<?php
//-----------------------------------------------------------------------------------------------------------------------------------
//
// Filename : spkac_cert.php
// Version : 1.0
// Date : 14th Jan 2009
//
// Description : This script creates an X.509 SSL client certificate, signed by the CA configured in config.php, from a browser-supplied SPKAC (the <keygen> element's output).
//
// Usage : spkac_cert.php?foaf=http://foaf.me/jsmith&
// commonName=J Smith&
// organizationName=My Company Ltd&
// organizationalUnitName=Technology Division&
// localityName=Newbury&
// stateOrProvinceName=Berkshire&
// countryName=GB&
// pubkey=***...***
//
// All parameters except 'foaf' and 'commonName' are optional. Some parameters if missing will default as per openssl.cnf
//
// See Also : This script is entirely based on
// http://phpmylogin.sourceforge.net/wiki/doku.php?id=keygen_attribute
//
//-----------------------------------------------------------------------------------------------------------------------------------
require_once 'config.php';
// Returns a X.509 SSL certificate
function create_identity_x509(
$countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName, $commonName, $emailAddress,
$foafLocation, $pubkey)
{
// Remove any whitespace in teh supplied SPKAC
$keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $pubkey);
// Create the DN for the openssl call
if ($countryName)
$keyreq .= "\ncountryName=".$countryName;
if ($stateOrProvinceName)
$keyreq .= "\nstateOrProvinceName=".$stateOrProvinceName;
if ($localityName)
$keyreq .= "\nlocalityName=".$localityName;
if ($organizationName)
$keyreq .= "\norganizationName=".$organizationName;
if ($organizationalUnitName)
$keyreq .= "\n0.OU=".$organizationalUnitName;
if ($commonName)
$keyreq .= "\nCN=".$commonName;
if ($emailAddress)
$keyreq .= "\nemailAddress=".$emailAddress;
// Setup the contents of the subjectAltName
if ($foafLocation)
$SAN="URI:$foafLocation";
if ($emailAddress)
{
if ($SAN)
$SAN.=",email:$emailAddress";
else
$SAN="email:$emailAddress";
}
// Export the subjectAltName to be picked up by the openssl.cnf file
if ($SAN)
{
putenv("SAN=$SAN");
}
// Create temporary files to hold the input and output to the openssl call.
$tmpSPKACfname = tempnam("/tmp", "SPK");
$tmpCERTfname = tempnam("/tmp", "CRT");
// Write the SPKAC and DN into the temporary file
$handle = fopen($tmpSPKACfname, "w");
fwrite($handle, $keyreq);
fclose($handle);
// TODO - This should be more easily configured
$command = "openssl ca -config ".$GLOBALS['config']['openssl_config_dir']."/openssl.cnf -verbose -batch -notext -spkac $tmpSPKACfname -out $tmpCERTfname -passin file:".$GLOBALS['config']['openssl_config_dir']."/password 2>&1";
// Run the command;
$output = `$command`;
// TODO - Check for failures on the command
if (preg_match("/Data Base Updated/", $output)==0)
{
print "Failed to create X.509 Certificate<br><br>";
print "<pre>";
print $output;
print "</pre>";
return;
}
// Delete the temporary SPKAC and DN file
unlink($tmpSPKACfname);
return $tmpCERTfname;
}
// Send the p12 encoded SSL certificate as a file transfer
function download_identity_x509($certLocation)
{
$length = filesize($certLocation);
header('Last-Modified: '.date('r+b'));
header('Accept-Ranges: bytes');
header('Content-Length: '.$length);
header('Content-Type: application/x-x509-user-cert');
readfile($certLocation);
unlink($certLocation);
exit;
}
//-----------------------------------------------------------------------------------------------------------------------------------
//
// Main
//
//-----------------------------------------------------------------------------------------------------------------------------------
// Print out the permitted script parameters
if ($_GET[help])
{
print "cert.php?<br>";
print "<ul>foaf=http://foaf.me/jsmith&<br><br>";
print "commonName=J Smith&<br><br>";
print "[email protected]&<br><br>";
print "organizationName=My Company Ltd&<br><br>";
print "organizationalUnitName=Technology Division&<br><br>";
print "localityName=Newbury&<br><br>";
print "stateOrProvinceName=Berkshire&<br><br>";
print "countryName=GB&<br><br>";
print "pubkey=***...***</ul>";
exit();
}
// Check if the foaf location is specified in the script call
$foafLocation = $_GET[foaf];
if (!$foafLocation)
{
if (array_key_exists('foaf', $_GET))
$query = $_SERVER[QUERY_STRING];
else
$query = ($_SERVER[QUERY_STRING]?$_SERVER[QUERY_STRING]."&":"") . "foaf=";
print "Please specify the location of your foaf file. <a href='https://foaf.me/spkac_cert.php?" . $query . "'>https://foaf.me/spkac_cert.php?foaf=</a><font color='red'><b>http://foaf.me/nickname</b></font><br><br>The FOAF location is added to the SubjectAltName within the SSL Client Certificate<br>";
exit();
}
// Check if the commonName is specified in the script call
$commonName = $_GET[commonName];
if (!$commonName)
{
if (array_key_exists('commonName', $_GET))
$query = $_SERVER[QUERY_STRING];
else
$query = ($_SERVER[QUERY_STRING]?$_SERVER[QUERY_STRING]."&":"") . "commonName=";
print "Please specify the Common Name to be added to your certficate. <a href='https://foaf.me/spkac_cert.php?" . $query . "'>https://foaf.me/spkac_cert.php?commonName=</a><font color='red'><b>Common Name</b></font><br><br>";
exit();
}
// Check that script is called using the HTTPS protocol
if ($_SERVER[HTTPS] == NULL)
{
print "Please use the following secure uri to download the Identity P12. <a href='https://foaf.me/spkac_cert.php?" . $_SERVER[QUERY_STRING] . "'>https://foaf.me/spkac_cert.php?" . $_SERVER[QUERY_STRING] . "</a><br>";
exit();
}
// Get the rest of the script parameters
$countryName = $_GET[countryName];
$stateOrProvinceName = $_GET[stateOrProvinceName];
$localityName = $_GET[localityName];
$organizationName = $_GET[organizationName];
$organizationalUnitName = $_GET[organizationalUnitName];
$emailAddress = $_GET[emailAddress];
$pubkey = $_GET[pubkey];
// Create a x509 SSL certificate
if ( $x509 = create_identity_x509(
$countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName, $commonName, $emailAddress,
$foafLocation, $pubkey ) )
{
// Send the X.509 SSL certificate to the script caller as a file transfer
download_identity_x509($x509);
}
?>