$username = preg_replace("/@/", "", $username); $currPrivateKey = "/tmp/{$username}.txt"; if (file_exists($currPrivateKey)) { unlink($currPrivateKey); } // Open the new file to write the existing private key to. $fh = fopen($currPrivateKey, 'w') or die("Can't open file"); fwrite($fh, $privatekey); chmod($currPrivateKey, 0400); fclose($fh); // Passphrase to pass to Openssl command to change the passphrase for the private key $upassword = escapeshellcmd($upassword); // new passphrase $new_password = $password; $new_password = escapeshellcmd($new_password); $new_password = generatePassphrase($new_password); // Temporary key files $no_pass_temp = "{$currPrivateKey}.tmp"; $has_pass_temp = "{$currPrivateKey}.new"; $remove_password = ""; $change_password = ""; // Remove the passphrase from the key and output the new temporary key. // system() function below $remove_password = "******"; // Prepare the command to safely pass the passphrases to the "system" command. // Add new passphrase to key // system() function below $change_password = "******"; // Remove passphrase from the current private key system($remove_password, $rem_retval); chmod($no_pass_temp, 0600);
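/**
 * Create a new user account.
 *
 * Generates a 2048-bit RSA key pair and a self-signed certificate, seals the
 * private key (plus its passphrase, the phone number and the SMS gateway)
 * under the user's cleartext passphrase, and inserts the account row into the
 * `users` table.
 *
 * Reads $_SESSION['s_email1'], ['s_phone'], ['s_sms_gateway'] and ['s_two_fa'].
 * On success it prints a confirmation, empties the session and calls exit, so
 * it does not return to the caller. If key generation fails it prints
 * "Error creating account." and returns without touching the database.
 *
 * Security review notes. These are left unchanged because the stored data and
 * the other code paths that read it depend on the current format:
 *  - escapeshellcmd() is applied to the passphrase before hashing. It is a
 *    shell-escaping helper, not a normaliser: it inserts backslashes before
 *    shell metacharacters, so the value hashed here differs from what the user
 *    typed. Presumably the login and change-passphrase paths apply the same
 *    transform -- confirm before removing it.
 *  - The sealed blob uses mcrypt (removed in PHP 7.2) with MCRYPT_RIJNDAEL_256
 *    (256-bit block Rijndael, not AES) in ECB mode, keyed directly with the
 *    passphrase: no KDF, no IV effect, no integrity check. New deployments
 *    should derive a key with a password KDF and use an authenticated mode.
 *  - mysql_* was removed in PHP 7.0; parameterised queries (PDO/mysqli) are
 *    the long-term fix for the string-built INSERT below.
 *
 * @param string $upassword Cleartext passphrase chosen by the user.
 * @return void
 */
function gen_cert($upassword)
{
    // Email address collected earlier in the registration flow.
    $emailAddress = $_SESSION['s_email1'];

    // Subject fields are fixed placeholder values for anonymity; only the
    // email address is user-specific.
    // Key/CSR generation follows the user note by "sumadhuracool at gmail dot com"
    // (23-Jun-2011) on http://www.php.net/manual/en/function.openssl-public-encrypt.php
    $dn = array(
        "countryName"            => "YY",
        "stateOrProvinceName"    => "XX",
        "localityName"           => "Somewhere",
        "organizationName"       => "no org",
        "organizationalUnitName" => "no org unit",
        "commonName"             => "no name",
        "emailAddress"           => $emailAddress,
    );

    // Users may have to rotate their passphrase under organisational policy,
    // and that rotation is done through the openssl command line elsewhere.
    // NOTE(review): escapeshellcmd() alters the passphrase (see docblock); it
    // is kept only so this function stays consistent with existing hashes.
    $upassword = escapeshellcmd($upassword);

    // Key used to seal the private key bundle stored in the database.
    $enc_pass = $upassword;

    // Passphrase protecting the exported private key.
    $privkeypass = generatePassphrase($upassword);

    // Certificates expire after 5 years.
    $numberofdays = 1826;

    // Create the 2048-bit RSA key, a CSR and a self-signed certificate.
    // Every step is checked: an unchecked failure would otherwise store an
    // account with an empty key pair.
    $publickey = null;
    $privatekey = null;
    $keysReady = false;
    $privkey = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    if ($privkey) {
        $csr = openssl_csr_new($dn, $privkey);
        if ($csr) {
            $sscert = openssl_csr_sign($csr, null, $privkey, $numberofdays);
            if ($sscert) {
                $keysReady = openssl_x509_export($sscert, $publickey)
                    && openssl_pkey_export($privkey, $privatekey, $privkeypass);
            }
        }
    }
    if (!$keysReady) {
        echo "Error creating account.";
        return;
    }

    // The private-key passphrase (output of generatePassphrase) and the private
    // key are joined with "@" and encrypted under the cleartext passphrase the
    // user authenticates with. Rationale from the original author: the database
    // only holds the salted authentication hash, so someone who obtains the
    // database must first recover the cleartext passphrase from that hash
    // before the private key can be decrypted.
    // The phone number and SMS gateway are sealed in the same bundle.
    $phone_no = $_SESSION['s_phone'];
    $sms_gateway = $_SESSION['s_sms_gateway'];

    // Encrypt the bundle and base64-encode it for storage.
    // ECB does not use the IV argument; it is passed only to keep the call
    // identical to the code that decrypts this value.
    $sealed_priv = trim(base64_encode(mcrypt_encrypt(
        MCRYPT_RIJNDAEL_256,
        $enc_pass,
        $privkeypass . "@" . $privatekey . "@" . $phone_no . "@" . $sms_gateway,
        MCRYPT_MODE_ECB,
        mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)
    )));

    // Salted and hashed passphrase the user authenticates against.
    $hashed = generateHash($upassword);

    // DB connection
    $connection = connection();

    // Escape every value that goes into the statement. The original computed
    // an escaped email but interpolated the raw session value, which left the
    // INSERT open to SQL injection through the email field.
    $clean_email  = mysql_real_escape_string($emailAddress, $connection);
    $clean_two_fa = mysql_real_escape_string($_SESSION['s_two_fa'], $connection);
    $clean_hashed = mysql_real_escape_string($hashed, $connection);
    $clean_sealed = mysql_real_escape_string($sealed_priv, $connection);
    $clean_pubkey = mysql_real_escape_string($publickey, $connection);

    // NOTE(review): the INSERT relies on the column order of `users`; naming
    // the columns explicitly would make it robust against schema changes.
    $sql = "INSERT INTO users VALUES('','{$clean_email}', '{$clean_two_fa}', '{$clean_hashed}', '{$clean_sealed}', '{$clean_pubkey}')";
    $sql_result = mysql_query($sql, $connection);
    if (!$sql_result) {
        // Keep driver details in the server log instead of the HTTP response.
        error_log("gen_cert: user insert failed: " . mysql_error($connection));
        die("Unable to execute mysql query.");
    }

    echo "Your account has been successfully created.<p>";
    echo "Click <a href=\"index.php\">here</a> to login.";

    // Drop all registration data (passphrase, phone, 2FA choice, ...) from the
    // session; replacing the whole array covers every individual key.
    $_SESSION = array();
    exit;
}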