cacert-webdb/scripts/servercerts.php

250 lines
9.6 KiB
PHP
Raw Normal View History

2004-10-16 00:28:17 +00:00
#!/usr/bin/php -q
<? /*
Copyright (C) 2004 by Duane Groth <duane_at_CAcert_dot_org>
This file is part of CAcert.
CAcert has been released under a CAcert Source License
which can be found included with these source files or can
be downloaded from the internet from the following address:
http://www.cacert.org/src-lic.php
CAcert is distributed WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the License for more details.
*/
2006-08-03 13:20:55 +00:00
$lck = fopen('/tmp/SslLock', 'w');
while(flock($lck, LOCK_EX) < 0)
sleep(rand(100000,200000));
2005-11-08 10:06:04 +00:00
2004-10-16 00:28:17 +00:00
$monarr = array("Jan" => 1, "Feb" => 2, "Mar" => 3, "Apr" => 4, "May" => 5, "Jun" => 6,
"Jul" => 7, "Aug" => 8, "Sep" => 9, "Oct" => 10, "Nov" => 11, "Dec" => 12);
include_once("../includes/mysql.php");
$query = "select * from `domaincerts` where `crt_name`=''";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
$query = "select * from `domains`,`users` where `domains`.`id`='".$row['domid']."' and
`users`.`id`=`domains`.`memid`";
$user = mysql_fetch_assoc(mysql_query($query));
2004-10-16 15:32:35 +00:00
if($user['language'] != "")
{
$userlang = $user['language'];
putenv("LANG=".$_SESSION['_config']['translations'][$userlang]);
setlocale(LC_ALL, $_SESSION['_config']['translations'][$userlang]);
} else {
putenv("LANG=en_AU");
setlocale(LC_ALL, "en_AU");
}
2004-10-16 00:28:17 +00:00
$days = 180;
if(intval($user['memid']) > 0)
{
$drow = mysql_fetch_assoc(mysql_query("select sum(`points`) as `total` from `notary`
where `to`='".$user['memid']."' group by `to`"));
if($drow['total'] >= 50)
$days = 730;
}
2004-10-29 01:02:13 +00:00
$row['crt_name'] = "../crt/server-".$row['id'].".crt";
2005-03-12 19:40:24 +00:00
$row['csr_name'] = "../..".$row['csr_name'];
2005-05-13 15:34:39 +00:00
$tmpname = tempnam("/tmp", "servercert");
2006-08-14 16:52:24 +00:00
// MAKE SURE ALL VARIABLES ARE RESET HERE!!!
$SAN = $newsubject = "";
2005-05-13 15:34:39 +00:00
$fp = fopen($tmpname, "w");
fputs($fp, "basicConstraints = critical, CA:FALSE\n");
fputs($fp, "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n");
fputs($fp, "keyUsage = digitalSignature, keyEncipherment\n");
2005-05-23 01:53:59 +00:00
fputs($fp, "authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org\n");
2005-05-13 15:34:39 +00:00
$bits = explode("/", $row['subject']);
foreach($bits as $val)
{
$bit = explode("=", $val);
if($bit['0'] == "subjectAltName")
{
if($SAN != "")
2006-02-03 18:45:23 +00:00
$SAN .= ",";
2005-05-13 15:34:39 +00:00
$SAN .= trim($bit['1']);
} else {
$newsubject .= "/".$val;
}
}
if($SAN != "")
fputs($fp, "subjectAltName = $SAN\n");
fclose($fp);
$newsubject = str_replace("//", "/", $newsubject);
2005-11-08 10:06:04 +00:00
if($row['rootcert'] == 2)
$opensslcnf = "/etc/ssl/class3-server.cnf";
else
$opensslcnf = "/etc/ssl/openssl-server.cnf";
$do = `echo "/usr/bin/openssl ca -md $row[md] -config $opensslcnf -in $row[csr_name] -out $row[crt_name] -days $days -key test -batch -subj '$newsubject' -extfile '$tmpname'" >> /tmp/openssl.tmp`;
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -in $row[csr_name] -out $row[crt_name] -days $days -key test -batch -subj '$newsubject' -extfile '$tmpname' 2>&1`;
2006-02-03 18:45:23 +00:00
// unlink($tmpname);
2004-10-16 00:28:17 +00:00
$dom = mysql_fetch_assoc(mysql_query("select * from `domains` where `id`='$row[domid]'"));
$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$dom[memid]'"));
2005-05-13 15:34:39 +00:00
if(filesize($row['crt_name']) > 0 && intval($user['id']) > 0)
2004-10-16 00:28:17 +00:00
{
2005-05-13 15:34:39 +00:00
$end = trim(`/usr/bin/openssl x509 -in '$row[crt_name]' -noout -enddate`);
2004-10-16 00:28:17 +00:00
$bits = explode("=", $end, 2);
$end = trim($bits[1]);
while(strstr($end, " "))
$end = str_replace(" ", " ", $end);
$bits = explode(" ", $end);
$month = $bits['0'];
$month = $monarr[$month];
$day = $bits['1'];
$time = $bits['2'];
$year = $bits['3'];
$bits = explode(":", $time);
$hour = $bits['0'];
$min = $bits['1'];
$sec = $bits['2'];
$date = gmmktime($hour, $min, $sec, $month, $day, $year);
$cert = trim(`/usr/bin/openssl x509 -in $row[crt_name]`);
2005-05-13 15:34:39 +00:00
$bits = explode("=", trim(`/usr/bin/openssl x509 -serial -noout -in '$row[crt_name]'`), 2);
2004-10-16 00:28:17 +00:00
$serial = $bits['1'];
$query = "update `domaincerts` set `crt_name`='".$row['crt_name']."',
`modified`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`serial`='$serial', `expire`=FROM_UNIXTIME($date) where `id`='".$row['id']."'";
mysql_query($query);
$body = _("Hi")." ".$user['fname'].",\n\n";
$body .= sprintf(_("Below you will find your certificate for %s.")."\n\n", $row['CN']);
$body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n".$cert;
2005-05-23 01:53:59 +00:00
sendmail($user['email'], "[CAcert.org] "._("Server Certificate"), $body, "support@cacert.org", "", "", "CAcert Support");
2004-10-24 00:10:26 +00:00
} else {
$query = "delete from `domaincerts` where `id`='".$row['id']."'";
mysql_query($query);
2004-10-16 00:28:17 +00:00
}
}
$query = "select * from `domaincerts` where `revoked`='1970-01-01 10:00:01'";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
2005-11-08 10:06:04 +00:00
if($row['rootcert'] == 2)
$opensslcnf = "/etc/ssl/class3-server.cnf";
else
$opensslcnf = "/etc/ssl/openssl-server.cnf";
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -key test -batch -revoke $row[crt_name] > /dev/null 2>&1`;
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -key test -batch -gencrl -crldays 7 -crlexts crl_ext -out /tmp/cacert-revoke.crl > /dev/null 2>&1`;
2004-10-16 00:28:17 +00:00
$do = `/usr/bin/openssl crl -in /tmp/cacert-revoke.crl -outform DER -out ../www/revoke.crl > /dev/null 2>&1`;
$dom = mysql_fetch_assoc(mysql_query("select * from `domains` where `id`='".$row['domid']."'"));
$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$dom['memid']."'"));
2004-10-16 15:32:35 +00:00
if($user['language'] != "")
{
$userlang = $user['language'];
putenv("LANG=".$_SESSION['_config']['translations'][$userlang]);
setlocale(LC_ALL, $_SESSION['_config']['translations'][$userlang]);
} else {
putenv("LANG=en_AU");
setlocale(LC_ALL, "en_AU");
}
2004-10-16 00:28:17 +00:00
mysql_query("update `domaincerts` set `revoked`=FROM_UNIXTIME(UNIX_TIMESTAMP()) where `id`='".$row['id']."'");
$body = _("Hi")." ".$user['fname'].",\n\n";
$body .= sprintf(_("Your certificate for %s has been revoked, as per request.")."\n\n", $row['CN']);
$body .= _("Best regards")."\n"._("CAcert.org Support!");
2005-05-23 01:53:59 +00:00
sendmail($user['email'], "[CAcert.org] ".sprintf(_("Certificate for %s has been revoked"), $row['CN']), $body, "support@cacert.org", "", "", "CAcert Support");
2004-10-16 00:28:17 +00:00
}
$query = "select * from `orgdomaincerts` where `crt_name`=''";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
2004-10-29 01:02:13 +00:00
$row['crt_name'] = "../crt/orgserver-".$row['id'].".crt";
2004-10-16 00:28:17 +00:00
$days = 730;
2005-05-13 15:34:39 +00:00
$row['csr_name'] = "../../".$row['csr_name'];
$tmpname = tempnam("/tmp", "serverorgcert");
$newsubject = "";
$fp = fopen($tmpname, "w");
fputs($fp, "basicConstraints = critical, CA:FALSE\n");
fputs($fp, "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n");
fputs($fp, "keyUsage = digitalSignature, keyEncipherment\n");
2005-05-23 01:53:59 +00:00
fputs($fp, "authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org\n");
2005-05-13 15:34:39 +00:00
$bits = explode("/", $row['subject']);
foreach($bits as $val)
{
$bit = explode("=", $val);
if($bit['0'] == "subjectAltName")
{
if($SAN != "")
$SAN .= ", ";
$SAN .= trim($bit['1']);
2006-02-03 18:45:23 +00:00
} else if($bit['0'] != "") {
$newsubject .= "/$val";
2005-05-13 15:34:39 +00:00
}
}
if($SAN != "")
fputs($fp, "subjectAltName = $SAN\n");
fclose($fp);
$newsubject = str_replace("//", "/", $newsubject);
2005-11-08 10:06:04 +00:00
if($row['rootcert'] == 2)
2006-02-03 18:45:23 +00:00
$opensslcnf = "/etc/ssl/class3-server-org.cnf";
2005-11-08 10:06:04 +00:00
else
2006-02-03 18:45:23 +00:00
$opensslcnf = "/etc/ssl/openssl-server-org.cnf";
2005-11-08 10:06:04 +00:00
$do = `echo "/usr/bin/openssl ca -md $row[md] -config $opensslcnf -in $row[csr_name] -out $row[crt_name] -days $days -key test -batch -subj '$newsubject' -extfile '$tmpname'" >> /tmp/openssl.tmp`;
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -in $row[csr_name] -out $row[crt_name] -days $days -key test -batch -subj '$newsubject' -extfile '$tmpname' > /dev/null 2>&1`;
2006-02-03 18:45:23 +00:00
// unlink($tmpname);
2005-05-13 15:34:39 +00:00
if(filesize($row['crt_name']) > 0)
2004-10-16 00:28:17 +00:00
{
$end = trim(`/usr/bin/openssl x509 -in $row[crt_name] -noout -enddate`);
$bits = explode("=", $end, 2);
$end = trim($bits[1]);
while(strstr($end, " "))
$end = str_replace(" ", " ", $end);
$bits = explode(" ", $end);
$month = $bits[0];
$month = $monarr[$month];
$day = $bits[1];
$time = $bits[2];
$year = $bits[3];
$bits = explode(":", $time);
$hour = $bits[0];
$min = $bits[1];
$sec = $bits[2];
$date = gmmktime($hour, $min, $sec, $month, $day, $year);
$cert = trim(`/usr/bin/openssl x509 -in $row[crt_name]`);
$bits = explode("=", trim(`/usr/bin/openssl x509 -serial -noout -in $row[crt_name]`), 2);
$serial = $bits[1];
$query = "update `orgdomaincerts` set `crt_name`='$row[crt_name]', `modified`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
2004-10-24 00:10:26 +00:00
`serial`='$serial', `expire`=FROM_UNIXTIME($date) where `id`='".$row['id']."'";
mysql_query($query);
} else {
$query = "delete from `orgdomaincerts` where `id`='".$row['id']."'";
2004-10-16 00:28:17 +00:00
mysql_query($query);
}
}
$query = "select * from `orgdomaincerts` where `revoked`='1970-01-01 10:00:01'";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
2005-11-08 10:06:04 +00:00
if($row['rootcert'] == 2)
2006-02-03 18:45:23 +00:00
$opensslcnf = "/etc/ssl/class3-server-org.cnf";
2005-11-08 10:06:04 +00:00
else
2006-02-03 18:45:23 +00:00
$opensslcnf = "/etc/ssl/openssl-server-org.cnf";
2005-11-08 10:06:04 +00:00
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -key test -batch -revoke $row[crt_name] > /dev/null 2>&1`;
$do = `/usr/bin/openssl ca -md $row[md] -config $opensslcnf -key test -batch -gencrl -crldays 7 -crlexts crl_ext -out /tmp/cacert-revoke.crl > /dev/null 2>&1`;
2004-10-16 00:28:17 +00:00
$do = `/usr/bin/openssl crl -in /tmp/cacert-revoke.crl -outform DER -out ../www/revoke.crl > /dev/null 2>&1`;
mysql_query("update `orgdomaincerts` set `revoked`=FROM_UNIXTIME(UNIX_TIMESTAMP()) where `id`='$row[id]'");
}
2006-08-03 13:20:55 +00:00
flock($lck, LOCK_UN);
fclose($lck);
2004-10-16 00:28:17 +00:00
?>