/**
* test_content - test a CSR for deficiencies
*
* This function is to be used when testing uploaded CSRs for flaws and errors.
* It will test for:
* - common text-patterns
* - that the key meets the required key-length
* - that it is a normal CSR (previous point will fail if it is a 'bogus' CSR
* - that the auth_url is derived from the supplied CSR
*/
function test_content($content, $auth_url)
{
$testres = true;
/* check for start */
$start = substr($content, 0, strlen("-----BEGIN CERTIFICATE REQUEST-----"));
$end = substr($content, -(strlen("-----END CERTIFICATE REQUEST-----") + 1), -1);
/* test start and ending of certificate */
if (strcmp("-----BEGIN CERTIFICATE REQUEST-----", $start) !== 0 && strcmp("-----END CERTIFICATE REQUEST-----", $end) !== 0) {
Framework::error_output("malformed CSR. Please upload a proper CSR to the system.");
return false;
}
/* test type. IGTF will soon change the charter to *not* issue DSA
* certificates */
if (get_algorithm($content) !== "rsa") {
Framework::error_output("Will only accept RSA keys!");
return false;
}
/*
* test length of pubkey
*/
$length = Config::get_config('min_key_length');
if (csr_pubkey_length($content) < $length) {
Framework::error_output("Uploaded key is not long enough. Please download a proper keyscript and try again.");
return false;
}
/*
* test CSR to blacklist. It is safe to call exec as we have tested the
* content of the CSR.
*/
$cmd = "echo \"{$content}\" | openssl-vulnkey -";
exec($cmd, $output, $return_val);
switch ($return_val) {
case 0:
/* key is not blacklisted */
break;
case 1:
Framework::error_output("Uploaded CSR is blacklisted!");
return false;
case 127:
Logger::log_event(LOG_ERR, __FILE__ . ":" . __LINE__ . " openssl-vulnkey not installed");
break;
default:
Logger::log_event(LOG_DEBUG, __FILE__ . ":" . __LINE__ . " Unknown return ({$return_val}) value from shell");
break;
}
/*
* test authenticity of auth_url
*/
$hash = pubkey_hash($content, true);
if (substr($hash, 0, ConfusaConstants::$AUTH_KEY_LENGTH) != $auth_url) {
Framework::error_output("Uploaded key ({$hash}) and auth_url ({$auth_url}) does not match");
return false;
}
return true;
}
/**
* Prepare the action
*/
function prepare_action()
{
global $_posted_params, $_action;
global $_display_algorithm_descriptions, $_display_algorithm_categories, $_display_image;
global $_algorithms, $_algorithm;
$_posted_params = get_posted_params();
$_action = get_action($_posted_params);
$_display_algorithm_descriptions = empty($_COOKIE['_aa_no_algorithm_description']);
$_display_algorithm_categories = empty($_COOKIE['_aa_no_algorithm_categories']);
$_display_image = empty($_COOKIE['_aa_no_image']);
$_algorithms = get_algorithms($_display_algorithm_descriptions);
$_algorithm = get_algorithm($_posted_params, $_algorithms);
}
