* Thu Sep 11 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.84-17.sme

- import from SME10 CVS and rename back to phpki

root/README.md

@@ -10,7 +10,7 @@ No one appears to be maintaining this and I find it very handy.
 
 I discovered some issues and there are some additional bits we have for OpenVPN (if installed) at Koozali SME server so I thought I'd incorporate them in as well.
 
-It tries to detect if it is installed on Koozali which needs a couple of small mods, and if openvpn is installed it will create a takey.
+It tries to detect if it is installed on Koozali whcih needs a couple of small mods, and if openvpn is installed it wil create a takey.
 
 Note... YMMV....
 

root/ca/request_cert.php

@@ -207,29 +207,29 @@ switch ($form_stage) {
 
         <h4>Are you sure? After creation you will be returned to the Create Certificate dialogue.</h4>
         <p><form action='<?php echo $PHP_SELF?>' method=post>
-        <?php echo  $hidden_fields ?>
-        <input type=hidden name=form_stage value=final>
-        <!-- <input type=submit name=submit value='Yes. Create and Download' >&nbsp; -->
-        <input type=submit name=submit value='Yes. Just Create' >&nbsp;
-        <input type=submit name=submit value='Go Back'>
-        </form>
+    <?php echo  $hidden_fields ?>
+    <input type=hidden name=form_stage value=final>
+    <input type=submit name=submit value='Yes. Create and Download' >&nbsp;
+    <input type=submit name=submit value='Yes. Just Create' >&nbsp;
+    <input type=submit name=submit value='Go Back'>
+    </form>
 
-        <?php
-        printFooter();
+    <?php
+    printFooter();
 
-        # Save user's defaults
-        $fp = fopen($user_cnf, 'w');
-        $x = '<?php
-        $country      = \''.addslashes($country).'\';
-        $locality     = \''.addslashes($locality).'\';
-        $province     = \''.addslashes($province).'\';
-        $organization = \''.addslashes($organization).'\';
-        $unit         = \''.addslashes($unit).'\';
-        $expiry       = \''.addslashes($expiry).'\';
-        $keysize      = \''.addslashes($keysize).'\';
-        ?>';
-        fwrite($fp, $x);
-        fclose($fp);
+    # Save user's defaults
+    $fp = fopen($user_cnf, 'w');
+    $x = '<?php
+    $country      = \''.addslashes($country).'\';
+    $locality     = \''.addslashes($locality).'\';
+    $province     = \''.addslashes($province).'\';
+    $organization = \''.addslashes($organization).'\';
+    $unit         = \''.addslashes($unit).'\';
+    $expiry       = \''.addslashes($expiry).'\';
+    $keysize      = \''.addslashes($keysize).'\';
+    ?>';
+    fwrite($fp, $x);
+    fclose($fp);
 
         break;
 
@@ -263,27 +263,21 @@ switch ($form_stage) {
             }
         }
 
-        
-        // This section is disabled in the form above
-        // If we do Download it does not return to Create New cert
-        // I believe this is because the upload function messes the http headers
-        // There may be a solution but I haven't got one
-        
         if ($submit == "Yes. Create and Download") {
             switch ($cert_type) {
                 case 'server':
-                    # upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
+        #               upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
                     upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem",$config['cacert_pem']), $rec['common_name'] . "-Bundle.pem", 'application/pkix-cert');
-                    break; # << Here
+                    break;
                 case 'email':
                 case 'email_signing':
                 case 'time_stamping':
                 case 'vpn_client_server':
                 case 'vpn_client':
                 case 'vpn_server':
-                    # upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
+        #               upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
                     upload($config['pfx_dir'] . "/$serial.pfx", $rec['common_name'] . ".p12", 'application/x-pkcs12');
-                    break; # << here
+                    break;
             }
 
             # Clear common_name fields

root/dl_crl.php

@@ -0,0 +1,8 @@
+<?php
+include('./config.php');
+include(STORE_DIR.'/config/config.php');
+include('./include/common.php');
+include('./include/my_functions.php');
+include('./include/openssl_functions.php');
+upload($config['cacrl_der'], $config['ca_prefix'] . "cacrl.crl", 'application/pkix-crl');
+?>

root/dl_crl_pem.php

@@ -0,0 +1,8 @@
+<?php
+include('./config.php');
+include(STORE_DIR.'/config/config.php');
+include('./include/common.php');
+include('./include/my_functions.php');
+include('./include/openssl_functions.php');
+upload($config['cacrl_pem'], $config['ca_prefix'] . "cacrl.crl", 'application/octet-stream');
+?>

root/help.php

@@ -11,7 +11,6 @@ printHeader(about);
   <p><a href="<?php echo BASE_URL?>help/cacert_install_ie.html"><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a></p>
   <p><a href="<?php echo BASE_URL?>help/usercert_install_ie.html"><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a></p>
   <p><a href="<?php echo BASE_URL?>help/glossary.html"><h3>Glossary</h3></a></p>
-
 </center>
 <?php
 printFooter();

root/include/openssl_functions.php

@@ -601,7 +601,7 @@ function CA_revoke_cert($serial)
     $cmd_output[] = 'Revoking the certificate.';
     $configCa_pwd = $config['ca_pwd'];
     $configOpenssl_cnf = $config['openssl_cnf'];
-    exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$configCa_pwd 2>&1", $cmd_output, $ret);
+    exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret);
 
     if ($ret == 0) {
         unset($cmd_output);
@@ -652,7 +652,7 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o
     $cmd_output[] = 'Creating certificate request.';
 
     if (($_passwd) && ($_passwd != "''")) {
-        exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd  2>&1", $cmd_output, $ret);
+        exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:'$_passwd'  2>&1", $cmd_output, $ret);
     } else {
         exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes  2>&1", $cmd_output, $ret);
     }
@@ -681,8 +681,8 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o
         $configRandom = $config['random'];
 
         if (($_passwd) && ($_passwd != "''")) {
-            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $_passwd";
-            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd  2>&1", $cmd_output, $ret);
+            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass:'$_passwd'";
+            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd'  2>&1", $cmd_output, $ret);
         } else {
             $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx";
             // reetp - this needs looking at
@@ -823,8 +823,8 @@ function CA_renew_cert($old_serial, $expiry, $passwd)
         unset($cmd_output);
         $cmd_output[] = "Creating PKCS12 format certificate.";
         if (($_passwd) && ($_passwd != "''")) {
-            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass: $_passwd";
-            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd  2>&1", $cmd_output, $ret);
+            $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx  pass:'$_passwd'";
+            exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd'  2>&1", $cmd_output, $ret);
         } else {
             $cmd_output[] = "infile: $usercert   keyfile: $userkey   outfile: $userpfx";
             // reetp - this needs looking at

root/index.php

@@ -1 +0,0 @@
-readme.php

root/index.php

@@ -0,0 +1 @@
+readme.php

root/ns_revoke_query.php

@@ -16,13 +16,16 @@
 #
 include('./config.php');
 include(STORE_DIR.'/config/config.php');
-
-$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
+$serial=trim($_SERVER['QUERY_STRING']);
+if ( ! is_numeric($serial) ) {
+    # if it is not a numerical serial, then it is not revoked!
+    print '0';
+    exit;
+}
+$serial = escapeshellcmd($serial);
 #header("Content-type: application/x-netscape-revocation");
 
-# old Reg Ex doesnt work, new should do the work
-#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
-$regexp = "^R.*$serial.*$";
+$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
 $configIndex = $config['index'];
 
 if (exec("egrep '$regexp' '$configIndex'")) {

root/openssl.cnf

@@ -60,7 +60,7 @@ keyUsage               = cRLSign, keyCertSign
 nsCertType             = sslCA, emailCA, objCA
 subjectKeyIdentifier   = hash
 subjectAltName         = email:copy
-crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints  = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment              = "PHPki/OpenSSL Generated Root Certificate Authority"
 #nsCaRevocationUrl	= ns_revoke_query.php?
 nsCaPolicyUrl          = http://www.somewhere.com/phpki/policy.html
@@ -74,7 +74,7 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName         = email:copy
 issuerAltName          = issuer:copy
-crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints  = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment              = "PHPki/OpenSSL Generated Personal Certificate"
 nsBaseUrl              = http://www.somewhere.com/phpki/
 nsRevocationUrl	       = ns_revoke_query.php?
@@ -91,7 +91,7 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 subjectAltName         = email:copy
 issuerAltName          = issuer:copy
-crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints  = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment              = "PHPki/OpenSSL Generated Personal Certificate"
 nsBaseUrl              = http://www.somewhere.com/phpki/
 nsRevocationUrl	       = ns_revoke_query.php?
@@ -109,7 +109,7 @@ subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
 subjectAltName          = email:copy
 issuerAltName           = issuer:copy
-crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
+crlDistributionPoints  = URI:http://www.somewhere.com/phpki/dl_crl.php
 nsComment		= "PHPki/OpenSSL Generated Secure Server Certificate"
 nsBaseUrl		= http://www.somewhere.com/phpki/
 nsRevocationUrl		= ns_revoke_query.php?

root/search.php

@@ -102,7 +102,7 @@ switch ($stage) {
         <td><?php echo htvar($rec['unit'])?></td>
         <td><?php echo htvar($rec['locality'])?></td>
         <td><?php echo htvar($rec['province'])?></td>
-        <td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?> ?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
+        <td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
         <?php
         if ($rec['status'] != 'Revoked') {
             ?>

root/setup.php

@@ -1 +0,0 @@
-setup.php-presetup

root/setup.php

@@ -0,0 +1 @@
+setup.php-presetup

root/setup.php-presetup

@@ -801,7 +801,7 @@ EOS;
 
     case 'finished':
         // We get here if we complete the previous section
-        // if OS = SME the go to server manager else, reload
+        // if OS = SME then go to server manager else, reload
         if (getOSInformation){
             $location = "/server-manager/cgi-bin/phpki";
         } else {
@@ -887,7 +887,7 @@ E-mail: <a href=mailto:someone@somewhere.com>someone@somewhere.com</a>&nbsp;&nbs
         }
 
         if (! $crl_distrib) {
-            $crl_distrib = 'index.php?stage=dl_crl';
+            $crl_distrib = 'dl_crl.php';
         }
         if (! $revoke_url) {
             $revoke_url = 'ns_revoke_query.php?';