patches applied from our bz and from sourceforge tickets

phpki-0.82.bz10622.fixphpwarnings.patch         phpki-0.82-empty_pass_php_5.2.patch      phpki-0.82-remove_email_from_upload_file_name.patch
phpki-0.82-ca_admin_users.patch                 phpki-0.82-expirey.patch                 phpki-0.82-remove_security_warning.patch
phpki-0.82-ca_help.patch                        phpki-0.82-fix-dates-2.patch             phpki-0.82-sme_admin_user.patch
phpki-0.82-disable_download_after_create.patch  phpki-0.82-fix-dates-3.patch             phpki-0.82-sme_openvpn_bridge_compat.patch
phpki-0.82-display_root_pem.patch               phpki-0.82-fix-dates.patch               phpki-0.82-update_crl_via_cron.patch
phpki-0.82-dl_crl_in_pem.patch                  phpki-0.82-fix-preg_match.patch          phpki-0.82-use_sha1.patch
phpki-0.82-dl_display_ta_dh.patch               phpki-0.82-openvpn_static_key.patch
phpki-0.82-email_signing.patch                  phpki-0.82-potential_xss_php_self.patch
This commit is contained in:
2025-09-10 23:04:01 -04:00
parent 66ea908568
commit 245e1bcd0b
12 changed files with 299 additions and 123 deletions


@@ -13,7 +13,7 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
$cnf_contents = "
HOME = $config[home_dir]
RANDFILE = $config[random]
dir = $config[ca_dir]
dir = $config[ca_dir]
certs = $config[cert_dir]
crl_dir = $config[crl_dir]
database = $config[index]
@@ -27,7 +27,7 @@ crl_extentions = crl_ext
default_days = 365
default_crl_days = 30
preserve = no
default_md = md5
default_md = sha1
[ req ]
default_bits = $keysize
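Review bot: `default_md = sha1` on the new side swaps md5 for a digest that is itself no longer acceptable for certificate signatures: SHA-1 has had practical chosen-prefix collisions since 2020, and OpenSSL 3 by default refuses SHA-1-signed certificates at its standard security level, so OpenVPN and TLS clients built against it will reject what this CA issues. Change the line to `default_md = sha256`; certificates already issued keep their existing signature, only new issuance picks up the new digest. This setting lives inside the `$cnf_contents` string of CA_create_cnf, which begins and ends outside this hunk.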
@@ -59,8 +59,8 @@ x509_extensions = email_ext
default_days = 365
policy = policy_supplied
[ email_codesigning_cert ]
x509_extensions = email_codesigning_ext
[ email_signing_cert ]
x509_extensions = email_signing_ext
default_days = 365
policy = policy_supplied
@@ -122,7 +122,7 @@ nsBaseUrl = $config[base_url]
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = $config[base_url]policy.html
[ email_codesigning_ext ]
[ email_signing_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
@@ -194,7 +194,7 @@ subjectAltName = DNS:$common_name,email:copy
";
# Write out the config file.
$cnf_file = tempnam('./tmp','cnf-');
$cnf_file = tempnam('../../tmp','cnf-');
$handle = fopen($cnf_file,"w");
fwrite($handle, $cnf_contents);
fclose($handle);
@@ -212,18 +212,22 @@ function CAdb_to_array($search = '.*') {
global $config;
# Prepend a default status to search string if missing.
if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
#if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
if (! preg_match("/^\^\[.*\]/", $search)) $search = '^[VRE].*'.$search;
# Include valid certs?
if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
#if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
if (preg_match('/^\^\[.*V.*\]/',$search)) $inclval = true;
# Include revoked certs?
if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
#if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
if (preg_match('/^\^\[.*R.*\]/',$search)) $inclrev = true;
# Include expired certs?
if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
#if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
if (preg_match('/^\^\[.*E.*\]/',$search)) $inclexp = true;
# There isn't really a status of 'E' in the openssl index.
# Change (E)xpired to (V)alid within the search string.
$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
#$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
$search = preg_replace('/^(\^\[.*)E(.*\])/','${1}V${2}',$search);
$db = array();
exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
@@ -315,24 +319,59 @@ function CAdb_explode_entry($dbentry) {
break;
}
sscanf(CA_cert_startdate($a[3]),"%s %s %s %s", $mm,$dd,$tt,$yy);
$db['issued'] = strftime("%y-%b-%d", strtotime("$dd $mm $yy"));
// CA_cert_start/enddate
// A date will be returned in this format
// Feb 27 16:00:09 2020 GMT
// Add a 'digital' sort key for digital date sorting later
sscanf(CA_cert_startdate($a[3]),"%s%s%s%s", $mm,$dd,$tt,$yy);
$db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
$db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
sscanf($a[1], "%2s%2s%2s",$yy,$mm,$dd);
$db['expires'] = strftime("%y-%b-%d", strtotime("$mm/$dd/$yy"));
sscanf(CA_cert_enddate($a[3]), "%s%s%s%s",$mm,$dd,$tt,$yy);
$db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
$db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
if (time() > strtotime("$mm/$dd/$yy"))
$db['status'] = "Expired";
if (time() > strtotime("$yy-$mm-$dd")) {
$db['status'] = "Expired";
}
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = $b[3];
$db['organization'] = $b[4];
$db['issuer'] = $b[5];
$db['unit'] = $b[6];
$db['common_name'] = $b[7];
$db['email'] = $b[8];
// Compatibility with migrated certs from openvpn-bridge
if(count($b) == 7){
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = '';
$db['organization'] = $b[3];
$db['issuer'] = '';
$db['unit'] = $b[4];
$db['common_name'] = $b[5];
$db['email'] = $b[6];
}
// Compatibility with renewed certs from openvpn-bridge
elseif(count($b) == 8){
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = $b[3];
$db['organization'] = $b[4];
$db['issuer'] = '';
$db['unit'] = $b[5];
$db['common_name'] = $b[6];
$db['email'] = $b[7];
}
// Else, it's a certificate created with phpki
else{
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = $b[3];
$db['organization'] = $b[4];
$db['issuer'] = $b[5];
$db['unit'] = $b[6];
$db['common_name'] = $b[7];
$db['email'] = $b[8];
}
return $db;
}
@@ -349,7 +388,7 @@ function CAdb_is_revoked($serial) {
if ($x) {
list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
sscanf($revoke_date, "%2s%2s%2s",$yy,$mm,$dd);
return strftime("%b %d, %Y", strtotime("$mm/$dd/$yy"));
return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
}
else
return false;
@@ -388,6 +427,24 @@ function CA_crl_text() {
return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
}
// Returns the static takey.pem file
function ta_key_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
}
// Returns the dhparam file
function dhparam_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1'));
}
// Returns the root CA certificate file (PEM Encoded)
function root_pem_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
}
//
// Returns the subject of a certificate.
//
@@ -403,7 +460,9 @@ function CA_cert_subject($serial) {
//
function CA_cert_cname($serial) {
global $config;
return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
#return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
return(preg_replace('/^.*\/CN=(.*)\/.*/','${1}',CA_cert_subject($serial)));
}
//
@@ -497,7 +556,7 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
unset($cmd_output);
$cmd_output[] = 'Creating certifcate request.';
if ($passwd) {
if (($passwd) && ($passwd != "''")) {
exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$passwd 2>&1", $cmd_output, $ret);
}
else {
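Review bot: The `-passout pass:$passwd` argument on the exec line places the private-key passphrase in the openssl process's argument list, where any local account can read it via `ps` or `/proc/<pid>/cmdline` for as long as key generation runs; the new `$passwd != "''"` guard only decides whether that argument is emitted. The guard also implies callers pass an escapeshellarg()'d value (an empty string escapes to `''`), so the unquoted interpolation is safe only while every call site does that — if one hands over the raw form field, this line is a shell-injection point, and the emptiness check is better made on the raw value before escaping. Prefer `-passout stdin` and write the unescaped passphrase to the child through proc_open(), which keeps it out of the command line entirely. CA_create_cert's body starts and continues outside this hunk.
```php
if (($passwd) && ($passwd != "''")) {
    // Feed the passphrase on stdin so it never appears in the process argument list.
    // NOTE(review): $passwd must be the raw value here, not the escapeshellarg()'d form.
    $proc = proc_open(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout stdin 2>&1",
                      array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes);
    fwrite($pipes[0], $passwd . "\n");
    fclose($pipes[0]);
    $cmd_output = array_merge($cmd_output, explode("\n", rtrim(stream_get_contents($pipes[1]))));
    fclose($pipes[1]);
    $ret = proc_close($proc);
}
// … unchanged: else branch without a passphrase …
```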
@@ -665,6 +724,14 @@ function CA_renew_cert($old_serial,$expiry,$passwd) {
#Unlock the CA database
fclose($fd);
# https://github.com/radicand/phpki/issues/14
if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) {
$cert_type = 'email_signing';
}
if (preg_match('E-mail Protection', $certtext)) {
$cert_type = 'email';
}
#Remove temporary openssl config file.
if (file_exists($cnf_file)) unlink($cnf_file);
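Review bot: Neither new `preg_match` call in CA_renew_cert can ever match: `'E-mail Protection'` and `'Code Signing'` carry no delimiters, so PCRE takes the leading `E`/`C` as the delimiter, emits a warning and returns false, and the first condition additionally reads the undefined `$certtest` instead of `$certtext`. Even once corrected, the second test is a plain `if` rather than `elseif`, so an email-signing certificate (which also matches E-mail Protection) would be downgraded to `email`. Replace the two conditions with `if (preg_match('~E-mail Protection~', $certtext) && preg_match('~Code Signing~', $certtext)) {` and `elseif (preg_match('~E-mail Protection~', $certtext)) {`, assuming `$certtext` is populated earlier in CA_renew_cert, whose body begins outside the hunk. The same `$certtest` typo and if/if pattern recur in CA_cert_type further down in this file.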
@@ -748,25 +815,32 @@ function CA_cert_type($serial) {
$certtext = CA_cert_text($serial);
if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) {
#if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) {
if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtest)) {
$cert_type = 'email_codesigning';
}
if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) {
#if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) {
if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) {
$cert_type = 'email';
}
elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) {
#elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) {
elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) {
$cert_type = 'server';
}
elseif (ereg('timeStamping|Time Stamping', $certtext)) {
#elseif (ereg('timeStamping|Time Stamping', $certtext)) {
elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) {
$cert_type = 'time_stamping';
}
elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) {
#elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) {
elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) {
$cert_type = 'vpn_client_server';
}
elseif (ereg('TLS Web Client Authentication', $certtext)) {
#elseif (ereg('TLS Web Client Authentication', $certtext)) {
elseif (preg_match('~TLS Web Client Authentication~', $certtext)) {
$cert_type = 'vpn_client';
}
elseif (ereg('TLS Web Server Authentication', $certtext)) {
#elseif (ereg('TLS Web Server Authentication', $certtext)) {
elseif (preg_match('~TLS Web Server Authentication~', $certtext)) {
$cert_type = 'vpn_server';
}
else {