/**
 * Configure Crypt_GPG and register the encryption key and, optionally, the signing key.
 *
 * Runs the parent constructor, builds the option set through setOptions(),
 * creates the Crypt_GPG instance from $this->options and adds the keys.
 * $this->sign is switched on only when a signing key was supplied.
 *
 * @param string      $encryptKey        Key identifier, usually an e-mail address, may be a fingerprint
 * @param string|null $signKey           Key identifier for signing; when empty, nothing is signed
 * @param string|null $signKeyPassPhrase Passphrase for the signing key, if it needs one
 */
 public function __construct($encryptKey, $signKey = null, $signKeyPassPhrase = null)
 {
     parent::__construct();
     $this->setOptions();
     $this->gpg = new Crypt_GPG($this->options);
     $this->gpg->addEncryptKey($encryptKey);
     // Without a signing key this instance only encrypts.
     if (!$signKey) {
         return;
     }
     $this->gpg->addSignKey($signKey, $signKeyPassPhrase);
     $this->sign = true;
 }
/**
 * Clear-sign $filedata with a fixed key and return the clear-signed text.
 *
 * The key is selected by identifier (redacted in this listing); no passphrase
 * is handed to addSignKey(), and the result of Crypt_GPG::sign() is returned as is.
 *
 * @param string $filedata Content to sign
 * @return string Clear-signed content
 */
function sign_file($filedata)
{
    $signer = new Crypt_GPG();
    $signer->addSignKey('*****@*****.**');

    return $signer->sign($filedata, Crypt_GPG::SIGN_MODE_CLEAR);
}
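 /**
  * Probe the server-side GnuPG setup by loading the configured signing key and
  * clear-signing a test string.
  *
  * Status codes:
  *   0 - signing works
  *   1 - GnuPG.email or GnuPG.homedir is not configured
  *   2 - Crypt_GPG could not be set up or the signing key could not be added
  *   3 - the key was added but the signing attempt threw
  * Any non-zero status increments $diagnostic_errors.
  *
  * @param int $diagnostic_errors Running error counter, incremented by reference on failure
  * @return int Status code as listed above
  */
 public function gpgDiagnostics(&$diagnostic_errors)
 {
     if (!Configure::read('GnuPG.email') || !Configure::read('GnuPG.homedir')) {
         $diagnostic_errors++;
         return 1;
     }
     $gpgStatus = 0;
     try {
         require_once 'Crypt/GPG.php';
         $gpg = new Crypt_GPG(array(
             'homedir' => Configure::read('GnuPG.homedir'),
             'binary' => Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg',
         ));
         $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
         try {
             // Only an exception matters here; the signed output itself is discarded.
             $gpg->sign('test', Crypt_GPG::SIGN_MODE_CLEAR);
         } catch (Exception $e) {
             $gpgStatus = 3;
         }
     } catch (Exception $e) {
         // Reached when Crypt_GPG could not be loaded/instantiated or the key could not be added.
         $gpgStatus = 2;
     }
     if ($gpgStatus !== 0) {
         $diagnostic_errors++;
     }
     return $gpgStatus;
 }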
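 /**
  * Sign, optionally encrypt and send a single e-mail to $user, logging the outcome.
  *
  * The body is always clear-signed with the server key configured under GnuPG.*.
  * When the user record carries a gpgkey it is imported and the signed body is
  * encrypted to the imported fingerprint. Without a key: if GnuPG.onlyencrypted
  * is set the mail is not sent at all; if GnuPG.bodyonlyencrypted is set and
  * $bodyNoEnc is given, that text is sent instead of $body. Success and every
  * failure (with its reason) are written to the Log model.
  *
  * @param array        $user        User record; reads $user['User']['email'], ['gpgkey'] and ['id']
  * @param string       $body        Message text; the two-character sequence "\n" is expanded to PHP_EOL
  * @param string|false $bodyNoEnc   Replacement body for recipients without an encryption key (see above)
  * @param string       $subject     Mail subject (required; it follows an optional parameter for historical reasons)
  * @param array|false  $replyToUser Sender record; sets Reply-To and attaches the sender's gpgkey
  * @return bool true when CakeEmail reported the mail as sent, false otherwise
  */
 public function sendEmail($user, $body, $bodyNoEnc = false, $subject, $replyToUser = false)
 {
     $failed = false;
     $failureReason = "";
     // null until a send is attempted, so "not sent" and "send failed" stay distinguishable
     $result = null;
     // check if the e-mail can be encrypted
     $canEncrypt = !empty($user['User']['gpgkey']);
     // If bodyonlyencrypted is enabled and the user has no encryption key, use the alternate body (if it exists)
     if (Configure::read('GnuPG.bodyonlyencrypted') && !$canEncrypt && $bodyNoEnc) {
         $body = $bodyNoEnc;
     }
     // '\\n' in single quotes is the literal backslash-n sequence, not a line break
     $body = str_replace('\\n', PHP_EOL, $body);
     // Sign the body
     require_once 'Crypt/GPG.php';
     try {
         $gpg = new Crypt_GPG(array(
             'homedir' => Configure::read('GnuPG.homedir'),
             'binary' => Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg',
         ));
         $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
         $body = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
     } catch (Exception $e) {
         $failureReason = " the message could not be signed. The following error message was returned by gpg: " . $e->getMessage();
         $this->log($e->getMessage());
         $failed = true;
     }
     // If we cannot encrypt the mail and the server settings restricts sending unencrypted messages, return false
     if (!$failed && !$canEncrypt && Configure::read('GnuPG.onlyencrypted')) {
         $failed = true;
         $failureReason = " encrypted messages are enforced and the message could not be encrypted for this user as no valid encryption key was found.";
     }
     // Let's encrypt the message if we can
     if (!$failed && $canEncrypt) {
         try {
             // importKey sits inside the try: a malformed key block is a per-user failure, not an uncaught exception
             $keyImportOutput = $gpg->importKey($user['User']['gpgkey']);
             $gpg->addEncryptKey($keyImportOutput['fingerprint']);
             // use the key that was given in the import
             $body = $gpg->encrypt($body, true);
         } catch (Exception $e) {
             // despite the user having a PGP key and the signing already succeeding earlier, we get an exception. This must mean that there is an issue with the user's key.
             $failureReason = " the message could not be encrypted because there was an issue with the user's PGP key. The following error message was returned by gpg: " . $e->getMessage();
             $this->log($e->getMessage());
             $failed = true;
         }
     }
     $replyToLog = '';
     if (!$failed) {
         $Email = new CakeEmail();
         // If the e-mail is sent on behalf of a user, then we want the target user to be able to respond to the sender
         // For this reason we should also attach the public key of the sender along with the message (if applicable)
         if (!empty($replyToUser)) {
             $Email->replyTo($replyToUser['User']['email']);
             if (!empty($replyToUser['User']['gpgkey'])) {
                 $Email->attachments(array('gpgkey.asc' => array('data' => $replyToUser['User']['gpgkey'])));
             }
             $replyToLog = 'from ' . $replyToUser['User']['email'];
         }
         $Email->from(Configure::read('MISP.email'));
         $Email->to($user['User']['email']);
         $Email->subject($subject);
         $Email->emailFormat('text');
         $result = $Email->send($body);
         $Email->reset();
     }
     $this->Log = ClassRegistry::init('Log');
     $this->Log->create();
     if (!$failed && $result) {
         $this->Log->save(array('org' => 'SYSTEM', 'model' => 'User', 'model_id' => $user['User']['id'], 'email' => $user['User']['email'], 'action' => 'email', 'title' => 'Email ' . $replyToLog . ' to ' . $user['User']['email'] . ' sent, titled "' . $subject . '".', 'change' => null));
         return true;
     }
     if ($result !== null && !$result) {
         // a send was attempted and CakeEmail reported failure
         $failureReason = " there was an error sending the e-mail.";
     }
     $this->Log->save(array('org' => 'SYSTEM', 'model' => 'User', 'model_id' => $user['User']['id'], 'email' => $user['User']['email'], 'action' => 'email', 'title' => 'Email ' . $replyToLog . ' to ' . $user['User']['email'] . ', titled "' . $subject . '" failed. Reason: ' . $failureReason, 'change' => null));
     return false;
 }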
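 /**
  * Alert the members of the event's creator org (plus the event creator) that a
  * proposal was made to event $id, signing and, where a key exists, encrypting
  * the mail per recipient.
  *
  * Nothing is sent when the event already carries proposal_email_lock; otherwise
  * the lock is set first. The requesting user's PGP key (User::getPGP) is written
  * to a temporary file and attached as gpgkey.asc when present; the file is removed
  * at the end. A recipient whose key cannot be used for encryption is logged and
  * skipped, so neither the signed plaintext nor a previous recipient's ciphertext
  * is sent to them.
  *
  * @param int $id Event id
  * @return bool|null false when an exception escaped the send loop, true otherwise, null when locked
  */
 private function __sendProposalAlertEmail($id)
 {
     $this->loadModel('Event');
     $this->Event->recursive = -1;
     $event = $this->Event->read(null, $id);
     // If the event has an e-mail lock, return
     if ($event['Event']['proposal_email_lock'] == 1) {
         return;
     }
     $this->_setProposalLock($id);
     $tmpfname = null;
     $sent = true;
     try {
         $this->loadModel('User');
         $this->User->recursive = -1;
         $orgMembers = array();
         $temp = $this->User->findAllByOrg($event['Event']['orgc'], array('email', 'gpgkey', 'contactalert', 'id'));
         foreach ($temp as $tempElement) {
             if ($tempElement['User']['contactalert'] || $tempElement['User']['id'] == $event['Event']['user_id']) {
                 $orgMembers[] = $tempElement;
             }
         }
         $body = "Hello, \n";
         $body .= "\n";
         $body .= "A user of another organisation has proposed a change to an event created by you or your organisation. \n";
         $body .= "\n";
         $body .= "To view the event in question, follow this link:";
         $body .= ' ' . Configure::read('MISP.baseurl') . '/events/view/' . $id . "\n";
         $body .= "\n";
         $body .= "You can reach the user at " . $this->Auth->user('email');
         $body .= "\n";
         // shared by the signing instance and the per-recipient encryption instances
         $gpgOptions = array(
             'homedir' => Configure::read('GnuPG.homedir'),
             'binary' => Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg',
         );
         // sign the body
         require_once 'Crypt/GPG.php';
         $gpg = new Crypt_GPG($gpgOptions);
         $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
         $bodySigned = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
         // Add the GPG key of the user as attachment
         // LATER sign the attached GPG key
         // (the original tested "null != !getPGP()", which inverted the condition)
         $senderKey = $this->User->getPGP($this->Auth->user('id'));
         if ($senderKey != null) {
             // save the gpg key to a temporary file
             $tmpfname = tempnam(TMP, "GPGkey");
             file_put_contents($tmpfname, $senderKey);
             // attach it
             $this->Email->attachments = array('gpgkey.asc' => $tmpfname);
         }
         foreach ($orgMembers as $reporter) {
             if (!empty($reporter['User']['gpgkey'])) {
                 try {
                     // import the key of the user into the keyring
                     // this isn't really necessary, but it gives it the fingerprint necessary for the next step
                     $keyImportOutput = $gpg->importKey($reporter['User']['gpgkey']);
                     // a fresh instance per recipient, presumably so encrypt keys added for
                     // earlier recipients do not carry over (kept from the original)
                     $gpg = new Crypt_GPG($gpgOptions);
                     $gpg->addEncryptKey($keyImportOutput['fingerprint']);
                     // use the key that was given in the import
                     $bodyEncSig = $gpg->encrypt($bodySigned, true);
                 } catch (Exception $e) {
                     // catch errors like expired PGP keys or an unusable key block
                     $this->log($e->getMessage());
                     // skip this recipient rather than sending a body left over from a previous iteration;
                     // the remaining recipients are still served
                     continue;
                 }
             } else {
                 $bodyEncSig = $bodySigned;
                 // FIXME should I allow sending unencrypted "contact" mails to people if they didn't import they GPG key?
             }
             // prepare the email
             $this->Email->from = Configure::read('MISP.email');
             $this->Email->to = $reporter['User']['email'];
             $this->Email->subject = "[" . Configure::read('MISP.org') . " MISP] Proposal to event #" . $id;
             $this->Email->template = 'body';
             $this->Email->sendAs = 'text';
             // both text or html
             $this->set('body', $bodyEncSig);
             // Add the GPG key of the user as attachment
             // LATER sign the attached GPG key
             if ($tmpfname !== null) {
                 // re-attach after the reset() of the previous iteration
                 $this->Email->attachments = array('gpgkey.asc' => $tmpfname);
             }
             // send it
             $this->Email->send();
             // If you wish to send multiple emails using a loop, you'll need
             // to reset the email fields using the reset method of the Email component.
             $this->Email->reset();
         }
     } catch (Exception $e) {
         $sent = false;
     }
     // remove the temporary key file in every outcome
     if ($tmpfname !== null) {
         unlink($tmpfname);
     }
     return $sent;
 }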
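 /**
  * Encrypt a string to one or more recipients and sign it with a single key.
  *
  * The signing key and its passphrase fall back to the GPG AuxConfig values
  * (defaultKey / defaultKeyPasswd) when not supplied. $encryptKeyID may be one
  * key identifier or a list; every entry becomes an encryption recipient.
  * $mode is accepted for backward compatibility only: the original computed a
  * default for it and never passed it on, so it has no effect here either.
  *
  * @param string       $string          Plaintext to protect
  * @param string|array $encryptKeyID    Recipient key identifier(s)
  * @param string|null  $signkeyPassword Passphrase of the signing key; config default when null
  * @param string|null  $signkeyID       Signing key identifier; config default when null
  * @param mixed        $mode            Unused, kept for callers that pass it
  * @param bool         $armor           Forwarded to Crypt_GPG::encryptAndSign()
  * @return string Encrypted and signed output
  */
 public static function encryptAndSign($string, $encryptKeyID, $signkeyPassword = null, $signkeyID = null, $mode = null, $armor = true)
 {
     $gpg = new Crypt_GPG();
     if ($signkeyID === null) {
         $signkeyID = ConfigManager::getConfig("Crypto", "GPG")->AuxConfig->defaultKey;
     }
     if ($signkeyPassword === null) {
         $signkeyPassword = ConfigManager::getConfig("Crypto", "GPG")->AuxConfig->defaultKeyPasswd;
     }
     $gpg->addSignKey($signkeyID, $signkeyPassword);
     // A scalar id becomes a one-element list, so both call forms take the same path.
     foreach ((array) $encryptKeyID as $keyId) {
         $gpg->addEncryptKey($keyId);
     }
     return $gpg->encryptAndSign($string, $armor);
 }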
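 /**
  * Send a "please contact me" mail about event $id, either to the event creator
  * or to every org member with contact alerts enabled (plus the creator).
  *
  * The body is a plain-text rendering of the event, clear-signed with the server
  * key; recipients with a gpgkey additionally get it encrypted to their imported
  * fingerprint. The requesting user's own key, when set, is written to a temporary
  * file, attached as gpgkey.asc and removed afterwards. A recipient whose key
  * cannot be used for encryption is logged and skipped, so neither the signed
  * plaintext nor another recipient's ciphertext is sent to them.
  *
  * @todo move __sendContactEmail($id, $message) to a better place. (components?)
  *
  * @param int    $id      The id of the event for which you want to contact the org.
  * @param string $message The custom message that will be appended to the email.
  * @param bool   $all     true: send to the event creator only, false: send to the org members.
  *
  * @codingStandardsIgnoreStart
  * @throws \UnauthorizedException as well. // TODO Exception NotFoundException
  * @codingStandardsIgnoreEnd
  *
  * @return mixed Result of the last Email->send() call, false when nobody was mailed
  */
 private function __sendContactEmail($id, $message, $all)
 {
     // fetch the event
     $event = $this->Event->read(null, $id);
     $this->loadModel('User');
     if (!$all) {
         //Insert extra field here: alertOrg or something, then foreach all the org members
         //limit this array to users with contactalerts turned on!
         $orgMembers = array();
         $this->User->recursive = 0;
         $temp = $this->User->findAllByOrg($event['Event']['org'], array('email', 'gpgkey', 'contactalert', 'id'));
         foreach ($temp as $tempElement) {
             if ($tempElement['User']['contactalert'] || $tempElement['User']['id'] == $event['Event']['user_id']) {
                 $orgMembers[] = $tempElement;
             }
         }
     } else {
         $orgMembers = $this->User->findAllById($event['Event']['user_id'], array('email', 'gpgkey'));
     }
     // read once; used for the body text, the attachment and the cleanup
     $senderKey = $this->Auth->user('gpgkey');
     // The mail body, h() is NOT needed as we are sending plain-text mails.
     $body = "Hello, \n";
     $body .= "\n";
     $body .= "Someone wants to get in touch with you concerning a MISP event. \n";
     $body .= "\n";
     $body .= "You can reach him at " . $this->Auth->user('email') . "\n";
     // the key is attached only when the sender has one (the original announced it when he had none)
     if ($senderKey) {
         $body .= "His GPG/PGP key is added as attachment to this email. \n";
     }
     $body .= "\n";
     $body .= "He wrote the following message: \n";
     $body .= $message . "\n";
     $body .= "\n";
     $body .= "\n";
     $body .= "The event is the following: \n";
     // print the event in mail-format
     // LATER place event-to-email-layout in a function
     $appendlen = 20;
     $body .= 'URL		 : ' . Configure::read('CyDefSIG.baseurl') . '/events/view/' . $event['Event']['id'] . "\n";
     $body .= 'Event	   : ' . $event['Event']['id'] . "\n";
     $body .= 'Date		: ' . $event['Event']['date'] . "\n";
     if ('true' == Configure::read('CyDefSIG.showorg')) {
         $body .= 'Reported by : ' . $event['Event']['org'] . "\n";
     }
     $body .= 'Risk		: ' . $event['Event']['risk'] . "\n";
     $body .= 'Analysis  : ' . $event['Event']['analysis'] . "\n";
     $relatedEvents = $this->Event->getRelatedEvents($this->Auth->user());
     if (!empty($relatedEvents)) {
         foreach ($relatedEvents as $relatedEvent) {
             $body .= 'Related to  : ' . Configure::read('CyDefSIG.baseurl') . '/events/view/' . $relatedEvent['Event']['id'] . ' (' . $relatedEvent['Event']['date'] . ')' . "\n";
         }
     }
     $body .= 'Info  : ' . "\n";
     $body .= $event['Event']['info'] . "\n";
     $body .= "\n";
     $body .= 'Attributes  :' . "\n";
     $bodyTempOther = "";
     if (!empty($event['Attribute'])) {
         foreach ($event['Attribute'] as $attribute) {
             // max(0, ...) keeps str_repeat valid for type names longer than the column width
             $padding = max(0, $appendlen - 2 - strlen($attribute['type']));
             $line = '- ' . $attribute['type'] . str_repeat(' ', $padding) . ': ' . $attribute['value'] . "\n";
             if ('other' == $attribute['type']) {
                 // append the 'other' attribute types to the bottom.
                 $bodyTempOther .= $line;
             } else {
                 $body .= $line;
             }
         }
     }
     $body .= "\n";
     $body .= $bodyTempOther;
     // sign the body
     require_once 'Crypt/GPG.php';
     $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
     // , 'debug' => true
     $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
     $bodySigned = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
     // Add the GPG key of the user as attachment
     // LATER sign the attached GPG key
     $tmpfname = null;
     if ($senderKey != null) {
         // save the gpg key to a temporary file
         $tmpfname = tempnam(TMP, "GPGkey");
         file_put_contents($tmpfname, $senderKey);
         // attach it
         $this->Email->attachments = array('gpgkey.asc' => $tmpfname);
     }
     // false until a send is attempted, so an empty recipient list returns a defined value
     $result = false;
     foreach ($orgMembers as $reporter) {
         if (!empty($reporter['User']['gpgkey'])) {
             try {
                 // import the key of the user into the keyring
                 // this isn't really necessary, but it gives it the fingerprint necessary for the next step
                 $keyImportOutput = $gpg->importKey($reporter['User']['gpgkey']);
                 // a fresh instance per recipient, presumably so encrypt keys added for
                 // earlier recipients do not carry over (kept from the original)
                 $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
                 $gpg->addEncryptKey($keyImportOutput['fingerprint']);
                 // use the key that was given in the import
                 $bodyEncSig = $gpg->encrypt($bodySigned, true);
             } catch (Exception $e) {
                 // catch errors like expired PGP keys or an unusable key block
                 $this->log($e->getMessage());
                 // skip this recipient rather than sending a body left over from a previous iteration;
                 // the remaining recipients are still served
                 continue;
             }
         } else {
             $bodyEncSig = $bodySigned;
             // FIXME should I allow sending unencrypted "contact" mails to people if they didn't import they GPG key?
         }
         // prepare the email
         $this->Email->from = Configure::read('CyDefSIG.email');
         $this->Email->replyTo = $this->Auth->user('email');
         $this->Email->to = $reporter['User']['email'];
         $this->Email->subject = "[" . Configure::read('CyDefSIG.org') . " " . Configure::read('CyDefSIG.name') . "] Need info about event " . $id . " - TLP Amber";
         //$this->Email->delivery = 'debug';   // do not really send out mails, only display it on the screen
         $this->Email->template = 'body';
         $this->Email->sendAs = 'text';
         // both text or html
         $this->set('body', $bodyEncSig);
         // Add the GPG key of the user as attachment
         // LATER sign the attached GPG key
         if ($tmpfname !== null) {
             // re-attach after the reset() of the previous iteration
             $this->Email->attachments = array('gpgkey.asc' => $tmpfname);
         }
         // send it
         $result = $this->Email->send();
         // If you wish to send multiple emails using a loop, you'll need
         // to reset the email fields using the reset method of the Email component.
         $this->Email->reset();
     }
     // remove the temporary gpg file
     if ($tmpfname !== null) {
         unlink($tmpfname);
     }
     return $result;
 }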
 /**
  * Site-admin mail form: sends a custom message or a temporary password to the
  * selected users, signing and encrypting for recipients that have a gpgkey.
  *
  * NOTE(review): as listed here the method does not parse. The text between
  * "$messageP = ..." and "$recipientPass[0] = $password;" was cut by the
  * listing's secret redaction ("******"), which also dropped the branches for
  * recipient values other than 0 and the closing of the inner foreach. Check the
  * full source before relying on any of the control flow below.
  *
  * Reads $this->request->data['User']['action'] ('0' custom message, '1' temporary
  * password), ['recipient'] (0 = all users; other values handled in redacted code),
  * ['subject'], ['message'] and ['customMessage'].
  *
  * @throws MethodNotAllowedException when the caller is not a site admin
  */
 public function admin_email()
 {
     if (!$this->_isSiteAdmin()) {
         throw new MethodNotAllowedException();
     }
     $this->User->recursive = 0;
     $temp = $this->User->find('all', array('fields' => array('email', 'gpgkey')));
     $emails = array();
     $gpgKeys = array();
     // save all the emails of the users and set it for the dropdown list in the form
     // ($emails and $gpgKeys are parallel arrays; index $i below refers to both)
     foreach ($temp as $user) {
         array_push($emails, $user['User']['email']);
         array_push($gpgKeys, $user['User']['gpgkey']);
     }
     $this->set('recipientEmail', $emails);
     // User has filled in his contact form, send out the email.
     if ($this->request->is('post') || $this->request->is('put')) {
         $message1 = null;
         $message2 = null;
         $recipients = array();
         $messageP = array();
         // Formulating the message and the subject that will be common to the e-mail(s) sent
         if ($this->request->data['User']['action'] == '0') {
             // Custom message
             $subject = $this->request->data['User']['subject'];
             $message1 .= $this->request->data['User']['message'];
         } else {
             // Temp password
             // NOTE(review): $subject is not assigned on this path in the visible code;
             // verify the redacted part sets it before $this->Email->subject is used.
             if ($this->request->data['User']['customMessage']) {
                 $message1 .= $this->request->data['User']['message'];
             } else {
                 $message1 .= "Dear MISP user,\n\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at ";
                 $message1 .= Configure::read('CyDefSIG.baseurl');
                 $message1 .= ", where you will be prompted to manually change your password to something of your own choice.";
             }
             //$message .= "\n\nYour temporary password: "******"\n\nIf you have any questions, contact us at: " . Configure::read('CyDefSIG.contact') . ".";
         }
         $message2 .= "\n\nBest Regards,\n" . Configure::read('CyDefSIG.org') . ' MISP support';
         // Return an error message if the action is a password reset for a new user
         if ($this->request->data['User']['recipient'] == 2 && $this->request->data['User']['action'] == '1') {
             $this->Session->setFlash(__('Cannot reset the password of a user that doesn\'t exist.'));
             $this->redirect(array('action' => 'email', 'admin' => true));
         }
         // Setting up the list of recipient(s) based on the setting and creating the final message for each user, including the password
         // If the recipient is all users, and the action to create a password, create it and for each user and squeeze it between the main message and the signature
         if ($this->request->data['User']['recipient'] == 0) {
             $recipients = $emails;
             $recipientGPG = $gpgKeys;
             if ($this->request->data['User']['action'] == '1') {
                 $i = 0;
                 foreach ($recipients as $rec) {
                     $password = $this->User->generateRandomPassword();
                     // NOTE(review): listing truncated here — the per-recipient $message[$i] /
                     // $recipientPass[$i] assignments and the end of this foreach are redacted.
                     $messageP = "\n\nYour temporary password: "******"\n\nYour temporary password: " . $password . $message2;
                 $recipientPass[0] = $password;
             } else {
                 $message[0] = $message1;
             }
         }
         require_once 'Crypt/GPG.php';
         $i = 0;
         foreach ($recipients as $recipient) {
             if (!empty($recipientGPG[$i])) {
                 $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
                 // , 'debug' => true
                 $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
                 $messageSigned = $gpg->sign($message[$i], Crypt_GPG::SIGN_MODE_CLEAR);
                 $keyImportOutput = $gpg->importKey($recipientGPG[$i]);
                 try {
                     $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
                     $gpg->addEncryptKey($keyImportOutput['fingerprint']);
                     // use the key that was given in the import
                     $encryptedMessage = $gpg->encrypt($messageSigned, true);
                 } catch (Exception $e) {
                     // catch errors like expired PGP keys
                     $this->log($e->getMessage());
                     // no need to return here, as we want to send out mails to the other users if GPG encryption fails for a single user
                     // NOTE(review): nothing resets $encryptedMessage here, so the send below
                     // reuses whatever the previous iteration left in it — confirm intended.
                 }
             } else {
                 // Recipient without a key: the message is sent neither signed nor encrypted.
                 // For action '1' that message carries the temporary password in clear text.
                 $encryptedMessage = $message[$i];
             }
             // prepare the email
             $this->Email->from = Configure::read('CyDefSIG.email');
             $this->Email->to = $recipients[$i];
             $this->Email->subject = $subject;
             //$this->Email->delivery = 'debug';   // do not really send out mails, only display it on the screen
             $this->Email->template = 'body';
             $this->Email->sendAs = 'text';
             // both text or html
             $this->set('body', $encryptedMessage);
             // send it
             $result = $this->Email->send();
             // if sending successful and action was a password change, update the user's password.
             if ($result && $this->request->data['User']['action'] == '1') {
                 $this->User->recursive = 0;
                 $temp = $this->User->findByEmail($recipients[$i]);
                 $this->User->id = $temp['User']['id'];
                 $this->User->read();
                 // the generated password is handed to saveField as is; presumably the
                 // User model hashes it in beforeSave — confirm.
                 $this->User->saveField('password', $recipientPass[$i]);
                 $this->User->saveField('change_pw', '1');
             }
             // If you wish to send multiple emails using a loop, you'll need
             // to reset the email fields using the reset method of the Email component.
             $this->Email->reset();
             $i++;
         }
         $this->Session->setFlash(__('E-mails sent.'));
     }
     // User didn't see the contact form yet. Present it to him.
 }
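 /**
  * Verify the signature(s) on a message and require that at least one valid
  * signature was made by the key identified by $fingerprint.
  *
  * The original accepted any isValid() signature without looking at which key
  * produced it, so a valid signature from any other key in the keyring passed.
  * Here the fingerprint of each valid signature is normalised (spaces removed,
  * upper-cased) and compared with the expected one, so a full fingerprint must be
  * supplied.
  *
  * @param Message $message     Message whose body text carries the signature
  * @param string  $fingerprint Full fingerprint of the key the signature must come from
  * @return bool true when a valid signature from $fingerprint was found
  * @throws \Exception propagated from Crypt_GPG
  */
 public function verify(Message $message, string $fingerprint) : bool
 {
     $gnupg = new \Crypt_GPG($this->options);
     // Kept from the original; it does not bind the verification result to this key,
     // but callers may rely on whatever it throws for an unknown key.
     $gnupg->addSignKey($fingerprint);
     $expected = strtoupper(str_replace(' ', '', $fingerprint));
     /** @var \Crypt_GPG_Signature[] $signatures */
     $signatures = $gnupg->verify($message->getBodyText());
     foreach ($signatures as $sig) {
         if (!$sig->isValid()) {
             continue;
         }
         $actual = strtoupper(str_replace(' ', '', (string) $sig->getKeyFingerprint()));
         // constant-time comparison; an empty fingerprint never matches
         if ($actual !== '' && hash_equals($expected, $actual)) {
             return true;
         }
     }
     return false;
 }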