 /**
  * Pre-process the browser-CSR page: handle the certificate status poll
  * (GET status_poll) and the upload of a browser-generated CSR
  * (POST browserRequest) before the page is rendered.
  *
  * @param $person the authenticated person, handed on to parent::pre_process()
  */
 public function pre_process($person)
 {
     parent::pre_process($person);
     $this->tpl->assign('extraScripts', array('js/jquery-1.6.1.min.js'));
     /* file_get_contents() returns false when the script file is missing;
      * the value is assigned to the template unchecked */
     $this->tpl->assign('rawScript', file_get_contents('../include/rawToggleExpand.js'));
     if (isset($_GET['status_poll'])) {
         $order_number = Input::sanitizeCertKey($_GET['status_poll']);
         /* assign the order_number again */
         $this->tpl->assign('order_number', $order_number);
         $this->tpl->assign('status_poll', true);
         /* $_GET['anticsrf'] is read without an isset() guard (undefined
          * index notice when absent). Here it is only sanitized and passed
          * back to the template; whether the token is verified anywhere is
          * not visible in this method. */
         $anticsrf = "anticsrf=" . Input::sanitizeAntiCSRFToken($_GET['anticsrf']);
         $this->tpl->assign('ganticsrf', $anticsrf);
         if ($this->ca->pollCertStatus($order_number)) {
             /* redirect to certificate download area */
             CS::setSessionKey("browserCert", $order_number);
             /* NOTE(review): there is no exit() after the redirect header,
              * so the rest of pre_process() (including the browserRequest
              * branch below) still runs for this request - confirm that
              * this is intended */
             header("Location: download_certificate.php");
         }
     }
     /* when the key has been generated in the browser and the
      * resulting CSR has been uploaded to the server, we end up
      * here.
      */
     if (isset($_POST['browserRequest'])) {
         $ua = Output::getUserAgent();
         switch ($ua) {
             /* these browsers submit a SPKAC (keygen-tag) structure */
             case "opera":
             case "safari":
             case "mozilla":
             case "chrome":
                 $csr = new CSR_SPKAC(trim(Input::sanitizeBase64($_POST['browserRequest'])));
                 break;
             /* MSIE submits a bare base64 PKCS#10 body; wrap it in the PEM
              * markers before parsing */
             case "msie_pre_vista":
             case "msie_post_vista":
                 $csrContent = CSR::$PEM_PREFIX . "\n" . trim(Input::sanitizeBase64($_POST['browserRequest'])) . "\n" . CSR::$PEM_SUFFIX;
                 $csr = new CSR_PKCS10($csrContent);
                 break;
         }
         /* $csr stays unset for a user agent not listed above; !empty()
          * then treats the request like an invalid CSR */
         if (!empty($csr) && $csr->isValid()) {
             try {
                 $order_number = $this->signCSR($csr);
                 $this->tpl->assign('order_number', $order_number);
             } catch (KeySignException $kse) {
                 Framework::error_output($this->translateTag('l10n_sign_error', 'processcsr') . "<br /><br />" . $kse->getMessage());
                 /* NOTE(review): the next line is garbled in this copy of
                  * the source - two log statements ("Could not sign CSR"
                  * and "Received browser-CSR that could not be parsed!")
                  * and the closing braces of the catch/else branches appear
                  * fused; it is left exactly as found */
                 Logger::logEvent(LOG_WARNING, "CP_Browser_CSR", "pre_process()", "Could not sign CSR because of " . $kse->getMessage() . " User: "******"CP_Browser_CSR", "pre_process()", "Received browser-CSR that could not be parsed!" . " User: " . $this->person->getEPPN(), __LINE__);
             }
         }
     }
 }
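 /**
  * Process a request to this endpoint. Usually those requests are about
  * requesting, downloading and listing certificates
  *
  * The API is mostly easy for the caller, detecting what the caller meant
  * on our side is unfortunately not so easy. So what the function does
  *
  * 1.) Does the request generate a POST? If so and if it includes
  *     POST['request'] ship the (base64-sanitized) CSR to signing
  * 2.) Does the path to script have suffix parameters? If so, the first
  *     suffix parameter is the auth-key/order-number of the certificate
  *     which should be returned
  * 3.) If there is no suffix, list all the available certificates of the
  *     authN user
  *
  * Notes on the control flow as written here:
  *  - nothing returns after errorAuth(), so that method is expected to end
  *    the request itself for unauthenticated callers (not visible here)
  *  - the PATH_INFO segments are untrusted input and are only split, not
  *    validated, in this method; processDownloadSingle() has to validate
  *    the order-number it picks up from $this->parameters
  *  - processListCerts() runs after processDownloadSingle() unless the
  *    latter terminates the request on its own
  */
 public function processRequest()
 {
     if (!$this->person->isAuth()) {
         $this->errorAuth();
     }
     /* ship the CSR to signing */
     if (isset($_POST['request'])) {
         $this->processSigningRequest(Input::sanitizeBase64($_POST['request']));
     }
     /* PATH_INFO is not set at all when the script is called without a
      * suffix; treat that as an empty path instead of raising an undefined
      * index notice */
     $path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
     $path = trim($path, "/");
     if (strlen($path) > 0) {
         $this->parameters = explode("/", $path);
     }
     if (count($this->parameters) >= 1) {
         $this->processDownloadSingle();
     }
     $this->processListCerts();
 }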
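 /**
  * handleFileCertificate() Insert new RI-cert from FILE-upload
  *
  * This function is called whenever a certificate is uploaded via the
  * FILE-interface. Simple validation is performed before passing the
  * content on to the generic insertCertificate()-function
  *
  * It will use the comment provided via Post, so a mixture of FILE and
  * POST is used here.
  *
  * Validation consists of parsing the upload with openssl_x509_read() and
  * re-exporting it with openssl_x509_export(): only content OpenSSL accepts
  * as an X.509 certificate reaches insertCertificate(), and it does so in
  * OpenSSL's normalised PEM form rather than as the raw upload.
  *
  * @param String $comment The comment associated with the certificate
  * @return bool true if the certificate was inserted, false if the upload
  *              was unusable, did not parse as a certificate, or could not
  *              be exported
  */
 private function handleFileCertificate($comment)
 {
     $res = false;
     /* NOTE(review): FileUpload::testError('cert') is used here as "the
      * upload is usable"; its exact contract is not visible in this file */
     if (FileUpload::testError('cert')) {
         $cert = openssl_x509_read(FileUpload::getContent('cert'));
         /* openssl_x509_read() returns false for anything that is not a
          * parseable certificate; stop here instead of passing false on to
          * openssl_x509_export() (a warning on PHP 7, a TypeError on PHP 8) */
         if ($cert !== false && openssl_x509_export($cert, $certDump, true)) {
             /* $certDump, the PEM re-export, is what gets stored; the raw
              * upload and the certificate handle are not used further */
             $res = $this->insertCertificate($certDump, $comment);
         }
     }
     return $res;
 }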
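 /**
  * Test whether the CSR in $content contains a public key that is
  * blacklisted (due to the Debian prime number generator flaw).
  *
  * The CSR is handed to openssl-vulnkey on its standard input through
  * proc_open(); no part of $content is ever placed on a shell command line,
  * so no quoting or sanitizing of the content is needed for that purpose.
  * (Sanitizing an already shell-escaped string, as was done before, risks
  * stripping the quotes the escaping added.)
  *
  * The decision is fail-closed: only an answer starting with
  * "not blacklisted" lets the CSR through. "COMPROMISED", a tool that cannot
  * be started, and any empty or unrecognised output (for example when
  * openssl-vulnkey is not installed) all raise an exception, matching the
  * policy already stated for the start-up failure.
  *
  * @param $content String containing CSR to be tested
  * @throws ConfusaGenException if key is blacklisted, or if the blacklist
  *         could not be consulted
  */
 static function testBlacklist($content)
 {
     /* the command string is constant; the CSR travels via stdin */
     $descriptors = array(
         0 => array('pipe', 'r'),
         1 => array('pipe', 'w'),
         2 => array('pipe', 'w'),
     );
     $pipes = array();
     $proc = proc_open('openssl-vulnkey -', $descriptors, $pipes);
     if (!is_resource($proc)) {
         Logger::log_event(LOG_ALERT, __CLASS__ . "::testBlacklist()", " Could not open process file-pointer in order to test for blacklisted CSR!");
         /* if we cannot open openssl-vulnkey, we must assume that all uploaded
          * keys are blacklisted */
         /* FIXME: add l10n */
         throw new ConfusaGenException("Could not verify CSR against blacklist!");
     }
     fwrite($pipes[0], (string) $content);
     fclose($pipes[0]);
     /* read the whole answer rather than a fixed 1024 bytes; stderr is
      * drained too so the child can never block on a full pipe and so the
      * diagnostic below can include it */
     $res = (string) stream_get_contents($pipes[1]);
     fclose($pipes[1]);
     $err = (string) stream_get_contents($pipes[2]);
     fclose($pipes[2]);
     proc_close($proc);

     /* stripos(...) === 0 means "starts with", case-insensitively */
     if (stripos($res, "not blacklisted") === 0) {
         return;
     }
     if (stripos($res, "COMPROMISED") === 0) {
         throw new ConfusaGenException("Key is blacklisted!");
     }
     /* anything else (tool missing from PATH, unparsable input, changed
      * output format) means the blacklist was not actually consulted:
      * log it and refuse the key instead of silently accepting it */
     Logger::log_event(LOG_WARNING, __CLASS__ . "::testBlacklist()", " Unknown return ({$res}) value from shell (stderr: {$err})");
     throw new ConfusaGenException("Could not verify CSR against blacklist!");
 }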