diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/createlinks smeserver-phpki-ng-0.3/createlinks |
2 |
|
|
--- smeserver-phpki-ng-0.3.old/createlinks 2022-12-13 23:47:43.623000000 -0500 |
3 |
|
|
+++ smeserver-phpki-ng-0.3/createlinks 2022-12-14 02:19:37.953000000 -0500 |
4 |
|
|
@@ -20,9 +20,9 @@ |
5 |
|
|
event_link("phpki-fixtakey", qw(bootstrap-console-save post-upgrade), "50"); |
6 |
|
|
event_link("phpki-fixownership", qw(bootstrap-console-save post-upgrade), "02"); |
7 |
|
|
templates2events("/etc/httpd/pki-conf/httpd.conf", qw(bootstrap-console-save conf-userpanel domain-modify)); |
8 |
|
|
-safe_symlink("sigusr1", "root/etc/e-smith/events/conf-userpanel/services2adjust/httpd-pki"); |
9 |
|
|
-safe_symlink("sigusr1", "root/etc/e-smith/events/domain-modify/services2adjust/httpd-pki"); |
10 |
|
|
-safe_symlink("sigusr1", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki"); |
11 |
|
|
+safe_symlink("restart", "root/etc/e-smith/events/conf-userpanel/services2adjust/httpd-pki"); |
12 |
|
|
+safe_symlink("restart", "root/etc/e-smith/events/domain-modify/services2adjust/httpd-pki"); |
13 |
|
|
+safe_symlink("restart", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki"); |
14 |
|
|
|
15 |
|
|
|
16 |
|
|
# our event specific for updating with yum without reboot |
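Review bot: A full `restart` on every log rotation drops in-flight requests to httpd-pki, whereas the replaced `sigusr1` is Apache's graceful restart and reopens the logs without interrupting connections; for `conf-userpanel` and `domain-modify` a hard restart is more defensible than for `logrotate`. If `sigusr1` was dropped because it is not a recognised services2adjust action for this unit, `reload` keeps the graceful behaviour: `safe_symlink("reload", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki");` — assuming the httpd-pki unit defines a reload, which is not visible here.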
17 |
|
|
@@ -35,7 +35,7 @@ |
18 |
|
|
/etc/httpd/conf/httpd.conf |
19 |
|
|
/etc/httpd/pki-conf/httpd.conf |
20 |
|
|
/etc/opt/remi/php73/php-fpm.d/www.conf |
21 |
|
|
- |
22 |
|
|
+ /opt/phpki/html/config.php |
23 |
|
|
)) |
24 |
|
|
{ |
25 |
|
|
templates2events( $file, $event ); |
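Review bot: Registering `/opt/phpki/html/config.php` only in this loop regenerates it on whatever `$event` the loop iterates, yet the `base_url` and `common_name` written into it are derived from the system and domain names, which change on `domain-modify`; the earlier `templates2events` call already expands the PKI httpd.conf on `bootstrap-console-save conf-userpanel domain-modify`, and config.php should follow it, e.g. `templates2events("/opt/phpki/html/config.php", qw(bootstrap-console-save conf-userpanel domain-modify));`. This is hedged on `$event` and the loop header, which sit outside the hunk.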
26 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass |
27 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass 2022-12-13 23:47:43.612000000 -0500 |
28 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass 2022-12-14 11:56:57.739000000 -0500 |
29 |
|
|
@@ -29,7 +29,36 @@ |
30 |
|
|
SSLRequireSSL on |
31 |
|
|
Require ip $localAccess $externalSSLAccess |
32 |
|
|
</Location> |
33 |
|
|
+ # we want Public access to ns_revoke_query.php |
34 |
|
|
+ <Location /phpki/ns_revoke_query.php> |
35 |
|
|
+ Require all granted |
36 |
|
|
+ </Location> |
37 |
|
|
+ # we want Public access to policy |
38 |
|
|
+ <Location /phpki/policy.html> |
39 |
|
|
+ Require all granted |
40 |
|
|
+ </Location> |
41 |
|
|
+ # we want Public access to help |
42 |
|
|
+ <Location /phpki/help> |
43 |
|
|
+ Require all granted |
44 |
|
|
+ </Location> |
45 |
|
|
+ <Location /phpki/help.php> |
46 |
|
|
+ Require all granted |
47 |
|
|
+ </Location> |
48 |
|
|
+ # we want Public access to crl list |
49 |
|
|
+ <Location /phpki/dl_crl.php> |
50 |
|
|
+ Require all granted |
51 |
|
|
+ </Location> |
52 |
|
|
+ # and we redirect old config to our new safer script |
53 |
|
|
+ RewriteEngine On |
54 |
|
|
+ RewriteCond %{QUERY_STRING} stage=dl_crl |
55 |
jpp |
1.4 |
+ RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L] |
56 |
jpp |
1.1 |
|
57 |
|
|
HERE |
58 |
|
|
+ # safely redirect crl request to php script striping all GET requests |
59 |
|
|
+ # but would leave POST |
60 |
|
|
+ #RewriteEngine On |
61 |
|
|
+ #RewriteCond %{REQUEST_URI} ^/?phpki/dl_crl/?\$ |
62 |
|
|
+ #RewriteRule ^ /phpki/index.php?stage=dl_crl [P,NC] |
63 |
|
|
+ |
64 |
|
|
} |
65 |
|
|
} |
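Review bot: The redirect `RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L]` is conditioned only on the query string, so any URL in this virtual host that carries `stage=dl_crl` — including pages of unrelated applications — is sent to the CRL download. Scope it to the PHPki path by adding `RewriteCond %{REQUEST_URI} ^/phpki/` before the query-string condition. The `Require all granted` sections intentionally override the parent location's `Require ip`, which is correct for CRL and revocation-query endpoints that relying parties must reach unauthenticated, but it deserves a comment stating that these are the only paths meant to bypass the IP restriction. The enclosing template block and the heredoc these lines sit in both start outside the hunk.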
66 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki |
67 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki 2022-12-13 23:47:43.627000000 -0500 |
68 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki 2022-12-14 02:24:57.440000000 -0500 |
69 |
|
|
@@ -14,6 +14,8 @@ |
70 |
|
|
SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\" |
71 |
|
|
</FilesMatch>\n"; |
72 |
|
|
} |
73 |
|
|
+ SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 |
74 |
|
|
+ SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1 |
75 |
|
|
AddType application/x-x509-ca-cert .crt .pem |
76 |
|
|
AddType application/pkix-crl .crl |
77 |
|
|
AddType application/pkix-cert .cer .der |
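Review bot: The cookie pattern in `SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1` captures greedily, so whenever auth_tkt is not the last cookie the environment value also contains every cookie that follows it (e.g. `; PHPSESSID=...`), and the leading `.*` lets a cookie whose name merely ends in `auth_tkt` match. Bound the capture at the separator and anchor the name: `SetEnvIfNoCase Cookie "(^|;\s*)auth_tkt=([^;]*)" HTTP_AUTH_TKT=$2`. The `Authorization` line is the usual way to get that header past the FastCGI boundary, but it forwards client-supplied credentials verbatim into the PHP environment, so it is only acceptable while this backend is reachable solely through the front-end proxy. The same two lines are added a second time further down in this file.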
78 |
|
|
@@ -30,10 +32,11 @@ |
79 |
|
|
Require user admin {getUsersList("phpki");} |
80 |
|
|
Require ip 127.0.0.1 |
81 |
|
|
</RequireAll> |
82 |
|
|
- |
83 |
|
|
+ SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 |
84 |
|
|
+ SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1 |
85 |
|
|
{ |
86 |
|
|
my $ManagerTimeout = ${'httpd-admin'}{ManagerTimeout} || "30m"; |
87 |
|
|
- $OUT = " TKTAuthTimeout $ManagerTimeout\n"; |
88 |
|
|
+ $OUT = " TKTAuthTimeout $ManagerTimeout\n"; |
89 |
|
|
my $Cookie = ${'httpd-admin'}{Cookie} || "disabled"; |
90 |
|
|
$OUT .= " TKTAuthCookieExpires $ManagerTimeout\n" if "$Cookie" eq "enabled"; |
91 |
|
|
my $ManagerTimeoutReset = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66"; |
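Review bot: The two `SetEnvIf` lines added after `</RequireAll>` duplicate the pair added at server scope earlier in this same template, so one copy should go; if the intent is for them to apply only inside this access-controlled section, remove the earlier pair instead. Either copy carries the greedy `auth_tkt=(.*);?` capture, which swallows every cookie after auth_tkt; `(^|;\s*)auth_tkt=([^;]*)` with `$2` captures only the ticket value. The `TKTAuthTimeout` change is whitespace only. The section this hunk sits in opens outside the hunk.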
92 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/01config smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/01config |
93 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/01config 1969-12-31 19:00:00.000000000 -0500 |
94 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/01config 2022-12-14 02:15:51.130000000 -0500 |
95 |
|
|
@@ -0,0 +1,38 @@ |
96 |
|
|
+{ |
97 |
|
|
+# use Data::Validate::IP; |
98 |
|
|
+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6); |
99 |
|
|
+ our $KeySize = $modSSL{KeySize} ||'4096'; |
100 |
|
|
+ our $FQDN = "$SystemName.$DomainName"; |
101 |
|
|
+ our $Country = $modSSL{Country} || "--"; |
102 |
|
|
+ our $State = $modSSL{State} || "----"; |
103 |
|
|
+ our $commonName = $modSSL{CommonName} || $FQDN; |
104 |
|
|
+ our $crt = "/home/e-smith/ssl.crt/$FQDN.crt"; |
105 |
|
|
+ our $key = "/home/e-smith/ssl.key/$FQDN.key"; |
106 |
|
|
+ our $defaultCity = $ldap{defaultCity} || '-'; |
107 |
|
|
+ our $defaultCompany = $ldap{defaultCompany} || $commonName ; |
108 |
|
|
+ our $defaultDepartment = $ldap{defaultDepartment} || '-'; |
109 |
|
|
+ our $email = "admin\@$DomainName"; |
110 |
|
|
+ our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`; |
111 |
|
|
+ chomp @subjectAlt; |
112 |
|
|
+ our $subjectAltName = ""; |
113 |
|
|
+ my $i=0; |
114 |
|
|
+ for my $elem (@subjectAlt) { |
115 |
|
|
+ $subjectAltName .= ", " if $i>0; |
116 |
|
|
+ $i++; |
117 |
|
|
+ if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){ |
118 |
|
|
+ $subjectAltName .= "IP:$elem"; |
119 |
|
|
+ next; |
120 |
|
|
+ } |
121 |
|
|
+ $subjectAltName .= "DNS:$elem"; |
122 |
|
|
+ } |
123 |
|
|
+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName; |
124 |
|
|
+ |
125 |
|
|
+ # crop fields that are too long for X509: |
126 |
|
|
+ $Country = substr($Country, 0, 2); |
127 |
|
|
+ $defaultCity = substr($defaultCity, 0, 128); |
128 |
|
|
+ $defaultCompany = substr($defaultCompany, 0, 64); |
129 |
|
|
+ $defaultDepartment = substr($defaultDepartment, 0, 64); |
130 |
|
|
+ $email = substr($email, 0, 64); |
131 |
|
|
+ $commonName = substr($commonName, 0, 64); |
132 |
|
|
+ $OUT=""; |
133 |
|
|
+} |
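Review bot: The values prepared here (`$commonName`, `$defaultCompany`, `$defaultDepartment`, `$defaultCity`, `$State`, `$email`) are interpolated by the sibling fragment into PHP single-quoted literals without escaping, so a `'` or `\` in any of them (an organisation such as O'Brien Ltd) breaks config.php's syntax or lets arbitrary PHP into a file the web server executes; the values come from the configuration database, so this is an integrity and availability problem rather than a remote one, but it should still be closed. After the cropping block add `s/([\\'])/\\$1/g for ($Country, $State, $defaultCity, $defaultCompany, $defaultDepartment, $email, $commonName);` so escaping happens after truncation and a backslash cannot be cut from its quote. `$State` feeds the province field but is the only one of these not cropped; `$State = substr($State, 0, 128);` would match the others. `$KeySize` is computed here but the sibling fragment hard-codes 4096 instead of using it.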
134 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields |
135 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields 1969-12-31 19:00:00.000000000 -0500 |
136 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields 2022-12-14 02:15:51.133000000 -0500 |
137 |
|
|
@@ -0,0 +1,30 @@ |
138 |
|
|
+{ |
139 |
|
|
+ my $phone = ${ldap}{defaultPhoneNumber} || "none"; |
140 |
|
|
+ my $zip = ${ldap}{postalCode} || "H0H 0H0"; |
141 |
|
|
+ my $street = ${ldap}{defaultStreet} || "Address Line #1"; |
142 |
|
|
+ @lines = map { |
143 |
|
|
+ m:\$config\['common_name'\]: && s/.*/\$config['common_name']='$commonName';/; |
144 |
|
|
+ m:\$config\['unit'\]: && s/.*/\$config['unit']='$defaultDepartment';/; |
145 |
|
|
+ m:\$config\['keysize'\]: && s/.*/\$config['keysize']='4096';/; |
146 |
|
|
+ m:\$config\['country'\]: && s/.*/\$config['country']='$Country';/; |
147 |
|
|
+ m:\$config\['province'\]: && s/.*/\$config['province']='$State';/; |
148 |
|
|
+ m:\$config\['locality'\]: && s/.*/\$config['locality']='$defaultCity';/; |
149 |
|
|
+ m:\$config\['organization'\]: && s/.*/\$config['organization']='$defaultCompany';/; |
150 |
|
|
+ m:\$config\['contact'\]: && s/.*/\$config['contact']='$email';/; |
151 |
|
|
+ m:\$config\['base_url'\]: && s/.*/\$config['base_url']='https:\/\/$commonName\/phpki\/';/; |
152 |
|
|
+ s/(^|\n)[\n\s]*/$1/g;; |
153 |
|
|
+ $_ |
154 |
|
|
+ } @lines; |
155 |
|
|
+ push @lines, "\$config['common_name']='$commonName';" unless grep( /\$config\['common_name'\]/ ,@lines); |
156 |
|
|
+ push @lines, "\$config['unit']='$defaultDepartment';" unless grep( /\$config\['unit'\]/ ,@lines); |
157 |
|
|
+ push @lines, "\$config['keysize']='4096';" unless grep( /\$config\['keysize'\]/ ,@lines); |
158 |
|
|
+ push @lines, "\$config['country']='$Country';" unless grep( /\$config\['country'\]/ ,@lines); |
159 |
|
|
+ push @lines, "\$config['province']='$State';" unless grep( /\$config\['province'\]/ ,@lines); |
160 |
|
|
+ push @lines, "\$config['locality']='$defaultCity';" unless grep( /\$config\['locality'\]/ ,@lines); |
161 |
|
|
+ push @lines, "\$config['organization']='$defaultCompany';" unless grep( /\$config\['organization'\]/ ,@lines); |
162 |
|
|
+ push @lines, "\$config['contact']='$email';" unless grep( /\$config\['contact'\]/ ,@lines); |
163 |
|
|
+ push @lines, "\$config['base_url']='https://$commonName/phpki/';" unless grep( /\$config\['base_url'\]/ ,@lines); |
164 |
|
|
+ # we do not update the following as it will mess up the file. |
165 |
|
|
+ push @lines, "\$config[\'getting_help\']=\'<b>Contact:</b><br>\nFirst-Name Last-Name<br>\n$defaultCompany/$defaultDepartment<br>\n$street<br>\n$defaultCity, $State, $zip<br>\n<br>\nPhone: $phone<br>\nE-mail: <a href=mailto:$email>$email</a> <i><b>E-mail is preferred.</b></i><br>\';" unless grep( /\$config\['getting_help'\]/ ,@lines); |
166 |
|
|
+ ""; |
167 |
|
|
+} |
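Review bot: The key size is hard-coded in `s/.*/\$config['keysize']='4096';/` and in the matching `push`, although the sibling fragment already derives `$KeySize` from `$modSSL{KeySize}` with a 4096 fallback; use `\$config['keysize']='$KeySize';` in both places so an administrator's setting is honoured. The interpolated values — `$street`, `$zip` and `$phone` read from the ldap record here, plus `$State` and the others from the sibling fragment — land inside PHP single-quoted strings unescaped, so any `'` or `\` in them corrupts config.php; escape them with `s/([\\'])/\\$1/g` before the lines are built. The `s/.*/...;/` rewrites also discard anything else on a matching line, such as a trailing comment, which is probably acceptable but should be stated: `# the whole line is replaced; inline comments on these settings are not preserved`.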
168 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile |
169 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile 1969-12-31 19:00:00.000000000 -0500 |
170 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile 2022-12-14 02:15:51.135000000 -0500 |
171 |
|
|
@@ -0,0 +1,8 @@ |
172 |
|
|
+{ |
173 |
|
|
+ $OUT .= ""; |
174 |
|
|
+ foreach my $line (@lines) |
175 |
|
|
+ { |
176 |
|
|
+ $OUT .= "$line\n"; |
177 |
|
|
+ } |
178 |
|
|
+ $OUT .= "?>"; |
179 |
|
|
+} |
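Review bot: Emitting a closing `?>` as the last token of config.php is discouraged for files that contain only PHP: anything that ends up after it (a stray newline from a later fragment or the expansion) is sent to the client when the file is included, and `template-begin` already has to special-case lines starting with `?` when it reads the file back. Dropping `$OUT .= "?>";` removes both issues; if it is kept to match the shipped file's layout, say so, `# closing tag kept to match the shipped config.php; template-begin skips it on re-read`. `$OUT .= "";` on the first line is a no-op and can go.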
180 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin |
181 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin 1969-12-31 19:00:00.000000000 -0500 |
182 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin 2022-12-14 02:15:51.137000000 -0500 |
183 |
|
|
@@ -0,0 +1,17 @@ |
184 |
|
|
+{ |
185 |
|
|
+ # vim: ft=perl: |
186 |
|
|
+ %lines = (); |
187 |
|
|
+ @lines = (); |
188 |
|
|
+ open (RD, "</opt/phpki/html/config.php") |
189 |
|
|
+ || warn "Cannot open input file /opt/phpki/html/config.php: $!\n"; |
190 |
|
|
+ while (<RD>) |
191 |
|
|
+ { |
192 |
jpp |
1.3 |
+ chomp; |
193 |
jpp |
1.1 |
+ next if grep { /^$/ } $_ ; |
194 |
jpp |
1.3 |
+ next if grep { /^\?/ } $_; |
195 |
jpp |
1.1 |
+ push @lines, $_; |
196 |
|
|
+ $lines{$_} = 1; |
197 |
|
|
+ } |
198 |
|
|
+ close(RD); |
199 |
|
|
+ ""; |
200 |
|
|
+} |
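Review bot: If `/opt/phpki/html/config.php` cannot be opened, the `|| warn` path leaves `@lines` empty and expansion continues, so the later fragments write a config.php made only of `$config[...]` assignments with no `<?php` opening tag; the file sits under the web root, so that output would be served or echoed as text instead of executed. Guard it after the read loop with `push @lines, '<?php' unless grep { /^<\?php/ } @lines;`, or `die` instead of `warn` so the expansion fails loudly. Prefer a lexical handle and three-argument open, `open(my $rd, '<', '/opt/phpki/html/config.php') or warn ...`, over the bareword `RD`. `%lines` is filled here but not consulted by any other fragment in this patch.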
201 |
jpp |
1.2 |
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass |
202 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass 2022-12-17 01:56:20.627000000 -0500 |
203 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass 2022-12-17 02:07:46.903000000 -0500 |
204 |
|
|
@@ -48,10 +48,15 @@ |
205 |
|
|
<Location /phpki/dl_crl.php> |
206 |
|
|
Require all granted |
207 |
|
|
</Location> |
208 |
|
|
+ <Location /phpki/dl_crl_pem.php> |
209 |
|
|
+ Require all granted |
210 |
|
|
+ </Location> |
211 |
|
|
# and we redirect old config to our new safer script |
212 |
|
|
RewriteEngine On |
213 |
|
|
- RewriteCond %{QUERY_STRING} stage=dl_crl |
214 |
|
|
+ RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$) |
215 |
jpp |
1.4 |
RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L] |
216 |
jpp |
1.2 |
+ RewriteCond %{QUERY_STRING} stage=dl_crl_pem(&|\$) |
217 |
jpp |
1.4 |
+ RewriteRule ^ /phpki/dl_crl_pem.php [QSD,R=302,L] |
218 |
jpp |
1.2 |
|
219 |
|
|
HERE |
220 |
|
|
# safely redirect crl request to php script striping all GET requests |
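Review bot: Anchoring only the end of the parameter still lets query strings such as `notstage=dl_crl` or `xstage=dl_crl_pem` trigger the redirect, because nothing bounds the start of `stage`; use `RewriteCond %{QUERY_STRING} (^|&)stage=dl_crl(&|\$)` and `RewriteCond %{QUERY_STRING} (^|&)stage=dl_crl_pem(&|\$)`. Both rules are also unconditioned on the request path, so any URL in this virtual host with that query string is redirected; a preceding `RewriteCond %{REQUEST_URI} ^/phpki/` confines them to PHPki. Opening `dl_crl_pem.php` to all is consistent with `dl_crl.php`, as a CRL distribution point must be reachable without authentication.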
221 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile |
222 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile 2022-12-17 01:56:20.628000000 -0500 |
223 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile 2022-12-17 02:09:54.412000000 -0500 |
224 |
|
|
@@ -2,6 +2,10 @@ |
225 |
|
|
$OUT .= ""; |
226 |
|
|
foreach my $line (@lines) |
227 |
|
|
{ |
228 |
|
|
+ chomp $line; |
229 |
|
|
+ next if grep { /^$/ } $line ; |
230 |
|
|
+ push @lines, $_; |
231 |
|
|
+ |
232 |
|
|
$OUT .= "$line\n"; |
233 |
|
|
} |
234 |
|
|
$OUT .= "?>"; |
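Review bot: `push @lines, $_;` inside `foreach my $line (@lines)` appends to the array being iterated, which perlsyn documents as undefined for foreach, and it pushes `$_` rather than `$line` — whatever `$_` holds at expansion time; if that is a non-blank string the loop never terminates, and if it is empty the loop merely visits and skips one extra element per line. The line looks like a leftover from the read loop in template-begin and should be removed; the `chomp` and blank-line skip can stay, although template-begin already drops blank lines and the metadata FILTER drops them again. The enclosing block opens outside the hunk.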
235 |
|
|
diff -Nur --no-dereference smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php smeserver-phpki-ng-0.3/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php |
236 |
|
|
--- smeserver-phpki-ng-0.3.old/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php 1969-12-31 19:00:00.000000000 -0500 |
237 |
|
|
+++ smeserver-phpki-ng-0.3/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php 2022-12-17 02:08:38.149000000 -0500 |
238 |
|
|
@@ -0,0 +1 @@ |
239 |
|
|
+FILTER=sub { $_[0] =~ /^\s*$/ ? '' : $_[0] } |