Revision 6dc88d53
Added by Ermal Luçi almost 16 years ago
| etc/inc/certs.inc | ||
|---|---|---|
| 1 |
<?php |
|
| 2 |
/* $Id$ */ |
|
| 3 |
/* |
|
| 4 |
Copyright (C) 2008 Shrew Soft Inc |
|
| 5 |
All rights reserved. |
|
| 6 |
|
|
| 7 |
Redistribution and use in source and binary forms, with or without |
|
| 8 |
modification, are permitted provided that the following conditions are met: |
|
| 9 |
|
|
| 10 |
1. Redistributions of source code must retain the above copyright notice, |
|
| 11 |
this list of conditions and the following disclaimer. |
|
| 12 |
|
|
| 13 |
2. Redistributions in binary form must reproduce the above copyright |
|
| 14 |
notice, this list of conditions and the following disclaimer in the |
|
| 15 |
documentation and/or other materials provided with the distribution. |
|
| 16 |
|
|
| 17 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
|
| 18 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY |
|
| 19 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
|
| 20 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, |
|
| 21 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
| 22 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
| 23 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
| 24 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
| 25 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
| 26 |
POSSIBILITY OF SUCH DAMAGE. |
|
| 27 |
|
|
| 28 |
DISABLE_PHP_LINT_CHECKING |
|
| 29 |
*/ |
|
| 30 |
|
|
| 31 |
require_once("functions.inc");
|
|
| 32 |
|
|
| 33 |
function & lookup_ca($refid) {
|
|
| 34 |
global $config; |
|
| 35 |
|
|
| 36 |
if (is_array($config['system']['ca'])) |
|
| 37 |
foreach ($config['system']['ca'] as & $ca) |
|
| 38 |
if ($ca['refid'] == $refid) |
|
| 39 |
return $ca; |
|
| 40 |
|
|
| 41 |
return false; |
|
| 42 |
} |
|
| 43 |
|
|
| 44 |
function & lookup_cert($refid) {
|
|
| 45 |
global $config; |
|
| 46 |
|
|
| 47 |
if (is_array($config['system']['cert'])) |
|
| 48 |
foreach ($config['system']['cert'] as & $cert) |
|
| 49 |
if ($cert['refid'] == $refid) |
|
| 50 |
return $cert; |
|
| 51 |
|
|
| 52 |
return false; |
|
| 53 |
} |
|
| 54 |
|
|
| 55 |
function ca_import(& $ca, $str) {
|
|
| 56 |
|
|
| 57 |
$ca['crt'] = base64_encode($str); |
|
| 58 |
|
|
| 59 |
return true; |
|
| 60 |
} |
|
| 61 |
|
|
| 62 |
function ca_create(& $ca, $keylen, $lifetime, $dn) {
|
|
| 63 |
|
|
| 64 |
$args = array( |
|
| 65 |
"digest_alg" => "sha1", |
|
| 66 |
"private_key_bits" => $keylen, |
|
| 67 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 68 |
"encrypt_key" => false); |
|
| 69 |
|
|
| 70 |
// generate a new key pair |
|
| 71 |
$res_key = openssl_pkey_new(); |
|
| 72 |
|
|
| 73 |
// generate a certificate signing request |
|
| 74 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 75 |
|
|
| 76 |
// self sign the certificate |
|
| 77 |
$res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); |
|
| 78 |
|
|
| 79 |
// export our certificate data |
|
| 80 |
openssl_pkey_export($res_key, $str_key); |
|
| 81 |
openssl_x509_export($res_crt, $str_crt); |
|
| 82 |
|
|
| 83 |
// return our ca information |
|
| 84 |
$ca['crt'] = base64_encode($str_crt); |
|
| 85 |
$ca['prv'] = base64_encode($str_key); |
|
| 86 |
$ca['serial'] = 0; |
|
| 87 |
|
|
| 88 |
return true; |
|
| 89 |
} |
|
| 90 |
|
|
| 91 |
function cert_import(& $cert, $crt_str, $key_str) {
|
|
| 92 |
|
|
| 93 |
$cert['crt'] = base64_encode($crt_str); |
|
| 94 |
$cert['prv'] = base64_encode($key_str); |
|
| 95 |
|
|
| 96 |
return true; |
|
| 97 |
} |
|
| 98 |
|
|
| 99 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
|
| 100 |
|
|
| 101 |
$ca =& lookup_ca($caref); |
|
| 102 |
if (!$ca) |
|
| 103 |
return false; |
|
| 104 |
|
|
| 105 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 106 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 107 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 108 |
$ca_res_key = openssl_pkey_get_private($ca_str_key); |
|
| 109 |
$ca_serial = $ca['serial']++; |
|
| 110 |
|
|
| 111 |
$args = array( |
|
| 112 |
"digest_alg" => "sha1", |
|
| 113 |
"private_key_bits" => $keylen, |
|
| 114 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 115 |
"encrypt_key" => false); |
|
| 116 |
|
|
| 117 |
// generate a new key pair |
|
| 118 |
$res_key = openssl_pkey_new(); |
|
| 119 |
|
|
| 120 |
// generate a certificate signing request |
|
| 121 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 122 |
|
|
| 123 |
// self sign the certificate |
|
| 124 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
|
| 125 |
$args, $ca_serial); |
|
| 126 |
|
|
| 127 |
// export our certificate data |
|
| 128 |
openssl_pkey_export($res_key, $str_key); |
|
| 129 |
openssl_x509_export($res_crt, $str_crt); |
|
| 130 |
|
|
| 131 |
// return our certificate information |
|
| 132 |
$cert['caref'] = $caref; |
|
| 133 |
$cert['crt'] = base64_encode($str_crt); |
|
| 134 |
$cert['prv'] = base64_encode($str_key); |
|
| 135 |
|
|
| 136 |
return true; |
|
| 137 |
} |
|
| 138 |
|
|
| 139 |
function csr_generate(& $cert, $keylen, $dn) {
|
|
| 140 |
|
|
| 141 |
$args = array( |
|
| 142 |
"digest_alg" => "sha1", |
|
| 143 |
"private_key_bits" => $keylen, |
|
| 144 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 145 |
"encrypt_key" => false); |
|
| 146 |
|
|
| 147 |
// generate a new key pair |
|
| 148 |
$res_key = openssl_pkey_new(); |
|
| 149 |
|
|
| 150 |
// generate a certificate signing request |
|
| 151 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 152 |
|
|
| 153 |
// export our request data |
|
| 154 |
openssl_pkey_export($res_key, $str_key); |
|
| 155 |
openssl_csr_export($res_csr, $str_csr); |
|
| 156 |
|
|
| 157 |
// return our request information |
|
| 158 |
$cert['csr'] = base64_encode($str_csr); |
|
| 159 |
$cert['prv'] = base64_encode($str_key); |
|
| 160 |
|
|
| 161 |
return true; |
|
| 162 |
} |
|
| 163 |
|
|
| 164 |
function csr_complete(& $cert, $str_crt) {
|
|
| 165 |
|
|
| 166 |
// return our request information |
|
| 167 |
$cert['crt'] = base64_encode($str_crt); |
|
| 168 |
unset($cert['csr']); |
|
| 169 |
|
|
| 170 |
return true; |
|
| 171 |
} |
|
| 172 |
|
|
| 173 |
function csr_get_subject($str_crt, $decode = true) {
|
|
| 174 |
|
|
| 175 |
if ($decode) |
|
| 176 |
$str_crt = base64_decode($str_crt); |
|
| 177 |
|
|
| 178 |
$components = openssl_csr_get_subject($str_crt); |
|
| 179 |
|
|
| 180 |
if (!is_array($components)) |
|
| 181 |
return "unknown"; |
|
| 182 |
|
|
| 183 |
foreach ($components as $a => $v) {
|
|
| 184 |
if (!strlen($subject)) |
|
| 185 |
$subject = "{$a}={$v}";
|
|
| 186 |
else |
|
| 187 |
$subject = "{$a}={$v}, {$subject}";
|
|
| 188 |
} |
|
| 189 |
|
|
| 190 |
return $subject; |
|
| 191 |
} |
|
| 192 |
|
|
| 193 |
function cert_get_subject($str_crt, $decode = true) {
|
|
| 194 |
|
|
| 195 |
if ($decode) |
|
| 196 |
$str_crt = base64_decode($str_crt); |
|
| 197 |
|
|
| 198 |
$inf_crt = openssl_x509_parse($str_crt); |
|
| 199 |
$components = $inf_crt['subject']; |
|
| 200 |
|
|
| 201 |
if (!is_array($components)) |
|
| 202 |
return "unknown"; |
|
| 203 |
|
|
| 204 |
foreach ($components as $a => $v) {
|
|
| 205 |
if (!strlen($subject)) |
|
| 206 |
$subject = "{$a}={$v}";
|
|
| 207 |
else |
|
| 208 |
$subject = "{$a}={$v}, {$subject}";
|
|
| 209 |
} |
|
| 210 |
|
|
| 211 |
return $subject; |
|
| 212 |
} |
|
| 213 |
|
|
| 214 |
function cert_get_subject_array($crt) {
|
|
| 215 |
$str_crt = base64_decode($crt); |
|
| 216 |
$inf_crt = openssl_x509_parse($str_crt); |
|
| 217 |
$components = $inf_crt['subject']; |
|
| 218 |
$subject_array = array(); |
|
| 219 |
|
|
| 220 |
foreach($components as $a => $v) |
|
| 221 |
$subject_array[] = array('a' => $a, 'v' => $v);
|
|
| 222 |
|
|
| 223 |
return $subject_array; |
|
| 224 |
} |
|
| 225 |
|
|
| 226 |
?> |
|
| 1 |
<?php |
|
| 2 |
/* $Id$ */ |
|
| 3 |
/* |
|
| 4 |
Copyright (C) 2008 Shrew Soft Inc |
|
| 5 |
All rights reserved. |
|
| 6 |
|
|
| 7 |
Redistribution and use in source and binary forms, with or without |
|
| 8 |
modification, are permitted provided that the following conditions are met: |
|
| 9 |
|
|
| 10 |
1. Redistributions of source code must retain the above copyright notice, |
|
| 11 |
this list of conditions and the following disclaimer. |
|
| 12 |
|
|
| 13 |
2. Redistributions in binary form must reproduce the above copyright |
|
| 14 |
notice, this list of conditions and the following disclaimer in the |
|
| 15 |
documentation and/or other materials provided with the distribution. |
|
| 16 |
|
|
| 17 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
|
| 18 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY |
|
| 19 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
|
| 20 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, |
|
| 21 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
| 22 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
| 23 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
| 24 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
| 25 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
| 26 |
POSSIBILITY OF SUCH DAMAGE. |
|
| 27 |
|
|
| 28 |
DISABLE_PHP_LINT_CHECKING |
|
| 29 |
*/ |
|
| 30 |
|
|
| 31 |
function & lookup_ca($refid) {
|
|
| 32 |
global $config; |
|
| 33 |
|
|
| 34 |
if (is_array($config['system']['ca'])) |
|
| 35 |
foreach ($config['system']['ca'] as & $ca) |
|
| 36 |
if ($ca['refid'] == $refid) |
|
| 37 |
return $ca; |
|
| 38 |
|
|
| 39 |
return false; |
|
| 40 |
} |
|
| 41 |
|
|
| 42 |
function & lookup_cert($refid) {
|
|
| 43 |
global $config; |
|
| 44 |
|
|
| 45 |
if (is_array($config['system']['cert'])) |
|
| 46 |
foreach ($config['system']['cert'] as & $cert) |
|
| 47 |
if ($cert['refid'] == $refid) |
|
| 48 |
return $cert; |
|
| 49 |
|
|
| 50 |
return false; |
|
| 51 |
} |
|
| 52 |
|
|
| 53 |
function ca_import(& $ca, $str) {
|
|
| 54 |
|
|
| 55 |
$ca['crt'] = base64_encode($str); |
|
| 56 |
|
|
| 57 |
return true; |
|
| 58 |
} |
|
| 59 |
|
|
| 60 |
function ca_create(& $ca, $keylen, $lifetime, $dn) {
|
|
| 61 |
|
|
| 62 |
$args = array( |
|
| 63 |
"digest_alg" => "sha1", |
|
| 64 |
"private_key_bits" => $keylen, |
|
| 65 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 66 |
"encrypt_key" => false); |
|
| 67 |
|
|
| 68 |
// generate a new key pair |
|
| 69 |
$res_key = openssl_pkey_new(); |
|
| 70 |
|
|
| 71 |
// generate a certificate signing request |
|
| 72 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 73 |
|
|
| 74 |
// self sign the certificate |
|
| 75 |
$res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); |
|
| 76 |
|
|
| 77 |
// export our certificate data |
|
| 78 |
openssl_pkey_export($res_key, $str_key); |
|
| 79 |
openssl_x509_export($res_crt, $str_crt); |
|
| 80 |
|
|
| 81 |
// return our ca information |
|
| 82 |
$ca['crt'] = base64_encode($str_crt); |
|
| 83 |
$ca['prv'] = base64_encode($str_key); |
|
| 84 |
$ca['serial'] = 0; |
|
| 85 |
|
|
| 86 |
return true; |
|
| 87 |
} |
|
| 88 |
|
|
| 89 |
function cert_import(& $cert, $crt_str, $key_str) {
|
|
| 90 |
|
|
| 91 |
$cert['crt'] = base64_encode($crt_str); |
|
| 92 |
$cert['prv'] = base64_encode($key_str); |
|
| 93 |
|
|
| 94 |
return true; |
|
| 95 |
} |
|
| 96 |
|
|
| 97 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
|
|
| 98 |
|
|
| 99 |
$ca =& lookup_ca($caref); |
|
| 100 |
if (!$ca) |
|
| 101 |
return false; |
|
| 102 |
|
|
| 103 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 104 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 105 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 106 |
$ca_res_key = openssl_pkey_get_private($ca_str_key); |
|
| 107 |
$ca_serial = $ca['serial']++; |
|
| 108 |
|
|
| 109 |
$args = array( |
|
| 110 |
"digest_alg" => "sha1", |
|
| 111 |
"private_key_bits" => $keylen, |
|
| 112 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 113 |
"encrypt_key" => false); |
|
| 114 |
|
|
| 115 |
// generate a new key pair |
|
| 116 |
$res_key = openssl_pkey_new(); |
|
| 117 |
|
|
| 118 |
// generate a certificate signing request |
|
| 119 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 120 |
|
|
| 121 |
// self sign the certificate |
|
| 122 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
|
| 123 |
$args, $ca_serial); |
|
| 124 |
|
|
| 125 |
// export our certificate data |
|
| 126 |
openssl_pkey_export($res_key, $str_key); |
|
| 127 |
openssl_x509_export($res_crt, $str_crt); |
|
| 128 |
|
|
| 129 |
// return our certificate information |
|
| 130 |
$cert['caref'] = $caref; |
|
| 131 |
$cert['crt'] = base64_encode($str_crt); |
|
| 132 |
$cert['prv'] = base64_encode($str_key); |
|
| 133 |
|
|
| 134 |
return true; |
|
| 135 |
} |
|
| 136 |
|
|
| 137 |
function csr_generate(& $cert, $keylen, $dn) {
|
|
| 138 |
|
|
| 139 |
$args = array( |
|
| 140 |
"digest_alg" => "sha1", |
|
| 141 |
"private_key_bits" => $keylen, |
|
| 142 |
"private_key_type" => OPENSSL_KEYTYPE_RSA, |
|
| 143 |
"encrypt_key" => false); |
|
| 144 |
|
|
| 145 |
// generate a new key pair |
|
| 146 |
$res_key = openssl_pkey_new(); |
|
| 147 |
|
|
| 148 |
// generate a certificate signing request |
|
| 149 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
|
| 150 |
|
|
| 151 |
// export our request data |
|
| 152 |
openssl_pkey_export($res_key, $str_key); |
|
| 153 |
openssl_csr_export($res_csr, $str_csr); |
|
| 154 |
|
|
| 155 |
// return our request information |
|
| 156 |
$cert['csr'] = base64_encode($str_csr); |
|
| 157 |
$cert['prv'] = base64_encode($str_key); |
|
| 158 |
|
|
| 159 |
return true; |
|
| 160 |
} |
|
| 161 |
|
|
| 162 |
function csr_complete(& $cert, $str_crt) {
|
|
| 163 |
|
|
| 164 |
// return our request information |
|
| 165 |
$cert['crt'] = base64_encode($str_crt); |
|
| 166 |
unset($cert['csr']); |
|
| 167 |
|
|
| 168 |
return true; |
|
| 169 |
} |
|
| 170 |
|
|
| 171 |
function csr_get_subject($str_crt, $decode = true) {
|
|
| 172 |
|
|
| 173 |
if ($decode) |
|
| 174 |
$str_crt = base64_decode($str_crt); |
|
| 175 |
|
|
| 176 |
$components = openssl_csr_get_subject($str_crt); |
|
| 177 |
|
|
| 178 |
if (!is_array($components)) |
|
| 179 |
return "unknown"; |
|
| 180 |
|
|
| 181 |
foreach ($components as $a => $v) {
|
|
| 182 |
if (!strlen($subject)) |
|
| 183 |
$subject = "{$a}={$v}";
|
|
| 184 |
else |
|
| 185 |
$subject = "{$a}={$v}, {$subject}";
|
|
| 186 |
} |
|
| 187 |
|
|
| 188 |
return $subject; |
|
| 189 |
} |
|
| 190 |
|
|
| 191 |
function cert_get_subject($str_crt, $decode = true) {
|
|
| 192 |
|
|
| 193 |
if ($decode) |
|
| 194 |
$str_crt = base64_decode($str_crt); |
|
| 195 |
|
|
| 196 |
$inf_crt = openssl_x509_parse($str_crt); |
|
| 197 |
$components = $inf_crt['subject']; |
|
| 198 |
|
|
| 199 |
if (!is_array($components)) |
|
| 200 |
return "unknown"; |
|
| 201 |
|
|
| 202 |
foreach ($components as $a => $v) {
|
|
| 203 |
if (!strlen($subject)) |
|
| 204 |
$subject = "{$a}={$v}";
|
|
| 205 |
else |
|
| 206 |
$subject = "{$a}={$v}, {$subject}";
|
|
| 207 |
} |
|
| 208 |
|
|
| 209 |
return $subject; |
|
| 210 |
} |
|
| 211 |
|
|
| 212 |
function cert_get_subject_array($crt) {
|
|
| 213 |
$str_crt = base64_decode($crt); |
|
| 214 |
$inf_crt = openssl_x509_parse($str_crt); |
|
| 215 |
$components = $inf_crt['subject']; |
|
| 216 |
$subject_array = array(); |
|
| 217 |
|
|
| 218 |
foreach($components as $a => $v) |
|
| 219 |
$subject_array[] = array('a' => $a, 'v' => $v);
|
|
| 220 |
|
|
| 221 |
return $subject_array; |
|
| 222 |
} |
|
| 223 |
|
|
| 224 |
?> |
|
Also available in: Unified diff
NOTE: There is some more work to be done for pkg-utils.inc to be removed from backend as a dependency.