|
1
|
<?php
|
|
2
|
/* $Id$ */
|
|
3
|
/*
|
|
4
|
Copyright (C) 2008 Shrew Soft Inc
|
|
5
|
All rights reserved.
|
|
6
|
|
|
7
|
Redistribution and use in source and binary forms, with or without
|
|
8
|
modification, are permitted provided that the following conditions are met:
|
|
9
|
|
|
10
|
1. Redistributions of source code must retain the above copyright notice,
|
|
11
|
this list of conditions and the following disclaimer.
|
|
12
|
|
|
13
|
2. Redistributions in binary form must reproduce the above copyright
|
|
14
|
notice, this list of conditions and the following disclaimer in the
|
|
15
|
documentation and/or other materials provided with the distribution.
|
|
16
|
|
|
17
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
18
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
19
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
20
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
21
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
22
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
23
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
24
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
25
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
26
|
POSSIBILITY OF SUCH DAMAGE.
|
|
27
|
|
|
28
|
DISABLE_PHP_LINT_CHECKING
|
|
29
|
*/
|
|
30
|
|
|
31
|
require_once("functions.inc");
|
|
32
|
|
|
33
|
function & lookup_ca($refid) {
|
|
34
|
global $config;
|
|
35
|
|
|
36
|
if (is_array($config['system']['ca']))
|
|
37
|
foreach ($config['system']['ca'] as & $ca)
|
|
38
|
if ($ca['refid'] == $refid)
|
|
39
|
return $ca;
|
|
40
|
|
|
41
|
return false;
|
|
42
|
}
|
|
43
|
|
|
44
|
function & lookup_cert($refid) {
|
|
45
|
global $config;
|
|
46
|
|
|
47
|
if (is_array($config['system']['cert']))
|
|
48
|
foreach ($config['system']['cert'] as & $cert)
|
|
49
|
if ($cert['refid'] == $refid)
|
|
50
|
return $cert;
|
|
51
|
|
|
52
|
return false;
|
|
53
|
}
|
|
54
|
|
|
55
|
function ca_import(& $ca, $str) {
|
|
56
|
|
|
57
|
$ca['crt'] = base64_encode($str);
|
|
58
|
|
|
59
|
return true;
|
|
60
|
}
|
|
61
|
|
|
62
|
function ca_create(& $ca, $keylen, $lifetime, $dn) {
|
|
63
|
|
|
64
|
$args = array(
|
|
65
|
"digest_alg" => "sha1",
|
|
66
|
"private_key_bits" => $keylen,
|
|
67
|
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
|
68
|
"encrypt_key" => false);
|
|
69
|
|
|
70
|
// generate a new key pair
|
|
71
|
$res_key = openssl_pkey_new();
|
|
72
|
|
|
73
|
// generate a certificate signing request
|
|
74
|
$res_csr = openssl_csr_new($dn, $res_key, $args);
|
|
75
|
|
|
76
|
// self sign the certificate
|
|
77
|
$res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args);
|
|
78
|
|
|
79
|
// export our certificate data
|
|
80
|
openssl_pkey_export($res_key, $str_key);
|
|
81
|
openssl_x509_export($res_crt, $str_crt);
|
|
82
|
|
|
83
|
// return our ca information
|
|
84
|
$ca['crt'] = base64_encode($str_crt);
|
|
85
|
$ca['prv'] = base64_encode($str_key);
|
|
86
|
$ca['serial'] = 0;
|
|
87
|
|
|
88
|
return true;
|
|
89
|
}
|
|
90
|
|
|
91
|
function cert_import(& $cert, $crt_str, $key_str) {
|
|
92
|
|
|
93
|
$cert['crt'] = base64_encode($crt_str);
|
|
94
|
$cert['prv'] = base64_encode($key_str);
|
|
95
|
|
|
96
|
return true;
|
|
97
|
}
|
|
98
|
|
|
99
|
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
|
100
|
|
|
101
|
$ca =& lookup_ca($caref);
|
|
102
|
if (!$ca)
|
|
103
|
return false;
|
|
104
|
|
|
105
|
$ca_str_crt = base64_decode($ca['crt']);
|
|
106
|
$ca_str_key = base64_decode($ca['prv']);
|
|
107
|
$ca_res_crt = openssl_x509_read($ca_str_crt);
|
|
108
|
$ca_res_key = openssl_pkey_get_private($ca_str_key);
|
|
109
|
$ca_serial = $ca['serial']++;
|
|
110
|
|
|
111
|
$args = array(
|
|
112
|
"digest_alg" => "sha1",
|
|
113
|
"private_key_bits" => $keylen,
|
|
114
|
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
|
115
|
"encrypt_key" => false);
|
|
116
|
|
|
117
|
// generate a new key pair
|
|
118
|
$res_key = openssl_pkey_new();
|
|
119
|
|
|
120
|
// generate a certificate signing request
|
|
121
|
$res_csr = openssl_csr_new($dn, $res_key, $args);
|
|
122
|
|
|
123
|
// self sign the certificate
|
|
124
|
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
|
|
125
|
$args, $ca_serial);
|
|
126
|
|
|
127
|
// export our certificate data
|
|
128
|
openssl_pkey_export($res_key, $str_key);
|
|
129
|
openssl_x509_export($res_crt, $str_crt);
|
|
130
|
|
|
131
|
// return our certificate information
|
|
132
|
$cert['caref'] = $caref;
|
|
133
|
$cert['crt'] = base64_encode($str_crt);
|
|
134
|
$cert['prv'] = base64_encode($str_key);
|
|
135
|
|
|
136
|
return true;
|
|
137
|
}
|
|
138
|
|
|
139
|
function csr_generate(& $cert, $keylen, $dn) {
|
|
140
|
|
|
141
|
$args = array(
|
|
142
|
"digest_alg" => "sha1",
|
|
143
|
"private_key_bits" => $keylen,
|
|
144
|
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
|
145
|
"encrypt_key" => false);
|
|
146
|
|
|
147
|
// generate a new key pair
|
|
148
|
$res_key = openssl_pkey_new();
|
|
149
|
|
|
150
|
// generate a certificate signing request
|
|
151
|
$res_csr = openssl_csr_new($dn, $res_key, $args);
|
|
152
|
|
|
153
|
// export our request data
|
|
154
|
openssl_pkey_export($res_key, $str_key);
|
|
155
|
openssl_csr_export($res_csr, $str_csr);
|
|
156
|
|
|
157
|
// return our request information
|
|
158
|
$cert['csr'] = base64_encode($str_csr);
|
|
159
|
$cert['prv'] = base64_encode($str_key);
|
|
160
|
|
|
161
|
return true;
|
|
162
|
}
|
|
163
|
|
|
164
|
function csr_complete(& $cert, $str_crt) {
|
|
165
|
|
|
166
|
// return our request information
|
|
167
|
$cert['crt'] = base64_encode($str_crt);
|
|
168
|
unset($cert['csr']);
|
|
169
|
|
|
170
|
return true;
|
|
171
|
}
|
|
172
|
|
|
173
|
function csr_get_subject($str_crt, $decode = true) {
|
|
174
|
|
|
175
|
if ($decode)
|
|
176
|
$str_crt = base64_decode($str_crt);
|
|
177
|
|
|
178
|
$components = openssl_csr_get_subject($str_crt);
|
|
179
|
|
|
180
|
if (!is_array($components))
|
|
181
|
return "unknown";
|
|
182
|
|
|
183
|
foreach ($components as $a => $v) {
|
|
184
|
if (!strlen($subject))
|
|
185
|
$subject = "{$a}={$v}";
|
|
186
|
else
|
|
187
|
$subject = "{$a}={$v}, {$subject}";
|
|
188
|
}
|
|
189
|
|
|
190
|
return $subject;
|
|
191
|
}
|
|
192
|
|
|
193
|
function cert_get_subject($str_crt, $decode = true) {
|
|
194
|
|
|
195
|
if ($decode)
|
|
196
|
$str_crt = base64_decode($str_crt);
|
|
197
|
|
|
198
|
$inf_crt = openssl_x509_parse($str_crt);
|
|
199
|
$components = $inf_crt['subject'];
|
|
200
|
|
|
201
|
if (!is_array($components))
|
|
202
|
return "unknown";
|
|
203
|
|
|
204
|
foreach ($components as $a => $v) {
|
|
205
|
if (!strlen($subject))
|
|
206
|
$subject = "{$a}={$v}";
|
|
207
|
else
|
|
208
|
$subject = "{$a}={$v}, {$subject}";
|
|
209
|
}
|
|
210
|
|
|
211
|
return $subject;
|
|
212
|
}
|
|
213
|
|
|
214
|
function cert_get_subject_array($crt) {
|
|
215
|
$str_crt = base64_decode($crt);
|
|
216
|
$inf_crt = openssl_x509_parse($str_crt);
|
|
217
|
$components = $inf_crt['subject'];
|
|
218
|
$subject_array = array();
|
|
219
|
|
|
220
|
foreach($components as $a => $v)
|
|
221
|
$subject_array[] = array('a' => $a, 'v' => $v);
|
|
222
|
|
|
223
|
return $subject_array;
|
|
224
|
}
|
|
225
|
|
|
226
|
?>
|