$username = preg_replace("/@/", "", $username);
$currPrivateKey = "/tmp/{$username}.txt";
if (file_exists($currPrivateKey)) {
unlink($currPrivateKey);
}
// Open the new file to write the existing private key to.
$fh = fopen($currPrivateKey, 'w') or die("Can't open file");
fwrite($fh, $privatekey);
chmod($currPrivateKey, 0400);
fclose($fh);
// Passphrase to pass to Openssl command to change the passphrase for the private key
$upassword = escapeshellcmd($upassword);
// new passphrase
$new_password = $password;
$new_password = escapeshellcmd($new_password);
$new_password = generatePassphrase($new_password);
// Temporary key files
$no_pass_temp = "{$currPrivateKey}.tmp";
$has_pass_temp = "{$currPrivateKey}.new";
$remove_password = "";
$change_password = "";
// Remove the passphrase from the key and output the new temporary key.
// system() function below
$remove_password = "******";
// Prepare the command to safely pass the passphrases to the "system" command.
// Add new passphrase to key
// system() function below
$change_password = "******";
// Remove passphrase from the current private key
system($remove_password, $rem_retval);
chmod($no_pass_temp, 0600);
function gen_cert($upassword)
{
// Values automatically populated for the SSL certificate for anonymity
$country = "YY";
$state = "XX";
$city = "Somewhere";
$orgName = "no org";
$orgUnitName = "no org unit";
$businessname = "mind your own business";
$commonName = "no name";
// Get email address
$emailAddress = $_SESSION['s_email1'];
/** Create Private and Public Key pairs */
/** sumadhuracool at gmail dot com 23-Jun-2011 04:22 => http://www.php.net/manual/en/function.openssl-public-encrypt.php */
$dn = array("countryName" => $country, "stateOrProvinceName" => $state, "localityName" => $city, "organizationName" => $orgName, "organizationalUnitName" => $orgUnitName, "commonName" => $commonName, "emailAddress" => $emailAddress);
// Users may be required to change their passphrase on a routine basis, due to organizational policies.
// PHP currently doesn't have an option to allow users to change their private key passphrase
// Accordingly, the passphrase has to be changed via the commandline. :-/
// Password to insert into the database.
$upassword = escapeshellcmd($upassword);
// Password to encrypt the private key and its passphrase while stored in the database.
$enc_pass = $upassword;
// Private Key credentials
$privkeypass = generatePassphrase($upassword);
// Keys expire after 5 years
$numberofdays = 1826;
// Create the 2048-bit RSA key
/** sumadhuracool at gmail dot com 23-Jun-2011 04:22 => http://www.php.net/manual/en/function.openssl-public-encrypt.php */
$privkey = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr = openssl_csr_new($dn, $privkey);
$sscert = openssl_csr_sign($csr, null, $privkey, $numberofdays);
openssl_x509_export($sscert, $publickey);
openssl_pkey_export($privkey, $privatekey, $privkeypass);
openssl_csr_export($csr, $csrStr);
// Here is where the hash from generatePassphrase (passphrase for the private key) and the private key are delimited by an @
// and encrypted using the unsalted and unhashed passphrase (the cleartext passphrase) the user uses to authenticate, $enc_pass.
// This is done because the hashed password is stored in cleartext in the DB. Accordingly, if the DB was jacked, then the
// 'acker would have the passphrase to decrypt the private key and its accompanying passphrase.
// With this setup, they'd have to try and crack the hash to get the cleartext passphrase, to do their deed.
// The hash for authentication is salted, which makes rainbow tables computationally infeasible.
// Updated to encrypt the phone number and SMS gateway of the user.
$phone_no = $_SESSION['s_phone'];
$sms_gateway = $_SESSION['s_sms_gateway'];
/** Encrypt the private key and base64_encode it to store in the database. */
$sealed_priv = trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $enc_pass, $privkeypass . "@" . $privatekey . "@" . $phone_no . "@" . $sms_gateway, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
//return $encryptedPrivate;
// Generate hashed pass to store in db, this is the salted and hashed passphrase for the user to authenticate.
$hashed = generateHash($upassword);
// DB connection
$connection = connection();
// Insert user account information
$clean_email = mysql_real_escape_string($emailAddress);
$clean_two_fa = mysql_real_escape_string($_SESSION['s_two_fa']);
// I will be 100 on 2075-03-01. hehehe
$sql = "INSERT INTO users VALUES('','{$emailAddress}', '{$clean_two_fa}', '{$hashed}', '{$sealed_priv}', '{$publickey}')";
$sql_result = mysql_query($sql, $connection) or die("Unable to execute mysql query." . mysql_error());
if ($sql_result) {
echo "Your account has been successfully created.<p>";
echo "Click <a href=\"index.php\">here</a> to login.";
$_SESSION['s_businessname'] = "";
$_SESSION['s_first_name'] = "";
$_SESSION['s_last_name'] = "";
$_SESSION['s_city'] = "";
$_SESSION['s_state'] = "";
$_SESSION['s_email1'] = "";
$_SESSION['s_country'] = "";
$_SESSION['s_reg_password'] = "";
$_SESSION['s_reg_email'] = "";
$_SESSION['s_phone'] = "";
$_SESSION['s_two_fa'] = "";
$_SESSION['s_codeToEnter'] = "";
$_SESSION['s_reg_gateway'] = "";
$_SESSION['s_sms_gateway'] = "";
$_SESSION = array();
exit;
} else {
echo "Error creating account.";
}
}
