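 /**
  * Receive the user's CSR (uploaded file or pasted text), validate it and
  * stage it in $this->csr for the signing step.
  *
  * Handled in order of precedence: an explicit sign request
  * ($_POST['signCSR']), a file upload ($_FILES['user_csr']) and a pasted
  * CSR ($_POST['user_csr']). Every failure path reports through
  * Framework::error_output() and leaves $this->csr as null.
  *
  * @param mixed $person Forwarded unchanged to parent::pre_process()
  */
 public function pre_process($person)
 {
     parent::pre_process($person);

     /* An explicit signing request is handled on its own and does not
      * go through the CSR reception path below. */
     if (isset($_POST['signCSR'])) {
         $this->signCSR(Input::sanitizeCertKey($_POST['signCSR']));
         return;
     }

     $csr = null;
     if (isset($_FILES['user_csr']['name'])) {
         /* Uploaded file */
         try {
             $csr = CSRUpload::receiveUploadedCSR('user_csr', true);
         } catch (FileException $fileEx) {
             $msg = $this->translateTag('l10n_err_csrproc', 'processcsr');
             Framework::error_output($msg . $fileEx->getMessage());
             $this->csr = null;
             return;
         }
     } elseif (isset($_POST['user_csr'])) {
         /* Pasted CSR text. Class name spelled consistently with the upload
          * branch (PHP resolves class names case-insensitively, so this is
          * cosmetic only). */
         try {
             $csr = CSRUpload::receivePastedCSR('user_csr');
         } catch (ConfusaGenException $cge) {
             $msg = $this->translateTag('l10n_err_no_csr', 'processcsr');
             /* Fix: the original read "$cg - e > getMessage()" (an undefined
              * $cg and a bare constant e), which could never produce the
              * exception text; the caught exception's message is appended. */
             Framework::error_output($msg . $cge->getMessage());
             $this->csr = null;
             return;
         }
     } else {
         /* No CSR present, neither paste nor file, kindly bump user */
         Framework::error_output($this->translateTag('l10n_err_no_csr', 'processcsr'));
         return;
     }

     /* Defensive: if a receiver returned nothing without throwing, do not
      * dereference it below (the call would otherwise fatal on null). */
     if ($csr === null) {
         Framework::error_output($this->translateTag('l10n_err_no_csr', 'processcsr'));
         $this->csr = null;
         return;
     }

     /* isValid() is expected to enforce min_key_length, which is why that
      * value is quoted in the message; the check itself lives in the CSR class. */
     if (!$csr->isValid()) {
         $msg = $this->translateTag('l10n_err_csrinvalid1', 'processcsr');
         $msg .= Config::get_config('min_key_length');
         $msg .= $this->translateTag('l10n_err_csrinvalid2', 'processcsr');
         Framework::error_output($msg);
         $this->csr = null;
         return;
     }

     /* Only accept the CSR when the CA mode does not care about the subject
      * (Comodo) or the subject matches the DN this CA would issue for the
      * person. Loose == kept because the type of CA_COMODO vs. the config
      * value is not visible here — TODO confirm and tighten to ===.
      * NOTE(review): a subject mismatch is silently ignored here (no error
      * output, $this->csr untouched), unlike every other failure path. */
     if (Config::get_config('ca_mode') == CA_COMODO || match_dn($csr->getSubject(), $this->ca->getFullDN())) {
         $csr->setUploadedDate(date("Y-m-d H:i:s"));
         $csr->setUploadedFromIP($_SERVER['REMOTE_ADDR']);
         $csr->storeDB($this->person);
         $this->csr = $csr;
     }
 }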
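 /**
  * verifyCSR()
  *
  * Checks the subject of a CSR against the DN expected for this person
  * (getFullDN(), which is built from the SAML attributes delivered by
  * simplesamlphp: Feide, surfnet etc).
  *
  * A CSR is rejected when it
  *  - was not provided (null),
  *  - cannot be parsed by openssl_csr_get_subject(),
  *  - carries an emailAddress in its subject (not compatible with ARC), or
  *  - has a subject that does not match_dn() the expected DN.
  * Each rejection is reported via Framework::error_output().
  *
  * @param string $csr The CSR in base64 PEM format
  * @return bool True if the CSR passes all checks
  */
 private function verifyCSR($csr)
 {
     /* The CSR is treated as valid until one of the checks below proves
      * otherwise. Distrusting every CSR and proving it OK would be the
      * stricter model, but the original author judged the resulting tests
      * too involved without a clear safety gain. */
     if (!isset($csr)) {
         Framework::error_output(__FILE__ . ":" . __LINE__ . " CSR not provided by caller1");
         return false;
     }

     $subject = openssl_csr_get_subject($csr);
     /* openssl_csr_get_subject() returns false (with a warning) when the
      * input is not a parsable CSR. Without this check a malformed CSR
      * would reach match_dn() as false instead of being rejected here. */
     if ($subject === false) {
         Framework::error_output("The CSR could not be parsed. Download latest version of script.");
         return false;
     }

     /* An emailAddress in the DN is non-compatible with ARC. */
     if (isset($subject['emailAddress'])) {
         Framework::error_output("will not accept email in DN of certificate. Download latest version of script.");
         return false;
     }

     /* The remaining fields must match the person's expected DN exactly. */
     if (!match_dn($subject, $this->getFullDN())) {
         $msg = "Error in subject! <BR/>\n"
              . "The fields in your CSR was not set properly.<BR>\n"
              . "To try again, please download a new version of the script, "
              . "generate a new key and upload again.<BR>\n";
         Framework::error_output($msg);
         return false;
     }

     return true;
 }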