switch ($stage) { case 'goaway': printHeader(false); ?> <p><div style="text-align:center"><h2 style="color:red">YOU ARE A VERY BAD BOY!</h2></div> <?php break; case 'display': printHeader(false); ?> <div style="text-align:center"><h2>Certificate Details</h2></div> <div style="text-align:center"><h3 style="color:#0000AA">(#<?php echo $serial; ?> )<br><?php echo htvar(CA_cert_cname($serial) . ' <' . CA_cert_email($serial) . '>'); ?> </h3></div> <?php if ($revoke_date = CAdb_is_revoked($serial)) { print '<div style="text-align:center"><h2 style="color:red">REVOKED ' . $revoke_date . '</h2></div>'; } print '<pre>' . CA_cert_text($serial) . '</pre>'; # Added htvar() to sanitize against htmlentities break; case 'dl-confirm': printHeader('ca'); $rec = CAdb_get_entry($serial); ?> <h3>You are about to download the <font color="red">PRIVATE</font> certificate key for <?php echo htvar($rec['common_name']) . ' <' . htvar($rec['email']) . '> ';
function CA_renew_cert($old_serial, $expiry, $passwd) { global $config; # Don't renew a revoked certificate if a valid one exists for this # URL. Find and renew the valid certificate instead. if (CAdb_is_revoked($old_serial)) { $ret = CAdb_in(CA_cert_email($old_serial), CA_cert_cname($old_serial)); if ($ret && $old_serial != $ret) { $old_serial = $ret; } } # Valid certificates must be revoked prior to renewal. if (CAdb_is_valid($old_serial)) { $ret = CA_revoke_cert($old_serial); if (!$ret[0]) { return $ret; } } $cert_type = CA_cert_type($old_serial); $extensions = $cert_type . '_ext'; # Get common_name from old certificate for use as the # "friendly name" of PKCS12 certificate. $rec = CAdb_get_entry($old_serial); $country = $rec['country']; $province = $rec['province']; $locality = $rec['locality']; $organization = $rec['organization']; $unit = $rec['unit']; $common_name = $rec['common_name']; $email = $rec['email']; # Wait here if another user has the database locked. $fd = fopen($config['index'], "a"); flock($fd, LOCK_EX); # Get the next available serial number $serial = trim(implode('', file($config['serial']))); $old_userkey = $config['private_dir'] . '/' . $old_serial . '-key.pem'; $old_userreq = $config['req_dir'] . '/' . $old_serial . '-req.pem'; $userkey = $config['private_dir'] . '/' . $serial . '-key.pem'; $userreq = $config['req_dir'] . '/' . $serial . '-req.pem'; $usercert = $config['new_certs_dir'] . '/' . $serial . '.pem'; $userder = $config['cert_dir'] . '/' . $serial . '.der'; $userpfx = $config['pfx_dir'] . '/' . $serial . '.pfx'; $expiry_days = round($expiry * 365.25, 0); $cmd_output = array(); $ret = 0; # Create a new certificate request by copying the old request. if (!file_exists($old_userreq) || !copy($old_userreq, $userreq)) { $cmd_output[] = 'Could not create new certificate request file.'; $ret = 1; } # Copy private key to new file. if ($ret == 0 && (!file_exists($old_userkey) || !copy($old_userkey, $userkey))) { $cmd_output[] = "Could not update private key file."; $ret = 1; } $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email); # "friendly name" of PKCS12 certificate. $friendly_name = escshellarg($rec['common_name']); # Escape dangerous characters in user input. $_passwd = escshellarg($passwd); # Sign the certificate request and create the certificate. if ($ret == 0) { unset($cmd_output); $cmd_output[] = "Signing the {$cert_type} certificate request."; exec(CA . " -config '{$cnf_file}' -in '{$userreq}' -out /dev/null -notext -days '{$expiry_days}' -passin pass:"******" -batch -extensions {$extensions} 2>&1", $cmd_output, $ret); } # Create DER format certificate if ($ret == 0) { unset($cmd_output); $cmd_output[] = "Creating DER format certificate."; exec(X509 . " -in '{$usercert}' -out '{$userder}' -inform PEM -outform DER 2>&1", $cmd_output, $ret); } # Create a PKCS12 certificate file for download to Windows if ($ret == 0) { unset($cmd_output); $cmd_output[] = "Creating PKCS12 format certificate."; if ($passwd) { $cmd_output[] = "infile: {$usercert} keyfile: {$userkey} outfile: {$userpfx} pass: {$_passwd}"; exec(PKCS12 . " -export -in '{$usercert}' -inkey '{$userkey}' -certfile " . $config['cacert_pem'] . " -caname " . $config['organization'] . " -out '{$userpfx}' -name {$friendly_name} -rand " . $config['random'] . " -passin pass:{$_passwd} -passout pass:{$_passwd} 2>&1", $cmd_output, $ret); } else { $cmd_output[] = "infile: {$usercert} keyfile: {$userkey} outfile: {$userpfx}"; #exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -passout pass: 2>&1", $cmd_output, $ret); exec(PKCS12 . " -export -in '{$usercert}' -inkey '{$userkey}' -certfile " . $config['cacert_pem'] . " -caname " . $config['organization'] . " -out '{$userpfx}' -name {$friendly_name} -nodes 2>&1", $cmd_output, $ret); } } #Unlock the CA database fclose($fd); #Remove temporary openssl config file. if (file_exists($cnf_file)) { unlink($cnf_file); } if ($ret == 0) { return array(true, $serial); } else { # Not successful, so clean up before exiting. CA_remove_cert($serial); if (eregi_array('/.*private key.*/', $cmd_output)) { $cmd_output[] = '<strong>This was likely caused by entering the wrong certificate password.</strong>'; } else { $cmd_output[] = '<strong>Click on the "Help" link above for information on how to report this problem.</strong>'; } return array(false, implode('<br>', $cmd_output)); } }
$show_revoked = gpvar('show_revoked'); $show_expired = gpvar('show_expired'); # Force stage back to search form if search string is empty. if ($stage == "search" && !$search) { $stage = ""; } # Force filter to (V)alid certs if no search status is selected. if (!($show_valid . $show_revoked . $show_expired)) { $show_valid = 'V'; } switch ($stage) { case display: printHeader('about'); print ' <center><h2>Certificate Details</h2></center> <center><font color=#0000AA><h3>(#' . htvar($serial) . ')<br>' . htvar(CA_cert_cname($serial) . ' <' . CA_cert_email($serial) . '>') . '</h3></font></center>'; if ($revoke_date = CAdb_is_revoked($serial)) { print '<center><font color=red><h2>REVOKED ' . htvar($revoke_date) . '</h2></font></center>'; } print '<pre>' . htvar(CA_cert_text($serial)) . '</pre>'; break; case 'download': $rec = CAdb_get_entry($serial); upload("{$config['cert_dir']}/{$serial}.der", "{$rec['common_name']} ({$rec['email']}).cer", 'application/pkix-cert'); break; case search: printHeader('public'); $db = CAdb_to_array("^[{$show_valid}{$show_revoked}{$show_expired}].*{$search}"); print '<body onLoad="self.focus();document.form.submit.focus()">'; if (sizeof($db) == 0) { ?>
$show_revoked = gpvar('show_revoked'); $show_expired = gpvar('show_expired'); # Force stage back to search form if search string is empty. if ($stage == "search" && !$search) { $stage = ""; } # Force filter to (V)alid certs if no search status is selected. if (!($show_valid . $show_revoked . $show_expired)) { $show_valid = 'V'; } switch ($stage) { case 'display': printHeader('about'); print ' <div style="text-align:center"><h2>Certificate Details</h2></div> <div style="text-align:center"><font color=#0000AA><h3>(#' . htvar($serial) . ')<br>' . htvar(CA_cert_cname($serial) . ' <' . CA_cert_email($serial) . '>') . '</h3></font></div>'; if ($revoke_date = CAdb_is_revoked($serial)) { print '<div style="text-align:center"><font color="red"><h2>REVOKED ' . htvar($revoke_date) . '</h2></font></div>'; } print '<pre>' . htvar(CA_cert_text($serial)) . '</pre>'; break; case 'download': $rec = CAdb_get_entry($serial); upload($config['cert_dir'] . "/{$serial}.der", $rec['common_name'] . " (" . $rec['email'] . ").cer", 'application/pkix-cert'); break; case 'search': printHeader('public'); $db = CAdb_to_array("^[{$show_valid}{$show_revoked}{$show_expired}].*{$search}"); print '<body onLoad="self.focus();document.form.submit.focus()">'; if (sizeof($db) == 0) { ?>