Revision 6dc88d53
Added by Ermal Luçi almost 16 years ago
etc/inc/certs.inc | ||
1 |
<?php |
|
2 |
/* $Id$ */ |
|
3 |
/* |
|
4 |
Copyright (C) 2008 Shrew Soft Inc |
|
5 |
All rights reserved. |
|
6 |
|
|
7 |
Redistribution and use in source and binary forms, with or without |
|
8 |
modification, are permitted provided that the following conditions are met: |
|
9 |
|
|
10 |
1. Redistributions of source code must retain the above copyright notice, |
|
11 |
this list of conditions and the following disclaimer. |
|
12 |
|
|
13 |
2. Redistributions in binary form must reproduce the above copyright |
|
14 |
notice, this list of conditions and the following disclaimer in the |
|
15 |
documentation and/or other materials provided with the distribution. |
|
16 |
|
|
17 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
|
18 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY |
|
19 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
|
20 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, |
|
21 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
22 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
23 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
24 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
25 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
26 |
POSSIBILITY OF SUCH DAMAGE. |
|
27 |
|
|
28 |
DISABLE_PHP_LINT_CHECKING |
|
29 |
*/ |
|
30 |
|
|
31 |
require_once("functions.inc"); |
|
32 |
|
|
33 |
function & lookup_ca($refid) { |
|
34 |
global $config; |
|
35 |
|
|
36 |
if (is_array($config['system']['ca'])) |
|
37 |
foreach ($config['system']['ca'] as & $ca) |
|
38 |
if ($ca['refid'] == $refid) |
|
39 |
return $ca; |
|
40 |
|
|
41 |
return false; |
|
42 |
} |
|
43 |
|
|
44 |
function & lookup_cert($refid) { |
|
45 |
global $config; |
|
46 |
|
|
47 |
if (is_array($config['system']['cert'])) |
|
48 |
foreach ($config['system']['cert'] as & $cert) |
|
49 |
if ($cert['refid'] == $refid) |
|
50 |
return $cert; |
|
51 |
|
|
52 |
return false; |
|
53 |
} |
|
54 |
|
|
55 |
function ca_import(& $ca, $str) { |
|
56 |
|
|
57 |
$ca['crt'] = base64_encode($str); |
|
58 |
|
|
59 |
return true; |
|
60 |
} |
|
61 |
|
|
62 |
function ca_create(& $ca, $keylen, $lifetime, $dn) { |
|
63 |
|
|
64 |
$args = array( |
|
65 |
"digest_alg" => "sha1", |
|
66 |
"private_key_bits" => $keylen, |
|
67 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
68 |
"encrypt_key" => false); |
|
69 |
|
|
70 |
// generate a new key pair |
|
71 |
$res_key = openssl_pkey_new(); |
|
72 |
|
|
73 |
// generate a certificate signing request |
|
74 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
75 |
|
|
76 |
// self sign the certificate |
|
77 |
$res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); |
|
78 |
|
|
79 |
// export our certificate data |
|
80 |
openssl_pkey_export($res_key, $str_key); |
|
81 |
openssl_x509_export($res_crt, $str_crt); |
|
82 |
|
|
83 |
// return our ca information |
|
84 |
$ca['crt'] = base64_encode($str_crt); |
|
85 |
$ca['prv'] = base64_encode($str_key); |
|
86 |
$ca['serial'] = 0; |
|
87 |
|
|
88 |
return true; |
|
89 |
} |
|
90 |
|
|
91 |
function cert_import(& $cert, $crt_str, $key_str) { |
|
92 |
|
|
93 |
$cert['crt'] = base64_encode($crt_str); |
|
94 |
$cert['prv'] = base64_encode($key_str); |
|
95 |
|
|
96 |
return true; |
|
97 |
} |
|
98 |
|
|
99 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) { |
|
100 |
|
|
101 |
$ca =& lookup_ca($caref); |
|
102 |
if (!$ca) |
|
103 |
return false; |
|
104 |
|
|
105 |
$ca_str_crt = base64_decode($ca['crt']); |
|
106 |
$ca_str_key = base64_decode($ca['prv']); |
|
107 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
108 |
$ca_res_key = openssl_pkey_get_private($ca_str_key); |
|
109 |
$ca_serial = $ca['serial']++; |
|
110 |
|
|
111 |
$args = array( |
|
112 |
"digest_alg" => "sha1", |
|
113 |
"private_key_bits" => $keylen, |
|
114 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
115 |
"encrypt_key" => false); |
|
116 |
|
|
117 |
// generate a new key pair |
|
118 |
$res_key = openssl_pkey_new(); |
|
119 |
|
|
120 |
// generate a certificate signing request |
|
121 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
122 |
|
|
123 |
// self sign the certificate |
|
124 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
|
125 |
$args, $ca_serial); |
|
126 |
|
|
127 |
// export our certificate data |
|
128 |
openssl_pkey_export($res_key, $str_key); |
|
129 |
openssl_x509_export($res_crt, $str_crt); |
|
130 |
|
|
131 |
// return our certificate information |
|
132 |
$cert['caref'] = $caref; |
|
133 |
$cert['crt'] = base64_encode($str_crt); |
|
134 |
$cert['prv'] = base64_encode($str_key); |
|
135 |
|
|
136 |
return true; |
|
137 |
} |
|
138 |
|
|
139 |
function csr_generate(& $cert, $keylen, $dn) { |
|
140 |
|
|
141 |
$args = array( |
|
142 |
"digest_alg" => "sha1", |
|
143 |
"private_key_bits" => $keylen, |
|
144 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
145 |
"encrypt_key" => false); |
|
146 |
|
|
147 |
// generate a new key pair |
|
148 |
$res_key = openssl_pkey_new(); |
|
149 |
|
|
150 |
// generate a certificate signing request |
|
151 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
152 |
|
|
153 |
// export our request data |
|
154 |
openssl_pkey_export($res_key, $str_key); |
|
155 |
openssl_csr_export($res_csr, $str_csr); |
|
156 |
|
|
157 |
// return our request information |
|
158 |
$cert['csr'] = base64_encode($str_csr); |
|
159 |
$cert['prv'] = base64_encode($str_key); |
|
160 |
|
|
161 |
return true; |
|
162 |
} |
|
163 |
|
|
164 |
function csr_complete(& $cert, $str_crt) { |
|
165 |
|
|
166 |
// return our request information |
|
167 |
$cert['crt'] = base64_encode($str_crt); |
|
168 |
unset($cert['csr']); |
|
169 |
|
|
170 |
return true; |
|
171 |
} |
|
172 |
|
|
173 |
function csr_get_subject($str_crt, $decode = true) { |
|
174 |
|
|
175 |
if ($decode) |
|
176 |
$str_crt = base64_decode($str_crt); |
|
177 |
|
|
178 |
$components = openssl_csr_get_subject($str_crt); |
|
179 |
|
|
180 |
if (!is_array($components)) |
|
181 |
return "unknown"; |
|
182 |
|
|
183 |
foreach ($components as $a => $v) { |
|
184 |
if (!strlen($subject)) |
|
185 |
$subject = "{$a}={$v}"; |
|
186 |
else |
|
187 |
$subject = "{$a}={$v}, {$subject}"; |
|
188 |
} |
|
189 |
|
|
190 |
return $subject; |
|
191 |
} |
|
192 |
|
|
193 |
function cert_get_subject($str_crt, $decode = true) { |
|
194 |
|
|
195 |
if ($decode) |
|
196 |
$str_crt = base64_decode($str_crt); |
|
197 |
|
|
198 |
$inf_crt = openssl_x509_parse($str_crt); |
|
199 |
$components = $inf_crt['subject']; |
|
200 |
|
|
201 |
if (!is_array($components)) |
|
202 |
return "unknown"; |
|
203 |
|
|
204 |
foreach ($components as $a => $v) { |
|
205 |
if (!strlen($subject)) |
|
206 |
$subject = "{$a}={$v}"; |
|
207 |
else |
|
208 |
$subject = "{$a}={$v}, {$subject}"; |
|
209 |
} |
|
210 |
|
|
211 |
return $subject; |
|
212 |
} |
|
213 |
|
|
214 |
function cert_get_subject_array($crt) { |
|
215 |
$str_crt = base64_decode($crt); |
|
216 |
$inf_crt = openssl_x509_parse($str_crt); |
|
217 |
$components = $inf_crt['subject']; |
|
218 |
$subject_array = array(); |
|
219 |
|
|
220 |
foreach($components as $a => $v) |
|
221 |
$subject_array[] = array('a' => $a, 'v' => $v); |
|
222 |
|
|
223 |
return $subject_array; |
|
224 |
} |
|
225 |
|
|
226 |
?> |
|
1 |
<?php |
|
2 |
/* $Id$ */ |
|
3 |
/* |
|
4 |
Copyright (C) 2008 Shrew Soft Inc |
|
5 |
All rights reserved. |
|
6 |
|
|
7 |
Redistribution and use in source and binary forms, with or without |
|
8 |
modification, are permitted provided that the following conditions are met: |
|
9 |
|
|
10 |
1. Redistributions of source code must retain the above copyright notice, |
|
11 |
this list of conditions and the following disclaimer. |
|
12 |
|
|
13 |
2. Redistributions in binary form must reproduce the above copyright |
|
14 |
notice, this list of conditions and the following disclaimer in the |
|
15 |
documentation and/or other materials provided with the distribution. |
|
16 |
|
|
17 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
|
18 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY |
|
19 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
|
20 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, |
|
21 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
22 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
23 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
24 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
25 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
26 |
POSSIBILITY OF SUCH DAMAGE. |
|
27 |
|
|
28 |
DISABLE_PHP_LINT_CHECKING |
|
29 |
*/ |
|
30 |
|
|
31 |
function & lookup_ca($refid) { |
|
32 |
global $config; |
|
33 |
|
|
34 |
if (is_array($config['system']['ca'])) |
|
35 |
foreach ($config['system']['ca'] as & $ca) |
|
36 |
if ($ca['refid'] == $refid) |
|
37 |
return $ca; |
|
38 |
|
|
39 |
return false; |
|
40 |
} |
|
41 |
|
|
42 |
function & lookup_cert($refid) { |
|
43 |
global $config; |
|
44 |
|
|
45 |
if (is_array($config['system']['cert'])) |
|
46 |
foreach ($config['system']['cert'] as & $cert) |
|
47 |
if ($cert['refid'] == $refid) |
|
48 |
return $cert; |
|
49 |
|
|
50 |
return false; |
|
51 |
} |
|
52 |
|
|
53 |
function ca_import(& $ca, $str) { |
|
54 |
|
|
55 |
$ca['crt'] = base64_encode($str); |
|
56 |
|
|
57 |
return true; |
|
58 |
} |
|
59 |
|
|
60 |
function ca_create(& $ca, $keylen, $lifetime, $dn) { |
|
61 |
|
|
62 |
$args = array( |
|
63 |
"digest_alg" => "sha1", |
|
64 |
"private_key_bits" => $keylen, |
|
65 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
66 |
"encrypt_key" => false); |
|
67 |
|
|
68 |
// generate a new key pair |
|
69 |
$res_key = openssl_pkey_new(); |
|
70 |
|
|
71 |
// generate a certificate signing request |
|
72 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
73 |
|
|
74 |
// self sign the certificate |
|
75 |
$res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); |
|
76 |
|
|
77 |
// export our certificate data |
|
78 |
openssl_pkey_export($res_key, $str_key); |
|
79 |
openssl_x509_export($res_crt, $str_crt); |
|
80 |
|
|
81 |
// return our ca information |
|
82 |
$ca['crt'] = base64_encode($str_crt); |
|
83 |
$ca['prv'] = base64_encode($str_key); |
|
84 |
$ca['serial'] = 0; |
|
85 |
|
|
86 |
return true; |
|
87 |
} |
|
88 |
|
|
89 |
function cert_import(& $cert, $crt_str, $key_str) { |
|
90 |
|
|
91 |
$cert['crt'] = base64_encode($crt_str); |
|
92 |
$cert['prv'] = base64_encode($key_str); |
|
93 |
|
|
94 |
return true; |
|
95 |
} |
|
96 |
|
|
97 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) { |
|
98 |
|
|
99 |
$ca =& lookup_ca($caref); |
|
100 |
if (!$ca) |
|
101 |
return false; |
|
102 |
|
|
103 |
$ca_str_crt = base64_decode($ca['crt']); |
|
104 |
$ca_str_key = base64_decode($ca['prv']); |
|
105 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
106 |
$ca_res_key = openssl_pkey_get_private($ca_str_key); |
|
107 |
$ca_serial = $ca['serial']++; |
|
108 |
|
|
109 |
$args = array( |
|
110 |
"digest_alg" => "sha1", |
|
111 |
"private_key_bits" => $keylen, |
|
112 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
113 |
"encrypt_key" => false); |
|
114 |
|
|
115 |
// generate a new key pair |
|
116 |
$res_key = openssl_pkey_new(); |
|
117 |
|
|
118 |
// generate a certificate signing request |
|
119 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
120 |
|
|
121 |
// self sign the certificate |
|
122 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
|
123 |
$args, $ca_serial); |
|
124 |
|
|
125 |
// export our certificate data |
|
126 |
openssl_pkey_export($res_key, $str_key); |
|
127 |
openssl_x509_export($res_crt, $str_crt); |
|
128 |
|
|
129 |
// return our certificate information |
|
130 |
$cert['caref'] = $caref; |
|
131 |
$cert['crt'] = base64_encode($str_crt); |
|
132 |
$cert['prv'] = base64_encode($str_key); |
|
133 |
|
|
134 |
return true; |
|
135 |
} |
|
136 |
|
|
137 |
function csr_generate(& $cert, $keylen, $dn) { |
|
138 |
|
|
139 |
$args = array( |
|
140 |
"digest_alg" => "sha1", |
|
141 |
"private_key_bits" => $keylen, |
|
142 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
143 |
"encrypt_key" => false); |
|
144 |
|
|
145 |
// generate a new key pair |
|
146 |
$res_key = openssl_pkey_new(); |
|
147 |
|
|
148 |
// generate a certificate signing request |
|
149 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
150 |
|
|
151 |
// export our request data |
|
152 |
openssl_pkey_export($res_key, $str_key); |
|
153 |
openssl_csr_export($res_csr, $str_csr); |
|
154 |
|
|
155 |
// return our request information |
|
156 |
$cert['csr'] = base64_encode($str_csr); |
|
157 |
$cert['prv'] = base64_encode($str_key); |
|
158 |
|
|
159 |
return true; |
|
160 |
} |
|
161 |
|
|
162 |
function csr_complete(& $cert, $str_crt) { |
|
163 |
|
|
164 |
// return our request information |
|
165 |
$cert['crt'] = base64_encode($str_crt); |
|
166 |
unset($cert['csr']); |
|
167 |
|
|
168 |
return true; |
|
169 |
} |
|
170 |
|
|
171 |
function csr_get_subject($str_crt, $decode = true) { |
|
172 |
|
|
173 |
if ($decode) |
|
174 |
$str_crt = base64_decode($str_crt); |
|
175 |
|
|
176 |
$components = openssl_csr_get_subject($str_crt); |
|
177 |
|
|
178 |
if (!is_array($components)) |
|
179 |
return "unknown"; |
|
180 |
|
|
181 |
foreach ($components as $a => $v) { |
|
182 |
if (!strlen($subject)) |
|
183 |
$subject = "{$a}={$v}"; |
|
184 |
else |
|
185 |
$subject = "{$a}={$v}, {$subject}"; |
|
186 |
} |
|
187 |
|
|
188 |
return $subject; |
|
189 |
} |
|
190 |
|
|
191 |
function cert_get_subject($str_crt, $decode = true) { |
|
192 |
|
|
193 |
if ($decode) |
|
194 |
$str_crt = base64_decode($str_crt); |
|
195 |
|
|
196 |
$inf_crt = openssl_x509_parse($str_crt); |
|
197 |
$components = $inf_crt['subject']; |
|
198 |
|
|
199 |
if (!is_array($components)) |
|
200 |
return "unknown"; |
|
201 |
|
|
202 |
foreach ($components as $a => $v) { |
|
203 |
if (!strlen($subject)) |
|
204 |
$subject = "{$a}={$v}"; |
|
205 |
else |
|
206 |
$subject = "{$a}={$v}, {$subject}"; |
|
207 |
} |
|
208 |
|
|
209 |
return $subject; |
|
210 |
} |
|
211 |
|
|
212 |
function cert_get_subject_array($crt) { |
|
213 |
$str_crt = base64_decode($crt); |
|
214 |
$inf_crt = openssl_x509_parse($str_crt); |
|
215 |
$components = $inf_crt['subject']; |
|
216 |
$subject_array = array(); |
|
217 |
|
|
218 |
foreach($components as $a => $v) |
|
219 |
$subject_array[] = array('a' => $a, 'v' => $v); |
|
220 |
|
|
221 |
return $subject_array; |
|
222 |
} |
|
223 |
|
|
224 |
?> |
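Review bot: In ca_create, cert_create and csr_generate the key pair is built with `$res_key = openssl_pkey_new();` — without `$args` — so `"private_key_bits" => $keylen` is never applied and every key comes out at the OpenSSL/php.ini default size instead of the length the caller requested; the following `openssl_csr_new($dn, $res_key, $args)` only honours those options when it has to generate a key itself, and here it is handed one. The fix is the same single line in all three functions: `$res_key = openssl_pkey_new($args);`. Separately, none of the openssl_* return values are checked, so a failed `openssl_csr_sign` or export still lets the function return true and store an empty or bogus `crt`/`prv` in the config; a guard such as `if ($res_crt === false) return false;` after each sign/export step would surface the failure to callers. This code is identical in both listings; the only difference I can see is the dropped `require_once("functions.inc")`, which I take to be the new side.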
NOTE: More work remains before pkg-utils.inc can be removed as a dependency of the backend.