From 245e1bcd0be0e6d25469a65144a6ef42d450d75e Mon Sep 17 00:00:00 2001 From: Jean-Philippe Pialasse Date: Wed, 10 Sep 2025 23:04:01 -0400 Subject: [PATCH] patches applied from our bz and from sourceforge tickets phpki-0.82.bz10622.fixphpwarnings.patch phpki-0.82-empty_pass_php_5.2.patch phpki-0.82-remove_email_from_upload_file_name.patch phpki-0.82-ca_admin_users.patch phpki-0.82-expirey.patch phpki-0.82-remove_security_warning.patch phpki-0.82-ca_help.patch phpki-0.82-fix-dates-2.patch phpki-0.82-sme_admin_user.patch phpki-0.82-disable_download_after_create.patch phpki-0.82-fix-dates-3.patch phpki-0.82-sme_openvpn_bridge_compat.patch phpki-0.82-display_root_pem.patch phpki-0.82-fix-dates.patch phpki-0.82-update_crl_via_cron.patch phpki-0.82-dl_crl_in_pem.patch phpki-0.82-fix-preg_match.patch phpki-0.82-use_sha1.patch phpki-0.82-dl_display_ta_dh.patch phpki-0.82-openvpn_static_key.patch phpki-0.82-email_signing.patch phpki-0.82-potential_xss_php_self.patch --- root/admin/index.php | 4 +- root/ca/main.php | 73 +++++++++++++- root/ca/manage_certs.php | 40 +++----- root/ca/request_cert.php | 29 ++---- root/gen_crl.php | 12 +++ root/include/common.php | 7 +- root/include/my_functions.php | 53 ++++++++--- root/include/openssl_functions.php | 148 +++++++++++++++++++++-------- root/main.php | 7 +- root/openssl.cnf | 8 +- root/search.php | 12 ++- root/setup.php-presetup | 29 ++++-- 12 files changed, 299 insertions(+), 123 deletions(-) create mode 100644 root/gen_crl.php diff --git a/root/admin/index.php b/root/admin/index.php index f3727e6..486e2e3 100644 --- a/root/admin/index.php +++ b/root/admin/index.php @@ -28,7 +28,7 @@ case 'list_users': case 'add_user_form'; printHeader('admin'); ?> - +
method=post name=form> @@ -76,7 +76,7 @@ case 'add_user': case 'del_user_form'; printHeader('admin'); ?> - + method=post name=form>

Add User or Change Password

diff --git a/root/ca/main.php b/root/ca/main.php index ab634c5..50d3d03 100644 --- a/root/ca/main.php +++ b/root/ca/main.php @@ -10,6 +10,14 @@ $stage = gpvar('stage'); switch($stage) { +case 'dl_takey': + upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream'); + break; + +case 'dl_dhparam': + upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream'); + break; + case 'dl_root': upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert'); break; @@ -18,6 +26,10 @@ case 'dl_crl': upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl'); break; +case 'dl_crl_pem': + upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream'); + break; + case 'gen_crl': list($ret,$errtxt) = CA_generate_crl(); @@ -50,6 +62,46 @@ case 'gen_crl': } break; +case 'display_takey': + printHeader(false); + + ?> +
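Review bot: The new `dl_dhparam` case hard-wires `dhparam1024.pem`, and the setup hunk later in this patch leaves the 2048-bit generation commented out, so the CA distributes 1024-bit DH parameters, which are below the size considered safe since Logjam and may be refused by OpenSSL builds running at security level 2 or higher. Serving a 2048-bit file is the usual fix: `upload("$config[private_dir]/dhparam2048.pem", "$config[ca_prefix]dhparam2048.pem", 'application/octet-stream');` together with an `openssl dhparam -out ... 2048` step in setup. The ta key and dhparam are read from fixed paths under `$config[private_dir]`, which is fine as long as no request data ever reaches those paths. The enclosing `switch($stage)` continues outside this hunk.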
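Review bot: `dl_crl_pem` sends the PEM CRL under the same download name `cacrl.crl` that `dl_crl` uses for the DER copy, and as `application/octet-stream`, so a user who fetches both gets two identically named files and a `.crl` extension that most tools interpret as DER. Naming it by encoding removes the ambiguity: `upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.pem", 'application/pkix-crl');`. The switch this case belongs to starts and ends outside the hunk.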

OpenVPN pre-shared Key

+

+ method=post> + + + '.ta_key_text().''; + break; + +case 'display_dhparam': + printHeader(false); + + ?> +

OpenVPN Diffie-Helman parameters

+

+
method=post> + + + '.dhparam_text().''; + break; + +case 'display_root_pem': + printHeader(false); + + ?> +

Root certificate file (PEM Encoded)

+

+
method=post> + + + '.root_pem_text().''; + break; + + default: printHeader('ca'); ?> @@ -74,18 +126,31 @@ default:
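Review bot: The three `display_*` cases concatenate `ta_key_text()`, `dhparam_text()` and `root_pem_text()` straight into the HTML (`'.ta_key_text().'`) without `htmlspecialchars()`, and the tls-auth key in particular is a shared secret that is rendered in a normal HTML response with no `Cache-Control: no-store` header, so it can end up in browser and proxy caches. Escaping is cheap even if today's file contents are plain PEM/base64: `print htmlspecialchars(ta_key_text());` in each case, plus `header('Cache-Control: no-store');` before `printHeader(false)` for the key page. Whether `printHeader(false)` still enforces the CA-operator login that `printHeader('ca')` implies is not visible here and should be confirmed, since this content comes from `$config[private_dir]`. The heading `OpenVPN Diffie-Helman parameters` should read `Diffie-Hellman`.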

+ Read the online help to learn more about this. + ?stage=dl_root>Download the Root Certificate

+ ?stage=display_root_pem>Display the Root Certificate (PEM Encoded) + browser application is optional. Some applications will automagically reference this list. + (Some will need it in PEM format.) + + + + + +

Remove User

Some applications automagically reference the Certificate Revocation List to determine certificate validity. It is not necessary to perform this update function, as the CRL is updated when certificates are revoked. However, doing so is harmless. - Read the online help to learn more about this.
- ?stage=dl_root>Download the Root Certificate The "Root" certificate must be installed before using any of the - certificates issued here. Read the online help + certificates issued here. Read the online help to learn more about this.
?stage=dl_crl>Download the Certificate Revocation List This is the official list of revoked certificates. Using this list with your e-mail or - browser application is optional. Some applications will automagically reference this list.
+ ?stage=dl_takey>Download the static pre-shared key

+ ?stage=display_takey>Display the static pre-shared key
This key can be used with OpenVPN as a standalone auth mecanism, or as an additionnal TLS authentication.
+ ?stage=dl_dhparam>Download the Diffie-Hellman parameters

+ ?stage=display_dhparam>Display the Diffie-Hellman parameters
This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement + protocol enables two communication partners to exchange a secret key safely.
diff --git a/root/ca/manage_certs.php b/root/ca/manage_certs.php index 836dcb5..b08bca3 100644 --- a/root/ca/manage_certs.php +++ b/root/ca/manage_certs.php @@ -20,12 +20,6 @@ $show_valid = gpvar('show_valid'); $show_revoked = gpvar('show_revoked'); $show_expired = gpvar('show_expired'); - -# Prevent handling certs that don't belong to user -if ($serial && CAdb_issuer($serial) != $PHPki_user && ! in_array($PHPki_user, $PHPki_admins)) { - $stage = 'goaway'; -} - if ( !($show_valid.$show_revoked.$show_expired) ) { $show_valid = 'V'; $show_revoked = 'R'; 
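Review bot: Deleting the `CAdb_issuer($serial) != $PHPki_user` guard means the `download` stage further down this file, which serves `$serial-key.pem` and `$serial.pfx` out of `$config[private_dir]` and `$config[pfx_dir]`, no longer checks that the caller issued the certificate, so any account that can reach manage_certs.php can pull any private key by serial. If the intent (per the ca_admin_users patch name) is that every CA user is an administrator, say so where the check was: `# All CA users are treated as administrators; the per-user ownership check was removed on purpose (ca_admin_users patch).` Otherwise keep the guard and only bypass it for `$PHPki_admins`. The stage handling that follows is outside this hunk.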
@@ -92,19 +86,19 @@ case 'download': switch ($dl_type) { case 'PKCS#12': - upload("$config[pfx_dir]/$serial.pfx", "$rec[common_name] ($rec[email]).p12", 'application/x-pkcs12'); + upload("$config[pfx_dir]/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12'); break; case 'PEMCERT': - upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name] ($rec[email]).pem",'application/pkix-cert'); + upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name]-cert.pem",'application/pkix-cert'); break; case 'PEMKEY': - upload("$config[private_dir]/$serial-key.pem", "$rec[common_name] ($rec[email])-key.pem",'application/octet-stream'); + upload("$config[private_dir]/$serial-key.pem", "$rec[common_name]-key.pem",'application/octet-stream'); break; case 'PEMBUNDLE': - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem"), "$rec[common_name] ($rec[email]).pem",'application/octet-stream'); + upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem"), "$rec[common_name]-bundle.pem",'application/octet-stream'); break; case 'PEMCABUNDLE': - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$rec[common_name] ($rec[email]).pem",'application/octet-stream'); + upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$rec[common_name]-bundle-root.pem",'application/octet-stream'); break; default: header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter"); @@ -129,6 +123,7 @@ case 'revoke-form': Locality
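Review bot: The download names now place `$rec[common_name]` directly into the file name handed to `upload()`, and the common name originates from the request form; if `upload()` (not visible here) builds `Content-Disposition` by concatenation, a CN containing `"` or `;` breaks the header and a CN with `/` or `..` produces an odd save path in some clients. Sanitising once before the switch keeps the five cases simple: `$fname = preg_replace('/[^A-Za-z0-9._-]+/', '_', $rec['common_name']);` and then `"$fname.p12"`, `"$fname-cert.pem"`, and so on. The `header("Location: ${PHP_SELF}?...")` in the default branch is unchanged by this hunk but is the same raw `$PHP_SELF` this patch escapes elsewhere. The enclosing `case 'download'` begins outside the hunk.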
State/Province
Country
+

Are you sure?

-

+   @@ -204,7 +199,7 @@ case 'renew-form': printHeader('ca'); ?> - + @@ -252,8 +247,10 @@ case 'renew-form':
'; @@ -121,7 +127,7 @@ default: printHeader('public'); ?> - +

Certificate Search

method=post name=search> diff --git a/root/setup.php-presetup b/root/setup.php-presetup index b0118f7..69ee414 100644 --- a/root/setup.php-presetup +++ b/root/setup.php-presetup @@ -102,6 +102,11 @@ case 'validate': if (! $passwd_file) $er .= 'Missing User Password File Location'; if (! $store_dir) $er .= 'Missing Storage Directory
'; + $countrycode = strtoupper($country); + + if (! preg_match("/\b[A-Z][A-Z]\b/", $countrycode, $match) ) { + $er .= 'Country Code must be ISO 3166 two letters
'; + } if ( $passwd && strlen($passwd) < 8 ) $er .= 'Certificate password is too short.
'; @@ -248,7 +253,7 @@ case 'write': # Default OpenSSL Config File. \$config['openssl_cnf'] = \$config['home_dir'] . '/config/openssl.cnf'; -\$PHPki_admins = Array(md5('pkiadmin')); +\$PHPki_admins = Array(md5('admin')); define('OPENSSL',\$config['openssl_bin'].' '); define('X509', OPENSSL . ' x509 '); @@ -314,7 +319,7 @@ crl_extensions = crl_ext default_days = 365 default_crl_days = 30 preserve = no -default_md = md5 +default_md = sha1 [ ca ] default_ca = email_cert @@ -604,6 +609,17 @@ EOS; flush(); flush_exec($cmd,100); + # + # Create a TLS auth key for OpenVPN. + # + + print '
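Review bot: The new country-code check uses `\b[A-Z][A-Z]\b` with no anchors, so it accepts inputs such as `US, CA`, `XX YY` or `US.` as long as any two-letter word appears, while the value that is presumably written into the generated openssl.cnf is still the raw `$country` rather than the uppercased `$countrycode` (the later write is not visible in this hunk). Anchor the pattern and normalise the variable that is actually used: `$countrycode = strtoupper(trim($country)); if (!preg_match('/^[A-Z]{2}$/', $countrycode)) { $er .= 'Country Code must be ISO 3166 two letters'; }`. The unused `$match` capture can be dropped. The `case 'validate'` block continues outside this hunk.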
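Review bot: `default_md = sha1` in the openssl.cnf template written by `case 'write'` replaces md5 with a digest that is itself no longer accepted for certificate signatures by mainstream browsers and by OpenSSL's default security level, so every certificate and CRL this CA signs after setup would still be rejected by current clients. `default_md = sha256` is the drop-in value; existing certificates keep whatever digest they were issued with. The same line exists in root/openssl.cnf and the two templates should be changed together. The heredoc this line sits in starts and ends outside the hunk.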

Creating a TLS authentication key used by OpenVPN.
'; + print "Saving to $store_dir/takey.pem.

"; + $cmd = "openvpn --genkey --secret '$config[private_dir]/takey.pem'"; + print $cmd.'
'; + flush(); + flush_exec($cmd); + #print '

Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
'; #print "Saving to $store_dir/dhparam2048.pem.

"; @@ -624,7 +640,6 @@ EOS; ?>

Setup is complete. Your CA root certificate as been created.

-

SECURITY WARNING!   Be sure to run the secure.sh shell script as the root user.



@@ -752,9 +767,8 @@ E-mail: someone@somewhere.com &nbs

CERTIFICATE MANAGEMENT CONTROL PANEL
" method=get name=filter> Search: -       >Valid +       >Valid   >Revoked   >Expired       @@ -364,12 +359,7 @@ default: $x = "^[$show_valid$show_revoked$show_expired]"; - if (in_array($PHPki_user, $PHPki_admins)) { - $x = "$x.*$search"; - } - else { - $x = "$x.*$search.*$PHPki_user|$x.*$PHPki_user.*$search"; - } + $x = "$x.*$search"; $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC)); diff --git a/root/ca/request_cert.php b/root/ca/request_cert.php index 16c816f..31582e7 100644 --- a/root/ca/request_cert.php +++ b/root/ca/request_cert.php @@ -141,7 +141,7 @@ case 'confirm':

-   +   @@ -165,7 +165,7 @@ case 'confirm': break; case 'final': - if ($submit == "Yes! Create and Download") { + if ($submit == "Yes") { if (! $serial = CAdb_in($email,$common_name)) { list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize); @@ -194,22 +194,9 @@ case 'final': $serial = $errtxt; } } + # CLear common_name fiels + $common_name = ''; - switch($cert_type) { - case 'server': - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); - break; - case 'email': - case 'email_signing': - case 'time_stamping': - case 'vpn_client_server': - case 'vpn_client': - case 'vpn_server': - upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12'); - break; - } - - break; } default: # @@ -229,7 +216,7 @@ default: printHeader(); ?> - +
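Review bot: Removing the trailing `break;` makes `case 'final'` fall through into `default:`, which re-renders the request form; that looks intended, since `$common_name` is blanked just before, but a reader will take the missing break for a bug. Make it explicit and fix the typo: `# Clear the common_name field, then fall through to default: to redisplay the request form`. Since the automatic download is gone, the newly created key is only retrievable via manage_certs.php, so the success path should tell the user where to fetch it. The `case 'final'` body begins outside this hunk.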

@@ -276,8 +263,10 @@ default: + this list is optional. Some e-mail programs will reference this list automagically. + (Some will need it in PEM format.)

Certificate Request Form

Key Size
?stage=dl_crl>Download Our Certificate Revocation List The official list of certificates revoked by this site. Installation and use of - this list is optional. Some e-mail programs will reference this list automagically.
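Review bot: The renamed `[ email_signing_ext ]` section still carries `extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning` (a context line the rename leaves untouched), so a profile now called "email signing" also yields a valid code-signing certificate; if the rename reflects the intended use, drop `codeSigning` from that line and keep it for a dedicated profile. The `default_md = sha1` change in the first hunk of this file has the same issue as its twin in setup.php-presetup: SHA-1 signatures are refused by current browsers and OpenSSL security levels, so `default_md = sha256` is the value to use. The sections touched here extend beyond the hunks.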
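Review bot: The new `download_pem` case builds `"$config[new_certs_dir]/$serial.pem"` from the request's `$serial`, and this file is rendered with `printHeader('public')`, so unless `$serial` is validated before this switch (not visible in the hunk) a `../` sequence in it can steer the path into `$config[private_dir]`, where the key files also end in `.pem`, and `upload()` would serve a private key anonymously; the pre-existing `download` case has the same shape but its `.der` suffix does not match key files. Guard the serial before touching the filesystem: `if (!preg_match('/^[0-9A-Fa-f]+$/', $serial)) break;`. The `case` list continues outside the hunk.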
diff --git a/root/openssl.cnf b/root/openssl.cnf index 8cbf59e..a1283f6 100644 --- a/root/openssl.cnf +++ b/root/openssl.cnf @@ -14,7 +14,7 @@ crl_extensions = crl_ext default_days = 365 default_crl_days = 30 preserve = no -default_md = md5 +default_md = sha1 [ ca ] default_ca = email_cert @@ -29,8 +29,8 @@ x509_extensions = email_ext default_days = 365 policy = policy_supplied -[ email_codesigning_cert ] -x509_extensions = email_codesigning_ext +[ email_signing_cert ] +x509_extensions = email_signing_ext default_days = 365 policy = policy_supplied @@ -82,7 +82,7 @@ nsRevocationUrl = ns_revoke_query.php? nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html #nsSslServerName = -[ email_codesigning_ext ] +[ email_signing_ext ] basicConstraints = critical, CA:false keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning diff --git a/root/search.php b/root/search.php index f779353..f628bde 100644 --- a/root/search.php +++ b/root/search.php @@ -36,7 +36,12 @@ case display: case 'download': $rec = CAdb_get_entry($serial); - upload("$config[cert_dir]/$serial.der", "$rec[common_name] ($rec[email]).cer", 'application/pkix-cert'); + upload("$config[cert_dir]/$serial.der", "$rec[common_name].cer", 'application/pkix-cert'); + break; + +case 'download_pem': + $rec = CAdb_get_entry($serial); + upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name].pem", 'application/pkix-cert'); break; case search: @@ -44,7 +49,7 @@ case search: $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search"); - print ''; + print ''; if (sizeof($db) == 0) { ?>
@@ -97,6 +102,7 @@ case search: if ($rec['status'] != 'Revoked') { ?> ?stage=download&serial=>Download + ?stage=download_pem&serial=>Download (in PEM format)