Browse code
Spaces between string concat (.) operator, new PER codingstyle
Hanno Böck authored on 31/10/2023 17:49:30
Showing 1 changed files
| ... | ... |
@@ -94,7 +94,7 @@ function csr_details($id) |
| 94 | 94 |
function get_available_CAs() |
| 95 | 95 |
{
|
| 96 | 96 |
$path = '/etc/apache2/certs/cabundle/'; |
| 97 |
- $ret = glob($path.'*.pem'); |
|
| 97 |
+ $ret = glob($path . '*.pem'); |
|
| 98 | 98 |
if (!$ret) {
|
| 99 | 99 |
system_failure("Konnte die CA-Zertifikate nicht laden");
|
| 100 | 100 |
} |
| ... | ... |
@@ -116,7 +116,7 @@ function get_chain($cert) |
| 116 | 116 |
if ($result->rowCount() > 0) {
|
| 117 | 117 |
$c = $result->fetch(); |
| 118 | 118 |
//$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem'; |
| 119 |
- DEBUG("identified fitting certificate chain #".$c['id']);
|
|
| 119 |
+ DEBUG("identified fitting certificate chain #" . $c['id']);
|
|
| 120 | 120 |
return $c['id']; |
| 121 | 121 |
} |
| 122 | 122 |
} |
| ... | ... |
@@ -165,7 +165,7 @@ function validate_certificate($cert, $key) |
| 165 | 165 |
|
| 166 | 166 |
// Prüfe ob Key und Zertifikat zusammen passen |
| 167 | 167 |
if (openssl_x509_check_private_key($cert, $key) !== true) {
|
| 168 |
- DEBUG("Zertifikat und Key passen nicht zusammen: ".openssl_x509_check_private_key($cert, $key));
|
|
| 168 |
+ DEBUG("Zertifikat und Key passen nicht zusammen: " . openssl_x509_check_private_key($cert, $key));
|
|
| 169 | 169 |
return CERT_INVALID; |
| 170 | 170 |
} |
| 171 | 171 |
|
| ... | ... |
@@ -214,12 +214,12 @@ function parse_cert_details($cert) |
| 214 | 214 |
$issuer = $certdata['issuer']['O']; |
| 215 | 215 |
} |
| 216 | 216 |
if (isset($certdata['extensions']['subjectAltName'])) {
|
| 217 |
- DEBUG("SAN: ".$certdata['extensions']['subjectAltName']);
|
|
| 217 |
+ DEBUG("SAN: " . $certdata['extensions']['subjectAltName']);
|
|
| 218 | 218 |
$san = []; |
| 219 | 219 |
$raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
| 220 | 220 |
foreach ($raw_san as $name) {
|
| 221 | 221 |
if (!substr($name, 0, 4) == 'DNS:') {
|
| 222 |
- warning('Unparsable SAN: '.$name);
|
|
| 222 |
+ warning('Unparsable SAN: ' . $name);
|
|
| 223 | 223 |
continue; |
| 224 | 224 |
} |
| 225 | 225 |
$san[] = str_replace('DNS:', '', $name);
|
| ... | ... |
@@ -228,8 +228,8 @@ function parse_cert_details($cert) |
| 228 | 228 |
} else {
|
| 229 | 229 |
$san = "\n"; |
| 230 | 230 |
} |
| 231 |
- DEBUG("SAN: <pre>".$san."</pre>");
|
|
| 232 |
- return ['subject' => $certdata['subject']['CN'].' / '.$issuer, 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']), 'issuer' => $certdata['issuer']['CN'], 'san' => $san];
|
|
| 231 |
+ DEBUG("SAN: <pre>" . $san . "</pre>");
|
|
| 232 |
+ return ['subject' => $certdata['subject']['CN'] . ' / ' . $issuer, 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']), 'issuer' => $certdata['issuer']['CN'], 'san' => $san];
|
|
| 233 | 233 |
} |
| 234 | 234 |
|
| 235 | 235 |
|
| ... | ... |
@@ -311,9 +311,9 @@ function create_csr($cn, $bits) |
| 311 | 311 |
$domains = split_cn($cn); |
| 312 | 312 |
$tmp = []; |
| 313 | 313 |
foreach ($domains as $dom) {
|
| 314 |
- $tmp[] = 'DNS:'.$dom; |
|
| 314 |
+ $tmp[] = 'DNS:' . $dom; |
|
| 315 | 315 |
} |
| 316 |
- $SAN = "[ v3_req ]\nsubjectAltName = ".implode(', ', $tmp);
|
|
| 316 |
+ $SAN = "[ v3_req ]\nsubjectAltName = " . implode(', ', $tmp);
|
|
| 317 | 317 |
DEBUG($SAN); |
| 318 | 318 |
$cn = $domains[0]; |
| 319 | 319 |
$bits = (int) $bits; |
| ... | ... |
@@ -325,7 +325,7 @@ function create_csr($cn, $bits) |
| 325 | 325 |
$csrfile = tempnam(ini_get('upload_tmp_dir'), 'csr');
|
| 326 | 326 |
$config = tempnam(ini_get('upload_tmp_dir'), 'config');
|
| 327 | 327 |
|
| 328 |
- DEBUG("key: ".$keyfile." / csr: ".$csrfile." / config: ".$config);
|
|
| 328 |
+ DEBUG("key: " . $keyfile . " / csr: " . $csrfile . " / config: " . $config);
|
|
| 329 | 329 |
|
| 330 | 330 |
$c = fopen($config, "w"); |
| 331 | 331 |
fwrite($c, "[req] |
| ... | ... |
@@ -358,7 +358,7 @@ commonName_default = {$cn}
|
| 358 | 358 |
DEBUG($output); |
| 359 | 359 |
DEBUG($retval); |
| 360 | 360 |
if ($retval != 0) {
|
| 361 |
- system_failure("Die Erzeugung des CSR ist fehlgeschlagen. Ausgabe des OpenSSL-Befehls: ".print_r($output, true));
|
|
| 361 |
+ system_failure("Die Erzeugung des CSR ist fehlgeschlagen. Ausgabe des OpenSSL-Befehls: " . print_r($output, true));
|
|
| 362 | 362 |
} |
| 363 | 363 |
|
| 364 | 364 |
$csr = file_get_contents($csrfile); |
Browse code
Fix not operator (!) spaces
Hanno Böck authored on 28/10/2023 19:16:53
Showing 1 changed files
| ... | ... |
@@ -95,7 +95,7 @@ function get_available_CAs() |
| 95 | 95 |
{
|
| 96 | 96 |
$path = '/etc/apache2/certs/cabundle/'; |
| 97 | 97 |
$ret = glob($path.'*.pem'); |
| 98 |
- if (! $ret) {
|
|
| 98 |
+ if (!$ret) {
|
|
| 99 | 99 |
system_failure("Konnte die CA-Zertifikate nicht laden");
|
| 100 | 100 |
} |
| 101 | 101 |
DEBUG($ret); |
| ... | ... |
@@ -109,7 +109,7 @@ function get_chain($cert) |
| 109 | 109 |
if ($certdata === false) {
|
| 110 | 110 |
system_failure("Das Zertifikat konnte nicht gelesen werden");
|
| 111 | 111 |
} |
| 112 |
- if (! isset($certdata['issuer']['CN'])) {
|
|
| 112 |
+ if (!isset($certdata['issuer']['CN'])) {
|
|
| 113 | 113 |
return null; |
| 114 | 114 |
} |
| 115 | 115 |
$result = db_query("SELECT id FROM vhosts.certchain WHERE cn=?", [$certdata['issuer']['CN']]);
|
| ... | ... |
@@ -218,7 +218,7 @@ function parse_cert_details($cert) |
| 218 | 218 |
$san = []; |
| 219 | 219 |
$raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
| 220 | 220 |
foreach ($raw_san as $name) {
|
| 221 |
- if (! substr($name, 0, 4) == 'DNS:') {
|
|
| 221 |
+ if (!substr($name, 0, 4) == 'DNS:') {
|
|
| 222 | 222 |
warning('Unparsable SAN: '.$name);
|
| 223 | 223 |
continue; |
| 224 | 224 |
} |
| ... | ... |
@@ -375,7 +375,7 @@ commonName_default = {$cn}
|
| 375 | 375 |
|
| 376 | 376 |
function save_csr($cn, $bits, $replace = null) |
| 377 | 377 |
{
|
| 378 |
- if (! $cn) {
|
|
| 378 |
+ if (!$cn) {
|
|
| 379 | 379 |
system_failure("Sie müssen einen Domainname eingeben!");
|
| 380 | 380 |
} |
| 381 | 381 |
$domains = split_cn($cn); |
Browse code
codingstyle, spaces between operators
Hanno Böck authored on 02/09/2023 07:49:40
Showing 1 changed files
| ... | ... |
@@ -300,7 +300,7 @@ function split_cn($cn) |
| 300 | 300 |
} else {
|
| 301 | 301 |
$domains[] = $cn; |
| 302 | 302 |
} |
| 303 |
- for ($i=0;$i!=count($domains);$i++) {
|
|
| 303 |
+ for ($i = 0;$i != count($domains);$i++) {
|
|
| 304 | 304 |
$domains[$i] = filter_input_hostname($domains[$i], true); |
| 305 | 305 |
} |
| 306 | 306 |
return $domains; |
| ... | ... |
@@ -373,7 +373,7 @@ commonName_default = {$cn}
|
| 373 | 373 |
|
| 374 | 374 |
|
| 375 | 375 |
|
| 376 |
-function save_csr($cn, $bits, $replace=null) |
|
| 376 |
+function save_csr($cn, $bits, $replace = null) |
|
| 377 | 377 |
{
|
| 378 | 378 |
if (! $cn) {
|
| 379 | 379 |
system_failure("Sie müssen einen Domainname eingeben!");
|
Browse code
Change license from CC0 to 0BSD, all contributors agreed
Hanno Böck authored on 20/08/2022 09:22:23
Showing 1 changed files
| ... | ... |
@@ -2,14 +2,11 @@ |
| 2 | 2 |
/* |
| 3 | 3 |
This file belongs to the Webinterface of schokokeks.org Hosting |
| 4 | 4 |
|
| 5 |
-Written 2008-2018 by schokokeks.org Hosting, namely |
|
| 5 |
+Written by schokokeks.org Hosting, namely |
|
| 6 | 6 |
Bernd Wurst <bernd@schokokeks.org> |
| 7 | 7 |
Hanno Böck <hanno@schokokeks.org> |
| 8 | 8 |
|
| 9 |
-To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty. |
|
| 10 |
- |
|
| 11 |
-You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see |
|
| 12 |
-http://creativecommons.org/publicdomain/zero/1.0/ |
|
| 9 |
+This code is published under a 0BSD license. |
|
| 13 | 10 |
|
| 14 | 11 |
Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code. |
| 15 | 12 |
*/ |
Browse code
handle empty SAN properly
Hanno Böck authored on 03/07/2022 09:47:02
Showing 1 changed files
| ... | ... |
@@ -210,30 +210,27 @@ function validate_certificate($cert, $key) |
| 210 | 210 |
function parse_cert_details($cert) |
| 211 | 211 |
{
|
| 212 | 212 |
$certdata = openssl_x509_parse($cert, true); |
| 213 |
- /* |
|
| 214 |
-name => /CN=*.bwurst.org |
|
| 215 |
-validFrom_time_t => 1204118790 |
|
| 216 |
-validTo_time_t => 1267190790 |
|
| 217 |
- |
|
| 218 |
- |
|
| 219 |
- */ |
|
| 220 | 213 |
DEBUG($certdata); |
| 221 |
- DEBUG("SAN: ".$certdata['extensions']['subjectAltName']);
|
|
| 222 |
- //return array('subject' => $certdata['name'], 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']));
|
|
| 214 |
+ |
|
| 223 | 215 |
$issuer = $certdata['issuer']['CN']; |
| 224 | 216 |
if (isset($certdata['issuer']['O'])) {
|
| 225 | 217 |
$issuer = $certdata['issuer']['O']; |
| 226 | 218 |
} |
| 227 |
- $san = []; |
|
| 228 |
- $raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
|
| 229 |
- foreach ($raw_san as $name) {
|
|
| 230 |
- if (! substr($name, 0, 4) == 'DNS:') {
|
|
| 231 |
- warning('Unparsable SAN: '.$name);
|
|
| 232 |
- continue; |
|
| 219 |
+ if (isset($certdata['extensions']['subjectAltName'])) {
|
|
| 220 |
+ DEBUG("SAN: ".$certdata['extensions']['subjectAltName']);
|
|
| 221 |
+ $san = []; |
|
| 222 |
+ $raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
|
| 223 |
+ foreach ($raw_san as $name) {
|
|
| 224 |
+ if (! substr($name, 0, 4) == 'DNS:') {
|
|
| 225 |
+ warning('Unparsable SAN: '.$name);
|
|
| 226 |
+ continue; |
|
| 227 |
+ } |
|
| 228 |
+ $san[] = str_replace('DNS:', '', $name);
|
|
| 233 | 229 |
} |
| 234 |
- $san[] = str_replace('DNS:', '', $name);
|
|
| 230 |
+ $san = implode("\n", $san);
|
|
| 231 |
+ } else {
|
|
| 232 |
+ $san = "\n"; |
|
| 235 | 233 |
} |
| 236 |
- $san = implode("\n", $san);
|
|
| 237 | 234 |
DEBUG("SAN: <pre>".$san."</pre>");
|
| 238 | 235 |
return ['subject' => $certdata['subject']['CN'].' / '.$issuer, 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']), 'issuer' => $certdata['issuer']['CN'], 'san' => $san];
|
| 239 | 236 |
} |
Browse code
Codingstyle PSR12 + array syntax
Hanno Böck authored on 30/10/2021 21:18:17
Showing 1 changed files
| ... | ... |
@@ -24,8 +24,8 @@ define("CERT_NOCHAIN", 2);
|
| 24 | 24 |
function user_certs() |
| 25 | 25 |
{
|
| 26 | 26 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 27 |
- $result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=? ORDER BY cn", array($uid));
|
|
| 28 |
- $ret = array(); |
|
| 27 |
+ $result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=? ORDER BY cn", [$uid]);
|
|
| 28 |
+ $ret = []; |
|
| 29 | 29 |
while ($i = $result->fetch()) {
|
| 30 | 30 |
$ret[] = $i; |
| 31 | 31 |
} |
| ... | ... |
@@ -36,8 +36,8 @@ function user_certs() |
| 36 | 36 |
function user_csr() |
| 37 | 37 |
{
|
| 38 | 38 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 39 |
- $result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=? ORDER BY hostname", array($uid));
|
|
| 40 |
- $ret = array(); |
|
| 39 |
+ $result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=? ORDER BY hostname", [$uid]);
|
|
| 40 |
+ $ret = []; |
|
| 41 | 41 |
while ($i = $result->fetch()) {
|
| 42 | 42 |
$ret[] = $i; |
| 43 | 43 |
} |
| ... | ... |
@@ -63,7 +63,7 @@ function cert_details($id) |
| 63 | 63 |
$id = (int) $id; |
| 64 | 64 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 65 | 65 |
|
| 66 |
- $result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, chain, cert, `key` FROM vhosts.certs WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 66 |
+ $result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, chain, cert, `key` FROM vhosts.certs WHERE uid=:uid AND id=:id", [":uid" => $uid, ":id" => $id]);
|
|
| 67 | 67 |
if ($result->rowCount() != 1) {
|
| 68 | 68 |
system_failure("Ungültiges Zertifikat #{$id}");
|
| 69 | 69 |
} |
| ... | ... |
@@ -86,7 +86,7 @@ function csr_details($id) |
| 86 | 86 |
$id = (int) $id; |
| 87 | 87 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 88 | 88 |
|
| 89 |
- $result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 89 |
+ $result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid=:uid AND id=:id", [":uid" => $uid, ":id" => $id]);
|
|
| 90 | 90 |
if ($result->rowCount() != 1) {
|
| 91 | 91 |
system_failure("Ungültiger CSR");
|
| 92 | 92 |
} |
| ... | ... |
@@ -115,7 +115,7 @@ function get_chain($cert) |
| 115 | 115 |
if (! isset($certdata['issuer']['CN'])) {
|
| 116 | 116 |
return null; |
| 117 | 117 |
} |
| 118 |
- $result = db_query("SELECT id FROM vhosts.certchain WHERE cn=?", array($certdata['issuer']['CN']));
|
|
| 118 |
+ $result = db_query("SELECT id FROM vhosts.certchain WHERE cn=?", [$certdata['issuer']['CN']]);
|
|
| 119 | 119 |
if ($result->rowCount() > 0) {
|
| 120 | 120 |
$c = $result->fetch(); |
| 121 | 121 |
//$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem'; |
| ... | ... |
@@ -162,7 +162,7 @@ function validate_certificate($cert, $key) |
| 162 | 162 |
if ($x509info === false) {
|
| 163 | 163 |
system_failure("Zertifikat konnte nicht verarbeitet werden");
|
| 164 | 164 |
} |
| 165 |
- if (!in_array($x509info['signatureTypeSN'], array("RSA-SHA256", "RSA-SHA385", "RSA-SHA512"))) {
|
|
| 165 |
+ if (!in_array($x509info['signatureTypeSN'], ["RSA-SHA256", "RSA-SHA385", "RSA-SHA512"])) {
|
|
| 166 | 166 |
system_failure("Nicht unterstützer Signatur-Hashalgorithmus!");
|
| 167 | 167 |
} |
| 168 | 168 |
|
| ... | ... |
@@ -181,10 +181,10 @@ function validate_certificate($cert, $key) |
| 181 | 181 |
system_failure("Testsignatur ungültig, Key vermutlich fehlerhaft!");
|
| 182 | 182 |
} |
| 183 | 183 |
|
| 184 |
- $cacerts = array('/etc/ssl/certs');
|
|
| 184 |
+ $cacerts = ['/etc/ssl/certs']; |
|
| 185 | 185 |
$chain = (int) get_chain($cert); |
| 186 | 186 |
if ($chain) {
|
| 187 |
- $result = db_query("SELECT content FROM vhosts.certchain WHERE id=?", array($chain));
|
|
| 187 |
+ $result = db_query("SELECT content FROM vhosts.certchain WHERE id=?", [$chain]);
|
|
| 188 | 188 |
$tmp = $result->fetch(); |
| 189 | 189 |
$chaincert = $tmp['content']; |
| 190 | 190 |
$chainfile = tempnam(sys_get_temp_dir(), 'webinterface'); |
| ... | ... |
@@ -224,7 +224,7 @@ validTo_time_t => 1267190790 |
| 224 | 224 |
if (isset($certdata['issuer']['O'])) {
|
| 225 | 225 |
$issuer = $certdata['issuer']['O']; |
| 226 | 226 |
} |
| 227 |
- $san = array(); |
|
| 227 |
+ $san = []; |
|
| 228 | 228 |
$raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
| 229 | 229 |
foreach ($raw_san as $name) {
|
| 230 | 230 |
if (! substr($name, 0, 4) == 'DNS:') {
|
| ... | ... |
@@ -235,7 +235,7 @@ validTo_time_t => 1267190790 |
| 235 | 235 |
} |
| 236 | 236 |
$san = implode("\n", $san);
|
| 237 | 237 |
DEBUG("SAN: <pre>".$san."</pre>");
|
| 238 |
- return array('subject' => $certdata['subject']['CN'].' / '.$issuer, 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']), 'issuer' => $certdata['issuer']['CN'], 'san' => $san);
|
|
| 238 |
+ return ['subject' => $certdata['subject']['CN'].' / '.$issuer, 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']), 'issuer' => $certdata['issuer']['CN'], 'san' => $san];
|
|
| 239 | 239 |
} |
| 240 | 240 |
|
| 241 | 241 |
|
| ... | ... |
@@ -247,8 +247,8 @@ function save_cert($info, $cert, $key) |
| 247 | 247 |
|
| 248 | 248 |
db_query( |
| 249 | 249 |
"INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
| 250 |
- array(":uid" => $uid, ":subject" => filter_input_oneline($info['subject']), ":cn" => filter_input_oneline($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'],
|
|
| 251 |
- ":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key) |
|
| 250 |
+ [":uid" => $uid, ":subject" => filter_input_oneline($info['subject']), ":cn" => filter_input_oneline($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'], |
|
| 251 |
+ ":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key, ] |
|
| 252 | 252 |
); |
| 253 | 253 |
} |
| 254 | 254 |
|
| ... | ... |
@@ -260,14 +260,14 @@ function refresh_cert($id, $info, $cert, $key = null) |
| 260 | 260 |
|
| 261 | 261 |
$id = (int) $id; |
| 262 | 262 |
$oldcert = cert_details($id); |
| 263 |
- $args = array(":subject" => filter_input_oneline($info['subject']),
|
|
| 263 |
+ $args = [":subject" => filter_input_oneline($info['subject']), |
|
| 264 | 264 |
":cn" => filter_input_oneline($info['cn']), |
| 265 | 265 |
":san" => $info['san'], |
| 266 | 266 |
":cert" => $cert, |
| 267 | 267 |
":valid_from" => $info['valid_from'], |
| 268 | 268 |
":valid_until" => $info['valid_until'], |
| 269 | 269 |
":chain" => get_chain($cert), |
| 270 |
- ":id" => $id); |
|
| 270 |
+ ":id" => $id, ]; |
|
| 271 | 271 |
|
| 272 | 272 |
$keyop = ''; |
| 273 | 273 |
if ($key) {
|
| ... | ... |
@@ -284,7 +284,7 @@ function delete_cert($id) |
| 284 | 284 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 285 | 285 |
$id = (int) $id; |
| 286 | 286 |
|
| 287 |
- db_query("DELETE FROM vhosts.certs WHERE uid=? AND id=?", array($uid, $id));
|
|
| 287 |
+ db_query("DELETE FROM vhosts.certs WHERE uid=? AND id=?", [$uid, $id]);
|
|
| 288 | 288 |
} |
| 289 | 289 |
|
| 290 | 290 |
function delete_csr($id) |
| ... | ... |
@@ -292,13 +292,13 @@ function delete_csr($id) |
| 292 | 292 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 293 | 293 |
$id = (int) $id; |
| 294 | 294 |
|
| 295 |
- db_query("DELETE FROM vhosts.csr WHERE uid=? AND id=?", array($uid, $id));
|
|
| 295 |
+ db_query("DELETE FROM vhosts.csr WHERE uid=? AND id=?", [$uid, $id]);
|
|
| 296 | 296 |
} |
| 297 | 297 |
|
| 298 | 298 |
|
| 299 | 299 |
function split_cn($cn) |
| 300 | 300 |
{
|
| 301 |
- $domains = array(); |
|
| 301 |
+ $domains = []; |
|
| 302 | 302 |
if (strstr($cn, ',') or strstr($cn, "\n")) {
|
| 303 | 303 |
$domains = preg_split("/[, \n]+/", $cn);
|
| 304 | 304 |
DEBUG("Domains:");
|
| ... | ... |
@@ -315,7 +315,7 @@ function split_cn($cn) |
| 315 | 315 |
function create_csr($cn, $bits) |
| 316 | 316 |
{
|
| 317 | 317 |
$domains = split_cn($cn); |
| 318 |
- $tmp = array(); |
|
| 318 |
+ $tmp = []; |
|
| 319 | 319 |
foreach ($domains as $dom) {
|
| 320 | 320 |
$tmp[] = 'DNS:'.$dom; |
| 321 | 321 |
} |
| ... | ... |
@@ -374,7 +374,7 @@ commonName_default = {$cn}
|
| 374 | 374 |
unlink($keyfile); |
| 375 | 375 |
unlink($config); |
| 376 | 376 |
|
| 377 |
- return array($csr, $key); |
|
| 377 |
+ return [$csr, $key]; |
|
| 378 | 378 |
} |
| 379 | 379 |
|
| 380 | 380 |
|
| ... | ... |
@@ -389,13 +389,13 @@ function save_csr($cn, $bits, $replace=null) |
| 389 | 389 |
$san = implode("\n", $domains);
|
| 390 | 390 |
$csr = null; |
| 391 | 391 |
$key = null; |
| 392 |
- list($csr, $key) = create_csr(implode(',', $domains), $bits);
|
|
| 392 |
+ [$csr, $key] = create_csr(implode(',', $domains), $bits);
|
|
| 393 | 393 |
|
| 394 | 394 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 395 | 395 |
db_query( |
| 396 | 396 |
"INSERT INTO vhosts.csr (uid, hostname, san, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :san, :bits, :replace, :csr, :key)", |
| 397 |
- array(":uid" => $uid, ":cn" => $cn, ":san" => $san, ":bits" => $bits,
|
|
| 398 |
- ":replace" => $replace, ":csr" => $csr, ":key" => $key) |
|
| 397 |
+ [":uid" => $uid, ":cn" => $cn, ":san" => $san, ":bits" => $bits, |
|
| 398 |
+ ":replace" => $replace, ":csr" => $csr, ":key" => $key, ] |
|
| 399 | 399 |
); |
| 400 | 400 |
$id = db_insert_id(); |
| 401 | 401 |
return $id; |
Browse code
deutlich striktere Checks bei hochgeladenen Zertifikaten, User können sonst mit unsinnigen oder veralteten Zertifikaten den Apache lahmlegen
Hanno Böck authored on 02/05/2021 17:35:45
Showing 1 changed files
| ... | ... |
@@ -138,20 +138,32 @@ function validate_certificate($cert, $key) |
| 138 | 138 |
system_failure("In dem eingetragenen Zertifikat wurde kein öffentlicher Schlüssel gefunden.");
|
| 139 | 139 |
} |
| 140 | 140 |
// Parse Details über den pubkey |
| 141 |
- $certinfo = openssl_pkey_get_details($pubkey); |
|
| 142 |
- DEBUG($certinfo); |
|
| 143 |
- if ($certinfo === false) {
|
|
| 141 |
+ $pubkeyinfo = openssl_pkey_get_details($pubkey); |
|
| 142 |
+ DEBUG($pubkeyinfo); |
|
| 143 |
+ if ($pubkeyinfo === false) {
|
|
| 144 | 144 |
system_failure("Der öffentliche Schlüssel des Zertifikats konnte nicht gelesen werden");
|
| 145 | 145 |
} |
| 146 | 146 |
|
| 147 | 147 |
// Apache unterstützt nur Schlüssel vom Typ RSA oder DSA |
| 148 |
- if (! in_array($certinfo['type'], array(OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA))) {
|
|
| 148 |
+ if ($pubkeyinfo['type'] !== OPENSSL_KEYTYPE_RSA) {
|
|
| 149 | 149 |
system_failure("Dieser Schlüssel nutzt einen nicht unterstützten Algorithmus.");
|
| 150 | 150 |
} |
| 151 | 151 |
|
| 152 | 152 |
// Bei ECC-Keys treten kürzere Schlüssellängen auf, die können wir aktuell aber sowieso nicht unterstützen |
| 153 |
- if ($certinfo['bits'] < 2048) {
|
|
| 154 |
- warning("Dieser Schlüssel hat eine sehr geringe Bitlänge und ist daher als nicht besonders sicher einzustufen!");
|
|
| 153 |
+ // Wir blockieren zu kurze und zu lange Schlüssel hart, da Apache sonst nicht startet |
|
| 154 |
+ if ($pubkeyinfo['bits'] < 2048) {
|
|
| 155 |
+ system_failure("Schlüssellänge ist zu kurz");
|
|
| 156 |
+ } |
|
| 157 |
+ if ($pubkeyinfo['bits'] > 4096) {
|
|
| 158 |
+ system_failure("Schlüssellänge ist zu lang");
|
|
| 159 |
+ } |
|
| 160 |
+ |
|
| 161 |
+ $x509info = openssl_x509_parse($cert); |
|
| 162 |
+ if ($x509info === false) {
|
|
| 163 |
+ system_failure("Zertifikat konnte nicht verarbeitet werden");
|
|
| 164 |
+ } |
|
| 165 |
+ if (!in_array($x509info['signatureTypeSN'], array("RSA-SHA256", "RSA-SHA385", "RSA-SHA512"))) {
|
|
| 166 |
+ system_failure("Nicht unterstützer Signatur-Hashalgorithmus!");
|
|
| 155 | 167 |
} |
| 156 | 168 |
|
| 157 | 169 |
// Prüfe ob Key und Zertifikat zusammen passen |
| ... | ... |
@@ -160,6 +172,15 @@ function validate_certificate($cert, $key) |
| 160 | 172 |
return CERT_INVALID; |
| 161 | 173 |
} |
| 162 | 174 |
|
| 175 |
+ // Check von openssl_x509_check_private_key() ist leider nicht ausreichend |
|
| 176 |
+ $testdata = base64_encode(random_bytes(32)); |
|
| 177 |
+ if (openssl_sign($testdata, $signature, $seckey) !== true) {
|
|
| 178 |
+ system_failure("Kann keine Testsignatur erstellen, Key ungültig!");
|
|
| 179 |
+ } |
|
| 180 |
+ if (openssl_verify($testdata, $signature, $pubkey) !== 1) {
|
|
| 181 |
+ system_failure("Testsignatur ungültig, Key vermutlich fehlerhaft!");
|
|
| 182 |
+ } |
|
| 183 |
+ |
|
| 163 | 184 |
$cacerts = array('/etc/ssl/certs');
|
| 164 | 185 |
$chain = (int) get_chain($cert); |
| 165 | 186 |
if ($chain) {
|
Browse code
Fix codingstyle
Hanno authored on 27/10/2019 08:54:14
Showing 1 changed files
| ... | ... |
@@ -228,7 +228,7 @@ function save_cert($info, $cert, $key) |
| 228 | 228 |
"INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
| 229 | 229 |
array(":uid" => $uid, ":subject" => filter_input_oneline($info['subject']), ":cn" => filter_input_oneline($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'],
|
| 230 | 230 |
":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key) |
| 231 |
- ); |
|
| 231 |
+ ); |
|
| 232 | 232 |
} |
| 233 | 233 |
|
| 234 | 234 |
|
| ... | ... |
@@ -375,7 +375,7 @@ function save_csr($cn, $bits, $replace=null) |
| 375 | 375 |
"INSERT INTO vhosts.csr (uid, hostname, san, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :san, :bits, :replace, :csr, :key)", |
| 376 | 376 |
array(":uid" => $uid, ":cn" => $cn, ":san" => $san, ":bits" => $bits,
|
| 377 | 377 |
":replace" => $replace, ":csr" => $csr, ":key" => $key) |
| 378 |
- ); |
|
| 378 |
+ ); |
|
| 379 | 379 |
$id = db_insert_id(); |
| 380 | 380 |
return $id; |
| 381 | 381 |
} |
Browse code
Umstellung von filter_input_general() auf filter_output_html()
Bernd Wurst authored on 21/09/2019 17:07:48
Showing 1 changed files
| ... | ... |
@@ -226,7 +226,7 @@ function save_cert($info, $cert, $key) |
| 226 | 226 |
|
| 227 | 227 |
db_query( |
| 228 | 228 |
"INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
| 229 |
- array(":uid" => $uid, ":subject" => filter_input_general($info['subject']), ":cn" => filter_input_general($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'],
|
|
| 229 |
+ array(":uid" => $uid, ":subject" => filter_input_oneline($info['subject']), ":cn" => filter_input_oneline($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'],
|
|
| 230 | 230 |
":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key) |
| 231 | 231 |
); |
| 232 | 232 |
} |
| ... | ... |
@@ -239,8 +239,8 @@ function refresh_cert($id, $info, $cert, $key = null) |
| 239 | 239 |
|
| 240 | 240 |
$id = (int) $id; |
| 241 | 241 |
$oldcert = cert_details($id); |
| 242 |
- $args = array(":subject" => filter_input_general($info['subject']),
|
|
| 243 |
- ":cn" => filter_input_general($info['cn']), |
|
| 242 |
+ $args = array(":subject" => filter_input_oneline($info['subject']),
|
|
| 243 |
+ ":cn" => filter_input_oneline($info['cn']), |
|
| 244 | 244 |
":san" => $info['san'], |
| 245 | 245 |
":cert" => $cert, |
| 246 | 246 |
":valid_from" => $info['valid_from'], |
Browse code
Update codingstyle according to latest PHP CS Fixer 2.14.2
Hanno authored on 28/03/2019 18:56:56
Showing 1 changed files
| ... | ... |
@@ -225,7 +225,7 @@ function save_cert($info, $cert, $key) |
| 225 | 225 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 226 | 226 |
|
| 227 | 227 |
db_query( |
| 228 |
- "INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
|
| 228 |
+ "INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
|
| 229 | 229 |
array(":uid" => $uid, ":subject" => filter_input_general($info['subject']), ":cn" => filter_input_general($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'],
|
| 230 | 230 |
":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key) |
| 231 | 231 |
); |
| ... | ... |
@@ -372,8 +372,8 @@ function save_csr($cn, $bits, $replace=null) |
| 372 | 372 |
|
| 373 | 373 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 374 | 374 |
db_query( |
| 375 |
- "INSERT INTO vhosts.csr (uid, hostname, san, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :san, :bits, :replace, :csr, :key)", |
|
| 376 |
- array(":uid" => $uid, ":cn" => $cn, ":san" => $san, ":bits" => $bits,
|
|
| 375 |
+ "INSERT INTO vhosts.csr (uid, hostname, san, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :san, :bits, :replace, :csr, :key)", |
|
| 376 |
+ array(":uid" => $uid, ":cn" => $cn, ":san" => $san, ":bits" => $bits,
|
|
| 377 | 377 |
":replace" => $replace, ":csr" => $csr, ":key" => $key) |
| 378 | 378 |
); |
| 379 | 379 |
$id = db_insert_id(); |
Browse code
Fix SAN for refreshed certs
Bernd Wurst authored on 16/01/2019 15:15:18
Showing 1 changed files
| ... | ... |
@@ -241,7 +241,7 @@ function refresh_cert($id, $info, $cert, $key = null) |
| 241 | 241 |
$oldcert = cert_details($id); |
| 242 | 242 |
$args = array(":subject" => filter_input_general($info['subject']),
|
| 243 | 243 |
":cn" => filter_input_general($info['cn']), |
| 244 |
- ":san" => $san, |
|
| 244 |
+ ":san" => $info['san'], |
|
| 245 | 245 |
":cert" => $cert, |
| 246 | 246 |
":valid_from" => $info['valid_from'], |
| 247 | 247 |
":valid_until" => $info['valid_until'], |
Browse code
remove whitespace in empty lines
Hanno authored on 26/06/2018 23:36:40
Showing 1 changed files
| ... | ... |
@@ -62,7 +62,7 @@ function cert_details($id) |
| 62 | 62 |
{
|
| 63 | 63 |
$id = (int) $id; |
| 64 | 64 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 65 |
- |
|
| 65 |
+ |
|
| 66 | 66 |
$result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, chain, cert, `key` FROM vhosts.certs WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
| 67 | 67 |
if ($result->rowCount() != 1) {
|
| 68 | 68 |
system_failure("Ungültiges Zertifikat #{$id}");
|
| ... | ... |
@@ -85,7 +85,7 @@ function csr_details($id) |
| 85 | 85 |
{
|
| 86 | 86 |
$id = (int) $id; |
| 87 | 87 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 88 |
- |
|
| 88 |
+ |
|
| 89 | 89 |
$result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
| 90 | 90 |
if ($result->rowCount() != 1) {
|
| 91 | 91 |
system_failure("Ungültiger CSR");
|
| ... | ... |
@@ -148,7 +148,7 @@ function validate_certificate($cert, $key) |
| 148 | 148 |
if (! in_array($certinfo['type'], array(OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA))) {
|
| 149 | 149 |
system_failure("Dieser Schlüssel nutzt einen nicht unterstützten Algorithmus.");
|
| 150 | 150 |
} |
| 151 |
- |
|
| 151 |
+ |
|
| 152 | 152 |
// Bei ECC-Keys treten kürzere Schlüssellängen auf, die können wir aktuell aber sowieso nicht unterstützen |
| 153 | 153 |
if ($certinfo['bits'] < 2048) {
|
| 154 | 154 |
warning("Dieser Schlüssel hat eine sehr geringe Bitlänge und ist daher als nicht besonders sicher einzustufen!");
|
| ... | ... |
@@ -262,7 +262,7 @@ function delete_cert($id) |
| 262 | 262 |
{
|
| 263 | 263 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 264 | 264 |
$id = (int) $id; |
| 265 |
- |
|
| 265 |
+ |
|
| 266 | 266 |
db_query("DELETE FROM vhosts.certs WHERE uid=? AND id=?", array($uid, $id));
|
| 267 | 267 |
} |
| 268 | 268 |
|
| ... | ... |
@@ -270,7 +270,7 @@ function delete_csr($id) |
| 270 | 270 |
{
|
| 271 | 271 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 272 | 272 |
$id = (int) $id; |
| 273 |
- |
|
| 273 |
+ |
|
| 274 | 274 |
db_query("DELETE FROM vhosts.csr WHERE uid=? AND id=?", array($uid, $id));
|
| 275 | 275 |
} |
| 276 | 276 |
|
| ... | ... |
@@ -345,7 +345,7 @@ commonName_default = {$cn}
|
| 345 | 345 |
if ($retval != 0) {
|
| 346 | 346 |
system_failure("Die Erzeugung des CSR ist fehlgeschlagen. Ausgabe des OpenSSL-Befehls: ".print_r($output, true));
|
| 347 | 347 |
} |
| 348 |
- |
|
| 348 |
+ |
|
| 349 | 349 |
$csr = file_get_contents($csrfile); |
| 350 | 350 |
$key = file_get_contents($keyfile); |
| 351 | 351 |
|
| ... | ... |
@@ -369,7 +369,7 @@ function save_csr($cn, $bits, $replace=null) |
| 369 | 369 |
$csr = null; |
| 370 | 370 |
$key = null; |
| 371 | 371 |
list($csr, $key) = create_csr(implode(',', $domains), $bits);
|
| 372 |
- |
|
| 372 |
+ |
|
| 373 | 373 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 374 | 374 |
db_query( |
| 375 | 375 |
"INSERT INTO vhosts.csr (uid, hostname, san, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :san, :bits, :replace, :csr, :key)", |
Browse code
Fix coding style with php-cs-checker, see https://cs.sensiolabs.org/
Hanno authored on 26/06/2018 13:58:19
Showing 1 changed files
| ... | ... |
@@ -8,7 +8,7 @@ Written 2008-2018 by schokokeks.org Hosting, namely |
| 8 | 8 |
|
| 9 | 9 |
To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty. |
| 10 | 10 |
|
| 11 |
-You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see |
|
| 11 |
+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see |
|
| 12 | 12 |
http://creativecommons.org/publicdomain/zero/1.0/ |
| 13 | 13 |
|
| 14 | 14 |
Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code. |
| ... | ... |
@@ -23,220 +23,223 @@ define("CERT_NOCHAIN", 2);
|
| 23 | 23 |
|
| 24 | 24 |
function user_certs() |
| 25 | 25 |
{
|
| 26 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 27 |
- $result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=? ORDER BY cn", array($uid));
|
|
| 28 |
- $ret = array(); |
|
| 29 |
- while ($i = $result->fetch()) |
|
| 30 |
- $ret[] = $i; |
|
| 31 |
- #DEBUG($ret); |
|
| 32 |
- return $ret; |
|
| 26 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 27 |
+ $result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=? ORDER BY cn", array($uid));
|
|
| 28 |
+ $ret = array(); |
|
| 29 |
+ while ($i = $result->fetch()) {
|
|
| 30 |
+ $ret[] = $i; |
|
| 31 |
+ } |
|
| 32 |
+ #DEBUG($ret); |
|
| 33 |
+ return $ret; |
|
| 33 | 34 |
} |
| 34 | 35 |
|
| 35 | 36 |
function user_csr() |
| 36 | 37 |
{
|
| 37 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 38 |
- $result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=? ORDER BY hostname", array($uid));
|
|
| 39 |
- $ret = array(); |
|
| 40 |
- while ($i = $result->fetch()) |
|
| 41 |
- $ret[] = $i; |
|
| 42 |
- #DEBUG($ret); |
|
| 43 |
- return $ret; |
|
| 38 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 39 |
+ $result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=? ORDER BY hostname", array($uid));
|
|
| 40 |
+ $ret = array(); |
|
| 41 |
+ while ($i = $result->fetch()) {
|
|
| 42 |
+ $ret[] = $i; |
|
| 43 |
+ } |
|
| 44 |
+ #DEBUG($ret); |
|
| 45 |
+ return $ret; |
|
| 44 | 46 |
} |
| 45 | 47 |
|
| 46 | 48 |
function user_has_manual_certs() |
| 47 | 49 |
{
|
| 48 |
- foreach (user_certs() as $c) {
|
|
| 49 |
- if (!cert_is_letsencrypt($c['id'])) {
|
|
| 50 |
- return true; |
|
| 50 |
+ foreach (user_certs() as $c) {
|
|
| 51 |
+ if (!cert_is_letsencrypt($c['id'])) {
|
|
| 52 |
+ return true; |
|
| 53 |
+ } |
|
| 54 |
+ } |
|
| 55 |
+ foreach (user_csr() as $c) {
|
|
| 56 |
+ return true; |
|
| 51 | 57 |
} |
| 52 |
- } |
|
| 53 |
- foreach (user_csr() as $c) {
|
|
| 54 |
- return true; |
|
| 55 |
- } |
|
| 56 | 58 |
} |
| 57 | 59 |
|
| 58 | 60 |
|
| 59 | 61 |
function cert_details($id) |
| 60 | 62 |
{
|
| 61 |
- $id = (int) $id; |
|
| 62 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 63 |
+ $id = (int) $id; |
|
| 64 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 63 | 65 |
|
| 64 |
- $result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, chain, cert, `key` FROM vhosts.certs WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 65 |
- if ($result->rowCount() != 1) |
|
| 66 |
- system_failure("Ungültiges Zertifikat #{$id}");
|
|
| 67 |
- return $result->fetch(); |
|
| 66 |
+ $result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, chain, cert, `key` FROM vhosts.certs WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 67 |
+ if ($result->rowCount() != 1) {
|
|
| 68 |
+ system_failure("Ungültiges Zertifikat #{$id}");
|
|
| 69 |
+ } |
|
| 70 |
+ return $result->fetch(); |
|
| 68 | 71 |
} |
| 69 | 72 |
|
| 70 | 73 |
function cert_is_letsencrypt($id) |
| 71 | 74 |
{
|
| 72 |
- $details = cert_details($id); |
|
| 73 |
- #DEBUG($details); |
|
| 74 |
- if (strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
|
|
| 75 |
- return true; |
|
| 76 |
- } |
|
| 77 |
- return false; |
|
| 75 |
+ $details = cert_details($id); |
|
| 76 |
+ #DEBUG($details); |
|
| 77 |
+ if (strpos($details['subject'], "Let's Encrypt autogenerated") > 0) {
|
|
| 78 |
+ return true; |
|
| 79 |
+ } |
|
| 80 |
+ return false; |
|
| 78 | 81 |
} |
| 79 | 82 |
|
| 80 | 83 |
|
| 81 | 84 |
function csr_details($id) |
| 82 | 85 |
{
|
| 83 |
- $id = (int) $id; |
|
| 84 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 86 |
+ $id = (int) $id; |
|
| 87 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 85 | 88 |
|
| 86 |
- $result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 87 |
- if ($result->rowCount() != 1) |
|
| 88 |
- system_failure("Ungültiger CSR");
|
|
| 89 |
- return $result->fetch(); |
|
| 89 |
+ $result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid=:uid AND id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 90 |
+ if ($result->rowCount() != 1) {
|
|
| 91 |
+ system_failure("Ungültiger CSR");
|
|
| 92 |
+ } |
|
| 93 |
+ return $result->fetch(); |
|
| 90 | 94 |
} |
| 91 | 95 |
|
| 92 | 96 |
|
| 93 | 97 |
function get_available_CAs() |
| 94 | 98 |
{
|
| 95 |
- $path = '/etc/apache2/certs/cabundle/'; |
|
| 96 |
- $ret = glob($path.'*.pem'); |
|
| 97 |
- if (! $ret) |
|
| 98 |
- system_failure("Konnte die CA-Zertifikate nicht laden");
|
|
| 99 |
- DEBUG($ret); |
|
| 100 |
- return $ret; |
|
| 99 |
+ $path = '/etc/apache2/certs/cabundle/'; |
|
| 100 |
+ $ret = glob($path.'*.pem'); |
|
| 101 |
+ if (! $ret) {
|
|
| 102 |
+ system_failure("Konnte die CA-Zertifikate nicht laden");
|
|
| 103 |
+ } |
|
| 104 |
+ DEBUG($ret); |
|
| 105 |
+ return $ret; |
|
| 101 | 106 |
} |
| 102 | 107 |
|
| 103 | 108 |
|
| 104 | 109 |
function get_chain($cert) |
| 105 | 110 |
{
|
| 106 |
- $certdata = openssl_x509_parse($cert, true); |
|
| 107 |
- if ($certdata === FALSE) {
|
|
| 108 |
- system_failure("Das Zertifikat konnte nicht gelesen werden");
|
|
| 109 |
- } |
|
| 110 |
- if (! isset($certdata['issuer']['CN'])) {
|
|
| 111 |
- return NULL; |
|
| 112 |
- } |
|
| 113 |
- $result = db_query("SELECT id FROM vhosts.certchain WHERE cn=?", array($certdata['issuer']['CN']));
|
|
| 114 |
- if ($result->rowCount() > 0) |
|
| 115 |
- {
|
|
| 116 |
- $c = $result->fetch(); |
|
| 117 |
- //$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem'; |
|
| 118 |
- DEBUG("identified fitting certificate chain #".$c['id']);
|
|
| 119 |
- return $c['id']; |
|
| 120 |
- } |
|
| 111 |
+ $certdata = openssl_x509_parse($cert, true); |
|
| 112 |
+ if ($certdata === false) {
|
|
| 113 |
+ system_failure("Das Zertifikat konnte nicht gelesen werden");
|
|
| 114 |
+ } |
|
| 115 |
+ if (! isset($certdata['issuer']['CN'])) {
|
|
| 116 |
+ return null; |
|
| 117 |
+ } |
|
| 118 |
+ $result = db_query("SELECT id FROM vhosts.certchain WHERE cn=?", array($certdata['issuer']['CN']));
|
|
| 119 |
+ if ($result->rowCount() > 0) {
|
|
| 120 |
+ $c = $result->fetch(); |
|
| 121 |
+ //$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem'; |
|
| 122 |
+ DEBUG("identified fitting certificate chain #".$c['id']);
|
|
| 123 |
+ return $c['id']; |
|
| 124 |
+ } |
|
| 121 | 125 |
} |
| 122 | 126 |
|
| 123 | 127 |
|
| 124 | 128 |
function validate_certificate($cert, $key) |
| 125 |
-{
|
|
| 126 |
- // Lade private key |
|
| 127 |
- $seckey = openssl_get_privatekey($key); |
|
| 128 |
- if ($seckey === FALSE) {
|
|
| 129 |
- system_failure("Der private Schlüssel konnte (ohne Passwort) nicht gelesen werden.");
|
|
| 130 |
- } |
|
| 131 |
- // Lade public key |
|
| 132 |
- $pubkey = openssl_get_publickey($cert); |
|
| 133 |
- if ($pubkey === FALSE) {
|
|
| 134 |
- system_failure("In dem eingetragenen Zertifikat wurde kein öffentlicher Schlüssel gefunden.");
|
|
| 135 |
- } |
|
| 136 |
- // Parse Details über den pubkey |
|
| 137 |
- $certinfo = openssl_pkey_get_details($pubkey); |
|
| 138 |
- DEBUG($certinfo); |
|
| 139 |
- if ($certinfo === FALSE) {
|
|
| 140 |
- system_failure("Der öffentliche Schlüssel des Zertifikats konnte nicht gelesen werden");
|
|
| 141 |
- } |
|
| 142 |
- |
|
| 143 |
- // Apache unterstützt nur Schlüssel vom Typ RSA oder DSA |
|
| 144 |
- if (! in_array($certinfo['type'], array(OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA))) {
|
|
| 145 |
- system_failure("Dieser Schlüssel nutzt einen nicht unterstützten Algorithmus.");
|
|
| 146 |
- } |
|
| 129 |
+{
|
|
| 130 |
+ // Lade private key |
|
| 131 |
+ $seckey = openssl_get_privatekey($key); |
|
| 132 |
+ if ($seckey === false) {
|
|
| 133 |
+ system_failure("Der private Schlüssel konnte (ohne Passwort) nicht gelesen werden.");
|
|
| 134 |
+ } |
|
| 135 |
+ // Lade public key |
|
| 136 |
+ $pubkey = openssl_get_publickey($cert); |
|
| 137 |
+ if ($pubkey === false) {
|
|
| 138 |
+ system_failure("In dem eingetragenen Zertifikat wurde kein öffentlicher Schlüssel gefunden.");
|
|
| 139 |
+ } |
|
| 140 |
+ // Parse Details über den pubkey |
|
| 141 |
+ $certinfo = openssl_pkey_get_details($pubkey); |
|
| 142 |
+ DEBUG($certinfo); |
|
| 143 |
+ if ($certinfo === false) {
|
|
| 144 |
+ system_failure("Der öffentliche Schlüssel des Zertifikats konnte nicht gelesen werden");
|
|
| 145 |
+ } |
|
| 146 |
+ |
|
| 147 |
+ // Apache unterstützt nur Schlüssel vom Typ RSA oder DSA |
|
| 148 |
+ if (! in_array($certinfo['type'], array(OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA))) {
|
|
| 149 |
+ system_failure("Dieser Schlüssel nutzt einen nicht unterstützten Algorithmus.");
|
|
| 150 |
+ } |
|
| 147 | 151 |
|
| 148 |
- // Bei ECC-Keys treten kürzere Schlüssellängen auf, die können wir aktuell aber sowieso nicht unterstützen |
|
| 149 |
- if ($certinfo['bits'] < 2048) {
|
|
| 150 |
- warning("Dieser Schlüssel hat eine sehr geringe Bitlänge und ist daher als nicht besonders sicher einzustufen!");
|
|
| 151 |
- } |
|
| 152 |
- |
|
| 153 |
- // Prüfe ob Key und Zertifikat zusammen passen |
|
| 154 |
- if (openssl_x509_check_private_key($cert, $key) !== true) |
|
| 155 |
- {
|
|
| 156 |
- DEBUG("Zertifikat und Key passen nicht zusammen: ".openssl_x509_check_private_key($cert, $key));
|
|
| 157 |
- return CERT_INVALID; |
|
| 158 |
- } |
|
| 159 |
- |
|
| 160 |
- $cacerts = array('/etc/ssl/certs');
|
|
| 161 |
- $chain = (int) get_chain($cert); |
|
| 162 |
- if ($chain) |
|
| 163 |
- {
|
|
| 164 |
- $result = db_query("SELECT content FROM vhosts.certchain WHERE id=?", array($chain));
|
|
| 165 |
- $tmp = $result->fetch(); |
|
| 166 |
- $chaincert = $tmp['content']; |
|
| 167 |
- $chainfile = tempnam(sys_get_temp_dir(), 'webinterface'); |
|
| 168 |
- $f = fopen($chainfile, "w"); |
|
| 169 |
- fwrite($f, $chaincert); |
|
| 170 |
- fclose($f); |
|
| 171 |
- $cacerts[] = $chainfile; |
|
| 172 |
- } |
|
| 173 |
- |
|
| 174 |
- $valid = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, $cacerts); |
|
| 175 |
- if ($chain) {
|
|
| 176 |
- unlink($chainfile); |
|
| 177 |
- } |
|
| 178 |
- if ($valid !== true) |
|
| 179 |
- {
|
|
| 180 |
- DEBUG('certificate was not validated as a server certificate with the available chain');
|
|
| 181 |
- return CERT_NOCHAIN; |
|
| 182 |
- } |
|
| 183 |
- |
|
| 184 |
- return CERT_OK; |
|
| 152 |
+ // Bei ECC-Keys treten kürzere Schlüssellängen auf, die können wir aktuell aber sowieso nicht unterstützen |
|
| 153 |
+ if ($certinfo['bits'] < 2048) {
|
|
| 154 |
+ warning("Dieser Schlüssel hat eine sehr geringe Bitlänge und ist daher als nicht besonders sicher einzustufen!");
|
|
| 155 |
+ } |
|
| 156 |
+ |
|
| 157 |
+ // Prüfe ob Key und Zertifikat zusammen passen |
|
| 158 |
+ if (openssl_x509_check_private_key($cert, $key) !== true) {
|
|
| 159 |
+ DEBUG("Zertifikat und Key passen nicht zusammen: ".openssl_x509_check_private_key($cert, $key));
|
|
| 160 |
+ return CERT_INVALID; |
|
| 161 |
+ } |
|
| 162 |
+ |
|
| 163 |
+ $cacerts = array('/etc/ssl/certs');
|
|
| 164 |
+ $chain = (int) get_chain($cert); |
|
| 165 |
+ if ($chain) {
|
|
| 166 |
+ $result = db_query("SELECT content FROM vhosts.certchain WHERE id=?", array($chain));
|
|
| 167 |
+ $tmp = $result->fetch(); |
|
| 168 |
+ $chaincert = $tmp['content']; |
|
| 169 |
+ $chainfile = tempnam(sys_get_temp_dir(), 'webinterface'); |
|
| 170 |
+ $f = fopen($chainfile, "w"); |
|
| 171 |
+ fwrite($f, $chaincert); |
|
| 172 |
+ fclose($f); |
|
| 173 |
+ $cacerts[] = $chainfile; |
|
| 174 |
+ } |
|
| 175 |
+ |
|
| 176 |
+ $valid = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, $cacerts); |
|
| 177 |
+ if ($chain) {
|
|
| 178 |
+ unlink($chainfile); |
|
| 179 |
+ } |
|
| 180 |
+ if ($valid !== true) {
|
|
| 181 |
+ DEBUG('certificate was not validated as a server certificate with the available chain');
|
|
| 182 |
+ return CERT_NOCHAIN; |
|
| 183 |
+ } |
|
| 184 |
+ |
|
| 185 |
+ return CERT_OK; |
|
| 185 | 186 |
} |
| 186 | 187 |
|
| 187 | 188 |
|
| 188 | 189 |
function parse_cert_details($cert) |
| 189 | 190 |
{
|
| 190 |
- $certdata = openssl_x509_parse($cert, true); |
|
| 191 |
- /* |
|
| 191 |
+ $certdata = openssl_x509_parse($cert, true); |
|
| 192 |
+ /* |
|
| 192 | 193 |
name => /CN=*.bwurst.org |
| 193 | 194 |
validFrom_time_t => 1204118790 |
| 194 | 195 |
validTo_time_t => 1267190790 |
| 195 | 196 |
|
| 196 | 197 |
|
| 197 |
- */ |
|
| 198 |
- DEBUG($certdata); |
|
| 199 |
- DEBUG("SAN: ".$certdata['extensions']['subjectAltName']);
|
|
| 200 |
- //return array('subject' => $certdata['name'], 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']));
|
|
| 201 |
- $issuer = $certdata['issuer']['CN']; |
|
| 202 |
- if (isset($certdata['issuer']['O'])) {
|
|
| 203 |
- $issuer = $certdata['issuer']['O']; |
|
| 204 |
- } |
|
| 205 |
- $san = array(); |
|
| 206 |
- $raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
|
| 207 |
- foreach ($raw_san as $name) {
|
|
| 208 |
- if (! substr($name, 0, 4) == 'DNS:') {
|
|
| 209 |
- warning('Unparsable SAN: '.$name);
|
|
| 210 |
- continue; |
|
| 198 |
+ */ |
|
| 199 |
+ DEBUG($certdata); |
|
| 200 |
+ DEBUG("SAN: ".$certdata['extensions']['subjectAltName']);
|
|
| 201 |
+ //return array('subject' => $certdata['name'], 'cn' => $certdata['subject']['CN'], 'valid_from' => date('Y-m-d', $certdata['validFrom_time_t']), 'valid_until' => date('Y-m-d', $certdata['validTo_time_t']));
|
|
| 202 |
+ $issuer = $certdata['issuer']['CN']; |
|
| 203 |
+ if (isset($certdata['issuer']['O'])) {
|
|
| 204 |
+ $issuer = $certdata['issuer']['O']; |
|
| 205 |
+ } |
|
| 206 |
+ $san = array(); |
|
| 207 |
+ $raw_san = explode(', ', $certdata['extensions']['subjectAltName']);
|
|
| 208 |
+ foreach ($raw_san as $name) {
|
|
| 209 |
+ if (! substr($name, 0, 4) == 'DNS:') {
|
|
| 210 |
+ warning('Unparsable SAN: '.$name);
|
|
| 211 |
+ continue; |