/**
 * Format a certificate's serial number as colon-separated upper-case hex bytes.
 *
 * The certificate is parsed with openssl_x509_parse(); its 'serialNumber'
 * field is converted to hex by bcdechex(), split into two-character groups and
 * joined with ":".
 *
 * NOTE(review): bcdechex() works on a decimal string. Some PHP/OpenSSL builds
 * are believed to return large serials as a "0x"-prefixed hex string here -
 * confirm against the target runtime before relying on the output.
 *
 * @param mixed $raw_cert_data Certificate in any form openssl_x509_parse() accepts.
 * @return string|null Formatted serial, or null when no serial number is available.
 */
function cert_serial($raw_cert_data)
{
    $parsed = openssl_x509_parse($raw_cert_data);
    if (!isset($parsed['serialNumber'])) {
        return;
    }
    $hex_pairs = str_split(strtoupper(bcdechex($parsed['serialNumber'])), 2);
    // Every group is escaped before joining, so the result can be dropped into HTML as-is.
    return implode(":", array_map('htmlspecialchars', $hex_pairs));
}
     } else {
         $fixed_diff = floatval($hash_rate * $CheckShareData * 4);
     }
     $fixed_diff = $fixed_diff * $miner_diff;
     $fixed_diff = new Math_BigInteger($fixed_diff);
     $current .= "\nFixed diff value:" . $fixed_diff;
 } else {
     die('You need to specify your hashrate!');
 }
 // Derive the share target from the difficulty: target = floor(2^256 / difficulty),
 // rendered as hex text.
 $a256 = new Math_BigInteger('115792089237316195423570985008687907853269984665640564039457584007913129639936');
 //2^256
 //Convert diff decimal to hex 256bit
 $new_block_diff = new Math_BigInteger($fixed_diff);
 list($quotient, $remainder) = $a256->divide($new_block_diff);
 $target_diff = $quotient->toString();
 $target_diff = bcdechex($target_diff);
 $currentLenght = strlen($target_diff);
 $desiredLenght = 64;
 // Left-pad to 64 hex digits (256 bits).
 // NOTE(review): $fix is appended to without an initialisation in the visible code;
 // if it is not reset to '' earlier, stale zeros would be carried over - confirm.
 // NOTE(review): the '0x' prefix is only added inside this branch, so a value that
 // is already 64 digits long leaves here unprefixed - confirm that is intended.
 if ($currentLenght < $desiredLenght) {
     $toadd = $desiredLenght - $currentLenght;
     for ($i = 0; $i < $toadd; $i++) {
         $fix .= '0';
     }
     $target_diff = '0x' . $fix . $target_diff;
 }
 //Save Getwork for user to validate later with submit work
 // NOTE(review): the key is MD5 over the hash rate and payout address joined
 // without a separator. It is fully determined by those two values (which look
 // caller-supplied - confirm), so it is an identifier, not a secret: anyone who
 // knows both can recompute it, and different pairs can concatenate to the same
 // input. Do not rely on it to authenticate a later submit.
 $appKey = md5($hash_rate . $payout_addr);
 $current .= "\nAPPKEY:" . $appKey;
 // $block_number is read as hex and advanced by one.
 $block_number = hexdec($block_number) + 1;
 // Work record for this key; the cache write below is commented out, so nothing
 // is stored by the visible code.
 $dataWrite = array($payout_addr, $target_diff, $fixed_diff, $last_block_diff, $targetBlockResult[0], $targetBlockResult[2], $block_number, $targetBlockResult[1]);
 //$m->set($appKey,$dataWrite,120);
while ($row = mysqli_fetch_row($existResult)) {
    $payer_adr = $row[0];
    echo "\n-------------------------------------------";
    echo "\n" . $payer_adr;
    echo "\nBalance: " . sprintf('%f', $row[1]) . " wei";
    echo "\nBalance: " . sprintf('%f', $row[1] / $ether_wei) . " ether";
    $current .= "\n-------------------------------------------";
    $current .= "\n" . $payer_adr;
    $current .= "\nBalance: " . sprintf('%f', $row[1]) . " wei";
    $current .= "\nBalance: " . sprintf('%f', $row[1] / $ether_wei) . " ether";
    if ($row[1] / $ether_wei >= 0.5) {
        $escapeDot = explode('.', sprintf('%f', $row[1]));
        $balancetopay = new Math_BigInteger($escapeDot[0]);
        $free2pay = new Math_BigInteger($gasprice);
        $resultPayment = $balancetopay->subtract($free2pay);
        $validBigHex = bcdechex($resultPayment->toString());
        echo "HexReverse:\n\n" . sprintf('%f', hexdec($validBigHex));
        $current .= "HexReverse:\n\n" . sprintf('%f', hexdec($validBigHex));
        $sendValue = '0x' . $validBigHex;
        $transactionState = 0;
        $transaction = array("from" => $coinbase, "to" => $payer_adr, "value" => $sendValue);
        $data = array("jsonrpc" => "2.0", "method" => "eth_sendTransaction", "params" => [$transaction], "id" => 1);
        $data_string = json_encode($data);
        $ch1 = curl_init('http://127.0.0.1:8983');
        curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST");
        curl_setopt($ch1, CURLOPT_POSTFIELDS, $data_string);
        curl_setopt($ch1, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch1, CURLOPT_HTTPHEADER, array('Content-Type: application/json', 'Content-Length: ' . strlen($data_string)));
        $result3 = curl_exec($ch1);
        $block_info_last = json_decode($result3, true);
        $txid = $block_info_last['result'];
Exemple #4
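/**
 * Check a certificate against every HTTP(S) CRL named in its
 * crlDistributionPoints extension.
 *
 * Each CRL is downloaded to a private temporary file, decoded with the
 * `openssl crl` command line tool and searched for the certificate's serial
 * number.
 *
 * The distribution-point URIs come from the certificate itself and must be
 * treated as untrusted input: only http/https is allowed (also on redirects),
 * redirects are capped, and TLS verification is left at curl's secure
 * defaults. This does not stop a URI from pointing at an internal host; a
 * deployment that accepts arbitrary certificates should add egress filtering.
 *
 * NOTE(review): neither the CRL's signature, its issuer, nor its nextUpdate
 * freshness is verified here, so "ok" only means "serial not listed in the
 * document that was fetched".
 *
 * @param mixed $raw_cert_data Certificate in any form openssl_x509_parse() accepts.
 * @return array One entry per fetched CRL, keyed from 1, holding "crl_uri",
 *               "status" ("ok", "revoked" or "invalid") and, depending on the
 *               outcome, "error", "revoked_on", "crl_last_update" and
 *               "crl_next_update". Empty when the certificate names no CRL.
 */
function crl_verify_json($raw_cert_data)
{
    global $timeout;
    $result = [];
    $cert_data = openssl_x509_parse($raw_cert_data);
    if (!is_array($cert_data) || !isset($cert_data['serialNumber']) || !isset($cert_data['extensions']['crlDistributionPoints'])) {
        return $result;
    }

    // Serial numbers are compared without leading zeros: bcdechex() emits none,
    // while openssl prints serials as whole bytes, so an odd number of hex
    // digits would otherwise never match and a revoked certificate would be
    // reported as "ok".
    $normalise_serial = function ($hex) {
        $hex = ltrim(strtoupper($hex), '0');
        return $hex === '' ? '0' : $hex;
    };
    $cert_serial_nm = $normalise_serial(bcdechex($cert_data['serialNumber']));

    // Pull every "URI:" value out of the textual extension dump.
    $crl_uris = [];
    foreach (explode("\nFull Name:\n ", $cert_data['extensions']['crlDistributionPoints']) as $chunk) {
        $pieces = explode("URI:", $chunk);
        if (isset($pieces[1])) {
            $crl_uris[] = preg_replace('/\\s+/', '', $pieces[1]);
        }
    }

    foreach ($crl_uris as $key => $uri) {
        $crl_no = $key + 1;
        if (!preg_match('#^https?://#i', $uri)) {
            continue;
        }
        $result[$crl_no]["crl_uri"] = $uri;

        // tempnam() creates an unpredictable, owner-only file instead of a
        // guessable name under /tmp.
        $crl_file = tempnam(sys_get_temp_dir(), 'crl');
        $fp = $crl_file === false ? false : fopen($crl_file, 'w+');
        if ($fp === false) {
            if ($crl_file !== false) {
                unlink($crl_file);
            }
            $result[$crl_no]["error"] = "crl could not be retreived";
            $result[$crl_no]["status"] = "invalid";
            continue;
        }

        $ch = curl_init($uri);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_FILE, $fp);
        curl_setopt($ch, CURLOPT_FAILONERROR, true);
        curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
        // Keep the request, and anything it is redirected to, on http/https.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        // Peer and host verification are deliberately NOT switched off: the CRL
        // signature is not checked below, so for https URIs the transport is
        // the only integrity protection the download has.
        if (curl_exec($ch) === false) {
            $result[$crl_no]["error"] = 'Curl error: ' . htmlspecialchars(curl_error($ch));
        }
        curl_close($ch);
        // Flush and close before anything else reads the file.
        fclose($fp);

        clearstatcache(true, $crl_file);
        if (filesize($crl_file) < 10) {
            $result[$crl_no]["error"] = "crl could not be retreived";
        }

        // The path is passed as one quoted shell argument.
        $crl_arg = escapeshellarg($crl_file);
        $crl_text = (string) shell_exec("openssl crl -noout -text -inform der -in " . $crl_arg . " 2>&1");
        $last_update_parts = explode("=", (string) shell_exec("openssl crl -noout -lastupdate -inform der -in " . $crl_arg));
        $next_update_parts = explode("=", (string) shell_exec("openssl crl -noout -nextupdate -inform der -in " . $crl_arg));
        unlink($crl_file);
        $crl_last_update = isset($last_update_parts[1]) ? $last_update_parts[1] : null;
        $crl_next_update = isset($next_update_parts[1]) ? $next_update_parts[1] : null;

        // Fail closed: a CRL that was not retrieved or could not be decoded must
        // never be reported as "ok".
        if (isset($result[$crl_no]["error"]) || $crl_text === '' || strpos($crl_text, "unable to load CRL") === 0 || $crl_last_update === null) {
            $result[$crl_no]["status"] = "invalid";
            continue;
        }

        // Map normalised serial => revocation date for every listed entry.
        $revcert = array();
        $sections = explode("Revoked Certificates:", $crl_text);
        if (isset($sections[1])) {
            foreach (explode("Serial Number:", $sections[1]) as $revoked_certificate) {
                $entry_lines = explode("\n", $revoked_certificate);
                $listed_serial = str_replace(" ", "", $entry_lines[0]);
                if ($listed_serial === '' || !isset($entry_lines[1])) {
                    continue;
                }
                $revcert[$normalise_serial($listed_serial)] = str_replace("        Revocation Date: ", "", $entry_lines[1]);
            }
        }

        if (array_key_exists($cert_serial_nm, $revcert)) {
            $result[$crl_no]["status"] = "revoked";
            $result[$crl_no]["revoked_on"] = $revcert[$cert_serial_nm];
        } else {
            $result[$crl_no]["status"] = "ok";
        }
        $result[$crl_no]["crl_last_update"] = $crl_last_update;
        $result[$crl_no]["crl_next_update"] = $crl_next_update;
    }
    return $result;
}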
Exemple #5
/**
 * Convert an arbitrarily large decimal number to lower-case hexadecimal.
 *
 * Uses BCMath so the value is not limited to the platform integer size. The
 * result has no "0x" prefix and no leading zeros; zero yields "0".
 *
 * @param string|int $dec Decimal number.
 * @return string Hexadecimal digits.
 */
function bcdechex($dec)
{
    $hex = '';
    do {
        // Peel off the lowest hex digit, then continue with the remaining quotient.
        $digit = bcmod($dec, 16);
        $hex = dechex($digit) . $hex;
        $dec = bcdiv(bcsub($dec, $digit), 16);
    } while ($dec != 0);
    return $hex;
}
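/**
 * Build the report for one certificate: parsed fields, validity-window flags,
 * validation type, issuer match, CRL and OCSP results, optional hostname
 * match, formatted serial number, key details and PEM exports. Every problem
 * found is also appended as text to $result['warning'].
 *
 * Values copied from the certificate or the request (host name, URIs, dates)
 * are stored raw; a consumer that renders the result as HTML has to escape them.
 *
 * @param mixed       $raw_cert_data      Certificate to inspect, in any form the openssl_* functions accept.
 * @param mixed|null  $raw_next_cert_data Issuer certificate; needed for the issuer and OCSP checks.
 * @param string|null $host               Host name to look for when $validate_hostname is true.
 * @param bool        $validate_hostname  Whether to run the host name check.
 * @return array The report described above.
 */
function cert_parse_json($raw_cert_data, $raw_next_cert_data = null, $host = null, $validate_hostname = false)
{
    global $ev_oids;
    $result = array();
    $now = time();
    $cert_data = openssl_x509_parse($raw_cert_data);
    if (!is_array($cert_data)) {
        // Unparseable input: keep going with an empty field set so that every
        // later lookup is caught by its isset() guard.
        $cert_data = array();
        $result['warning'][] = "Certificate could not be parsed.";
    }
    //cert
    // purposes: re-key the list by purpose name
    $purposes = array();
    if (isset($cert_data['purposes']) && is_array($cert_data['purposes'])) {
        foreach ($cert_data['purposes'] as $purpose) {
            $purposes[$purpose[2]]["ca"] = $purpose[1];
            $purposes[$purpose[2]]["general"] = $purpose[0];
        }
    }
    $cert_data['purposes'] = $purposes;
    $result["cert_data"] = $cert_data;
    // valid from
    // The validity window is compared as Unix timestamps. Comparing a "Y-m-d"
    // string with an RFC 2822 string is a text comparison and could never flag
    // a certificate whose start date lies in the future.
    if (!empty($cert_data['validFrom_time_t'])) {
        if ($now < $cert_data['validFrom_time_t']) {
            $result['cert_issued_in_future'] = true;
            $result['warning'][] = "Certificate issue date is in the future: " . date(DATE_RFC2822, $cert_data['validFrom_time_t']);
        } else {
            $result['cert_issued_in_future'] = false;
        }
    }
    if (!empty($cert_data['validTo_time_t'])) {
        // expired
        if ($now > $cert_data['validTo_time_t']) {
            $result['cert_expired'] = true;
            $result['warning'][] = "Certificate expired! Expiration date: " . date(DATE_RFC2822, $cert_data['validTo_time_t']);
        } else {
            $result['cert_expired'] = false;
        }
        // almost expired (2592000 s = 30 days, 86400 s = 1 day)
        $certExpiryDiff = $cert_data['validTo_time_t'] - $now;
        if ($certExpiryDiff < 2592000) {
            $result['cert_expires_in_less_than_thirty_days'] = true;
            if ($certExpiryDiff >= 0) {
                $result['warning'][] = "Certificate expires in " . round($certExpiryDiff / 86400) . " days!. Expiration date: " . date(DATE_RFC2822, $cert_data['validTo_time_t']);
            }
        } else {
            $result['cert_expires_in_less_than_thirty_days'] = false;
        }
    }
    // validation type: EV when the first policy OID is on the EV list
    $policy_oid = null;
    if (isset($cert_data['extensions']['certificatePolicies'])) {
        $policy_pieces = explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0]);
        if (isset($policy_pieces[1])) {
            $policy_oid = $policy_pieces[1];
        }
    }
    // in_array() instead of array_search(): a hit at index 0 is falsy and was
    // treated as "not found".
    if ($policy_oid !== null && is_array($ev_oids) && in_array($policy_oid, $ev_oids, true)) {
        $result["validation_type"] = "extended";
    } elseif (isset($cert_data['subject']['O'])) {
        $result["validation_type"] = "organization";
    } elseif (isset($cert_data['subject']['CN'])) {
        $result["validation_type"] = "domain";
    }
    // issuer
    if ($raw_next_cert_data) {
        if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data)) {
            $result["issuer_valid"] = true;
        } else {
            $result["issuer_valid"] = false;
            $result['warning'][] = "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong.";
        }
    }
    // crl
    if (isset($cert_data['extensions']['crlDistributionPoints'])) {
        $result["crl"] = crl_verify_json($raw_cert_data);
        if (is_array($result["crl"])) {
            foreach ($result["crl"] as $crl_entry) {
                if (isset($crl_entry["status"]) && $crl_entry["status"] == "revoked") {
                    $result['warning'][] = "Certificate revoked on CRL: " . $crl_entry['crl_uri'] . ". Revocation time: " . $crl_entry['revoked_on'] . ".";
                }
            }
        }
    } else {
        $result["crl"] = "No CRL URI found in certificate";
    }
    // ocsp
    $ocsp_uris = array();
    if (isset($cert_data['extensions']['authorityInfoAccess'])) {
        $ocsp_uris = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess']);
        // Element 0 is the text in front of the first OCSP entry.
        unset($ocsp_uris[0]);
    }
    // empty() rather than isset(): the array always exists, so an extension
    // without any OCSP entry used to leave $result["ocsp"] unset.
    if (empty($ocsp_uris)) {
        $result["ocsp"] = "No OCSP URI found in certificate";
    } elseif (!isset($raw_next_cert_data)) {
        $result["ocsp"] = "No issuer cert provided. Unable to send OCSP request.";
    } else {
        foreach ($ocsp_uris as $key => $ocsp_uri) {
            $ocsp_uri = explode("\n", $ocsp_uri)[0];
            $ocsp_uri = explode(" ", $ocsp_uri)[0];
            $ocsp_result = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri);
            $result["ocsp"][$key] = $ocsp_result;
            $ocsp_status = isset($ocsp_result["status"]) ? $ocsp_result["status"] : null;
            if ($ocsp_status == "revoked") {
                $result['warning'][] = "Certificate revoked on OCSP: " . $ocsp_result['ocsp_uri'] . ". Revocation time: " . $ocsp_result['revocation_time'] . ".";
            } elseif ($ocsp_status == "unknown") {
                $result['warning'][] = "OCSP error on: " . $ocsp_result['ocsp_uri'] . ".";
            }
        }
    }
    // hostname validation
    if ($validate_hostname == true) {
        $result["hostname_checked"] = $host;
        if (isset($cert_data['subject']['CN'])) {
            if (verify_certificate_hostname($raw_cert_data, $host)) {
                $result["hostname_in_san_or_cn"] = "true";
            } else {
                $result["hostname_in_san_or_cn"] = "false";
                $result['warning'][] = "Hostname " . $host . " not found in certificate.";
            }
        }
    } else {
        $result["hostname_in_san_or_cn"] = "n/a; ca signing certificate";
    }
    //serial number, as colon-separated upper-case hex bytes
    if (isset($cert_data['serialNumber'])) {
        $hex_pairs = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
        $result["serialNumber"] = implode(":", array_map('htmlspecialchars', $hex_pairs));
    }
    // key details
    $public_key = openssl_pkey_get_public($raw_cert_data);
    $key_details = $public_key !== false ? openssl_pkey_get_details($public_key) : false;
    if (!is_array($key_details)) {
        // No usable public key: report type "unknown" instead of failing.
        $key_details = array();
    }
    $export_pem = "";
    openssl_x509_export($raw_cert_data, $export_pem);
    $result["key"]["type"] = "unknown";
    foreach (array('rsa' => "rsa", 'dsa' => "dsa", 'dh' => "dh", 'ec' => "ecdsa") as $detail_key => $type_label) {
        if (isset($key_details[$detail_key])) {
            $result["key"]["type"] = $type_label;
            break;
        }
    }
    $result["key"]["bits"] = isset($key_details['bits']) ? $key_details['bits'] : null;
    if ($result["key"]["type"] === "rsa" && $result["key"]["bits"] < 2048) {
        $result['warning'][] = $result["key"]["bits"] . " bit RSA key is not safe. Upgrade to at least 4096 bits.";
    }
    // signature algorithm
    $result["key"]["signature_algorithm"] = cert_signature_algorithm($raw_cert_data);
    // Any SHA-1 based signature is flagged, not only the RSA variant.
    if (is_string($result["key"]["signature_algorithm"]) && stripos($result["key"]["signature_algorithm"], "sha1") !== false) {
        $result['warning'][] = "SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better.";
    }
    $result["key"]["certificate_pem"] = $export_pem;
    if (isset($key_details['key'])) {
        $result["key"]["public_key_pem"] = $key_details['key'];
        $result["key"]["spki_hash"] = spki_hash($export_pem);
    }
    return $result;
}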
Exemple #7
/**
 * Raise a hex-encoded value to the exponent 0x010001 modulo the key's modulus
 * and return the result as padded, upper-case hex.
 *
 * NOTE(review): 0x010001 (65537) is the customary RSA public exponent, so
 * despite the function name and the $private_key global this looks like the
 * public-key operation (for example opening a signature) - confirm with the
 * callers.
 * NOTE(review): this is the bare modular exponentiation. padstr() presumably
 * only pads the hex text; nothing visible here validates a padding scheme on
 * the recovered block, so callers must do that before trusting the value.
 *
 * @param string $input Hexadecimal input value.
 * @return string Upper-case hexadecimal result.
 */
function rsa_decrypt($input)
{
    global $private_key;
    $base = bchexdec($input);
    $n = bin2int($private_key["modulus"]);
    $e = bchexdec("010001");
    $hex = bcdechex(bcpowmod($base, $e, $n));
    return strtoupper(padstr($hex));
}
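/**
 * Build the report for one certificate: parsed fields, validity-window flags,
 * validation type, issuer match, CRL and OCSP results, optional hostname
 * match, formatted serial number, key details (including a lookup of RSA keys
 * in the weak Debian key blacklist) and PEM exports. Every problem found is
 * also appended as text to $result['warning'].
 *
 * Values copied from the certificate or the request (host name, URIs, dates)
 * are stored raw; a consumer that renders the result as HTML has to escape them.
 *
 * @param mixed       $raw_cert_data      Certificate to inspect, in any form the openssl_* functions accept.
 * @param mixed|null  $raw_next_cert_data Issuer certificate; needed for the issuer and OCSP checks.
 * @param string|null $host               Host name to look for when $validate_hostname is true.
 * @param bool        $validate_hostname  Whether to run the host name check.
 * @return array The report described above.
 */
function cert_parse_json($raw_cert_data, $raw_next_cert_data = null, $host = null, $validate_hostname = false)
{
    global $ev_oids;
    $result = array();
    $now = time();
    $cert_data = openssl_x509_parse($raw_cert_data);
    if (!is_array($cert_data)) {
        // Unparseable input: keep going with an empty field set so that every
        // later lookup is caught by its isset() guard.
        $cert_data = array();
        $result['warning'][] = "Certificate could not be parsed.";
    }
    //cert
    // purposes: re-key the list by purpose name
    $purposes = array();
    if (isset($cert_data['purposes']) && is_array($cert_data['purposes'])) {
        foreach ($cert_data['purposes'] as $purpose) {
            $purposes[$purpose[2]]["ca"] = $purpose[1];
            $purposes[$purpose[2]]["general"] = $purpose[0];
        }
    }
    $cert_data['purposes'] = $purposes;
    $result["cert_data"] = $cert_data;
    // valid from
    // The validity window is compared as Unix timestamps. Comparing a "Y-m-d"
    // string with an RFC 2822 string is a text comparison and could never flag
    // a certificate whose start date lies in the future.
    if (!empty($cert_data['validFrom_time_t'])) {
        if ($now < $cert_data['validFrom_time_t']) {
            $result['cert_issued_in_future'] = true;
            $result['warning'][] = "Certificate issue date is in the future: " . date(DATE_RFC2822, $cert_data['validFrom_time_t']);
        } else {
            $result['cert_issued_in_future'] = false;
        }
    }
    if (!empty($cert_data['validTo_time_t'])) {
        // expired
        if ($now > $cert_data['validTo_time_t']) {
            $result['cert_expired'] = true;
            $result['warning'][] = "Certificate expired! Expiration date: " . date(DATE_RFC2822, $cert_data['validTo_time_t']);
        } else {
            $result['cert_expired'] = false;
        }
        // almost expired (2592000 s = 30 days, 86400 s = 1 day)
        $certExpiryDiff = $cert_data['validTo_time_t'] - $now;
        if ($certExpiryDiff < 2592000) {
            $result['cert_expires_in_less_than_thirty_days'] = true;
            if ($certExpiryDiff >= 0) {
                $result['warning'][] = "Certificate expires in " . round($certExpiryDiff / 86400) . " days!. Expiration date: " . date(DATE_RFC2822, $cert_data['validTo_time_t']);
            }
        } else {
            $result['cert_expires_in_less_than_thirty_days'] = false;
        }
    }
    // validation type: EV when the first policy OID is on the EV list
    $policy_oid = null;
    if (isset($cert_data['extensions']['certificatePolicies'])) {
        $policy_pieces = explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0]);
        if (isset($policy_pieces[1])) {
            $policy_oid = $policy_pieces[1];
        }
    }
    // in_array() instead of array_search(): a hit at index 0 is falsy and was
    // treated as "not found".
    if ($policy_oid !== null && is_array($ev_oids) && in_array($policy_oid, $ev_oids, true)) {
        $result["validation_type"] = "extended";
    } elseif (isset($cert_data['subject']['O'])) {
        $result["validation_type"] = "organization";
    } elseif (isset($cert_data['subject']['CN'])) {
        $result["validation_type"] = "domain";
    }
    // issuer
    if ($raw_next_cert_data) {
        if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data)) {
            $result["issuer_valid"] = true;
        } else {
            $result["issuer_valid"] = false;
            $result['warning'][] = "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong.";
        }
    }
    // crl
    if (isset($cert_data['extensions']['crlDistributionPoints'])) {
        $result["crl"] = crl_verify_json($raw_cert_data);
        if (is_array($result["crl"])) {
            foreach ($result["crl"] as $crl_entry) {
                if (isset($crl_entry["status"]) && $crl_entry["status"] == "revoked") {
                    $result['warning'][] = "Certificate revoked on CRL: " . $crl_entry['crl_uri'] . ". Revocation time: " . $crl_entry['revoked_on'] . ".";
                }
            }
        }
    } else {
        $result["crl"] = "No CRL URI found in certificate";
    }
    // ocsp
    $ocsp_uris = array();
    if (isset($cert_data['extensions']['authorityInfoAccess'])) {
        $ocsp_uris = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess']);
        // Element 0 is the text in front of the first OCSP entry.
        unset($ocsp_uris[0]);
    }
    // empty() rather than isset(): the array always exists, so an extension
    // without any OCSP entry used to leave $result["ocsp"] unset.
    if (empty($ocsp_uris)) {
        $result["ocsp"] = "No OCSP URI found in certificate";
    } elseif (!isset($raw_next_cert_data)) {
        $result["ocsp"] = "No issuer cert provided. Unable to send OCSP request.";
    } else {
        foreach ($ocsp_uris as $key => $ocsp_uri) {
            $ocsp_uri = explode("\n", $ocsp_uri)[0];
            $ocsp_uri = explode(" ", $ocsp_uri)[0];
            $ocsp_result = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri);
            $result["ocsp"][$key] = $ocsp_result;
            $ocsp_status = isset($ocsp_result["status"]) ? $ocsp_result["status"] : null;
            if ($ocsp_status == "revoked") {
                $result['warning'][] = "Certificate revoked on OCSP: " . $ocsp_result['ocsp_uri'] . ". Revocation time: " . $ocsp_result['revocation_time'] . ".";
            } elseif ($ocsp_status == "unknown") {
                $result['warning'][] = "OCSP error on: " . $ocsp_result['ocsp_uri'] . ".";
            }
        }
    }
    // hostname validation
    if ($validate_hostname == true) {
        $result["hostname_checked"] = $host;
        if (isset($cert_data['subject']['CN'])) {
            if (verify_certificate_hostname($raw_cert_data, $host)) {
                $result["hostname_in_san_or_cn"] = "true";
            } else {
                $result["hostname_in_san_or_cn"] = "false";
                $result['warning'][] = "Hostname " . $host . " not found in certificate.";
            }
        }
    } else {
        $result["hostname_in_san_or_cn"] = "n/a; ca signing certificate";
    }
    //serial number, as colon-separated upper-case hex bytes
    if (isset($cert_data['serialNumber'])) {
        $hex_pairs = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
        $result["serialNumber"] = implode(":", array_map('htmlspecialchars', $hex_pairs));
    }
    // key details
    $public_key = openssl_pkey_get_public($raw_cert_data);
    $key_details = $public_key !== false ? openssl_pkey_get_details($public_key) : false;
    if (!is_array($key_details)) {
        // No usable public key: report type "unknown" instead of failing.
        $key_details = array();
    }
    $export_pem = "";
    openssl_x509_export($raw_cert_data, $export_pem);
    $result["key"]["type"] = "unknown";
    foreach (array('rsa' => "rsa", 'dsa' => "dsa", 'dh' => "dh", 'ec' => "ecdsa") as $detail_key => $type_label) {
        if (isset($key_details[$detail_key])) {
            $result["key"]["type"] = $type_label;
            break;
        }
    }
    $result["key"]["bits"] = isset($key_details['bits']) ? $key_details['bits'] : null;
    if ($result["key"]["type"] === "rsa") {
        if ($result["key"]["bits"] < 2048) {
            $result['warning'][] = $result["key"]["bits"] . " bit RSA key is not safe. Upgrade to at least 4096 bits.";
        }
        // weak debian key check
        # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
        # create the blacklist:
        # https://packages.debian.org/source/squeeze/openssl-blacklist
        # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
        # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
        # sort -u unsorted_blacklist.db > debian_blacklist.db
        # NOTE(review): the upstream .db files are believed to hold only the last
        # 20 hex characters of each SHA-1. If debian_blacklist.db is in that
        # format, the full 40-character digest searched for below can never
        # match and weak keys go unreported - confirm the file format.
        if (isset($key_details['rsa']['n'])) {
            $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($key_details['rsa']['n'])) . "\n");
            $key_in_blacklist = false;
            $blacklist_file = fopen('inc/debian_blacklist.db', 'r');
            // A failed fopen() must not reach the read loop: fgets() on a
            // non-resource does not return false on every PHP version, so the
            // loop would not be guaranteed to end.
            if ($blacklist_file !== false) {
                while (($buffer = fgets($blacklist_file)) !== false) {
                    if (strpos($buffer, $mod_sha1sum) !== false) {
                        $key_in_blacklist = true;
                        break;
                    }
                }
                fclose($blacklist_file);
            }
            if ($key_in_blacklist == true) {
                $result["key"]["weak_debian_rsa_key"] = "true";
                $result['warning'][] = "Weak Debian key found. Remove this key right now and create a new one.";
            }
        }
    }
    // signature algorithm
    $result["key"]["signature_algorithm"] = cert_signature_algorithm($raw_cert_data);
    // Any SHA-1 based signature is flagged, not only the RSA variant.
    if (is_string($result["key"]["signature_algorithm"]) && stripos($result["key"]["signature_algorithm"], "sha1") !== false) {
        $result['warning'][] = "SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better.";
    }
    $result["key"]["certificate_pem"] = $export_pem;
    if (isset($key_details['key'])) {
        $result["key"]["public_key_pem"] = $key_details['key'];
        $result["key"]["spki_hash"] = spki_hash($export_pem);
    }
    return $result;
}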
Exemple #9
/**
 * Apply a two-argument callable to two hexadecimal operands and return the
 * result as hexadecimal.
 *
 * Both operands are converted to decimal with bchexdec(), handed to
 * $operation, and the value it returns is converted back with bcdechex().
 *
 * NOTE(review): $operation is invoked exactly as given. Callers should pass a
 * fixed, known function name (presumably one of the bc* arithmetic functions)
 * and never a value taken from request data.
 *
 * @param callable $operation Function taking two decimal operands.
 * @param string   $x         First operand, hexadecimal.
 * @param string   $y         Second operand, hexadecimal.
 * @return string Result in hexadecimal.
 */
function bcashex($operation, $x, $y)
{
    $left = bchexdec($x);
    $right = bchexdec($y);
    $decimal = $operation($left, $right);
    return bcdechex($decimal);
}
/**
 * Compute an identifying hash for an SSL certificate.
 *
 * The hash is the MD5 of: the serial number in hex, then the issuer's and the
 * subject's C, ST, O, OU, CN and emailAddress fields (each only if present),
 * then the validity end timestamp, all concatenated without separators. When
 * the certificate has no end date the current time is used instead.
 *
 * NOTE(review): the value covers descriptive fields only, not the public key
 * or the signature, and it is built with MD5 over an unseparated
 * concatenation. Treat it as a lookup key for a certificate that was already
 * verified elsewhere, not as proof of identity - confirm how callers use it.
 * NOTE(review): in PKCS12 mode the bundle is opened with an empty password and
 * the result of openssl_pkcs12_read() is not checked.
 *
 * @param string $cert String containing the certificate data.
 * @param boolean $pkcs12 Set this variable to true if the certificate is in PKCS12 format.
 * @return array containing the hash code and the validity end date formatted with K_TIMESTAMP_FORMAT.
 * @author Nicola Asuni
 * @since 2013-07-01
 */
function F_getSSLCertificateHash($cert, $pkcs12 = false)
{
    if ($pkcs12) {
        // Take the certificate out of the PKCS12 bundle first.
        $certs = array();
        openssl_pkcs12_read($cert, $certs, '');
        $cert = $certs['cert'];
    }
    $ssldata = openssl_x509_parse($cert);
    $sslhash = isset($ssldata['serialNumber']) ? bcdechex($ssldata['serialNumber']) : '';
    // Issuer fields first, then subject fields, each in this fixed order.
    $name_fields = array('C', 'ST', 'O', 'OU', 'CN', 'emailAddress');
    foreach (array('issuer', 'subject') as $section) {
        foreach ($name_fields as $field) {
            if (isset($ssldata[$section][$field])) {
                $sslhash .= $ssldata[$section][$field];
            }
        }
    }
    $endtime = isset($ssldata['validTo_time_t']) ? $ssldata['validTo_time_t'] : time();
    $sslhash .= $endtime;
    return array(md5($sslhash), date(K_TIMESTAMP_FORMAT, $endtime));
}
        return strrev($hex);
    }
    for ($i = 0; $isset($hex[$i]); $i++) {
        $hex[$i] = dechex(15 - hexdec($hex[$i]));
    }
    for ($i = 0; isset($hex[$i]) && $hex[$i] == 'f'; $i++) {
        $hex[$i] = '0';
    }
    if (isset($hex[$i])) {
        $hex[$i] = dechex(hexdec($hex[$i]) + 1);
    }
    return strrev($hex);
}
/**
 * Expand a compact 32-bit value into a big decimal number.
 *
 * The top byte is a size in bytes and the low 24 bits are the mantissa; the
 * result is mantissa * 2^(8 * (size - 3)), computed with BCMath.
 *
 * @param int $c Compact value.
 * @return string Expanded value as a decimal string.
 */
function uint256_from_compact($c)
{
    $size = ($c >> 24) & 0xff;
    $mantissa = $c & 0xffffff;
    $scale = bcpow(2, 8 * ($size - 3));
    return bcmul($mantissa, $scale);
}
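// Wait until "blockdata" can be read and holds at least two non-empty lines.
// usleep() is used because sleep() takes whole seconds: sleep(0.1) is cut
// down to sleep(0) and turns the wait into a busy loop.
$data = false;
while (!is_array($data) || count($data) < 2) {
    $data = file("blockdata", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if (!is_array($data) || count($data) < 2) {
        usleep(100000);
    }
}
// Drop the final line and work on the one before it.
array_pop($data);
$last = array_pop($data);
// The value of interest is the fourth space-separated field of that line.
strtok($last, " ");
strtok(" ");
strtok(" ");
$data = strtok(" ");
if ($data === false) {
    // Fewer than four fields: stop instead of converting a bogus value.
    fwrite(STDERR, "blockdata: unexpected line format\n");
    exit(1);
}
// NOTE(review): uint256_from_compact() applies integer bit operations, so this
// field is assumed to be a decimal integer - confirm the file format.
echo "0x" . bcdechex(uint256_from_compact($data));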
Exemple #12
 /**
  * Map a hex hash to a location string that is left-padded to 32 hex digits.
  *
  * The hash is read as a big number; the number shifted right by 128 bits is
  * XORed with the number ANDed with $this->bits128 (presumably a 128-bit
  * mask - confirm), and the result is rendered as hex.
  *
  * @param string $hash Hash in hexadecimal.
  * @return string Location as produced by leftPadHex() with a width of 32.
  */
 function hash2location($hash)
 {
     $number = bchexdec($hash);
     $shifted = bcrightshift($number, 128);
     $masked = bcand($number, $this->bits128);
     return $this->leftPadHex(bcdechex(bcxor($shifted, $masked)), 32);
 }
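/**
 * Build a report array for one X.509 certificate.
 *
 * The report contains the parsed certificate ("cert_data"), validity flags,
 * the validation type, issuer / CRL / OCSP results, hostname matching, the
 * formatted serial number, fingerprints ("hash"), an optional TLSA lookup
 * ("tlsa"), key details ("key") and a list of human-readable "warning" strings.
 *
 * Side effects: writes the certificate PEM into the crt_hash/ directory,
 * reads inc/debian_blacklist.db, and runs `dig` through the shell when
 * $validate_hostname is set and a host is given.
 *
 * @param mixed       $raw_cert_data      Certificate as accepted by openssl_x509_parse().
 * @param mixed       $raw_next_cert_data Issuer certificate; enables the issuer and OCSP checks.
 * @param string|null $host               Hostname to match and to use in the TLSA lookup.
 *                                        Treated as untrusted input.
 * @param bool        $validate_hostname  When false the certificate is reported as a CA certificate.
 * @param string      $port               Port used to build the TLSA record name. Treated as untrusted input.
 * @param mixed       $include_chain      Truthy to add the reconstructed chain to the report.
 * @return array The report described above.
 */
function cert_parse_json($raw_cert_data, $raw_next_cert_data = null, $host = null, $validate_hostname = false, $port = "443", $include_chain = null)
{
    global $random_blurp; // declared by the original code; not read in this function
    global $ev_oids;
    global $timeout;
    $result = array();
    $cert_data = openssl_x509_parse($raw_cert_data);
    $now = time();
    $today = date("Y-m-d");
    //cert
    // openssl_x509_parse() returns false on failure, and isset() accepts false,
    // so test for an array instead.
    if (is_array($cert_data)) {
        // purposes: re-key the list by purpose name
        $purposes = array();
        if (isset($cert_data['purposes']) && is_array($cert_data['purposes'])) {
            foreach ($cert_data['purposes'] as $purpose) {
                $purposes[$purpose[2]]["ca"] = $purpose[1];
                $purposes[$purpose[2]]["general"] = $purpose[0];
            }
        }
        $cert_data['purposes'] = $purposes;
        $result["cert_data"] = $cert_data;
    } else {
        // Keep the array shape so the isset()/empty() checks below stay quiet.
        $cert_data = array();
    }
    // valid from
    // Compare timestamps. The former comparison of a "Y-m-d" string with an
    // RFC 2822 string was a plain string comparison and never flagged anything.
    if (!empty($cert_data['validFrom_time_t'])) {
        if ($cert_data['validFrom_time_t'] <= $now) {
            $result['cert_issued_in_future'] = false;
        } else {
            $result['cert_issued_in_future'] = true;
            $result['warning'][] = "Certificate issue date is in the future: " . date(DATE_RFC2822, $cert_data['validFrom_time_t']);
        }
    }
    // expired
    if (!empty($cert_data['validTo_time_t'])) {
        if ($cert_data['validTo_time_t'] > $now) {
            $result['cert_expired'] = false;
        } else {
            $result['cert_expired'] = true;
            $result['warning'][] = "Certificate expired! Expiration date: " . date(DATE_RFC2822, $cert_data['validTo_time_t']);
        }
    }
    // almost expired (less than 30 days left, counted from midnight today)
    if (!empty($cert_data['validTo_time_t'])) {
        $certExpiryDate = $cert_data['validTo_time_t'];
        $certExpiryDiff = $certExpiryDate - strtotime($today);
        if ($certExpiryDiff < 2592000) {
            $result['cert_expires_in_less_than_thirty_days'] = true;
            // 86400 seconds per day (the divisor used to be 84600).
            $result['warning'][] = "Certificate expires in " . round($certExpiryDiff / 86400) . " days!. Expiration date: " . date(DATE_RFC2822, $certExpiryDate);
        } else {
            $result['cert_expires_in_less_than_thirty_days'] = false;
        }
    }
    // validation type: the first policy OID decides between EV and the rest
    $policy_oid = null;
    if (isset($cert_data['extensions']['certificatePolicies'])) {
        $first_policy_line = explode("\n", $cert_data['extensions']['certificatePolicies'])[0];
        $policy_parts = explode("Policy: ", $first_policy_line);
        if (isset($policy_parts[1])) {
            $policy_oid = $policy_parts[1];
        }
    }
    // in_array() instead of array_search(): a match at key 0 is falsy and was
    // treated as "not EV".
    if ($policy_oid !== null && is_array($ev_oids) && in_array($policy_oid, $ev_oids, true)) {
        $result["validation_type"] = "extended";
    } elseif (isset($cert_data['subject']['O'])) {
        $result["validation_type"] = "organization";
    } elseif (isset($cert_data['subject']['CN'])) {
        $result["validation_type"] = "domain";
    }
    // issuer
    if ($raw_next_cert_data) {
        if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data)) {
            $result["issuer_valid"] = true;
        } else {
            $result["issuer_valid"] = false;
            $result['warning'][] = "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong.";
        }
    }
    // crl
    if (isset($cert_data['extensions']['crlDistributionPoints'])) {
        $result["crl"] = crl_verify_json($raw_cert_data);
        if (is_array($result["crl"])) {
            foreach ($result["crl"] as $key => $value) {
                if ($value["status"] == "revoked") {
                    $result['warning'][] = "Certificate revoked on CRL: " . $value['crl_uri'] . ". Revocation time: " . $value['revoked_on'] . ".";
                }
            }
        }
    } else {
        $result["crl"] = "No CRL URI found in certificate";
    }
    // ocsp
    if (isset($cert_data['extensions']['authorityInfoAccess'])) {
        $ocsp_uris = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess']);
        // Element 0 is the text before the first OCSP entry.
        unset($ocsp_uris[0]);
        // !empty() instead of isset(): the array always exists, so the
        // "no OCSP URI" branch could never run and "ocsp" stayed unset.
        if (!empty($ocsp_uris)) {
            if (isset($raw_next_cert_data)) {
                foreach ($ocsp_uris as $key => $ocsp_uri) {
                    $ocsp_uri = explode("\n", $ocsp_uri)[0];
                    $ocsp_uri = explode(" ", $ocsp_uri)[0];
                    $result["ocsp"]["{$key}"] = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri);
                    if ($result['ocsp'][$key]["status"] == "revoked") {
                        $result['warning'][] = "Certificate revoked on OCSP: " . $result['ocsp'][$key]['ocsp_uri'] . ". Revocation time: " . $result['ocsp'][$key]['revocation_time'] . ".";
                    } elseif ($result['ocsp'][$key]["status"] == "unknown") {
                        $result['warning'][] = "OCSP error on: " . $result['ocsp'][$key]['ocsp_uri'] . ".";
                    }
                }
            } else {
                $result["ocsp"] = "No issuer cert provided. Unable to send OCSP request.";
            }
        } else {
            $result["ocsp"] = "No OCSP URI found in certificate";
        }
    } else {
        $result["ocsp"] = "No OCSP URI found in certificate";
    }
    // hostname validation
    if ($validate_hostname == true) {
        $result["hostname_checked"] = $host;
        if (isset($cert_data['subject']['CN'])) {
            if (verify_certificate_hostname($raw_cert_data, $host)) {
                $result["hostname_in_san_or_cn"] = "true";
            } else {
                $result["hostname_in_san_or_cn"] = "false";
                $result['warning'][] = "Hostname " . $host . " not found in certificate.";
            }
        }
    } else {
        $result["hostname_in_san_or_cn"] = "n/a; ca signing certificate";
    }
    //serial number, as colon-separated upper-case hex pairs
    if (isset($cert_data['serialNumber'])) {
        $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
        $result["serialNumber"] = implode(":", array_map('htmlspecialchars', $sn));
    }
    // key details
    // openssl_pkey_get_public() returns false for an unusable certificate;
    // do not hand that on to openssl_pkey_get_details().
    $public_key = openssl_pkey_get_public($raw_cert_data);
    $key_details = $public_key !== false ? openssl_pkey_get_details($public_key) : false;
    if (!is_array($key_details)) {
        $key_details = array();
    }
    $export_pem = "";
    openssl_x509_export($raw_cert_data, $export_pem);
    // save pem. this because the reconstruct chain function works better
    // this way. not all certs have authorityinfoaccess. We first check if
    // we already have a matching cert.
    if (!is_dir('crt_hash')) {
        mkdir('crt_hash');
    }
    // filenames of saved certs are hashes of the asort full subject.
    // The name is a hex digest, so certificate content never reaches the path.
    $sort_subject = (isset($cert_data['subject']) && is_array($cert_data['subject'])) ? $cert_data['subject'] : array();
    asort($sort_subject);
    $name_full = "";
    foreach ($sort_subject as $key => $value) {
        $name_full = "/" . $key . "=" . $value . $name_full;
    }
    $crt_hash = hash("sha256", $name_full);
    $crt_hash_folder = "crt_hash/";
    $crt_hash_file = $crt_hash_folder . $crt_hash . ".pem";
    if (file_exists($crt_hash_file)) {
        if (time() - filemtime($crt_hash_file) > 5 * 86400) {
            // file older than 5 days. crt might have changed, retry.
            $content_hash = sha1_file($crt_hash_file);
            rename($crt_hash_file, $crt_hash_folder . $content_hash . "content_hash_save.pem");
            file_put_contents($crt_hash_file, $export_pem);
        }
    } else {
        file_put_contents($crt_hash_file, $export_pem);
    }
    // A stored file of only a few bytes is treated as corrupt and removed.
    if (file_exists($crt_hash_file) && filesize($crt_hash_file) < 10) {
        unlink($crt_hash_file);
    }
    //chain reconstruction
    if ($include_chain && $raw_cert_data) {
        $return_chain = array();
        $export_pem = "";
        openssl_x509_export($raw_cert_data, $export_pem);
        $crt_cn = isset($cert_data['name']) ? $cert_data['name'] : '';
        // NOTE(review): from here on $export_pem carries the "#start"/"#end"
        // marker lines, and that annotated text is what feeds the fingerprint,
        // certificate_pem and spki_hash steps below. Confirm that is intended.
        $export_pem = "#start " . $crt_cn . "\n" . $export_pem . "\n#end " . $crt_cn . "\n";
        array_push($return_chain, $export_pem);
        $issuer_crt = get_issuer_chain($raw_cert_data);
        if (isset($issuer_crt['certs']) && is_array($issuer_crt['certs']) && count($issuer_crt['certs']) >= 1) {
            foreach (array_unique($issuer_crt['certs']) as $issuer_pem) {
                array_push($return_chain, $issuer_pem);
            }
        }
        $return_chain = array_unique($return_chain);
        if (count($return_chain) > 1) {
            $result["correct_chain"]["cns"] = array();
            foreach ($return_chain as $retc_key => $retc_value) {
                $issuer_full = "";
                $subject_full = "";
                // Parse once; fall back to empty names if an entry does not parse.
                $chain_cert = openssl_x509_parse($retc_value);
                $sort_issuer = (is_array($chain_cert) && isset($chain_cert['issuer']) && is_array($chain_cert['issuer'])) ? $chain_cert['issuer'] : array();
                $sort_subject = (is_array($chain_cert) && isset($chain_cert['subject']) && is_array($chain_cert['subject'])) ? $chain_cert['subject'] : array();
                asort($sort_subject);
                foreach ($sort_subject as $sub_key => $sub_value) {
                    $subject_full = "/" . $sub_key . "=" . $sub_value . $subject_full;
                }
                asort($sort_issuer);
                foreach ($sort_issuer as $iss_key => $iss_value) {
                    $issuer_full = "/" . $iss_key . "=" . $iss_value . $issuer_full;
                }
                $chain_entry = array();
                $chain_entry['cn'] = $subject_full;
                $chain_entry['issuer'] = $issuer_full;
                array_push($result["correct_chain"]["cns"], $chain_entry);
            }
            $result["correct_chain"]["chain"] = $return_chain;
        }
    }
    //hashes: strip the PEM armour lines and newlines, re-wrap, then fingerprint
    $pem_body = preg_replace('/-----(.*)-----/', '', $export_pem);
    $export_pem_preg = preg_replace('/\\n/', '', $pem_body);
    $export_pem_preg = wordwrap($export_pem_preg, 77, "\n", TRUE);
    // md5 and sha1 are reported for reference only; they are not collision resistant.
    $result['hash']['md5'] = cert_hash('md5', $export_pem_preg);
    $result['hash']['sha1'] = cert_hash('sha1', $export_pem_preg);
    $result['hash']['sha256'] = cert_hash('sha256', $export_pem_preg);
    $result['hash']['sha384'] = cert_hash('sha384', $export_pem_preg);
    $result['hash']['sha512'] = cert_hash('sha512', $export_pem_preg);
    //TLSA check
    if (!empty($cert_data['subject']['CN']) && !empty($host)) {
        if ($validate_hostname == true) {
            // $host and $port come from the caller. escapeshellcmd() does not
            // quote a value as one argument, so the whole record name is passed
            // through escapeshellarg() and the timeout is forced to an integer.
            $timeout_secs = max(1, (int) $timeout);
            $tlsa_name = "_" . $port . "._tcp." . $host;
            $tlsa_record = shell_exec("timeout " . $timeout_secs . " dig +short +dnssec +time=" . $timeout_secs . " TLSA " . escapeshellarg($tlsa_name) . " 2>&1 | head -n 1");
            $tlsa = !empty($tlsa_record) ? explode(" ", $tlsa_record, 4) : array();
            // stderr is merged into the output, so only accept a line that has
            // the three numeric TLSA fields followed by the association data.
            if (count($tlsa) === 4 && ctype_digit($tlsa[0]) && ctype_digit($tlsa[1]) && ctype_digit($tlsa[2])) {
                $result['tlsa']['tlsa_hash'] = trim(strtolower(preg_replace('/ /', '', $tlsa[3])));
                $result['tlsa']['tlsa_usage'] = $tlsa[0];
                $result['tlsa']['tlsa_selector'] = $tlsa[1];
                $result['tlsa']['tlsa_matching_type'] = $tlsa[2];
                $result['tlsa']['error'] = 'none';
            } else {
                $result['tlsa']['error'] = 'No TLSA record found.';
                $result['tlsa']['example'] = '_' . htmlspecialchars($port) . '._tcp.' . htmlspecialchars($host) . ' IN TLSA 3 0 1 ' . $result['hash']['sha256'] . ';';
            }
        } else {
            $result['tlsa']['error'] = 'CA certificate, TLSA not applicable.';
        }
    }
    if (isset($key_details['rsa'])) {
        $result["key"]["type"] = "rsa";
        $result["key"]["bits"] = $key_details['bits'];
        if ($key_details['bits'] < 2048) {
            $result['warning'][] = $key_details['bits'] . " bit RSA key is not safe. Upgrade to at least 4096 bits.";
        }
        // weak debian key check
        $bin_modulus = $key_details['rsa']['n'];
        # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
        # create the blacklist:
        # https://packages.debian.org/source/squeeze/openssl-blacklist
        # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
        # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
        # sort -u unsorted_blacklist.db > debian_blacklist.db
        $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n");
        $key_in_blacklist = false;
        // Only read the blacklist when it is there; fgets() on a failed fopen() would fail.
        // NOTE(review): a missing blacklist silently skips this check.
        $blacklist_file = is_readable('inc/debian_blacklist.db') ? fopen('inc/debian_blacklist.db', 'r') : false;
        if ($blacklist_file !== false) {
            while (($buffer = fgets($blacklist_file)) !== false) {
                if (strpos($buffer, $mod_sha1sum) !== false) {
                    $key_in_blacklist = true;
                    break;
                }
            }
            fclose($blacklist_file);
        }
        if ($key_in_blacklist == true) {
            $result["key"]["weak_debian_rsa_key"] = "true";
            $result['warning'][] = "Weak debian key found. Remove this key right now and create a new one.";
        }
    } else {
        if (isset($key_details['dsa'])) {
            $result["key"]["type"] = "dsa";
        } elseif (isset($key_details['dh'])) {
            $result["key"]["type"] = "dh";
        } elseif (isset($key_details['ec'])) {
            $result["key"]["type"] = "ecdsa";
        } else {
            $result["key"]["type"] = "unknown";
        }
        $result["key"]["bits"] = isset($key_details['bits']) ? $key_details['bits'] : null;
    }
    // signature algorithm
    $result["key"]["signature_algorithm"] = cert_signature_algorithm($raw_cert_data);
    if ($result["key"]["signature_algorithm"] == "sha1WithRSAEncryption") {
        $result['warning'][] = "SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better.";
    }
    if (isset($export_pem)) {
        $result["key"]["certificate_pem"] = $export_pem;
    }
    if (isset($key_details['key'])) {
        $result["key"]["public_key_pem"] = $key_details['key'];
        $result["key"]["spki_hash"] = spki_hash($export_pem);
    }
    return $result;
}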