initial commit of file from CVS for smeserver-phpki-ng on Sat Sep 7 20:50:40 AEST 2024

This commit is contained in:
Trevor Batley 2024-09-07 20:50:40 +10:00
parent 216095c0ea
commit c46ac6300b
35 changed files with 1065 additions and 2 deletions

4
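--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.xz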

21
Makefile Normal file

@ -0,0 +1,21 @@
# Makefile for source rpm: smeserver-phpki-ng
# $Id: Makefile,v 1.1 2020/11/24 16:28:21 jcrisp Exp $
NAME := smeserver-phpki-ng
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)
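Review bot: The writable test inside find-makefile-common reads `-w $$/Makefile.common`, which the shell receives as `$/Makefile.common` — a literal path that never exists — so the `cvs -Q update` branch is dead code; it should be `-w $$d/Makefile.common` to match the `-f $$d/CVS/Root` test beside it. `exit -1` in checkout-makefile-common is not a portable exit status (it wraps to 255 in some shells and is rejected by others); `exit 1` is what every shell accepts. Both lines look inherited from the shared contrib Makefile template, so the fix presumably belongs there as well.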


@ -1,3 +1,15 @@
# smeserver-phpki-ng # <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-phpki-ng
SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs
## Wiki
<br />https://wiki.koozali.org/
## Bugzilla
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-phpki-ng&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />

1
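--- a/contriborbase
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10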

60
createlinks Normal file

@ -0,0 +1,60 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
# Start and stop links
#service_link_enhanced("httpd-pki", "S86", "7");
#service_link_enhanced("httpd-pki", "K15", "6");
#service_link_enhanced("httpd-pki", "K15", "0");
#service_link_enhanced("httpd-pki", "K15", "1");
#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/httpd-pki');
#safe_symlink("/var/service/httpd-pki" , 'root/service/httpd-pki');
# Panel links
panel_link("phpki", 'manager');
# Events links
event_link("phpki-fixtakey", qw(bootstrap-console-save post-upgrade), "50");
event_link("phpki-fixownership", qw(bootstrap-console-save post-upgrade), "02");
templates2events("/etc/httpd/pki-conf/httpd.conf", qw(bootstrap-console-save conf-userpanel domain-modify));
safe_symlink("restart", "root/etc/e-smith/events/conf-userpanel/services2adjust/httpd-pki");
safe_symlink("restart", "root/etc/e-smith/events/domain-modify/services2adjust/httpd-pki");
safe_symlink("restart", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki");
# our event specific for updating with yum without reboot
$event = "smeserver-phpki-ng-update";
#add here the path to your templates needed to expand
#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
foreach my $file (qw(
/etc/systemd/system-preset/49-koozali.preset
/etc/httpd/conf/httpd.conf
/etc/httpd/pki-conf/httpd.conf
/etc/opt/remi/php73/php-fpm.d/www.conf
/opt/phpki/html/config.php
))
{
templates2events( $file, $event );
}
#action needed in case we have a systemd unit
event_link("systemd-default", $event, "10");
event_link("systemd-reload", $event, "50");
#action specific to this package
event_link("phpki-fixownership", $event, "02");
event_link("phpki-fixtakey", $event, "50");
#event_link("conf-timezone", $event, "30");
#services we need to restart
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-pki");
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/php73-php-fpm");
use esmith::Build::Backup qw(:all);
backup_includes("smeserver-phpki-ng", qw(
/opt/phpki/
));
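Review bot: `$event = "smeserver-phpki-ng-update";` is an undeclared package global and the script carries only `-w` on the shebang with no `use strict;`, so a typo in any later `$event` reference would silently expand templates and link actions into a non-existent event directory; declare it `my $event = 'smeserver-phpki-ng-update';` and add `use strict; use warnings;` after the shebang. The `use esmith::Build::Backup qw(:all);` near the bottom works (a `use` is compile-time) but conventionally sits with the other `use` line at the top so a reader sees every imported helper at once.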


@ -0,0 +1 @@
system


@ -0,0 +1 @@
940


@ -0,0 +1 @@
enabled


@ -0,0 +1 @@
service


@ -0,0 +1,9 @@
#!/bin/bash
chown root:phpki /opt/phpki/html/config.php
chown root:phpki /opt/phpki/html/openssl.cnf
chown phpki:phpki -R /opt/phpki/phpki-store*
chown root:phpki /opt/phpki/html/ca
chmod +x /opt/phpki/html/
chmod +x /opt/phpki/html/ca
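Review bot: None of the `chown`/`chmod` calls check their result and the script has no `set -e`, so a missing `/opt/phpki/html/ca`, an absent phpki user, or a `/opt/phpki/phpki-store*` glob with no match (passed literally, and failing) leaves the event reporting success while the ownership fix silently did not apply; add `set -e` after the shebang, or `|| exit 1` on each line if partial application is preferred. `chmod +x` on the two directories is `a+x` minus the umask and reads as "make executable" rather than the directory-traverse bit it is really granting; spelling it `chmod a+x` (or `o+x` if only the web server user needs traversal) with a one-line comment makes the intent explicit.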


@ -0,0 +1,8 @@
#!/bin/bash
if [[ -f /opt/phpki/phpki-store/CA/private/cakey.pem && ! -f /opt/phpki/phpki-store/CA/private/takey.pem ]]
then
echo "creating missing takey.pem"
runuser -u phpki -- openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem
fi
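Review bot: The `openvpn --genkey` call's exit status is not checked, so a failed key generation (openvpn not installed, unwritable directory) still ends the action with status 0 and the event reports success; append `|| { echo "failed to create takey.pem" >&2; exit 1; }` to that line. The CA private directory is spelled out three times — a `private=/opt/phpki/phpki-store/CA/private` variable at the top keeps them in sync. OpenVPN 2.5 and later spell this `openvpn --genkey secret FILE`; the old `--genkey --secret` form still works there but is deprecated, which is worth a comment so the next maintainer knows why it was kept.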


@ -0,0 +1,8 @@
<lexicon lang="fr" params="lexicon_params()">
<!-- vim: ft=xml
-->
<entry>
<base>Certificate Management</base>
<trans>Gestion des certificats</trans>
</entry>
</lexicon>


@ -0,0 +1,3 @@
FILTER=sub { $_[0] =~ /^\s*$/ ? '' : $_[0] }
GID='phpki'
PERMS=0660


@ -0,0 +1,69 @@
{
# vim: ft=perl:
$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
$OUT = '';
if ((${'httpd-pki'}{'status'} || 'disabled') eq 'enabled'){
if (($port eq "80") && ($haveSSL eq 'yes')){
$OUT .= " RewriteRule ^/phpki(/.*|\$) https://%{HTTP_HOST}/phpki\$1 [L,R]\n";
}
else{
$OUT .= " ProxyPass /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
$OUT .= " ProxyPassReverse /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
}
$OUT .=<<"HERE";
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
<Location /phpki>
SSLRequireSSL on
Require ip $localAccess $externalSSLAccess
</Location>
# we want Public access to ns_revoke_query.php
<Location /phpki/ns_revoke_query.php>
Require all granted
</Location>
# we want Public access to policy
<Location /phpki/policy.html>
Require all granted
</Location>
# we want Public access to help
<Location /phpki/help>
Require all granted
</Location>
<Location /phpki/help.php>
Require all granted
</Location>
# we want Public access to crl list
<Location /phpki/dl_crl.php>
Require all granted
</Location>
<Location /phpki/dl_crl_pem.php>
Require all granted
</Location>
# and we redirect old config to our new safer script
RewriteEngine On
RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$)
RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L]
RewriteCond %{QUERY_STRING} stage=dl_crl_pem(&|\$)
RewriteRule ^ /phpki/dl_crl_pem.php [QSD,R=302,L]
HERE
# safely redirect crl request to php script striping all GET requests
# but would leave POST
#RewriteEngine On
#RewriteCond %{REQUEST_URI} ^/?phpki/dl_crl/?\$
#RewriteRule ^ /phpki/index.php?stage=dl_crl [P,NC]
}
}
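Review bot: The two `RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$)` conditions inside the heredoc are not tied to the /phpki path, so any URL on this virtual host whose query string contains `stage=dl_crl` (including `xstage=dl_crl`, since the pattern has no leading anchor) is redirected to `/phpki/dl_crl.php`; the commented-out variant below the heredoc did check `%{REQUEST_URI}`. Precede each `RewriteCond` with `RewriteCond %{REQUEST_URI} ^/phpki(/|\$)` and anchor the query test as `(^|&)stage=dl_crl(&|\$)` (same for `dl_crl_pem`). Because `<<"HERE"` interpolates, the `\$` escapes must be kept in any line added there.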


@ -0,0 +1,28 @@
{
use esmith::AccountsDB;
sub getUsersList ($){
my ($panelName) = @_;
my $a = esmith::AccountsDB->open_ro || die "Error opening accounts db";
my @users = $a->users();
my @groups = $a->groups();
my @Users = ();
foreach my $user (@users){
my $panels = $user->prop('AdminPanels') || '';
push(@Users,$user->key) if ($panels =~ /^(.*,)?$panelName(,.*)?$/);
}
foreach my $group (@groups){
$panels = $group->prop('AdminPanels') || '';
if ($panels =~ /^(.*,)?$panelName(,.*)?$/){
my @members = split(/,/,($group->prop('Members') || ''));
push(@Users,@members);
}
}
my %seen = ();
my $u = join (' ', grep { ! $seen{ $_ }++ } @Users);
return $u;
}
}
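Review bot: In the group loop, `$panels = $group->prop('AdminPanels') || '';` lacks `my` (the `my $panels` above it is scoped to the user loop), so it writes an undeclared global and would fail under `use strict`; make it `my $panels = $group->prop('AdminPanels') || '';`. `my $a = esmith::AccountsDB->open_ro || die ...` shadows Perl's special sort variable `$a`; `$adb` is the conventional name. `$panelName` is interpolated unescaped into the regex twice — it is the constant `"phpki"` at the only visible call site, but `\Q$panelName\E` costs nothing — and the `($)` prototype is best dropped, since prototypes alter parsing rather than validate arguments.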


@ -0,0 +1,23 @@
{
#---------------------------------------------------------------------
# Grab ValidFrom access list property of httpd-admin
# SSL enabled virtual hosts should only allow access from IP's in
# this list, as well as local networks.
#---------------------------------------------------------------------
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro();
my @localAccess = $ndb->local_access_spec();
my $validFrom = ${'httpd-admin'}{'ValidFrom'};
if ($validFrom)
{
push @localAccess, split /,/, $validFrom;
}
$localAccess .= join ' ',
map { s:/255.255.255.255::; $_ }
@localAccess;
"";
}
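Review bot: `map { s:/255.255.255.255::; $_ } @localAccess` edits the array elements in place through `$_` aliasing as a side effect of building `$localAccess`, and the unescaped dots match any character; `map { s{/255\.255\.255\.255\z}{}r } @localAccess` (the `/r` form) leaves the array untouched and strips only the literal suffix. `$localAccess .=` appends to a template-wide variable that this fragment never initialises; if it is meant to start from an earlier fragment's value, a one-line comment saying so would help, otherwise `=` states the intent.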


@ -0,0 +1,8 @@
{
$OUT .= "LoadModule auth_tkt_module modules/mod_auth_tkt.so\n";
my $secret = ${'httpd-admin'}{TKTAuthSecret} || "34322500-7330-4400-423A-3A00434F5245";
$OUT .= "TKTAuthSecret \"$secret\"\n";
$OUT .= "TKTAuthDigestType SHA256\n";
}
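Review bot: `|| "34322500-7330-4400-423A-3A00434F5245"` makes a published constant the fallback `TKTAuthSecret` whenever the `httpd-admin` record lacks the property, and the pki httpd would then accept mod_auth_tkt tickets signed with a value anyone can read in this repository; a missing secret should abort template expansion rather than silently weaken the `/phpki/ca` protection: `my $secret = ${'httpd-admin'}{TKTAuthSecret} or die "httpd-admin TKTAuthSecret is not set\n";`. The server-manager's own httpd config is presumably what generates and stores that property, so a short comment naming the dependency would make the die path obviously unreachable on a healthy install.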


@ -0,0 +1,162 @@
{
my $port = ${'httpd-pki'}{TCPPort} || '940';
$OUT .= "Listen 127.0.0.1:$port\n";
$OUT .= <<HERE;
HostnameLookups off
ServerAdmin admin@$DomainName
ServerRoot /etc/httpd
ServerTokens ProductOnly
User phpki
Group phpki
ErrorLog /var/log/httpd/pki_error_log
LogLevel warn
HERE
foreach (qw(
env
log_config
mime
negotiation
status
info
include
autoindex
dir
asis
imagemap
actions
userdir
proxy
proxy_http
alias
rewrite
auth
auth_anon
auth_digest
expires
headers
usertrack
setenvif
ssl
cgi
mpm_prefork
unixd
authn_core
authz_core
authz_user
authz_host
proxy_ajp
proxy_connect
proxy_express
proxy_fcgi
proxy_ftp
proxy_html
proxy_scgi
proxy_wstunnel
))
{
next unless -f "/usr/lib/httpd/modules/mod_${_}.so" ||
-f "/usr/lib64/httpd/modules/mod_${_}.so";
$OUT .= "LoadModule ${_}_module modules/mod_${_}.so\n";
}
$OUT .= "# we do not use php module anymore, but php-fpm";
$OUT .=<<"HERE";
PidFile /var/run/httpd-pki.pid
ScoreBoardFile /var/run/httpd-pki.scoreboard
UseCanonicalName off
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
LogFormat "%{User-agent}i" agent
CustomLog /var/log/httpd/pki_access_log common
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MaxClients 150
MaxRequestsPerChild 100
ServerName www.$DomainName
MinSpareServers 1
MaxSpareServers 5
StartServers 1
Timeout 300
DefaultIcon /icons/unknown.gif
DirectoryIndex index.htm index.html index.php index.cgi
IndexOptions FancyIndexing VersionSort NameWidth=*
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AccessFileName .htaccess
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
TypesConfig /etc/mime.types
AddEncoding x-compress Z
AddEncoding x-gzip gz
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it
LanguagePriority en fr de
AddType text/html .shtml
AddType application/x-pkcs7-crl .crl
AddType application/x-x509-ca-cert .crt
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
AddHandler cgi-script .cgi
AddHandler server-parsed .shtml
AddHandler imap-file map
DocumentRoot /opt/phpki/html
HERE
}
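Review bot: `$OUT .= "# we do not use php module anymore, but php-fpm";` has no trailing newline, so unless the following heredoc starts with a blank line that the rendering dropped, its first line (`PidFile /var/run/httpd-pki.pid`) is glued onto the comment and becomes part of it — httpd then falls back to its compiled-in pid file location, which may collide with the main httpd's. Add the newline: `$OUT .= "# we do not use php module anymore, but php-fpm\n";`. Minor: `MaxClients` and `MaxRequestsPerChild` are the 2.2 spellings; 2.4 still accepts them, but `MaxRequestWorkers`/`MaxConnectionsPerChild` match the `mpm_prefork` module loaded above.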


@ -0,0 +1,11 @@
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>


@ -0,0 +1,52 @@
Alias /phpki /opt/phpki/html/
# Main access allowed for valid user
<Directory /opt/phpki/html>
AddType application/x-httpd-php .php
Options FollowSymLinks
{
my $key = "phpki";
my $pool_name = lc $key;
my $version = ${httpd-pki}{'PHPVersion'} || '73';
$OUT .="
<FilesMatch .php\$>
SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\"
</FilesMatch>\n";
}
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
AddType application/x-x509-ca-cert .crt .pem
AddType application/pkix-crl .crl
AddType application/pkix-cert .cer .der
AllowOverride None
Require ip 127.0.0.1
</Directory>
# /ca is only allowed for admin and explicitely authorized users
<Location /phpki/ca>
AuthName "PHPKI Admin"
AuthType Basic
TKTAuthLoginURL /server-common/cgi-bin/login
<RequireAll>
Require user admin {getUsersList("phpki");}
Require ip 127.0.0.1
</RequireAll>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
{
my $ManagerTimeout = ${'httpd-admin'}{ManagerTimeout} || "30m";
$OUT = " TKTAuthTimeout $ManagerTimeout\n";
my $Cookie = ${'httpd-admin'}{Cookie} || "disabled";
$OUT .= " TKTAuthCookieExpires $ManagerTimeout\n" if "$Cookie" eq "enabled";
my $ManagerTimeoutReset = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66";
$OUT .= " TKTAuthTimeoutRefresh $ManagerTimeoutReset\n";
}
</Location>
# Disable access to /admin, which is used to configure user/password
# via an htaccess file
<Directory /opt/phpki/html/admin>
Require all denied
</Directory>
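Review bot: `${httpd-pki}{'PHPVersion'}` (unquoted key) is not the `${'httpd-pki'}{...}` form the other fragments use; as far as I can tell Perl parses the unquoted braces as an expression rather than a record name, so PHPVersion is never read here and `$version` is always `'73'`, while the php-fpm pool template does honour the property — set any other version and httpd proxies to a socket no pool listens on. Fix: `my $version = ${'httpd-pki'}{'PHPVersion'} || '73';`. Separately, both `SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1` lines capture greedily, so whenever `auth_tkt` is not the last cookie the ticket handed to PHP carries every cookie after it; `auth_tkt=([^;]*)` captures just the ticket.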


@ -0,0 +1,69 @@
{
use esmith::ConfigDB;
my $c = esmith::ConfigDB->open_ro || die "Couldn't open the configuration database\n";
my $httpdpki = $c->get( 'httpd-pki' );
my $version = $httpdpki->prop('PHPVersion') || '73';
# we enable both the httpd server and php pool with same status
my $status = $httpdpki->prop('status') || 'disabled';
return unless ($status eq 'enabled' && $version eq $PHP_VERSION);
my $key = 'phpki';
my $pool_name = lc $key;
my $include_path = ".:/usr/share/pear-addons:/usr/share/pear:/usr/share/pear-data:/usr/share/php:/usr/sbin/:/usr/bin:/opt/phpki/html:/opt/phpki/html/include";
my $open_basedir = "/opt/phpki:/var/lib/php/phpki:/usr/sbin/openvpn:/usr/bin/which:/usr/bin/cat:/usr/bin/egrep:$include_path";
my $disabled_functions = 'show_source,dl,passthru'
;
# Format vars
$disabled_functions = join(', ', split /[,;:]/, $disabled_functions);
$open_basedir = join(':', split(/[,;:]/, $open_basedir . ",/usr/share/php"));
$OUT .=<<"_EOF" if ($version eq $PHP_VERSION);
[$pool_name]
user = phpki
group = phpki
listen.owner = root
listen.group = phpki
listen.mode = 0660
listen = /var/run/php-fpm/php$version-$pool_name.sock
catch_workers_output = yes
pm = dynamic
pm.max_children = 15
pm.start_servers = 3
pm.min_spare_servers = 3
pm.max_spare_servers = 4
pm.max_requests = 1000
slowlog = /var/log/$key/slow.log
php_admin_value[session.save_path] = /var/lib/php/$key/session
php_admin_value[opcache.file_cache] = /var/lib/php/$key/opcache
php_admin_value[upload_tmp_dir] = /var/lib/php/$key/tmp
php_admin_value[sys_temp_dir] = /var/lib/php/$key/tmp
php_admin_flag[display_errors] = off
php_admin_value[error_reporting] =E_ERROR | E_WARNING | E_PARSE
php_admin_value[error_log] = /var/log/$key/error.log
php_admin_flag[log_errors] = on
; php_admin_value[max_execution_time] = $max_execution_time
php_admin_value[disable_functions] = $disabled_functions
php_admin_flag[allow_url_fopen] = off
php_admin_flag[file_upload] = off
php_admin_flag[session.cookie_httponly] = on
php_admin_flag[allow_url_include] = off
php_admin_value[session.save_handler] = files
php_admin_value[open_basedir] = $open_basedir
php_admin_value[auto_prepend_file] = /usr/share/php/auth_translation.php
php_value[include_path] = $include_path
php_flag[magic_quotes_gpc] = off
php_flag[track_vars] = on
php_flag[session.use_trans_sid] = off
php_flag[register_globals] = off
php_flag[register_long_arrays] = on
; Needed so shell_exec does it right
env[PATH] = $include_path
_EOF
}
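Review bot: `$include_path` is reused for three unrelated settings — `include_path`, `open_basedir` (via `$open_basedir`) and `env[PATH]` — so PHP's file-access whitelist ends up containing `/usr/sbin/` and `/usr/bin` wholesale, which makes the individually listed `/usr/sbin/openvpn`, `/usr/bin/which`, `/usr/bin/cat` and `/usr/bin/egrep` entries meaningless. Keep a separate `my $exec_path = '/usr/sbin:/usr/bin';` for `env[PATH] = $exec_path`, drop `/usr/sbin/:/usr/bin` from `$include_path`, and let `$open_basedir` list only what the application really opens. The `return unless (...)` on the status line already covers `$version eq $PHP_VERSION`, so the `if` modifier on the heredoc assignment is redundant, and the stray `;` on its own line after `$disabled_functions` should join the line above.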


@ -0,0 +1,38 @@
{
# use Data::Validate::IP;
use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
our $KeySize = $modSSL{KeySize} ||'4096';
our $FQDN = "$SystemName.$DomainName";
our $Country = $modSSL{Country} || "--";
our $State = $modSSL{State} || "----";
our $commonName = $modSSL{CommonName} || $FQDN;
our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
our $key = "/home/e-smith/ssl.key/$FQDN.key";
our $defaultCity = $ldap{defaultCity} || '-';
our $defaultCompany = $ldap{defaultCompany} || $commonName ;
our $defaultDepartment = $ldap{defaultDepartment} || '-';
our $email = "admin\@$DomainName";
our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
chomp @subjectAlt;
our $subjectAltName = "";
my $i=0;
for my $elem (@subjectAlt) {
$subjectAltName .= ", " if $i>0;
$i++;
if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
$subjectAltName .= "IP:$elem";
next;
}
$subjectAltName .= "DNS:$elem";
}
$subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
# crop fields that are too long for X509:
$Country = substr($Country, 0, 2);
$defaultCity = substr($defaultCity, 0, 128);
$defaultCompany = substr($defaultCompany, 0, 64);
$defaultDepartment = substr($defaultDepartment, 0, 64);
$email = substr($email, 0, 64);
$commonName = substr($commonName, 0, 64);
$OUT="";
}
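Review bot: `our $KeySize = $modSSL{KeySize} ||'4096';` is declared here but the config.php fragment that follows writes `$config['keysize']='4096'` as a literal, so the `modSSL` KeySize setting never reaches PHPki; either interpolate `$KeySize` there or drop the variable. The `( $subjectAltName eq "DNS: ")` guard can never be true as far as I can see — the loop emits `DNS:` followed directly by the element, with no space — so an empty line from `generate-subjectaltnames` yields a bare `DNS:` entry instead of being skipped; `next if $elem eq '';` at the top of the loop is the check presumably intended. The `$i` counter exists only to place separators; `join ', ', map { (ip_is_ipv4($_) || ip_is_ipv6($_)) ? "IP:$_" : "DNS:$_" } grep { length } @subjectAlt` does the same in one expression.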


@ -0,0 +1,30 @@
{
my $phone = ${ldap}{defaultPhoneNumber} || "none";
my $zip = ${ldap}{postalCode} || "H0H 0H0";
my $street = ${ldap}{defaultStreet} || "Address Line #1";
@lines = map {
m:\$config\['common_name'\]: && s/.*/\$config['common_name']='$commonName';/;
m:\$config\['unit'\]: && s/.*/\$config['unit']='$defaultDepartment';/;
m:\$config\['keysize'\]: && s/.*/\$config['keysize']='4096';/;
m:\$config\['country'\]: && s/.*/\$config['country']='$Country';/;
m:\$config\['province'\]: && s/.*/\$config['province']='$State';/;
m:\$config\['locality'\]: && s/.*/\$config['locality']='$defaultCity';/;
m:\$config\['organization'\]: && s/.*/\$config['organization']='$defaultCompany';/;
m:\$config\['contact'\]: && s/.*/\$config['contact']='$email';/;
m:\$config\['base_url'\]: && s/.*/\$config['base_url']='https:\/\/$commonName\/phpki\/';/;
s/(^|\n)[\n\s]*/$1/g;;
$_
} @lines;
push @lines, "\$config['common_name']='$commonName';" unless grep( /\$config\['common_name'\]/ ,@lines);
push @lines, "\$config['unit']='$defaultDepartment';" unless grep( /\$config\['unit'\]/ ,@lines);
push @lines, "\$config['keysize']='4096';" unless grep( /\$config\['keysize'\]/ ,@lines);
push @lines, "\$config['country']='$Country';" unless grep( /\$config\['country'\]/ ,@lines);
push @lines, "\$config['province']='$State';" unless grep( /\$config\['province'\]/ ,@lines);
push @lines, "\$config['locality']='$defaultCity';" unless grep( /\$config\['locality'\]/ ,@lines);
push @lines, "\$config['organization']='$defaultCompany';" unless grep( /\$config\['organization'\]/ ,@lines);
push @lines, "\$config['contact']='$email';" unless grep( /\$config\['contact'\]/ ,@lines);
push @lines, "\$config['base_url']='https://$commonName/phpki/';" unless grep( /\$config\['base_url'\]/ ,@lines);
# we do not update the following as it will mess up the file.
push @lines, "\$config[\'getting_help\']=\'<b>Contact:</b><br>\nFirst-Name Last-Name<br>\n$defaultCompany/$defaultDepartment<br>\n$street<br>\n$defaultCity, $State, $zip<br>\n<br>\nPhone: $phone<br>\nE-mail: <a href=mailto:$email>$email</a>&nbsp;&nbsp;&nbsp;<i><b>E-mail is preferred.</b></i><br>\';" unless grep( /\$config\['getting_help'\]/ ,@lines);
"";
}
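Review bot: Every value substituted into config.php (`$commonName`, `$defaultCompany`, `$defaultCity`, `$street`, `$phone`, ...) is dropped inside a PHP single-quoted literal as-is, so an apostrophe or backslash in an LDAP default (an organisation named `O'Neil & Sons`, say) breaks the generated file with a PHP parse error and, in `$config['getting_help']`, also lands unescaped inside HTML. Escape once into local copies before the `map`, e.g. `my $esc = sub { (my $s = shift) =~ s/(['\\])/\\$1/g; $s };` and use `$esc->($defaultCompany)` and friends in the substitutions and pushes, with a separate HTML-escape for the `getting_help` fields. The `;;` after the whitespace-stripping substitution is harmless but reads as a leftover.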


@ -0,0 +1,12 @@
{
$OUT .= "";
foreach my $line (@lines)
{
chomp $line;
next if grep { /^$/ } $line ;
push @lines, $_;
$OUT .= "$line\n";
}
$OUT .= "?>";
}
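Review bot: `push @lines, $_;` inside `foreach my $line (@lines)` appends to the array being iterated and pushes `$_`, which this loop never sets, rather than `$line`; it looks like a leftover from the reader fragment's loop and should be removed, otherwise `@lines` grows by one undefined element per line on every expansion. `next if grep { /^$/ } $line;` is a roundabout `next if $line =~ /^$/;`, and `$OUT .= "";` is a no-op that can go.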


@ -0,0 +1,17 @@
{
# vim: ft=perl:
%lines = ();
@lines = ();
open (RD, "</opt/phpki/html/config.php")
|| warn "Cannot open input file /opt/phpki/html/config.php: $!\n";
while (<RD>)
{
chomp;
next if grep { /^$/ } $_ ;
next if grep { /^\?/ } $_;
push @lines, $_;
$lines{$_} = 1;
}
close(RD);
"";
}
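Review bot: `open (RD, "</opt/phpki/html/config.php") || warn ...` uses a bareword handle and two-argument open, and when the open fails the code still runs `while (<RD>)` on an unopened handle and `close(RD)`; use the lexical three-argument form and skip the loop on failure: `if (open(my $rd, '<', '/opt/phpki/html/config.php')) { ... close $rd; } else { warn "Cannot open input file /opt/phpki/html/config.php: $!\n"; }`. The path is fixed, so this is robustness rather than injection. `next if grep { /^$/ } $_;` is simply `next if /^$/;` (likewise for `/^\?/`), and `%lines` is filled but not read by any fragment shown here, so a comment naming its consumer would help.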


@ -0,0 +1,32 @@
#!/usr/bin/perl
#----------------------------------------------------------------------
# heading : Security
# description : Certificate Management
# navigation : 4000 4200
#----------------------------------------------------------------------
use strict;
use CGI':all';
use CGI::Carp qw(fatalsToBrowser);
BEGIN
{
$ENV {'PATH'} = '/bin:/usr/bin:/sbin';
$ENV {'SHELL'} = '/bin/bash';
delete $ENV {'ENV'};
}
my $q = new CGI;
my $content="0; url=https://".$ENV {'HTTP_X_FORWARDED_HOST'}."/phpki/ca/";
$q->default_dtd('-//W3C//DTD XHTML 1.0 Transitional//EN');
print $q->header ('text/html');
print $q->start_html (-head=>meta({-http_equiv=>'refresh', -content=>$content}));
print $q->end_html;
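Review bot: The meta-refresh target is built from `$ENV{'HTTP_X_FORWARDED_HOST'}` without validation, so whatever host value the front-end proxy forwards — ultimately derived from the client's Host header unless the proxy overwrites it — is echoed into the page as the redirect destination, an open-redirect and HTML-injection surface if that header can be influenced. Since phpki lives on the same host as the server-manager, a root-relative target avoids the header entirely: `my $content = "0; url=/phpki/ca/";`; if an absolute URL is really required, accept the host only when it matches `^[A-Za-z0-9.-]+(:\d+)?$` and fall back to `$DomainName` otherwise. `new CGI` is indirect-object syntax; `CGI->new` is the unambiguous form.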


@ -0,0 +1,163 @@
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
LoadModule auth_tkt_module modules/mod_auth_tkt.so
TKTAuthSecret "1234"
Listen 127.0.0.1:940
HostnameLookups off
ServerAdmin admin
ServerRoot /etc/httpd
ServerTokens ProductOnly
User phpki
Group phpki
ErrorLog /var/log/httpd/pki_error_log
LogLevel warn
LoadModule env_module modules/mod_env.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule include_module modules/mod_include.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule asis_module modules/mod_asis.so
#LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
#LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
PidFile /var/run/httpd-bkpc.pid
ScoreBoardFile /var/run/httpd-bkpc.scoreboard
UseCanonicalName off
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{User-agent}i" agent
CustomLog /var/log/httpd/pki_access_log common
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MaxClients 150
MaxRequestsPerChild 100
ServerName www.domain.tld
MinSpareServers 1
MaxSpareServers 5
StartServers 1
Timeout 300
DefaultIcon /icons/unknown.gif
DirectoryIndex index.htm index.html index.php index.cgi
IndexOptions FancyIndexing VersionSort NameWidth=*
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AccessFileName .htaccess
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
DefaultType text/plain
TypesConfig /etc/mime.types
AddEncoding x-compress Z
AddEncoding x-gzip gz
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it
LanguagePriority en fr de
AddType text/html .shtml
AddType application/x-pkcs7-crl .crl
AddType application/x-x509-ca-cert .crt
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4.0" force-response-1.0
BrowserMatch "Java/1.0" force-response-1.0
BrowserMatch "JDK/1.0" force-response-1.0
AddHandler cgi-script .cgi
AddHandler server-parsed .shtml
AddHandler imap-file map
DocumentRoot /opt/phpki/
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
Options None
AllowOverride None
order deny,allow
deny from all
allow from none
</Directory>


@ -0,0 +1,9 @@
[Unit]
Description=Certificate management
After=network.service
[Service]
Type=forking
ExecStart=/usr/sbin/systemd/httpd-pki
[Install]
WantedBy=sme-server.target
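Review bot: `Type=forking` without a `PIDFile=` leaves systemd to guess the main process, and the wrapper it starts (`/usr/sbin/systemd/httpd-pki`, the next file section) backgrounds httpd with `&` and exits, so the unit can report started before httpd has bound its port and may track the wrong PID; the httpd template already sets `PidFile /var/run/httpd-pki.pid`, so add `PIDFile=/var/run/httpd-pki.pid` under `[Service]`. `After=network.service` should be `After=network.target` — there is no `network.service` unit on a systemd host, so the ordering is currently a no-op. `Type=simple` with the wrapper exec'ing httpd in the foreground would remove the guesswork altogether.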


@ -0,0 +1,12 @@
#!/bin/sh
#----------------------------------------------------------------------
# copyright (C) 1999-2004 Mitel Networks Corporation
#----------------------------------------------------------------------
config=/etc/httpd/pki-conf/httpd.conf
[ -e $config ] || exit 1
exec 2>&1
exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND &
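Review bot: `exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND &` is self-contradicting: the trailing `&` forks a subshell, the `exec` replaces only that subshell, and the script itself returns 0 immediately, so an httpd that fails to start (bad config, port in use) is never reported to systemd. Either drop the `&` (with `Type=simple` in the unit) so the wrapper becomes httpd, or drop `-D FOREGROUND` and let httpd daemonise under `Type=forking` with a `PIDFile=`. `exec 2>&1` reads as a daemontools-era leftover and `$config` deserves quoting as `"$config"` even though its value is fixed here.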



0
root/var/lib/php/phpki/tmp/.gitignore vendored Normal file

0
root/var/log/phpki/.gitignore vendored Normal file

0
root/var/service/.gitignore vendored Normal file

198
smeserver-phpki-ng.spec Normal file

@ -0,0 +1,198 @@
# $Id: smeserver-phpki.spec,v 1.6 2017/05/03 21:08:27 unnilennium Exp $
# Authority: vip-ire
# Name: Daniel Berteaud
Name: smeserver-phpki-ng
Version: 0.3
Release: 23%{?dist}
Summary: php integration into SME server
Group: Applications/System
License: GPL
URL: http://phpki.sourceforge.net/
Source: %{name}-%{version}.tar.xz
#Patch0: smeserver-phpki-0.2-fix_redirect_with_user-manager_and_sso.patch
#Patch1: smeserver-phpki-0.2.bz10267.updatetktauth.patch
BuildRoot: %{_tmppath}/%{name}-%{version}
BuildArch: noarch
BuildRequires: e-smith-devtools
Requires: mod_auth_tkt
Requires: openvpn
Requires: e-smith-base
Requires: phpki-ng >= 0.84-14
Requires: php-process
Requires: e-smith-manager >= 2.6.0-22
Requires: e-smith-apache >= 2.6.0-19
Requires: smeserver-php >= 3.0.0-44
Provides: smeserver-phpki
#Obsoletes: smeserver-phpki
%description
PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance.
With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled
e-mail clients, SSL servers, and VPN applications.
This package contains specific configuration for SME server
%changelog
* Sat Sep 07 2024 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.3-23.sme
- Roll up patches and move to git repo [SME: 12338]
* Sat Sep 07 2024 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
* Thu May 11 2023 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-22.sme
- fix httpd needs QSD in place of ? [SME: 12354]
* Wed Dec 28 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-21.sme
- fix chop isntead of chomp for config.php [SME: 12293]
fix PATH not right for exec
* Sat Dec 17 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-19.sme
- small fixes for config.php and httpd
* Wed Dec 14 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-18.sme
- revert log/phpki [SME: 12266]
- phpki-ng autopopulate base info from ldap [SME: 11440]
- ensure user are seen by php-pool [SME: 12268]
- safe remote access for crl [SME: 11439]
- 17-18: applying patches
* Tue Dec 13 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-15.sme
- fix typo preventing httpd-pki to start 2
* Sun Nov 20 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-14.sme
- fix typo preventing httpd-pki to start
* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-13.sme
- add some more needed bins which cat and egrep [SME: 11438]
* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-11.sme
- fix missing takey [SME: 11438]
* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-10.sme
- ease migration from smeserver-phpki smeserver-phpki-ng using Provides [SME: 12222]
- fix ownership on migration (backup/restore) [SME: 12228]
- remove /var/service/httpd-pki [SME: 12229]
- remove old logrotate [SME: 11873]
- remove /var/log/phpki and /var/log/httpd-pki [SME: 12198]
* Tue Oct 04 2022 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-9.sme
- Fix spec file versioning
* Sat Jul 30 2022 Brian Read <brianr@bjsystems.co.uk> 0.3-8.sme
- Re-build and link to latest devtools [SME: 11997]
* Thu Jul 21 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-7.sme
- add to core backup [SME: 12021]
- httpd 2.4 access syntax [SME: 12054]
* Thu Aug 05 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-6.sme
- remove modules from patch file [SME: 11402]
* Sun Mar 07 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-5.sme
- modify dirs in spec file
* Thu Feb 25 2021 Jean-Philipe Pialasse <tests@pialasse.com> 0.3-4.sme
- configure php73 pool [SME: 11207]
tidy httpd.conf file
reuse phpki user and group
* Sat Feb 13 2021 Brian Read <brianr@bjsystems.co.uk> 0.3-3.sme
- Set execution bit on /opt/phpki/html/ca in spec file[SME: 11207]
* Tue Feb 09 2021 Brian Read <brianr@bjsystems.co.uk> 0.3-3.sme
- Add-in-systemd-startup [SME: 11207]
* Thu Nov 26 2020 Brian Read <brianr@bjsystems.co.uk> 0.3-2.sme
- Add in Loadmodules needed to pki-conf/httpd.conf [SME: 11207]
* Fri Apr 03 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-1.sme
- New release for phpki-ng-0.84 based on phpki-0.83
* Wed May 03 2017 Jean-Philipe Pialasse <tests@pialasse.com> 0.2-3.sme
- update TKT auth parameter for SME 9.2 update [SME: 10267]
* Mon Nov 18 2013 Daniel B. <daniel@firewall-services.com> - 0.2-2.sme
- Fix a redirect issue with user-manager and LemonLDAP::NG as SSO
* Mon Nov 11 2013 Daniel B. <daniel@firewall-services.com> - 0.2-1.sme
- Rebuild for SME9
- Do not disable httpd-pki service on uninstall
* Fri May 24 2013 JP Pialasse <tests@pialasse.com> - 0.1-6.sme
- added php-process as dependency [SME: 7439]
* Thu Oct 13 2011 Daniel B. <daniel@firewall-services.com> - 0.1-5.sme
- Change session path [SME: 6661]
* Wed Jul 20 2011 Daniel B. <daniel@firewall-services.com> - 0.1-5.sme
- Protect by location (so we can set another location protected by LemonLDAP::NG)
* Mon Feb 23 2009 Daniel B. <daniel@firewall-services.com> [0.1-4]
- Fix logrotate issue (send a sigusr1 signal to httpd-pki)
* Mon Dec 15 2008 Daniel B. <daniel@firewall-services.com> [0.1-3]
- Move server-manager panel to "security" section
* Wed Dec 10 2008 Daniel B. <daniel@firewall-services.com> [0.1-2]
- expand-templates in bootstrap-console-save instead of post-upgrade
- Disable authentication for the public part (so CRL can be updated automatically)
- Change the name of the menue in server-manager to certificate Management
* Tue Dec 02 2008 Daniel B. <daniel@firewall-services.com> [0.1-1]
- Restrict access to /phpki/ca for admin, ask for a valid user for /phpki
- expand-templates on signal events conf-userpanels and domain-modify
* Thu Nov 27 2008 Daniel B. <daniel@firewall-services.com> [0.1-0]
- initial release
%prep
%setup -q -n %{name}-%{version}
mkdir -p root/var/lib/php/phpki/{tmp,session,opcache}
rm -rf root/var/lib/php/pki-session
mkdir -p root/var/log/phpki
rm -rf root/var/service/httpd-pki
%build
perl createlinks
%install
%{__mkdir_p} $RPM_BUILD_ROOT/var/lib/php/pki-session
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
chmod +x $RPM_BUILD_ROOT/usr/sbin/systemd/httpd-pki
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--dir /var/lib/php/phpki 'attr(0770,root,phpki)' \
--dir /var/lib/php/phpki/session 'attr(0770,root,phpki)' \
--dir /var/lib/php/phpki/opcache 'attr(0770,root,phpki)' \
--dir /var/lib/php/phpki/tmp 'attr(0770,root,phpki)' \
--dir /var/log/phpki 'attr(0770,phpki,phpki)' \
> %{name}-%{version}-filelist
%post
%clean
rm -rf $RPM_BUILD_ROOT
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%pre
#/sbin/e-smith/create-system-user phpki 455 'Phpki User' /opt/phpki /bin/false >& /dev/null || :
%preun