* Thu Sep 11 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.84-17.sme

- import from SME10 CVS and rename back to phpki
2025-09-11 00:08:25 -04:00
parent a747530268
commit 0611ace533
14 changed files with 93 additions and 69 deletions


@@ -1,10 +1,10 @@
# $Id: phpki-ng.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $
# $Id: phpki.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $
# Authority: vip-ire
# Name: Daniel Berteaud
%define name phpki
%define version 0.84
%define release 12
%define release 17
Summary: Phpki is a simple certificate management suite
Name: %{name}
Version: %{version}
@@ -14,14 +14,16 @@ URL: http://sourceforge.net/projects/phpki/
Group: SMEserver/addon
#wget http://www.fooweb.com/downloads/foo-3.6.431.tar.gz
Source: %{name}-%{version}.tar.gz
Patch1: phpki-ng-0.84-fix-for-php74-code-tidy.patch
Patch2: phpki-ng-0.84-fix-pregmatch-revoke-certs.patch
Patch3: phpki-ng-0.84-fix-crl.patch
Patch4: phpki-ng-0.84-fix-missing-slash-certtype-detection.patch
Patch5: phpki-ng-0.84-fix-html-directory-check.patch
Patch6: phpki-ng-0.84-fix-download-cert.patch
Patch7: phpki-ng-0.84-fix-html-syntax-in-help.patch
Patch8: phpki-ng-0.84-fix-final-redirect.patch
#Patch1: phpki-ng-0.84-fix-for-php74-code-tidy.patch
#Patch2: phpki-ng-0.84-fix-pregmatch-revoke-certs.patch
#Patch3: phpki-ng-0.84-fix-crl.patch
#Patch4: phpki-ng-0.84-fix-missing-slash-certtype-detection.patch
#Patch5: phpki-ng-0.84-fix-html-directory-check.patch
#Patch6: phpki-ng-0.84-fix-download-cert.patch
#Patch7: phpki-ng-0.84-fix-html-syntax-in-help.patch
#Patch8: phpki-ng-0.84-fix-final-redirect.patch
#Patch9: phpki-ng-bz12272-bz12273-crl-whitespacepass.patch
#Patch10: phpki-ng-bz12274-regex-secu.patch
BuildArch: noarch
BuildRoot: /var/tmp/%{name}-%{version}
@@ -44,6 +46,24 @@ With it, you may create and centrally manage X.509 certificates for use with S/M
e-mail clients, SSL servers, and VPN applications.
%changelog
* Thu Sep 11 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.84-17.sme
- import from SME10 CVS and rename back to phpki
* Sat Dec 17 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.84-16.sme
- add dl_crl_pem.php [SME: 12272]
* Wed Dec 14 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.84-15.sme
- fix regex and potential code injection [SME: 12274]
* Wed Dec 14 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.84-14.sme
- add easy and safe access to crl download [SME: 12272]
- fix revoke certificate failing on whitespace pass [SME: 12273]
- fix missing default_md in config.php from previous versions [SME: 12267]
- updated scriptlet to ease backup and restore
* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.84-13.sme
- remove extra space in URL in search.php [SME: 12232]
* Thu Sep 30 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-12.sme
- Attempt to fix the final reload after CA creation [SME: 11192]
@@ -198,14 +218,6 @@ e-mail clients, SSL servers, and VPN applications.
%prep
%setup -c -n %{name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
%{__mkdir_p} root/opt/phpki/html
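Review bot: The Patch1–Patch10 lines are kept as comments rather than removed, so a reader cannot tell whether the corresponding fixes — including the bz12274 regex/injection fix that the changelog names — are now carried in the source tarball or were dropped. The removal of the matching `%patchN -p1` lines in `%prep` suggests they were folded into the tree; stating that in the spec, e.g. `# Patches 1-10 were merged into the source tree with the 0.84-17 import; kept for history` above the block, or deleting the commented lines outright, would make it explicit. The source URL on the `URL:` line remains plain http; that is pre-existing and unrelated to this change.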


@@ -10,7 +10,7 @@ No one appears to be maintaining this and I find it very handy.
I discovered some issues and there are some additional bits we have for OpenVPN (if installed) at Koozali SME server so I thought I'd incorporate them in as well.
It tries to detect if it is installed on Koozali which needs a couple of small mods, and if openvpn is installed it will create a takey.
It tries to detect if it is installed on Koozali whcih needs a couple of small mods, and if openvpn is installed it wil create a takey.
Note... YMMV....


@@ -209,7 +209,7 @@ switch ($form_stage) {
<p><form action='<?php echo $PHP_SELF?>' method=post>
<?php echo $hidden_fields ?>
<input type=hidden name=form_stage value=final>
<!-- <input type=submit name=submit value='Yes. Create and Download' >&nbsp; -->
<input type=submit name=submit value='Yes. Create and Download' >&nbsp;
<input type=submit name=submit value='Yes. Just Create' >&nbsp;
<input type=submit name=submit value='Go Back'>
</form>
@@ -263,18 +263,12 @@ switch ($form_stage) {
}
}
// This section is disabled in the form above
// If we do Download it does not return to Create New cert
// I believe this is because the upload function messes the http headers
// There may be a solution but I haven't got one
if ($submit == "Yes. Create and Download") {
switch ($cert_type) {
case 'server':
# upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem",$config['cacert_pem']), $rec['common_name'] . "-Bundle.pem", 'application/pkix-cert');
break; # << Here
break;
case 'email':
case 'email_signing':
case 'time_stamping':
@@ -283,7 +277,7 @@ switch ($form_stage) {
case 'vpn_server':
# upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
upload($config['pfx_dir'] . "/$serial.pfx", $rec['common_name'] . ".p12", 'application/x-pkcs12');
break; # << here
break;
}
# Clear common_name fields
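Review bot: The `Yes. Create and Download` button is re-enabled and the comment explaining why it was disabled (after the download, control does not return to the Create New cert page because upload() sends the file headers) is removed, but nothing in this hunk shows that the redirect-after-download problem was addressed; if it is still open, keep a shortened form of that comment above the `if ($submit == "Yes. Create and Download")` branch. Separately, the download filename is built from `$rec['common_name']`, which originates in user-submitted form data; whether upload() strips quotes, CR/LF and path separators before placing it in the Content-Disposition header is not visible here and is worth confirming. The enclosing `switch ($form_stage)` starts and ends outside the hunk.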

root/dl_crl.php Normal file

@@ -0,0 +1,8 @@
<?php
include('./config.php');
include(STORE_DIR.'/config/config.php');
include('./include/common.php');
include('./include/my_functions.php');
include('./include/openssl_functions.php');
upload($config['cacrl_der'], $config['ca_prefix'] . "cacrl.crl", 'application/pkix-crl');
?>
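Review bot: The new file ends with a closing `?>` tag; PHP swallows only the single newline that directly follows it, so any further whitespace or blank line at the end of the file is emitted after the DER body that upload() writes and corrupts the downloaded CRL for strict parsers. Drop the closing tag, as is conventional for PHP-only files; the same applies to root/dl_crl_pem.php. Whether upload() exits before returning, which would make trailing bytes harmless, cannot be seen from this hunk.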

root/dl_crl_pem.php Normal file

@@ -0,0 +1,8 @@
<?php
include('./config.php');
include(STORE_DIR.'/config/config.php');
include('./include/common.php');
include('./include/my_functions.php');
include('./include/openssl_functions.php');
upload($config['cacrl_pem'], $config['ca_prefix'] . "cacrl.crl", 'application/octet-stream');
?>
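Review bot: The PEM variant is served under the same filename as the DER variant, `$config['ca_prefix'] . "cacrl.crl"`, but with `application/octet-stream`, so a user who saves both gets two indistinguishable files with different encodings. Giving this one a distinct suffix, e.g. `$config['ca_prefix'] . "cacrl.pem"`, makes the encoding visible to the user and to tools that pick a parser by extension.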


@@ -11,7 +11,6 @@ printHeader(about);
<p><a href="<?php echo BASE_URL?>help/cacert_install_ie.html"><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a></p>
<p><a href="<?php echo BASE_URL?>help/usercert_install_ie.html"><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a></p>
<p><a href="<?php echo BASE_URL?>help/glossary.html"><h3>Glossary</h3></a></p>
</center>
<?php
printFooter();


@@ -601,7 +601,7 @@ function CA_revoke_cert($serial)
$cmd_output[] = 'Revoking the certificate.';
$configCa_pwd = $config['ca_pwd'];
$configOpenssl_cnf = $config['openssl_cnf'];
exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$configCa_pwd 2>&1", $cmd_output, $ret);
exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret);
if ($ret == 0) {
unset($cmd_output);
@@ -652,7 +652,7 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o
$cmd_output[] = 'Creating certificate request.';
if (($_passwd) && ($_passwd != "''")) {
exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd 2>&1", $cmd_output, $ret);
exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret);
} else {
exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret);
}
@@ -681,8 +681,8 @@ function CA_create_cert($cert_type = 'email', $country, $province, $locality, $o
$configRandom = $config['random'];
if (($_passwd) && ($_passwd != "''")) {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass:'$_passwd'";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret);
} else {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
// reetp - this needs looking at
@@ -823,8 +823,8 @@ function CA_renew_cert($old_serial, $expiry, $passwd)
unset($cmd_output);
$cmd_output[] = "Creating PKCS12 format certificate.";
if (($_passwd) && ($_passwd != "''")) {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass:'$_passwd'";
exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:'$_passwd' -passout pass:'$_passwd' 2>&1", $cmd_output, $ret);
} else {
$cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
// reetp - this needs looking at
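Review bot: Single-quoting `pass:'$configCa_pwd'` and `pass:'$_passwd'` stops whitespace from splitting the argument, but a password containing a single quote still closes the quoting and the remainder of the value is interpreted by the shell; `escapeshellarg()` covers both cases, e.g. `-passin pass:" . escapeshellarg($configCa_pwd) . " 2>&1"` (CA_revoke_cert already passes `$certfile` through an `escshellarg()` helper — if that is a wrapper around escapeshellarg, reuse it for the password too). The `$cmd_output[] = "... pass:'$_passwd'"` lines in CA_create_cert and CA_renew_cert still record the cleartext key password in the command log next to the file names; dropping the `pass:` part keeps the log useful without the secret. Independently of quoting, `-passin pass:` and `-passout pass:` put the password on the openssl command line, where other local users can read it from the process list for the duration of the call; OpenSSL's `stdin`, `file:` or `env:` password sources avoid that. All four enclosing functions start and end outside these hunks.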


@@ -1 +0,0 @@
readme.php

root/index.php Symbolic link

@@ -0,0 +1 @@
readme.php


@@ -16,13 +16,16 @@
#
include('./config.php');
include(STORE_DIR.'/config/config.php');
$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING']));
$serial=trim($_SERVER['QUERY_STRING']);
if ( ! is_numeric($serial) ) {
# if it is not a numerical serial, then it is not revoked!
print '0';
exit;
}
$serial = escapeshellcmd($serial);
#header("Content-type: application/x-netscape-revocation");
# old Reg Ex doesnt work, new should do the work
#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
$regexp = "^R.*$serial.*$";
$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
$configIndex = $config['index'];
if (exec("egrep '$regexp' '$configIndex'")) {
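Review bot: `is_numeric($serial)` is looser than the check needs to be: it also accepts a leading sign, a decimal point and exponent notation such as `1e3`, and under PHP 8 surrounding whitespace, so values that cannot be a serial still reach the `egrep` pattern. None of those characters can break out of the single-quoted pattern, so this is about precision rather than injection. Conversely, if the index file stores serials in hexadecimal as OpenSSL writes them, a serial like `1A` is rejected here and reported as not revoked. A `preg_match('/^[0-9A-Fa-f]+$/', $serial)` check (or `ctype_digit($serial)` if serials are decimal only — confirm against how the index is written) would be both stricter and correct, and after it the `escapeshellcmd($serial)` call is redundant because no shell metacharacter can remain.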


@@ -60,7 +60,7 @@ keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
subjectAltName = email:copy
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
nsComment = "PHPki/OpenSSL Generated Root Certificate Authority"
#nsCaRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
@@ -74,7 +74,7 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
nsComment = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
@@ -91,7 +91,7 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
nsComment = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
@@ -109,7 +109,7 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
crlDistributionPoints = URI:http://www.somewhere.com/phpki/dl_crl.php
nsComment = "PHPki/OpenSSL Generated Secure Server Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?


@@ -102,7 +102,7 @@ switch ($stage) {
<td><?php echo htvar($rec['unit'])?></td>
<td><?php echo htvar($rec['locality'])?></td>
<td><?php echo htvar($rec['province'])?></td>
<td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?> ?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
<td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
<?php
if ($rec['status'] != 'Revoked') {
?>

root/secure.sh Normal file → Executable file


@@ -1 +0,0 @@
setup.php-presetup

root/setup.php Symbolic link

@@ -0,0 +1 @@
setup.php-presetup


@@ -801,7 +801,7 @@ EOS;
case 'finished':
// We get here if we complete the previous section
// if OS = SME the go to server manager else, reload
// if OS = SME then go to server manager else, reload
if (getOSInformation){
$location = "/server-manager/cgi-bin/phpki";
} else {
@@ -887,7 +887,7 @@ E-mail: <a href=mailto:someone@somewhere.com>someone@somewhere.com</a>&nbsp;&nbs
}
if (! $crl_distrib) {
$crl_distrib = 'index.php?stage=dl_crl';
$crl_distrib = 'dl_crl.php';
}
if (! $revoke_url) {
$revoke_url = 'ns_revoke_query.php?';
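Review bot: `if (getOSInformation){` on the context line of the first hunk tests a bare constant, not a function call: under PHP 7 an undefined constant degrades to the string `'getOSInformation'` with a warning, so the server-manager branch is always taken, and under PHP 8 it throws an Error. Presumably `if (getOSInformation()) {` was meant — confirm against the helper's definition, which is outside this hunk. The comment correction on the line above does not change this behaviour. The enclosing switch starts and ends outside the hunk.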