From dd5a2952eaee54521863a1176c4a3fddbda99a6d Mon Sep 17 00:00:00 2001 From: Denis Fateyev Date: Mon, 14 Oct 2013 03:58:12 +0600 Subject: [PATCH] phpki: interface enhancement, generalize keysize --- include/openssl_functions.php | 42 +++---- setup.php-presetup | 204 ++++++++++++++++++++++++++-------- 2 files changed, 179 insertions(+), 67 deletions(-) diff --git a/include/openssl_functions.php b/include/openssl_functions.php index e2597fd..f8000ad 100644 --- a/include/openssl_functions.php +++ b/include/openssl_functions.php @@ -5,7 +5,7 @@ // File name is placed in ./tmp with a random name. It lingers unless // removed manually. // -function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096,$dns_names='',$ip_addr='',$serial='') { +function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=2048,$dns_names='',$ip_addr='',$serial='') { global $config, $PHPki_user; $issuer = $PHPki_user; @@ -136,10 +136,10 @@ keyUsage = cRLSign, keyCertSign nsCertType = sslCA, emailCA, objCA subjectKeyIdentifier = hash subjectAltName = email:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Root Certificate\" -#nsCaRevocationUrl = $config[base_url]ns_revoke_query.php?$serial -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_root] +#nsCaRevocationUrl = +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ email_ext ] basicConstraints = critical, CA:false 
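Review bot: The `$keysize` default in CA_create_cnf goes down from 4096 to 2048 while every other default in this commit goes up from 1024 to 2048, so for callers that rely on the default the CA's own key, generated once and trusted longest, is the one that gets weaker. If the goal is a single uniform default, consider keeping 4096 here and 2048 for leaf certificates, or deriving both from `$config['keysize']` so the literal is not repeated in CA_create_cnf, CA_create_cert (the @@ -504 hunk) and the fallback in setup.php-presetup (the @@ -643 hunk). At minimum a comment on the signature explaining the change would help the next reader, e.g. `// CA key default lowered to 2048 to match CA_create_cert; raise it for long-lived roots`. Both function bodies continue outside their hunks.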
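Review bot: The rewritten `nsComment = $config[comment_root]` line drops the double quotes the old literal carried, so the operator-supplied comment lands in the generated openssl.cnf unquoted; the same happens for comment_email, comment_sign, comment_srv and comment_stamp in the @@ -150, -165, -180 and -194 hunks and in the five matching blocks of setup.php-presetup. OpenSSL's config parser treats an unquoted `$` as a variable reference and `#` as the start of a comment, so a value such as `Acme #1` would be silently truncated, and as far as I can tell double quotes suppress both. Keep the quoting, `nsComment = \"$config[comment_root]\"` here and `nsComment = "$config[comment_root]"` inside the heredoc in setup.php-presetup, and reject embedded quotes and line breaks where the values are read in setup, since quoting cannot protect against a newline. The string and CA_create_cnf continue outside the hunk.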
@@ -150,11 +150,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Personal Certificate\" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_email] nsBaseUrl = $config[base_url] -nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial -nsCaPolicyUrl = $config[base_url]policy.html +nsRevocationUrl = $config[base_url]$config[revoke_url]$serial +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ email_signing_ext ] basicConstraints = critical, CA:false @@ -165,11 +165,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Personal Certificate\" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_sign] nsBaseUrl = $config[base_url] -nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial -nsCaPolicyUrl = $config[base_url]policy.html +nsRevocationUrl = $config[base_url]$config[revoke_url]$serial +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ server_ext ] basicConstraints = critical, CA:false 
@@ -180,11 +180,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = $server_altnames issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Server Certificate\" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_srv] nsBaseUrl = $config[base_url] -nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial -nsCaPolicyUrl = $config[base_url]policy.html +nsRevocationUrl = $config[base_url]$config[revoke_url]$serial +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ time_stamping_ext ] basicConstraints = CA:false @@ -194,10 +194,10 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = DNS:$common_name,email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_stamp] nsBaseUrl = $config[base_url] -nsRevocationUrl = $config[base_url]ns_revoke_query.php?$serial +nsRevocationUrl = $config[base_url]$config[revoke_url]$serial [ vpn_client_ext ] basicConstraints = critical, CA:false @@ -504,7 +504,7 @@ function CA_revoke_cert($serial) { // // Returns an array containing the output of failed openssl commands. // -function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024,$dns_names,$ip_addr) { +function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=2048,$dns_names,$ip_addr) { global $config; # Wait here if another user has the database locked. diff --git a/setup.php-presetup b/setup.php-presetup index 3c4fe4a..7bde902 100644 --- a/setup.php-presetup +++ b/setup.php-presetup 
@@ -54,6 +54,14 @@ $passwdv = gpvar('passwdv'); $expiry = gpvar('expiry'); $keysize = gpvar('keysize'); $base_url = gpvar('base_url'); +$crl_distrib = gpvar('crl_distrib'); +$revoke_url = gpvar('revoke_url'); +$policy_url = gpvar('policy_url'); +$comment_root = gpvar('comment_root'); +$comment_email = gpvar('comment_email'); +$comment_sign = gpvar('comment_sign'); +$comment_srv = gpvar('comment_srv'); +$comment_stamp = gpvar('comment_stamp'); $openssl_bin = gpvar('openssl_bin'); $passwd_file = gpvar('passwd_file'); $getting_help = gpvar('getting_help'); @@ -76,6 +84,14 @@ $hidden_fields = ' + + + + + + + + @@ -221,6 +237,22 @@ case 'write': # Base URL \$config['base_url'] = '$base_url'; +# CRL Distribution points path +\$config['crl_distrib'] = '$crl_distrib'; + +# Certificate Revocation URL +\$config['revoke_url'] = '$revoke_url'; + +# Certificate Authority Policy URL +\$config['policy_url'] = '$policy_url'; + +# Certificate Comment Fields +\$config['comment_root'] = '$comment_root'; +\$config['comment_email'] = '$comment_email'; +\$config['comment_sign'] = '$comment_sign'; +\$config['comment_srv'] = '$comment_srv'; +\$config['comment_stamp'] = '$comment_stamp'; + # Who users should contact if they have technical difficulty with # your certificate authority site. \$config['getting_help'] = '$getting_help'; @@ -364,10 +396,10 @@ keyUsage = cRLSign, keyCertSign nsCertType = sslCA, emailCA, objCA subjectKeyIdentifier = hash subjectAltName = email:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Root Certificate Authority" -#nsCaRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_root] +#nsCaRevocationUrl = +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ email_ext ] basicConstraints = critical, CA:false 
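Review bot: The eight new `\$config['…'] = '$…';` lines in the @@ -221 hunk interpolate request values straight into a PHP source file inside single quotes, so a value containing `'` or `\` terminates the literal and whatever follows is written out as code; the free-text comment fields are the ones most likely to contain an apostrophe in ordinary use. The pre-existing base_url line has the same shape, but this hunk multiplies the exposure, and nothing visible shows gpvar() escaping for this context. Escape once before the heredoc, e.g. `$comment_root = addcslashes($comment_root, "'\\");` for each of the new variables, or build each assignment with var_export() so the written file is always a valid literal. The `write` case continues outside the hunk.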
@@ -378,12 +410,12 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Personal Certificate" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_email] nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? +nsRevocationUrl = $config[revoke_url] #nsRenewalUrl = -nsCaPolicyUrl = $config[base_url]policy.html +nsCaPolicyUrl = $config[base_url]$config[policy_url] #nsSslServerName = [ email_signing_ext ] @@ -395,12 +427,12 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Personal Certificate" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_sign] nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? +nsRevocationUrl = $config[revoke_url] #nsRenewalUrl = -nsCaPolicyUrl = $config[base_url]policy.html +nsCaPolicyUrl = $config[base_url]$config[policy_url] #nsSslServerName = [ server_ext ] 
@@ -412,11 +444,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = DNS:$common_name,email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Secure Server Certificate" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_srv] +nsBaseUrl = $config[base_url] +nsRevocationUrl = $config[revoke_url] +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ time_stamping_ext ] basicConstraints = CA:false @@ -426,12 +458,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = DNS:$common_name,email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\" +crlDistributionPoints = URI:$config[base_url]$config[crl_distrib] +nsComment = $config[comment_stamp] nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html - +nsRevocationUrl = $config[revoke_url] +nsCaPolicyUrl = $config[base_url]$config[policy_url] [ vpn_client_ext ] basicConstraints = critical, CA:false @@ -469,7 +500,7 @@ EOS; $config_txt2 = <<< EOS [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_name string_mask = nombstr @@ -508,7 +539,7 @@ EOS; $config_txt3 = <<< EOS [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_name string_mask = nombstr @@ -593,25 +624,6 @@ EOS; # if (! unlink("$store_dir/tmp/openssl.cnf")) print "Can't unlink $store_dir/tmp/openssl.cnf"; - - # - # Create dhparam files for OpenVPN and others. - # - print '

Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.
'; - print "Saving to $store_dir/dhparam1024.pem.

"; - $cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024"; - print $cmd.'
'; - flush(); - flush_exec($cmd,100); - - - #print '

Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
'; - #print "Saving to $store_dir/dhparam2048.pem.

"; - #$cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam2048.pem' 2048"; - #print $cmd.'
'; - #flush(); - #flush_exec($cmd,200); - # # Step aside and let the users in (create index.php files). # @@ -643,7 +655,7 @@ default: if (! $expiry) $expiry = $config['expiry']; if (! $expiry) $expiry = 10; if (! $keysize) $keysize = $config['keysize']; - if (! $keysize) $keysize = 1024; + if (! $keysize) $keysize = 2048; if (! $passwd) $passwd = $config['ca_pwd']; if (! $passwdv) $passwdv = $passwd; @@ -670,6 +682,16 @@ E-mail: someone@somewhere.com &nbs if (! $base_url) $base_url = $config['base_url']; if (! $base_url) $base_url = 'http://www.somewhere.com/phpki/'; + if (! $crl_distrib) $crl_distrib = 'index.php?stage=dl_crl'; + if (! $revoke_url) $revoke_url = 'ns_revoke_query.php?'; + if (! $policy_url) $policy_url = 'policy.html'; + + if (! $comment_root) $comment_root = 'PHPki/OpenSSL Generated Root Certificate Authority'; + if (! $comment_email) $comment_email = 'PHPki/OpenSSL Generated Personal Certificate'; + if (! $comment_sign) $comment_sign = 'PHPki/OpenSSL Generated Personal Certificate'; + if (! $comment_srv) $comment_srv = 'PHPki/OpenSSL Generated Secure Server Certificate'; + if (! $comment_stamp) $comment_stamp = 'PHPki/OpenSSL Generated Time Stamping Certificate'; + if (! $ca_prefix) $ca_prefix = $config['ca_prefix']; if (! $openssl_bin) $openssl_bin = $config['openssl_bin']; @@ -770,8 +792,7 @@ E-mail: someone@somewhere.com &nbs $i bits\n" ; + print "\n" ; } ?> @@ -791,6 +812,97 @@ E-mail: someone@somewhere.com &nbs + + + Certificate Authority CRL Distribution Points
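Review bot: The new defaults in the @@ -670 hunk fall back only to literals, whereas the neighbouring lines for `$expiry`, `$keysize` and `$base_url` first try the saved `$config[...]` value and only then the literal, so re-running setup after customizing crl_distrib, revoke_url, policy_url or the comment fields silently resets them to the PHPki defaults unless the form is re-filled. Mirror the existing two-step fallback for each of the eight variables; if the shipped config template does not yet define these keys, guard the lookup with `isset()` to avoid undefined-index notices. The `default` case continues outside the hunk.
```php
    if (! $crl_distrib) $crl_distrib = $config['crl_distrib'];
    if (! $crl_distrib) $crl_distrib = 'index.php?stage=dl_crl';
    if (! $revoke_url) $revoke_url = $config['revoke_url'];
    if (! $revoke_url) $revoke_url = 'ns_revoke_query.php?';
    if (! $policy_url) $policy_url = $config['policy_url'];
    if (! $policy_url) $policy_url = 'policy.html';
    // … same two-step fallback for $comment_root, $comment_email, $comment_sign, $comment_srv, $comment_stamp …
```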
+ Provide the public URL where Certificate Revocation List (CRL) of + your CA will reside. This path is relative to Base URL above. + You may leave it by default if your clients have direct access to PHPki. + + + + + + + + + Certificate Authority Revocation Check URL
+ Provide the public URL where clients of your CA can check if the requested + certificate has been revoked. This path is relative to Base URL above. + You may leave it by default if your clients have direct access to PHPki. + + + + + + + + + Certificate Authority Policy URL
+ Provide the public URL where your CA policy will reside. + This path is relative to Base URL above. + You may leave it by default or adjust to your environment. + + + + + + + + + Root Certificate Comment
+ Root certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Email Certificate Comment
+ Email certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Email/Signing Certificate Comment
+ Email and signing certificate Comment attribute. You may change it + to something or use the default value set by PHPki. + + + + + + + + + SSL Server Certificate Comment
+ SSL server certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Time Stamping Certificate Comment
+ Time stamping certificate Comment attribute. You may change it + to something or use the default value set by PHPki. + + + + + +