public function pre_process($person) { parent::pre_process($person); $authvar = ""; $csr = null; if (isset($_POST['signCSR'])) { $this->signCSR(Input::sanitizeCertKey($_POST['signCSR'])); return; } /* Testing for uploaded files */ if (isset($_FILES['user_csr']['name'])) { try { $csr = CSRUpload::receiveUploadedCSR('user_csr', true); } catch (FileException $fileEx) { $msg = $this->translateTag('l10n_err_csrproc', 'processcsr'); Framework::error_output($msg . $fileEx->getMessage()); $this->csr = null; return; } } else { if (isset($_POST['user_csr'])) { try { $csr = CSRUPload::receivePastedCSR('user_csr'); } catch (ConfusaGenException $cge) { $msg = $this->translateTag('l10n_err_no_csr', 'processcsr'); Framework::error_output($msg . $cg - e > getMessage()); $this->csr = null; return; } } else { /* No CSR present, neither paste nor file, kindly bump user */ Framework::error_output($this->translateTag('l10n_err_no_csr', 'processcsr')); return; } } if (!$csr->isValid()) { $msg = $this->translateTag('l10n_err_csrinvalid1', 'processcsr'); $msg .= Config::get_config('min_key_length'); $msg .= $this->translateTag('l10n_err_csrinvalid2', 'processcsr'); Framework::error_output($msg); $this->csr = null; return; } if (Config::get_config('ca_mode') == CA_COMODO || match_dn($csr->getSubject(), $this->ca->getFullDN())) { $csr->setUploadedDate(date("Y-m-d H:i:s")); $csr->setUploadedFromIP($_SERVER['REMOTE_ADDR']); $csr->storeDB($this->person); $this->csr = $csr; } }
/** * verifyCSR() * * This function will test the CSR against several fields. * It will test the subject against the person-attributes (which in turn are * gathered from simplesamlphp-attributes (Feide, surfnet etc). * * @param String The CSR in base64 PEM format * @return Boolean True if valid CSR */ private function verifyCSR($csr) { /* by default, the CSR is valid, we then try to prove that it's invalid * * A better approach could be to distrust all CSRs and try to prove that * they are OK, however this leads to messy code (as the tests becomes * somewhat more involved) and I'm not convinced that it will be any safer. */ if (!isset($csr)) { Framework::error_output(__FILE__ . ":" . __LINE__ . " CSR not provided by caller1"); return false; } $subject = openssl_csr_get_subject($csr); /* check fields of CSR to predefined values and user-specific values * Make sure that the emailAddress is not set, as this is * non-compatible with ARC. */ if (isset($subject['emailAddress'])) { Framework::error_output("will not accept email in DN of certificate. Download latest version of script."); return false; } else { if (!match_dn($subject, $this->getFullDN())) { $msg = ""; $msg .= "Error in subject! <BR/>\n"; $msg .= "The fields in your CSR was not set properly.<BR>\n"; $msg .= "To try again, please download a new version of the script, "; $msg .= "generate a new key and upload again.<BR>\n"; Framework::error_output($msg); return false; } } return true; }