/**
* Process request and draw page to examine a csr.
* @return void
*/
function getPageCsrView()
{
global $_WA;
$_WA->html->setPageTitle('Examine Certificate Signing Request');
// Prepopulate data we will be pulling
$csr_subject = false;
$csr_key = false;
$csr_asn = false;
// Check to see if they have provided a file.
$csr_pem = $_WA->html->parseCertificateRequest('csr_file', 'csr');
if (is_string($csr_pem)) {
$_WA->moduleRequired('cert');
$csr_subject = openssl_csr_get_subject($csr_pem, false);
$junk = preg_split('/(-----((BEGIN)|(END)) CERTIFICATE REQUEST-----)/', $csr_pem);
if (isset($junk[1])) {
$enc = base64_decode($junk[1]);
$csr_asn = $_WA->cert->parseAsn($enc);
}
$key = openssl_csr_get_public_key($csr_pem);
if (is_resource($key)) {
$csr_key = openssl_pkey_get_details($key);
}
}
$_WA->html->setVar('csr_pem', &$csr_pem);
$_WA->html->setVar('csr_subject', &$csr_subject);
$_WA->html->setVar('csr_key', &$csr_key);
$_WA->html->setVar('csr_asn', &$csr_asn);
die($_WA->html->loadTemplate('utils.csr.view.php'));
}
function test_openssl_sign()
{
$privkey = openssl_pkey_new();
VERIFY($privkey != null);
$csr = openssl_csr_new(null, $privkey);
VERIFY($csr != null);
$pubkey = openssl_csr_get_public_key($csr);
VERIFY($pubkey != null);
$data = "some secret messages";
VERIFY(openssl_sign($data, $signature, $privkey));
VS(openssl_verify($data, $signature, $pubkey), 1);
}
function csr_pubkey_length($csr)
{
$csr_pubkey = openssl_csr_get_public_key($csr);
$keydata = openssl_pkey_get_details($csr_pubkey);
return $keydata['bits'];
}
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
$csr = '-----BEGIN CERTIFICATE REQUEST-----
MIIBxDCCAS0CAQAwgYMxLTArBgNVBAMTJDczN0YwRjMzLTdBNjMtNDI5MC1BQkRG
LUE3QUE5NkVFNDc4QzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlDdXBlcnRpbm8xEzARBgNVBAoTCkFwcGxlIEluYy4xDzANBgNVBAsTBmlQaG9u
ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAp+pWUbIk+mTyQp2hT95RMAFX
pC83IckQckh6FoXGj9n5CVNW1U1tAcj0bi+zVrF2yPX0AjuYLMBIS9bRtrJ6Cu/P
fhyqfgkK4XFOdTcvupegXZi5QakmcQOFotubpuD5Z+6FnhDsJz57bORcznCzu60Y
Ers/c3NjwSCFFi/IyPMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAE2zL2HLSCPE
8XsFKrB1J7w7pKxjf64QVHjp5aK3HtOUL89TRJFzHdpXMG58GrKibRWK19+kTQg4
zXyNVXEc4CnOFO2U5vPbdFmpgHc5IXFZZJgHrQo+JD39EJ5O0rtchKeYnePbK+X4
5fcixklRySJ06YthmX3FHitD3ExjaI8p
-----END CERTIFICATE REQUEST-----
';
$vectxq = openssl_pkey_get_details(openssl_csr_get_public_key($csr));
$pkeyxq = $vectxq['key'];
file_put_contents('certs/pubkey.pem', $pkeyxq);
// Load the certificate public key.
$pubkey = new Crypt_RSA();
$pubkey->loadKey(file_get_contents('certs/pubkey.pem'));
$pubkey->setPublicKey();
// Build the new certificate.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA');
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 1 year');
$iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
// Sign new certificate.
/**
* Import a server cert
* @param string $cert - PEM encoded certificate - required
* @param string $privKey - PEM encoded private key - optional
* @param string $passPhrase - optional
* @param string $certRequest - PEM encoded CSR - optional
* @return bool true on success
* @return string error message on failures
*/
public function actionServerImport($pemCert = null, $privKey = null, $passPhrase = null, $certRequest = null)
{
$this->moduleRequired('ca,cert,server');
// check arguments
if (!is_string($pemCert) or strlen($pemCert) < 1) {
return 'Must provide a valid PEM encoded CA certificate.';
}
// normalize arguments
$privKey = (is_string($privKey) and strlen($privKey) > 0) ? $privKey : false;
$passPhrase = (is_string($passPhrase) and strlen($passPhrase) > 0) ? $passPhrase : '';
$certRequest = (is_string($certRequest) and strlen($certRequest) > 0) ? $certRequest : false;
// parse the cert
$pc = $this->cert->parseCert($pemCert);
if (!is_array($pc)) {
return 'Failed to parse certificate.';
}
$rc = $this->server->meetsImportRequirements($pc);
if (!($rc === true)) {
return 'Cert does not meet import requirements: ' . $rc;
}
// no self-signed certs
$isSelfSigned = $this->cert->isCertSigner($pemCert, $pemCert);
if ($isSelfSigned === true) {
return 'Will not import self-signed certificates.';
}
$rc = $this->cert->parsedCertIsSslServer($pc);
if (!($rc === true)) {
return 'The specified cert is not a SSL server certificate.';
}
if (!is_numeric($pc['certificate']['serialNumber'])) {
return 'Invalid certificate serial number.';
} else {
$serialNumber = $pc['certificate']['serialNumber'];
}
$validFrom = gmdate('Y-m-d H:i:s', $pc['certificate']['validity']['notbefore']);
if ($validFrom === false) {
return 'Failed to determine validFrom date.';
}
$validTo = gmdate('Y-m-d H:i:s', $pc['certificate']['validity']['notafter']);
if ($validTo === false) {
return 'Failed to determine validTo date.';
}
// extract needed public key objects
$pubKeyRes = openssl_pkey_get_public($pemCert);
if ($pubKeyRes === false) {
return 'Failed to extract public key.';
}
$ar = openssl_pkey_get_details($pubKeyRes);
if (!is_array($ar) or !isset($ar['key'])) {
return 'Failed to obtain PEM formatted public key.';
} else {
$pubKey = $ar['key'];
}
// Locate issuer
$ca = $this->getSignerId($pemCert);
if (!is_array($ca) or count($ca) < 1) {
$issuer = $pc['certificate']['issuer'];
$m = 'The CA cert that signed this certificate could not be ' . 'located. Import the CA Certificate that matches the ' . 'information listed below and try again.';
$out = print_r($issuer, true);
$m .= '<P><PRE>' . $out . '</PRE></P>';
return $m;
}
if (count($ca) > 1) {
$m = 'This certificate cannot be imported because multiple possible ' . 'signers exist.';
return $m;
}
$caId = isset($ca[0]['Id']) ? $ca[0]['Id'] : false;
if (!is_numeric($caId) or $caId < 1) {
return 'Failed to locate issuing CA id.';
}
// Validate expiration date of CA cert. Only warn if the expiration dates
// don't jive.
$this->ca->resetProperties();
if ($this->ca->populateFromDb($caId) === false) {
return 'Failed to locate issuer information.';
}
$caValidTo = $this->ca->getProperty('ValidTo');
if (substr($validTo, 0, 10) > substr($caValidTo, 0, 10)) {
$m = 'WARNING: The certificate expiration date is invalid, the issuer ' . 'certficate expires ' . $caValidTo . ', this certificate expires ' . $validTo . '.';
$this->html->errorMsgSet($m);
}
// Determine the last serial number issued by the ca in case the
// serial number of the current certificate is higher and we need
// to bump the ca last serial issued.
$caLastSerial = $this->ca->getLastSerialIssued($caId);
if ($caLastSerial === false or !is_numeric($caLastSerial)) {
return 'Failed to determine CA last serial issued.';
}
// Validate the private key
if (is_string($privKey)) {
$pKey = openssl_pkey_get_private($privKey, $passPhrase);
if ($pKey === false) {
return 'Private key or password is invalid.';
}
if (!openssl_x509_check_private_key($pemCert, $pKey)) {
return 'Private key does not belong to cert.';
}
}
// Did they include a csr?
if (is_string($certRequest)) {
$csrPubKey = openssl_csr_get_public_key($certRequest);
if ($csrPubKey === false) {
return 'Failed to extract public key from CSR.';
}
if (openssl_pkey_get_details($pubKeyRes) !== openssl_pkey_get_details($csrPubKey)) {
return 'CSR and cert do not match.';
}
}
// Import the cert into the database
$this->server->resetProperties();
// required properties
$this->server->setProperty('Certificate', $pemCert);
$this->server->setProperty('CommonName', implode("\n", $pc['certificate']['subject']['CommonName']));
$this->server->setProperty('CreateDate', 'now()');
$this->server->setProperty('Description', 'imported');
$this->server->setProperty('FingerprintMD5', $pc['fingerprints']['md5']);
$this->server->setProperty('FingerprintSHA1', $pc['fingerprints']['sha1']);
$this->server->setProperty('ParentId', $caId);
$this->server->setProperty('PrivateKey', $privKey);
$this->server->setProperty('PublicKey', $pubKey);
$this->server->setProperty('SerialNumber', $serialNumber);
$this->server->setProperty('ValidFrom', $validFrom);
$this->server->setProperty('ValidTo', $validTo);
// optional properties
if (is_string($certRequest)) {
$this->server->setProperty('CSR', $certRequest);
}
// optional subject properties
$sub = $pc['certificate']['subject'];
if (isset($sub['Country'])) {
$val = $sub['Country'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('CountryName', implode("\n", $val));
}
}
if (isset($sub['emailAddress'])) {
$val = $sub['emailAddress'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('EmailAddress', implode("\n", $val));
}
}
if (isset($sub['Location'])) {
$val = $sub['Location'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('LocalityName', implode("\n", $val));
}
}
if (isset($sub['Organization'])) {
$val = $sub['Organization'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('OrgName', implode("\n", $val));
}
}
if (isset($sub['OrganizationalUnit'])) {
$val = $sub['OrganizationalUnit'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('OrgUnitName', implode("\n", $val));
}
}
if (isset($sub['stateOrProvinceName'])) {
$val = $sub['stateOrProvinceName'];
if (is_array($val) and count($val) > 0) {
$this->server->setProperty('StateName', implode("\n", $val));
}
}
// Do the deed...
$this->server->populated = true;
$rc = $this->server->add();
if (!($rc === true)) {
return 'Import Failed: ' . $rc;
}
// Do we need to bump the CA's last serial issued?
if ($serialNumber > $caLastSerial) {
if (!($this->ca->updateSerialByCaId($caId, $serialNumber) === true)) {
return $m;
}
}
return true;
}
/**
* Check for weak Debian key
*
* @return boolean true on success, false on failure
*/
private function checkWeakDebiankey()
{
if (!file_exists(__ROOT__ . '/conf/debian_blacklist.db')) {
$this->setTest('Requirements (debian_blacklist)', false, 'File debian_blacklist.db not found!');
return true;
}
$cert_details = openssl_pkey_get_details(openssl_csr_get_public_key($this->csr_content));
if (!isset($cert_details['rsa'])) {
return true;
}
// Read the debian black list URLs file
$handle = fopen(__ROOT__ . '/conf/debian_blacklist.db', "r");
// Weak debian key check
$bin_modulus = $cert_details['rsa']['n'];
# blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
# create the blacklist:
# https://packages.debian.org/source/squeeze/openssl-blacklist
# svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
# find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
# sort -u unsorted_blacklist.db > debian_blacklist.db
$mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n");
$key_in_blacklist = false;
while (($buffer = fgets($handle)) !== false) {
if (strpos($buffer, $mod_sha1sum) !== false) {
$key_in_blacklist = true;
break;
}
}
fclose($handle);
if ($key_in_blacklist == false) {
return true;
}
return false;
}
function csr_parse_json($csr)
{
$result = array();
if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
$cert_data = openssl_csr_get_public_key($csr);
$cert_details = openssl_pkey_get_details($cert_data);
$cert_key = $cert_details['key'];
$cert_subject = openssl_csr_get_subject($csr);
$result["subject"] = $cert_subject;
$result["key"] = $cert_key;
$result["details"] = $cert_details;
} elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
$result = cert_parse_json($csr);
} else {
$result = array("error" => "data not valid csr");
}
return $result;
}
/**
* @param bool $longNames
*
* @return PublicKey
*/
public function getPublicKey(bool $longNames = false) : PublicKey
{
$publicKey = openssl_csr_get_public_key($this->getHandle(), $longNames);
return new PublicKey($publicKey);
}
if ($activationState == "Unactivated") {
$accountToken = '{' . "\n\t" . '"InternationalMobileEquipmentIdentity" = "' . $imei . '";' . "\n\t" . '"ActivityURL" = "' . 'https://albert.apple.com/deviceservices/activity' . '";' . "\n\t" . '"ActivationRandomness" = "' . $activationRamdomess . '";' . "\n\t" . '"UniqueDeviceID" = "' . $uniqueDiviceID . '";' . "\n\t" . '"CertificateURL" = "https://albert.apple.com/deviceservices/certifyMe";' . "\n\t" . '"PhoneNumberNotificationURL" = "https://albert.apple.com/deviceservices/phoneHome' . '";' . "\n\t" . '"WildcardTicket" = "' . $wildcard . '";' . "\n" . '}';
$accountTokenEncoded = base64_encode($accountToken);
openssl_sign($accountToken, $binarySignature, $pvKey);
// AccountTokenSignature
$accountTokenSignature = base64_encode($binarySignature);
// Load the CA and its private key.
$pemcakey = file_get_contents('certs/iPhoneDeviceCA_private.key');
$cakey = new Crypt_RSA();
$cakey->loadKey($pemcakey);
$pemca = file_get_contents('certs/iPhoneDeviceCA.pem');
$ca = new File_X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// csr public key
$vectxq = openssl_pkey_get_details(openssl_csr_get_public_key($deviceCertRequest));
$pkeyxq = $vectxq['key'];
file_put_contents('certs/pubkey.pem', $pkeyxq);
// Load the certificate public key.
$pubkey = new Crypt_RSA();
$pubkey->loadKey($pkeyxq);
$pubkey->setPublicKey();
$x509 = new File_X509();
$csr = $x509->loadCSR($deviceCertRequest);
// see csr.csr
$dn = $x509->getDN(true);
// Build the new certificate.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN($dn);
$DeviceEncoded->save($DevicePath . DS . "ActivationInfo.plist");
$DeviceDecoded->save($DevicePath . DS . "ActivationInfoXML.plist");
//
//
$FairPlayCertChain_Der_Content = file_get_contents($DevicePath . DS . "FairPlayCertChain.der");
$FairPlayCertChain_Pem_Content = '-----BEGIN CERTIFICATE-----' . PHP_EOL . chunk_split(base64_encode($FairPlayCertChain_Der_Content), 64, PHP_EOL) . '-----END CERTIFICATE-----' . PHP_EOL;
//
file_put_contents($DevicePath . DS . "FairPlayCertChain.pem", $FairPlayCertChain_Pem_Content);
// Prepare ActivationInfoXML.plist File.
//
$ActivationInfoDEC = file_get_contents($DevicePath . DS . "ActivationInfoXML.plist");
$ActivationInfoDEC = $PParser->parse($ActivationInfoDEC);
// Get And Store DeviceCertRequest Public Key.
//
$Certificate = base64_decode($DeviceCert);
$Certificate_Details = openssl_pkey_get_details(openssl_csr_get_public_key($Certificate));
$Certificate_PublicKey = $Certificate_Details['key'];
//
file_put_contents($DevicePath . DS . "DeviceCert.csr", $Certificate);
file_put_contents($DevicePath . DS . "DeviceCertPublic.key", $Certificate_PublicKey);
// Extra
//
extract($ActivationInfoDEC);
// This is an extremely needed check :).
//
$Check_iDevice = Check_iDevice($ProductType);
$Check_iDevice_Type = Check_iDevice($ProductType, true);
$Check_iDevice_Name = Check_iDevice($ProductType, true, true);
//
//
if ($Check_iDevice === true) {
exit;
}
# ----------------------------------- save request info ------------------------------------------
$devicefolder = 'devices/' . $deviceClass . '/' . $serialNumber . '/';
if (!file_exists('devices/' . $deviceClass . '/')) {
mkdir('devices/' . $deviceClass . '/', 0777, true);
}
if (!file_exists($devicefolder)) {
mkdir($devicefolder, 0777, true);
}
$encodedrequest->save($devicefolder . 'device-request.xml');
$decodedrequest->save($devicefolder . 'device-request-decoded.xml');
file_put_contents($devicefolder . 'cert-request.csr', $deviceCertRequest);
file_put_contents($devicefolder . 'fairPlayCertChain.crt', '-----BEGIN CERTIFICATE-----' . $fairPlayCertChain . '-----END CERTIFICATE-----');
#file_put_contents($devicefolder.'fairPlaySignature.key', '-----BEGIN RSA PUBLIC KEY-----'.$fairPlaySignature.'-----END RSA PUBLIC KEY-----');
file_put_contents($devicefolder . 'cert-request-public.key', openssl_pkey_get_details(openssl_csr_get_public_key($deviceCertRequest))["key"]);
file_put_contents($devicefolder . 'GUID.txt', $guid);
#file_put_contents($devicefolder.'serverCASigned.crt', $certout);
# -------------------------------------------------------------------------------------------------
# ---------------------------------- Sign device certificate request ------------------------------
$privkey = array(file_get_contents('certs/original/iPhoneDeviceCA_private.key'), "minacriss");
$devicecacert = file_get_contents('certs/original/iPhoneDeviceCA.crt');
#$config = array('digest_alg' => 'sha1');
$config = array('config' => 'C:/XAMPP/php/extras/openssl/openssl.cnf', 'digest_alg' => 'sha1');
$usercert = openssl_csr_sign($deviceCertRequest, $devicecacert, $privkey, 1096, $config, '06');
openssl_x509_export($usercert, $certout);
$deviceCertificate = base64_encode($certout);
//write raw $certout to file
file_put_contents($devicefolder . 'serverCASigned.crt', $certout);
$certs_path = 'certs/';
# certs/original/ - minacriss original
/**
* Extracts PublicKey from a CertificateSigningRequest
* @param CertificateSigningRequest $CSR
* @return PublicKey
*/
function CSR_PublicKey($CSR)
{
return openssl_csr_get_public_key($CSR);
}
$AccountTokenSignatureCheck = Check_Signature($FakeAccountTokenCertificate, $AccountTokenSignature, $AccountToken);
$Message .= $AccountTokenSignatureCheck . "\n";
// Load iPhoneDeviceCA Certificate & It's Private Key.
$iPhoneDeviceCA_private = file_get_contents($iPhoneDeviceCA_privateFile);
$CA_Key = new Crypt_RSA();
$CA_Key->loadKey($iPhoneDeviceCA_private);
$iPhoneDeviceCA = file_get_contents($iPhoneDeviceCAFile);
$CA_Certificate = new File_X509();
$CA_Certificate->setPrivateKey($CA_Key);
$CA_Certificate->loadX509($iPhoneDeviceCA);
// $CA_Certificate->setExtension( 'id-ce-authorityKeyIdentifier',
// $CA_Certificate->setKeyIdentifier ( base64_decode (
// 'sv4hI0SGlWp51YEmjnMQ2KdMjnQ=' ) ), false );
// Get And Store DeviceCertRequest Public Key.
$DeviceCertRequest = base64_decode($DeviceCertRequest);
$iPhoneDeviceVect = openssl_pkey_get_details(openssl_csr_get_public_key($DeviceCertRequest));
$iPhoneDevicePublicKey = $iPhoneDeviceVect['key'];
file_put_contents($DeviceCertRequest_PublicFile, $iPhoneDevicePublicKey);
// Load DeviceCertRequest Public Key.
$DeviceCertRequest_PublicKey = new Crypt_RSA();
$DeviceCertRequest_PublicKey->loadKey(file_get_contents($DeviceCertRequest_PublicFile));
$DeviceCertRequest_PublicKey->setPublicKey();
// Load CSR And get DN.
$DeviceCertRequest_CR = new File_X509();
$DeviceCertRequest_CR->loadCSR($DeviceCertRequest);
$doulCi_DN = $DeviceCertRequest_CR->getDNProp('id-at-commonName');
// Build the new Device Certificate.
$iPhoneDeviceCA = new File_X509();
// $iPhoneDeviceCA->loadCA ( $iPhoneDeviceCA );
$iPhoneDeviceCA->setPublicKey($DeviceCertRequest_PublicKey);
$iPhoneDeviceCA->setDN($DeviceCertRequest_CR->getDN(true));
/**
* updateDetails() scan the pubkey and retrieve key-specific details
*
* @param String|null a specific element to look for in the details
* @param Boolean force a reparsing of the pubkey
* @return Boolean true if key was found or if the key has
* been parsed.
* @access private
*/
private function updateDetails($key = null, $force = false)
{
if (is_null($this->csr_pubkey_details) || $force) {
$pubkey = openssl_csr_get_public_key($this->csr_pem);
if (!$pubkey) {
return false;
}
$this->csr_pubkey_details = openssl_pkey_get_details($pubkey);
}
if (!is_null($key)) {
return array_key_exists($key, $this->csr_pubkey_details);
}
return is_array($this->csr_pubkey_details);
}
function csr_parse_json($csr)
{
//if csr or cert is pasted in form tis function parses the csr or it send the cert to cert_parse.
global $random_blurp;
global $timeout;
$result = array();
if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
$cert_data = openssl_csr_get_public_key($csr);
$cert_details = openssl_pkey_get_details($cert_data);
$cert_key = $cert_details['key'];
$cert_subject = openssl_csr_get_subject($csr);
$result["subject"] = $cert_subject;
$result["key"] = $cert_key;
$result["details"] = $cert_details;
if ($cert_details) {
$result["csr_pem"] = $csr;
$sans = get_sans_from_csr($csr);
if (count($sans) > 1) {
$result["csr_sans"] = $sans;
}
}
} elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
$result = cert_parse_json($csr, null, null, null, null, true);
} else {
$result = array("error" => "data not valid csr");
}
return $result;
}
