/[smecontribs]/rpms/phpki-ng/contribs10/phpki-ng-0.84-fix-for-php74-code-tidy.patch
ViewVC logotype

Annotation of /rpms/phpki-ng/contribs10/phpki-ng-0.84-fix-for-php74-code-tidy.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Sun Mar 7 19:16:18 2021 UTC (3 years, 8 months ago) by jcrisp
Branch: MAIN
CVS Tags: phpki-ng-0_84-11_el7_sme, phpki-ng-0_84-3_el7_sme, phpki-ng-0_84-10_el7_sme, phpki-ng-0_84-12_el7_sme, phpki-ng-0_84-7_el7_sme, phpki-ng-0_84-2_el7_sme, phpki-ng-0_84-5_el7_sme, phpki-ng-0_84-6_el7_sme, phpki-ng-0_84-9_el7_sme, phpki-ng-0_84-4_el7_sme, phpki-ng-0_84-8_el7_sme
* Wed Mar 07 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.84-2.sme
- Change version to 0.84
- Fix undefined constant errors [SME: 11397]
- fix tempdir [SME: 11398]
- update code to be PHP 7.4+ compliant
- format with CodeSniff to PSR2

1 jcrisp 1.1 diff -ruN phpki-ng.old/phpki-ng-0.84/about.php phpki-ng/phpki-ng-0.84/about.php
2     --- phpki-ng.old/phpki-ng-0.84/about.php 2020-04-02 14:22:47.000000000 +0200
3     +++ phpki-ng/phpki-ng-0.84/about.php 2021-03-07 19:33:03.019322943 +0100
4     @@ -1,31 +1,32 @@
5     <?php
6     -
7     -
8     include('./config.php');
9     include('./include/my_functions.php');
10     include('./include/common.php');
11    
12     printHeader('about');
13     -
14     ?>
15     +
16     <p>
17     PHPki is an <a href=http://www.opensource.org target=_blank>Open Source</a>
18     Web application for managing a <a href=<?php echo BASE_URL?>help/glossary.html#PKI target=help/glossary>
19     Public Key Infrastructure</a> within a small organizations. PHPki acts as a
20     mechanism for the centralized creation and management of digital certificates.
21     PHPki is capable of managing certificates for multiple organizations or user
22     -accounts.
23     +accounts.</p>
24    
25     <p>
26     PHPki requires the Apache Web Server, the <href=http://www.php.net target=_blank>PHP</a> Scripting Language, and <href=http://www.openssl.org target=_blank>
27     OpenSSL</a>, all of which are included with any major
28     <a href=http://www.linux.org target=_blank> Linux Operating System</a>
29     <a href=http://www.redhat.com target=_blank>distribution</a>.
30     +</p>
31    
32     <p>
33     This software may be freely redistributed under the terms of the
34     <a href=http://www.gnu.org target=_blank>GNU</a> Public
35     License provided this page and all copyright notices remain completely intact.
36     +</p>
37     +
38     <p>
39     <center><h4>Copyright: 2003, William E. Roadcap</h4>
40     <form>
41     @@ -36,7 +37,7 @@
42     </textarea>
43     </form>
44     </center>
45     -<p>
46     +</p>
47    
48     <?php
49     printFooter();
50     diff -ruN phpki-ng.old/phpki-ng-0.84/admin/index.php phpki-ng/phpki-ng-0.84/admin/index.php
51     --- phpki-ng.old/phpki-ng-0.84/admin/index.php 2020-04-02 14:22:47.000000000 +0200
52     +++ phpki-ng/phpki-ng-0.84/admin/index.php 2021-03-07 19:33:03.019322943 +0100
53     @@ -10,118 +10,117 @@
54     $passwd = gpvar('passwd');
55     $passwdv = gpvar('passwdv');
56    
57     -switch($stage) {
58     -case 'list_users':
59     - printHeader('admin');
60     +switch ($stage) {
61     + case 'list_users':
62     + printHeader('admin');
63     print '<p><h3>Contents of '.htvar($config['passwd_file']).' file:</h3><pre>';
64     readfile($config['passwd_file'])
65    
66     - ?>
67     - </pre>
68     - <form action="<?php echo $PHP_SELF?>" method="post">
69     - <input type=submit name=submit value="Back to Menu">
70     - </form>
71     - <?php
72     - printFooter(false);
73     - break;
74     -
75     -case 'add_user_form';
76     - printHeader('admin');
77     - ?>
78     - <body onLoad="self.focus();document.form.login.focus()">
79     - <form action="<?php echo $PHP_SELF?>" method="post" name="form">
80     - <table>
81     - <th colspan=2><h3>Add User or Change Password</h3></th>
82     - <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
83     - <tr><td>Password </td><td><input type=password name=passwd value='' size=20></td></tr>
84     - <tr><td>Verify Password </td><td><input type=password name=passwdv value='' size=20></td></tr>
85     - </table>
86     - <input type=hidden name=stage value=add_user>
87     - <input type=submit name=submit value='Submit'>
88     - </form>
89     - <?php
90     - break;
91     -
92     -case 'add_user':
93     - printHeader('admin');
94     - if (! $passwd || ! $passwdv || $passwd != $passwdv || strlen($passwd) < 8) {
95     - print "<center><h2><font color=red>Missing or invalid password or password and password verification do not match.</font></h2></center>"
96     -
97     - ?>
98     - <p><center>
99     - <form action="<?php echo $PHP_SELF?>" method="post">
100     - <input type=hidden name=stage value=add_user_form>
101     - <input type=hidden name=login value="<?php echo htvar($login)?>">
102     - <input type=submit name=submit value=Back>
103     - </form></center>
104     - <?php
105     - }
106     - else {
107     - $pwdfile = escapeshellarg($config['passwd_file']);
108     - $login = escapeshellarg($login);
109     - $passwd = escapeshellarg($passwd);
110     -
111     - print 'Results of htpasswd command:<br>';
112     - system("htpasswd -bm $pwdfile $login $passwd 2>&1")
113     - ?>
114     - <p>
115     - <form action="<?php echo $PHP_SELF?>" method="post">
116     - <input type=submit name=submit value="Back to Menu">
117     - </form>
118     - <?php
119     - }
120     - printFooter();
121     - break;
122     -
123     -case 'del_user_form';
124     - printHeader('admin');
125     - ?>
126     - <body onLoad="self.focus();document.form.login.focus();">
127     - <form action="<?php echo $PHP_SELF?>" method="post" name="form">
128     - <table>
129     - <th colspan=2><h3>Remove User</h3></th>
130     - <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
131     - </table>
132     - <input type=hidden name=stage value=del_user>
133     - <input type=submit name=submit value='Submit'>
134     - </form>
135     - <?php
136     - printFooter();
137     - break;
138     -case 'del_user':
139     - printHeader('admin');
140     -
141     - $pwdfile = escapeshellarg($config['passwd_file']);
142     - $login = escapeshellarg($login);
143     -
144     - print 'Results of htpasswd command:<br>';
145     - system("htpasswd -D $pwdfile $login 2>&1")
146     - ?>
147     - <p>
148     - <form action="<?php echo $PHP_SELF?>" method="post">
149     - <input type=submit name=submit value="Back to Menu">
150     - </form>
151     - <?php
152     - printFooter();
153     - break;
154     -
155     -default:
156     - printHeader('admin');
157     - ?>
158     - <br>
159     - <br>
160     - <center>
161     - <table class=menu><th class=menu>SYSADMIN MENU</th>
162     - <tr><td class=menu style="padding-left: 1em;"><table>
163     - <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=add_user_form>Add User or Change Password</a></td></tr>
164     - <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=del_user_form>Remove User</a></td></tr>
165     - <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=list_users>List Password File Contents</a></td></tr>
166     - </table></td></tr>
167     - </table>
168     - </center>
169     - <br><br>
170     - <?php
171     - printFooter();
172     + ?>
173     + </pre>
174     + <form action="<?php echo $PHP_SELF?>" method="post">
175     + <input type=submit name=submit value="Back to Menu">
176     + </form>
177     + <?php
178     + printFooter(false);
179     + break;
180     +
181     + case 'add_user_form';
182     + printHeader('admin');
183     + ?>
184     + <body onLoad="self.focus();document.form.login.focus()">
185     + <form action="<?php echo $PHP_SELF?>" method="post" name="form">
186     + <table>
187     + <th colspan=2><h3>Add User or Change Password</h3></th>
188     + <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
189     + <tr><td>Password </td><td><input type=password name=passwd value='' size=20></td></tr>
190     + <tr><td>Verify Password </td><td><input type=password name=passwdv value='' size=20></td></tr>
191     + </table>
192     + <input type=hidden name=stage value=add_user>
193     + <input type=submit name=submit value='Submit'>
194     + </form>
195     + <?php
196     + break;
197     +
198     + case 'add_user':
199     + printHeader('admin');
200     + if (! $passwd || ! $passwdv || $passwd != $passwdv || strlen($passwd) < 8) {
201     + print "<center><h2><font color=red>Missing or invalid password or password and password verification do not match.</font></h2></center>"
202     +
203     + ?>
204     + <p><center>
205     + <form action="<?php echo $PHP_SELF?>" method="post">
206     + <input type=hidden name=stage value=add_user_form>
207     + <input type=hidden name=login value="<?php echo htvar($login)?>">
208     + <input type=submit name=submit value=Back>
209     + </form></center>
210     + <?php
211     + } else {
212     + $pwdfile = escapeshellarg($config['passwd_file']);
213     + $login = escapeshellarg($login);
214     + $passwd = escapeshellarg($passwd);
215     +
216     + print 'Results of htpasswd command:<br>';
217     + system("htpasswd -bm $pwdfile $login $passwd 2>&1")
218     + ?>
219     + <p>
220     + <form action="<?php echo $PHP_SELF?>" method="post">
221     + <input type=submit name=submit value="Back to Menu">
222     + </form>
223     + <?php
224     + }
225     + printFooter();
226     + break;
227     +
228     + case 'del_user_form';
229     + printHeader('admin');
230     + ?>
231     + <body onLoad="self.focus();document.form.login.focus();">
232     + <form action="<?php echo $PHP_SELF?>" method="post" name="form">
233     + <table>
234     + <th colspan=2><h3>Remove User</h3></th>
235     + <tr><td>User ID</td><td><input type=text name=login value="<?php echo htvar($login)?>" maxlength=15 size=15></td></tr>
236     + </table>
237     + <input type=hidden name=stage value=del_user>
238     + <input type=submit name=submit value='Submit'>
239     + </form>
240     + <?php
241     + printFooter();
242     + break;
243     + case 'del_user':
244     + printHeader('admin');
245     +
246     + $pwdfile = escapeshellarg($config['passwd_file']);
247     + $login = escapeshellarg($login);
248     +
249     + print 'Results of htpasswd command:<br>';
250     + system("htpasswd -D $pwdfile $login 2>&1")
251     + ?>
252     + <p>
253     + <form action="<?php echo $PHP_SELF?>" method="post">
254     + <input type=submit name=submit value="Back to Menu">
255     + </form>
256     + <?php
257     + printFooter();
258     + break;
259     +
260     + default:
261     + printHeader('admin');
262     + ?>
263     + <br>
264     + <br>
265     + <center>
266     + <table class=menu><th class=menu>SYSADMIN MENU</th>
267     + <tr><td class=menu style="padding-left: 1em;"><table>
268     + <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=add_user_form>Add User or Change Password</a></td></tr>
269     + <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=del_user_form>Remove User</a></td></tr>
270     + <tr><td class=menu-pad><a href=<?php echo $PHP_SELF?>?stage=list_users>List Password File Contents</a></td></tr>
271     + </table></td></tr>
272     + </table>
273     + </center>
274     + <br><br>
275     + <?php
276     + printFooter();
277     }
278    
279     ?>
280     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/help.php phpki-ng/phpki-ng-0.84/ca/help.php
281     --- phpki-ng.old/phpki-ng-0.84/ca/help.php 2020-04-02 14:22:47.000000000 +0200
282     +++ phpki-ng/phpki-ng-0.84/ca/help.php 2021-03-07 19:33:03.029323092 +0100
283     @@ -364,7 +364,7 @@
284     <p>
285     <h2><a name="GETTING-HELP">GETTING ADDITIONAL HELP</a></h2>
286     <blockquote>
287     -<?php echo $config[getting_help]?>
288     +<?php echo $config['getting_help']?>
289     </blockquote>
290     <br>
291    
292     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/index.php phpki-ng/phpki-ng-0.84/ca/index.php
293     --- phpki-ng.old/phpki-ng-0.84/ca/index.php 2020-04-02 14:22:47.000000000 +0200
294     +++ phpki-ng/phpki-ng-0.84/ca/index.php 2021-03-07 19:33:03.070323708 +0100
295     @@ -1,3 +1,2 @@
296     <?php
297     header("Location: ./../index.php");
298     -?>
299     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/main.php phpki-ng/phpki-ng-0.84/ca/main.php
300     --- phpki-ng.old/phpki-ng-0.84/ca/main.php 2020-04-02 14:22:47.000000000 +0200
301     +++ phpki-ng/phpki-ng-0.84/ca/main.php 2021-03-07 19:33:03.070323709 +0100
302     @@ -8,161 +8,159 @@
303    
304     $stage = gpvar('stage');
305    
306     -switch($stage) {
307     -
308     -case 'dl_takey':
309     - upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream');
310     - break;
311     -
312     -case 'dl_dhparam':
313     - upload("$config[private_dir]/dhparam2048.pem", "$config[ca_prefix]dhparam2048.pem", 'application/octet-stream');
314     - break;
315     -
316     -case 'dl_root':
317     - upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
318     - break;
319     -
320     -case 'dl_crl':
321     - upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
322     - break;
323     -
324     -case 'dl_crl_pem':
325     - upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
326     - break;
327     -
328     -case 'gen_crl':
329     - list($ret,$errtxt) = CA_generate_crl();
330     -
331     - printHeader(false);
332     -
333     - if ($ret) {
334     - ?>
335     - <center><h2>Certificate Revocation List Updated</h2></center>
336     - <br>
337     - <form action="<?php echo $PHP_SELF?>" method="post">
338     - <input type="submit" name="submit" value="Back to Menu">
339     - </form>
340     - <?php
341     - print '<pre>'.CA_crl_text().'</pre>';
342     - }
343     - else {
344     - ?>
345     - <font color="#ff0000">
346     - <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
347     - <blockquote>
348     - <h3>Debug Info:</h3>
349     - <pre><?php echo $errtxt?></pre>
350     - </blockquote>
351     - <form action="<?php echo $PHP_SELF?>" method="post">
352     - <br>
353     - <input type="submit" name="submit" value="Back to Menu">
354     - <br>
355     - </form>
356     - <?php
357     -}
358     - break;
359     -
360     -case 'display_takey':
361     - printHeader(false);
362     -
363     - ?>
364     - <center><h2>OpenVPN pre-shared Key</h2></center>
365     - <br>
366     - <form action="<?php echo $PHP_SELF?>" method="post">
367     - <input type="submit" name="submit" value="Back to Menu">
368     - </form>
369     - <?php
370     - print '<pre>'.ta_key_text().'</pre>';
371     - break;
372     -
373     -case 'display_dhparam':
374     - printHeader(false);
375     -
376     - ?>
377     - <center><h2>OpenVPN Diffie-Helman parameters</h2></center>
378     - <br>
379     - <form action="<?php echo $PHP_SELF?>" method="post">
380     - <input type=submit name=submit value="Back to Menu">
381     - </form>
382     - <?php
383     - print '<pre>'.dhparam_text().'</pre>';
384     - break;
385     -
386     -case 'display_root_pem':
387     - printHeader(false);
388     -
389     - ?>
390     - <center><h2>Root certificate file (PEM Encoded)</h2></center>
391     - <br>
392     - <form action="<?php echo $PHP_SELF?>" method="post">
393     - <input type="submit" name="submit" value="Back to Menu">
394     - </form>
395     - <?php
396     - print '<pre>'.root_pem_text().'</pre>';
397     - break;
398     -
399     -
400     -default:
401     - printHeader('ca');
402     - ?>
403     - <br>
404     - <br>
405     - <center>
406     - <table class="menu" width="600px"><th class="menu" colspan="2"><big>CERTIFICATE MANAGEMENT MENU</big></th>
407     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width="33%">
408     - <a href="request_cert.php">Create a New Certificate</a></td>
409     - <td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates.
410     - You may create certificates in succession without re-entering the entire form
411     - by clicking the "<strong>Go Back</strong>" button after each certificate is created.</td></tr>
412     -
413     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
414     - <a href="manage_certs.php">Manage Certificates</a></td>
415     - <td>Conveniently view, download, revoke, and renew your existing certificates using the
416     - <strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr>
417     -
418     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
419     - <a href="<?php echo $PHP_SELF?>?stage=gen_crl">Update & View the Certificate Revocation List</a></td>
420     - <td>Some applications automagically reference the Certificate Revocation List to determine
421     - certificate validity. It is not necessary to perform this update function, as the CRL is
422     - updated when certificates are revoked. However, doing so is harmless.
423     - <a href="../help.php" target="_help">Read the online help</a> to learn more about this.</td></tr>
424     -
425     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
426     - <a href="<?php echo $PHP_SELF?>?stage=dl_root">Download the Root Certificate</a><br><br>
427     - <a href="<?php echo $PHP_SELF?>?stage=display_root_pem">Display the Root Certificate (PEM Encoded)</a></td>
428     - <td>The "Root" certificate must be installed before using any of the
429     - certificates issued here. <a href="../help.php" target="_help">Read the online help</a>
430     - to learn more about this.</td></tr>
431     -
432     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
433     - <a href="<?php echo $PHP_SELF?>?stage=dl_crl">Download the Certificate Revocation List</a><br><br>
434     - <a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Download in PEM format.</a></td>
435     - <td>This is the official list of revoked certificates. Using this list with your e-mail or
436     - browser application is optional. Some applications will automagically reference this list.</td></tr>
437     - <?php
438     - if (file_exists($config[private_dir] . '/takey.pem')) {
439     - ?>
440     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
441     - <a href="<?php echo $PHP_SELF?>?stage=dl_takey">Download the static pre-shared key</a><br><br>
442     - <a href="<?php echo $PHP_SELF?>?stage=display_takey">Display the static pre-shared key</a></td>
443     - <td>This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication.</td></tr>
444     - <?php }
445     - ?>
446     - <?php if (file_exists ($config[private_dir] . '/dhparam2048.pem')) {
447     - ?>
448     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
449     - <a href="<?php echo $PHP_SELF?>?stage=dl_dhparam">Download the Diffie-Hellman parameters</a><br><br>
450     - <a href="<?php echo $PHP_SELF?>?stage=display_dhparam">Display the Diffie-Hellman parameters</a></td>
451     - <td>This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement
452     - protocol enables two communication partners to exchange a secret key safely.</td></tr>
453     - <?php }
454     - ?>
455     -
456     - </table>
457     - </center>
458     - <br><br>
459     - <?php
460     - printFooter();
461     +switch ($stage) {
462     + case 'dl_takey':
463     + upload($config['private_dir'] . '/takey.pem', $config['ca_prefix'] . 'takey.pem', 'application/octet-stream');
464     + break;
465     +
466     + case 'dl_dhparam':
467     + upload($config['private_dir'] . '/dhparam2048.pem', $config['ca_prefix'] . 'dhparam2048.pem', 'application/octet-stream');
468     + break;
469     +
470     + case 'dl_root':
471     + upload($config['cacert_pem'], $config['ca_prefix'] . 'cacert.crt', 'application/x-x509-ca-cert');
472     + break;
473     +
474     + case 'dl_crl':
475     + upload($config['cacrl_der'], $config['ca_prefix'] . 'cacrl.crl', 'application/pkix-crl');
476     + break;
477     +
478     + case 'dl_crl_pem':
479     + upload($config['cacrl_pem'], $config['ca_prefix'] . 'cacrl.crl', 'application/octet-stream');
480     + break;
481     +
482     + case 'gen_crl':
483     + list($ret,$errtxt) = CA_generate_crl();
484     +
485     + printHeader(false);
486     +
487     + if ($ret) {
488     + ?>
489     + <center><h2>Certificate Revocation List Updated</h2></center>
490     + <br>
491     + <form action="<?php echo $PHP_SELF?>" method="post">
492     + <input type="submit" name="submit" value="Back to Menu">
493     + </form>
494     + <?php
495     + print '<pre>'.CA_crl_text().'</pre>';
496     + } else {
497     + ?>
498     + <font color="#ff0000">
499     + <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
500     + <blockquote>
501     + <h3>Debug Info:</h3>
502     + <pre><?php echo $errtxt?></pre>
503     + </blockquote>
504     + <form action="<?php echo $PHP_SELF?>" method="post">
505     + <br>
506     + <input type="submit" name="submit" value="Back to Menu">
507     + <br>
508     + </form>
509     + <?php
510     + }
511     + break;
512     +
513     + case 'display_takey':
514     + printHeader(false);
515     +
516     + ?>
517     + <center><h2>OpenVPN pre-shared Key</h2></center>
518     + <br>
519     + <form action="<?php echo $PHP_SELF?>" method="post">
520     + <input type="submit" name="submit" value="Back to Menu">
521     + </form>
522     + <?php
523     + print '<pre>'.ta_key_text().'</pre>';
524     + break;
525     +
526     + case 'display_dhparam':
527     + printHeader(false);
528     +
529     + ?>
530     + <center><h2>OpenVPN Diffie-Helman parameters</h2></center>
531     + <br>
532     + <form action="<?php echo $PHP_SELF?>" method="post">
533     + <input type=submit name=submit value="Back to Menu">
534     + </form>
535     + <?php
536     + print '<pre>'.dhparam_text().'</pre>';
537     + break;
538     +
539     + case 'display_root_pem':
540     + printHeader(false);
541     +
542     + ?>
543     + <center><h2>Root certificate file (PEM Encoded)</h2></center>
544     + <br>
545     + <form action="<?php echo $PHP_SELF?>" method="post">
546     + <input type="submit" name="submit" value="Back to Menu">
547     + </form>
548     + <?php
549     + print '<pre>'.root_pem_text().'</pre>';
550     + break;
551     +
552     +
553     + default:
554     + printHeader('ca');
555     + ?>
556     + <br>
557     + <br>
558     + <center>
559     + <table class="menu" width="600px"><th class="menu" colspan="2"><big>CERTIFICATE MANAGEMENT MENU</big></th>
560     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width="33%">
561     + <a href="request_cert.php">Create a New Certificate</a></td>
562     + <td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates.
563     + You may create certificates in succession without re-entering the entire form
564     + by clicking the "<strong>Go Back</strong>" button after each certificate is created.</td></tr>
565     +
566     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
567     + <a href="manage_certs.php">Manage Certificates</a></td>
568     + <td>Conveniently view, download, revoke, and renew your existing certificates using the
569     + <strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr>
570     +
571     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
572     + <a href="<?php echo $PHP_SELF?>?stage=gen_crl">Update & View the Certificate Revocation List</a></td>
573     + <td>Some applications automagically reference the Certificate Revocation List to determine
574     + certificate validity. It is not necessary to perform this update function, as the CRL is
575     + updated when certificates are revoked. However, doing so is harmless.
576     + <a href="../help.php" target="_help">Read the online help</a> to learn more about this.</td></tr>
577     +
578     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
579     + <a href="<?php echo $PHP_SELF?>?stage=dl_root">Download the Root Certificate</a><br><br>
580     + <a href="<?php echo $PHP_SELF?>?stage=display_root_pem">Display the Root Certificate (PEM Encoded)</a></td>
581     + <td>The "Root" certificate must be installed before using any of the
582     + certificates issued here. <a href="../help.php" target="_help">Read the online help</a>
583     + to learn more about this.</td></tr>
584     +
585     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
586     + <a href="<?php echo $PHP_SELF?>?stage=dl_crl">Download the Certificate Revocation List</a><br><br>
587     + <a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Download in PEM format.</a></td>
588     + <td>This is the official list of revoked certificates. Using this list with your e-mail or
589     + browser application is optional. Some applications will automagically reference this list.</td></tr>
590     + <?php
591     + if (file_exists($config['private_dir'] . '/takey.pem')) {
592     + ?>
593     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
594     + <a href="<?php echo $PHP_SELF?>?stage=dl_takey">Download the static pre-shared key</a><br><br>
595     + <a href="<?php echo $PHP_SELF?>?stage=display_takey">Display the static pre-shared key</a></td>
596     + <td>This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication.</td></tr>
597     + <?php }
598     + ?>
599     + <?php if (file_exists($config['private_dir'] . '/dhparam2048.pem')) {
600     + ?>
601     + <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
602     + <a href="<?php echo $PHP_SELF?>?stage=dl_dhparam">Download the Diffie-Hellman parameters</a><br><br>
603     + <a href="<?php echo $PHP_SELF?>?stage=display_dhparam">Display the Diffie-Hellman parameters</a></td>
604     + <td>This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement
605     + protocol enables two communication partners to exchange a secret key safely.</td></tr>
606     + <?php }
607     + ?>
608     +
609     + </table>
610     + </center>
611     + <br><br>
612     + <?php
613     + printFooter();
614     }
615    
616     ?>
617     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/manage_certs.php phpki-ng/phpki-ng-0.84/ca/manage_certs.php
618     --- phpki-ng.old/phpki-ng-0.84/ca/manage_certs.php 2020-04-02 14:22:47.000000000 +0200
619     +++ phpki-ng/phpki-ng-0.84/ca/manage_certs.php 2021-03-07 19:33:03.071323720 +0100
620     @@ -6,14 +6,14 @@
621     include('../include/common.php');
622     include('../include/openssl_functions.php');
623    
624     -$stage = gpvar('stage');
625     -$serial = gpvar('serial');
626     -$sortfield = gpvar('sortfield');
627     -$ascdec = gpvar('ascdec');
628     -$passwd = gpvar('passwd');
629     -$expiry = gpvar('expiry');
630     -$submit = gpvar('submit');
631     -$dl_type = gpvar('dl_type');
632     +$stage = gpvar('stage');
633     +$serial = gpvar('serial');
634     +$sortfield = gpvar('sortfield');
635     +$ascdec = gpvar('ascdec');
636     +$passwd = gpvar('passwd');
637     +$expiry = gpvar('expiry');
638     +$submit = gpvar('submit');
639     +$dl_type = gpvar('dl_type');
640    
641     $search = gpvar('search');
642     $show_valid = gpvar('show_valid');
643     @@ -22,404 +22,403 @@
644    
645    
646     # Prevent handling certs that don't belong to user
647     -if ($serial && CAdb_issuer($serial) != $PHPki_user && ! in_array($PHPki_user, $PHPki_admins)) {
648     - $stage = 'goaway';
649     +if ($serial && CAdb_issuer($serial) != $PHPki_user && ! in_array($PHPki_user, $PHPki_admins)) {
650     + $stage = 'goaway';
651     }
652    
653     -if ( !($show_valid.$show_revoked.$show_expired) ) {
654     - $show_valid = 'V';
655     - $show_revoked = 'R';
656     - $show_expired = 'E';
657     +if (!($show_valid.$show_revoked.$show_expired)) {
658     + $show_valid = 'V';
659     + $show_revoked = 'R';
660     + $show_expired = 'E';
661     }
662    
663     -$qstr_filter = 'search='.htvar($search) . '&' . "show_valid=$show_valid&" . "show_revoked=$show_revoked&" . "show_expired=$show_expired&";
664     +$qstr_filter = 'search='.htvar($search) . '&' . "show_valid=$show_valid&" . "show_revoked=$show_revoked&" . "show_expired=$show_expired&";
665    
666     $qstr_sort = "sortfield=$sortfield&ascdec=$ascdec";
667    
668     switch ($stage) {
669     -case 'goaway':
670     - printHeader(false);
671     - ?>
672     -
673     - <p><center><h1><font color="red">YOU ARE A VERY BAD BOY!</font></h2></center>
674     -
675     - <?php
676     - break;
677     -
678     -case 'display':
679     - printHeader(false);
680     - ?>
681     -
682     - <center><h2>Certificate Details</h2></center>
683     - <center><font color="#0000AA"><h3>(#<?php echo $serial?>)<br><?php echo htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>')?> </h3></font></center>
684     -
685     - <?php
686     -
687     - if ($revoke_date = CAdb_is_revoked($serial)) {
688     - print '<center><font color=red><h2>REVOKED '.$revoke_date.'</h2></font></center>';
689     - }
690     -
691     - print '<pre>'.CA_cert_text($serial).'</pre>';
692     - break;
693     -
694     -case 'dl-confirm':
695     - printHeader('ca');
696     -
697     - $rec = CAdb_get_entry($serial);
698     -
699     - ?>
700     - <h3>You are about to download the <font color=red>PRIVATE</font> certificate key for <?php echo $rec['common_name'].' &lt;'.$rec['email'].'&gt; '?></h3>
701     - <h3><font color="red">DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!</font></h3>
702     - <form action="<?php echo $PHP_SELF.'?stage=download&serial='.$serial.'&'.$qstr_sort.'&'.$qstr_filter?>" method="post">
703     - <strong>File type: </strong>
704     - <select name="dl_type">
705     - <option value="PKCS#12">PKCS#12 Bundle</option>
706     - <option value="PEMCERT">PEM Certificate</option>
707     - <option value="PEMKEY">PEM Key</option>
708     - <option value="PEMBUNDLE">PEM Bundle</option>
709     - <option value="PEMCABUNDLE">PEM Bundle w/Root</option>
710     - </select>
711     - <input type="submit" name="submit" value="Download">
712     - &nbsp; or &nbsp;
713     - <input type="submit" name="submit" value="Go Back">
714     - </form>
715     + case 'goaway':
716     + printHeader(false);
717     + ?>
718     +
719     + <p><center><h1><font color="red">YOU ARE A VERY BAD BOY!</font></h2></center>
720     +
721     + <?php
722     + break;
723     +
724     + case 'display':
725     + printHeader(false);
726     + ?>
727     +
728     + <center><h2>Certificate Details</h2></center>
729     + <center><font color="#0000AA"><h3>(#<?php echo $serial?>)<br><?php echo htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>')?> </h3></font></center>
730    
731     <?php
732    
733     - break;
734     + if ($revoke_date = CAdb_is_revoked($serial)) {
735     + print '<center><font color=red><h2>REVOKED '.$revoke_date.'</h2></font></center>';
736     + }
737    
738     -case 'download':
739     - if (strstr($submit, "Back")) $dl_type = '';
740     + print '<pre>'.CA_cert_text($serial).'</pre>';
741     + break;
742    
743     - $rec = CAdb_get_entry($serial);
744     + case 'dl-confirm':
745     + printHeader('ca');
746     +
747     + $rec = CAdb_get_entry($serial);
748     +
749     + ?>
750     + <h3>You are about to download the <font color=red>PRIVATE</font> certificate key for <?php echo $rec['common_name'].' &lt;'.$rec['email'].'&gt; '?></h3>
751     + <h3><font color="red">DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!</font></h3>
752     + <form action="<?php echo $PHP_SELF.'?stage=download&serial='.$serial.'&'.$qstr_sort.'&'.$qstr_filter?>" method="post">
753     + <strong>File type: </strong>
754     + <select name="dl_type">
755     + <option value="PKCS#12">PKCS#12 Bundle</option>
756     + <option value="PEMCERT">PEM Certificate</option>
757     + <option value="PEMKEY">PEM Key</option>
758     + <option value="PEMBUNDLE">PEM Bundle</option>
759     + <option value="PEMCABUNDLE">PEM Bundle w/Root</option>
760     + </select>
761     + <input type="submit" name="submit" value="Download">
762     + &nbsp; or &nbsp;
763     + <input type="submit" name="submit" value="Go Back">
764     + </form>
765     +
766     + <?php
767    
768     - switch ($dl_type) {
769     - case 'PKCS#12':
770     - upload("$config[pfx_dir]/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
771     - break;
772     - case 'PEMCERT':
773     - upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name]-cert.pem",'application/pkix-cert');
774     - break;
775     - case 'PEMKEY':
776     - upload("$config[private_dir]/$serial-key.pem", "$rec[common_name]-key.pem",'application/octet-stream');
777     - break;
778     - case 'PEMBUNDLE':
779     - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem"), "$rec[common_name]-Bundle.pem",'application/octet-stream');
780     - break;
781     - case 'PEMCABUNDLE':
782     - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$rec[common_name]-CABundle.pem",'application/octet-stream');
783     - break;
784     - default:
785     - header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
786     - }
787     - break;
788     -
789     -case 'revoke-form':
790     - $rec = CAdb_get_entry($serial);
791     -
792     - printHeader('ca');
793     -
794     - ?>
795     - <h4>You are about to <font color=red>REVOKE</font> the following certificate:
796     - <hr>
797     - <table width="500px"><tr>
798     - <td width="25%" style="white-space: nowrap">
799     - <p align="right">
800     + break;
801     +
802     + case 'download':
803     + if (strstr($submit, "Back")) {
804     + $dl_type = '';
805     + }
806     +
807     + $rec = CAdb_get_entry($serial);
808     +
809     + switch ($dl_type) {
810     + case 'PKCS#12':
811     + upload($config['pfx_dir'] . "/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
812     + break;
813     + case 'PEMCERT':
814     + upload($config['new_certs_dir'] . "/$serial.pem", "$rec[common_name]-cert.pem", 'application/pkix-cert');
815     + break;
816     + case 'PEMKEY':
817     + upload($config['private_dir'] . "/$serial-key.pem", "$rec[common_name]-key.pem", 'application/octet-stream');
818     + break;
819     + case 'PEMBUNDLE':
820     + upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem"), $rec['common_name'] . "-Bundle.pem", 'application/octet-stream');
821     + break;
822     + case 'PEMCABUNDLE':
823     + upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem", $config['cacert_pem']), $rec['common_name'] . "-CABundle.pem", 'application/octet-stream');
824     + break;
825     + default:
826     + header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
827     + }
828     + break;
829     +
830     + case 'revoke-form':
831     + $rec = CAdb_get_entry($serial);
832     +
833     + printHeader('ca');
834     +
835     + ?>
836     + <h4>You are about to <font color=red>REVOKE</font> the following certificate:
837     + <hr>
838     + <table width="500px"><tr>
839     + <td width="25%" style="white-space: nowrap">
840     + <p align="right">
841     Serial Number<br>
842     - User's Name<br>
843     - Email Address<br>
844     - Organization<br>
845     - Department/Unit<br>
846     - Locality<br>
847     - State/Province<br>
848     - Country<br>
849     - </p>
850     - </td>
851     - <?php
852     -
853     - print '
854     - <td>
855     - '.htvar($rec[serial]).'<br>
856     - '.htvar($rec[common_name]).'<br>
857     - '.htvar($rec[email]).'<br>
858     - '.htvar($rec[organization]).'<br>
859     - '.htvar($rec[unit]).'<br>
860     - '.htvar($rec[locality]).'<br>
861     - '.htvar($rec[province]).'<br>
862     - '.htvar($rec[country]).'<br>
863     - </td>
864     - </tr></table>
865     - <h4>Are you sure?</h4>
866     - <form action="'.$PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter.'" method=post>
867     - <input type=hidden name=stage value=revoke >
868     - <input type=hidden name=serial value='.$serial.' >
869     - <input type=submit name=submit value=Yes >&nbsp
870     - <input type=submit name=submit value=Cancel>
871     - </form>';
872     -
873     - break;
874     -
875     -case 'revoke':
876     - $ret = true;
877     - if ($submit == 'Yes')
878     - list($ret, $errtxt) = CA_revoke_cert($serial);
879     -
880     - if (! $ret) {
881     - printHeader('ca');
882     -
883     - print "<form action=\"$PHP_SELF?stage=revoke-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
884     - ?>
885     - <font color=#ff0000>
886     - <h2>There was an error revoking your certificate.</h2></font><br>
887     - <blockquote>
888     - <h3>Debug Info:</h3>
889     - <pre><?php echo $errtxt?></pre>
890     - </blockquote>
891     - <p>
892     - <input type=submit name=submit value=Back>
893     - <p>
894     - </form>
895     - <?php
896     - }
897     - else
898     - header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
899     - break;
900     -
901     -case 'renew-form':
902     - #
903     - # Get last known values submitted by this user. We only really
904     - # need the expiry value, but the old cert values will override
905     - # the rest.
906     - #
907     - if (! $submit and file_exists("config/user-${PHPki_user}.php")) {
908     - include("config/user-${PHPki_user}.php");
909     - }
910     - #
911     - # Get values from the old certificate.
912     - #
913     - $rec = CAdb_get_entry($serial);
914     - $country = $rec['country'];
915     - $province = $rec['province'];
916     - $locality = $rec['locality'];
917     - $organization = $rec['organization'];
918     - $unit = $rec['unit'];
919     - $common_name = $rec['common_name'];
920     - $email = $rec['email'];
921     -
922     - printHeader('ca');
923     - ?>
924     - <body onLoad="self.focus();document.form.passwd.focus();">
925     -
926     - <form action="<?php echo $PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter?>" method=post name=form>
927     - <table width=99%>
928     - <th colspan="2"><h3>Certificate Renewal Form</h3></th>
929     -
930     - <tr>
931     - <td colspan="2" style="text-align:center">This will Revoke the old Certificate and Create a new one<br>You can add a password if required</td>
932     - </tr>
933     -
934     - <tr>
935     - <td width="25%">Common Name </td>
936     - <td><input type="text"" name="common_name" value="<?php echo htvar($common_name)?>" size="50" maxlength="60" disabled></td>
937     - </tr>
938     -
939     - <tr>
940     - <td>E-mail Address </td>
941     - <td><input type="text" name="email" value="<?php echo htvar($email)?>" size="50" maxlength="60" disabled></td>
942     - </tr>
943     -
944     - <tr>
945     - <td>Organization </td>
946     - <td><input type="text" name="organization" value="<?php echo htvar($organization)?>" size="60" maxlength="60" disabled></td>
947     - </tr>
948     -
949     - <tr>
950     - <td>Department/Unit </td><td><input type="text" name="unit" value="<?php echo htvar($unit) ?>" size="40" maxlength="60" disabled></td>
951     - </tr>
952     -
953     - <tr>
954     - <td>Locality</td><td><input type="text" name="locality" value="<?php echo htvar($locality) ?>" size="30" maxlength="30" disabled></td>
955     - </tr>
956     -
957     - <tr>
958     - <td>State/Province</td><td><input type="text" name="province" value="<?php echo htvar($province) ?>" size="30" maxlength="30" disabled></td>
959     - </tr>
960     -
961     - <tr>
962     - <td>Country</td>
963     - <td><input type="text" name="country" value="<?php echo htvar($country) ?>" size="2" maxlength="2" disabled></td>
964     - </tr>
965     -
966     - <tr>
967     - <td>Certificate Password </td>
968     - <td><input type="password" name="passwd" value="<?php echo htvar($passwd) ?>" size="30"></td>
969     - </tr>
970     -
971     - <tr>
972     - <td>Certificate Life </td>
973     - <td><select name=expiry>
974     - <?php
975     -
976     - print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
977     - print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
978     - print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
979     - print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
980     - for ( $i = 2 ; $i <= 5 ; $i++ ) {
981     - print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
982     - }
983     -
984     - ?>
985     -
986     - </select></td>
987     - </tr>
988     - <tr>
989     - <td>&nbsp</td>
990     - <td>
991     - <input type="submit" name="submit" value="Submit Request">&nbsp
992     - <input type="submit" name="submit" value="Back">
993     - <input type="hidden" name="stage" value="renew">
994     - <input type="hidden" name="serial" value="<?php echo $serial ?>" >
995     - </td>
996     - </tr>
997     - </table>
998     - </form>
999     -
1000     - <?php
1001     -
1002     - printFooter();
1003     - break;
1004     -
1005     -case 'renew':
1006     - $ret = true;
1007     - if ($submit == "Submit Request") {
1008     - list($ret, $errtxt) = CA_renew_cert($serial, $expiry, $passwd);
1009     - }
1010     -
1011     - if (! $ret) {
1012     - printHeader('ca');
1013     -
1014     - print "<form action=\"$PHP_SELF?stage=renew-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
1015     - ?>
1016     - <font color=#ff0000>
1017     - <h2>There was an error creating your certificate.</h2>
1018     - </font><br>
1019     - <blockquote>
1020     - <h3>Debug Info:</h3>
1021     - <pre><?php echo $errtxt?></pre>
1022     - </blockquote>
1023     - <p>
1024     - <input type="submit" name="submit" value="Back">
1025     - <p>
1026     - </form>
1027     - <?php
1028     - }
1029     - else {
1030     - header("Location: $PHP_SELF?$qstr_sort&$qstr_filter");
1031     - }
1032     -
1033     - break;
1034     -
1035     -default:
1036     -
1037     - printHeader('ca');
1038     -
1039     - ?>
1040     - <body onLoad="self.focus();document.filter.search.focus();">
1041     - <table style="margin:0 auto">
1042     - <tr><th colspan=9><big>CERTIFICATE MANAGEMENT CONTROL PANEL</big></th></tr>
1043     - <tr><td colspan=9><center>
1044     - <form action="<?php echo "$PHP_SELF?$qstr_sort"?>" method="get" name="filter">
1045     + User's Name<br>
1046     + Email Address<br>
1047     + Organization<br>
1048     + Department/Unit<br>
1049     + Locality<br>
1050     + State/Province<br>
1051     + Country<br>
1052     + </p>
1053     + </td>
1054     + <?php
1055     +
1056     + print '
1057     + <td>
1058     + '.htvar($rec['serial']).'<br>
1059     + '.htvar($rec['common_name']).'<br>
1060     + '.htvar($rec['email']).'<br>
1061     + '.htvar($rec['organization']).'<br>
1062     + '.htvar($rec['unit']).'<br>
1063     + '.htvar($rec['locality']).'<br>
1064     + '.htvar($rec['province']).'<br>
1065     + '.htvar($rec['country']).'<br>
1066     + </td>
1067     + </tr></table>
1068     + <h4>Are you sure?</h4>
1069     + <form action="'.$PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter.'" method=post>
1070     + <input type=hidden name=stage value=revoke >
1071     + <input type=hidden name=serial value='.$serial.' >
1072     + <input type=submit name=submit value=Yes >&nbsp
1073     + <input type=submit name=submit value=Cancel>
1074     + </form>';
1075     +
1076     + break;
1077     +
1078     + case 'revoke':
1079     + $ret = true;
1080     + if ($submit == 'Yes') {
1081     + list($ret, $errtxt) = CA_revoke_cert($serial);
1082     + }
1083     +
1084     + if (! $ret) {
1085     + printHeader('ca');
1086     +
1087     + print "<form action=\"$PHP_SELF?stage=revoke-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
1088     + ?>
1089     + <font color=#ff0000>
1090     + <h2>There was an error revoking your certificate.</h2></font><br>
1091     + <blockquote>
1092     + <h3>Debug Info:</h3>
1093     + <pre><?php echo $errtxt?></pre>
1094     + </blockquote>
1095     + <p>
1096     + <input type=submit name=submit value=Back>
1097     + <p>
1098     + </form>
1099     + <?php
1100     + } else {
1101     + header("Location: ${PHP_SELF}?$qstr_sort&$qstr_filter");
1102     + }
1103     + break;
1104     +
1105     + case 'renew-form':
1106     + #
1107     + # Get last known values submitted by this user. We only really
1108     + # need the expiry value, but the old cert values will override
1109     + # the rest.
1110     + #
1111     + if (! $submit and file_exists("config/user-${PHPki_user}.php")) {
1112     + include("config/user-${PHPki_user}.php");
1113     + }
1114     + #
1115     + # Get values from the old certificate.
1116     + #
1117     + $rec = CAdb_get_entry($serial);
1118     + $country = $rec['country'];
1119     + $province = $rec['province'];
1120     + $locality = $rec['locality'];
1121     + $organization = $rec['organization'];
1122     + $unit = $rec['unit'];
1123     + $common_name = $rec['common_name'];
1124     + $email = $rec['email'];
1125     +
1126     + printHeader('ca');
1127     + ?>
1128     + <body onLoad="self.focus();document.form.passwd.focus();">
1129     +
1130     + <form action="<?php echo $PHP_SELF.'?'.$qstr_sort.'&'.$qstr_filter?>" method=post name=form>
1131     + <table width=99%>
1132     + <th colspan="2"><h3>Certificate Renewal Form</h3></th>
1133     +
1134     + <tr>
1135     + <td colspan="2" style="text-align:center">This will Revoke the old Certificate and Create a new one<br>You can add a password if required</td>
1136     + </tr>
1137     +
1138     + <tr>
1139     + <td width="25%">Common Name </td>
1140     + <td><input type="text"" name="common_name" value="<?php echo htvar($common_name)?>" size="50" maxlength="60" disabled></td>
1141     + </tr>
1142     +
1143     + <tr>
1144     + <td>E-mail Address </td>
1145     + <td><input type="text" name="email" value="<?php echo htvar($email)?>" size="50" maxlength="60" disabled></td>
1146     + </tr>
1147     +
1148     + <tr>
1149     + <td>Organization </td>
1150     + <td><input type="text" name="organization" value="<?php echo htvar($organization)?>" size="60" maxlength="60" disabled></td>
1151     + </tr>
1152     +
1153     + <tr>
1154     + <td>Department/Unit </td><td><input type="text" name="unit" value="<?php echo htvar($unit) ?>" size="40" maxlength="60" disabled></td>
1155     + </tr>
1156     +
1157     + <tr>
1158     + <td>Locality</td><td><input type="text" name="locality" value="<?php echo htvar($locality) ?>" size="30" maxlength="30" disabled></td>
1159     + </tr>
1160     +
1161     + <tr>
1162     + <td>State/Province</td><td><input type="text" name="province" value="<?php echo htvar($province) ?>" size="30" maxlength="30" disabled></td>
1163     + </tr>
1164     +
1165     + <tr>
1166     + <td>Country</td>
1167     + <td><input type="text" name="country" value="<?php echo htvar($country) ?>" size="2" maxlength="2" disabled></td>
1168     + </tr>
1169     +
1170     + <tr>
1171     + <td>Certificate Password </td>
1172     + <td><input type="password" name="passwd" value="<?php echo htvar($passwd) ?>" size="30"></td>
1173     + </tr>
1174     +
1175     + <tr>
1176     + <td>Certificate Life </td>
1177     + <td><select name=expiry>
1178     +
1179     + <?php
1180     + print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
1181     + print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
1182     + print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
1183     + print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
1184     + for ($i = 2; $i <= 5; $i++) {
1185     + print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
1186     + }
1187     + ?>
1188     +
1189     + </select></td>
1190     + </tr>
1191     + <tr>
1192     + <td>&nbsp</td>
1193     + <td>
1194     + <input type="submit" name="submit" value="Submit Request">&nbsp
1195     + <input type="submit" name="submit" value="Back">
1196     + <input type="hidden" name="stage" value="renew">
1197     + <input type="hidden" name="serial" value="<?php echo $serial ?>" >
1198     + </td>
1199     + </tr>
1200     + </table>
1201     + </form>
1202     +
1203     + <?php
1204     +
1205     + printFooter();
1206     + break;
1207     +
1208     + case 'renew':
1209     + $ret = true;
1210     + if ($submit == "Submit Request") {
1211     + list($ret, $errtxt) = CA_renew_cert($serial, $expiry, $passwd);
1212     + }
1213     +
1214     + if (! $ret) {
1215     + printHeader('ca');
1216     +
1217     + print "<form action=\"$PHP_SELF?stage=renew-form&serial=$serial&$qstr_sort&$qstr_filter\" method=post>";
1218     + ?>
1219     + <font color=#ff0000>
1220     + <h2>There was an error creating your certificate.</h2>
1221     + </font><br>
1222     + <blockquote>
1223     + <h3>Debug Info:</h3>
1224     + <pre><?php echo $errtxt?></pre>
1225     + </blockquote>
1226     + <p>
1227     + <input type="submit" name="submit" value="Back">
1228     + <p>
1229     + </form>
1230     + <?php
1231     + } else {
1232     + header("Location: $PHP_SELF?$qstr_sort&$qstr_filter");
1233     + }
1234     +
1235     + break;
1236     +
1237     + default:
1238     + printHeader('ca');
1239     + ?>
1240     +
1241     + <body onLoad="self.focus();document.filter.search.focus();">
1242     + <table style="margin:0 auto">
1243     + <tr><th colspan=9><big>CERTIFICATE MANAGEMENT CONTROL PANEL</big></th></tr>
1244     + <tr><td colspan=9><center>
1245     + <form action="<?php echo "$PHP_SELF?$qstr_sort"?>" method="get" name="filter">
1246     Search: <input type="text" name=search" value="<?php echo htvar($search)?>" style="font-size: 11px;" maxlength="60" size="30">
1247     &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
1248     - <input type="checkbox" name="show_valid" value="V" <?php echo ($show_valid?'checked':'')?>>Valid
1249     + <input type="checkbox" name="show_valid" value="V" <?php echo ($show_valid?'checked':'')?>>Valid
1250     &nbsp&nbsp
1251     - <input type="checkbox" name="show_revoked" value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
1252     + <input type="checkbox" name="show_revoked" value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
1253     &nbsp&nbsp
1254     - <input type="checkbox" name="show_expired" value="E" <?php echo ($show_expired?'checked':'')?>>Expired
1255     + <input type="checkbox" name="show_expired" value="E" <?php echo ($show_expired?'checked':'')?>>Expired
1256     &nbsp&nbsp&nbsp&nbsp&nbsp
1257     - <input type="submit" name="submit" value="Apply Filter" style="font-size: 11px;">
1258     + <input type="submit" name="submit" value="Apply Filter" style="font-size: 11px;">
1259     </form>
1260     - </center></td>
1261     - </tr>
1262     - <?php
1263     -
1264     - if (! $sortfield) {
1265     - $sortfield = 'email' ;
1266     - $ascdec = 'A';
1267     - }
1268     -
1269     - if ($ascdec == 'A') {
1270     - $arrow_gif = '../images/uparrow-blue.gif';
1271     - $ht_ascdec = 'D';
1272     - }
1273     - else {
1274     - $arrow_gif = '../images/downarrow-blue.gif';
1275     - $ht_ascdec = 'A';
1276     - }
1277     -
1278     - print '<tr>';
1279     -
1280     - $headings = array(
1281     - 'status'=>"Status", 'issued'=>"Issued", 'expires'=>"Expires",
1282     - 'common_name'=>"User's Name", 'email'=>"E-mail",
1283     - 'organization'=>"Organization", 'unit'=>"Department",
1284     - 'locality'=>"Locality"
1285     - );
1286     -
1287     - foreach($headings as $field=>$head) {
1288     - print '<th><a href="'.$PHP_SELF.'?sortfield='.$field.'&ascdec=A&'.$qstr_filter.'" title="Click to sort on this column."><u>'.$head.'</u></a>';
1289     -
1290     - if ($sortfield == $field) {
1291     - print '&nbsp<a href="'.$PHP_SELF.'?sortfield='.$field.'&ascdec='.$ht_ascdec.'&'.$qstr_filter.'" >'.
1292     - '<img src='.$arrow_gif.' height=12 alt=\'Change sort order.\' title=\'Click to reverse sort order.\'></a>';
1293     - }
1294     -
1295     - print '</th>';
1296     - }
1297     - print '<th><font color=green>Actions</font></th>';
1298     - print '</tr>';
1299     -
1300     - $x = "^[$show_valid$show_revoked$show_expired]";
1301     -
1302     - if (in_array($PHPki_user, $PHPki_admins)) {
1303     - $x = "$x.*$search";
1304     - }
1305     - else {
1306     - $x = "$x.*$search.*$PHPki_user|$x.*$PHPki_user.*$search";
1307     - }
1308     -
1309     - $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC));
1310     -
1311     - $stcolor = array('Valid'=>'green','Revoked'=>'red','Expired'=>'orange');
1312     -
1313     - foreach($db as $rec) {
1314     - print '<tr style="font-size: 11px;">
1315     - <td><font color='.$stcolor[$rec['status']].'><b>' .$rec[status].'</b></font></td>
1316     - <td style="white-space: nowrap">'.$rec['issued'].'</td>
1317     - <td style="white-space: nowrap">'.$rec['expires'].'</td>
1318     - <td>'.$rec['common_name'].'</td>
1319     - <td style="white-space: nowrap"><a href="mailto:' . htvar($rec['common_name']) . ' <' . htvar($rec['email']) . '>" >' . htvar($rec['email']) . '</a></td>
1320     - <td>'.htvar($rec['organization']).'</td>
1321     - <td>'.htvar($rec['unit']).'</td>
1322     - <td>'.htvar($rec['locality']).'</td>
1323     - <td><a href="'.$PHP_SELF.'?stage=display&serial='.$rec['serial'].'" target=_certdisp>'.
1324     - '<img src=../images/display.png alt="Display" title="Display complete certificate details."></a>';
1325     -
1326     - if ($rec['status'] == 'Valid') {
1327     - print '
1328     - <a href="'.$PHP_SELF.'?stage=dl-confirm&serial='.$rec['serial'].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
1329     - '<img src=../images/download.png alt="Download" title="Download the PRIVATE certificate. DO NOT DISTRIBUTE THIS TO THE PUBLIC!"></a>
1330     - <a href="'.$PHP_SELF.'?stage=revoke-form&serial='.$rec['serial'].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
1331     - '<img src=../images/revoke.png alt="Revoke" title="Revoke the certificate when the e-mail address is no longer valid or the certificate password or private key has been compromised."></a>';
1332     - }
1333     - print '
1334     - <a href="'.$PHP_SELF.'?stage=renew-form&serial='.$rec['serial'].'&'.$qstr_sort.'&'.$qstr_filter.'">'.
1335     - '<img src=../images/renew.png alt="Renew" title="Renew the certificate by revoking it, if necessary, and creating a replacement with a new expiration date."></a>
1336     - </td></tr>';
1337     - }
1338     + </center></td>
1339     + </tr>
1340     +
1341     + <?php
1342     +
1343     + if (! $sortfield) {
1344     + $sortfield = 'email' ;
1345     + $ascdec = 'A';
1346     + }
1347     +
1348     + if ($ascdec == 'A') {
1349     + $arrow_gif = '../images/uparrow-blue.gif';
1350     + $ht_ascdec = 'D';
1351     + } else {
1352     + $arrow_gif = '../images/downarrow-blue.gif';
1353     + $ht_ascdec = 'A';
1354     + }
1355     +
1356     + print '<tr>';
1357     +
1358     + $headings = array(
1359     + 'status'=>"Status", 'issued'=>"Issued", 'expires'=>"Expires",
1360     + 'common_name'=>"User's Name", 'email'=>"E-mail",
1361     + 'organization'=>"Organization", 'unit'=>"Department",
1362     + 'locality'=>"Locality"
1363     + );
1364     +
1365     + foreach ($headings as $field => $head) {
1366     + print '<th><a href="'.$PHP_SELF.'?sortfield='.$field.'&ascdec=A&'.$qstr_filter.'" title="Click to sort on this column."><u>'.$head.'</u></a>';
1367     +
1368     + if ($sortfield == $field) {
1369     + print '&nbsp<a href="'.$PHP_SELF.'?sortfield='.$field.'&ascdec='.$ht_ascdec.'&'.$qstr_filter.'" >'.
1370     + '<img src='.$arrow_gif.' height=12 alt=\'Change sort order.\' title=\'Click to reverse sort order.\'></a>';
1371     + }
1372     +
1373     + print '</th>';
1374     + }
1375     + print '<th><font color=green>Actions</font></th>';
1376     + print '</tr>';
1377     +
1378     + $x = "^[$show_valid$show_revoked$show_expired]";
1379     +
1380     + if (in_array($PHPki_user, $PHPki_admins)) {
1381     + $x = "$x.*$search";
1382     + } else {
1383     + $x = "$x.*$search.*$PHPki_user|$x.*$PHPki_user.*$search";
1384     + }
1385     +
1386     + $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC));
1387     +
1388     + $stcolor = array('Valid'=>'green','Revoked'=>'red','Expired'=>'orange');
1389     +
1390     + foreach ($db as $rec) {
1391     + print '<tr style="font-size: 11px;">
1392     + <td><font color='. $stcolor[$rec['status']] . '><b>' . $rec['status'] . '</b></font></td>
1393     + <td style="white-space: nowrap">'.$rec['issued'].'</td>
1394     + <td style="white-space: nowrap">'.$rec['expires'].'</td>
1395     + <td>' . $rec['common_name'] . '</td>
1396     + <td style="white-space: nowrap"><a href="mailto:' . htvar($rec['common_name']) . ' <' . htvar($rec['email']) . '>" >' . htvar($rec['email']) . '</a></td>
1397     + <td>' . htvar($rec['organization']) . '</td>
1398     + <td>' . htvar($rec['unit']) . '</td>
1399     + <td>' . htvar($rec['locality']) . '</td>
1400     + <td><a href="' . $PHP_SELF . '?stage=display&serial=' . $rec['serial'] . '" target=_certdisp>'.
1401     + '<img src=../images/display.png alt="Display" title="Display complete certificate details."></a>';
1402     +
1403     + if ($rec['status'] == 'Valid') {
1404     + print '
1405     + <a href="' . $PHP_SELF . '?stage=dl-confirm&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
1406     + '<img src=../images/download.png alt="Download" title="Download the PRIVATE certificate. DO NOT DISTRIBUTE THIS TO THE PUBLIC!"></a>
1407     + <a href="' . $PHP_SELF . '?stage=revoke-form&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
1408     + '<img src=../images/revoke.png alt="Revoke" title="Revoke the certificate when the e-mail address is no longer valid or the certificate password or private key has been compromised."></a>';
1409     + }
1410     + print '
1411     + <a href="' . $PHP_SELF . '?stage=renew-form&serial=' . $rec['serial'] . '&' . $qstr_sort . '&' . $qstr_filter . '">' .
1412     + '<img src=../images/renew.png alt="Renew" title="Renew the certificate by revoking it, if necessary, and creating a replacement with a new expiration date."></a>
1413     + </td></tr>';
1414     + }
1415    
1416     - print '</table>';
1417     + print '</table>';
1418    
1419     - printFooter();
1420     + printFooter();
1421     }
1422     ?>
1423     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/policy.html phpki-ng/phpki-ng-0.84/ca/policy.html
1424     --- phpki-ng.old/phpki-ng-0.84/ca/policy.html 2020-04-02 14:22:47.000000000 +0200
1425     +++ phpki-ng/phpki-ng-0.84/ca/policy.html 2021-03-07 19:33:03.072323731 +0100
1426     @@ -1,78 +1,34 @@
1427     -<html>
1428     -
1429     -<head>
1430     -<title>Certificate Authority Agreement</title>
1431     -</head>
1432     -
1433     -<body>
1434     -
1435     -<h2 align=center>Certificate Authority Agreement</h2>
1436     -<h3 align=center>Policy and Practices</h3>
1437     -
1438     -<br><br>
1439     -<p>This is a statement of practices by this Digital Certificate Authority.
1440     -Your use of this Certificate Authority constitutes your and/or your agency's
1441     -understanding and full acceptance of these practices and all associated risks.
1442     -<strong>Please have an authorized person at your agency sign this document and fax it to 000-000-0000</strong>
1443     -
1444     -<p>This document may not be all encompassing, and we reserve the right to modify it at any time.
1445     -
1446     -<ul>
1447     -<li> The sole role of this Certificate Authority is
1448     -to provide and maintain a password protected software application for the easy
1449     -and instant creation and management of standard x.509 personal digital
1450     -certificates for e-mail encryption. We assume no responsibility for
1451     -verifying the identity of any persons other than that of the limited number of
1452     -authorized users of the software.
1453     -We accept no liability for damages resulting from the use, misuse,
1454     -or compromise of the software application or its host server.
1455     -
1456     -<p><li>As an authorized user of the software, you are in effect <strong>THE</strong> Certificate Authority for your
1457     -agency. As such, you are solely
1458     -responsible for authenticating the identity of the persons for whom you obtain
1459     -certificates. We accept no
1460     -responsibility or liability for non-repudiation in any digital certificate
1461     -created by this software. You agree that
1462     -password protection to the application by authorized certificate managers,
1463     -and personal identity management by
1464     -those managers is sufficient to create a chain of trust for non-repudiation
1465     -in all digital certificates created using the software.
1466     -
1467     -<p><li>No more than two(2)
1468     -users at your agency should have access to your agency's Certificate Authority
1469     -password. We should be notified
1470     -immediately, via e-mail, when the employment of any
1471     -authorized user at your agency is terminated so that a new password can be
1472     -issued.
1473     -
1474     -<p><li>This Certificate
1475     -Authority software application is accessed via the Internet using standard SSL
1476     -or Secure Server encryption mechanisms.
1477     -Although steps have been taken to protect the security and availability
1478     -of the host server and application, its exposure to the Internet as well as any
1479     -presently unknown security flaws could lead to potential compromise of the
1480     -software and your certificates.
1481     -
1482     -<p><li>No promise is made as
1483     -to the availability of the software in the event of hardware, software, or
1484     -telecommunications failure or maintenance. 
1485     -No advanced notice will be given when the software must be temporarily
1486     -taken off line for service.
1487     -
1488     -<p><li>In order to provide
1489     -software which can easily create &quot;instant&quot; certificates it is
1490     -necessary to store all private keys on the host server. As such, all private keys are potentially exposed
1491     -to the Internet and suffer some risk of unauthorized access. However, since all private keys <strong>ARE
1492     -ENCRYPTED</strong> using a password provided by you, they are unlikely to be usable by
1493     -any intruder.
1494     -
1495     -<p><li>A publicly accessible
1496     -web page is provided for interested Internet users to download the Certificate
1497     -Authority root certificate, certificate revocation list, and search for the
1498     -e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static
1499     -content with users' e-mail addresses is available.
1500     -
1501     -</ul>
1502     -</body>
1503     -
1504     -</html>
1505     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
1506     +
1507     +<html>
1508     +<head>
1509     + <title>Certificate Authority Agreement</title>
1510     +</head>
1511     +
1512     +<body>
1513     + <h2 align="center">Certificate Authority Agreement</h2>
1514     +
1515     + <h3 align="center">Policy and Practices</h3><br>
1516     + <br>
1517     +
1518     + <p>This is a statement of practices by this Digital Certificate Authority. Your use of this Certificate Authority constitutes your and/or your agency's understanding and full acceptance of these practices and all associated risks. <strong>Please have an authorized person at your agency sign this document and fax it to 000-000-0000</strong></p>
1519     +
1520     + <p>This document may not be all encompassing, and we reserve the right to modify it at any time.</p>
1521     +
1522     + <ul>
1523     + <li>The sole role of this Certificate Authority is to provide and maintain a password protected software application for the easy and instant creation and management of standard x.509 personal digital certificates for e-mail encryption. We assume no responsibility for verifying the identity of any persons other than that of the limited number of authorized users of the software. We accept no liability for damages resulting from the use, misuse, or compromise of the software application or its host server.</li>
1524     +
1525     + <li>As an authorized user of the software, you are in effect <strong>THE</strong> Certificate Authority for your agency. As such, you are solely responsible for authenticating the identity of the persons for whom you obtain certificates. We accept no responsibility or liability for non-repudiation in any digital certificate created by this software. You agree that password protection to the application by authorized certificate managers, and personal identity management by those managers is sufficient to create a chain of trust for non-repudiation in all digital certificates created using the software.</li>
1526     +
1527     + <li>No more than two(2) users at your agency should have access to your agency's Certificate Authority password. We should be notified immediately, via e-mail, when the employment of any authorized user at your agency is terminated so that a new password can be issued.</li>
1528     +
1529     + <li>This Certificate Authority software application is accessed via the Internet using standard SSL or Secure Server encryption mechanisms. Although steps have been taken to protect the security and availability of the host server and application, its exposure to the Internet as well as any presently unknown security flaws could lead to potential compromise of the software and your certificates.</li>
1530     +
1531     + <li>No promise is made as to the availability of the software in the event of hardware, software, or telecommunications failure or maintenance.&nbsp; No advanced notice will be given when the software must be temporarily taken off line for service.</li>
1532     +
1533     + <li>In order to provide software which can easily create "instant" certificates it is necessary to store all private keys on the host server. As such, all private keys are potentially exposed to the Internet and suffer some risk of unauthorized access. However, since all private keys <strong>ARE ENCRYPTED</strong> using a password provided by you, they are unlikely to be usable by any intruder.</li>
1534     +
1535     + <li>A publicly accessible web page is provided for interested Internet users to download the Certificate Authority root certificate, certificate revocation list, and search for the e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static content with users' e-mail addresses is available.</li>
1536     + </ul>
1537     +</body>
1538     +</html>
1539     diff -ruN phpki-ng.old/phpki-ng-0.84/ca/request_cert.php phpki-ng/phpki-ng-0.84/ca/request_cert.php
1540     --- phpki-ng.old/phpki-ng-0.84/ca/request_cert.php 2020-04-02 14:22:47.000000000 +0200
1541     +++ phpki-ng/phpki-ng-0.84/ca/request_cert.php 2021-03-07 19:33:03.072323731 +0100
1542     @@ -7,7 +7,7 @@
1543     include('../include/openssl_functions.php') ;
1544    
1545     # User's preferences file
1546     -$user_cnf = "$config[home_dir]/config/user-".strtr($PHPki_user,'/\\','|#').'.php';
1547     +$user_cnf = $config['home_dir'] . "/config/user-".strtr($PHPki_user, '/\\', '|#').'.php';
1548    
1549     # Retrieve GET/POST values
1550     $form_stage = gpvar('form_stage');
1551     @@ -48,355 +48,398 @@
1552    
1553    
1554     switch ($form_stage) {
1555     + case 'validate':
1556     + $er = '';
1557    
1558     -case 'validate':
1559     - $er = '';
1560     -
1561     - if (! $country) $er .= 'Missing Country<br>';
1562     - if (! $province) $er .= 'Missing State/Province<br>';
1563     - if (! $locality) $er .= 'Missing Locality (City/County)<br>';
1564     - if (! $organization) $er .= 'Missing Organization (Company/Agency)<br>';
1565     - if (! $unit) $er .= 'Missing Unit/Department<br>';
1566     - if (! $common_name) $er .= 'Missing E-mail User\'s Full Name<br>';
1567     - if (! $email) $er .= 'Missing E-mail Address<br>';
1568     -
1569     - if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd) $er .= 'Missing Certificate Password<br>';
1570     - if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv) $er .= 'Missing Certificate Password Verification "Again"<br>';
1571     -
1572     - if ( $passwd && strlen($passwd) < 8 )
1573     - $er .= 'Certificate password is too short.<br>';
1574     -
1575     - if ( $passwd and $passwd != $passwdv )
1576     - $er .= 'Password and password verification do not match.<br>';
1577     -
1578     - //if ( ! is_alnum($passwd) or ! is_alnum($passwdv) )
1579     - // $er .= 'Password contains invalid characters.<br>';
1580     -
1581     - if ( $email && ! is_email($email) )
1582     - $er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';
1583     -
1584     - $ip_ar=explode("\n", $ip_addr);
1585     - foreach ($ip_ar as $value){
1586     - if ( $value && ! is_ip($value) )
1587     - $er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
1588     - }
1589     -
1590     - $dns_n=explode("\n", $dns_names);
1591     - foreach ($dns_n as $value){
1592     - if ( $value && ! is_fqdn(trim($value)) )
1593     - $er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
1594     - }
1595     -
1596     - if ( $er )
1597     - $er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
1598     -
1599     - if ($email && ($serial = CAdb_in($email,$common_name))) {
1600     - $er = '';
1601     - $certtext = CA_cert_text($serial);
1602     - $er .= '<h2>A valid certificate already exists for ' . htvar("$common_name <$email>") . '</h2>';
1603     - $er .= '</font><blockquote><pre> ' . htvar($certtext) . ' </pre></blockquote>';
1604     -
1605     - }
1606     -
1607     - if ($er) {
1608     - printHeader();
1609     - ?>
1610     -
1611     - <form action='<?php echo $PHP_SELF?>' method=post>
1612     - <input type=submit name=submit value='Go Back'>
1613     - <font color=#ff0000><?php echo $er?></font>
1614     - <br><input type=submit name=submit value='Go Back'>
1615     -
1616     - <?php
1617     - print $hidden_fields;
1618     - print "</form>";
1619     -
1620     - printFooter();
1621     - break;
1622     - }
1623     -
1624     -case 'confirm':
1625     - printHeader();
1626     -
1627     - ?>
1628     - <h4>You are about to create a certificate using the following information:</h4>
1629     - <table width=500><tr>
1630     - <td width=25% style='white-space: nowrap'>
1631     - <p align=right>
1632     - User's Name<br>
1633     - E-mail Address<br>
1634     - Organization<br>
1635     - Department/Unit<br>
1636     - Locality<br>
1637     - State/Province<br>
1638     - Country<br>
1639     - Certificate Life<br>
1640     - Key Size<br>
1641     - Certificate Use<br>
1642     - <?php
1643     - if ($cert_type == 'server' ) {
1644     - print 'DNS Alt Names<br>';
1645     - print 'IP Addresses<br>';
1646     - }
1647     - ?>
1648     - </p>
1649     - </td>
1650     -
1651     - <td>
1652     - <?php
1653     - print htvar($common_name) . '<br>';
1654     - print htvar($email) . '<br>';
1655     - print htvar($organization) . '<br>';
1656     - print htvar($unit) . '<br>';
1657     - print htvar($locality) . '<br>';
1658     - print htvar($province) . '<br>';
1659     - print htvar($country) . '<br>';
1660     - print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
1661     - print htvar($keysize). ' bits<br>';
1662     -
1663     - switch ($cert_type) {
1664     - case 'email':
1665     - print 'E-mail, SSL Client' . '<br>';
1666     - break;
1667     - case 'email_signing':
1668     - print 'E-mail, SSL Client, Code Signing' . '<br>';
1669     - break;
1670     - case 'server':
1671     - print 'SSL Server' . '<br>';
1672     - print htvar($dns_names). '<br>';
1673     - print htvar($ip_addr). '<br>';
1674     - break;
1675     - case 'vpn_client':
1676     - print 'VPN Client Only' . '<br>';
1677     - break;
1678     - case 'vpn_server':
1679     - print 'VPN Server Only' . '<br>';
1680     - break;
1681     - case 'vpn_client_server':
1682     - print 'VPN Client, VPN Server' . '<br>';
1683     - break;
1684     - case 'time_stamping':
1685     - print 'Time Stamping' . '<br>';
1686     -
1687     - }
1688     - ?>
1689     - </td>
1690     -
1691     - </tr></table>
1692     -
1693     - <h4>Are you sure?</h4>
1694     - <p><form action='<?php echo $PHP_SELF?>' method=post>
1695     - <?php echo $hidden_fields ?>
1696     - <input type=hidden name=form_stage value=final>
1697     - <input type=submit name=submit value='Yes. Create and Download' >&nbsp;
1698     - <input type=submit name=submit value='Yes. Just Create' >&nbsp;
1699     - <input type=submit name=submit value='Go Back'>
1700     - </form>
1701     -
1702     - <?php
1703     - printFooter();
1704     -
1705     - # Save user's defaults
1706     - $fp = fopen($user_cnf,'w');
1707     - $x = '<?php
1708     - $country = \''.addslashes($country).'\';
1709     - $locality = \''.addslashes($locality).'\';
1710     - $province = \''.addslashes($province).'\';
1711     - $organization = \''.addslashes($organization).'\';
1712     - $unit = \''.addslashes($unit).'\';
1713     - $expiry = \''.addslashes($expiry).'\';
1714     - $keysize = \''.addslashes($keysize).'\';
1715     - ?>';
1716     - fwrite($fp,$x);
1717     - fclose($fp);
1718     -
1719     - break;
1720     -
1721     -case 'final':
1722     - if ($submit == "Yes Create and Download" || $submit == "Yes. Just Create") {
1723     - if (! $serial = CAdb_in($email,$common_name)) {
1724     - list($ret,$errtxt) = CA_create_cert($cert_type, $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize, $dns_names, $ip_addr);
1725     -
1726     - if (! $ret) {
1727     - printHeader();
1728     - ?>
1729     - <form action="<?php echo $PHP_SELF?>" method="post">
1730     - <font color=#ff0000>
1731     - <h2>There was an error creating your certificate.</h2></font><br>
1732     - <blockquote>
1733     - <h3>Debug Info:</h3>
1734     - <pre><?php echo $errtxt?></pre>
1735     - </blockquote>
1736     - <p>
1737     - <?php echo $hidden_fields?>
1738     - <input type=submit name=submit value=Back>
1739     - <p>
1740     - </form>
1741     - <?php
1742     - printFooter();
1743     - break;
1744     - }
1745     - else {
1746     - $serial = $errtxt;
1747     - }
1748     - }
1749     - }
1750     -
1751     - if ($submit == "Yes Create and Download") {
1752     - switch($cert_type) {
1753     - case 'server':
1754     -# upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
1755     - upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$rec[common_name]-Bundle.pem",'application/pkix-cert');
1756     - break;
1757     - case 'email':
1758     - case 'email_signing':
1759     - case 'time_stamping':
1760     - case 'vpn_client_server':
1761     - case 'vpn_client':
1762     - case 'vpn_server':
1763     -# upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
1764     - upload("$config[pfx_dir]/$serial.pfx", "$rec[common_name].p12", 'application/x-pkcs12');
1765     - break;
1766     - }
1767     -
1768     - # Clear common_name fields
1769     - $common_name = '';
1770     - break;
1771     - }
1772     -
1773     -# Clear common_name fields
1774     -$common_name = '';
1775     -
1776     -// We could add 'return to index or create another certificate'
1777     -
1778     -default:
1779     - #
1780     - # Default fields to reasonable values if necessary.
1781     - #
1782     - if (! $submit and file_exists($user_cnf)) include($user_cnf);
1783     -
1784     - if (! $country) $country = $config['country'];
1785     - if (! $province) $province = $config['province'];
1786     - if (! $locality) $locality = "";
1787     - if (! $organization) $organization = "";
1788     - if (! $unit) $unit = "";
1789     - if (! $email) $email = "";
1790     - if (! $expiry) $expiry = 1;
1791     - if (! $keysize) $keysize = 2048;
1792     - if (! $cert_type) $cert_type = 'email';
1793     - if (! $dns_names) $dns_names = "";
1794     - if (! $ip_addr) $ip_addr = "";
1795     -
1796     - printHeader();
1797     - ?>
1798     -
1799     - <body onLoad="self.focus();document.request.common_name.focus();document.request.cert_type.onchange();">
1800     - <form action="<?php echo $PHP_SELF?>" method=post name=request>
1801     - <table width=99%>
1802     - <th colspan=2><h3>Certificate Request Form</h3></th>
1803     -
1804     - <tr>
1805     - <td width=30%>Common Name<font color=red size=3>*</font><br>(i.e. User real name or computer hostname - used as SubjectAltName)</td>
1806     - <td><input type=text name=common_name value="<?php echo htvar($common_name)?>" size=50 maxlength=60></td>
1807     - </tr>
1808     -
1809     - <tr>
1810     - <td>E-mail Address <font color=red size=3>*</font></td>
1811     - <td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
1812     - </tr>
1813     -
1814     - <tr>
1815     - <td>Organization (Company/Agency)<font color=red size=3>*</font></td>
1816     - <td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
1817     - </tr>
1818     -
1819     - <tr>
1820     - <td>Department/Unit<font color=red size=3>*</font> </td><td><input type=text name=unit value="<?php echo htvar($unit) ?>" size=40 maxlength=60></td>
1821     - </tr>
1822     -
1823     - <tr>
1824     - <td>Locality (City/County)<font color=red size=3>*</font></td><td><input type=text name=locality value="<?php echo htvar($locality) ?>" size=30 maxlength=30></td>
1825     - </tr>
1826     -
1827     - <tr>
1828     - <td>State/Province<font color=red size=3>*</font></td><td><input type=text name=province value="<?php echo htvar($province) ?>" size=30 maxlength=30></td>
1829     - </tr>
1830     -
1831     - <tr>
1832     - <td>Country<font color=red size=3>*</font></td>
1833     - <td><input type=text name=country value="<?php echo htvar($country) ?>" size=2 maxlength=2></td>
1834     - </tr>
1835     -
1836     - <tr>
1837     - <td>Certificate Password<font color=red size=3>*</font><br>(Mandatory for Email,SSL Client,Code signing)</td>
1838     - <td><input type=password name=passwd value="<?php echo htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv value="<?php echo htvar($passwdv) ?>" size=30></td>
1839     - </tr>
1840     -
1841     - <tr>
1842     - <td>Certificate Life<font color=red size=3>*</font> </td>
1843     - <td><select name=expiry>
1844     -
1845     - <?php
1846     - print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
1847     - print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
1848     - print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
1849     - print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
1850     - for ( $i = 2 ; $i <= 5 ; $i++ ) {
1851     - print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
1852     - }
1853     -
1854     - ?>
1855     -
1856     - </select></td>
1857     - </tr>
1858     -
1859     - <tr>
1860     - <td>Key Size<font color=red size=3>*</font> </td>
1861     - <td><select name=keysize>
1862     - <?php
1863     - for ( $i = 512 ; $i <= 4096 ; $i+= 512 ) {
1864     - print "<option value=$i " . ($keysize == $i ? "selected='selected'" : "") . ">$i bits</option>\n" ;
1865     - }
1866     - ?>
1867     -
1868     - </select></td>
1869     - </tr>
1870     -
1871     - <tr>
1872     - <td>Certificate Use:<font color=red size=3>*</font> </td>
1873     - <td><select name=cert_type onchange="if (this.value=='server')
1874     - {setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
1875     - <?php
1876     - print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
1877     - print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
1878     - print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
1879     - print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
1880     - print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
1881     - print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
1882     - print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
1883     - ?>
1884     - </select></td>
1885     - </tr>
1886     -
1887     - <tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
1888     - <td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?php echo htvar($dns_names) ?></textarea></td>
1889     - </tr>
1890     -
1891     - <tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
1892     - <td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?php echo htvar($ip_addr) ?></textarea></td>
1893     - </tr>
1894     - <tr>
1895     - <td>&nbsp</td>
1896     - <td>&nbsp</td>
1897     - </tr>
1898     - <tr>
1899     - <td><font color=red size=3>* Fields are required</td><td><input type=submit name=submit value='Submit Request'><input type=hidden name=form_stage value='validate'></td>
1900     - </tr>
1901     - </table>
1902     - </form>
1903     - <?php
1904     -
1905     - printFooter();
1906     + if (! $country) {
1907     + $er .= 'Missing Country<br>';
1908     + }
1909     + if (! $province) {
1910     + $er .= 'Missing State/Province<br>';
1911     + }
1912     + if (! $locality) {
1913     + $er .= 'Missing Locality (City/County)<br>';
1914     + }
1915     + if (! $organization) {
1916     + $er .= 'Missing Organization (Company/Agency)<br>';
1917     + }
1918     + if (! $unit) {
1919     + $er .= 'Missing Unit/Department<br>';
1920     + }
1921     + if (! $common_name) {
1922     + $er .= 'Missing E-mail User\'s Full Name<br>';
1923     + }
1924     + if (! $email) {
1925     + $er .= 'Missing E-mail Address<br>';
1926     + }
1927     +
1928     + if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd) {
1929     + $er .= 'Missing Certificate Password<br>';
1930     + }
1931     + if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv) {
1932     + $er .= 'Missing Certificate Password Verification "Again"<br>';
1933     + }
1934     +
1935     + if ($passwd && strlen($passwd) < 8) {
1936     + $er .= 'Certificate password is too short.<br>';
1937     + }
1938     +
1939     + if ($passwd and $passwd != $passwdv) {
1940     + $er .= 'Password and password verification do not match.<br>';
1941     + }
1942     +
1943     + //if ( ! is_alnum($passwd) or ! is_alnum($passwdv) )
1944     + // $er .= 'Password contains invalid characters.<br>';
1945     +
1946     + if ($email && ! is_email($email)) {
1947     + $er .= 'E-mail address ('. htvar($email) . ') may be invalid.<br>';
1948     + }
1949     +
1950     + $ip_ar=explode("\n", $ip_addr);
1951     + foreach ($ip_ar as $value) {
1952     + if ($value && ! is_ip($value)) {
1953     + $er .= 'IP address ('. htvar($value) . ') may be invalid.<br>';
1954     + }
1955     + }
1956     +
1957     + $dns_n=explode("\n", $dns_names);
1958     + foreach ($dns_n as $value) {
1959     + if ($value && ! is_fqdn(trim($value))) {
1960     + $er .= 'DNS Name ('. htvar($value) . ') may be invalid.<br>';
1961     + }
1962     + }
1963     +
1964     + if ($er) {
1965     + $er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
1966     + }
1967     +
1968     + if ($email && ($serial = CAdb_in($email, $common_name))) {
1969     + $er = '';
1970     + $certtext = CA_cert_text($serial);
1971     + $er .= '<h2>A valid certificate already exists for ' . htvar("$common_name <$email>") . '</h2>';
1972     + $er .= '</font><blockquote><pre> ' . htvar($certtext) . ' </pre></blockquote>';
1973     + }
1974     +
1975     + if ($er) {
1976     + printHeader();
1977     + ?>
1978     +
1979     + <form action='<?php echo $PHP_SELF?>' method=post>
1980     + <input type=submit name=submit value='Go Back'>
1981     + <font color=#ff0000><?php echo $er?></font>
1982     + <br><input type=submit name=submit value='Go Back'>
1983     +
1984     + <?php
1985     + print $hidden_fields;
1986     + print "</form>";
1987     +
1988     + printFooter();
1989     + break;
1990     + }
1991     +
1992     + case 'confirm':
1993     + printHeader();
1994     +
1995     + ?>
1996     + <h4>You are about to create a certificate using the following information:</h4>
1997     + <table width=500><tr>
1998     + <td width=25% style='white-space: nowrap'>
1999     + <p align=right>
2000     + User's Name<br>
2001     + E-mail Address<br>
2002     + Organization<br>
2003     + Department/Unit<br>
2004     + Locality<br>
2005     + State/Province<br>
2006     + Country<br>
2007     + Certificate Life<br>
2008     + Key Size<br>
2009     + Certificate Use<br>
2010     + <?php
2011     + if ($cert_type == 'server') {
2012     + print 'DNS Alt Names<br>';
2013     + print 'IP Addresses<br>';
2014     + }
2015     + ?>
2016     + </p>
2017     + </td>
2018     +
2019     + <td>
2020     + <?php
2021     + print htvar($common_name) . '<br>';
2022     + print htvar($email) . '<br>';
2023     + print htvar($organization) . '<br>';
2024     + print htvar($unit) . '<br>';
2025     + print htvar($locality) . '<br>';
2026     + print htvar($province) . '<br>';
2027     + print htvar($country) . '<br>';
2028     + print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'<br>';
2029     + print htvar($keysize). ' bits<br>';
2030     +
2031     + switch ($cert_type) {
2032     + case 'email':
2033     + print 'E-mail, SSL Client' . '<br>';
2034     + break;
2035     + case 'email_signing':
2036     + print 'E-mail, SSL Client, Code Signing' . '<br>';
2037     + break;
2038     + case 'server':
2039     + print 'SSL Server' . '<br>';
2040     + print htvar($dns_names). '<br>';
2041     + print htvar($ip_addr). '<br>';
2042     + break;
2043     + case 'vpn_client':
2044     + print 'VPN Client Only' . '<br>';
2045     + break;
2046     + case 'vpn_server':
2047     + print 'VPN Server Only' . '<br>';
2048     + break;
2049     + case 'vpn_client_server':
2050     + print 'VPN Client, VPN Server' . '<br>';
2051     + break;
2052     + case 'time_stamping':
2053     + print 'Time Stamping' . '<br>';
2054     + }
2055     + ?>
2056     + </td>
2057     +
2058     + </tr></table>
2059     +
2060     + <h4>Are you sure?</h4>
2061     + <p><form action='<?php echo $PHP_SELF?>' method=post>
2062     + <?php echo $hidden_fields ?>
2063     + <input type=hidden name=form_stage value=final>
2064     + <input type=submit name=submit value='Yes. Create and Download' >&nbsp;
2065     + <input type=submit name=submit value='Yes. Just Create' >&nbsp;
2066     + <input type=submit name=submit value='Go Back'>
2067     + </form>
2068     +
2069     + <?php
2070     + printFooter();
2071     +
2072     + # Save user's defaults
2073     + $fp = fopen($user_cnf, 'w');
2074     + $x = '<?php
2075     + $country = \''.addslashes($country).'\';
2076     + $locality = \''.addslashes($locality).'\';
2077     + $province = \''.addslashes($province).'\';
2078     + $organization = \''.addslashes($organization).'\';
2079     + $unit = \''.addslashes($unit).'\';
2080     + $expiry = \''.addslashes($expiry).'\';
2081     + $keysize = \''.addslashes($keysize).'\';
2082     + ?>';
2083     + fwrite($fp, $x);
2084     + fclose($fp);
2085     +
2086     + break;
2087     +
2088     + case 'final':
2089     + if ($submit == "Yes Create and Download" || $submit == "Yes. Just Create") {
2090     + if (! $serial = CAdb_in($email, $common_name)) {
2091     + list($ret,$errtxt) = CA_create_cert($cert_type, $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize, $dns_names, $ip_addr);
2092     +
2093     + if (! $ret) {
2094     + printHeader();
2095     + ?>
2096     + <form action="<?php echo $PHP_SELF?>" method="post">
2097     + <font color=#ff0000>
2098     + <h2>There was an error creating your certificate.</h2></font><br>
2099     + <blockquote>
2100     + <h3>Debug Info:</h3>
2101     + <pre><?php echo $errtxt?></pre>
2102     + </blockquote>
2103     + <p>
2104     + <?php echo $hidden_fields?>
2105     + <input type=submit name=submit value=Back>
2106     + <p>
2107     + </form>
2108     + <?php
2109     + printFooter();
2110     + break;
2111     + } else {
2112     + $serial = $errtxt;
2113     + }
2114     + }
2115     + }
2116     +
2117     + if ($submit == "Yes Create and Download") {
2118     + switch ($cert_type) {
2119     + case 'server':
2120     + # upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
2121     + upload(array($config['private_dir'] . "/$serial-key.pem",$config['new_certs_dir'] . "/$serial.pem",$config['cacert_pem']), $rec['common_name'] . "-Bundle.pem", 'application/pkix-cert');
2122     + break;
2123     + case 'email':
2124     + case 'email_signing':
2125     + case 'time_stamping':
2126     + case 'vpn_client_server':
2127     + case 'vpn_client':
2128     + case 'vpn_server':
2129     + # upload("$config[pfx_dir]/$serial.pfx", "$common_name ($email).p12", 'application/x-pkcs12');
2130     + upload($config['pfx_dir'] . "/$serial.pfx", $rec['common_name'] . ".p12", 'application/x-pkcs12');
2131     + break;
2132     + }
2133     +
2134     + # Clear common_name fields
2135     + $common_name = '';
2136     + break;
2137     + }
2138     +
2139     + # Clear common_name fields
2140     + $common_name = '';
2141     +
2142     + // We could add 'return to index or create another certificate'
2143     +
2144     + default:
2145     + #
2146     + # Default fields to reasonable values if necessary.
2147     + #
2148     + if (! $submit and file_exists($user_cnf)) {
2149     + include($user_cnf);
2150     + }
2151     +
2152     + if (! $country) {
2153     + $country = $config['country'];
2154     + }
2155     + if (! $province) {
2156     + $province = $config['province'];
2157     + }
2158     + if (! $locality) {
2159     + $locality = "";
2160     + }
2161     + if (! $organization) {
2162     + $organization = "";
2163     + }
2164     + if (! $unit) {
2165     + $unit = "";
2166     + }
2167     + if (! $email) {
2168     + $email = "";
2169     + }
2170     + if (! $expiry) {
2171     + $expiry = 1;
2172     + }
2173     + if (! $keysize) {
2174     + $keysize = 2048;
2175     + }
2176     + if (! $cert_type) {
2177     + $cert_type = 'email';
2178     + }
2179     + if (! $dns_names) {
2180     + $dns_names = "";
2181     + }
2182     + if (! $ip_addr) {
2183     + $ip_addr = "";
2184     + }
2185     +
2186     + printHeader();
2187     + ?>
2188     +
2189     + <body onLoad="self.focus();document.request.common_name.focus();document.request.cert_type.onchange();">
2190     + <form action="<?php echo $PHP_SELF?>" method=post name=request>
2191     + <table width=99%>
2192     + <th colspan=2><h3>Certificate Request Form</h3></th>
2193     +
2194     + <tr>
2195     + <td width=30%>Common Name<font color=red size=3> *</font><br>(i.e. User real name or computer hostname - used as SubjectAltName)</td>
2196     + <td><input type=text name=common_name value="<?php echo htvar($common_name)?>" size=50 maxlength=60></td>
2197     + </tr>
2198     +
2199     + <tr>
2200     + <td>E-mail Address<font color=red size=3> *</font></td>
2201     + <td><input type=text name=email value="<?php echo htvar($email)?>" size=50 maxlength=60></td>
2202     + </tr>
2203     +
2204     + <tr>
2205     + <td>Organization (Company/Agency)<font color=red size=3> *</font></td>
2206     + <td><input type=text name=organization value="<?php echo htvar($organization)?>" size=60 maxlength=60></td>
2207     + </tr>
2208     +
2209     + <tr>
2210     + <td>Department/Unit<font color=red size=3> *</font> </td><td><input type=text name=unit value="<?php echo htvar($unit) ?>" size=40 maxlength=60></td>
2211     + </tr>
2212     +
2213     + <tr>
2214     + <td>Locality (City/County)<font color=red size=3> *</font></td><td><input type=text name=locality value="<?php echo htvar($locality) ?>" size=30 maxlength=30></td>
2215     + </tr>
2216     +
2217     + <tr>
2218     + <td>State/Province<font color=red size=3> *</font></td><td><input type=text name=province value="<?php echo htvar($province) ?>" size=30 maxlength=30></td>
2219     + </tr>
2220     +
2221     + <tr>
2222     + <td>Country<font color=red size=3> *</font></td>
2223     + <td><input type=text name=country value="<?php echo htvar($country) ?>" size=2 maxlength=2></td>
2224     + </tr>
2225     +
2226     + <tr>
2227     + <td>Certificate Password<font color=red size=3> *</font><br>(Min 8 chars - Mandatory for Email,SSL Client,Code signing)</td>
2228     + <td><input type=password name=passwd value="<?php echo htvar($passwd) ?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv value="<?php echo htvar($passwdv) ?>" size=30></td>
2229     + </tr>
2230     +
2231     + <tr>
2232     + <td>Certificate Life<font color=red size=3>*</font> </td>
2233     + <td><select name=expiry>
2234     +
2235     + <?php
2236     + print "<option value=0.083 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Month</option>\n" ;
2237     + print "<option value=0.25 " . ($expiry == 1 ? "selected='selected'" : "") . " >3 Months</option>\n" ;
2238     + print "<option value=0.5 " . ($expiry == 1 ? "selected='selected'" : "") . " >6 Months</option>\n" ;
2239     + print "<option value=1 " . ($expiry == 1 ? "selected='selected'" : "") . " >1 Year</option>\n" ;
2240     + for ($i = 2; $i <= 5; $i++) {
2241     + print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
2242     + }
2243     +
2244     + ?>
2245     +
2246     + </select></td>
2247     + </tr>
2248     +
2249     + <tr>
2250     + <td>Key Size<font color=red size=3>*</font> </td>
2251     + <td><select name=keysize>
2252     + <?php
2253     + for ($i = 512; $i <= 4096; $i+= 512) {
2254     + print "<option value=$i " . ($keysize == $i ? "selected='selected'" : "") . ">$i bits</option>\n" ;
2255     + }
2256     + ?>
2257     +
2258     + </select></td>
2259     + </tr>
2260     +
2261     + <tr>
2262     + <td>Certificate Use:<font color=red size=3>*</font> </td>
2263     + <td><select name=cert_type onchange="if (this.value=='server')
2264     + {setVisibility('testrow1',true);setVisibility('testrow2',true);} else {setVisibility('testrow1',false);setVisibility('testrow2',false);}">
2265     + <?php
2266     + print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
2267     + print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
2268     + print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
2269     + print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
2270     + print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
2271     + print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
2272     + print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
2273     + ?>
2274     + </select></td>
2275     + </tr>
2276     +
2277     + <tr id="testrow2" name="testrow2" style="visibility:hidden;display:none;">
2278     + <td>Alternative DNS Names<br>(only one per Line)</td><td><textarea name=dns_names cols=30 rows=5><?php echo htvar($dns_names) ?></textarea></td>
2279     + </tr>
2280     +
2281     + <tr id="testrow1" name="testrow1" style="visibility:hidden;display:none;">
2282     + <td>IP's<br>(only one per Line)</td><td><textarea name=ip_addr cols=30 rows=5><?php echo htvar($ip_addr) ?></textarea></td>
2283     + </tr>
2284     + <tr>
2285     + <td>&nbsp</td>
2286     + <td>&nbsp</td>
2287     + </tr>
2288     + <tr>
2289     + <td><font color=red size=3>* Fields are required</td><td><input type=submit name=submit value='Submit Request'><input type=hidden name=form_stage value='validate'></td>
2290     + </tr>
2291     + </table>
2292     + </form>
2293     + <?php
2294     + printFooter();
2295     }
2296    
2297     ?>
2298     diff -ruN phpki-ng.old/phpki-ng-0.84/config.php phpki-ng/phpki-ng-0.84/config.php
2299     --- phpki-ng.old/phpki-ng-0.84/config.php 2020-04-02 14:22:47.000000000 +0200
2300     +++ phpki-ng/phpki-ng-0.84/config.php 2021-03-07 19:33:03.073323741 +0100
2301     @@ -1,3 +1,2 @@
2302     <?php
2303     -define("PHPKI_VERSION", "0.83");
2304     -?>
2305     +define("PHPKI_VERSION", "0.84");
2306     diff -ruN phpki-ng.old/phpki-ng-0.84/css/style.css phpki-ng/phpki-ng-0.84/css/style.css
2307     --- phpki-ng.old/phpki-ng-0.84/css/style.css 2020-04-02 14:22:47.000000000 +0200
2308     +++ phpki-ng/phpki-ng-0.84/css/style.css 2021-03-07 19:33:03.073323741 +0100
2309     @@ -1,171 +1,171 @@
2310     -h1 {
2311     - font-size: 32px;
2312     -}
2313     -
2314     -h2 {
2315     - font-size: 24px;
2316     -}
2317     -
2318     -h3 {
2319     - font-size: 18px;
2320     -}
2321     -
2322     -body {
2323     - margin: 10px;
2324     - padding: 0;
2325     - background: #fafaff;
2326     - font-family: Arial, Veranda, Helvetica, sans-serif;
2327     - font-size: 14px;
2328     -}
2329     -
2330     -img {
2331     - border: 0;
2332     -}
2333     -
2334     -a {
2335     - color: #00F;
2336     - background-color: transparent;
2337     -}
2338     -
2339     -a:link, a:active, a:visited {
2340     - color: #00F;
2341     - background-color: transparent;
2342     -}
2343     -
2344     -a.headermenu:link, a.headermenu:active, a.headermenu:visited {
2345     - text-decoration: underline;
2346     - color: #00F;
2347     - background-color: transparent;
2348     - padding-left: 8px;
2349     -}
2350     -
2351     -form {
2352     - padding: 0;
2353     - margin: 0;
2354     -}
2355     -
2356     -fieldset {
2357     - border: 2px solid black;
2358     - margin-left: 10px;
2359     - padding: 10px;
2360     - width: 700px;
2361     - font-size: 10px;
2362     -}
2363     -
2364     -legend {
2365     - background-color: rgb(200, 220, 240);
2366     - border: 2px solid black;
2367     - padding: 0.25em;
2368     - padding-top: 0.1em;
2369     - font-size: 12px;
2370     -}
2371     -
2372     -table {
2373     - font-size: 12px;
2374     - margin-right: .1in;
2375     -}
2376     -
2377     -th {
2378     - font-weight: bold;
2379     - background-color: #AFC3E4;
2380     - padding: 3px;
2381     - color: #323C4D;
2382     - text-align: center;
2383     - vertical-align: middle;
2384     - border: 1px solid #606060;
2385     - white-space: nowrap;
2386     -}
2387     -
2388     -td {
2389     - background-color: #DEE3EC;
2390     - padding: 3px;
2391     - text-align: left;
2392     - vertical-align: middle;
2393     - border: 1px solid #a0a0a0;
2394     -}
2395     -
2396     -.menu {
2397     - height: 22px;
2398     - font-size: 13px;
2399     - text-align: center;
2400     - vertical-align: bottom;
2401     - border: 1px solid #808080;
2402     - border-left: 2px solid #808080;
2403     - border-bottom: 2px solid #808080;
2404     - color: #000000;
2405     -}
2406     -
2407     -.menu-pad {
2408     - height: 22px;
2409     - font-size: 13px;
2410     - text-align: center;
2411     - padding-left: 1em;
2412     - padding-right: 1em;
2413     - vertical-align: bottom;
2414     - border: 1px solid #808080;
2415     - border-left: 2px solid #808080;
2416     - border-bottom: 2px solid #808080;
2417     - color: #000000;
2418     -}
2419     -
2420     -.menu a {
2421     - vertical-align: bottom;
2422     - text-decoration: none;
2423     - font-size: 13px;
2424     -}
2425     -
2426     -.headermenu-ie {
2427     - text-align: center;
2428     - margin-right: 0.1in;
2429     - margin-top: 0.20in;
2430     -}
2431     -
2432     -.headermenu-konq {
2433     - text-align: center;
2434     - margin-right: 0.1in;
2435     - margin-top: 0.25in;
2436     -}
2437     -
2438     -.logo-ie {
2439     - font-family: 'impact', sans-serif;
2440     - font-size: 60pt;
2441     - font-weight: bold;
2442     - color: #99caff;
2443     - margin-top: -0.20in;
2444     - margin-bottom: 0;
2445     - margin-right: 0.2in;
2446     - text-align: left;
2447     -}
2448     -
2449     -.title-ie {
2450     - font-family: 'impact', sans-serif;
2451     - font-size: 22pt;
2452     - font-weight: bold;
2453     - font-style: italic;
2454     - margin-right: 0.4in;
2455     - margin-top: -0.52in;
2456     - margin-bottom: 0;
2457     - text-align: left;
2458     -}
2459     -
2460     -.logo-konq {
2461     - font-family: 'impact', sans-serif;
2462     - font-size: 62pt;
2463     - font-weight: bold;
2464     - color: #99caff;
2465     - margin-top: -0.20in;
2466     - margin-bottom: 0;
2467     - margin-right: 0.2in;
2468     - text-align: left;
2469     -}
2470     -
2471     -.title-konq {
2472     - font-family: 'impact', 'sans-serif';
2473     - font-size: 24pt;
2474     - font-weight: bold;
2475     - font-style: italic;
2476     - margin-right: 0.4in;
2477     - margin-top: -0.55in;
2478     - margin-bottom: 0;
2479     - text-align: left;
2480     -}
2481     +h1 {
2482     + font-size: 32px;
2483     +}
2484     +
2485     +h2 {
2486     + font-size: 24px;
2487     +}
2488     +
2489     +h3 {
2490     + font-size: 18px;
2491     +}
2492     +
2493     +body {
2494     + margin: 10px;
2495     + padding: 0;
2496     + background: #fafaff;
2497     + font-family: Arial, Veranda, Helvetica, sans-serif;
2498     + font-size: 14px;
2499     +}
2500     +
2501     +img {
2502     + border: 0;
2503     +}
2504     +
2505     +a {
2506     + color: #00F;
2507     + background-color: transparent;
2508     +}
2509     +
2510     +a:link, a:active, a:visited {
2511     + color: #00F;
2512     + background-color: transparent;
2513     +}
2514     +
2515     +a.headermenu:link, a.headermenu:active, a.headermenu:visited {
2516     + text-decoration: underline;
2517     + color: #00F;
2518     + background-color: transparent;
2519     + padding-left: 8px;
2520     +}
2521     +
2522     +form {
2523     + padding: 0;
2524     + margin: 0;
2525     +}
2526     +
2527     +fieldset {
2528     + border: 2px solid black;
2529     + margin-left: 10px;
2530     + padding: 10px;
2531     + width: 700px;
2532     + font-size: 10px;
2533     +}
2534     +
2535     +legend {
2536     + background-color: rgb(200, 220, 240);
2537     + border: 2px solid black;
2538     + padding: 0.25em;
2539     + padding-top: 0.1em;
2540     + font-size: 12px;
2541     +}
2542     +
2543     +table {
2544     + font-size: 12px;
2545     + margin-right: .1in;
2546     +}
2547     +
2548     +th {
2549     + font-weight: bold;
2550     + background-color: #AFC3E4;
2551     + padding: 3px;
2552     + color: #323C4D;
2553     + text-align: center;
2554     + vertical-align: middle;
2555     + border: 1px solid #606060;
2556     + white-space: nowrap;
2557     +}
2558     +
2559     +td {
2560     + background-color: #DEE3EC;
2561     + padding: 3px;
2562     + text-align: left;
2563     + vertical-align: middle;
2564     + border: 1px solid #a0a0a0;
2565     +}
2566     +
2567     +.menu {
2568     + height: 22px;
2569     + font-size: 13px;
2570     + text-align: center;
2571     + vertical-align: bottom;
2572     + border: 1px solid #808080;
2573     + border-left: 2px solid #808080;
2574     + border-bottom: 2px solid #808080;
2575     + color: #000000;
2576     +}
2577     +
2578     +.menu-pad {
2579     + height: 22px;
2580     + font-size: 13px;
2581     + text-align: center;
2582     + padding-left: 1em;
2583     + padding-right: 1em;
2584     + vertical-align: bottom;
2585     + border: 1px solid #808080;
2586     + border-left: 2px solid #808080;
2587     + border-bottom: 2px solid #808080;
2588     + color: #000000;
2589     +}
2590     +
2591     +.menu a {
2592     + vertical-align: bottom;
2593     + text-decoration: none;
2594     + font-size: 13px;
2595     +}
2596     +
2597     +.headermenu-ie {
2598     + text-align: center;
2599     + margin-right: 0.1in;
2600     + margin-top: 0.20in;
2601     +}
2602     +
2603     +.headermenu-konq {
2604     + text-align: center;
2605     + margin-right: 0.1in;
2606     + margin-top: 0.25in;
2607     +}
2608     +
2609     +.logo-ie {
2610     + font-family: 'impact', sans-serif;
2611     + font-size: 60pt;
2612     + font-weight: bold;
2613     + color: #99caff;
2614     + margin-top: -0.20in;
2615     + margin-bottom: 0;
2616     + margin-right: 0.2in;
2617     + text-align: left;
2618     +}
2619     +
2620     +.title-ie {
2621     + font-family: 'impact', sans-serif;
2622     + font-size: 22pt;
2623     + font-weight: bold;
2624     + font-style: italic;
2625     + margin-right: 0.4in;
2626     + margin-top: -0.52in;
2627     + margin-bottom: 0;
2628     + text-align: left;
2629     +}
2630     +
2631     +.logo-konq {
2632     + font-family: 'impact', sans-serif;
2633     + font-size: 62pt;
2634     + font-weight: bold;
2635     + color: #99caff;
2636     + margin-top: -0.20in;
2637     + margin-bottom: 0;
2638     + margin-right: 0.2in;
2639     + text-align: left;
2640     +}
2641     +
2642     +.title-konq {
2643     + font-family: 'impact', 'sans-serif';
2644     + font-size: 24pt;
2645     + font-weight: bold;
2646     + font-style: italic;
2647     + margin-right: 0.4in;
2648     + margin-top: -0.55in;
2649     + margin-bottom: 0;
2650     + text-align: left;
2651     +}
2652     diff -ruN phpki-ng.old/phpki-ng-0.84/gen_crl.php phpki-ng/phpki-ng-0.84/gen_crl.php
2653     --- phpki-ng.old/phpki-ng-0.84/gen_crl.php 2020-04-02 14:22:47.000000000 +0200
2654     +++ phpki-ng/phpki-ng-0.84/gen_crl.php 2021-03-07 19:33:03.074323756 +0100
2655     @@ -10,5 +10,3 @@
2656     include('../html/include/openssl_functions.php') ;
2657    
2658     CA_generate_crl();
2659     -
2660     -?>
2661     diff -ruN phpki-ng.old/phpki-ng-0.84/help/cacert_install_ie.html phpki-ng/phpki-ng-0.84/help/cacert_install_ie.html
2662     --- phpki-ng.old/phpki-ng-0.84/help/cacert_install_ie.html 2020-04-02 14:22:47.000000000 +0200
2663     +++ phpki-ng/phpki-ng-0.84/help/cacert_install_ie.html 2021-03-07 19:33:03.074323756 +0100
2664     @@ -1,29 +1,47 @@
2665     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2666     +
2667     <html>
2668     <head>
2669     -<title>Root Certificate Installation for Outlook & Outlook Express</title>
2670     -<link rel='stylesheet' type='text/css' href='../css/style.css'>
2671     + <title>Root Certificate Installation for Outlook &amp; Outlook Express</title>
2672     + <link rel='stylesheet' type='text/css' href='../css/style.css'>
2673     </head>
2674     +
2675     <body>
2676     -<center><h1>Root Certificate Installation for Outlook & Outlook Express</h1>
2677     -<h2>A Step-by-Step Guide</h2></center><br>
2678     -<h4>
2679     -<p><img src=../images/right-click-install-cacert.jpg>
2680     -<p>Open the folder which holds the certificates you have downloaded.<br>
2681     -Right-click on the certificate you wish to install, and select
2682     -<cite>Install Certificate</cite> from the context menu.
2683     -<p><br><img src=../images/cert-wizard1-welcome.jpg >
2684     -<p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite>
2685     -welcome window.
2686     -<p><br><img src=../images/cert-wizard4-select-store.jpg>
2687     -<p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.
2688     -<p><br><img src=../images/cert-wizard5-root-final.jpg>
2689     -<p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.
2690     -<p><br><img src=../images/confirm-install-cacert.jpg>
2691     -<p>You may be asked to confirm the root certificate installation. Click the <cite>Yes</cite> button if a window like this appears.
2692     -<p><br><img src=../images/import-successful.jpg>
2693     -<p>Windows confirms the root certificate was successfully imported.<br>
2694     -You may now <a href=usercert_install_ie.html>install your personal e-mail certificate</a>.
2695     + <center>
2696     + <h1>Root Certificate Installation for Outlook &amp; Outlook Express</h1>
2697     +
2698     + <h2>A Step-by-Step Guide</h2>
2699     + </center><br>
2700     +
2701     + <p><img src="../images/right-click-install-cacert.jpg"></p>
2702     +
2703     + <p>Open the folder which holds the certificates you have downloaded.<br>
2704     + Right-click on the certificate you wish to install, and select <cite>Install Certificate</cite> from the context menu.</p>
2705     +
2706     + <p><br>
2707     + <img src="../images/cert-wizard1-welcome.jpg"></p>
2708     +
2709     + <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> welcome window.</p>
2710     +
2711     + <p><br>
2712     + <img src="../images/cert-wizard4-select-store.jpg"></p>
2713     +
2714     + <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.</p>
2715     +
2716     + <p><br>
2717     + <img src="../images/cert-wizard5-root-final.jpg"></p>
2718     +
2719     + <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.</p>
2720     +
2721     + <p><br>
2722     + <img src="../images/confirm-install-cacert.jpg"></p>
2723     +
2724     + <p>You may be asked to confirm the root certificate installation. Click the <cite>Yes</cite> button if a window like this appears.</p>
2725     +
2726     + <p><br>
2727     + <img src="../images/import-successful.jpg"></p>
2728    
2729     -</h4>
2730     + <p>Windows confirms the root certificate was successfully imported.<br>
2731     + You may now <a href="usercert_install_ie.html">install your personal e-mail certificate</a>.</p>
2732     </body>
2733     </html>
2734     diff -ruN phpki-ng.old/phpki-ng-0.84/help/glossary.html phpki-ng/phpki-ng-0.84/help/glossary.html
2735     --- phpki-ng.old/phpki-ng-0.84/help/glossary.html 2020-04-02 14:22:47.000000000 +0200
2736     +++ phpki-ng/phpki-ng-0.84/help/glossary.html 2021-03-07 19:33:03.075323772 +0100
2737     @@ -1,144 +1,169 @@
2738     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2739     +
2740     <html>
2741     <head>
2742     -<title>PHPki Glossary</title>
2743     -<link rel='stylesheet' type='text/css' href='../css/style.css'>
2744     + <title>PHPki Glossary</title>
2745     + <link rel='stylesheet' type='text/css' href='../css/style.css'>
2746     </head>
2747     -<body>
2748    
2749     -<a name=TOP></a>
2750     -<a name=PKI></a><p>
2751     -<table>
2752     -<th><h2>PUBLIC KEY INFRASTRUCTURE</h2></th>
2753     -<tr><td>
2754     -PKI stands for <cite>Public Key Infrastructure</cite>. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private <a href=#KEYS>cryptographic key pair</a> that is obtained and shared through a trusted authority.
2755     -
2756     -PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.
2757     -</td></tr>
2758     -</table>
2759     -
2760     -<a name=CERTIFICATE></a><p>
2761     -<table>
2762     -<th><h2>DIGITAL CERTIFICATE</h2></th>
2763     -<tr><td>
2764     -<p>
2765     -An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
2766     -
2767     -<p>An individual wishing to send an encrypted message applies for a digital certificate from a <a href=#CA>Certificate Authority (CA)</a>. The CA issues an encrypted digital certificate containing the applicant's <a href=#KEYS>public key</a> and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.
2768     -
2769     -<p>The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
2770     -
2771     -<p>The most widely used standard for digital certificates is X.509.
2772     -</td></tr>
2773     -</table>
2774     -
2775     -<a name=CA></a><p>
2776     -<table>
2777     -<th><h2>CERTIFICATE AUTHORITY</h2></th>
2778     -<tr><td>
2779     -A trusted third-party organization or company that issues digital certificates used to create digital signatures and <a href=#KEYS>public-private key pairs</a>. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
2780     -</td></tr>
2781     -</table>
2782     -
2783     -<a name=KEYS></a><p>
2784     -<table>
2785     -<th><h2>PUBLIC KEY ENCRYPTION</h2></th>
2786     -<tr><td>
2787     -A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
2788     -
2789     -<p>An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
2790     -</td></tr>
2791     -</table>
2792     -
2793     -<a name=SMIME></a><p>
2794     -<table>
2795     -<th><h2>S/MIME</h2></th>
2796     -<tr><td>
2797     -S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the <a href=#RSA>RSA</a> encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).
2798     -</td></tr>
2799     -</table>
2800     -
2801     -<a name=RSA></a><p>
2802     -<table>
2803     -<th><h2>RSA</h2></th>
2804     -<tr><td>
2805     -RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards.
2806     -</td></tr>
2807     -</table>
2808     -
2809     -<a name=ROOT-CERT></a><p>
2810     -<table>
2811     -<th><h2>ROOT CERTIFICATE</h2></th>
2812     -<tr><td>
2813     -A root certificate is like a MASTER
2814     -<a href=#CERTIFICATE>digital certificate</a>.
2815     -You must install a <a href=#CA>certificate authority's</a> root certificate
2816     -before you can trust other certificates issued by that same certificate
2817     -authority. Root certificates are used to "sign" other certificates.
2818     -A signature by a root certificate is somewhat analogous to "notarizing" a
2819     -document in the physical world. When you install a root certificate on your
2820     -computer, you are saying you "trust" that certification authority and all
2821     -certificates it signs.
2822     -</td></tr>
2823     -</table>
2824     -
2825     -<a name=SIGNATURE></a><p>
2826     -<table>
2827     -<th><h2>DIGITAL SIGNATURE</h2></th>
2828     -<tr><td>
2829     -A digital code that can be attached to an electronically transmitted message
2830     -that uniquely identifies the sender. Like a written signature, the purpose of
2831     -a digital signature is to guarantee that the individual sending the message
2832     -really is who he or she claims to be. Digital certificates inherently provide
2833     -digital signature capability to most S/MIME enable e-mail clients. Digitally
2834     -signing an e-mail usually provides the recipient the with the sender's public
2835     -key, so the recipient may then send encrypted e-mail back to the sender.
2836     -</td></tr>
2837     -</table>
2838     -
2839     -<a name=X509></a><p>
2840     -<table>
2841     -<th><h2>X.509</h2></th>
2842     -<tr><td>
2843     -The most widely used standard for defining digital certificates. X.509 is
2844     -actually an ITU Recommendation, which means that has not yet been officially
2845     -defined or approved. As a result, companies have implemented the standard in
2846     -different ways. For example, both Netscape and Microsoft use X.509 certificates
2847     -to implement SSL in their web servers and browsers. But an X.509 certificate
2848     -generated by Netscape may not be readable by Microsoft products, and vice
2849     -versa.
2850     -</td></tr>
2851     -</table>
2852     -
2853     -<a name=PEM></a><p>
2854     -<table>
2855     -<th><h2>PEM</h2></th>
2856     -<tr><td>
2857     -PEM is a widely used standard for storing digital certificates.
2858     -A PEM encoded file can contain all of private keys, public keys, and
2859     -<a href=#X509>(x.509)</a> certificates. It is the default format for OpenSSL.
2860     -It stores data in Base64 encoded format, surrounded by ascii headers, so it is
2861     -suitable for text mode transfers between systems. PEM files usually end with
2862     -a <cite>.PEM</cite> extension.
2863     -</td></tr>
2864     -</table>
2865     -
2866     -<a name=DER></a><p>
2867     -<table>
2868     -<th><h2>DER</h2></th>
2869     -<tr><td>
2870     -DER is a widely used standard for storing digital certificates. A DER encoded
2871     -file can contain all of private keys, public keys, and <a href=#X509>(x.509)</a>
2872     -certificates. DER is a binary encoded headerless format. DER files usually
2873     -end with a <cite>.CRT</cite> or <cite>.CER</cite> extension.
2874     -</td></tr>
2875     -</table>
2876     -
2877     -<a name=PKCS12></a><p>
2878     -<table>
2879     -<th><h2>PKCS #12</h2></th>
2880     -<tr><td>
2881     -PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a <cite>.PFX</cite> extension.
2882     -</td></tr>
2883     -</table>
2884     +<body>
2885     + <a name="TOP" id="TOP"></a> <a name="PKI" id="PKI"></a>
2886    
2887     -<br><br></body></html>
2888     + <table>
2889     + <tr>
2890     + <th>
2891     + <h2>PUBLIC KEY INFRASTRUCTURE</h2>
2892     + </th>
2893     + </tr>
2894     +
2895     + <tr>
2896     + <td>PKI stands for <cite>Public Key Infrastructure</cite>. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private <a href="#KEYS">cryptographic key pair</a> that is obtained and shared through a trusted authority. PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.</td>
2897     + </tr>
2898     + </table><a name="CERTIFICATE" id="CERTIFICATE"></a>
2899     +
2900     + <table>
2901     + <tr>
2902     + <th>
2903     + <h2>DIGITAL CERTIFICATE</h2>
2904     + </th>
2905     + </tr>
2906     +
2907     + <tr>
2908     + <td>
2909     + <p>An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.</p>
2910     +
2911     + <p>An individual wishing to send an encrypted message applies for a digital certificate from a <a href="#CA">Certificate Authority (CA)</a>. The CA issues an encrypted digital certificate containing the applicant's <a href="#KEYS">public key</a> and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.</p>
2912     +
2913     + <p>The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.</p>
2914     +
2915     + <p>The most widely used standard for digital certificates is X.509.</p>
2916     + </td>
2917     + </tr>
2918     + </table><a name="CA" id="CA"></a>
2919     +
2920     + <table>
2921     + <tr>
2922     + <th>
2923     + <h2>CERTIFICATE AUTHORITY</h2>
2924     + </th>
2925     + </tr>
2926     +
2927     + <tr>
2928     + <td>A trusted third-party organization or company that issues digital certificates used to create digital signatures and <a href="#KEYS">public-private key pairs</a>. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.</td>
2929     + </tr>
2930     + </table><a name="KEYS" id="KEYS"></a>
2931     +
2932     + <table>
2933     + <tr>
2934     + <th>
2935     + <h2>PUBLIC KEY ENCRYPTION</h2>
2936     + </th>
2937     + </tr>
2938     +
2939     + <tr>
2940     + <td>
2941     + <p>A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.</p>
2942     +
2943     + <p>An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.</p>
2944     + </td>
2945     + </tr>
2946     + </table><a name="SMIME" id="SMIME"></a>
2947     +
2948     + <table>
2949     + <tr>
2950     + <th>
2951     + <h2>S/MIME</h2>
2952     + </th>
2953     + </tr>
2954     +
2955     + <tr>
2956     + <td>S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the <a href="#RSA">RSA</a> encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).</td>
2957     + </tr>
2958     + </table><a name="RSA" id="RSA"></a>
2959     +
2960     + <table>
2961     + <tr>
2962     + <th>
2963     + <h2>RSA</h2>
2964     + </th>
2965     + </tr>
2966     +
2967     + <tr>
2968     + <td>RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards.</td>
2969     + </tr>
2970     + </table><a name="ROOT-CERT" id="ROOT-CERT"></a>
2971     +
2972     + <table>
2973     + <tr>
2974     + <th>
2975     + <h2>ROOT CERTIFICATE</h2>
2976     + </th>
2977     + </tr>
2978     +
2979     + <tr>
2980     + <td>A root certificate is like a MASTER <a href="#CERTIFICATE">digital certificate</a>. You must install a <a href="#CA">certificate authority's</a> root certificate before you can trust other certificates issued by that same certificate authority. Root certificates are used to "sign" other certificates. A signature by a root certificate is somewhat analogous to "notarizing" a document in the physical world. When you install a root certificate on your computer, you are saying you "trust" that certification authority and all certificates it signs.</td>
2981     + </tr>
2982     + </table><a name="SIGNATURE" id="SIGNATURE"></a>
2983     +
2984     + <table>
2985     + <tr>
2986     + <th>
2987     + <h2>DIGITAL SIGNATURE</h2>
2988     + </th>
2989     + </tr>
2990     +
2991     + <tr>
2992     + <td>A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital certificates inherently provide digital signature capability to most S/MIME enable e-mail clients. Digitally signing an e-mail usually provides the recipient the with the sender's public key, so the recipient may then send encrypted e-mail back to the sender.</td>
2993     + </tr>
2994     + </table><a name="X509" id="X509"></a>
2995     +
2996     + <table>
2997     + <tr>
2998     + <th>
2999     + <h2>X.509</h2>
3000     + </th>
3001     + </tr>
3002     +
3003     + <tr>
3004     + <td>The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that has not yet been officially defined or approved. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their web servers and browsers. But an X.509 certificate generated by Netscape may not be readable by Microsoft products, and vice versa.</td>
3005     + </tr>
3006     + </table><a name="PEM" id="PEM"></a>
3007     +
3008     + <table>
3009     + <tr>
3010     + <th>
3011     + <h2>PEM</h2>
3012     + </th>
3013     + </tr>
3014     +
3015     + <tr>
3016     + <td>PEM is a widely used standard for storing digital certificates. A PEM encoded file can contain all of private keys, public keys, and <a href="#X509">(x.509)</a> certificates. It is the default format for OpenSSL. It stores data in Base64 encoded format, surrounded by ascii headers, so it is suitable for text mode transfers between systems. PEM files usually end with a <cite>.PEM</cite> extension.</td>
3017     + </tr>
3018     + </table><a name="DER" id="DER"></a>
3019     +
3020     + <table>
3021     + <tr>
3022     + <th>
3023     + <h2>DER</h2>
3024     + </th>
3025     + </tr>
3026     +
3027     + <tr>
3028     + <td>DER is a widely used standard for storing digital certificates. A DER encoded file can contain all of private keys, public keys, and <a href="#X509">(x.509)</a> certificates. DER is a binary encoded headerless format. DER files usually end with a <cite>.CRT</cite> or <cite>.CER</cite> extension.</td>
3029     + </tr>
3030     + </table><a name="PKCS12" id="PKCS12"></a>
3031     +
3032     + <table>
3033     + <tr>
3034     + <th>
3035     + <h2>PKCS #12</h2>
3036     + </th>
3037     + </tr>
3038     +
3039     + <tr>
3040     + <td>PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a <cite>.PFX</cite> extension.</td>
3041     + </tr>
3042     + </table><br>
3043     + <br>
3044     +</body>
3045     +</html>
3046     diff -ruN phpki-ng.old/phpki-ng-0.84/help/PKI_basics.html phpki-ng/phpki-ng-0.84/help/PKI_basics.html
3047     --- phpki-ng.old/phpki-ng-0.84/help/PKI_basics.html 2020-04-02 14:22:47.000000000 +0200
3048     +++ phpki-ng/phpki-ng-0.84/help/PKI_basics.html 2021-03-07 19:33:03.075323772 +0100
3049     @@ -1,64 +1,28 @@
3050     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
3051     +
3052     <html>
3053     <head>
3054     -<link rel='stylesheet' type='text/css' href='../css/style.css'>
3055     -<title>PKI and E-mail Encryption - A Brief Explanation</title>
3056     + <link rel='stylesheet' type='text/css' href='../css/style.css'>
3057     +
3058     + <title>PKI and E-mail Encryption - A Brief Explanation</title>
3059     </head>
3060     +
3061     <body>
3062     -<center><h1>PKI and E-mail Encryption - A Brief Explanation</h2></center>
3063     + <center>
3064     + <h1>PKI and E-mail Encryption - A Brief Explanation</h1>
3065     + </center>
3066     +
3067     + <p>PKI stands for <cite>Public Key Infrastructure</cite>. PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a <a href="glossary.html#KEYS" target="glossary">public and a private cryptographic key pair</a> that is obtained and shared through a <a href="glossary.html#CA" target="glossary">trusted Authority</a>.</p>
3068     +
3069     + <p>Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.</p>
3070     +
3071     + <p>In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more <a href="glossary.html#CA" target="glossary">Certificate Authorities(CA)</a> by downloading and installing each trusted Authority's <a href="glossary.html#ROOT-CERT" target="glossary">root certificate</a> on their computers. They will each obtain their own personal <a href="glossary.html#CERTIFICATE" target="glossary">digital certificate</a> from a trusted Certificate Authority, and install them on their respective computers. Because they mutually trust the Certificate Authorities, they trust each other's digital certificates. More specifically, they trust the <a href="glossary.html#KEYS" target="glossary">public keys</a> contained within their personal digital certificates which have been <a href="glossary.html#SIGNATURE" target="glossary">digitally signed</a> by a trusted Certificate Authority. They will then exchange their trusted public keys by sending each other digitally
3072     + signed e-mail messages. Once each party has the other's public key, they may exchange trusted and encrypted messsages.</p>
3073     +
3074     + <p>Public key exchange and encryption is like exchanging notarized documents. One trusts a notarized document because a trusted third party, the Notary Public, has signed it. The Certificate Authority is the Notary Public, and the public keys are the documents.</p>
3075    
3076     -PKI stands for <cite>Public Key Infrastructure</cite>. PKI is Information
3077     -Technology infrastructure that enables users of a basically unsecure public
3078     -network (such as the Internet) to securely and privately exchange data through
3079     -the use of a <a href=glossary.html#KEYS target=glossary>public and a private
3080     -cryptographic key pair</a> that is obtained and shared through a
3081     -<a href=glossary.html#CA target=glossary>trusted Authority</a>.
3082     -
3083     -<p>
3084     -Public and private keys are like two halves of a single key. PKI encryption
3085     -algorithms are designed such that a public key is used to encrypt or
3086     -"lock" a message, and only the complementary private key can "unlock" that
3087     -message.
3088     -Think of a bank vault or safe that can only be unlocked by two individuals
3089     -using two different but complementary keys. Neither of those keys can be used
3090     -by itself to unlock the vault.
3091     -
3092     -<p>
3093     -In practice, individuals wishing to exchange encrypted e-mail
3094     -will agree to mutually trust one or more <a href=glossary.html#CA target=glossary>
3095     -Certificate Authorities(CA)</a> by downloading and installing each trusted Authority's
3096     -<a href=glossary.html#ROOT-CERT target=glossary>root certificate</a> on their computers.
3097     -They will each obtain their own personal
3098     -<a href=glossary.html#CERTIFICATE target=glossary>digital certificate</a>
3099     -from a trusted Certificate Authority, and install them on their
3100     -respective computers.
3101     -Because they mutually trust the Certificate Authorities, they trust each other's
3102     -digital certificates. More specifically, they trust the
3103     -<a href=glossary.html#KEYS target=glossary>public keys</a> contained within
3104     -their personal digital certificates which have been
3105     -<a href=glossary.html#SIGNATURE target=glossary>digitally signed</a> by a
3106     -trusted Certificate Authority.
3107     -They will then exchange their trusted public keys by sending each other
3108     -digitally signed e-mail messages. Once each party has the other's public key,
3109     -they may exchange trusted and encrypted messsages.
3110     -
3111     -<p>
3112     -Public key exchange and encryption is like exchanging notarized documents.
3113     -One trusts a notarized document because a trusted third party, the Notary
3114     -Public, has signed it. The Certificate Authority is the Notary Public, and
3115     -the public keys are the documents.
3116     -
3117     -<p>
3118     -Remember, having a personal digital certificate alone does <strong>not</strong>
3119     -give one the ability to send encrypted e-mail to others, but only allows the
3120     -<strong>receipt</strong> of encrypted e-mail. PKI is a cooperative encryption
3121     -standard. Both parties who are exchanging encrypted messages must have
3122     -personal digital certificates, they must trust the Certificate Authority
3123     -which issued the other persons certificate, and they must exchange
3124     -public keys with each other, as described above.
3125     -
3126     -<p>
3127     -The process of installing certificates and exchanging public keys is dependent
3128     -upon the e-mail application one uses, and is beyond the scope of this document.
3129     + <p>Remember, having a personal digital certificate alone does <strong>not</strong> give one the ability to send encrypted e-mail to others, but only allows the <strong>receipt</strong> of encrypted e-mail. PKI is a cooperative encryption standard. Both parties who are exchanging encrypted messages must have personal digital certificates, they must trust the Certificate Authority which issued the other persons certificate, and they must exchange public keys with each other, as described above.</p>
3130    
3131     + <p>The process of installing certificates and exchanging public keys is dependent upon the e-mail application one uses, and is beyond the scope of this document.</p>
3132     </body>
3133     </html>
3134     diff -ruN phpki-ng.old/phpki-ng-0.84/help/usercert_install_ie.html phpki-ng/phpki-ng-0.84/help/usercert_install_ie.html
3135     --- phpki-ng.old/phpki-ng-0.84/help/usercert_install_ie.html 2020-04-02 14:22:47.000000000 +0200
3136     +++ phpki-ng/phpki-ng-0.84/help/usercert_install_ie.html 2021-03-07 19:33:03.076323787 +0100
3137     @@ -1,40 +1,51 @@
3138     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
3139     +
3140     <html>
3141     <head>
3142     -<title>Personal E-mail Certificate Installation for Outlook & Outlook Express</title>
3143     -<link rel='stylesheet' type='text/css' href='../css/style.css'>
3144     + <title>Personal E-mail Certificate Installation for Outlook &amp; Outlook Express</title>
3145     + <link rel='stylesheet' type='text/css' href='../css/style.css'>
3146     </head>
3147     +
3148     <body>
3149     -<center><h1>Personal E-mail Certificate Installation for Outlook & Outlook Express</h1>
3150     -<h2>A Step-by-Step Guide</h2></center><br>
3151     -<h4>
3152     -<p><img src=../images/right-click-install-usercert.jpg>
3153     -<p>Open the folder which holds the certificates you have downloaded.<br>
3154     -Right-click on the certificate you wish to install, and select
3155     -<cite>Install PFX</cite> from the context menu.
3156     -<p><br><img src=../images/cert-wizard1-welcome.jpg >
3157     -<p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite>
3158     -welcome window.
3159     -<p><br><img src=../images/cert-wizard2-select-file.jpg>
3160     -<p>Click the <cite>Next</cite> button in the <cite>Select File to Import</cite> window.
3161     -<p><br><img src=../images/cert-wizard3-password.jpg>
3162     -<p>The personal e-mail certificate files created by PHPki contain an encrypted
3163     -copy of your private key. When your certficate was created, a password was
3164     -given to PHPki to encrypt the private key. The same password is used to
3165     -decrypt your private key and install the certificate. Do not forget or lose
3166     -this password as it cannot be recovered under any circumstance.
3167     -Select the <cite>Enable strong private key protection</cite> option if you
3168     -would like Windows to add an additional layer of password protection to use
3169     -your certificate. This is not necessary, and will not be covered further here.
3170     -There is no need to select the <cite>Mark the private key as exportable</cite>
3171     -option. Enter your certificate password and click the <cite>Next</cite> button
3172     -in the <cite>Password Protection for Private Keys</cite> window.
3173     -<p><br><img src=../images/cert-wizard4-select-store.jpg>
3174     -<p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.
3175     -<p><br><img src=../images/cert-wizard5-user-final.jpg>
3176     -<p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.
3177     -<p><br><img src=../images/import-successful.jpg>
3178     -<p>Windows confirms the root certificate was successfully imported.<br>
3179     + <center>
3180     + <h1>Personal E-mail Certificate Installation for Outlook &amp; Outlook Express</h1>
3181     +
3182     + <h2>A Step-by-Step Guide</h2>
3183     + </center><br>
3184     +
3185     + <p><img src="../images/right-click-install-usercert.jpg"></p>
3186     +
3187     + <p>Open the folder which holds the certificates you have downloaded.<br>
3188     + Right-click on the certificate you wish to install, and select <cite>Install PFX</cite> from the context menu.</p>
3189     +
3190     + <p><br>
3191     + <img src="../images/cert-wizard1-welcome.jpg"></p>
3192     +
3193     + <p>Click the <cite>Next</cite> button in the <cite>Certificate Wizard</cite> welcome window.</p>
3194     +
3195     + <p><br>
3196     + <img src="../images/cert-wizard2-select-file.jpg"></p>
3197     +
3198     + <p>Click the <cite>Next</cite> button in the <cite>Select File to Import</cite> window.</p>
3199     +
3200     + <p><br>
3201     + <img src="../images/cert-wizard3-password.jpg"></p>
3202     +
3203     + <p>The personal e-mail certificate files created by PHPki contain an encrypted copy of your private key. When your certficate was created, a password was given to PHPki to encrypt the private key. The same password is used to decrypt your private key and install the certificate. Do not forget or lose this password as it cannot be recovered under any circumstance. Select the <cite>Enable strong private key protection</cite> option if you would like Windows to add an additional layer of password protection to use your certificate. This is not necessary, and will not be covered further here. There is no need to select the <cite>Mark the private key as exportable</cite> option. Enter your certificate password and click the <cite>Next</cite> button in the <cite>Password Protection for Private Keys</cite> window.</p>
3204     +
3205     + <p><br>
3206     + <img src="../images/cert-wizard4-select-store.jpg"></p>
3207     +
3208     + <p>Click the <cite>Next</cite> button in the <cite>Select a Certificate Store</cite> window.</p>
3209     +
3210     + <p><br>
3211     + <img src="../images/cert-wizard5-user-final.jpg"></p>
3212     +
3213     + <p>Click the <cite>Finish</cite> button in the <cite>Complete the Certificate..</cite> window.</p>
3214     +
3215     + <p><br>
3216     + <img src="../images/import-successful.jpg"></p>
3217    
3218     -</h4>
3219     + <p>Windows confirms the root certificate was successfully imported.<br></p>
3220     </body>
3221     </html>
3222     diff -ruN phpki-ng.old/phpki-ng-0.84/help.php phpki-ng/phpki-ng-0.84/help.php
3223     --- phpki-ng.old/phpki-ng-0.84/help.php 2020-04-02 14:22:47.000000000 +0200
3224     +++ phpki-ng/phpki-ng-0.84/help.php 2021-03-07 19:33:03.076323787 +0100
3225     @@ -5,11 +5,12 @@
3226    
3227     printHeader(about);
3228     ?>
3229     -<center><h1>PHPki HELP FILES</h1>
3230     -<a href=<?php echo BASE_URL?>help/PKI_basics.html><h3>PKI and E-mail Encryption - A Brief Explanation</h3></a>
3231     -<a href=<?php echo BASE_URL?>help/cacert_install_ie.html><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a>
3232     -<p><a href=<?php echo BASE_URL?>help/usercert_install_ie.html><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a>
3233     -<p><a href=<?php echo BASE_URL?>help/glossary.html><h3>Glossary</h3></a>
3234     +<center>
3235     + <h1>PHPki HELP FILES</h1>
3236     + <p><a href="<?php echo BASE_URL?>"help/PKI_basics.html><h3>PKI and E-mail Encryption - A Brief Explanation</h3></a></p>
3237     + <p><a href="<?php echo BASE_URL?>"help/cacert_install_ie.html><h3>Installing Our Root Certificate For Use With Outlook and Outlook Express</h3></a></p>
3238     + <p><a href="<?php echo BASE_URL?>"help/usercert_install_ie.html><h3>Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express</h3></a></p>
3239     + <p><a href="<?php echo BASE_URL?>"help/glossary.html><h3>Glossary</h3></a></p>
3240     </center>
3241     <?php
3242     printFooter();
3243     diff -ruN phpki-ng.old/phpki-ng-0.84/include/common.php phpki-ng/phpki-ng-0.84/include/common.php
3244     --- phpki-ng.old/phpki-ng-0.84/include/common.php 2020-04-02 14:22:47.000000000 +0200
3245     +++ phpki-ng/phpki-ng-0.84/include/common.php 2021-03-07 19:33:03.077323802 +0100
3246     @@ -2,46 +2,48 @@
3247    
3248     umask(0007);
3249    
3250     -if (isset($_SERVER['PHP_AUTH_USER']))
3251     - $PHPki_user = md5($_SERVER['PHP_AUTH_USER']);
3252     -else
3253     - $PHPki_user = md5('default');
3254     +if (isset($_SERVER['PHP_AUTH_USER'])) {
3255     + $PHPki_user = md5($_SERVER['PHP_AUTH_USER']);
3256     +} else {
3257     + $PHPki_user = md5('default');
3258     +}
3259    
3260     $PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, "utf-8");
3261    
3262    
3263     -function printHeader($withmenu="default") {
3264     - global $config;
3265     - $title = ($config['header_title']?$config['header_title']:'PHPki Certificate Authority');
3266     -
3267     - switch ($withmenu) {
3268     - case 'public':
3269     - case 'about':
3270     - case 'setup':
3271     - $style_css = './css/style.css';
3272     - break;
3273     - case 'ca':
3274     - case 'admin':
3275     - default:
3276     - $style_css = '../css/style.css';
3277     - break;
3278     - }
3279     +function printHeader($withmenu = "default")
3280     +{
3281     + global $config;
3282     + $title = ($config['header_title']?$config['header_title']:'PHPki Certificate Authority');
3283     +
3284     + switch ($withmenu) {
3285     + case 'public':
3286     + case 'about':
3287     + case 'setup':
3288     + $style_css = './css/style.css';
3289     + break;
3290     + case 'ca':
3291     + case 'admin':
3292     + default:
3293     + $style_css = '../css/style.css';
3294     + break;
3295     + }
3296    
3297     - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
3298     - header("Expires: -1");
3299     + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
3300     + header("Expires: -1");
3301     header("Cache-Control: no-store, no-cache, must-revalidate");
3302     header("Cache-Control: post-check=0, pre-check=0", false);
3303     header("Pragma: no-cache");
3304    
3305     - ?>
3306     - <!DOCTYPE html>
3307     - <head>
3308     - <meta charset="utf-8">
3309     - <title>PHPki: <?php echo $title?> </title>
3310     - <link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
3311     - <script type="text/javascript" language="javascript">
3312     + ?>
3313     + <!DOCTYPE html>
3314     + <head>
3315     + <meta charset="utf-8">
3316     + <title>PHPki: <?php echo $title?> </title>
3317     + <link rel="stylesheet" type="text/css" href="<?php echo $style_css?>">
3318     + <script type="text/javascript" language="javascript">
3319    
3320     - function setVisibility(rowName, show) {
3321     + function setVisibility(rowName, show) {
3322     // Tabellenzelle ermitteln
3323    
3324     var actualVisibility=document.getElementById(rowName).style.visibility;
3325     @@ -53,96 +55,94 @@
3326     document.getElementById(rowName).style.visibility = "visible";
3327     document.getElementById(rowName).style.display = "";
3328     }
3329     - }
3330     + }
3331    
3332     - </script>
3333     - </head>
3334     - <body>
3335     - <?php
3336     -
3337     - if (isKonq()) {
3338     - $logoclass = 'logo-konq';
3339     - $titleclass = 'title-konq';
3340     - $menuclass = 'headermenu-konq';
3341     - }
3342     - else {
3343     - $logoclass = 'logo-ie';
3344     - $titleclass = 'title-ie';
3345     - $menuclass = 'headermenu-ie';
3346     - }
3347     -
3348     - ?>
3349     - <div class="<?php echo $logoclass?>">PHPki</div>
3350     - <div class="<?php echo $titleclass?>"><?php echo $title?></div>
3351     - <?php
3352     -
3353     - switch ($withmenu) {
3354     - case false:
3355     - case 'about':
3356     - break;
3357     - case 'setup':
3358     - ?>
3359     - <div class="<?php echo $menuclass?>">
3360     - <a class="<?php echo $menuclass?>" href="readme.php">ReadMe</a>
3361     - <a class="<?php echo $menuclass?>" href="setup.php">Setup</a>
3362     - <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
3363     - </div>
3364     - <?php
3365     - break;
3366     - case 'public':
3367     - print "<div class=$menuclass>";
3368     -
3369     - if (DEMO) {
3370     - print "<a class=$menuclass href=\"index.php\">Public</a>";
3371     - print "<a class=$menuclass href=\"ca/\">Manage</a>";
3372     - }
3373     - else {
3374     - print "<a class=$menuclass href=\"index.php\">Menu</a>";
3375     - }
3376     -
3377     - if (file_exists('policy.html')) {
3378     - print '<a class='.$menuclass.' style="color: red;" href="policy.html" target="help">Policy</a>';
3379     - }
3380     - ?>
3381     - <a class="<?php echo $menuclass?>" href="help.php" target="_help">Help</a>
3382     - <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
3383     - </div>
3384     - <?php
3385     - break;
3386     - case 'ca':
3387     - default:
3388     - print "<div class=$menuclass>";
3389     -
3390     - if (DEMO) {
3391     - print "<a class=$menuclass href=\"../index.php\">Public</a>";
3392     - print "<a class=$menuclass href=\"../ca/index.php\">Manage</a>";
3393     - }
3394     - else {
3395     - print "<a class=$menuclass href=\"index.php\">Menu</a>";
3396     - }
3397     -
3398     - if (file_exists('../policy.html')) {
3399     - print '<a class='.$menuclass.' style="color: red;" href="../policy.html" target="help">Policy</a>';
3400     - }
3401     - ?>
3402     - <a class="<?php echo $menuclass?>" href="../help.php" target="_help">Help</a>
3403     - <a class="<?php echo $menuclass?>" href="../about.php" target="_about">About</a>
3404     - </div>
3405     - <?php
3406     - }
3407     + </script>
3408     + </head>
3409     + <body>
3410     + <?php
3411     +
3412     + if (isKonq()) {
3413     + $logoclass = 'logo-konq';
3414     + $titleclass = 'title-konq';
3415     + $menuclass = 'headermenu-konq';
3416     + } else {
3417     + $logoclass = 'logo-ie';
3418     + $titleclass = 'title-ie';
3419     + $menuclass = 'headermenu-ie';
3420     + }
3421     +
3422     + ?>
3423     + <div class="<?php echo $logoclass?>">PHPki</div>
3424     + <div class="<?php echo $titleclass?>"><?php echo $title?></div>
3425     + <?php
3426     +
3427     + switch ($withmenu) {
3428     + case false:
3429     + case 'about':
3430     + break;
3431     + case 'setup':
3432     + ?>
3433     + <div class="<?php echo $menuclass?>">
3434     + <a class="<?php echo $menuclass?>" href="readme.php">ReadMe</a>
3435     + <a class="<?php echo $menuclass?>" href="setup.php">Setup</a>
3436     + <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
3437     + </div>
3438     + <?php
3439     + break;
3440     + case 'public':
3441     + print "<div class=$menuclass>";
3442     +
3443     + if (DEMO) {
3444     + print "<a class=$menuclass href=\"index.php\">Public</a>";
3445     + print "<a class=$menuclass href=\"ca/\">Manage</a>";
3446     + } else {
3447     + print "<a class=$menuclass href=\"index.php\">Menu</a>";
3448     + }
3449     +
3450     + if (file_exists('policy.html')) {
3451     + print '<a class='.$menuclass.' style="color: red;" href="policy.html" target="help">Policy</a>';
3452     + }
3453     + ?>
3454     + <a class="<?php echo $menuclass?>" href="help.php" target="_help">Help</a>
3455     + <a class="<?php echo $menuclass?>" href="about.php" target="_about">About</a>
3456     + </div>
3457     + <?php
3458     + break;
3459     + case 'ca':
3460     + default:
3461     + print "<div class=$menuclass>";
3462     +
3463     + if (DEMO) {
3464     + print "<a class=$menuclass href=\"../index.php\">Public</a>";
3465     + print "<a class=$menuclass href=\"../ca/index.php\">Manage</a>";
3466     + } else {
3467     + print "<a class=$menuclass href=\"index.php\">Menu</a>";
3468     + }
3469     +
3470     + if (file_exists('../policy.html')) {
3471     + print '<a class='.$menuclass.' style="color: red;" href="../policy.html" target="help">Policy</a>';
3472     + }
3473     + ?>
3474     + <a class="<?php echo $menuclass?>" href="../help.php" target="_help">Help</a>
3475     + <a class="<?php echo $menuclass?>" href="../about.php" target="_about">About</a>
3476     + </div>
3477     + <?php
3478     + }
3479    
3480     - ?><hr style="width:99%; align:left; color:#99caff;" /><?php
3481     + ?><hr style="width:99%; align:left; color:#99caff;" /><?php
3482     }
3483    
3484    
3485     -function printFooter() {
3486     - ?>
3487     - <br />
3488     - <hr style="width:99%; color:#99caff;" />
3489     - <p style="margin-top: -5px; font-size: 8pt; text-align:center;">PHPki v<?php echo PHPKI_VERSION?> - Copyright 2003 - William E. Roadcap</p>
3490     - </body>
3491     - </html>
3492     - <?php
3493     +function printFooter()
3494     +{
3495     + ?>
3496     + <br />
3497     + <hr style="width:99%; color:#99caff;" />
3498     + <p style="margin-top: -5px; font-size: 8pt; text-align:center;">PHPki v<?php echo PHPKI_VERSION?> - Copyright 2003 - William E. Roadcap</p>
3499     + </body>
3500     + </html>
3501     + <?php
3502     }
3503    
3504     ?>
3505     diff -ruN phpki-ng.old/phpki-ng-0.84/include/my_functions.php phpki-ng/phpki-ng-0.84/include/my_functions.php
3506     --- phpki-ng.old/phpki-ng-0.84/include/my_functions.php 2020-04-02 14:22:47.000000000 +0200
3507     +++ phpki-ng/phpki-ng-0.84/include/my_functions.php 2021-03-07 19:33:03.077323802 +0100
3508     @@ -5,49 +5,57 @@
3509     #
3510     # Returns TRUE if browser is Internet Explorer.
3511     #
3512     -function isIE() {
3513     - global $_SERVER;
3514     - return strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE');
3515     -}
3516     -
3517     -function isKonq() {
3518     - global $_SERVER;
3519     - return strstr($_SERVER['HTTP_USER_AGENT'], 'Konqueror');
3520     -}
3521     -
3522     -function isMoz() {
3523     - global $_SERVER;
3524     - return strstr($_SERVER['HTTP_USER_AGENT'], 'Gecko');
3525     +function isIE()
3526     +{
3527     + global $_SERVER;
3528     + return strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE');
3529     +}
3530     +
3531     +function isKonq()
3532     +{
3533     + global $_SERVER;
3534     + return strstr($_SERVER['HTTP_USER_AGENT'], 'Konqueror');
3535     +}
3536     +
3537     +function isMoz()
3538     +{
3539     + global $_SERVER;
3540     + return strstr($_SERVER['HTTP_USER_AGENT'], 'Gecko');
3541     }
3542    
3543    
3544     #
3545     # Force upload of specified file to browser.
3546     #
3547     -function upload($source, $destination, $content_type="application/octet-stream") {
3548     - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
3549     - header("Expires: -1");
3550     -# header("Cache-Control: no-store, no-cache, must-revalidate");
3551     -# header("Cache-Control: post-check=0, pre-check=0", false);
3552     -# header("Pragma: no-cache");
3553     +function upload($source, $destination, $content_type = "application/octet-stream")
3554     +{
3555     + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
3556     + header("Expires: -1");
3557     +# header("Cache-Control: no-store, no-cache, must-revalidate");
3558     +# header("Cache-Control: post-check=0, pre-check=0", false);
3559     +# header("Pragma: no-cache");
3560     header("Content-Type: $content_type");
3561    
3562     - if (is_array($source)) {
3563     - $fsize = 0;
3564     - foreach($source as $f) $fsize += filesize($f);
3565     - }
3566     - else {
3567     - $fsize = filesize($source);
3568     - }
3569     + if (is_array($source)) {
3570     + $fsize = 0;
3571     + foreach ($source as $f) {
3572     + $fsize += filesize($f);
3573     + }
3574     + } else {
3575     + $fsize = filesize($source);
3576     + }
3577    
3578     - header("Content-length: " . $fsize);
3579     + header("Content-length: " . $fsize);
3580     # header("Content-Disposition: attachment; filename=\"" . $destination ."\"");
3581     header("Content-Disposition: filename=\"" . $destination ."\"");
3582    
3583     - if (is_array($source))
3584     - foreach($source as $f) $ret = readfile($f);
3585     - else
3586     - $ret=readfile($source);
3587     + if (is_array($source)) {
3588     + foreach ($source as $f) {
3589     + $ret = readfile($f);
3590     + }
3591     + } else {
3592     + $ret=readfile($source);
3593     + }
3594    
3595     # $fd=fopen($source,'r');
3596     # fpassthru($fd);
3597     @@ -60,35 +68,51 @@
3598     # by field name. POST fields have precedence over GET fields.
3599     # Quoting/Slashes are stripped if magic quotes gpc is on.
3600     #
3601     -function gpvar($v) {
3602     - global $_GET, $_POST;
3603     +function gpvar($v)
3604     +{
3605     + global $_GET, $_POST;
3606     $x = "";
3607     - if (isset($_GET[$v])) $x = $_GET[$v];
3608     - if (isset($_POST[$v])) $x = $_POST[$v];
3609     - if (get_magic_quotes_gpc()) $x = stripslashes($x);
3610     - return $x;
3611     + if (isset($_GET[$v])) {
3612     + $x = $_GET[$v];
3613     + }
3614     + if (isset($_POST[$v])) {
3615     + $x = $_POST[$v];
3616     + }
3617     + if (get_magic_quotes_gpc()) {
3618     + $x = stripslashes($x);
3619     + }
3620     + return $x;
3621     }
3622    
3623    
3624     #
3625     # Sort a two multidimensional array by one of it's columns
3626     #
3627     -function csort($array, $column, $ascdec=SORT_ASC){
3628     +function csort($array, $column, $ascdec = SORT_ASC)
3629     +{
3630    
3631     - if (sizeof($array) == 0) return $array;
3632     + if (sizeof($array) == 0) {
3633     + return $array;
3634     + }
3635    
3636     // Sort by digital date rather than text date
3637     - if ($column == 'issued') $column = "issuedSort";
3638     - if ($column == 'expires') $column = 'expiresSort';
3639     + if ($column == 'issued') {
3640     + $column = "issuedSort";
3641     + }
3642     + if ($column == 'expires') {
3643     + $column = 'expiresSort';
3644     + }
3645    
3646     if ($column == 'status') {
3647     - foreach($array as $x) {
3648     - $sortarr[]=$x[$column];
3649     - $sortdate[] = $x['expiresSort'];
3650     - }
3651     + foreach ($array as $x) {
3652     + $sortarr[]=$x[$column];
3653     + $sortdate[] = $x['expiresSort'];
3654     + }
3655     array_multisort($sortarr, $ascdec, $sortdate, SORT_ASC, $array);
3656     } else {
3657     - foreach($array as $x) $sortarr[]=$x[$column];
3658     + foreach ($array as $x) {
3659     + $sortarr[]=$x[$column];
3660     + }
3661     array_multisort($sortarr, $ascdec, $array);
3662     }
3663     return $array;
3664     @@ -99,11 +123,13 @@
3665     # Returns a value suitable for display in the browser.
3666     # Strips slashes if second argument is true.
3667     #
3668     -function htvar($v, $strip=false) {
3669     - if ($strip)
3670     - return htmlentities(stripslashes($v), 0, "UTF-8");
3671     - else
3672     - return htmlentities($v, 0, "UTF-8");
3673     +function htvar($v, $strip = false)
3674     +{
3675     + if ($strip) {
3676     + return htmlentities(stripslashes($v), 0, "UTF-8");
3677     + } else {
3678     + return htmlentities($v, 0, "UTF-8");
3679     + }
3680     }
3681    
3682    
3683     @@ -113,11 +139,13 @@
3684     # provided strings with single-quotes and quotes any
3685     # other dangerous characters.
3686     #
3687     -function escshellarg($v, $strip=false) {
3688     - if ($strip)
3689     - return escapeshellarg(stripslashes($v));
3690     - else
3691     - return escapeshellarg($v);
3692     +function escshellarg($v, $strip = false)
3693     +{
3694     + if ($strip) {
3695     + return escapeshellarg(stripslashes($v));
3696     + } else {
3697     + return escapeshellarg($v);
3698     + }
3699     }
3700    
3701    
3702     @@ -125,93 +153,103 @@
3703     # Similar to escshellarg(), but doesn't surround provided
3704     # string with single-quotes.
3705     #
3706     -function escshellcmd($v, $strip=false) {
3707     - if ($strip)
3708     - return escapeshellcmd(stripslashes($v));
3709     - else
3710     - return escapeshellarg($v);
3711     +function escshellcmd($v, $strip = false)
3712     +{
3713     + if ($strip) {
3714     + return escapeshellcmd(stripslashes($v));
3715     + } else {
3716     + return escapeshellarg($v);
3717     + }
3718     }
3719     -
3720     +
3721     #
3722     # Recursively strips slashes from a string or array.
3723     #
3724     -function stripslashes_array(&$a) {
3725     - if (is_array($a)) {
3726     - foreach($a as $k => $v) {
3727     - my_stripslashes($a[$k]);
3728     - }
3729     - }
3730     - else {
3731     - $a = stripslashes($a);
3732     - }
3733     +function stripslashes_array(&$a)
3734     +{
3735     + if (is_array($a)) {
3736     + foreach ($a as $k => $v) {
3737     + my_stripslashes($a[$k]);
3738     + }
3739     + } else {
3740     + $a = stripslashes($a);
3741     + }
3742     }
3743    
3744    
3745     #
3746     # Don't use this.
3747     #
3748     -function undo_magic_quotes(&$a) {
3749     - if(get_magic_quotes_gpc()) {
3750     - global $HTTP_POST_VARS, $HTTP_GET_VARS;
3751     -
3752     - foreach($HTTP_POST_VARS as $k => $v) {
3753     - stripslashes_array($HTTP_POST_VARS[$k]);
3754     - global $$k;
3755     - stripslashes_array($$k);
3756     - }
3757     - foreach($HTTP_GET_VARS as $k => $v) {
3758     - stripslashes_array($HTTP_GET_VARS[$k]);
3759     - global $$k;
3760     - stripslashes_array($$k);
3761     - }
3762     - }
3763     +function undo_magic_quotes(&$a)
3764     +{
3765     + if (get_magic_quotes_gpc()) {
3766     + global $HTTP_POST_VARS, $HTTP_GET_VARS;
3767     +
3768     + foreach ($HTTP_POST_VARS as $k => $v) {
3769     + stripslashes_array($HTTP_POST_VARS[$k]);
3770     + global $$k;
3771     + stripslashes_array($$k);
3772     + }
3773     + foreach ($HTTP_GET_VARS as $k => $v) {
3774     + stripslashes_array($HTTP_GET_VARS[$k]);
3775     + global $$k;
3776     + stripslashes_array($$k);
3777     + }
3778     + }
3779     }
3780    
3781     #
3782     # Returns TRUE if argument contains only alphabetic characters.
3783     #
3784     -function is_alpha($v) {
3785     - #return (eregi('[^A-Z]',$v) ? false : true) ;
3786     - #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
3787     - return (preg_match('/[^A-Z]/i',$v) ? false : true) ;
3788     +function is_alpha($v)
3789     +{
3790     + #return (eregi('[^A-Z]',$v) ? false : true) ;
3791     + #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
3792     + return (preg_match('/[^A-Z]/i', $v) ? false : true) ;
3793     }
3794    
3795     #
3796     # Returns TRUE if argument contains only numeric characters.
3797     #
3798     -function is_num($v) {
3799     - #return (eregi('[^0-9]',$v) ? false : true) ;
3800     - return (preg_match('/[^0-9]/',$v) ? false : true) ; # Replaced eregi() with preg_match()
3801     +function is_num($v)
3802     +{
3803     + #return (eregi('[^0-9]',$v) ? false : true) ;
3804     + return (preg_match('/[^0-9]/', $v) ? false : true) ; # Replaced eregi() with preg_match()
3805     }
3806    
3807     #
3808     # Returns TRUE if argument contains only alphanumeric characters.
3809     #
3810     -function is_alnum($v) {
3811     - #return (eregi('[^A-Z0-9]',$v) ? false : true) ;
3812     - return (preg_match('/[^A-Z0-9]/i',$v) ? false : true) ; # Replaced eregi() with preg_match()
3813     +function is_alnum($v)
3814     +{
3815     + #return (eregi('[^A-Z0-9]',$v) ? false : true) ;
3816     + return (preg_match('/[^A-Z0-9]/i', $v) ? false : true) ; # Replaced eregi() with preg_match()
3817     }
3818    
3819     #
3820     # Returns TRUE if argument is in proper e-mail address format.
3821     #
3822     -function is_email($v) {
3823     - #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
3824     - return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i',$v) ? true : false); # Replaced eregi() with preg_match()
3825     +function is_email($v)
3826     +{
3827     + #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
3828     + return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i', $v) ? true : false); # Replaced eregi() with preg_match()
3829     }
3830    
3831     #
3832     # Returns True if the given string is a IP address
3833     #
3834     -function is_ip( $ip = null ) {
3835     - if( !$ip or strlen(trim($ip)) == 0){
3836     +function is_ip($ip = null)
3837     +{
3838     + if (!$ip or strlen(trim($ip)) == 0) {
3839     return false;
3840     }
3841     $ip=trim($ip);
3842     - if(preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/",$ip)) {
3843     - foreach(explode(".", $ip) as $block)
3844     - if($block<0 || $block>255 )
3845     + if (preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/", $ip)) {
3846     + foreach (explode(".", $ip) as $block) {
3847     + if ($block<0 || $block>255) {
3848     return false;
3849     + }
3850     + }
3851     return true;
3852     }
3853     return false;
3854     @@ -220,9 +258,10 @@
3855     #
3856     # Returns True if the given string is a valid FQDN
3857     #
3858     -function is_fqdn($FQDN) {
3859     +function is_fqdn($FQDN)
3860     +{
3861     // remove leading wildcard characters if exist
3862     - $FQDN = preg_replace('/^\*\./','', $FQDN, 1);
3863     + $FQDN = preg_replace('/^\*\./', '', $FQDN, 1);
3864     return (!empty($FQDN) && preg_match('/^(?=.{1,254}$)((?=[a-z0-9-]{1,63}\.)(xn--+)?[a-z0-9]+(-[a-z0-9]+)*\.)+(xn--+)?[a-z0-9]{2,63}$/i', $FQDN) > 0);
3865     }
3866    
3867     @@ -231,26 +270,31 @@
3868     # as a match is found.
3869     #
3870    
3871     -function eregi_array($regexp, $arr) {
3872     +function eregi_array($regexp, $arr)
3873     +{
3874    
3875     - foreach ($arr as $elem) {
3876     - #if (eregi($regexp,$elem))
3877     - if (! preg_match('/^\/.*\/$/', $regexp)) # if it doesn't begin and end with '/'
3878     - $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
3879     - if (preg_match($regexp.'i',$elem)) # Replaced eregi() with preg_match()
3880     - return true;
3881     - }
3882     - return false;
3883     + foreach ($arr as $elem) {
3884     + #if (eregi($regexp,$elem))
3885     + if (! preg_match('/^\/.*\/$/', $regexp)) { # if it doesn't begin and end with '/'
3886     + $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
3887     + }
3888     + if (preg_match($regexp.'i', $elem)) { # Replaced eregi() with preg_match()
3889     + return true;
3890     + }
3891     + }
3892     + return false;
3893     }
3894     #
3895     # Reads entire file into a string
3896     # Same as file_get_contents in php >= 4.3.0
3897     #
3898     -function my_file_get_contents($f) {
3899     - return implode('', file($f));
3900     +function my_file_get_contents($f)
3901     +{
3902     + return implode('', file($f));
3903     }
3904    
3905     -function getOSInformation() {
3906     +function getOSInformation()
3907     +{
3908     if (false == function_exists("shell_exec")) {
3909     return null;
3910     }
3911     @@ -261,4 +305,3 @@
3912     return null;
3913     }
3914     }
3915     -?>
3916     diff -ruN phpki-ng.old/phpki-ng-0.84/include/openssl_functions.php phpki-ng/phpki-ng-0.84/include/openssl_functions.php
3917     --- phpki-ng.old/phpki-ng-0.84/include/openssl_functions.php 2020-04-02 14:22:47.000000000 +0200
3918     +++ phpki-ng/phpki-ng-0.84/include/openssl_functions.php 2021-03-07 19:33:03.078323817 +0100
3919     @@ -5,64 +5,88 @@
3920     // File name is placed in ./tmp with a random name. It lingers unless
3921     // removed manually.
3922     //
3923     -function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=2048,$dns_names='',$ip_addr='',$serial='') {
3924     - global $config, $PHPki_user;
3925     +function CA_create_cnf($country = '', $province = '', $locality = '', $organization = '', $unit = '', $common_name = '', $email = '', $keysize = 2048, $dns_names = '', $ip_addr = '', $serial = '')
3926     +{
3927     + global $config, $PHPki_user;
3928     +
3929     + $issuer = $PHPki_user;
3930     + $count_dns = 0;
3931     + $count_ip = 0;
3932     + $alt_names = "";
3933     +
3934     + if (! $dns_names == '') {
3935     + $dns_n=explode("\n", $dns_names);
3936     + $count_dns = $count_dns + 1;
3937     + $alt_names .= "DNS.$count_dns = $common_name\n";
3938     + foreach ($dns_n as $value) {
3939     + if (! $value == '') {
3940     + $count_dns = $count_dns + 1;
3941     + $alt_names .= "DNS.$count_dns = ".trim($value)."\n";
3942     + }
3943     + }
3944     + }
3945     +
3946     + if (! $ip_addr == '') {
3947     + $ip_ar=explode("\n", $ip_addr);
3948     + foreach ($ip_ar as $value) {
3949     + if (! $value == '') {
3950     + $count_dns = $count_dns + 1;
3951     + $count_ip = $count_ip + 1;
3952     + # reetp IP should not be added to a DNS entry
3953     + #$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
3954     + $alt_names .= "IP.$count_ip = ".trim($value)."\n";
3955     + }
3956     + }
3957     + }
3958     +
3959     + if (($count_dns > 0) || ($count_ip > 0)) {
3960     + $server_altnames = "@alt_names";
3961     + } else {
3962     + $server_altnames = "DNS:$common_name,email:copy";
3963     + }
3964     +
3965     + $configHOME = $config['home_dir'];
3966     + $configRANDFILE = $config['random'];
3967     + $configCa_dir = $config['ca_dir'];
3968     + $configCert_dir = $config['cert_dir'];
3969     + $configCrl_dir = $config['crl_dir'];
3970     + $configDatabase = $config['index'];
3971     + $configNew_certs_dir = $config['new_certs_dir'];
3972     + $configPrivate_dir = $config['private_dir'];
3973     + $configSerial = $config['serial'];
3974     + $configCacert_pem = $config['cacert_pem'];
3975     + $configCacrl_pem = $config['cacrl_pem'];
3976     + $configCakey = $config['cakey'];
3977     + $configDefault_md = $config['default_md'];
3978     + $configBase_url = $config['base_url'];
3979     + $configCrl_dist = $config['crl_distrib'];
3980     + $configComment_root = $config['comment_root'];
3981     + $configPolicy_url = $config['policy_url'];
3982     + $configRevoke_url = $config['revoke_url'];
3983     + $configComment_email = $config['comment_email'];
3984     + $configComment_sign = $config['comment_sign'];
3985     + $configComment_srv = $config['comment_srv'];
3986     +
3987    
3988     - $issuer = $PHPki_user;
3989     - $count_dns = 0;
3990     - $count_ip = 0;
3991     - $alt_names = "";
3992     -
3993     - if (! $dns_names == '') {
3994     -
3995     - $dns_n=explode("\n", $dns_names);
3996     - $count_dns = $count_dns + 1;
3997     - $alt_names .= "DNS.$count_dns = $common_name\n";
3998     - foreach ($dns_n as $value) {
3999     - if (! $value == '') {
4000     - $count_dns = $count_dns + 1;
4001     - $alt_names .= "DNS.$count_dns = ".trim($value)."\n";
4002     - }
4003     - }
4004     - }
4005     -
4006     - if (! $ip_addr == '') {
4007     - $ip_ar=explode("\n", $ip_addr);
4008     - foreach ($ip_ar as $value) {
4009     - if (! $value == '') {
4010     - $count_dns = $count_dns + 1;
4011     - $count_ip = $count_ip + 1;
4012     - # reetp IP should not be added to a DNS entry
4013     - #$alt_names .= "DNS.$count_dns = ".trim($value)."\n";
4014     - $alt_names .= "IP.$count_ip = ".trim($value)."\n";
4015     - }
4016     - }
4017     - }
4018     -
4019     - if (($count_dns > 0) || ($count_ip > 0)) {
4020     - $server_altnames = "@alt_names";
4021     - } else {
4022     - $server_altnames = "DNS:$common_name,email:copy";
4023     - }
4024     -
4025     - $cnf_contents = "
4026     -HOME = $config[home_dir]
4027     -RANDFILE = $config[random]
4028     -dir = $config[ca_dir]
4029     -certs = $config[cert_dir]
4030     -crl_dir = $config[crl_dir]
4031     -database = $config[index]
4032     -new_certs_dir = $config[new_certs_dir]
4033     -private_dir = $config[private_dir]
4034     -serial = $config[serial]
4035     -certificate = $config[cacert_pem]
4036     -crl = $config[cacrl_pem]
4037     -private_key = $config[cakey]
4038     +
4039     + $cnf_contents = "
4040     +HOME = $configHOME
4041     +RANDFILE = $configRANDFILE
4042     +dir = $configCa_dir
4043     +certs = $configCert_dir
4044     +crl_dir = $configCrl_dir
4045     +database = $configDatabase
4046     +new_certs_dir = $configNew_certs_dir
4047     +private_dir = $configPrivate_dir
4048     +serial = $configSerial
4049     +certificate = $configCacert_pem
4050     +crl = $configCacrl_pem
4051     +private_key = $configCakey
4052     crl_extentions = crl_ext
4053     default_days = 365
4054     default_crl_days = 30
4055     preserve = no
4056     -default_md = $config[default_md]
4057     +default_md = $configDefault_md
4058    
4059     [ req ]
4060     default_bits = $keysize
4061     @@ -108,7 +132,7 @@
4062     x509_extensions = vpn_client_server_ext
4063     default_days = 365
4064     policy = policy_supplied
4065     -
4066     +
4067     [ time_stamping_cert ]
4068     x509_extensions = time_stamping_ext
4069     default_days = 365
4070     @@ -137,10 +161,10 @@
4071     nsCertType = sslCA, emailCA, objCA
4072     subjectKeyIdentifier = hash
4073     subjectAltName = email:copy
4074     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
4075     -nsComment = $config[comment_root]
4076     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
4077     +nsComment = $configComment_root
4078     #nsCaRevocationUrl =
4079     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
4080     +nsCaPolicyUrl = $configBase_url$configPolicy_url
4081    
4082     [ email_ext ]
4083     basicConstraints = critical, CA:false
4084     @@ -151,11 +175,11 @@
4085     authorityKeyIdentifier = keyid:always, issuer:always
4086     subjectAltName = email:copy
4087     issuerAltName = issuer:copy
4088     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
4089     -nsComment = $config[comment_email]
4090     -nsBaseUrl = $config[base_url]
4091     -nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
4092     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
4093     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
4094     +nsComment = $configComment_email
4095     +nsBaseUrl = $configBase_url
4096     +nsRevocationUrl = $configBase_url$configRevoke_url$serial
4097     +nsCaPolicyUrl = $configBase_url$configPolicy_url
4098    
4099     [ email_signing_ext ]
4100     basicConstraints = critical, CA:false
4101     @@ -166,11 +190,11 @@
4102     authorityKeyIdentifier = keyid:always, issuer:always
4103     subjectAltName = email:copy
4104     issuerAltName = issuer:copy
4105     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
4106     -nsComment = $config[comment_sign]
4107     -nsBaseUrl = $config[base_url]
4108     -nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
4109     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
4110     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
4111     +nsComment = $configComment_sign
4112     +nsBaseUrl = $configBase_url
4113     +nsRevocationUrl = $configBase_url$configRevoke_url$serial
4114     +nsCaPolicyUrl = $configBase_url$configPolicy_url
4115    
4116     [ server_ext ]
4117     basicConstraints = critical, CA:false
4118     @@ -181,11 +205,11 @@
4119     authorityKeyIdentifier = keyid:always, issuer:always
4120     subjectAltName = $server_altnames
4121     issuerAltName = issuer:copy
4122     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
4123     -nsComment = $config[comment_srv]
4124     -nsBaseUrl = $config[base_url]
4125     -nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
4126     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
4127     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
4128     +nsComment = $configComment_srv
4129     +nsBaseUrl = $configBase_url
4130     +nsRevocationUrl = $configBase_url$configRevoke_url$serial
4131     +nsCaPolicyUrl = $configBase_url$configPolicy_url
4132    
4133     [ time_stamping_ext ]
4134     basicConstraints = CA:false
4135     @@ -195,10 +219,10 @@
4136     authorityKeyIdentifier = keyid:always, issuer:always
4137     subjectAltName = DNS:$common_name,email:copy
4138     issuerAltName = issuer:copy
4139     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
4140     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
4141     nsComment = $config[comment_stamp]
4142     -nsBaseUrl = $config[base_url]
4143     -nsRevocationUrl = $config[base_url]$config[revoke_url]$serial
4144     +nsBaseUrl = $configBase_url
4145     +nsRevocationUrl = $configBase_url$configRevoke_url$serial
4146    
4147     [ vpn_client_ext ]
4148     basicConstraints = critical, CA:false
4149     @@ -232,13 +256,13 @@
4150     ";
4151    
4152    
4153     - # Write out the config file.
4154     - $cnf_file = tempnam('../../tmp','cnf-'); // Why is this not in the phpki dir ? why ../../ ?
4155     - $handle = fopen($cnf_file,"w");
4156     - fwrite($handle, $cnf_contents);
4157     - fclose($handle);
4158     -
4159     - return($cnf_file);
4160     + # Write out the config file.
4161     + $cnf_file = tempnam('../../tmp', 'cnf-'); // Why is this not in the phpki dir ? why ../../ ?
4162     + $handle = fopen($cnf_file, "w");
4163     + fwrite($handle, $cnf_contents);
4164     + fclose($handle);
4165     +
4166     + return($cnf_file);
4167     }
4168    
4169     //
4170     @@ -247,242 +271,264 @@
4171     // Fields: serial, country, province, locality, organization,
4172     // issuer, unit, common_name, email
4173     //
4174     -function CAdb_to_array($search = '.*') {
4175     - global $config;
4176     -
4177     - # Prepend a default status to search string if missing.
4178     - #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
4179     - if (! preg_match("/^\^\[.*\]/", $search)) $search = '^[VRE].*'.$search;
4180     - # Include valid certs?
4181     - #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
4182     - if (preg_match('/^\^\[.*V.*\]/',$search)) $inclval = true;
4183     - # Include revoked certs?
4184     - #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
4185     - if (preg_match('/^\^\[.*R.*\]/',$search)) $inclrev = true;
4186     - # Include expired certs?
4187     - #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
4188     - if (preg_match('/^\^\[.*E.*\]/',$search)) $inclexp = true;
4189     -
4190     - # There isn't really a status of 'E' in the openssl index.
4191     - # Change (E)xpired to (V)alid within the search string.
4192     - #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
4193     - $search = preg_replace('/^(\^\[.*)E(.*\])/','${1}V${2}',$search);
4194     -
4195     - $db = array();
4196     - exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
4197     - foreach($x as $y) {
4198     - $i = CAdb_explode_entry($y);
4199     - if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp))
4200     - $db[$i['serial']] = $i;
4201     - }
4202     +function CAdb_to_array($search = '.*')
4203     +{
4204     + global $config;
4205     +
4206     + # Prepend a default status to search string if missing.
4207     + #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search;
4208     + if (! preg_match("/^\^\[.*\]/", $search)) {
4209     + $search = '^[VRE].*'.$search;
4210     + }
4211     + # Include valid certs?
4212     + #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true;
4213     + if (preg_match('/^\^\[.*V.*\]/', $search)) {
4214     + $inclval = true;
4215     + }
4216     + # Include revoked certs?
4217     + #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true;
4218     + if (preg_match('/^\^\[.*R.*\]/', $search)) {
4219     + $inclrev = true;
4220     + }
4221     + # Include expired certs?
4222     + #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true;
4223     + if (preg_match('/^\^\[.*E.*\]/', $search)) {
4224     + $inclexp = true;
4225     + }
4226     +
4227     + # There isn't really a status of 'E' in the openssl index.
4228     + # Change (E)xpired to (V)alid within the search string.
4229     + #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search);
4230     + $search = preg_replace('/^(\^\[.*)E(.*\])/', '${1}V${2}', $search);
4231     +
4232     + $db = array();
4233     + exec('egrep -i '.escshellarg($search).' '.$config['index'], $x);
4234     + foreach ($x as $y) {
4235     + $i = CAdb_explode_entry($y);
4236     + if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp)) {
4237     + $db[$i['serial']] = $i;
4238     + }
4239     + }
4240    
4241     - return($db);
4242     + return($db);
4243     }
4244    
4245    
4246     //
4247     // Returns an array containing the index record for
4248     // certificate $serial.
4249     -//
4250     -function CAdb_get_entry($serial) {
4251     - global $config;
4252     - $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$";
4253     - $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
4254     - if ($x)
4255     - return CAdb_explode_entry($x);
4256     - else {
4257     - return false;
4258     - }
4259     +//
4260     +function CAdb_get_entry($serial)
4261     +{
4262     + global $config;
4263     + $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$";
4264     + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
4265     + if ($x) {
4266     + return CAdb_explode_entry($x);
4267     + } else {
4268     + return false;
4269     + }
4270     }
4271    
4272    
4273     //
4274     -// Returns the serial number of a VALID certificate matching
4275     +// Returns the serial number of a VALID certificate matching
4276     // $email and/or $name. Returns FALSE if no match is found.
4277     //
4278     -function CAdb_in($email="", $name="") {
4279     - global $config;
4280     - $email = escshellcmd($email);
4281     - $name = escshellcmd($name);
4282     - $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email";
4283     - $x =exec('egrep '.escshellarg($regexp).' '.$config['index']);
4284     +function CAdb_in($email = "", $name = "")
4285     +{
4286     + global $config;
4287     + $email = escshellcmd($email);
4288     + $name = escshellcmd($name);
4289     + $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email";
4290     + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
4291    
4292     if ($x) {
4293     - list($j,$j,$j,$serial,$j,$j) = explode("\t", $x);
4294     - return "$serial";
4295     - }
4296     - else
4297     - return false;
4298     + list($j,$j,$j,$serial,$j,$j) = explode("\t", $x);
4299     + return "$serial";
4300     + } else {
4301     + return false;
4302     + }
4303     }
4304    
4305    
4306     //
4307     // Alias for CAdb_in()
4308     //
4309     -function CAdb_serial($email, $name='') {
4310     - return CAdb_in($email, $name='');
4311     +function CAdb_serial($email, $name = '')
4312     +{
4313     + return CAdb_in($email, $name = '');
4314     }
4315    
4316     //
4317     // Alias for CAdb_in()
4318     //
4319     -function CAdb_exists($email, $name='') {
4320     - return CAdb_in($email, $name='');
4321     +function CAdb_exists($email, $name = '')
4322     +{
4323     + return CAdb_in($email, $name = '');
4324     }
4325    
4326    
4327     //
4328     // Returns the certificate 'issuer'
4329     //
4330     -function CAdb_issuer($serial) {
4331     - global $config;
4332     - $rec = CAdb_get_entry($serial);
4333     - return $rec['issuer'];
4334     +function CAdb_issuer($serial)
4335     +{
4336     + global $config;
4337     + $rec = CAdb_get_entry($serial);
4338     + return $rec['issuer'];
4339     }
4340    
4341     //
4342     // Returns an array containing the respective fields given a
4343     // a raw line ($dbentry) from the certificate index.
4344     -// Fields: serial, country, province locality, organization,
4345     +// Fields: serial, country, province locality, organization,
4346     // issuer, unit, common_name, email
4347     //
4348     -function CAdb_explode_entry($dbentry) {
4349     - $a = explode("\t", $dbentry);
4350     - $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]);
4351     -
4352     - switch ($a[0]) {
4353     - case "V":
4354     - $db['status'] = "Valid";
4355     - break;
4356     - case "R":
4357     - $db['status'] = "Revoked";
4358     - break;
4359     - }
4360     -
4361     - // CA_cert_start/enddate
4362     - // A date will be returned in this format
4363     - // Feb 27 16:00:09 2020 GMT
4364     - // Add a 'digital' sort key for digital date sorting later
4365     - sscanf(CA_cert_startdate($a[3]),"%s%s%s%s", $mm,$dd,$tt,$yy);
4366     - $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
4367     - $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
4368     -
4369     - sscanf(CA_cert_enddate($a[3]), "%s%s%s%s",$mm,$dd,$tt,$yy);
4370     - $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
4371     - $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
4372     -
4373     - if (time() > strtotime("$yy-$mm-$dd")) {
4374     - $db['status'] = "Expired";
4375     - }
4376     -
4377     -
4378     - // Compatibility with migrated certs from openvpn-bridge
4379     - if(count($b) == 7){
4380     - $db['serial'] = $a[3];
4381     - $db['country'] = $b[1];
4382     - $db['province'] = $b[2];
4383     - $db['locality'] = '';
4384     - $db['organization'] = $b[3];
4385     - $db['issuer'] = '';
4386     - $db['unit'] = $b[4];
4387     - $db['common_name'] = $b[5];
4388     - $db['email'] = $b[6];
4389     - }
4390     - // Compatibility with renewed certs from openvpn-bridge
4391     - elseif(count($b) == 8){
4392     - $db['serial'] = $a[3];
4393     - $db['country'] = $b[1];
4394     - $db['province'] = $b[2];
4395     - $db['locality'] = $b[3];
4396     - $db['organization'] = $b[4];
4397     - $db['issuer'] = '';
4398     - $db['unit'] = $b[5];
4399     - $db['common_name'] = $b[6];
4400     - $db['email'] = $b[7];
4401     - }
4402     - // Else, it's a certificate created with phpki
4403     - else{
4404     - $db['serial'] = $a[3];
4405     - $db['country'] = $b[1];
4406     - $db['province'] = $b[2];
4407     - $db['locality'] = $b[3];
4408     - $db['organization'] = $b[4];
4409     - $db['issuer'] = $b[5];
4410     - $db['unit'] = $b[6];
4411     - $db['common_name'] = $b[7];
4412     - $db['email'] = $b[8];
4413     - }
4414     +function CAdb_explode_entry($dbentry)
4415     +{
4416     + $a = explode("\t", $dbentry);
4417     + $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]);
4418     +
4419     + switch ($a[0]) {
4420     + case "V":
4421     + $db['status'] = "Valid";
4422     + break;
4423     + case "R":
4424     + $db['status'] = "Revoked";
4425     + break;
4426     + }
4427     +
4428     + // CA_cert_start/enddate
4429     + // A date will be returned in this format
4430     + // Feb 27 16:00:09 2020 GMT
4431     + // Add a 'digital' sort key for digital date sorting later
4432     + sscanf(CA_cert_startdate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy);
4433     + $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
4434     + $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
4435     +
4436     + sscanf(CA_cert_enddate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy);
4437     + $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd"));
4438     + $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd"));
4439     +
4440     + if (time() > strtotime("$yy-$mm-$dd")) {
4441     + $db['status'] = "Expired";
4442     + }
4443     +
4444     +
4445     + // Compatibility with migrated certs from openvpn-bridge
4446     + if (count($b) == 7) {
4447     + $db['serial'] = $a[3];
4448     + $db['country'] = $b[1];
4449     + $db['province'] = $b[2];
4450     + $db['locality'] = '';
4451     + $db['organization'] = $b[3];
4452     + $db['issuer'] = '';
4453     + $db['unit'] = $b[4];
4454     + $db['common_name'] = $b[5];
4455     + $db['email'] = $b[6];
4456     + } // Compatibility with renewed certs from openvpn-bridge
4457     + elseif (count($b) == 8) {
4458     + $db['serial'] = $a[3];
4459     + $db['country'] = $b[1];
4460     + $db['province'] = $b[2];
4461     + $db['locality'] = $b[3];
4462     + $db['organization'] = $b[4];
4463     + $db['issuer'] = '';
4464     + $db['unit'] = $b[5];
4465     + $db['common_name'] = $b[6];
4466     + $db['email'] = $b[7];
4467     + } // Else, it's a certificate created with phpki
4468     + else {
4469     + $db['serial'] = $a[3];
4470     + $db['country'] = $b[1];
4471     + $db['province'] = $b[2];
4472     + $db['locality'] = $b[3];
4473     + $db['organization'] = $b[4];
4474     + $db['issuer'] = $b[5];
4475     + $db['unit'] = $b[6];
4476     + $db['common_name'] = $b[7];
4477     + $db['email'] = $b[8];
4478     + }
4479    
4480     - return $db;
4481     + return $db;
4482     }
4483    
4484     //
4485     // Returns the date & time a specified certificate is revoked,
4486     // Returns FALSE if the certificate is not revoked.
4487     //
4488     -function CAdb_is_revoked($serial) {
4489     - global $config;
4490     - $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
4491     - $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
4492     -
4493     - if ($x) {
4494     - list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
4495     - // Revoke date = 'R' + start date and is in this format
4496     - // 200227162209Z
4497     - sscanf($revoke_date, "%2s%2s%2s",$yy,$mm,$dd);
4498     - return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
4499     - }
4500     - else
4501     - return false;
4502     +function CAdb_is_revoked($serial)
4503     +{
4504     + global $config;
4505     + $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
4506     + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']);
4507     +
4508     + if ($x) {
4509     + list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x);
4510     + // Revoke date = 'R' + start date and is in this format
4511     + // 200227162209Z
4512     + sscanf($revoke_date, "%2s%2s%2s", $yy, $mm, $dd);
4513     + return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd"));
4514     + } else {
4515     + return false;
4516     + }
4517     }
4518    
4519     //
4520     // Returns TRUE if a certificate is valid, otherwise FALSE.
4521     //
4522     -function CAdb_is_valid($serial) {
4523     - global $config;
4524     - $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$";
4525     -
4526     - if (exec('egrep '.escshellarg($regexp).' '.$config['index']))
4527     - return true;
4528     - else
4529     - return false;
4530     +function CAdb_is_valid($serial)
4531     +{
4532     + global $config;
4533     + $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$";
4534     +
4535     + if (exec('egrep '.escshellarg($regexp).' '.$config['index'])) {
4536     + return true;
4537     + } else {
4538     + return false;
4539     + }
4540     }
4541    
4542     //
4543     // Returns the long-form certificate description as output by
4544     // openssl x509 -in certificatefile -text -purpose
4545     //
4546     -function CA_cert_text($serial) {
4547     - global $config;
4548     - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4549     - return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1'));
4550     +function CA_cert_text($serial)
4551     +{
4552     + global $config;
4553     + $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4554     + return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1'));
4555     }
4556    
4557     //
4558     // Returns the long-form text of the Certificate Revocation List
4559     -// openssl crl -in crlfile -text
4560     +// openssl crl -in crlfile -text
4561     //
4562     -function CA_crl_text() {
4563     - global $config;
4564     - $crlfile = $config['cacrl_pem'];
4565     - return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
4566     +function CA_crl_text()
4567     +{
4568     + global $config;
4569     + $crlfile = $config['cacrl_pem'];
4570     + return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
4571     }
4572    
4573     // Returns the static takey.pem file
4574     -function ta_key_text() {
4575     +function ta_key_text()
4576     +{
4577     global $config;
4578     return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
4579     }
4580    
4581     // Returns the dhparam file
4582     -function dhparam_text() {
4583     +function dhparam_text()
4584     +{
4585     global $config;
4586     return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam2048.pem 2>&1'));
4587     }
4588    
4589     // Returns the root CA certificate file (PEM Encoded)
4590     -function root_pem_text() {
4591     +function root_pem_text()
4592     +{
4593     global $config;
4594     return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
4595     }
4596     @@ -490,416 +536,447 @@
4597     //
4598     // Returns the subject of a certificate.
4599     //
4600     -function CA_cert_subject($serial) {
4601     - global $config;
4602     - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4603     - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1');
4604     - return(str_replace('subject=', '', $x));
4605     +function CA_cert_subject($serial)
4606     +{
4607     + global $config;
4608     + $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4609     + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1');
4610     + return(str_replace('subject=', '', $x));
4611     }
4612    
4613     //
4614     // Returns the common name of a certificate.
4615     //
4616     -function CA_cert_cname($serial) {
4617     - global $config;
4618     - #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
4619     - return(preg_replace('/^.*\/CN=(.*)\/.*/','${1}',CA_cert_subject($serial)));
4620     -
4621     +function CA_cert_cname($serial)
4622     +{
4623     + global $config;
4624     + #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial)));
4625     + return(preg_replace('/^.*\/CN=(.*)\/.*/', '${1}', CA_cert_subject($serial)));
4626     }
4627    
4628     //
4629     // Returns the email address of a certificate.
4630     //
4631     -function CA_cert_email($serial) {
4632     - global $config;
4633     - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4634     - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1');
4635     - return($x);
4636     +function CA_cert_email($serial)
4637     +{
4638     + global $config;
4639     + $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4640     + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1');
4641     + return($x);
4642     }
4643    
4644     //
4645     // Returns the effective date of a certificate.
4646     //
4647     -function CA_cert_startdate($serial) {
4648     - global $config;
4649     - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4650     - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1');
4651     - return(str_replace('notBefore=','',$x));
4652     +function CA_cert_startdate($serial)
4653     +{
4654     + global $config;
4655     + $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4656     + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1');
4657     + return(str_replace('notBefore=', '', $x));
4658     }
4659    
4660     //
4661     // Returns the expiration date of a certificate.
4662     //
4663     -function CA_cert_enddate($serial) {
4664     - global $config;
4665     - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4666     - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1');
4667     - return(str_replace('notAfter=','',$x));
4668     +function CA_cert_enddate($serial)
4669     +{
4670     + global $config;
4671     + $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem';
4672     + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1');
4673     + return(str_replace('notAfter=', '', $x));
4674     }
4675    
4676     //
4677     // Revokes a specified certificate.
4678     //
4679     -function CA_revoke_cert($serial) {
4680     - global $config;
4681     -
4682     - $fd = fopen($config['index'],'a');
4683     - flock($fd, LOCK_EX);
4684     +function CA_revoke_cert($serial)
4685     +{
4686     + global $config;
4687     +
4688     + $fd = fopen($config['index'], 'a');
4689     + flock($fd, LOCK_EX);
4690     +
4691     + $certfile = $config['new_certs_dir'] . "/$serial.pem";
4692     + $cmd_output[] = 'Revoking the certificate.';
4693     + $configCa_pwd = $config['ca_pwd'];
4694     + $configOpenssl_cnf = $config['openssl_cnf'];
4695     + exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$ConfigCa_pwd 2>&1", $cmd_output, $ret);
4696     +
4697     + if ($ret == 0) {
4698     + unset($cmd_output);
4699     + list($ret, $cmd_output[]) = CA_generate_crl();
4700     + }
4701    
4702     - $certfile = "$config[new_certs_dir]/$serial.pem";
4703     -
4704     - $cmd_output[] = 'Revoking the certificate.';
4705     - exec(CA." -config '$config[openssl_cnf]' -revoke ".escshellarg($certfile)." -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret);
4706     -
4707     - if ($ret == 0) {
4708     - unset($cmd_output);
4709     - list($ret, $cmd_output[]) = CA_generate_crl();
4710     - }
4711     -
4712     - fclose($fd);
4713     + fclose($fd);
4714    
4715     - return array(($ret == true || $ret == 0 ? true : false), implode('<br>',$cmd_output));
4716     + return array(($ret == true || $ret == 0 ? true : false), implode('<br>', $cmd_output));
4717     }
4718    
4719     //
4720     // Creates a new certificate request, and certificate in various formats
4721     -// according to specified parameters. PKCS12 bundle files contain the
4722     +// according to specified parameters. PKCS12 bundle files contain the
4723     // private key, certificate, and CA certificate.
4724     //
4725     // Returns an array containing the output of failed openssl commands.
4726     //
4727     -function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=2048,$dns_names,$ip_addr) {
4728     - global $config;
4729     +function CA_create_cert($cert_type = 'email', $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize = 2048, $dns_names, $ip_addr)
4730     +{
4731     + global $config;
4732     +
4733     + # Wait here if another user has the database locked.
4734     + $fd = fopen($config['index'], "a");
4735     + flock($fd, LOCK_EX);
4736     +
4737     + # Get the next available serial number
4738     + $serial = trim(implode('', file($config['serial'])));
4739     +
4740     + $userkey = $config['private_dir'] . "/$serial-key.pem";
4741     + $userreq = $config['req_dir'] ."/$serial-req.pem";
4742     + $usercert = $config['new_certs_dir'].'/'.$serial.'.pem';
4743     + $userder = $config['cert_dir'] . "/$serial.der";
4744     + $userpfx = $config['pfx_dir'] . "/$serial.pfx";
4745     +
4746     + $expiry_days = round($expiry * 365.25, 0);
4747     +
4748     + $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email, $keysize, $dns_names, $ip_addr, $serial);
4749     +
4750     + # Escape certain dangerous characters in user input
4751     + $email = escshellcmd($email);
4752     + $_passwd = escshellarg($passwd);
4753     + $friendly_name = escshellarg($common_name);
4754     + $extensions = escshellarg($cert_type.'_ext');
4755     +
4756     + # Create the certificate request
4757     + unset($cmd_output);
4758     + $cmd_output[] = 'Creating certificate request.';
4759     +
4760     + if (($_passwd) && ($_passwd != "''")) {
4761     + exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd 2>&1", $cmd_output, $ret);
4762     + } else {
4763     + exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret);
4764     + }
4765     +
4766     + # Sign the certificate request and create the certificate
4767     + if ($ret == 0) {
4768     + unset($cmd_output);
4769     + $cmd_output[] = "Signing $cert_type certificate request.";
4770     + $configCa_pwd = $config['ca_pwd'];
4771     + exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
4772     + };
4773     +
4774     + # Create DER format certificate
4775     + if ($ret == 0) {
4776     + unset($cmd_output);
4777     + $cmd_output[] = "Creating DER format certificate.";
4778     + exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
4779     + };
4780     +
4781     + # Create a PKCS12 certificate file for download to Windows
4782     + if ($ret == 0) {
4783     + unset($cmd_output);
4784     + $cmd_output[] = "Creating PKCS12 format certificate.";
4785     + $configCacert_pem = $config['cacert_pem'];
4786     + $configOrganization = $config['organization'];
4787     + $configRandom = $config['random'];
4788     +
4789     + if (($_passwd) && ($_passwd != "''")) {
4790     + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
4791     + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
4792     + } else {
4793     + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
4794     + // reetp - this needs looking at
4795     + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
4796     + //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
4797     + }
4798     + };
4799    
4800     - # Wait here if another user has the database locked.
4801     - $fd = fopen($config['index'],"a");
4802     - flock($fd, LOCK_EX);
4803     -
4804     - # Get the next available serial number
4805     - $serial = trim(implode('',file($config['serial'])));
4806     -
4807     - $userkey = $config['private_dir'].'/'.$serial.'-key.pem';
4808     - $userreq = $config['req_dir'].'/'.$serial.'-req.pem';
4809     - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem';
4810     - $userder = $config['cert_dir'].'/'.$serial.'.der';
4811     - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx';
4812     -
4813     - $expiry_days = round($expiry * 365.25, 0);
4814     -
4815     - $cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize,$dns_names,$ip_addr,$serial);
4816     -
4817     - # Escape certain dangerous characters in user input
4818     - $email = escshellcmd($email);
4819     - $_passwd = escshellarg($passwd);
4820     - $friendly_name = escshellarg($common_name);
4821     - $extensions = escshellarg($cert_type.'_ext');
4822     -
4823     - # Create the certificate request
4824     - unset($cmd_output);
4825     - $cmd_output[] = 'Creating certificate request.';
4826     -
4827     - if (($_passwd) && ($_passwd != "''")) {
4828     - exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd 2>&1", $cmd_output, $ret);
4829     - }
4830     - else {
4831     - exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret);
4832     - }
4833     -
4834     - # Sign the certificate request and create the certificate
4835     - if ($ret == 0) {
4836     - unset($cmd_output);
4837     - $cmd_output[] = "Signing $cert_type certificate request.";
4838     - exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
4839     - };
4840     -
4841     - # Create DER format certificate
4842     - if ($ret == 0) {
4843     - unset($cmd_output);
4844     - $cmd_output[] = "Creating DER format certificate.";
4845     - exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
4846     - };
4847     -
4848     - # Create a PKCS12 certificate file for download to Windows
4849     - if ($ret == 0) {
4850     - unset($cmd_output);
4851     - $cmd_output[] = "Creating PKCS12 format certificate.";
4852     - if (($_passwd) && ($_passwd != "''")) {
4853     - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
4854     - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
4855     - }
4856     - else {
4857     - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
4858     - // reetp - this needs looking at
4859     - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
4860     - //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
4861     - }
4862     - };
4863     -
4864     - #Unlock the CA database
4865     - fclose($fd);
4866     -
4867     - #Remove temporary openssl config file.
4868     - if (file_exists($cnf_file)) unlink($cnf_file);
4869     -
4870     - if ($ret == 0) {
4871     - # Successful!
4872     - # Return status=true and serial number of issued certificate.
4873     - return array(true, $serial);
4874     -
4875     - }
4876     - else {
4877     - # Not successful. :-(
4878     - # Clean up our loose ends.
4879     - # Return status=false and openssl output/errors for debug.
4880     - CA_remove_cert($serial);
4881     - $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.';
4882     - return array(false, implode("<br>",$cmd_output));
4883     - }
4884     + #Unlock the CA database
4885     + fclose($fd);
4886     +
4887     + #Remove temporary openssl config file.
4888     + if (file_exists($cnf_file)) {
4889     + unlink($cnf_file);
4890     + }
4891     +
4892     + if ($ret == 0) {
4893     + # Successful!
4894     + # Return status=true and serial number of issued certificate.
4895     + return array(true, $serial);
4896     + } else {
4897     + # Not successful. :-(
4898     + # Clean up our loose ends.
4899     + # Return status=false and openssl output/errors for debug.
4900     + CA_remove_cert($serial);
4901     + $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.';
4902     + return array(false, implode("<br>", $cmd_output));
4903     + }
4904     }
4905    
4906     //
4907     // Renews a specified certificate, revoking any existing valid versions.
4908     -// Uses old certificate request to Creates a new request, and certificate
4909     +// Uses old certificate request to Creates a new request, and certificate
4910     // in various formats.
4911     //
4912     // Returns an array containing the output of failed openssl commands.
4913     //
4914     -// FIXME: Yes, I know... This functions contains much duplicative code
4915     +// FIXME: Yes, I know... This functions contains much duplicative code
4916     // from CA_create_cert(). Bleh!
4917     -//
4918     -function CA_renew_cert($old_serial,$expiry,$passwd) {
4919     - global $config;
4920     -
4921     - # Do not renew a revoked certificate if a valid one exists for this
4922     - # URL. Find and renew the valid certificate instead.
4923     - if (CAdb_is_revoked($old_serial)) {
4924     - $ret = CAdb_in(CA_cert_email($old_serial),CA_cert_cname($old_serial));
4925     - if ($ret && $old_serial != $ret) $old_serial = $ret;
4926     - }
4927     -
4928     - # Valid certificates must be revoked prior to renewal.
4929     - if (CAdb_is_valid($old_serial)) {
4930     - $ret = CA_revoke_cert($old_serial);
4931     - if (! $ret[0]) return $ret;
4932     - }
4933     -
4934     - $cert_type = CA_cert_type($old_serial);
4935     - $extensions = $cert_type.'_ext';
4936     -
4937     - # Get common_name from old certificate for use as the
4938     - # "friendly name" of PKCS12 certificate.
4939     - $rec = CAdb_get_entry($old_serial);
4940     - $country = $rec['country'];
4941     - $province = $rec['province'];
4942     - $locality = $rec['locality'];
4943     - $organization = $rec['organiztion'];
4944     - $unit = $rec['unit'];
4945     - $common_name = $rec['common_name'];
4946     - $email = $rec['email'];
4947     -
4948     - # Wait here if another user has the database locked.
4949     - $fd = fopen($config['index'],"a");
4950     - flock($fd, LOCK_EX);
4951     -
4952     - # Get the next available serial number
4953     - $serial = trim(implode('',file($config['serial'])));
4954     -
4955     - $old_userkey = $config['private_dir'].'/'.$old_serial.'-key.pem';
4956     - $old_userreq = $config['req_dir'].'/'.$old_serial.'-req.pem';
4957     - $userkey = $config['private_dir'].'/'.$serial.'-key.pem';
4958     - $userreq = $config['req_dir'].'/'.$serial.'-req.pem';
4959     - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem';
4960     - $userder = $config['cert_dir'].'/'.$serial.'.der';
4961     - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx';
4962     -
4963     - $expiry_days = round($expiry * 365.25, 0);
4964     -
4965     - $cmd_output = array();
4966     - $ret = 0;
4967     -
4968     - # Create a new certificate request by copying the old request.
4969     - if (! file_exists($old_userreq) || ! copy($old_userreq,$userreq)) {
4970     - $cmd_output[] = 'Could not create new certificate request file.';
4971     - $ret = 1;
4972     - }
4973     -
4974     - # Copy private key to new file.
4975     - if ($ret == 0 && (! file_exists($old_userkey) || ! copy($old_userkey,$userkey))) {
4976     - $cmd_output[] = "Could not update private key file.";
4977     - $ret = 1;
4978     - }
4979     -
4980     - $cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email);
4981     -
4982     - # "friendly name" of PKCS12 certificate.
4983     - $friendly_name = escshellarg($rec['common_name']);
4984     -
4985     - # Escape dangerous characters in user input.
4986     - $_passwd = escshellarg($passwd);
4987     -
4988     - # Sign the certificate request and create the certificate.
4989     - if ($ret == 0) {
4990     - unset($cmd_output);
4991     - $cmd_output[] = "Signing the $cert_type certificate request.";
4992     - exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
4993     - };
4994     -
4995     - # Create DER format certificate
4996     - if ($ret == 0) {
4997     - unset($cmd_output);
4998     - $cmd_output[] = "Creating DER format certificate.";
4999     - exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
5000     - };
5001     -
5002     - # Create a PKCS12 certificate file for download to Windows
5003     - if ($ret == 0) {
5004     - unset($cmd_output);
5005     - $cmd_output[] = "Creating PKCS12 format certificate.";
5006     - if (($_passwd) && ($_passwd != "''")) {
5007     - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
5008     - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
5009     - }
5010     - else {
5011     - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
5012     +//
5013     +function CA_renew_cert($old_serial, $expiry, $passwd)
5014     +{
5015     + global $config;
5016     +
5017     + # Do not renew a revoked certificate if a valid one exists for this
5018     + # URL. Find and renew the valid certificate instead.
5019     + if (CAdb_is_revoked($old_serial)) {
5020     + $ret = CAdb_in(CA_cert_email($old_serial), CA_cert_cname($old_serial));
5021     + if ($ret && $old_serial != $ret) {
5022     + $old_serial = $ret;
5023     + }
5024     + }
5025     +
5026     + # Valid certificates must be revoked prior to renewal.
5027     + if (CAdb_is_valid($old_serial)) {
5028     + $ret = CA_revoke_cert($old_serial);
5029     + if (! $ret[0]) {
5030     + return $ret;
5031     + }
5032     + }
5033     +
5034     + $cert_type = CA_cert_type($old_serial);
5035     + $extensions = $cert_type.'_ext';
5036     +
5037     + # Get common_name from old certificate for use as the
5038     + # "friendly name" of PKCS12 certificate.
5039     + $rec = CAdb_get_entry($old_serial);
5040     + $country = $rec['country'];
5041     + $province = $rec['province'];
5042     + $locality = $rec['locality'];
5043     + $organization = $rec['organization'];
5044     + $unit = $rec['unit'];
5045     + $common_name = $rec['common_name'];
5046     + $email = $rec['email'];
5047     +
5048     + # Wait here if another user has the database locked.
5049     + $fd = fopen($config['index'], "a");
5050     + flock($fd, LOCK_EX);
5051     +
5052     + # Get the next available serial number
5053     + $serial = trim(implode('', file($config['serial'])));
5054     +
5055     + $old_userkey = $config['private_dir'] . "$old_serial-key.pem";
5056     + $old_userreq = $config['req_dir'] . "/$old_serial-req.pem";
5057     + $userkey = $config['private_dir'] . "/$serial-key.pem";
5058     + $userreq = $config['req_dir'] . "/$serial-req.pem";
5059     + $usercert = $config['new_certs_dir'] . "/$serial.pem";
5060     + $userder = $config['cert_dir'] . "/$serial.der";
5061     + $userpfx = $config['pfx_dir'] . "/$serial.pfx";
5062     +
5063     +
5064     + $expiry_days = round($expiry * 365.25, 0);
5065     +
5066     + $cmd_output = array();
5067     + $ret = 0;
5068     +
5069     + # Create a new certificate request by copying the old request.
5070     + if (! file_exists($old_userreq) || ! copy($old_userreq, $userreq)) {
5071     + $cmd_output[] = 'Could not create new certificate request file.';
5072     + $ret = 1;
5073     + }
5074     +
5075     + # Copy private key to new file.
5076     + if ($ret == 0 && (! file_exists($old_userkey) || ! copy($old_userkey, $userkey))) {
5077     + $cmd_output[] = "Could not update private key file.";
5078     + $ret = 1;
5079     + }
5080     +
5081     + $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email);
5082     +
5083     + # "friendly name" of PKCS12 certificate.
5084     + $friendly_name = escshellarg($rec['common_name']);
5085     +
5086     + # Escape dangerous characters in user input.
5087     + $_passwd = escshellarg($passwd);
5088     +
5089     + $configCa_pwd = $config['ca_pwd'];
5090     + $configCacert_pem = $config['cacert_pem'];
5091     + $configOrganization = $config['organization'];
5092     + $configRandom = $config['random'];
5093     +
5094     + # Sign the certificate request and create the certificate.
5095     + if ($ret == 0) {
5096     + unset($cmd_output);
5097     + $cmd_output[] = "Signing the $cert_type certificate request.";
5098     + exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret);
5099     + };
5100     +
5101     + # Create DER format certificate
5102     + if ($ret == 0) {
5103     + unset($cmd_output);
5104     + $cmd_output[] = "Creating DER format certificate.";
5105     + exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
5106     + };
5107     +
5108     + # Create a PKCS12 certificate file for download to Windows
5109     + if ($ret == 0) {
5110     + unset($cmd_output);
5111     + $cmd_output[] = "Creating PKCS12 format certificate.";
5112     + if (($_passwd) && ($_passwd != "''")) {
5113     + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd";
5114     + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret);
5115     + } else {
5116     + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx";
5117     // reetp - this needs looking at
5118     - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
5119     - //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
5120     + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret);
5121     + //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret);
5122     + }
5123     + };
5124    
5125     - }
5126     - };
5127     -
5128     - #Unlock the CA database
5129     - fclose($fd);
5130     -
5131     - # https://github.com/radicand/phpki/issues/14
5132     - if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) {
5133     - $cert_type = 'email_signing';
5134     - }
5135     - if (preg_match('E-mail Protection', $certtext)) {
5136     - $cert_type = 'email';
5137     - }
5138     -
5139     - #Remove temporary openssl config file.
5140     - if (file_exists($cnf_file)) unlink($cnf_file);
5141     -
5142     - if ($ret == 0) {
5143     - return array(true, $serial);
5144     - }
5145     - else {
5146     - # Not successful, so clean up before exiting.
5147     - CA_remove_cert($serial);
5148     -
5149     - if (eregi_array('.*private key.*',$cmd_output))
5150     - $cmd_output[] = '<strong>This was likely caused by entering the wrong certificate password.</strong>';
5151     - else
5152     - $cmd_output[] = '<strong>Click on the "Help" link above for information on how to report this problem.</strong>';
5153     + #Unlock the CA database
5154     + fclose($fd);
5155     +
5156     + # https://github.com/radicand/phpki/issues/14
5157     + if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) {
5158     + $cert_type = 'email_signing';
5159     + }
5160     + if (preg_match('E-mail Protection', $certtext)) {
5161     + $cert_type = 'email';
5162     + }
5163     +
5164     + #Remove temporary openssl config file.
5165     + if (file_exists($cnf_file)) {
5166     + unlink($cnf_file);
5167     + }
5168     +
5169     + if ($ret == 0) {
5170     + return array(true, $serial);
5171     + } else {
5172     + # Not successful, so clean up before exiting.
5173     + CA_remove_cert($serial);
5174     +
5175     + if (eregi_array('.*private key.*', $cmd_output)) {
5176     + $cmd_output[] = '<strong>This was likely caused by entering the wrong certificate password.</strong>';
5177     + } else {
5178     + $cmd_output[] = '<strong>Click on the "Help" link above for information on how to report this problem.</strong>';
5179     + }
5180    
5181     - return array(false, implode('<br>',$cmd_output));
5182     - }
5183     + return array(false, implode('<br>', $cmd_output));
5184     + }
5185     }
5186    
5187     //
5188     -// Creates a new Certificate Revocation List and copies it the the approriate
5189     +// Creates a new Certificate Revocation List and copies it the the approriate
5190     // locations. Returns error messages from failed commands.
5191     //
5192     -function CA_generate_crl() {
5193     - global $config;
5194     +function CA_generate_crl()
5195     +{
5196     + global $config;
5197     +
5198     + $configOpenssl_cnf = $config['openssl_cnf'];
5199     + $configCacrl_pem = $config['cacrl_pem'];
5200     + $configCa_pwd = $config['ca_pwd'];
5201     + $configCacrl_der = $config['cacrl_der'];
5202     + $ret = 0;
5203     +
5204     + $cmd_output[] = "Generating Certificate Revocation List.";
5205     + exec(CA. " -gencrl -config '$configOpenssl_cnf' -out '$configCacrl_pem' -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret);
5206     +
5207     + if ($ret == 0) {
5208     + unset($cmd_output);
5209     + $cmd_output[] = "Creating DER format Certificate Revocation List.";
5210     + exec(CRL." -in '$configCacrl_der' -out '$configCacrl_der' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
5211     + }
5212    
5213     - $ret = 0;
5214     -
5215     - $cmd_output[] = "Generating Certificate Revocation List.";
5216     - exec(CA. " -gencrl -config '$config[openssl_cnf]' -out '$config[cacrl_pem]' -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret);
5217     -
5218     - if ($ret == 0) {
5219     - unset($cmd_output);
5220     - $cmd_output[] = "Creating DER format Certificate Revocation List.";
5221     - exec(CRL." -in '$config[cacrl_pem]' -out '$config[cacrl_der]' -inform PEM -outform DER 2>&1", $cmd_output, $ret);
5222     - }
5223     -
5224     - return array(($ret == 0 ? true : false), implode('<br>',$cmd_output));
5225     + return array(($ret == 0 ? true : false), implode('<br>', $cmd_output));
5226     }
5227    
5228     //
5229     // Removes a specified certificate from the certificate index,
5230     // and all traces of it from the file system.
5231     //
5232     -function CA_remove_cert($serial) {
5233     - global $config;
5234     -
5235     - $userreq = $config['req_dir'].'/'.$serial.'-req.pem';
5236     - $userkey = $config['private_dir'].'/'.$serial.'-key.pem';
5237     - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem';
5238     - $userder = $config['cert_dir'].'/'.$serial.'.der';
5239     - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx';
5240     -
5241     -
5242     - # Wait here if another user has the database locked.
5243     - $fd = fopen($config['index'],'a');
5244     - flock($fd, LOCK_EX);
5245     +function CA_remove_cert($serial)
5246     +{
5247     + global $config;
5248     +
5249     + $userreq = $config['req_dir'] . "/$serial-req.pem";
5250     + $userkey = $config['private_dir'] . "/$serial-key.pem";
5251     + $usercert = $config['new_certs_dir'] . "/$serial.pem";
5252     + $userder = $config['cert_dir'] . "/$serial.der";
5253     + $userpfx = $config['pfx_dir'] ."/$serial.pfx";
5254     +
5255     + $configIndex = $config['index'];
5256     +
5257     + # Wait here if another user has the database locked.
5258     + $fd = fopen($configIndex, 'a');
5259     + flock($fd, LOCK_EX);
5260     +
5261     + if (file_exists($userreq)) {
5262     + unlink($userreq);
5263     + }
5264     + if (file_exists($userkey)) {
5265     + unlink($userkey);
5266     + }
5267     + if (file_exists($usercert)) {
5268     + unlink($usercert);
5269     + }
5270     + if (file_exists($userder)) {
5271     + unlink($userder);
5272     + }
5273     + if (file_exists($userpfx)) {
5274     + unlink($userpfx);
5275     + }
5276     +
5277     + $tmpfile = $configIndex .'.tmp';
5278     + copy($configIndex, $tmpfile);
5279     +
5280     + $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$";
5281     + exec('egrep -v '.escshellarg($regexp)." $tmpfile > $configIndex 2>/dev/null");
5282    
5283     - if( file_exists($userreq)) unlink($userreq);
5284     - if( file_exists($userkey)) unlink($userkey);
5285     - if( file_exists($usercert)) unlink($usercert);
5286     - if( file_exists($userder)) unlink($userder);
5287     - if( file_exists($userpfx)) unlink($userpfx);
5288     -
5289     - $tmpfile = $config['index'].'.tmp';
5290     - copy($config['index'], $tmpfile);
5291     -
5292     - $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$";
5293     - exec('egrep -v '.escshellarg($regexp)." $tmpfile > $config[index] 2>/dev/null");
5294     -
5295     - unlink($tmpfile);
5296     - fclose($fd);
5297     -
5298     + unlink($tmpfile);
5299     + fclose($fd);
5300     }
5301    
5302     //
5303     -// Returns the likely intended use for a specified certificate
5304     +// Returns the likely intended use for a specified certificate
5305     // (email, server, vpn).
5306     //
5307     -function CA_cert_type($serial) {
5308     +function CA_cert_type($serial)
5309     +{
5310    
5311     - $certtext = CA_cert_text($serial);
5312     + $certtext = CA_cert_text($serial);
5313    
5314     - #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) {
5315     - if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtest)) {
5316     - $cert_type = 'email_codesigning';
5317     - }
5318     - #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) {
5319     - if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) {
5320     - $cert_type = 'email';
5321     - }
5322     - #elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) {
5323     - elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) {
5324     - $cert_type = 'server';
5325     - }
5326     - #elseif (ereg('timeStamping|Time Stamping', $certtext)) {
5327     - elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) {
5328     - $cert_type = 'time_stamping';
5329     - }
5330     - #elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) {
5331     - elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) {
5332     - $cert_type = 'vpn_client_server';
5333     - }
5334     - #elseif (ereg('TLS Web Client Authentication', $certtext)) {
5335     - elseif (preg_match('~TLS Web Client Authentication~', $certtext)) {
5336     - $cert_type = 'vpn_client';
5337     - }
5338     - #elseif (ereg('TLS Web Server Authentication', $certtext)) {
5339     - elseif (preg_match('~TLS Web Server Authentication~', $certtext)) {
5340     - $cert_type = 'vpn_server';
5341     - }
5342     - else {
5343     - $cert_type = 'vpn_client_server';
5344     - }
5345     -
5346     - return $cert_type;
5347     -}
5348     -
5349     -function CA_get_root_pem() {
5350     - global $config;
5351     - return(file_get_contents($config['cacert_pem']));
5352     + #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) {
5353     + if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtest)) {
5354     + $cert_type = 'email_codesigning';
5355     + }
5356     + #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) {
5357     + if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) {
5358     + $cert_type = 'email';
5359     + } #elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) {
5360     + elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) {
5361     + $cert_type = 'server';
5362     + } #elseif (ereg('timeStamping|Time Stamping', $certtext)) {
5363     + elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) {
5364     + $cert_type = 'time_stamping';
5365     + } #elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) {
5366     + elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) {
5367     + $cert_type = 'vpn_client_server';
5368     + } #elseif (ereg('TLS Web Client Authentication', $certtext)) {
5369     + elseif (preg_match('~TLS Web Client Authentication~', $certtext)) {
5370     + $cert_type = 'vpn_client';
5371     + } #elseif (ereg('TLS Web Server Authentication', $certtext)) {
5372     + elseif (preg_match('~TLS Web Server Authentication~', $certtext)) {
5373     + $cert_type = 'vpn_server';
5374     + } else {
5375     + $cert_type = 'vpn_client_server';
5376     + }
5377     +
5378     + return $cert_type;
5379     +}
5380     +
5381     +function CA_get_root_pem()
5382     +{
5383     + global $config;
5384     + return(file_get_contents($config['cacert_pem']));
5385     }
5386     -
5387     -?>
5388     diff -ruN phpki-ng.old/phpki-ng-0.84/main.php phpki-ng/phpki-ng-0.84/main.php
5389     --- phpki-ng.old/phpki-ng-0.84/main.php 2020-04-02 14:22:47.000000000 +0200
5390     +++ phpki-ng/phpki-ng-0.84/main.php 2021-03-07 19:33:03.079323832 +0100
5391     @@ -8,72 +8,66 @@
5392    
5393     $stage = gpvar('stage');
5394    
5395     -switch($stage) {
5396     +switch ($stage) {
5397     + case 'dl_root':
5398     + upload($config['cacert_pem'], $config['ca_prefix'] . "cacert.crt", 'application/x-x509-ca-cert');
5399     + break;
5400     +
5401     + case 'display_root':
5402     + printHeader('public');
5403     +
5404     + ?>
5405     + <center><h2>Root Certificate (PEM Encoded)</h2></center>
5406     + <p><pre><?php echo CA_get_root_pem() ?></pre></p>
5407     + <p>
5408     + <form action="<?php echo $PHP_SELF?>" method="post">
5409     + <input type=submit name=submit value="Back to Menu">
5410     + </form>
5411     + <?php
5412     + break;
5413     +
5414     + case 'dl_crl':
5415     + upload($config['cacrl_der'], $config['ca_prefix'] . "cacrl.crl", 'application/pkix-crl');
5416     + break;
5417     +
5418     + case 'dl_crl_pem':
5419     + upload($config['cacrl_pem'], $config['ca_prefix'] . "cacrl.crl", 'application/octet-stream');
5420     + break;
5421     +
5422     + default:
5423     + printHeader('public');
5424     +
5425     + ?>
5426     + <br>
5427     + <br>
5428     + <center>
5429     + <table class=menu width=500><th class=menu colspan=2><big>PUBLIC CONTENT MENU<big></th>
5430     + <tr>
5431     + <td style="text-align: center; vertical-align: middle; font-weight: bold;" width=35%> <a href=search.php>Search for a Certificate</a></td>
5432     + <td>Find a digital certificate to download and install in your e-mail or browser application.</td>
5433     + </tr>
5434     +
5435     + <tr>
5436     + <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=dl_root>Download Our Root Certificate</a> </td>
5437     + <td>You must install our "Root" certificate before you can use any of the certificates issued here. <a href=help.php target=_help>Read the online help</a> to learn more about this.</td>
5438     + </tr>
5439     +
5440     + <tr>
5441     + <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td>
5442     + <td>This option provides the "Root" certificate PEM encoded text for advanced users to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a> to learn more about this.</td>
5443     +
5444     + <tr>
5445     + <td style="text-align: center; vertical-align: middle; font-weight: bold;"> <a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
5446     + <td>The official list of certificates revoked by this site. Installation and use of this list is optional. Some e-mail programs will reference this list automagically. (<a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td>
5447     + </tr>
5448     + </table>
5449     + </center>
5450     + <br>
5451     + <br>
5452    
5453     -case 'dl_root':
5454     - upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
5455     - break;
5456     -
5457     -case 'display_root':
5458     - printHeader('public');
5459     -
5460     - ?>
5461     - <center><h2>Root Certificate (PEM Encoded)</h2></center>
5462     - <p>
5463     - <pre><?php echo CA_get_root_pem() ?></pre>
5464     - <p>
5465     - <form action="<?php echo $PHP_SELF?>" method="post">
5466     - <input type=submit name=submit value="Back to Menu">
5467     - </form>
5468     - <?php
5469     - break;
5470     -
5471     -case 'dl_crl':
5472     - upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
5473     - break;
5474     -
5475     -case 'dl_crl_pem':
5476     - upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
5477     - break;
5478     -
5479     -default:
5480     - printHeader('public');
5481     -
5482     - ?>
5483     - <br>
5484     - <br>
5485     - <center>
5486     - <table class=menu width=500><th class=menu colspan=2><big>PUBLIC CONTENT MENU<big></th>
5487     -
5488     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=35%>
5489     - <a href=search.php>Search for a Certificate</a></td>
5490     - <td>Find a digital certificate to download and install in your e-mail or browser application.</td></tr>
5491     -
5492     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
5493     - <a href=<?php echo $PHP_SELF?>?stage=dl_root>Download Our Root Certificate</a></td>
5494     - <td>You must install our "Root" certificate before you can use any of the
5495     - certificates issued here. <a href=help.php target=_help>Read the online help</a>
5496     - to learn more about this.</td></tr>
5497     -
5498     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
5499     - <a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td>
5500     - <td>This option provides the "Root" certificate PEM encoded text for advanced users
5501     - to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a>
5502     - to learn more about this.</td>
5503     -
5504     - <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
5505     -
5506     - <a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
5507     - <td>The official list of certificates revoked by this site. Installation and use of
5508     - this list is optional. Some e-mail programs will reference this list automagically.
5509     - (<a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td></tr>
5510     -
5511     - </table>
5512     - </center>
5513     - <br><br>
5514     - <?php
5515     + <?php
5516    
5517     - printFooter();
5518     + printFooter();
5519     }
5520    
5521     ?>
5522     diff -ruN phpki-ng.old/phpki-ng-0.84/ns_revoke_query.php phpki-ng/phpki-ng-0.84/ns_revoke_query.php
5523     --- phpki-ng.old/phpki-ng-0.84/ns_revoke_query.php 2020-04-02 14:22:47.000000000 +0200
5524     +++ phpki-ng/phpki-ng-0.84/ns_revoke_query.php 2021-03-07 19:33:03.080323846 +0100
5525     @@ -7,10 +7,10 @@
5526     #
5527     # PROTOCOL:
5528     # The client should issue an HTTP GET request using a URL that is
5529     -# the concatenation of the revocation url and certificate serial
5530     +# the concatenation of the revocation url and certificate serial
5531     # number. (i.e. http://www.host.dom/phpki/ns_revoke_query.php?10A5F2)
5532     #
5533     -# The server should return a document of type
5534     +# The server should return a document of type
5535     # application/x-netscape-revocation containing a single character
5536     # '1' if the certificate is revoked, '0' if it is valid.
5537     #
5538     @@ -23,9 +23,10 @@
5539     # old Reg Ex doesnt work, new should do the work
5540     #$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$";
5541     $regexp = "^R.*$serial.*$";
5542     +$configIndex = $config['index'];
5543    
5544     -if (exec("egrep '$regexp' $config[index]"))
5545     - print '1';
5546     -else
5547     - print '0';
5548     -?>
5549     +if (exec("egrep '$regexp' '$configIndex'")) {
5550     + print '1';
5551     +} else {
5552     + print '0';
5553     +}
5554     diff -ruN phpki-ng.old/phpki-ng-0.84/policy.html phpki-ng/phpki-ng-0.84/policy.html
5555     --- phpki-ng.old/phpki-ng-0.84/policy.html 2020-04-02 14:22:47.000000000 +0200
5556     +++ phpki-ng/phpki-ng-0.84/policy.html 2021-03-07 19:33:03.080323846 +0100
5557     @@ -1,14 +1,15 @@
5558     +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
5559     +
5560     <html>
5561     <head>
5562     -<title>Certificate Authority Issuer's Statement</title>
5563     + <title>Certificate Authority Issuer's Statement</title>
5564     </head>
5565     +
5566     <body>
5567     -<h1 align=center>Certificate Authority Issuer's Statement</h2>
5568     -<p>
5569     -This is a private Limited Liability certificate authority for use by member
5570     -non-profit agencies.
5571     -<p>
5572     -Certificate non-repudiation is achieved via identity verification by password
5573     -authorized certificate managers from each member agency.
5574     + <h1 align="center">Certificate Authority Issuer's Statement</h1>
5575     +
5576     + <p>This is a private Limited Liability certificate authority for use by member non-profit agencies.</p>
5577     +
5578     + <p>Certificate non-repudiation is achieved via identity verification by password authorized certificate managers from each member agency.</p>
5579     </body>
5580     </html>
5581     diff -ruN phpki-ng.old/phpki-ng-0.84/readme.php phpki-ng/phpki-ng-0.84/readme.php
5582     --- phpki-ng.old/phpki-ng-0.84/readme.php 2020-04-02 14:22:47.000000000 +0200
5583     +++ phpki-ng/phpki-ng-0.84/readme.php 2021-03-07 19:33:03.081323860 +0100
5584     @@ -10,4 +10,3 @@
5585     readfile('./README.md');
5586     print '</pre>';
5587     printFooter();
5588     -?>
5589     diff -ruN phpki-ng.old/phpki-ng-0.84/search.php phpki-ng/phpki-ng-0.84/search.php
5590     --- phpki-ng.old/phpki-ng-0.84/search.php 2020-04-02 14:22:47.000000000 +0200
5591     +++ phpki-ng/phpki-ng-0.84/search.php 2021-03-07 19:33:03.081323860 +0100
5592     @@ -15,132 +15,137 @@
5593     $show_expired = gpvar('show_expired');
5594    
5595     # Force stage back to search form if search string is empty.
5596     -if ($stage == "search" && ! $search) $stage = "";
5597     +if ($stage == "search" && ! $search) {
5598     + $stage = "";
5599     +}
5600    
5601     # Force filter to (V)alid certs if no search status is selected.
5602     -if ( !($show_valid.$show_revoked.$show_expired) ) $show_valid = 'V';
5603     +if (!($show_valid.$show_revoked.$show_expired)) {
5604     + $show_valid = 'V';
5605     +}
5606    
5607     switch ($stage) {
5608     -case 'display':
5609     - printHeader('about');
5610     + case 'display':
5611     + printHeader('about');
5612     +
5613     + print '
5614     + <center><h2>Certificate Details</h2></center>
5615     + <center><font color=#0000AA><h3>(#'.htvar($serial).')<br>'.htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>').'</h3></font></center>';
5616    
5617     - print '
5618     - <center><h2>Certificate Details</h2></center>
5619     - <center><font color=#0000AA><h3>(#'.htvar($serial).')<br>'.htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>').'</h3></font></center>';
5620     -
5621     - if ($revoke_date = CAdb_is_revoked($serial))
5622     - print '<center><font color=red><h2>REVOKED '.htvar($revoke_date).'</h2></font></center>';
5623     -
5624     - print '<pre>'.htvar(CA_cert_text($serial)).'</pre>';
5625     - break;
5626     -
5627     -case 'download':
5628     - $rec = CAdb_get_entry($serial);
5629     - upload("$config[cert_dir]/$serial.der", "$rec[common_name].cer", 'application/pkix-cert');
5630     + if ($revoke_date = CAdb_is_revoked($serial)) {
5631     + print '<center><font color=red><h2>REVOKED '.htvar($revoke_date).'</h2></font></center>';
5632     + }
5633     +
5634     + print '<pre>'.htvar(CA_cert_text($serial)).'</pre>';
5635     break;
5636    
5637     -case 'download_pem':
5638     - $rec = CAdb_get_entry($serial);
5639     - upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name].pem", 'application/pkix-cert');
5640     - break;
5641     -
5642     -case 'search':
5643     - printHeader('public');
5644     -
5645     - $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search");
5646     -
5647     - print '<body onLoad="self.focus();document.form.submit.focus()">';
5648     - if (sizeof($db) == 0) {
5649     - ?>
5650     - <center>
5651     - <h2>Nothing Found</h2>
5652     - <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
5653     - <input type=hidden name=search value="<?php echo htvar($search)?>">
5654     - <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
5655     - <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
5656     - <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
5657     - <input type=submit name=submit value="Go Back">
5658     - </form>
5659     - </center>
5660     - <?php
5661     - printFooter();
5662     - break;
5663     - }
5664     + case 'download':
5665     + $rec = CAdb_get_entry($serial);
5666     + upload($config['cert_dir'] . "/$serial.der", $rec['common_name'] . ".cer", 'application/pkix-cert');
5667     + break;
5668    
5669     - print '<table>';
5670     - print '<th colspan=9><big>CERTIFICATE SEARCH RESULTS</big></th>';
5671     + case 'download_pem':
5672     + $rec = CAdb_get_entry($serial);
5673     + upload($config['new_certs_dir'] . "/$serial.pem", $rec['common_name'] . ".pem", 'application/pkix-cert');
5674     + break;
5675     +
5676     + case 'search':
5677     + printHeader('public');
5678     +
5679     + $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search");
5680     +
5681     + print '<body onLoad="self.focus();document.form.submit.focus()">';
5682     + if (sizeof($db) == 0) {
5683     + ?>
5684     + <center>
5685     + <h2>Nothing Found</h2>
5686     + <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
5687     + <input type=hidden name=search value="<?php echo htvar($search)?>">
5688     + <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
5689     + <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
5690     + <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
5691     + <input type=submit name=submit value="Go Back">
5692     + </form>
5693     + </center>
5694     + <?php
5695     + printFooter();
5696     + break;
5697     + }
5698     +
5699     + print '<table>';
5700     + print '<th colspan=9><big>CERTIFICATE SEARCH RESULTS</big></th>';
5701    
5702     $headings = array(
5703     status=>"Status", issued=>"Issued", expires=>"Expires",
5704     common_name=>"User's Name", email=>"E-mail",
5705     organization=>"Organization", unit=>"Department",
5706     locality=>"Locality", province=>"State"
5707     - );
5708     + );
5709     +
5710     + print '<tr>';
5711     + foreach ($headings as $field => $head) {
5712     + print '<th>'.htvar($head). '</th>';
5713     + }
5714     + print '</tr>';
5715     +
5716     + foreach ($db as $rec) {
5717     + $stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange');
5718    
5719     - print '<tr>';
5720     - foreach($headings as $field=>$head) {
5721     - print '<th>'.htvar($head). '</th>';
5722     + ?>
5723     + <tr style="font-size: 11px;">
5724     + <td style="color: <?php echo $stcolor[$rec['status']]?>; font-weight: bold"><?php echo htvar($rec['status'])?></td>
5725     + <td style="white-space: nowrap"><?php echo htvar($rec['issued'])?></td>
5726     + <td style="white-space: nowrap"><?php echo htvar($rec['expires'])?></td>
5727     + <td><?php echo htvar($rec['common_name'])?></td>
5728     + <td style="white-space: nowrap"><a href="mailto: <?php echo htvar($rec['common_name']).'<'.htvar($rec['email']).'>' ?> "> <?php echo htvar($rec['email'])?></a></td>
5729     + <td><?php echo htvar($rec['organization'])?></td>
5730     + <td><?php echo htvar($rec['unit'])?></td>
5731     + <td><?php echo htvar($rec['locality'])?></td>
5732     + <td><?php echo htvar($rec['province'])?></td>
5733     + <td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?> ?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
5734     + <?php
5735     + if ($rec['status'] != 'Revoked') {
5736     + ?>
5737     + <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download&serial=<?php echo htvar($rec['serial'])?>"><img src=images/download.png alt="Download" title="Download the certificate so that you may send encrypted e-mail"></a>
5738     + <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download_pem&serial=<?=htvar($rec['serial'])?>"><img src=images/download.png alt="Download (in PEM format)" title="Download in PEM format"></a>
5739     + <?php
5740     }
5741     - print '</tr>';
5742     + print '</td></tr>';
5743     + }
5744     +
5745     + ?>
5746     + </table>
5747     +
5748     + <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
5749     + <input type=submit name=submit value="Another Search">
5750     + <input type=hidden name=search value="<?php echo htvar($search)?>">
5751     + <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
5752     + <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
5753     + <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
5754     + </form>
5755     + <?php
5756     +
5757     + printFooter();
5758     + break;
5759    
5760     - foreach($db as $rec) {
5761     - $stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange');
5762     + default:
5763     + printHeader('public');
5764    
5765     - ?>
5766     - <tr style="font-size: 11px;">
5767     - <td style="color: <?php echo $stcolor[$rec['status']]?>; font-weight: bold"><?php echo htvar($rec['status'])?></td>
5768     - <td style="white-space: nowrap"><?php echo htvar($rec['issued'])?></td>
5769     - <td style="white-space: nowrap"><?php echo htvar($rec['expires'])?></td>
5770     - <td><?php echo htvar($rec['common_name'])?></td>
5771     - <td style="white-space: nowrap"><a href="mailto: <?php echo htvar($rec['common_name']).'<'.htvar($rec['email']).'>' ?> "> <?php echo htvar($rec['email'])?></a></td>
5772     - <td><?php echo htvar($rec['organization'])?></td>
5773     - <td><?php echo htvar($rec['unit'])?></td>
5774     - <td><?php echo htvar($rec['locality'])?></td>
5775     - <td><?php echo htvar($rec['province'])?></td>
5776     - <td><a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?> ?stage=display&serial=<?php echo htvar($rec['serial'])?>" target=_certdisp><img src=images/display.png alt="Display" title="Display the certificate in excruciating detail"></a>
5777     - <?php
5778     - if ($rec['status'] != 'Revoked') {
5779     - ?>
5780     - <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download&serial=<?php echo htvar($rec['serial'])?>"><img src=images/download.png alt="Download" title="Download the certificate so that you may send encrypted e-mail"></a>
5781     - <a href="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>?stage=download_pem&serial=<?=htvar($rec['serial'])?>"><img src=images/download.png alt="Download (in PEM format)" title="Download in PEM format"></a>
5782     - <?php
5783     - }
5784     - print '</td></tr>';
5785     - }
5786     -
5787     - ?>
5788     - </table>
5789     -
5790     - <form action="<?php echo htmlentities($_SERVER['SCRIPT_NAME'])?>" method="post" name="form">
5791     - <input type=submit name=submit value="Another Search">
5792     - <input type=hidden name=search value="<?php echo htvar($search)?>">
5793     - <input type=hidden name=show_valid value="<?php echo htvar($show_valid)?>">
5794     - <input type=hidden name=show_revoked value="<?php echo htvar($show_revoked)?>">
5795     - <input type=hidden name=show_expired value="<?php echo htvar($show_expired)?>">
5796     - </form>
5797     - <?php
5798     -
5799     - printFooter();
5800     - break;
5801     -
5802     -default:
5803     - printHeader('public');
5804     -
5805     - ?>
5806     - <body onLoad="self.focus();document.search.search.focus();">
5807     - <center><h2>Certificate Search</h2>
5808     - <form action="<?php echo $PHP_SELF?>" method="post" name="search">
5809     - <input type=text name=search value="<?php echo htvar($search)?>" maxlength=60 size=40>
5810     - <input type=submit name=submit value="Find It!"><br>
5811     - <input type=checkbox name=show_valid value="V" <?php echo ($show_valid?'checked':'')?>>Valid
5812     - &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_revoked value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
5813     - &nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_expired value="E" <?php echo ($show_expired?'checked':'')?>>Expired
5814     - <input type=hidden name=stage value=search>
5815     - </form></center>
5816     -
5817     - <br><br>
5818     - <?php
5819     - printFooter();
5820     + ?>
5821     + <body onLoad="self.focus();document.search.search.focus();">
5822     + <center><h2>Certificate Search</h2>
5823     + <form action="<?php echo $PHP_SELF?>" method="post" name="search">
5824     + <input type=text name=search value="<?php echo htvar($search)?>" maxlength=60 size=40>
5825     + <input type=submit name=submit value="Find It!"><br>
5826     + <input type=checkbox name=show_valid value="V" <?php echo ($show_valid?'checked':'')?>>Valid
5827     + &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_revoked value="R" <?php echo ($show_revoked?'checked':'')?>>Revoked
5828     + &nbsp;&nbsp;&nbsp;&nbsp;<input type=checkbox name=show_expired value="E" <?php echo ($show_expired?'checked':'')?>>Expired
5829     + <input type=hidden name=stage value=search>
5830     + </form></center>
5831     +
5832     + <br><br>
5833     + <?php
5834     + printFooter();
5835     }
5836    
5837     ?>
5838     diff -ruN phpki-ng.old/phpki-ng-0.84/setup.php-presetup phpki-ng/phpki-ng-0.84/setup.php-presetup
5839     --- phpki-ng.old/phpki-ng-0.84/setup.php-presetup 2020-04-02 14:22:47.000000000 +0200
5840     +++ phpki-ng/phpki-ng-0.84/setup.php-presetup 2021-03-07 19:33:03.084323905 +0100
5841     @@ -3,27 +3,27 @@
5842     include('./include/my_functions.php');
5843     include('./include/common.php');
5844    
5845     -function flush_exec($command, $line_length=200) {
5846     - $handle = popen("$command 2>&1",'r');
5847     +function flush_exec($command, $line_length = 200)
5848     +{
5849     + $handle = popen("$command 2>&1", 'r');
5850    
5851     $line = '';
5852     - while (! feof($handle)) {
5853     - $chr = fread($handle, 1);
5854     - $line .= $chr;
5855     - if ($chr == "\n") {
5856     - print str_replace("\n", "<br>\n", $line);
5857     - $line = '';
5858     - flush();
5859     - }
5860     - elseif (strlen($line) > $line_length) {
5861     - print $line."<br>\n";
5862     - $line = '';
5863     - flush();
5864     - }
5865     + while (! feof($handle)) {
5866     + $chr = fread($handle, 1);
5867     + $line .= $chr;
5868     + if ($chr == "\n") {
5869     + print str_replace("\n", "<br>\n", $line);
5870     + $line = '';
5871     + flush();
5872     + } elseif (strlen($line) > $line_length) {
5873     + print $line."<br>\n";
5874     + $line = '';
5875     + flush();
5876     }
5877     + }
5878     print $line."<br>\n";
5879     - flush();
5880     - return;
5881     + flush();
5882     + return;
5883     }
5884    
5885     $version = PHPKI_VERSION;
5886     @@ -69,7 +69,9 @@
5887     $header_title = gpvar('header_title');
5888     $store_dir = gpvar('store_dir');
5889    
5890     -if ($base_url && substr($base_url,-1) != '/') $base_url .= '/';
5891     +if ($base_url && substr($base_url, -1) != '/') {
5892     + $base_url .= '/';
5893     +}
5894    
5895     $hidden_fields = '
5896     <input type=hidden name=country value="' . htvar($country) . '">
5897     @@ -101,62 +103,99 @@
5898     ';
5899    
5900     switch ($stage) {
5901     -case 'validate':
5902     - $er = '';
5903     + case 'validate':
5904     + $er = '';
5905     +
5906     + if (! $country) {
5907     + $er .= 'Missing Country<br>';
5908     + }
5909     + if (! $province) {
5910     + $er .= 'Missing State/Province<br>';
5911     + }
5912     + if (! $locality) {
5913     + $er .= 'Missing Locality<br>';
5914     + }
5915     + if (! $organization) {
5916     + $er .= 'Missing Organization<br>';
5917     + }
5918     + if (! $unit) {
5919     + $er .= 'Missing Unit/Department<br>';
5920     + }
5921     + if (! $contact) {
5922     + $er .= 'Missing Contact E-mail Address<br>';
5923     + }
5924     + if (! $common_name) {
5925     + $er .= 'Missing Common Name<br>';
5926     + }
5927     + if (! $passwd) {
5928     + $er .= 'Missing Certificate Password<br>';
5929     + }
5930     + if (! $passwdv) {
5931     + $er .= 'Missing Certificate Password Verification "Again"<br>';
5932     + }
5933     + if (! $header_title) {
5934     + $er .= 'Missing Header Title<br>';
5935     + }
5936     + if (! $passwd_file) {
5937     + $er .= 'Missing User Password File Location';
5938     + }
5939     + if (! $store_dir) {
5940     + $er .= 'Missing Storage Directory<br>';
5941     + }
5942    
5943     - if (! $country) $er .= 'Missing Country<br>';
5944     - if (! $province) $er .= 'Missing State/Province<br>';
5945     - if (! $locality) $er .= 'Missing Locality<br>';
5946     - if (! $organization) $er .= 'Missing Organization<br>';
5947     - if (! $unit) $er .= 'Missing Unit/Department<br>';
5948     - if (! $contact) $er .= 'Missing Contact E-mail Address<br>';
5949     - if (! $common_name) $er .= 'Missing Common Name<br>';
5950     - if (! $passwd) $er .= 'Missing Certificate Password<br>';
5951     - if (! $passwdv) $er .= 'Missing Certificate Password Verification "Again"<br>';
5952     - if (! $header_title) $er .= 'Missing Header Title<br>';
5953     - if (! $passwd_file) $er .= 'Missing User Password File Location';
5954     - if (! $store_dir) $er .= 'Missing Storage Directory<br>';
5955     -
5956     - $countrycode = strtoupper($country);
5957     -
5958     - if (! preg_match("/\b[A-Z][A-Z]\b/", $countrycode, $match) ) {
5959     - $er .= 'Country Code must be ISO 3166 two letters <br>';
5960     - }
5961     -
5962     - if ( $passwd && strlen($passwd) < 8 )
5963     - $er .= 'Certificate password is too short.<br>';
5964     + $countrycode = strtoupper($country);
5965     +
5966     + if (! preg_match("/\b[A-Z][A-Z]\b/", $countrycode, $match)) {
5967     + $er .= 'Country Code must be ISO 3166 two letters <br>';
5968     + }
5969    
5970     - if ( $passwd and $passwd != $passwdv )
5971     - $er .= 'Password and password verification do not match.<br>';
5972     + if ($passwd && strlen($passwd) < 8) {
5973     + $er .= 'Certificate password is too short.<br>';
5974     + }
5975     +
5976     + if ($passwd and $passwd != $passwdv) {
5977     + $er .= 'Password and password verification do not match.<br>';
5978     + }
5979    
5980     - if ( $contact && ! is_email($contact) )
5981     + if ($contact && ! is_email($contact)) {
5982     $er .= 'E-mail address ('. htvar($contact) . ') may be invalid.<br>';
5983     + }
5984    
5985     - if (strpos($store_dir,$_SERVER['DOCUMENT_ROOT']) === 0)
5986     - $er .= 'Store directory must exist somewhere outside of DOCUMENT_ROOT ('.$_SERVER['DOCUMENT_ROOT'].').<br>';
5987     + if (strpos($store_dir, $_SERVER['DOCUMENT_ROOT']) === 0) {
5988     + $er .= 'Store directory must exist somewhere outside of DOCUMENT_ROOT ('.$_SERVER['DOCUMENT_ROOT'].').<br>';
5989     + }
5990    
5991     - if (strpos($store_dir,dirname($_SERVER['SCRIPT_FILENAME'])) === 0)
5992     - $er .= 'Store directory cannot exist within the PHPki installation directory ('.dirname($_SERVER['SCRIPT_FILENAME']).').<br>';
5993     + if (strpos($store_dir, dirname($_SERVER['SCRIPT_FILENAME'])) === 0) {
5994     + $er .= 'Store directory cannot exist within the PHPki installation directory ('.dirname($_SERVER['SCRIPT_FILENAME']).').<br>';
5995     + }
5996    
5997     - if (! $er) {
5998     - if (! file_exists($store_dir) ) {
5999     - if ( ! mkdir("$store_dir",$store_perms)) $er .= "Could not create the store directory \"$store_dir\"<br>";
6000     - }
6001     -
6002     - if (file_exists($store_dir)) {
6003     - if (! chmod($store_dir, $store_perms)) $er .= "Could not change permissions on the store directory \"$store_dir\"<br>";
6004     - if (! is_readable($store_dir)) $er .= "The store directory \"$store_dir\" is not readable by the web server user \"$uname\"<br>";
6005     - if (! is_writeable($store_dir)) $er .= "The store directory \"$store_dir\: is not writeable by the web server user \"$uname\"<br>";
6006     - }
6007     - else {
6008     - $er .= "Store directory \"$store_dir\" does not exist. You will have to manually create it as desribed in the setup form.<br>";
6009     - }
6010     - }
6011     + if (! $er) {
6012     + if (! file_exists($store_dir)) {
6013     + if (! mkdir("$store_dir", $store_perms)) {
6014     + $er .= "Could not create the store directory \"$store_dir\"<br>";
6015     + }
6016     + }
6017    
6018     - if ( $er )
6019     + if (file_exists($store_dir)) {
6020     + if (! chmod($store_dir, $store_perms)) {
6021     + $er .= "Could not change permissions on the store directory \"$store_dir\"<br>";
6022     + }
6023     + if (! is_readable($store_dir)) {
6024     + $er .= "The store directory \"$store_dir\" is not readable by the web server user \"$uname\"<br>";
6025     + }
6026     + if (! is_writeable($store_dir)) {
6027     + $er .= "The store directory \"$store_dir\: is not writeable by the web server user \"$uname\"<br>";
6028     + }
6029     + } else {
6030     + $er .= "Store directory \"$store_dir\" does not exist. You will have to manually create it as desribed in the setup form.<br>";
6031     + }
6032     + }
6033     +
6034     + if ($er) {
6035     $er = '<h2>ERROR(S) IN FORM:</h2><h4><blockquote>' . $er . '</blockquote></h4>';
6036     + }
6037    
6038     - if ($er) {
6039     + if ($er) {
6040     printHeader('setup');
6041     ?>
6042    
6043     @@ -171,95 +210,112 @@
6044    
6045     printFooter();
6046     break;
6047     - }
6048     + }
6049    
6050     -case 'write':
6051     -
6052     - printHeader('about');
6053     -
6054     - #
6055     - #Create the file store directory structure.
6056     - #
6057     -
6058     - print '<strong>Creating PHPki file store...</strong><br>';
6059     - flush();
6060     -
6061     - if (! file_exists("$store_dir/config")) mkdir("$store_dir/config",$store_perms);
6062     - if (! file_exists("$store_dir/tmp")) mkdir("$store_dir/tmp",$store_perms);
6063     - if (! file_exists("$store_dir/CA")) mkdir("$store_dir/CA",$store_perms);
6064     - if (! file_exists("$store_dir/CA/certs")) mkdir("$store_dir/CA/certs",$store_perms);
6065     - if (! file_exists("$store_dir/CA/private")) mkdir("$store_dir/CA/private",$store_perms);
6066     - if (! file_exists("$store_dir/CA/newcerts")) mkdir("$store_dir/CA/newcerts",$store_perms);
6067     - if (! file_exists("$store_dir/CA/requests")) mkdir("$store_dir/CA/requests",$store_perms);
6068     - if (! file_exists("$store_dir/CA/crl")) mkdir("$store_dir/CA/crl",$store_perms);
6069     - if (! file_exists("$store_dir/CA/pfx")) mkdir("$store_dir/CA/pfx",$store_perms);
6070     -
6071     -
6072     - #
6073     - # Create the PHPki CA configuration.
6074     - #
6075     - print '<strong>Writing configuration files...</strong><br>';
6076     - flush();
6077     + case 'write':
6078     + printHeader('about');
6079     +
6080     + #
6081     + #Create the file store directory structure.
6082     + #
6083     +
6084     + print '<strong>Creating PHPki file store...</strong><br>';
6085     + flush();
6086    
6087     - $config_main_txt = <<<EOS
6088     + if (! file_exists("$store_dir/config")) {
6089     + mkdir("$store_dir/config", $store_perms);
6090     + }
6091     + if (! file_exists("$store_dir/tmp")) {
6092     + mkdir("$store_dir/tmp", $store_perms);
6093     + }
6094     + if (! file_exists("$store_dir/CA")) {
6095     + mkdir("$store_dir/CA", $store_perms);
6096     + }
6097     + if (! file_exists("$store_dir/CA/certs")) {
6098     + mkdir("$store_dir/CA/certs", $store_perms);
6099     + }
6100     + if (! file_exists("$store_dir/CA/private")) {
6101     + mkdir("$store_dir/CA/private", $store_perms);
6102     + }
6103     + if (! file_exists("$store_dir/CA/newcerts")) {
6104     + mkdir("$store_dir/CA/newcerts", $store_perms);
6105     + }
6106     + if (! file_exists("$store_dir/CA/requests")) {
6107     + mkdir("$store_dir/CA/requests", $store_perms);
6108     + }
6109     + if (! file_exists("$store_dir/CA/crl")) {
6110     + mkdir("$store_dir/CA/crl", $store_perms);
6111     + }
6112     + if (! file_exists("$store_dir/CA/pfx")) {
6113     + mkdir("$store_dir/CA/pfx", $store_perms);
6114     + }
6115     +
6116     +
6117     + #
6118     + # Create the PHPki CA configuration.
6119     + #
6120     + print '<strong>Writing configuration files...</strong><br>';
6121     + flush();
6122     +
6123     + $config_main_txt = <<<EOS
6124     <?php
6125     # PHPki CONFIGURATION FILE
6126     # Automatically generated by PHPki. Edit at your own peril.
6127     #
6128     -\$config['organization'] = '$organization';
6129     -\$config['unit'] = '$unit';
6130     -\$config['contact'] = '$contact';
6131     -\$config['locality'] = '$locality';
6132     -\$config['province'] = '$province';
6133     -\$config['country'] = '$country';
6134     -\$config['common_name'] = '$common_name';
6135     +\$config['organization'] = '$organization';
6136     +\$config['unit'] = '$unit';
6137     +\$config['contact'] = '$contact';
6138     +\$config['locality'] = '$locality';
6139     +\$config['province'] = '$province';
6140     +\$config['country'] = '$country';
6141     +\$config['common_name'] = '$common_name';
6142    
6143     # Store Directory
6144     -\$config['store_dir'] = '$store_dir';
6145     +\$config['store_dir'] = '$store_dir';
6146    
6147     # Location HTTP Password File
6148     -\$config['passwd_file'] = '$passwd_file';
6149     +\$config['passwd_file'] = '$passwd_file';
6150    
6151     # Password for CA root certificate.
6152     -\$config['ca_pwd'] = '$passwd';
6153     +\$config['ca_pwd'] = '$passwd';
6154    
6155     # Number of years the root certificate is good.
6156     -\$config['expiry'] = '$expiry';
6157     +\$config['expiry'] = '$expiry';
6158    
6159     # CA certificate key size
6160     -\$config['keysize'] = '$keysize';
6161     +\$config['keysize'] = '$keysize';
6162    
6163     # This is superimposed over the PHPki logo on each page.
6164     -\$config['header_title'] = '$header_title';
6165     +\$config['header_title'] = '$header_title';
6166    
6167     # String to prefix cer and crl uploads
6168     -\$config['ca_prefix'] = '$ca_prefix';
6169     +\$config['ca_prefix'] = '$ca_prefix';
6170    
6171     # Location of your OpenSSL binary.
6172     -\$config['openssl_bin'] = '$openssl_bin';
6173     +\$config['openssl_bin'] = '$openssl_bin';
6174    
6175     # Base URL
6176     -\$config['base_url'] = '$base_url';
6177     +\$config['base_url'] = '$base_url';
6178    
6179     # CRL Distribution points path
6180     -\$config['crl_distrib'] = '$crl_distrib';
6181     +\$config['crl_distrib'] = '$crl_distrib';
6182    
6183     # Certificate Revocation URL
6184     -\$config['revoke_url'] = '$revoke_url';
6185     +\$config['revoke_url'] = '$revoke_url';
6186    
6187     # Certificate Authority Policy URL
6188     -\$config['policy_url'] = '$policy_url';
6189     +\$config['policy_url'] = '$policy_url';
6190    
6191     # Certificate Comment Fields
6192     \$config['comment_root'] = '$comment_root';
6193     -\$config['comment_email'] = '$comment_email';
6194     +\$config['comment_email'] = '$comment_email';
6195     \$config['comment_sign'] = '$comment_sign';
6196     -\$config['comment_srv'] = '$comment_srv';
6197     -\$config['comment_stamp'] = '$comment_stamp';
6198     +\$config['comment_srv'] = '$comment_srv';
6199     +\$config['comment_stamp'] = '$comment_stamp';
6200    
6201     # Who users should contact if they have technical difficulty with
6202     # your certificate authority site.
6203     -\$config['getting_help'] = '$getting_help';
6204     +\$config['getting_help'] = '$getting_help';
6205    
6206     #
6207     # You shouldn't change anything below this line. If you do, don't
6208     @@ -275,17 +331,17 @@
6209     \$config['pfx_dir'] = \$config['ca_dir'] . '/pfx';
6210     \$config['index'] = \$config['ca_dir'] . '/index.txt';
6211     \$config['serial'] = \$config['ca_dir'] . '/serial';
6212     -\$config['random'] = \$config['ca_dir'] . '/.rnd';
6213     +\$config['random'] = \$config['ca_dir'] . '/.rnd';
6214     +\$config['cacrl_pem'] = \$config['crl_dir'] . '/cacrl.pem';
6215     +\$config['cacrl_der'] = \$config['crl_dir'] . '/cacrl.crl';
6216     \$config['cacert_pem'] = \$config['cert_dir'] . '/cacert.pem';
6217     -\$config['cacrl_pem'] = \$config['crl_dir'] . '/cacrl.pem';
6218     -\$config['cacrl_der'] = \$config['crl_dir'] . '/cacrl.crl';
6219     \$config['cakey'] = \$config['private_dir'] . '/cakey.pem';
6220    
6221     # Default OpenSSL Config File.
6222     \$config['openssl_cnf'] = \$config['home_dir'] . '/config/openssl.cnf';
6223    
6224     # Define default md
6225     -\$config['default_md'] = 'sha512';
6226     +\$config['default_md'] = 'sha512';
6227    
6228     \$PHPki_admins = Array(md5('admin'));
6229    
6230     @@ -300,18 +356,18 @@
6231     ?>
6232     EOS;
6233    
6234     - #
6235     - # Write out the CA configuration file.
6236     - #
6237     - $fd = fopen("$store_dir/config/config.php",'w');
6238     - fwrite($fd, $config_main_txt);
6239     - fclose($fd);
6240     + #
6241     + # Write out the CA configuration file.
6242     + #
6243     + $fd = fopen("$store_dir/config/config.php", 'w');
6244     + fwrite($fd, $config_main_txt);
6245     + fclose($fd);
6246    
6247    
6248     - #
6249     - # Create the bootstrap configuration
6250     - #
6251     - $config_boot_txt = <<<EOS
6252     + #
6253     + # Create the bootstrap configuration
6254     + #
6255     + $config_boot_txt = <<<EOS
6256     <?php
6257     define('PHPKI_VERSION','$version');
6258     define('STORE_DIR','$store_dir');
6259     @@ -320,224 +376,248 @@
6260     ?>
6261     EOS;
6262    
6263     - #
6264     - # Write out the bootstrap config
6265     - #
6266     - $fd = fopen('./config.php','w');
6267     - fwrite($fd, $config_boot_txt);
6268     - fclose($fd);
6269     -
6270     -
6271     - # Re-read the CA config file so the openssl_functions
6272     - # can be used to create a CA root certificate.
6273     - include("$store_dir/config/config.php");
6274     -
6275     - #
6276     - # Now create a temporary openssl.cnf for creating a self-signed
6277     - # CA root certificate, and create a generic openssl.cnf file
6278     - # in the CA home
6279     - #
6280     - $config_txt1 = <<< EOS
6281     -HOME = $config[home_dir]
6282     -RANDFILE = $config[random]
6283     -dir = $config[ca_dir]
6284     -certs = $config[cert_dir]
6285     -crl_dir = $config[crl_dir]
6286     -database = $config[index]
6287     -new_certs_dir = $config[new_certs_dir]
6288     -private_dir = $config[private_dir]
6289     -serial = $config[serial]
6290     -certificate = $config[cacert_pem]
6291     -crl = $config[cacrl_pem]
6292     -private_key = $config[cakey]
6293     -crl_extensions = crl_ext
6294     -default_days = 365
6295     -default_crl_days= 30
6296     -preserve = no
6297     -default_md = $config[default_md]
6298     + #
6299     + # Write out the bootstrap config
6300     + #
6301     + $fd = fopen('./config.php', 'w');
6302     + fwrite($fd, $config_boot_txt);
6303     + fclose($fd);
6304     +
6305     +
6306     + # Re-read the CA config file so the openssl_functions
6307     + # can be used to create a CA root certificate.
6308     + include("$store_dir/config/config.php");
6309     +
6310     + #
6311     + # Now create a temporary openssl.cnf for creating a self-signed
6312     + # CA root certificate, and create a generic openssl.cnf file
6313     + # in the CA home
6314     + #
6315     +
6316     + $configHOME = $config['home_dir'];
6317     + $configRANDFILE = $config['random'];
6318     + $configCa_dir = $config['ca_dir'];
6319     + $configCert_dir = $config['cert_dir'];
6320     + $configCrl_dir = $config['crl_dir'];
6321     + $configDatabase = $config['index'];
6322     + $configNew_certs_dir = $config['new_certs_dir'];
6323     + $configPrivate_dir = $config['private_dir'];
6324     + $configSerial = $config['serial'];
6325     + $configCacert_pem = $config['cacert_pem'];
6326     + $configCacrl_pem = $config['cacrl_pem'];
6327     + $configCakey = $config['cakey'];
6328     + $configDefault_md = $config['default_md'];
6329     + $configBase_url = $config['base_url'];
6330     + $configCrl_dist = $config['crl_distrib'];
6331     + $configComment_root = $config['comment_root'];
6332     + $configPolicy_url = $config['policy_url'];
6333     + $configRevoke_url = $config['revoke_url'];
6334     + $configComment_email = $config['comment_email'];
6335     + $configComment_sign = $config['comment_sign'];
6336     + $configComment_srv = $config['comment_srv'];
6337     +
6338     +
6339     + $config_txt1 = "
6340     +
6341     +HOME = $configHOME
6342     +RANDFILE = $configRANDFILE
6343     +dir = $configCa_dir
6344     +certs = $configCert_dir
6345     +crl_dir = $configCrl_dir
6346     +database = $configDatabase
6347     +new_certs_dir = $configNew_certs_dir
6348     +private_dir = $configPrivate_dir
6349     +serial = $configSerial
6350     +certificate = $configCacert_pem
6351     +crl = $configCacrl_pem
6352     +private_key = $configCakey
6353     +crl_extentions = crl_ext
6354     +default_days = 365
6355     +default_crl_days = 30
6356     +preserve = no
6357     +default_md = $configDefault_md
6358    
6359     [ ca ]
6360     -default_ca = email_cert
6361     +default_ca = email_cert
6362    
6363     [ root_cert ]
6364     -x509_extensions = root_ext
6365     -default_days = 3650
6366     -policy = policy_supplied
6367     +x509_extensions = root_ext
6368     +default_days = 3650
6369     +policy = policy_supplied
6370    
6371     [ email_cert ]
6372     -x509_extensions = email_ext
6373     -default_days = 365
6374     -policy = policy_supplied
6375     +x509_extensions = email_ext
6376     +default_days = 365
6377     +policy = policy_supplied
6378    
6379     [ email_signing_cert ]
6380     -x509_extensions = email_signing_ext
6381     -default_days = 365
6382     -policy = policy_supplied
6383     +x509_extensions = email_signing_ext
6384     +default_days = 365
6385     +policy = policy_supplied
6386    
6387     [ server_cert ]
6388     -x509_extensions = server_ext
6389     -default_days = 365
6390     -policy = policy_supplied
6391     +x509_extensions = server_ext
6392     +default_days = 365
6393     +policy = policy_supplied
6394    
6395     [ vpn_cert ]
6396     -x509_extensions = vpn_client_server_ext
6397     -default_days = 365
6398     -policy = policy_supplied
6399     +x509_extensions = vpn_client_server_ext
6400     +default_days = 365
6401     +policy = policy_supplied
6402    
6403     [ time_stamping_cert ]
6404     -x509_extensions = time_stamping_ext
6405     -default_days = 365
6406     -policy = policy_supplied
6407     +x509_extensions = time_stamping_ext
6408     +default_days = 365
6409     +policy = policy_supplied
6410    
6411     [ policy_supplied ]
6412     -countryName = supplied
6413     -stateOrProvinceName = supplied
6414     -localityName = supplied
6415     -organizationName = supplied
6416     -organizationalUnitName = supplied
6417     -commonName = supplied
6418     -emailAddress = supplied
6419     +countryName = supplied
6420     +stateOrProvinceName = supplied
6421     +localityName = supplied
6422     +organizationName = supplied
6423     +organizationalUnitName = supplied
6424     +commonName = supplied
6425     +emailAddress = supplied
6426    
6427     [ root_ext ]
6428     -basicConstraints = CA:true
6429     -keyUsage = cRLSign, keyCertSign
6430     -nsCertType = sslCA, emailCA, objCA
6431     -subjectKeyIdentifier = hash
6432     -subjectAltName = email:copy
6433     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
6434     -nsComment = $config[comment_root]
6435     -#nsCaRevocationUrl =
6436     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
6437     +basicConstraints = CA:true
6438     +keyUsage = cRLSign, keyCertSign
6439     +nsCertType = sslCA, emailCA, objCA
6440     +subjectKeyIdentifier = hash
6441     +subjectAltName = email:copy
6442     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
6443     +nsComment = $configComment_root
6444     +#nsCaRevocationUrl =
6445     +nsCaPolicyUrl = $configBase_url$configPolicy_url
6446    
6447     [ email_ext ]
6448     -basicConstraints = critical, CA:false
6449     -keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
6450     -extendedKeyUsage = critical, emailProtection, clientAuth
6451     -nsCertType = critical, client, email
6452     -subjectKeyIdentifier = hash
6453     -authorityKeyIdentifier = keyid:always, issuer:always
6454     -subjectAltName = email:copy
6455     -issuerAltName = issuer:copy
6456     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
6457     -nsComment = $config[comment_email]
6458     -nsBaseUrl = $config[base_url]
6459     -nsRevocationUrl = $config[revoke_url]
6460     -#nsRenewalUrl =
6461     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
6462     -#nsSslServerName =
6463     +basicConstraints = critical, CA:false
6464     +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
6465     +extendedKeyUsage = critical, emailProtection, clientAuth
6466     +nsCertType = critical, client, email
6467     +subjectKeyIdentifier = hash
6468     +authorityKeyIdentifier = keyid:always, issuer:always
6469     +subjectAltName = email:copy
6470     +issuerAltName = issuer:copy
6471     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
6472     +nsComment = $configComment_email
6473     +nsBaseUrl = $configBase_url
6474     +nsRevocationUrl = $configRevoke_url
6475     +#nsRenewalUrl =
6476     +nsCaPolicyUrl = $configBase_url$configPolicy_url
6477     +#nsSslServerName =
6478    
6479     [ email_signing_ext ]
6480     -basicConstraints = critical, CA:false
6481     -keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
6482     -extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
6483     -nsCertType = critical, client, email
6484     -subjectKeyIdentifier = hash
6485     -authorityKeyIdentifier = keyid:always, issuer:always
6486     -subjectAltName = email:copy
6487     -issuerAltName = issuer:copy
6488     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
6489     -nsComment = $config[comment_sign]
6490     -nsBaseUrl = $config[base_url]
6491     -nsRevocationUrl = $config[revoke_url]
6492     -#nsRenewalUrl =
6493     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
6494     -#nsSslServerName =
6495     +basicConstraints = critical, CA:false
6496     +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
6497     +extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
6498     +nsCertType = critical, client, email
6499     +subjectKeyIdentifier = hash
6500     +authorityKeyIdentifier = keyid:always, issuer:always
6501     +subjectAltName = email:copy
6502     +issuerAltName = issuer:copy
6503     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
6504     +nsComment = $configComment_sign
6505     +nsBaseUrl = $configBase_url
6506     +nsRevocationUrl = $configRevoke_url
6507     +#nsRenewalUrl =
6508     +nsCaPolicyUrl = $configBase_url$configPolicy_url
6509     +#nsSslServerName =
6510    
6511     [ server_ext ]
6512     -basicConstraints = CA:false
6513     -keyUsage = critical, digitalSignature, keyEncipherment
6514     -nsCertType = critical, server
6515     -extendedKeyUsage = critical, serverAuth, 1.3.6.1.5.5.7.3.1
6516     -subjectKeyIdentifier = hash
6517     -authorityKeyIdentifier = keyid:always, issuer:always
6518     -subjectAltName = DNS:$common_name,email:copy
6519     -issuerAltName = issuer:copy
6520     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
6521     -nsComment = $config[comment_srv]
6522     -nsBaseUrl = $config[base_url]
6523     -nsRevocationUrl = $config[revoke_url]
6524     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
6525     +basicConstraints = critical, CA:false
6526     +keyUsage = critical, digitalSignature, keyEncipherment
6527     +nsCertType = server
6528     +extendedKeyUsage = critical, serverAuth
6529     +subjectKeyIdentifier = hash
6530     +authorityKeyIdentifier = keyid:always, issuer:always
6531     +subjectAltName = $server_altnames
6532     +issuerAltName = issuer:copy
6533     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
6534     +nsComment = $configComment_srv
6535     +nsBaseUrl = $configBase_url
6536     +nsRevocationUrl = $configRevoke_url
6537     +nsCaPolicyUrl = $configBase_url$configPolicy_url
6538    
6539     [ time_stamping_ext ]
6540     -basicConstraints = CA:false
6541     -keyUsage = critical, nonRepudiation, digitalSignature
6542     -extendedKeyUsage = timeStamping
6543     -subjectKeyIdentifier = hash
6544     -authorityKeyIdentifier = keyid:always, issuer:always
6545     -subjectAltName = DNS:$common_name,email:copy
6546     -issuerAltName = issuer:copy
6547     -crlDistributionPoints = URI:$config[base_url]$config[crl_distrib]
6548     -nsComment = $config[comment_stamp]
6549     -nsBaseUrl = $config[base_url]
6550     -nsRevocationUrl = $config[revoke_url]
6551     -nsCaPolicyUrl = $config[base_url]$config[policy_url]
6552     +basicConstraints = CA:false
6553     +keyUsage = critical, nonRepudiation, digitalSignature
6554     +extendedKeyUsage = timeStamping
6555     +subjectKeyIdentifier = hash
6556     +authorityKeyIdentifier = keyid:always, issuer:always
6557     +subjectAltName = DNS:$common_name,email:copy
6558     +issuerAltName = issuer:copy
6559     +crlDistributionPoints = URI:$configBase_url$configCrl_dist
6560     +nsComment = $config[comment_stamp]
6561     +nsBaseUrl = $configBase_url
6562     +nsRevocationUrl = $configRevoke_url
6563     +nsCaPolicyUrl = $configBase_url$configPolicy_url
6564    
6565     [ vpn_client_ext ]
6566     -basicConstraints = critical, CA:false
6567     -keyUsage = critical, digitalSignature
6568     -extendedKeyUsage = critical, clientAuth
6569     -nsCertType = critical, client
6570     -subjectKeyIdentifier = hash
6571     -authorityKeyIdentifier = keyid:always, issuer:always
6572     -subjectAltName = DNS:$common_name,email:copy
6573     +basicConstraints = critical, CA:false
6574     +keyUsage = critical, digitalSignature
6575     +extendedKeyUsage = critical, clientAuth
6576     +nsCertType = critical, client
6577     +subjectKeyIdentifier = hash
6578     +authorityKeyIdentifier = keyid:always, issuer:always
6579     +subjectAltName = DNS:$common_name,email:copy
6580    
6581     [ vpn_server_ext ]
6582     -basicConstraints = critical, CA:false
6583     -keyUsage = critical, digitalSignature, keyEncipherment
6584     -extendedKeyUsage = critical, serverAuth
6585     -nsCertType = critical, server
6586     -subjectKeyIdentifier = hash
6587     -authorityKeyIdentifier = keyid:always, issuer:always
6588     -subjectAltName = DNS:$common_name,email:copy
6589     +basicConstraints = critical, CA:false
6590     +keyUsage = critical, digitalSignature, keyEncipherment
6591     +extendedKeyUsage = critical, serverAuth
6592     +nsCertType = critical, server
6593     +subjectKeyIdentifier = hash
6594     +authorityKeyIdentifier = keyid:always, issuer:always
6595     +subjectAltName = DNS:$common_name,email:copy
6596    
6597     [ vpn_client_server_ext ]
6598     -basicConstraints = critical, CA:false
6599     -keyUsage = critical, digitalSignature, keyEncipherment
6600     -extendedKeyUsage = critical, serverAuth, clientAuth
6601     -nsCertType = critical, server, client
6602     -subjectKeyIdentifier = hash
6603     -authorityKeyIdentifier = keyid:always, issuer:always
6604     -subjectAltName = DNS:$common_name,email:copy
6605     +basicConstraints = critical, CA:false
6606     +keyUsage = critical, digitalSignature, keyEncipherment
6607     +extendedKeyUsage = critical, serverAuth, clientAuth
6608     +nsCertType = critical, server, client
6609     +subjectKeyIdentifier = hash
6610     +authorityKeyIdentifier = keyid:always, issuer:always
6611     +subjectAltName = DNS:$common_name,email:copy
6612    
6613     [ crl_ext ]
6614     issuerAltName=issuer:copy
6615     authorityKeyIdentifier=keyid:always,issuer:always
6616    
6617     +";
6618    
6619     -EOS;
6620     -
6621     - $config_txt2 = <<< EOS
6622     + $config_txt2 = <<< EOS
6623     [ req ]
6624     -default_bits = 2048
6625     -default_keyfile = privkey.pem
6626     -distinguished_name = req_name
6627     -string_mask = nombstr
6628     -req_extensions = req_ext
6629     +default_bits = 2048
6630     +default_keyfile = privkey.pem
6631     +distinguished_name = req_name
6632     +string_mask = nombstr
6633     +req_extensions = req_ext
6634    
6635     [ req_name]
6636     -countryName = Country Name (2 letter code)
6637     -countryName_default = US
6638     -countryName_min = 2
6639     -countryName_max = 2
6640     +countryName = Country Name (2 letter code)
6641     +countryName_default = US
6642     +countryName_min = 2
6643     +countryName_max = 2
6644    
6645     -stateOrProvinceName = State or Province Name (full name)
6646     -stateOrProvinceName_default =
6647     +stateOrProvinceName = State or Province Name (full name)
6648     +stateOrProvinceName_default =
6649    
6650     -localityName = Locality Name (eg, city)
6651     -localityName_default =
6652     +localityName = Locality Name (eg, city)
6653     +localityName_default =
6654    
6655     -0.organizationName = Organization Name (eg, company)
6656     -0.organizationName_default =
6657     +0.organizationName = Organization Name (eg, company)
6658     +0.organizationName_default =
6659    
6660     -1.organizationName = Second Organization Name (eg, company)
6661     -1.organizationName_default =
6662     +1.organizationName = Second Organization Name (eg, company)
6663     +1.organizationName_default =
6664    
6665     -organizationalUnitName = Organizational Unit Name (eg, section)
6666     -organizationalUnitName_default =
6667     +organizationalUnitName = Organizational Unit Name (eg, section)
6668     +organizationalUnitName_default =
6669    
6670     -commonName = Common Name (eg, YOUR name)
6671     +commonName = Common Name (eg, YOUR name)
6672    
6673     -emailAddress = Email Address or Web URL
6674     +emailAddress = Email Address or Web URL
6675    
6676     [ req_ext ]
6677     basicConstraints = critical, CA:false
6678     @@ -545,23 +625,31 @@
6679    
6680     EOS;
6681    
6682     - $config_txt3 = <<< EOS
6683     + $configCountry = $config['country'];
6684     + $configProvince = $config['province'];
6685     + $configLocality = $config['locality'];
6686     + $configOrganization = $config['organization'];
6687     + $configUnit = $config['unit'];
6688     + $configCommon_name = $config['common_name'];
6689     + $configEmailaddress = $config['contact'];
6690     +
6691     + $config_txt3 = <<< EOS
6692     [ req ]
6693     -default_bits = 2048
6694     -default_keyfile = privkey.pem
6695     -distinguished_name = req_name
6696     -string_mask = nombstr
6697     -req_extensions = req_ext
6698     -prompt = no
6699     +default_bits = 2048
6700     +default_keyfile = privkey.pem
6701     +distinguished_name = req_name
6702     +string_mask = nombstr
6703     +req_extensions = req_ext
6704     +prompt = no
6705    
6706     [ req_name ]
6707     -C = $config[country]
6708     -ST = $config[province]
6709     -L = $config[locality]
6710     -O = $config[organization]
6711     -OU = $config[unit]
6712     -CN = $config[common_name]
6713     -emailAddress = $config[contact]
6714     +C = $configCountry
6715     +ST = $configProvince
6716     +L = $configLocality
6717     +O = $configOrganization
6718     +OU = $configUnit
6719     +CN = $configCommon_name
6720     +emailAddress = $configEmailaddress
6721    
6722     [ req_ext ]
6723     basicConstraints = critical, CA:true
6724     @@ -569,163 +657,217 @@
6725    
6726     EOS;
6727    
6728     - #
6729     - # Write the permanent OpenSSL config
6730     - #
6731     - $fd = fopen($config['openssl_cnf'],'w');
6732     - fwrite($fd, $config_txt1 . $config_txt2);
6733     - fclose($fd);
6734     -
6735     - #
6736     - # Write the temporary OpenSSL config
6737     - #
6738     - $tmp_cnf = "$config[home_dir]/tmp/openssl.cnf";
6739     - $fd = fopen($tmp_cnf,'w');
6740     - fwrite($fd, $config_txt1 . $config_txt3);
6741     - fclose($fd);
6742     -
6743     - #
6744     - # Intialize index.txt and serial files
6745     - #
6746     - $fd = fopen($config['index'],'w');
6747     - fwrite($fd, "");
6748     - fclose($fd);
6749     - #
6750     - $fd = fopen($config['serial'],'w');
6751     - fwrite($fd, "100001");
6752     - fclose($fd);
6753     -
6754     - #
6755     - # Convert expiry years to approximate days.
6756     - #
6757     - $days = $config['expiry'] * 365.25;
6758     -
6759     -
6760     - #
6761     - # Create a new self-signed CA certificate in PEM format.
6762     - #
6763     - print '<strong>Creating root certificate...</strong><br>';
6764     - flush();
6765     - // .rnd created here
6766     - exec(REQ . " -x509 -config $tmp_cnf -extensions root_ext -newkey rsa:$keysize -keyout $config[cakey] -out $config[cacert_pem] -passout pass:'$config[ca_pwd]' -days $days 2>&1");
6767     -
6768     - # **** DISABLED *****
6769     - # It appears that both IE and Netscape accept PEM formatted root certificates
6770     - #
6771     - # Create a copy of the CA certificate in DER format.
6772     - #
6773     - #exec(X509 . " -in ca/$config[cacert_pem] -inform PEM -out ca/$config[cacert_der] -outform DER 2>&1");
6774     -
6775     - #
6776     - # Generate the initial CRL.
6777     - #
6778     - print '<strong>Generating certificate revocation list...</strong><br>';
6779     - flush();
6780     - exec(CA . " -gencrl -config $config[openssl_cnf] -out $config[cacrl_pem] -passin pass:'$config[ca_pwd]'");
6781     -
6782     - # Make a copy of the CRL in DER format.
6783     - #
6784     - exec(CRL . " -in $config[cacrl_pem] -out $config[cacrl_der] -inform PEM -outform DER");
6785     -
6786     - #
6787     - # Clean up.
6788     - #
6789     - if (! unlink("$store_dir/tmp/openssl.cnf")) print "Can't unlink $store_dir/tmp/openssl.cnf";
6790     -
6791     - #
6792     - # Create dhparam files for OpenVPN and others.
6793     - #
6794     - #print '<p><strong>Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.<br>';
6795     - #print "Saving to $config[private_dir]/dhparam1024.pem.</strong><br>";
6796     - #$cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024";
6797     - #print $cmd.'<br>';
6798     - #flush();
6799     - #flush_exec($cmd,100);
6800     -
6801     - #print "Please ignore warnings about \"unable to write 'random state\' <br><br>";
6802     -
6803     - // This method works but still errors in logs
6804     - // exec(DH . "-rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024");
6805     - // exec(DH . " -out '$config[private_dir]/dhparam1024.pem' 1024");
6806     -
6807     - print '<p><strong>Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.<br>';
6808     - print "Saving to $store_dir/dhparam2048.pem.</strong><br>";
6809     - $cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam2048.pem' 2048";
6810     - print $cmd.'<br>';
6811     - flush();
6812     - flush_exec($cmd,200);
6813     -
6814     - print "Please ignore warnings about \"unable to write 'random state' <br><br>";
6815     -
6816     - #
6817     - # Create a TLS auth key for OpenVPN if openvpn is installed
6818     - #
6819     - $command = 'which openvpn';
6820     - $command = escapeshellcmd($command);
6821     -
6822     - if (system ($command) == '/usr/sbin/openvpn') {
6823     -
6824     - print '<p><strong>Creating a TLS authentication key used by OpenVPN.<br>';
6825     - print "Saving to $store_dir/takey.pem.</strong><br>";
6826     - $cmd = "openvpn --genkey --secret '$config[private_dir]/takey.pem'";
6827     - print $cmd.'<br>';
6828     + #
6829     + # Write the permanent OpenSSL config
6830     + #
6831     + $fd = fopen($config['openssl_cnf'], 'w');
6832     + fwrite($fd, $config_txt1 . $config_txt2);
6833     + fclose($fd);
6834     +
6835     + #
6836     + # Write the temporary OpenSSL config
6837     + #
6838     + $configHome_dir = $config['home_dir'];
6839     + $tmp_cnf = "$configHome_dir/tmp/openssl.cnf";
6840     + $fd = fopen($tmp_cnf, 'w');
6841     + fwrite($fd, $config_txt1 . $config_txt3);
6842     + fclose($fd);
6843     +
6844     + #
6845     + # Initialize index.txt and serial files
6846     + #
6847     + $fd = fopen($config['index'], 'w');
6848     + fwrite($fd, "");
6849     + fclose($fd);
6850     + #
6851     + $fd = fopen($config['serial'], 'w');
6852     + fwrite($fd, "100001");
6853     + fclose($fd);
6854     +
6855     + #
6856     + # Convert expiry years to approximate days.
6857     + #
6858     + $days = $config['expiry'] * 365.25;
6859     +
6860     + #
6861     + # Create a new self-signed CA certificate in PEM format.
6862     + #
6863     + print '<strong>Creating root certificate...</strong><br>';
6864     + flush();
6865     +
6866     + $configOpenssl_cnf = $config['openssl_cnf'];
6867     + $configPrivate_dir = $config['private_dir'];
6868     + $configCacert_pem = $config['cacert_pem'];
6869     + $configCa_pwd = $config['ca_pwd'];
6870     + $configCakey = $config['cakey'];
6871     + $configRandom = $config['random'];
6872     + $configCacrl_der = $config['cacrl_der'];
6873     + $configCacrl_pem = $config['cacrl_pem'];
6874     +
6875     + // .rnd created here
6876     + exec(REQ . " -x509 -config $tmp_cnf -extensions root_ext -newkey rsa:$keysize -keyout $configCakey -out $configCacert_pem -passout pass:'$configCa_pwd' -days $days 2>&1");
6877     +
6878     + # **** DISABLED *****
6879     + # It appears that both IE and Netscape accept PEM formatted root certificates
6880     + #
6881     + # Create a copy of the CA certificate in DER format.
6882     + #
6883     + #exec(X509 . " -in ca/$config[cacert_pem] -inform PEM -out ca/$config[cacert_der] -outform DER 2>&1");
6884     +
6885     + #
6886     + # Generate the initial CRL.
6887     + #
6888     + print '<strong>Generating certificate revocation list...</strong><br>';
6889     + flush();
6890     + exec(CA . " -gencrl -config $configOpenssl_cnf -out $configCacrl_pem -passin pass:'$configCa_pwd'");
6891     +
6892     + # Make a copy of the CRL in DER format.
6893     + #
6894     + exec(CRL . " -in $configCacrl_pem -out $configCarcrl_der -inform PEM -outform DER");
6895     +
6896     + #
6897     + # Clean up.
6898     + #
6899     + if (! unlink("$store_dir/tmp/openssl.cnf")) {
6900     + print "Can't unlink $store_dir/tmp/openssl.cnf";
6901     + }
6902     +
6903     + #
6904     + # Create dhparam files for OpenVPN and others.
6905     + #
6906     + #print '<p><strong>Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.<br>';
6907     + #print "Saving to $config[private_dir]/dhparam1024.pem.</strong><br>";
6908     + #$cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024";
6909     + #print $cmd.'<br>';
6910     + #flush();
6911     + #flush_exec($cmd,100);
6912     +
6913     + #print "Please ignore warnings about \"unable to write 'random state\' <br><br>";
6914     +
6915     + // This method works but still errors in logs
6916     + // exec(DH . "-rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024");
6917     + // exec(DH . " -out '$config[private_dir]/dhparam1024.pem' 1024");
6918     +
6919     + print '<p><strong>Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.<br>';
6920     + print "Saving to $store_dir/dhparam2048.pem.</strong><br>";
6921     + $cmd = "openssl dhparam -rand '$configRandom' -out '$configPrivate_dir/dhparam2048.pem' 2048";
6922     + print $cmd.'<br>';
6923     flush();
6924     - flush_exec($cmd);
6925     - } else {
6926     - echo "openvpn is required to generate a takey.pem<br>";
6927     - echo "You can create one later like this:<br>";
6928     - echo "openvpn --genkey --secret". $config[private_dir] . "/takey.pem<br>";
6929     - }
6930     -
6931     -
6932     -
6933     - #
6934     - # Step aside and let the users in (create index.php files).
6935     - #
6936     - if (! unlink('index.php')) print "Can't unlink index.php";
6937     - if (! unlink('setup.php')) print "Can't unlink setup.php";;
6938     - if (! unlink('ca/index.php')) print "Can't unlink ca/index.php";
6939     - if (! symlink('main.php','index.php')) print "Can't symlink main.php";
6940     - if (! symlink('main.php','ca/index.php')) print "Can't symlink ca/main.php";
6941     -
6942     - ?>
6943     - <center>
6944     - <h2>Setup is complete. Your CA root certificate as been created.</h2>
6945     - <?php
6946     - if (! getOSInformation()) {
6947     - print '<h3><font color=red>SECURITY WARNING!&nbsp;&nbsp; Be sure to run the <cite>secure.sh</cite> shell script as the <strong>root</strong> user.</font></h3>';
6948     - }
6949     - ?>
6950     - <p><br><br>
6951     - <form action=index.php>
6952     - <input type=submit name=submit value="Proceed To The PHPki Main Menu">
6953     - </form>
6954     - </center>
6955     - <?php
6956     - printFooter();
6957     - break;
6958     -
6959     -default:
6960     - if (! $country) $country = $config['country'];
6961     - if (! $province) $province = $config['province'];
6962     - if (! $locality) $locality = $config['locality'];
6963     - if (! $organization) $organization = $config['organization'];
6964     - if (! $contact) $contact = $config['contact'];
6965     - if (! $expiry) $expiry = $config['expiry'];
6966     - if (! $expiry) $expiry = 10;
6967     - if (! $keysize) $keysize = $config['keysize'];
6968     - if (! $keysize) $keysize = 2048;
6969     - if (! $passwd) $passwd = $config['ca_pwd'];
6970     - if (! $passwdv) $passwdv = $passwd;
6971     + flush_exec($cmd, 200);
6972     +
6973     + print "Please ignore warnings about \"unable to write 'random state' <br><br>";
6974     +
6975     + #
6976     + # Create a TLS auth key for OpenVPN if openvpn is installed
6977     + #
6978     + $command = 'which openvpn';
6979     + $command = escapeshellcmd($command);
6980     +
6981     + if (system($command) == '/usr/sbin/openvpn') {
6982     + print '<p><strong>Creating a TLS authentication key used by OpenVPN.<br>';
6983     + print "Saving to $store_dir/takey.pem.</strong><br>";
6984     + $cmd = "openvpn --genkey --secret '$configPrivate_dir/takey.pem'";
6985     + print $cmd.'<br>';
6986     + flush();
6987     + flush_exec($cmd);
6988     + } else {
6989     + echo "openvpn is required to generate a takey.pem<br>";
6990     + echo "You can create one later like this:<br>";
6991     + echo "openvpn --genkey --secret". $configPrivate_dir . "/takey.pem<br>";
6992     + }
6993     +
6994     +
6995    
6996     - if (! $unit) $unit = $config['unit'];
6997     - if (! $unit) $unit = "Certificate Authority";
6998     + #
6999     + # Step aside and let the users in (create index.php files).
7000     + #
7001     + if (! unlink('index.php')) {
7002     + print "Can't unlink index.php";
7003     + }
7004     + if (! unlink('setup.php')) {
7005     + print "Can't unlink setup.php";
7006     + };
7007     + if (! unlink('ca/index.php')) {
7008     + print "Can't unlink ca/index.php";
7009     + }
7010     + if (! symlink('main.php', 'index.php')) {
7011     + print "Can't symlink main.php";
7012     + }
7013     + if (! symlink('main.php', 'ca/index.php')) {
7014     + print "Can't symlink ca/main.php";
7015     + }
7016     +
7017     + ?>
7018     + <center>
7019     + <h2>Setup is complete. Your CA root certificate as been created.</h2>
7020     + <?php
7021     + if (! getOSInformation()) {
7022     + print '<h3><font color=red>SECURITY WARNING!&nbsp;&nbsp; Be sure to run the <cite>secure.sh</cite> shell script as the <strong>root</strong> user.</font></h3>';
7023     + }
7024     + ?>
7025     + <p><br><br>
7026     + <form action=index.php>
7027     + <input type=submit name=submit value="Proceed To The PHPki Main Menu">
7028     + </form>
7029     + </center>
7030     + <?php
7031     + printFooter();
7032     + break;
7033     +
7034     + default:
7035     + if (! $country) {
7036     + $country = $config['country'];
7037     + }
7038     + if (! $province) {
7039     + $province = $config['province'];
7040     + }
7041     + if (! $locality) {
7042     + $locality = $config['locality'];
7043     + }
7044     + if (! $organization) {
7045     + $organization = $config['organization'];
7046     + }
7047     + if (! $contact) {
7048     + $contact = $config['contact'];
7049     + }
7050     + if (! $expiry) {
7051     + $expiry = $config['expiry'];
7052     + }
7053     + if (! $expiry) {
7054     + $expiry = 10;
7055     + }
7056     + if (! $keysize) {
7057     + $keysize = $config['keysize'];
7058     + }
7059     + if (! $keysize) {
7060     + $keysize = 2048;
7061     + }
7062     + if (! $passwd) {
7063     + $passwd = $config['ca_pwd'];
7064     + }
7065     + if (! $passwdv) {
7066     + $passwdv = $passwd;
7067     + }
7068    
7069     - if (! $common_name) $common_name = $config['common_name'];
7070     - if (! $common_name) $common_name = "PHPki Certificate Authority";
7071     + if (! $unit) {
7072     + $unit = $config['unit'];
7073     + }
7074     + if (! $unit) {
7075     + $unit = "Certificate Authority";
7076     + }
7077    
7078     - if (! $getting_help) $getting_help = $config['getting_help'];
7079     - if (! $getting_help) $getting_help = '
7080     + if (! $common_name) {
7081     + $common_name = $config['common_name'];
7082     + }
7083     + if (! $common_name) {
7084     + $common_name = "PHPki Certificate Authority";
7085     + }
7086     +
7087     + if (! $getting_help) {
7088     + $getting_help = $config['getting_help'];
7089     + }
7090     + if (! $getting_help) {
7091     + $getting_help = '
7092     <b>Contact:</b><br>
7093     First-Name Last-Name<br>
7094     Company/Organization Name<br>
7095     @@ -735,322 +877,360 @@
7096     <br>
7097     Phone: (000) 000-0000<br>
7098     E-mail: <a href=mailto:someone@somewhere.com>someone@somewhere.com</a>&nbsp;&nbsp;&nbsp;<i><b>E-mail is preferred.</b></i><br>';
7099     + }
7100     +
7101     + if (! $store_dir) {
7102     + $store_dir = dirname($_SERVER['DOCUMENT_ROOT']).'/phpki-store';
7103     + }
7104     +
7105     + if (! $base_url) {
7106     + $base_url = $config['base_url'];
7107     + }
7108     + if (! $base_url) {
7109     + $base_url = 'http://www.somewhere.com/phpki/';
7110     + }
7111    
7112     - if (! $store_dir) $store_dir = dirname($_SERVER['DOCUMENT_ROOT']).'/phpki-store';
7113     + if (! $crl_distrib) {
7114     + $crl_distrib = 'index.php?stage=dl_crl';
7115     + }
7116     + if (! $revoke_url) {
7117     + $revoke_url = 'ns_revoke_query.php?';
7118     + }
7119     + if (! $policy_url) {
7120     + $policy_url = 'policy.html';
7121     + }
7122    
7123     - if (! $base_url) $base_url = $config['base_url'];
7124     - if (! $base_url) $base_url = 'http://www.somewhere.com/phpki/';
7125     + if (! $comment_root) {
7126     + $comment_root = 'PHPki/OpenSSL Generated Root Certificate Authority';
7127     + }
7128     + if (! $comment_email) {
7129     + $comment_email = 'PHPki/OpenSSL Generated Personal Certificate';
7130     + }
7131     + if (! $comment_sign) {
7132     + $comment_sign = 'PHPki/OpenSSL Generated Personal Certificate';
7133     + }
7134     + if (! $comment_srv) {
7135     + $comment_srv = 'PHPki/OpenSSL Generated Secure Server Certificate';
7136     + }
7137     + if (! $comment_stamp) {
7138     + $comment_stamp = 'PHPki/OpenSSL Generated Time Stamping Certificate';
7139     + }
7140     +
7141     + if (! $ca_prefix) {
7142     + $ca_prefix = $config['ca_prefix'];
7143     + }
7144     +
7145     + if (! $openssl_bin) {
7146     + $openssl_bin = $config['openssl_bin'];
7147     + }
7148     + if (! $openssl_bin) {
7149     + $openssl_bin = '/usr/bin/openssl';
7150     + }
7151     +
7152     + if (! $passwd_file) {
7153     + $passwd_file = $config['passwd_file'];
7154     + }
7155     + if (! $passwd_file) {
7156     + $passwd_file = dirname($_SERVER['DOCUMENT_ROOT']).'/phpkipasswd';
7157     + }
7158     +
7159     + if (! $header_title) {
7160     + $header_title = $config['header_title'];
7161     + }
7162     + if (! $header_title) {
7163     + $header_title = 'Certificate Authority';
7164     + }
7165    
7166     - if (! $crl_distrib) $crl_distrib = 'index.php?stage=dl_crl';
7167     - if (! $revoke_url) $revoke_url = 'ns_revoke_query.php?';
7168     - if (! $policy_url) $policy_url = 'policy.html';
7169     -
7170     - if (! $comment_root) $comment_root = 'PHPki/OpenSSL Generated Root Certificate Authority';
7171     - if (! $comment_email) $comment_email = 'PHPki/OpenSSL Generated Personal Certificate';
7172     - if (! $comment_sign) $comment_sign = 'PHPki/OpenSSL Generated Personal Certificate';
7173     - if (! $comment_srv) $comment_srv = 'PHPki/OpenSSL Generated Secure Server Certificate';
7174     - if (! $comment_stamp) $comment_stamp = 'PHPki/OpenSSL Generated Time Stamping Certificate';
7175     -
7176     - if (! $ca_prefix) $ca_prefix = $config['ca_prefix'];
7177     -
7178     - if (! $openssl_bin) $openssl_bin = $config['openssl_bin'];
7179     - if (! $openssl_bin) $openssl_bin = '/usr/bin/openssl';
7180     -
7181     - if (! $passwd_file) $passwd_file = $config['passwd_file'];
7182     - if (! $passwd_file) $passwd_file = dirname($_SERVER['DOCUMENT_ROOT']).'/phpkipasswd';
7183     -
7184     - if (! $header_title) $header_title = $config['header_title'];
7185     - if (! $header_title) $header_title = 'Certificate Authority';
7186     -
7187     - printHeader('setup');
7188     - ?>
7189     - <form action="<?php echo $PHP_SELF?>" method="post">
7190     - <center><h2>Certificate Authority Initial Setup</h2></center>
7191     - <table width=99%>
7192     - <tr>
7193     - <th colspan=2><h3>Root Certificate Data</h3></th>
7194     - </tr>
7195     -
7196     - <tr>
7197     - <td width=35%><strong>Organization</strong> <font color=red>*</font></td>
7198     - <td><input type=text name=organization value="<?php echo htvar($organization)?>" maxlength=60 size=50></td>
7199     - </tr>
7200     -
7201     - <tr>
7202     - <td><strong>Department/Unit</strong> <font color=red>*</font></td>
7203     - <td><input type=text name=unit value="<?php echo htvar($unit)?>" maxlength=60 size=30></td>
7204     - </tr>
7205     -
7206     - <tr>
7207     - <td>
7208     - <strong>Common Name</strong> <font color=red>*</font>
7209     - This is embeded in certificates, and is most often displayed in
7210     - e-mail clients as the <cite>Issued By:</cite> text. This is usually
7211     - the full name of your certificate authority (i.e. ACME Certificate Authority).
7212     - </td>
7213     - <td><input type=text name=common_name value="<?php echo htvar($common_name)?>" maxlength=60 size=60></td>
7214     - </tr>
7215     -
7216     - <tr>
7217     - <td>
7218     - <strong>Technical Contact E-mail Address</strong> <font color=red>*</font><br>
7219     - Enter an e-mail address where users should send correspondence
7220     - regarding your certificate authority and the certificates you issue.
7221     - </td>
7222     -
7223     - <td><input type=text name=contact value="<?php echo htvar($contact)?>" maxlength=60 size=30></td>
7224     - </tr>
7225     -
7226     - <tr>
7227     - <td><strong>Locality</strong> <font color=red>*</font></td>
7228     - <td><input type=text name=locality value="<?php echo htvar($locality)?>" maxlength=60 size=30></td>
7229     - </tr>
7230     -
7231     - <tr>
7232     - <td><strong>State/Province</strong> <font color=red>*</font></td>
7233     - <td><input type=text name=province value="<?php echo htvar($province)?>" maxlength=60 size=20></td>
7234     - </tr>
7235     -
7236     - <tr>
7237     - <td><strong>Country Code ISO 3166 - 2 Characters</strong> <font color=red>*</font></td>
7238     - <td><input type=text name=country value="<?php echo htvar($country)?>" maxlength=2 size=2></td>
7239     - </tr>
7240     -
7241     - <tr>
7242     - <td>
7243     - <strong>Password</strong> <font color=red>*</font><br>
7244     - This password will be used to protect your root certificate private
7245     - key.<br/>Can't contain single quote ! <strong><font color=red>Do not lose or forget this password.</font></strong>
7246     - </td>
7247     - <td><input type=password name=passwd value="<?php echo htvar($passwd)?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv value="<?php echo htvar($passwdv)?>" size=30></td>
7248     - </tr>
7249     -
7250     - <tr>
7251     - <td>
7252     - <strong>Certificate Life</strong> <font color=red>*</font><br>
7253     - Enter the number of years you wish your root certificate to be valid.
7254     - </td>
7255     - <td><select name=expiry>
7256     -
7257     - <?php
7258     - for ( $i = 5 ; $i <= 15 ; $i+=5 ) {
7259     - print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
7260     - }
7261     - ?>
7262     -
7263     - </select></td>
7264     - </tr>
7265     -
7266     - <tr>
7267     - <td>
7268     - <strong>Key Size</strong> <font color=red>*</font><br>
7269     - Enter the size of your certificate key. Recommend 2048+
7270     - </td>
7271     - <td><select name=keysize>
7272     -
7273     - <?php
7274     - for ( $i = 1024 ; $i <= 4096 ; $i+=512 ) {
7275     - print "<option value=$i " . ($keysize == $i ? "selected='selected'" : "") . ">$i bits</option>\n" ;
7276     - }
7277     - ?>
7278     -
7279     - </select></td>
7280     - </tr>
7281     -
7282     - <tr>
7283     - <td>
7284     - <strong>Certificate Authority Base URL</strong><br>
7285     - Enter the public Web address where your Certificate Authority will
7286     - reside. The address should end with a trailing slash (/) character.
7287     - This address will be embeded in all certficates issued
7288     - by your CA, for informational purposes.
7289     - </td>
7290     - <td>
7291     - <input type=text name=base_url value="<?php echo htvar($base_url)?>" size=50>
7292     - </td>
7293     - </tr>
7294     -
7295     - <tr>
7296     - <td>
7297     - <strong>Certificate Authority CRL Distribution Points</strong><br>
7298     - Provide the public URL where Certificate Revocation List (CRL) of
7299     - your CA will reside. This path is relative to Base URL above.
7300     - You may leave it by default if your clients have direct access to PHPki.
7301     - </td>
7302     - <td>
7303     - <input type=text name=crl_distrib value="<?php echo htvar($crl_distrib)?>" size=50>
7304     - </td>
7305     - </tr>
7306     -
7307     - <tr>
7308     - <td>
7309     - <strong>Certificate Authority Revocation Check URL</strong><br>
7310     - Provide the public URL where clients of your CA can check if the requested
7311     - certificate has been revoked. This path is relative to Base URL above.
7312     - You may leave it by default if your clients have direct access to PHPki.
7313     - </td>
7314     - <td>
7315     - <input type=text name=revoke_url value="<?php echo htvar($revoke_url)?>" size=50>
7316     - </td>
7317     - </tr>
7318     -
7319     - <tr>
7320     - <td>
7321     - <strong>Certificate Authority Policy URL</strong><br>
7322     - Provide the public URL where your CA policy will reside.
7323     - This path is relative to Base URL above.
7324     - You may leave it by default or adjust to your environment.
7325     - </td>
7326     - <td>
7327     - <input type=text name=policy_url value="<?php echo htvar($policy_url)?>" size=50>
7328     - </td>
7329     - </tr>
7330     -
7331     - <tr>
7332     - <td>
7333     - <strong>Root Certificate Comment</strong><br>
7334     - Root certificate Comment attribute. You may change it to something
7335     - or use the default value set by PHPki.
7336     - </td>
7337     - <td>
7338     - <input type=text name=comment_root value="<?php echo htvar($comment_root)?>" size=50>
7339     - </td>
7340     - </tr>
7341     -
7342     - <tr>
7343     - <td>
7344     - <strong>Email Certificate Comment</strong><br>
7345     - Email certificate Comment attribute. You may change it to something
7346     - or use the default value set by PHPki.
7347     - </td>
7348     - <td>
7349     - <input type=text name=comment_email value="<?php echo htvar($comment_email)?>" size=50>
7350     - </td>
7351     - </tr>
7352     -
7353     - <tr>
7354     - <td>
7355     - <strong>Email/Signing Certificate Comment</strong><br>
7356     - Email and signing certificate Comment attribute. You may change it
7357     - to something or use the default value set by PHPki.
7358     - </td>
7359     - <td>
7360     - <input type=text name=comment_sign value="<?php echo htvar($comment_sign)?>" size=50>
7361     - </td>
7362     - </tr>
7363     -
7364     - <tr>
7365     - <td>
7366     - <strong>SSL Server Certificate Comment</strong><br>
7367     - SSL server certificate Comment attribute. You may change it to something
7368     - or use the default value set by PHPki.
7369     - </td>
7370     - <td>
7371     - <input type=text name=comment_srv value="<?php echo htvar($comment_srv)?>" size=50>
7372     - </td>
7373     - </tr>
7374     -
7375     - <tr>
7376     - <td>
7377     - <strong>Time Stamping Certificate Comment</strong><br>
7378     - Time stamping certificate Comment attribute. You may change it
7379     - to something or use the default value set by PHPki.
7380     - </td>
7381     - <td>
7382     - <input type=text name=comment_stamp value="<?php echo htvar($comment_stamp)?>" size=50>
7383     - </td>
7384     - </tr>
7385     -
7386     - </table>
7387     -
7388     - <p>
7389     - <table width=99%>
7390     - <tr>
7391     - <th colspan=2><h3>Configuration Options</h3></th>
7392     - </tr>
7393     -
7394     - <tr>
7395     - <td width=35%>
7396     - <strong>Storage Directory <font color=red>*</font></strong><br>
7397     - Enter the location where PHPki will store its files. This should be a directory where
7398     - the web server has full read/write access (chown <?php echo $uname?> ; chmod 700), and is preferably
7399     - outside of DOCUMENT_ROOT (<?php echo $_SERVER['DOCUMENT_ROOT']?>). You may have to manually create the directory before completing this form.
7400     - </td>
7401     - <td>
7402     - <input type=text name=store_dir value="<?php echo htvar($store_dir)?>" size=35>
7403     - </td>
7404     - </tr>
7405     -
7406     - <tr>
7407     - <td width=35%>
7408     - <strong>Location of OpenSSL Executable <font color=red>*</font></strong><br>
7409     - Enter the location of your OpenSSL binary. The default is usually ok.
7410     - </td>
7411     - <td>
7412     - <input type=text name=openssl_bin value="<?php echo htvar($openssl_bin)?>" size=35>
7413     - </td>
7414     - </tr>
7415     -
7416     - <tr>
7417     - <td width=35%>
7418     - <strong>Location of HTTP password file <font color=red>*</font></strong><br>
7419     - Enter the location of your PHPki user password file. The default is usually ok.
7420     - </td>
7421     - <td>
7422     - <input type=text name=passwd_file value="<?php echo htvar($passwd_file)?>" size=35>
7423     - </td>
7424     - </tr>
7425     -
7426     - <tr>
7427     - <td>
7428     - <strong>File Upload Prefix</strong><br>
7429     - This is an optional prefix which will be added to root certificate
7430     - and certificate revocation list file uploads. Normally the root
7431     - certificate is uploaded as caroot.crt. With a prefix like
7432     - <cite style="white-space: nowrap">"acme_"</cite>, the root certificate would be uploaded as
7433     - <cite>"acme_caroot.crt"</cite>.
7434     - </td>
7435     - <td>
7436     - <input type=text name=ca_prefix value="<?php echo htvar($ca_prefix)?>" maxlength=10 size=10>
7437     - </td>
7438     - </tr>
7439     -
7440     - <tr>
7441     - <td>
7442     - <strong>Page Header Title</strong><br>
7443     - This title will be displayed superimposed over the PHPki logo at the
7444     - top of every page.
7445     - </td>
7446     - <td>
7447     - <input type=text name=header_title value="<?php echo htvar($header_title)?>" maxlength=40 size=40>
7448     - </td>
7449     - </tr>
7450     -
7451     - <tr>
7452     - <td>
7453     - <strong>Help Document Contact Info</strong><br>
7454     - This text will be inserted into the online help document
7455     - under the "Getting Additional Help" section. Include full
7456     - contact info for the convenience of your users. Use HTML
7457     - tags to improve presentation.
7458     - </td>
7459     - <td>
7460     - <textarea name=getting_help cols=50 rows=15><?php echo htvar($getting_help)?></textarea>
7461     - </td>
7462     - </tr>
7463     - </table>
7464     - <font color=red>* Required field</font>
7465     -
7466     - <p>
7467     - <center><input type=submit name=submit value=Submit></center></td>
7468     - <input type=hidden name=stage value='validate'>
7469     - </form>
7470     -
7471     - <?php
7472     - printFooter();
7473     - break;
7474     + printHeader('setup');
7475     + ?>
7476     + <form action="<?php echo $PHP_SELF?>" method="post">
7477     + <center><h2>Certificate Authority Initial Setup</h2></center>
7478     + <table width=99%>
7479     + <tr>
7480     + <th colspan=2><h3>Root Certificate Data</h3></th>
7481     + </tr>
7482     +
7483     + <tr>
7484     + <td width=35%><strong>Organization</strong> <font color=red>*</font></td>
7485     + <td><input type=text name=organization value="<?php echo htvar($organization)?>" maxlength=60 size=50></td>
7486     + </tr>
7487     +
7488     + <tr>
7489     + <td><strong>Department/Unit</strong> <font color=red>*</font></td>
7490     + <td><input type=text name=unit value="<?php echo htvar($unit)?>" maxlength=60 size=30></td>
7491     + </tr>
7492     +
7493     + <tr>
7494     + <td>
7495     + <strong>Common Name</strong> <font color=red>*</font>
7496     + This is embeded in certificates, and is most often displayed in
7497     + e-mail clients as the <cite>Issued By:</cite> text. This is usually
7498     + the full name of your certificate authority (i.e. ACME Certificate Authority).
7499     + </td>
7500     + <td><input type=text name=common_name value="<?php echo htvar($common_name)?>" maxlength=60 size=60></td>
7501     + </tr>
7502     +
7503     + <tr>
7504     + <td>
7505     + <strong>Technical Contact E-mail Address</strong> <font color=red>*</font><br>
7506     + Enter an e-mail address where users should send correspondence
7507     + regarding your certificate authority and the certificates you issue.
7508     + </td>
7509     +
7510     + <td><input type=text name=contact value="<?php echo htvar($contact)?>" maxlength=60 size=30></td>
7511     + </tr>
7512     +
7513     + <tr>
7514     + <td><strong>Locality</strong> <font color=red>*</font></td>
7515     + <td><input type=text name=locality value="<?php echo htvar($locality)?>" maxlength=60 size=30></td>
7516     + </tr>
7517     +
7518     + <tr>
7519     + <td><strong>State/Province</strong> <font color=red>*</font></td>
7520     + <td><input type=text name=province value="<?php echo htvar($province)?>" maxlength=60 size=20></td>
7521     + </tr>
7522     +
7523     + <tr>
7524     + <td><strong>Country Code ISO 3166 - 2 Characters</strong> <font color=red>*</font></td>
7525     + <td><input type=text name=country value="<?php echo htvar($country)?>" maxlength=2 size=2></td>
7526     + </tr>
7527     +
7528     + <tr>
7529     + <td>
7530     + <strong>Password</strong> <font color=red>*</font><br>
7531     + This password will be used to protect your root certificate private
7532     + key.<br/>Can't contain single quote ! <strong><font color=red>Do not lose or forget this password.</font></strong>
7533     + </td>
7534     + <td><input type=password name=passwd value="<?php echo htvar($passwd)?>" size=30>&nbsp;&nbsp; Again <input type=password name=passwdv value="<?php echo htvar($passwdv)?>" size=30></td>
7535     + </tr>
7536     +
7537     + <tr>
7538     + <td>
7539     + <strong>Certificate Life</strong> <font color=red>*</font><br>
7540     + Enter the number of years you wish your root certificate to be valid.
7541     + </td>
7542     + <td><select name=expiry>
7543     +
7544     + <?php
7545     + for ($i = 5; $i <= 15; $i+=5) {
7546     + print "<option value=$i " . ($expiry == $i ? "selected='selected'" : "") . " >$i Years</option>\n" ;
7547     + }
7548     + ?>
7549     +
7550     + </select></td>
7551     + </tr>
7552     +
7553     + <tr>
7554     + <td>
7555     + <strong>Key Size</strong> <font color=red>*</font><br>
7556     + Enter the size of your certificate key. Recommend 2048+
7557     + </td>
7558     + <td><select name=keysize>
7559     +
7560     + <?php
7561     + for ($i = 1024; $i <= 4096; $i+=512) {
7562     + print "<option value=$i " . ($keysize == $i ? "selected='selected'" : "") . ">$i bits</option>\n" ;
7563     + }
7564     + ?>
7565     +
7566     + </select></td>
7567     + </tr>
7568     +
7569     + <tr>
7570     + <td>
7571     + <strong>Certificate Authority Base URL</strong><br>
7572     + Enter the public Web address where your Certificate Authority will
7573     + reside. The address should end with a trailing slash (/) character.
7574     + This address will be embeded in all certficates issued
7575     + by your CA, for informational purposes.
7576     + </td>
7577     + <td>
7578     + <input type=text name=base_url value="<?php echo htvar($base_url)?>" size=50>
7579     + </td>
7580     + </tr>
7581     +
7582     + <tr>
7583     + <td>
7584     + <strong>Certificate Authority CRL Distribution Points</strong><br>
7585     + Provide the public URL where Certificate Revocation List (CRL) of
7586     + your CA will reside. This path is relative to Base URL above.
7587     + You may leave it by default if your clients have direct access to PHPki.
7588     + </td>
7589     + <td>
7590     + <input type=text name=crl_distrib value="<?php echo htvar($crl_distrib)?>" size=50>
7591     + </td>
7592     + </tr>
7593     +
7594     + <tr>
7595     + <td>
7596     + <strong>Certificate Authority Revocation Check URL</strong><br>
7597     + Provide the public URL where clients of your CA can check if the requested
7598     + certificate has been revoked. This path is relative to Base URL above.
7599     + You may leave it by default if your clients have direct access to PHPki.
7600     + </td>
7601     + <td>
7602     + <input type=text name=revoke_url value="<?php echo htvar($revoke_url)?>" size=50>
7603     + </td>
7604     + </tr>
7605     +
7606     + <tr>
7607     + <td>
7608     + <strong>Certificate Authority Policy URL</strong><br>
7609     + Provide the public URL where your CA policy will reside.
7610     + This path is relative to Base URL above.
7611     + You may leave it by default or adjust to your environment.
7612     + </td>
7613     + <td>
7614     + <input type=text name=policy_url value="<?php echo htvar($policy_url)?>" size=50>
7615     + </td>
7616     + </tr>
7617     +
7618     + <tr>
7619     + <td>
7620     + <strong>Root Certificate Comment</strong><br>
7621     + Root certificate Comment attribute. You may change it to something
7622     + or use the default value set by PHPki.
7623     + </td>
7624     + <td>
7625     + <input type=text name=comment_root value="<?php echo htvar($comment_root)?>" size=50>
7626     + </td>
7627     + </tr>
7628     +
7629     + <tr>
7630     + <td>
7631     + <strong>Email Certificate Comment</strong><br>
7632     + Email certificate Comment attribute. You may change it to something
7633     + or use the default value set by PHPki.
7634     + </td>
7635     + <td>
7636     + <input type=text name=comment_email value="<?php echo htvar($comment_email)?>" size=50>
7637     + </td>
7638     + </tr>
7639     +
7640     + <tr>
7641     + <td>
7642     + <strong>Email/Signing Certificate Comment</strong><br>
7643     + Email and signing certificate Comment attribute. You may change it
7644     + to something or use the default value set by PHPki.
7645     + </td>
7646     + <td>
7647     + <input type=text name=comment_sign value="<?php echo htvar($comment_sign)?>" size=50>
7648     + </td>
7649     + </tr>
7650     +
7651     + <tr>
7652     + <td>
7653     + <strong>SSL Server Certificate Comment</strong><br>
7654     + SSL server certificate Comment attribute. You may change it to something
7655     + or use the default value set by PHPki.
7656     + </td>
7657     + <td>
7658     + <input type=text name=comment_srv value="<?php echo htvar($comment_srv)?>" size=50>
7659     + </td>
7660     + </tr>
7661     +
7662     + <tr>
7663     + <td>
7664     + <strong>Time Stamping Certificate Comment</strong><br>
7665     + Time stamping certificate Comment attribute. You may change it
7666     + to something or use the default value set by PHPki.
7667     + </td>
7668     + <td>
7669     + <input type=text name=comment_stamp value="<?php echo htvar($comment_stamp)?>" size=50>
7670     + </td>
7671     + </tr>
7672     +
7673     + </table>
7674     +
7675     + <p>
7676     + <table width=99%>
7677     + <tr>
7678     + <th colspan=2><h3>Configuration Options</h3></th>
7679     + </tr>
7680     +
7681     + <tr>
7682     + <td width=35%>
7683     + <strong>Storage Directory <font color=red>*</font></strong><br>
7684     + Enter the location where PHPki will store its files. This should be a directory where
7685     + the web server has full read/write access (chown <?php echo $uname?> ; chmod 700), and is preferably
7686     + outside of DOCUMENT_ROOT (<?php echo $_SERVER['DOCUMENT_ROOT']?>). You may have to manually create the directory before completing this form.
7687     + </td>
7688     + <td>
7689     + <input type=text name=store_dir value="<?php echo htvar($store_dir)?>" size=35>
7690     + </td>
7691     + </tr>
7692     +
7693     + <tr>
7694     + <td width=35%>
7695     + <strong>Location of OpenSSL Executable <font color=red>*</font></strong><br>
7696     + Enter the location of your OpenSSL binary. The default is usually ok.
7697     + </td>
7698     + <td>
7699     + <input type=text name=openssl_bin value="<?php echo htvar($openssl_bin)?>" size=35>
7700     + </td>
7701     + </tr>
7702     +
7703     + <tr>
7704     + <td width=35%>
7705     + <strong>Location of HTTP password file <font color=red>*</font></strong><br>
7706     + Enter the location of your PHPki user password file. The default is usually ok.
7707     + </td>
7708     + <td>
7709     + <input type=text name=passwd_file value="<?php echo htvar($passwd_file)?>" size=35>
7710     + </td>
7711     + </tr>
7712     +
7713     + <tr>
7714     + <td>
7715     + <strong>File Upload Prefix</strong><br>
7716     + This is an optional prefix which will be added to root certificate
7717     + and certificate revocation list file uploads. Normally the root
7718     + certificate is uploaded as caroot.crt. With a prefix like
7719     + <cite style="white-space: nowrap">"acme_"</cite>, the root certificate would be uploaded as
7720     + <cite>"acme_caroot.crt"</cite>.
7721     + </td>
7722     + <td>
7723     + <input type=text name=ca_prefix value="<?php echo htvar($ca_prefix)?>" maxlength=10 size=10>
7724     + </td>
7725     + </tr>
7726     +
7727     + <tr>
7728     + <td>
7729     + <strong>Page Header Title</strong><br>
7730     + This title will be displayed superimposed over the PHPki logo at the
7731     + top of every page.
7732     + </td>
7733     + <td>
7734     + <input type=text name=header_title value="<?php echo htvar($header_title)?>" maxlength=40 size=40>
7735     + </td>
7736     + </tr>
7737     +
7738     + <tr>
7739     + <td>
7740     + <strong>Help Document Contact Info</strong><br>
7741     + This text will be inserted into the online help document
7742     + under the "Getting Additional Help" section. Include full
7743     + contact info for the convenience of your users. Use HTML
7744     + tags to improve presentation.
7745     + </td>
7746     + <td>
7747     + <textarea name=getting_help cols=50 rows=15><?php echo htvar($getting_help)?></textarea>
7748     + </td>
7749     + </tr>
7750     + </table>
7751     + <font color=red>* Required field</font>
7752     +
7753     + <p>
7754     + <center><input type=submit name=submit value=Submit></center></td>
7755     + <input type=hidden name=stage value='validate'>
7756     + </form>
7757     +
7758     + <?php
7759     + printFooter();
7760     + break;
7761     }
7762    
7763     -function create_ca_cnf($email, $expiry) {
7764     +function create_ca_cnf($email, $expiry)
7765     +{
7766     }
7767     ?>

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed