Browse code

Speichere und zeige Seriennummer von Client-Zertifikaten

Bernd Wurst authored on07/04/2016 05:37:36
Showing5 changed files
... ...
@@ -31,15 +31,8 @@ require_once('inc/error.php');
31 31
 require_once('inc/theme.php');
32 32
 
33 33
 
34
-function prepare_cert($cert)
35
-{
36
-	return str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert);
37
-}
38
-
39
-
40 34
 function get_logins_by_cert($cert) 
41 35
 {
42
-	$cert = prepare_cert($cert);
43 36
 	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=? ORDER BY type,username", array($cert));
44 37
 	if ($result->rowCount() < 1)
45 38
 		return NULL;
... ...
@@ -63,11 +56,13 @@ if (! isset($_SERVER['SSL_CLIENT_CERT']) && isset($_SERVER['REDIRECT_SSL_CLIENT_
63 56
 if ($_SESSION['role'] != ROLE_ANONYMOUS && isset($_REQUEST['record']) && isset($_REQUEST['backto']) && check_path($_REQUEST['backto']))
64 57
 {
65 58
   DEBUG('recording client-cert');
66
-  if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']))
59
+  if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && 
60
+      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && isset($_SERVER[$redirect.'SSL_CLIENT_M_SERIAL']))
67 61
   {
68
-    $_SESSION['clientcert_cert'] = prepare_cert($_SERVER[$redirect.'SSL_CLIENT_CERT']);
62
+    $_SESSION['clientcert_cert'] = $_SERVER[$redirect.'SSL_CLIENT_CERT'];
69 63
     $_SESSION['clientcert_dn'] = $_SERVER[$redirect.'SSL_CLIENT_S_DN'];
70 64
     $_SESSION['clientcert_issuer'] = $_SERVER[$redirect.'SSL_CLIENT_I_DN'];
65
+    $_SESSION['clientcert_serial'] = $_SERVER[$redirect.'SSL_CLIENT_M_SERIAL'];
71 66
     header('Location: '.$prefix.$_REQUEST['backto'].encode_querystring(''));
72 67
     die();
73 68
   }
... ...
@@ -109,7 +104,8 @@ else
109 104
 {
110 105
   if (isset($_SERVER[$redirect.'SSL_CLIENT_CERT']) && 
111 106
       isset($_SERVER[$redirect.'SSL_CLIENT_S_DN']) && $_SERVER[$redirect.'SSL_CLIENT_S_DN'] != '' && 
112
-      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && $_SERVER[$redirect.'SSL_CLIENT_I_DN'] != '') {
107
+      isset($_SERVER[$redirect.'SSL_CLIENT_I_DN']) && $_SERVER[$redirect.'SSL_CLIENT_I_DN'] != '' &&
108
+      isset($_SERVER[$redirect.'SSL_CLIENT_M_SERIAL']) && $_SERVER[$redirect.'SSL_CLIENT_M_SERIAL'] != '') {
113 109
     $ret = get_logins_by_cert($_SERVER[$redirect.'SSL_CLIENT_CERT']);
114 110
     if ($ret === NULL) {
115 111
       login_screen('Ihr Browser hat ein Client-Zertifikat gesendet, dieses ist aber noch nicht für den Zugang hinterlegt. Melden Sie sich bitte per Benutzername und Passwort an.');
... ...
@@ -31,6 +31,7 @@ if (isset($_GET['clear']))
31 31
   unset($_SESSION['clientcert_cert']);
32 32
   unset($_SESSION['clientcert_dn']);
33 33
   unset($_SESSION['clientcert_issuer']);
34
+  unset($_SESSION['clientcert_serial']);
34 35
 }
35 36
 
36 37
 $username = NULL;
... ...
@@ -50,7 +51,8 @@ if (isset($_SESSION['clientcert_cert']))
50 51
   output('<div style="margin: 1em; padding: 1em; border: 2px solid green;">');
51 52
   output('<p>Es wurde folgendes Client-Zertifikat von Ihrem Browser gesendet:</p>
52 53
 <div style="margin-left: 2em;"><strong>DN:</strong> '.filter_input_general($_SESSION['clientcert_dn']).'<br />
53
-<strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'</div>
54
+<strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'<br />
55
+<strong>Seriennummer:</strong> '.filter_input_general($_SESSION['clientcert_serial']).'</div>
54 56
 <p>Soll dieses Zertifikat für den Zugang für <strong>'.$username.'</strong> verwendet werden?</p>');
55 57
   output(html_form('clientcert_add', 'certsave.php', 'action=new', '<p><input type="submit" name="submit" value="Ja, dieses Zertifikat einrichten" /> &#160; '.internal_link('cert', 'Nein', 'clear').'</p>'));
56 58
   output('</div>');
... ...
@@ -63,7 +65,7 @@ if ($certs != NULL) {
63 65
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
64 66
   <ul>');
65 67
   foreach ($certs AS $cert) {
66
-   	output('<li>'.$cert['dn'].'<br /><em>ausgestellt von </em>'.$cert['issuer']);
68
+   	output('<li>'.$cert['dn'].' / Seriennummer '.$cert['serial'].'<br /><em>ausgestellt von </em>'.$cert['issuer']);
67 69
     output('<br />'.internal_link('certsave', 'Dieses Zertifikat löschen', 'action=delete&id='.$cert['id']));
68 70
     output('</li>');
69 71
   }
... ...
@@ -26,12 +26,13 @@ if ($_GET['action'] == 'new')
26 26
   if (! isset($_SESSION['clientcert_cert']))
27 27
     system_failure('Kein Zertifikat');
28 28
   
29
-  add_clientcert($_SESSION['clientcert_cert'], $_SESSION['clientcert_dn'], $_SESSION['clientcert_issuer']);
29
+  add_clientcert($_SESSION['clientcert_cert'], $_SESSION['clientcert_dn'], $_SESSION['clientcert_issuer'], $_SESSION['clientcert_serial']);
30 30
 
31 31
   // Räume session auf
32 32
   unset($_SESSION['clientcert_cert']);
33 33
   unset($_SESSION['clientcert_dn']);
34 34
   unset($_SESSION['clientcert_issuer']);
35
+  unset($_SESSION['clientcert_serial']);
35 36
   header('Location: cert');
36 37
 }
37 38
 elseif ($_GET['action'] == 'delete')
... ...
@@ -53,7 +54,7 @@ elseif ($_GET['action'] == 'delete')
53 54
   $sure = user_is_sure();
54 55
   if ($sure === NULL)
55 56
   {
56
-    are_you_sure("action=delete&id={$cert['id']}", "Möchten Sie das Zertifikat »{$cert['dn']}« wirklich löschen?");
57
+    are_you_sure("action=delete&id={$cert['id']}", "Möchten Sie das Zertifikat »{$cert['dn']}« (Seriennummer {$cert['serial']}) wirklich löschen?");
57 58
   }
58 59
   elseif ($sure === true)
59 60
   {
... ...
@@ -24,7 +24,6 @@ function do_ajax_cert_login() {
24 24
 
25 25
 function get_logins_by_cert($cert) 
26 26
 {
27
-	$cert = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert);
28 27
 	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=?", array($cert));
29 28
 	if ($result->rowCount() < 1)
30 29
 		return NULL;
... ...
@@ -42,7 +41,7 @@ function get_cert_by_id($id)
42 41
   $id = (int) $id;
43 42
 	if ($id == 0)
44 43
 	  system_failure('no ID');
45
-	$result = db_query("SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`=?", array($id));
44
+	$result = db_query("SELECT id,dn,issuer,serial,cert,username,startpage FROM system.clientcert WHERE `id`=?", array($id));
46 45
 	if ($result->rowCount() < 1)
47 46
 		return NULL;
48 47
 	$ret = $result->fetch();
... ...
@@ -55,7 +54,7 @@ function get_certs_by_username($username)
55 54
 {
56 55
 	if ($username == '')
57 56
 	  system_failure('empty username');
58
-	$result = db_query("SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`=?", array($username));
57
+	$result = db_query("SELECT id,dn,issuer,serial,cert,startpage FROM system.clientcert WHERE `username`=?", array($username));
59 58
 	if ($result->rowCount() < 1)
60 59
 		return NULL;
61 60
 	while ($row = $result->fetch()) {
... ...
@@ -65,7 +64,7 @@ function get_certs_by_username($username)
65 64
 }
66 65
 
67 66
 
68
-function add_clientcert($certdata, $dn, $issuer, $startpage=NULL)
67
+function add_clientcert($certdata, $dn, $issuer, $serial, $startpage=NULL)
69 68
 {
70 69
   $type = NULL;
71 70
   $username = NULL;
... ...
@@ -91,14 +90,15 @@ function add_clientcert($certdata, $dn, $issuer, $startpage=NULL)
91 90
 
92 91
   $args = array(":dn" => $dn,
93 92
                 ":issuer" => $issuer,
93
+                ":serial" => $serial,
94 94
                 ":certdata" => $certdata,
95 95
                 ":type" => $type,
96 96
                 ":username" => $username,
97 97
                 ":startpage" => $startpage);
98 98
   DEBUG($args);
99 99
 
100
-  db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `cert`, `type`, `username`, `startpage`) 
101
-VALUES (:dn, :issuer, :certdata, :type, :username, :startpage)", $args);
100
+  db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `serial`, `cert`, `type`, `username`, `startpage`) 
101
+VALUES (:dn, :issuer, :serial, :certdata, :type, :username, :startpage)", $args);
102 102
 
103 103
 }
104 104
 
... ...
@@ -58,8 +58,7 @@ function cert_is_letsencrypt($id)
58 58
 {
59 59
   $details = cert_details($id);
60 60
   DEBUG($details);
61
-  if ($details['chain'] == config('letsencrypt_chain') &&
62
-      strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
61
+  if (strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
63 62
     return true;
64 63
   }
65 64
   return false;