Merge pull request #6 from majestick/master

added alt_names feature for ssl certs
radicand · Sep 18, 2013 · 4a460af · 4a460af
2 parents 2bbe334 + 8d3e0f7
commit 4a460af
Show file tree

Hide file tree

Showing 5 changed files with 147 additions and 35 deletions.
diff --git a/ca/request_cert.php b/ca/request_cert.php
@@ -25,7 +25,8 @@
 $expiry       = gpvar('expiry');
 $keysize      = gpvar('keysize');
 $cert_type    = gpvar('cert_type');
-
+$dns_names    = gpvar('dns_names');
+$ip_addr      = gpvar('ip_addr');
 
 # To repopulate form after error.
 $hidden_fields = '
@@ -41,6 +42,8 @@
     <input type=hidden name=expiry value="' . htvar($expiry) . '">
     <input type=hidden name=keysize value="' . htvar($keysize) . '">
     <input type=hidden name=cert_type value="' . htvar($cert_type) . '">
+    <input type=hidden name=dns_names value="' . htvar($dns_names) . '">
+    <input type=hidden name=ip_addr value="' . htvar($ip_addr) . '">
 ';
 
 
@@ -72,10 +75,21 @@
 	if ( $email && ! is_email($email) )
 		$er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';
 
+	$ip_ar=explode("\n", $ip_addr);
+	foreach ($ip_ar as $value){
+		if ( $value && ! is_ip($value) )
+			$er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
+	}
+
+	$dns_n=explode("\n", $dns_names);
+	foreach ($dns_n as $value){
+		if ( $value && ! is_fqdn(trim($value)) )
+			$er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
+	}
+
 	if ( $er )
 		$er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
 
-
 	if ($email && ($serial = CAdb_in($email,$common_name))) { 	
 		$er = '';
 		$certtext = CA_cert_text($serial);
@@ -119,6 +133,8 @@
 	Certificate Life<br>
 	Key Size<br>
 	Certificate Use<br>
+	IP Addresses<br>
+	DNS Alt Names<br>
     	</td>
 
     	<td>
@@ -133,6 +149,8 @@
 	print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
 	print htvar($keysize). ' bits<br>';
 	print htvar($cert_type). '<br>';
+    print htvar($dns_names). '<br>';
+    print htvar($ip_addr). '<br>';
 	?>
     	</td>
 
@@ -168,7 +186,7 @@
 case 'final':
 	if ($submit == "Yes!  Create and Download") {
 		if (! $serial = CAdb_in($email,$common_name)) {
-			list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize);
+			list($ret,$errtxt) = CA_create_cert($cert_type,$country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize,$dns_names,$ip_addr);
 
 			if (! $ret) {
 	                	printHeader();
@@ -227,6 +245,8 @@
 	if (! $expiry)        $expiry = 1;
 	if (! $keysize)       $keysize = 1024;
 	if (! $cert_type)     $cert_type = 'email';
+	if (! $dns_names)     $dns_names = "";
+	if (! $ip_addr)       $ip_addr = "";
 
 	printHeader();
 	?>
@@ -236,44 +256,44 @@
 	<th colspan=2><h3>Certificate Request Form</h3></th>
 
 	<tr>
-	<td width=30%>Common Name<br>(i.e. User real name or computer hostname) </td>
+	<td width=30%>Common Name<font color=red size=3>*</font><br>(i.e. User real name or computer hostname) </td>
 	<td><input type=text name=common_name value="<?php echo  htvar($common_name)?>" size=50 maxlength=60></td>
 	</tr>
 
 	<tr>
-	<td>E-mail Address </td>
+	<td>E-mail Address <font color=red size=3>*</font></td>
 	<td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
 	</tr>
 
 	<tr>
-	<td>Organization (Company/Agency)</td>
+	<td>Organization (Company/Agency)<font color=red size=3>*</font></td>
 	<td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
 	</tr>
 
 	<tr>
-	<td>Department/Unit </td><td><input type=text name=unit value="<?php echo  htvar($unit) ?>" size=40 maxlength=60></td>
+	<td>Department/Unit<font color=red size=3>*</font> </td><td><input type=text name=unit value="<?php echo  htvar($unit) ?>" size=40 maxlength=60></td>
 	</tr>
 
 	<tr>
-	<td>Locality (City/County)</td><td><input type=text name=locality value="<?php echo  htvar($locality) ?>" size=30 maxlength=30></td>
+	<td>Locality (City/County)<font color=red size=3>*</font></td><td><input type=text name=locality value="<?php echo  htvar($locality) ?>" size=30 maxlength=30></td>
 	</tr>
 
 	<tr>
-	<td>State/Province</td><td><input type=text name=province value="<?php echo  htvar($province) ?>" size=30 maxlength=30></td>
+	<td>State/Province<font color=red size=3>*</font></td><td><input type=text name=province value="<?php echo  htvar($province) ?>" size=30 maxlength=30></td>
 	</tr>
 
 	<tr>
-	<td>Country</td>
+	<td>Country<font color=red size=3>*</font></td>
 	<td><input type=text name=country value="<?php echo  htvar($country) ?>" size=2 maxlength=2></td>
 	</tr>
 
 	<tr>
-	<td>Certificate Password </td>
+	<td>Certificate Password<font color=red size=3>*</font> </td>
 	<td><input type=password name=passwd value="<?php echo  htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv  value="<?php echo  htvar($passwdv) ?>" size=30></td>
 	</tr>
 
 	<tr>
-	<td>Certificate Life </td>
+	<td>Certificate Life<font color=red size=3>*</font> </td>
 	<td><select name=expiry>
 	<?php
 
@@ -291,7 +311,7 @@
 	</tr>
 
 	<tr>
-	<td>Key Size </td>
+	<td>Key Size<font color=red size=3>*</font> </td>
 	<td><select name=keysize>
 	<?php
 	for ( $i = 512 ; $i <= 4096 ; $i+= 512 ) {
@@ -303,8 +323,9 @@
 	</tr>
 
 	<tr>
-	<td>Certificate Use: </td>
-	<td><select name=cert_type>
+	<td>Certificate Use:<font color=red size=3>*</font> </td>
+	<td><select name=cert_type onchange="if (this.value=='server') 
+        {setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
 	<?php
 	print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
 	print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
@@ -317,8 +338,16 @@
 	</select></td>
 	</tr>
 
+	<tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
+	<td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?= htvar($dns_names) ?></textarea></td>
+	</tr>
+
+	<tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
+	<td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?= htvar($ip_addr) ?></textarea></td>
+	</tr>
+
 	<tr>
-	<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* All fields are required</td>
+	<td><center><input type=submit name=submit value='Submit Request'></center><input type=hidden name=form_stage value='validate'></td><td><font color=red size=3>* Fields are required</td>
 	</tr>
 	</table>
 	</form>

diff --git a/include/common.php b/include/common.php
@@ -36,8 +36,26 @@ function printHeader($withmenu="default") {
 	?>
 	<!DOCTYPE html>
 	<head>
+	<meta charset="utf-8">
 	<title>PHPki: <?php echo $title?> </title>
 	<link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
+	<script type="text/javascript" language="javascript">
+
+	function setVisibility(rowName, show) {
+        // Tabellenzelle ermitteln
+
+        var actualVisibility=document.getElementById(rowName).style.visibility;
+
+        if(show==false) {
+                document.getElementById(rowName).style.visibility = "hidden";
+                document.getElementById(rowName).style.display = "none";
+        } else {
+                document.getElementById(rowName).style.visibility = "visible";
+                document.getElementById(rowName).style.display = "";
+        }
+	}
+
+	</script>
 	</head>
 	<body>
 	<?php

diff --git a/include/my_functions.php b/include/my_functions.php
@@ -31,7 +31,7 @@ function upload($source, $destination, $content_type="application/octet-stream")
 #	header("Cache-Control: no-store, no-cache, must-revalidate");
 #	header("Cache-Control: post-check=0, pre-check=0", false);
 #	header("Pragma: no-cache");
-        header("Content-Type: $content_type");
+    header("Content-Type: $content_type");
 
 	if (is_array($source)) {
 		$fsize = 0;
@@ -90,10 +90,9 @@ function csort($array, $column, $ascdec=SORT_ASC){
 #
 function htvar($v, $strip=false) {
 	if ($strip) 
-		return  htmlentities(stripslashes($v));
+		return  htmlentities(stripslashes($v), 0, "UTF-8");
 	else
-		return  htmlentities($v);
-
+		return  htmlentities($v, 0, "UTF-8");
 }
 
 
@@ -185,6 +184,30 @@ function is_email($v) {
 	return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
 }
 
+#
+# Returns True if the given string is a IP address
+#
+function is_ip( $ip = null ) {
+    if( !$ip or strlen(trim($ip)) == 0){
+        return false;
+    }
+    $ip=trim($ip);
+    if(preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/",$ip)) {
+        foreach(explode(".", $ip) as $block)
+            if($block<0 || $block>255 )
+                return false;
+        return true;
+    }
+    return false;
+}
+
+#
+# Returns True if the given string is a valid FQDN
+#
+function is_fqdn($FQDN) {
+    return (!empty($FQDN) && preg_match('/(?=^.{1,254}$)(^(?:(?!\d|-)[a-z0-9\-]{1,63}(?<!-)\.)+(?:[a-z]{2,})$)/i', $FQDN) > 0);
+}
+
 #
 # Checks regexp in every element of an array, returns TRUE as soon
 # as a match is found.

diff --git a/include/openssl_functions.php b/include/openssl_functions.php
@@ -5,15 +5,49 @@
 // File name is placed in ./tmp with a random name. It lingers unless
 // removed manually.
 //
-function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096) {
+function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=4096,$dns_names='',$ip_addr='',$serial='') {
 	global $config, $PHPki_user;
 
 	$issuer = $PHPki_user;
+	$count_dns = 0;
+	$count_ip = 0;
+	$alt_names = "";
+
+	if (! $dns_names == '') {
+
+		$dns_n=explode("\n", $dns_names);
+		$count_dns  = $count_dns + 1;
+		$alt_names .= "DNS.$count_dns = $common_name\n";
+		foreach ($dns_n as $value) {
+			if (! $value == '') {
+				$count_dns  = $count_dns + 1;
+				$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+			}
+		}
+	}
+
+	if (! $ip_addr == '') {
+		$ip_ar=explode("\n", $ip_addr);
+		foreach ($ip_ar as $value) {
+			if (! $value == '') {
+				$count_dns  = $count_dns + 1;
+				$count_ip   = $count_ip + 1;
+				$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
+				$alt_names .= "IP.$count_ip = ".trim($value)."\n";
+			}
+		}
+	}
 
+	if (($count_dns > 0) || ($count_ip > 0)) {
+		$server_altnames = "@alt_names";
+	} else {
+		$server_altnames = "DNS:$common_name,email:copy";
+	}
+
 	$cnf_contents = "
 HOME             = $config[home_dir] 
 RANDFILE         = $config[random]
-dir	             = $config[ca_dir]
+dir	         = $config[ca_dir]
 certs            = $config[cert_dir]
 crl_dir	         = $config[crl_dir]
 database         = $config[index]
@@ -104,7 +138,7 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 subjectAltName         = email:copy
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Root Certificate\"
-#nsCaRevocationUrl      = ns_revoke_query.php?
+#nsCaRevocationUrl     = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html
 
 [ email_ext ]
@@ -119,7 +153,7 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html
 
 [ email_signing_ext ]
@@ -134,7 +168,7 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 crlDistributionPoints  = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Personal Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl          = $config[base_url]policy.html
 
 [ server_ext ]
@@ -144,12 +178,12 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 extendedKeyUsage        = critical, serverAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
-subjectAltName          = DNS:$common_name,email:copy
+subjectAltName          = $server_altnames
 issuerAltName           = issuer:copy
 crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 nsComment               = \"PHPki/OpenSSL Generated Server Certificate\"
 nsBaseUrl               = $config[base_url]
-nsRevocationUrl         = ns_revoke_query.php?
+nsRevocationUrl         = $config[base_url]ns_revoke_query.php?$serial
 nsCaPolicyUrl           = $config[base_url]policy.html
 
 [ time_stamping_ext ]
@@ -163,7 +197,7 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 crlDistributionPoints   = URI:$config[base_url]index.php?stage=dl_crl
 nsComment              = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
 nsBaseUrl              = $config[base_url]
-nsRevocationUrl        = ns_revoke_query.php?
+nsRevocationUrl        = $config[base_url]ns_revoke_query.php?$serial
 
 [ vpn_client_ext ]
 basicConstraints        = critical, CA:false
@@ -191,8 +225,12 @@ function CA_create_cnf($country='',$province='',$locality='',$organization='',$u
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer:always
 subjectAltName          = DNS:$common_name,email:copy
+
+[alt_names]
+$alt_names
 ";
 
+
 	# Write out the config file.
 	$cnf_file  = tempnam('./tmp','cnf-');
 	$handle = fopen($cnf_file,"w");
@@ -466,7 +504,7 @@ function CA_revoke_cert($serial) {
 //
 // Returns an array containing the output of failed openssl commands.
 //
-function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) {
+function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024,$dns_names,$ip_addr) {
 	global $config;
 
 	# Wait here if another user has the database locked.
@@ -484,11 +522,11 @@ function CA_create_cert($cert_type='email',$country,$province,$locality,$organiz
 
 	$expiry_days = round($expiry * 365.25, 0);
 
-	$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize);
+	$cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize,$dns_names,$ip_addr,$serial);
 
 	# Escape certain dangerous characters in user input
 	$email         = escshellcmd($email);
-	$_passwd        = escshellarg($passwd);
+	$_passwd       = escshellarg($passwd);
 	$friendly_name = escshellarg($common_name);
 	$extensions    = escshellarg($cert_type.'_ext');