public function pre_process($person) { parent::pre_process($person); $this->tpl->assign('extraScripts', array('js/jquery-1.6.1.min.js')); $this->tpl->assign('rawScript', file_get_contents('../include/rawToggleExpand.js')); if (isset($_GET['status_poll'])) { $order_number = Input::sanitizeCertKey($_GET['status_poll']); /* assign the order_number again */ $this->tpl->assign('order_number', $order_number); $this->tpl->assign('status_poll', true); $anticsrf = "anticsrf=" . Input::sanitizeAntiCSRFToken($_GET['anticsrf']); $this->tpl->assign('ganticsrf', $anticsrf); if ($this->ca->pollCertStatus($order_number)) { /* redirect to certificate download area */ CS::setSessionKey("browserCert", $order_number); header("Location: download_certificate.php"); } } /* when the key has been generated in the browser and the * resulting CSR has been uploaded to the server, we end up * here. */ if (isset($_POST['browserRequest'])) { $ua = Output::getUserAgent(); switch ($ua) { case "opera": case "safari": case "mozilla": case "chrome": $csr = new CSR_SPKAC(trim(Input::sanitizeBase64($_POST['browserRequest']))); break; case "msie_pre_vista": case "msie_post_vista": $csrContent = CSR::$PEM_PREFIX . "\n" . trim(Input::sanitizeBase64($_POST['browserRequest'])) . "\n" . CSR::$PEM_SUFFIX; $csr = new CSR_PKCS10($csrContent); break; } if (!empty($csr) && $csr->isValid()) { try { $order_number = $this->signCSR($csr); $this->tpl->assign('order_number', $order_number); } catch (KeySignException $kse) { Framework::error_output($this->translateTag('l10n_sign_error', 'processcsr') . "<br /><br />" . $kse->getMessage()); Logger::logEvent(LOG_WARNING, "CP_Browser_CSR", "pre_process()", "Could not sign CSR because of " . $kse->getMessage() . " User: "******"CP_Browser_CSR", "pre_process()", "Received browser-CSR that could not be parsed!" . " User: " . $this->person->getEPPN(), __LINE__); } } }
/** * Process a request to this endpoint. Usually those requests are about * requesting, downloading and listing certificates * * The API is mostly easy for the caller, detecting what the caller meant * on our side is unfortunately not so easy. So what the function does * * 1.) Does the request generate a POST? If so and if it includes POST['csr'] * ship the CSR to signing * 2.) Does the path to script have suffix parameters? If so, the first * suffix parameter is the auth-key/order-number of the certificate * which should be returned * 3.) If there is no suffix, list all the available certificates of the * authN user */ public function processRequest() { if (!$this->person->isAuth()) { $this->errorAuth(); } /* ship the CSR to signing */ if (isset($_POST['request'])) { $this->processSigningRequest(Input::sanitizeBase64($_POST['request'])); } $path = $_SERVER['PATH_INFO']; $path = trim($path, "/"); if (strlen($path) > 0) { $this->parameters = explode("/", $path); } if (count($this->parameters) >= 1) { $this->processDownloadSingle(); } $this->processListCerts(); }
/** * handleFileCertificate() Insert new RI-cert from FILE-upload * * This function is called whenever a certificate is uploaded via the * FILE-interface. Simple validation is performed before passing the * content on to the generic insertCertificate()-function * * It will use the comment provided via Post, so a mixture of FILE and * POST is used here. * * @param String $comment The comment associated with the certificate * @param Bolean $res indication if the certificate was uploaded successfully */ private function handleFileCertificate($comment) { $res = false; if (FileUpload::testError('cert')) { $cert = openssl_x509_read(FileUpload::getContent('cert')); if (openssl_x509_export($cert, $certDump, true)) { $cert = Input::sanitizeBase64($cert); $res = $this->insertCertificate($certDump, $comment); } } return $res; }
/** * Test whether the CSR in $content contains a public key that is * blacklisted (due to the Debian prime number generator flaw). * * If the key is blacklisted, this method will throw an exception * @param $content String containing CSR to be tested * @throws ConfusaGenException if key is blacklisted */ static function testBlacklist($content) { $shellContent = Input::sanitizeBase64(escapeshellarg($content)); $fp = popen("echo {$shellContent} | openssl-vulnkey -", "r"); if (!$fp) { Logger::log_event(LOG_ALERT, __CLASS__ . "::testBlacklist()", " Could not open process file-pointer in order to test for blacklisted CSR!"); /* if we cannot open openssl-vulnkey, we must assume that all uploaded * keys are blacklisted */ /* FIXME: add l10n */ throw new ConfusaGenException("Could not verify CSR against blacklist!"); } $res = fread($fp, 1024); fclose($fp); if (stripos($res, "not blacklisted", 0) === 0) { return; } else { if (stripos($res, "COMPROMISED", 0) === 0) { throw new ConfusaGenException("Key is blacklisted!"); } } Logger::log_event(LOG_DEBUG, __CLASS__ . "::testBlacklist()", " Unknown return ({$res}) value from shell"); }