'];
$configComment_root = $config['comment_root'];
$configPolicy_url = $config['policy_url'];
$configRevoke_url = $config['revoke_url'];
$configComment_email = $config['comment_email'];
$configComment_sign = $config['comment_sign'];
$configComment_srv = $config['comment_srv'];
$cnf_contents = "
HOME = $configHOME
RANDFILE = $configRANDFILE
dir = $configCa_dir
certs = $configCert_dir
crl_dir = $configCrl_dir
database = $configDatabase
new_certs_dir = $configNew_certs_dir
private_dir = $configPrivate_dir
serial = $configSerial
certificate = $configCacert_pem
crl = $configCacrl_pem
private_key = $configCakey
crl_extentions = crl_ext crl_extentions = crl_ext
default_days = 365 default_days = 365
default_crl_days = 30 default_crl_days = 30
preserve = no preserve = no
default_md = $config[default_md] default_md = $configDefault_md
[ req ] [ req ]
default_bits = $keysize default_bits = $keysize
@@ -137,10 +161,10 @@ keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
subjectAltName = email:copy subjectAltName = email:copy
crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_root] nsComment = $configComment_root
#nsCaRevocationUrl = #nsCaRevocationUrl =
nsCaPolicyUrl = $config[base_url]$config[policy_url] nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_ext ] [ email_ext ]
basicConstraints = critical, CA:false basicConstraints = critical, CA:false
@@ -151,11 +175,11 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy subjectAltName = email:copy
issuerAltName = issuer:copy issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_email] nsComment = $configComment_email
nsBaseUrl = $config[base_url] nsBaseUrl = $configBase_url
nsRevocationUrl = $config[base_url]$config[revoke_url]$serial nsRevocationUrl = $configBase_url$configRevoke_url$serial
nsCaPolicyUrl = $config[base_url]$config[policy_url] nsCaPolicyUrl = $configBase_url$configPolicy_url
[ email_signing_ext ] [ email_signing_ext ]
basicConstraints = critical, CA:false basicConstraints = critical, CA:false
@@ -166,11 +190,11 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy subjectAltName = email:copy
issuerAltName = issuer:copy issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_sign] nsComment = $configComment_sign
nsBaseUrl = $config[base_url] nsBaseUrl = $configBase_url
nsRevocationUrl = $config[base_url]$config[revoke_url]$serial nsRevocationUrl = $configBase_url$configRevoke_url$serial
nsCaPolicyUrl = $config[base_url]$config[policy_url] nsCaPolicyUrl = $configBase_url$configPolicy_url
[ server_ext ] [ server_ext ]
basicConstraints = critical, CA:false basicConstraints = critical, CA:false
@@ -181,11 +205,11 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = $server_altnames subjectAltName = $server_altnames
issuerAltName = issuer:copy issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_srv] nsComment = $configComment_srv
nsBaseUrl = $config[base_url] nsBaseUrl = $configBase_url
nsRevocationUrl = $config[base_url]$config[revoke_url]$serial nsRevocationUrl = $configBase_url$configRevoke_url$serial
nsCaPolicyUrl = $config[base_url]$config[policy_url] nsCaPolicyUrl = $configBase_url$configPolicy_url
[ time_stamping_ext ] [ time_stamping_ext ]
basicConstraints = CA:false basicConstraints = CA:false
@@ -195,10 +219,10 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = DNS:$common_name,email:copy subjectAltName = DNS:$common_name,email:copy
issuerAltName = issuer:copy issuerAltName = issuer:copy
crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] crlDistributionPoints = URI:$configBase_url$configCrl_dist
nsComment = $config[comment_stamp] nsComment = $config[comment_stamp]
nsBaseUrl = $config[base_url] nsBaseUrl = $configBase_url
nsRevocationUrl = $config[base_url]$config[revoke_url]$serial nsRevocationUrl = $configBase_url$configRevoke_url$serial
[ vpn_client_ext ] [ vpn_client_ext ]
basicConstraints = critical, CA:false basicConstraints = critical, CA:false
@@ -546,10 +570,11 @@ function CA_revoke_cert($serial) {
$fd = fopen($config['index'],'a'); $fd = fopen($config['index'],'a');
flock($fd, LOCK_EX); flock($fd, LOCK_EX);
$certfile = "$config[new_certs_dir]/$serial.pem"; $certfile = $config['new_certs_dir'] . "/$serial.pem";
$cmd_output[] = 'Revoking the certificate.'; $cmd_output[] = 'Revoking the certificate.';
exec(CA." -config '$config[openssl_cnf]' -revoke ".escshellarg($certfile)." -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret); $configCa_pwd = $config['ca_pwd'];
$configOpenssl_cnf = $config['openssl_cnf'];
exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$ConfigCa_pwd 2>&1", $cmd_output, $ret);
if ($ret == 0) { if ($ret == 0) {
unset($cmd_output); unset($cmd_output);
@@ -578,11 +603,10 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
# Get the next available serial number # Get the next available serial number
$serial = trim(implode('',file($config['serial']))); $serial = trim(implode('',file($config['serial'])));
$userkey = $config['private_dir'].'/'.$serial.'-key.pem'; $userkey = $config['private_dir'] . "/$serial-key.pem";
$userreq = $config['req_dir'].'/'.$serial.'-req.pem'; $userreq = $config['req_dir'] ."/$serial-req.pem";
$usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; $userder = $config['cert_dir'] . "/$serial.der";
$userder = $config['cert_dir'].'/'.$serial.'.der'; $userpfx = $config['pfx_dir'] . "/$serial.pfx";
$userpfx = $config['pfx_dir'].'/'.$serial.'.pfx';
$expiry_days = round($expiry * 365.25, 0); $expiry_days = round($expiry * 365.25, 0);
@@ -609,7 +633,8 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
if ($ret == 0) { if ($ret == 0) {
unset($cmd_output); unset($cmd_output);
$cmd_output[] = "Signing $cert_type certificate request."; $cmd_output[] = "Signing $cert_type certificate request.";
exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret); $configCa_pwd = $config['ca_pwd'];
exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
}; };
# Create DER format certificate # Create DER format certificate
@@ -623,14 +648,18 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
if ($ret == 0) { if ($ret == 0) {
unset($cmd_output); unset($cmd_output);
$cmd_output[] = "Creating PKCS12 format certificate."; $cmd_output[] = "Creating PKCS12 format certificate.";
$configCacert_pem = $config['cacert_pem'];
$configOrganization = $config['organization'];
$configRandom = $config['random'];
if (($_passwd) && ($_passwd != "''")) { if (($_passwd) && ($_passwd != "''")) {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
} }
else { else {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
// reetp - this needs looking at // reetp - this needs looking at
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret); exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
//exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret); //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
} }
}; };
@@ -692,7 +721,7 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
$country = $rec['country']; $country = $rec['country'];
$province = $rec['province']; $province = $rec['province'];
$locality = $rec['locality']; $locality = $rec['locality'];
$organization = $rec['organiztion']; $organization = $rec['organization'];
$unit = $rec['unit']; $unit = $rec['unit'];
$common_name = $rec['common_name']; $common_name = $rec['common_name'];
$email = $rec['email']; $email = $rec['email'];
@@ -704,13 +733,14 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
# Get the next available serial number # Get the next available serial number
$serial = trim(implode('',file($config['serial']))); $serial = trim(implode('',file($config['serial'])));
$old_userkey = $config['private_dir'].'/'.$old_serial.'-key.pem'; $old_userkey = $config['private_dir'] . "$old_serial-key.pem";
$old_userreq = $config['req_dir'].'/'.$old_serial.'-req.pem'; $old_userreq = $config['req_dir'] . "/$old_serial-req.pem";
$userkey = $config['private_dir'].'/'.$serial.'-key.pem'; $userkey = $config['private_dir'] . "/$serial-key.pem";
$userreq = $config['req_dir'].'/'.$serial.'-req.pem'; $userreq = $config['req_dir'] . "/$serial-req.pem";
$usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; $usercert = $config['new_certs_dir'] . "/$serial.pem";
$userder = $config['cert_dir'].'/'.$serial.'.der'; $userder = $config['cert_dir'] . "/$serial.der";
$userpfx = $config['pfx_dir'].'/'.$serial.'.pfx'; $userpfx = $config['pfx_dir'] . "/$serial.pfx";
$expiry_days = round($expiry * 365.25, 0); $expiry_days = round($expiry * 365.25, 0);
@@ -737,11 +767,16 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
# Escape dangerous characters in user input. # Escape dangerous characters in user input.
$_passwd = escshellarg($passwd); $_passwd = escshellarg($passwd);
$configCa_pwd = $config['ca_pwd'];
$configCacert_pem = $config['cacert_pem'];
$configOrganization = $config['organization'];
$configRandom = $config['random'];
# Sign the certificate request and create the certificate. # Sign the certificate request and create the certificate.
if ($ret == 0) { if ($ret == 0) {
unset($cmd_output); unset($cmd_output);
$cmd_output[] = "Signing the $cert_type certificate request."; $cmd_output[] = "Signing the $cert_type certificate request.";
exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret); exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
}; };
# Create DER format certificate # Create DER format certificate
@@ -757,12 +792,12 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
$cmd_output[] = "Creating PKCS12 format certificate."; $cmd_output[] = "Creating PKCS12 format certificate.";
if (($_passwd) && ($_passwd != "''")) { if (($_passwd) && ($_passwd != "''")) {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
} }
else { else {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
// reetp - this needs looking at // reetp - this needs looking at
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret); exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
//exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret); //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
} }
@@ -805,15 +840,19 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
function CA_generate_crl() { function CA_generate_crl() {
global $config; global $config;
$configOpenssl_cnf = $config['openssl_cnf'];
$configCacrl_pem = $config['cacrl_pem'];
$configCa_pwd = $config['ca_pwd'];
$configCacrl_der = $config['cacrl_der'];
$ret = 0; $ret = 0;
$cmd_output[] = "Generating Certificate Revocation List."; $cmd_output[] = "Generating Certificate Revocation List.";
exec(CA. " -gencrl -config '$config[openssl_cnf]' -out '$config[cacrl_pem]' -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret); exec(CA. " -gencrl -config '$configOpenssl_cnf' -out '$configCacrl_pem' -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret);
if ($ret == 0) { if ($ret == 0) {
unset($cmd_output); unset($cmd_output);
$cmd_output[] = "Creating DER format Certificate Revocation List."; $cmd_output[] = "Creating DER format Certificate Revocation List.";
exec(CRL." -in '$config[cacrl_pem]' -out '$config[cacrl_der]' -inform PEM -outform DER 2>&1", $cmd_output, $ret); exec(CRL." -in '$configCacrl_der' -out '$configCacrl_der' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
} }
return array(($ret == 0 ? true : false), implode('<br>',$cmd_output)); return array(($ret == 0 ? true : false), implode('<br>',$cmd_output));
@@ -826,15 +865,16 @@ function CA_generate_crl() {
function CA_remove_cert($serial) { function CA_remove_cert($serial) {
global $config; global $config;
$userreq = $config['req_dir'].'/'.$serial.'-req.pem'; $userreq = $config['req_dir'] . "/$serial-req.pem";
$userkey = $config['private_dir'].'/'.$serial.'-key.pem'; $userkey = $config['private_dir'] . "/$serial-key.pem";
$usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; $usercert = $config['new_certs_dir'] . "/$serial.pem";
$userder = $config['cert_dir'].'/'.$serial.'.der'; $userder = $config['cert_dir'] . "/$serial.der";
$userpfx = $config['pfx_dir'].'/'.$serial.'.pfx'; $userpfx = $config['pfx_dir'] ."/$serial.pfx";
$configIndex = $config['index'];
# Wait here if another user has the database locked. # Wait here if another user has the database locked.
$fd = fopen($config['index'],'a'); $fd = fopen($configIndex,'a');
flock($fd, LOCK_EX); flock($fd, LOCK_EX);
if( file_exists($userreq)) unlink($userreq); if( file_exists($userreq)) unlink($userreq);
@@ -843,11 +883,11 @@ function CA_remove_cert($serial) {
if( file_exists($userder)) unlink($userder); if( file_exists($userder)) unlink($userder);
if( file_exists($userpfx)) unlink($userpfx); if( file_exists($userpfx)) unlink($userpfx);
$tmpfile = $config['index'].'.tmp'; $tmpfile = $configIndex .'.tmp';
copy($config['index'], $tmpfile); copy($configIndex , $tmpfile);
$regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$"; $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$";
exec('egrep -v '.escshellarg($regexp)." $tmpfile > $config[index] 2>/dev/null"); exec('egrep -v '.escshellarg($regexp)." $tmpfile > $configIndex 2>/dev/null");
unlink($tmpfile); unlink($tmpfile);
fclose($fd); fclose($fd);