Speichere und zeige Seriennummer von Client-Zertifikaten
Bernd Wurst

Bernd Wurst commited on 2016-04-07 05:37:36
Zeige 5 geänderte Dateien mit 20 Einfügungen und 22 Löschungen.

@@ -31,15 +31,8 @@ require_once('inc/error.php');
31 31
 require_once('inc/theme.php');
32 32
 
33 33
 
34
-function prepare_cert($cert)
35
-{
36
-	return str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert);
37
-}
38
-
39
-
40 34
 function get_logins_by_cert($cert) 
41 35
 {
42
-	$cert = prepare_cert($cert);
43 36
 	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=? ORDER BY type,username", array($cert));
44 37
 	if ($result->rowCount() < 1)
45 38
 		return NULL;
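Review bot: With `prepare_cert()` removed, `get_logins_by_cert()` now binds the raw `SSL_CLIENT_CERT` value — PEM armour and line breaks included — against `system.clientcert.cert`, while every row written before this commit was stored with the BEGIN/END lines and all whitespace stripped by that helper. Unless one of the five changed files is a data migration (none is visible here), previously registered certificates will simply stop matching and those users silently fall back to password login. Either rewrite the stored column once, or keep one normalisation on both the store and the lookup path, e.g. `$cert = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\r", "\n"), '', $cert);` in `get_logins_by_cert()` and in the session-recording branch. The body of `get_logins_by_cert()` continues past the end of this hunk.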
@@ -63,11 +56,13 @@ if (! isset($_SERVER['SSL_CLIENT_CERT']) && isset($_SERVER['REDIRECT_SSL_CLIENT_
63 56
 if ($_SESSION['role'] != ROLE_ANONYMOUS && isset($_REQUEST['record']) && isset($_REQUEST['backto']) && check_path($_REQUEST['backto']))
64 57
 {
65 58
   DEBUG('recording client-cert');
66
-  if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']))
59
+  if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && 
60
+      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && isset($_SERVER[$redirect.'SSL_CLIENT_M_SERIAL']))
67 61
   {
68
-    $_SESSION['clientcert_cert'] = prepare_cert($_SERVER[$redirect.'SSL_CLIENT_CERT']);
62
+    $_SESSION['clientcert_cert'] = $_SERVER[$redirect.'SSL_CLIENT_CERT'];
69 63
     $_SESSION['clientcert_dn'] = $_SERVER[$redirect.'SSL_CLIENT_S_DN'];
70 64
     $_SESSION['clientcert_issuer'] = $_SERVER[$redirect.'SSL_CLIENT_I_DN'];
65
+    $_SESSION['clientcert_serial'] = $_SERVER[$redirect.'SSL_CLIENT_M_SERIAL'];
71 66
     header('Location: '.$prefix.$_REQUEST['backto'].encode_querystring(''));
72 67
     die();
73 68
   }
@@ -109,7 +104,8 @@ else
109 104
 {
110 105
   if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && 
111 106
       isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && $_SERVER[$redirect.'SSL_CLIENT_S_DN'] != '' && 
112
-      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && $_SERVER[$redirect.'SSL_CLIENT_I_DN'] != '') {
107
+      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && $_SERVER[$redirect.'SSL_CLIENT_I_DN'] != '' &&
108
+      isset($_SERVER[$redirect.'SSL_CLIENT_M_SERIAL']) && $_SERVER[$redirect.'SSL_CLIENT_M_SERIAL'] != '') {
113 109
     $ret = get_logins_by_cert($_SERVER[$redirect.'SSL_CLIENT_CERT']);
114 110
     if ($ret === NULL) {
115 111
       login_screen('Ihr Browser hat ein Client-Zertifikat gesendet, dieses ist aber noch nicht für den Zugang hinterlegt. Melden Sie sich bitte per Benutzername und Passwort an.');
@@ -31,6 +31,7 @@ if (isset($_GET['clear']))
31 31
   unset($_SESSION['clientcert_cert']);
32 32
   unset($_SESSION['clientcert_dn']);
33 33
   unset($_SESSION['clientcert_issuer']);
34
+  unset($_SESSION['clientcert_serial']);
34 35
 }
35 36
 
36 37
 $username = NULL;
@@ -50,7 +51,8 @@ if (isset($_SESSION['clientcert_cert']))
50 51
   output('<div style="margin: 1em; padding: 1em; border: 2px solid green;">');
51 52
   output('<p>Es wurde folgendes Client-Zertifikat von Ihrem Browser gesendet:</p>
52 53
 <div style="margin-left: 2em;"><strong>DN:</strong> '.filter_input_general($_SESSION['clientcert_dn']).'<br />
53
-<strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'</div>
54
+<strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'<br />
55
+<strong>Seriennummer:</strong> '.filter_input_general($_SESSION['clientcert_serial']).'</div>
54 56
 <p>Soll dieses Zertifikat für den Zugang für <strong>'.$username.'</strong> verwendet werden?</p>');
55 57
   output(html_form('clientcert_add', 'certsave.php', 'action=new', '<p><input type="submit" name="submit" value="Ja, dieses Zertifikat einrichten" /> &#160; '.internal_link('cert', 'Nein', 'clear').'</p>'));
56 58
   output('</div>');
@@ -63,7 +65,7 @@ if ($certs != NULL) {
63 65
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
64 66
   <ul>');
65 67
   foreach ($certs AS $cert) {
66
-   	output('<li>'.$cert['dn'].'<br /><em>ausgestellt von </em>'.$cert['issuer']);
68
+   	output('<li>'.$cert['dn'].' / Seriennummer '.$cert['serial'].'<br /><em>ausgestellt von </em>'.$cert['issuer']);
67 69
     output('<br />'.internal_link('certsave', 'Dieses Zertifikat löschen', 'action=delete&id='.$cert['id']));
68 70
     output('</li>');
69 71
   }
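Review bot: `$cert['serial']` on the new list line is concatenated into HTML unescaped, whereas the same value is passed through `filter_input_general()` when it is rendered from the session a few lines earlier in this file. The serial — like the `dn` and `issuer` already on that line — comes from a certificate the browser presented (`SSL_CLIENT_M_SERIAL`), so it is not server-controlled; `output('<li>'.filter_input_general($cert['dn']).' / Seriennummer '.filter_input_general($cert['serial']).'<br /><em>ausgestellt von </em>'.filter_input_general($cert['issuer']));` keeps the two render paths consistent. As far as this hunk shows the list is per user, so the exposure is limited, but escaping at the point of output is the cheaper habit.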
@@ -26,12 +26,13 @@ if ($_GET['action'] == 'new')
26 26
   if (! isset($_SESSION['clientcert_cert']))
27 27
     system_failure('Kein Zertifikat');
28 28
   
29
-  add_clientcert($_SESSION['clientcert_cert'], $_SESSION['clientcert_dn'], $_SESSION['clientcert_issuer']);
29
+  add_clientcert($_SESSION['clientcert_cert'], $_SESSION['clientcert_dn'], $_SESSION['clientcert_issuer'], $_SESSION['clientcert_serial']);
30 30
 
31 31
   // Räume session auf
32 32
   unset($_SESSION['clientcert_cert']);
33 33
   unset($_SESSION['clientcert_dn']);
34 34
   unset($_SESSION['clientcert_issuer']);
35
+  unset($_SESSION['clientcert_serial']);
35 36
   header('Location: cert');
36 37
 }
37 38
 elseif ($_GET['action'] == 'delete')
@@ -53,7 +54,7 @@ elseif ($_GET['action'] == 'delete')
53 54
   $sure = user_is_sure();
54 55
   if ($sure === NULL)
55 56
   {
56
-    are_you_sure("action=delete&id={$cert['id']}", "Möchten Sie das Zertifikat »{$cert['dn']}« wirklich löschen?");
57
+    are_you_sure("action=delete&id={$cert['id']}", "Möchten Sie das Zertifikat »{$cert['dn']}« (Seriennummer {$cert['serial']}) wirklich löschen?");
57 58
   }
58 59
   elseif ($sure === true)
59 60
   {
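Review bot: The guard at the top of the `new` branch still checks only `$_SESSION['clientcert_cert']`, yet the `add_clientcert()` call now also reads `$_SESSION['clientcert_serial']`; a session recorded by the pre-commit login code (or any path that sets the cert without the serial) passes the guard and inserts a NULL serial with a PHP notice. Extend the check to match the recording condition: `if (! isset($_SESSION['clientcert_cert']) || ! isset($_SESSION['clientcert_serial']))`. The `delete` branch interpolates `{$cert['serial']}` into the confirmation text; whether `are_you_sure()` escapes its message is not visible here, so confirm it alongside the list page.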
@@ -24,7 +24,6 @@ function do_ajax_cert_login() {
24 24
 
25 25
 function get_logins_by_cert($cert) 
26 26
 {
27
-	$cert = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert);
28 27
 	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=?", array($cert));
29 28
 	if ($result->rowCount() < 1)
30 29
 		return NULL;
@@ -42,7 +41,7 @@ function get_cert_by_id($id)
42 41
   $id = (int) $id;
43 42
 	if ($id == 0)
44 43
 	  system_failure('no ID');
45
-	$result = db_query("SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`=?", array($id));
44
+	$result = db_query("SELECT id,dn,issuer,serial,cert,username,startpage FROM system.clientcert WHERE `id`=?", array($id));
46 45
 	if ($result->rowCount() < 1)
47 46
 		return NULL;
48 47
 	$ret = $result->fetch();
@@ -55,7 +54,7 @@ function get_certs_by_username($username)
55 54
 {
56 55
 	if ($username == '')
57 56
 	  system_failure('empty username');
58
-	$result = db_query("SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`=?", array($username));
57
+	$result = db_query("SELECT id,dn,issuer,serial,cert,startpage FROM system.clientcert WHERE `username`=?", array($username));
59 58
 	if ($result->rowCount() < 1)
60 59
 		return NULL;
61 60
 	while ($row = $result->fetch()) {
@@ -65,7 +64,7 @@ function get_certs_by_username($username)
65 64
 }
66 65
 
67 66
 
68
-function add_clientcert($certdata, $dn, $issuer, $startpage=NULL)
67
+function add_clientcert($certdata, $dn, $issuer, $serial, $startpage=NULL)
69 68
 {
70 69
   $type = NULL;
71 70
   $username = NULL;
@@ -91,14 +90,15 @@ function add_clientcert($certdata, $dn, $issuer, $startpage=NULL)
91 90
 
92 91
   $args = array(":dn" => $dn,
93 92
                 ":issuer" => $issuer,
93
+                ":serial" => $serial,
94 94
                 ":certdata" => $certdata,
95 95
                 ":type" => $type,
96 96
                 ":username" => $username,
97 97
                 ":startpage" => $startpage);
98 98
   DEBUG($args);
99 99
 
100
-  db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `cert`, `type`, `username`, `startpage`) 
101
-VALUES (:dn, :issuer, :certdata, :type, :username, :startpage)", $args);
100
+  db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `serial`, `cert`, `type`, `username`, `startpage`) 
101
+VALUES (:dn, :issuer, :serial, :certdata, :type, :username, :startpage)", $args);
102 102
 
103 103
 }
104 104
 
@@ -58,8 +58,7 @@ function cert_is_letsencrypt($id)
58 58
 {
59 59
   $details = cert_details($id);
60 60
   DEBUG($details);
61
-  if ($details['chain'] == config('letsencrypt_chain') &&
62
-      strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
61
+  if (strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
63 62
     return true;
64 63
   }
65 64
   return false;
66 65
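Review bot: Dropping the `$details['chain'] == config('letsencrypt_chain')` comparison leaves `cert_is_letsencrypt()` deciding on nothing but a substring of the subject, and the surviving `strpos(...) > 0` still misses a match at offset 0. If the subject can be set by whoever uploads a certificate, any certificate can now present itself as Let's Encrypt-managed, and this change has nothing to do with the client-cert serial feature in the commit title. If the chain check was removed because the configured chain drifted, compare the issuer DN instead of removing the check, and write the substring test as `strpos($details['subject'], "Let's Encrypt autogenerated") !== false`. The function's closing brace is outside this hunk.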