Fix for https://bugs.cacert.org/view.php?id=440

"Problem with subjectAltName"

includes/account.php

@@ -22,6 +22,57 @@
 
 	loadem("account");
 
+/**
+ * Build a subject string as needed by the signer
+ *
+ * @param array(string) $domains
+ *     First domain is used as CN and repeated in subjectAltName. Duplicates
+ *     should already been removed
+ *
+ * @param bool $include_xmpp_addr
+ *     [default: true] Whether to include the XmppAddr in the subjectAltName.
+ *     This is needed if the Jabber server is jabber.example.com but a Jabber ID
+ *     on that server would be alice@example.com
+ *
+ * @return string
+ */
+function buildSubject(array $domains, $include_xmpp_addr = true) {
+	$subject = "/CN=${domains[0]}";
+
+	foreach ($domains as $domain) {
+		$subject .= "/subjectAltName=DNS:$domain";
+
+		if ($include_xmpp_addr) {
+			$subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$domain";
+		}
+	}
+
+	return $subject;
+}
+
+/**
+ * Builds the subject string from the session variables
+ * $_SESSION['_config']['rows'] and $_SESSION['_config']['altrows']
+ *
+ * @return string
+ */
+function buildSubjectFromSession() {
+	$domains = array();
+
+	if (is_array($_SESSION['_config']['rows'])) {
+		$domains = array_merge($domains, $_SESSION['_config']['rows']);
+	}
+
+	if (is_array($_SESSION['_config']['altrows']))
+		foreach ($_SESSION['_config']['altrows'] as $row) {
+			if (substr($row, 0, 4) === "DNS:") {
+				$domains[] = substr($row, 4);
+			}
+		}
+
+	return buildSubject(array_unique($domains));
+}
+
 	$id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0;
 	$oldid = array_key_exists("oldid",$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
 	$process = array_key_exists("process",$_REQUEST) ? $_REQUEST['process'] : "";
@@ -741,35 +792,8 @@
 			exit;
 		}
 
-		$subject = "";
-		$count = 0;
-		$supressSAN=0;
-		if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+		$subject = buildSubjectFromSession();
 
-		if(is_array($_SESSION['_config']['rows']))
-			foreach($_SESSION['_config']['rows'] as $row)
-			{
-				$count++;
-				if($count <= 1)
-				{
-					$subject .= "/CN=$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				} else {
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				}
-			}
-		if(is_array($_SESSION['_config']['altrows']))
-			foreach($_SESSION['_config']['altrows'] as $row)
-			{
-				if(substr($row, 0, 4) == "DNS:")
-				{
-					$row = substr($row, 4);
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				}
-			}
 		if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 			$_SESSION['_config']['rootcert'] = 1;
 
@@ -795,7 +819,6 @@
 			echo _("Domain not verified.");
 			showfooter();
 			exit;
-
 		}
 
 		mysql_query($query);
@@ -894,29 +917,7 @@
 					continue;
 				}
 
-				$subject = "";
-				$count = 0;
-				if(is_array($_SESSION['_config']['rows']))
-					foreach($_SESSION['_config']['rows'] as $row)
-					{
-						$count++;
-						if($count <= 1)
-						{
-							$subject .= "/CN=$row";
-							if(!strstr($subject, "=$row/") &&
-								substr($subject, -strlen("=$row")) != "=$row")
-								$subject .= "/subjectAltName=$row";
-						} else {
-							if(!strstr($subject, "=$row/") &&
-								substr($subject, -strlen("=$row")) != "=$row")
-								$subject .= "/subjectAltName=$row";
-						}
-					}
-				if(is_array($_SESSION['_config']['altrows']))
-					foreach($_SESSION['_config']['altrows'] as $row)
-						if(!strstr($subject, "=$row/") &&
-							substr($subject, -strlen("=$row")) != "=$row")
-							$subject .= "/subjectAltName=$row";
+				$subject = buildSubjectFromSession();
 				$subject = mysql_real_escape_string($subject);
 				mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
 
@@ -938,6 +939,7 @@
 		{
 			echo _("You did not select any certificates for renewal.");
 		}
+
 		showfooter();
 		exit;
 	}
@@ -1445,7 +1447,6 @@
 
 	if($oldid == 16 && $process != "")
 	{
-
 		if(array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] && $_SESSION['profile']['codesign'] && ($_SESSION['profile']['points'] >= 100))
 		{
 			$_REQUEST['codesign'] = 1;
@@ -1948,20 +1949,7 @@
 		//if($org['contact'])
 		//	$csrsubject .= "/emailAddress=".trim($org['contact']);
 
-		if(is_array($_SESSION['_config']['rows']))
-			foreach($_SESSION['_config']['rows'] as $row)
-				$csrsubject .= "/commonName=$row";
-		$SAN="";
-		if(is_array($_SESSION['_config']['altrows']))
-			foreach($_SESSION['_config']['altrows'] as $subalt)
-			{
-				if($SAN != "")
-					$SAN .= ",";
-				$SAN .= "$subalt";
-			}
-
-		if($SAN != "")
-			$csrsubject .= "/subjectAltName=".$SAN;
+		$csrsubject .= buildSubjectFromSession();
 
 		$type="";
 		if($_REQUEST["ocspcert"]!="" && $_SESSION['profile']['admin'] == 1) $type="8";
@@ -2757,8 +2745,8 @@
 
 			sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body,
 						"support@cacert.org", "", "", "CAcert Support");
-
 		}
+
 		showfooter();
 		exit;
 	}

pages/account/11.php

@@ -15,39 +15,61 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ ?>
+
 <p>
-<?=_("Please make sure the following details are correct before proceeding any further.")?>
+<?=_("Please make sure the following details are correct before proceeding ".
+		"any further.")?>
 </p>
-<?// print_r($_SESSION['_config']['altrows']); ?>
+
+<p><?
+if (is_array($_SESSION['_config']['rows'])) {
+	foreach ($_SESSION['_config']['rows'] as $row) {
+		echo _("CommonName"), ": $row<br>\n";
+	}
+}
+
+if (is_array($_SESSION['_config']['altrows'])) {
+	foreach ($_SESSION['_config']['altrows'] as $row) {
+		echo _("subjectAltName"), ": $row<br>\n";
+	}
+}
+?></p>
+
 <p>
-<? if(is_array($_SESSION['_config']['rows']))
-	foreach($_SESSION['_config']['rows'] as $row) { ?>
-<?=_("CommonName")?>: <?=$row?><br>
-<? } ?>
-<? if(is_array($_SESSION['_config']['altrows']))
-	foreach($_SESSION['_config']['altrows'] as $row) { ?>
-<?=_("subjectAltName")?>: <?=$row?><br>
-<? } ?>
-<? if(1 == 0) { ?>
-<?=_("Organisation")?>: <?=$_SESSION['_config']['O']?><br>
-<?=_("Org. Unit")?>: <?=$_SESSION['_config']['OU']?><br>
-<?=_("Location")?>: <?=$_SESSION['_config']['L']?><br>
-<?=_("State/Province")?>: <?=$_SESSION['_config']['ST']?><br>
-<?=_("Country")?>: <?=$_SESSION['_config']['C']?><br>
-<?=_("Email Address")?>: <?=$_SESSION['_config']['emailAddress']?><br>
-<? } ?>
-<?=_("No additional information will be included on certificates because it can not be automatically checked by the system.")?>
-<? if(array_key_exists('rejected',$_SESSION['_config']) && is_array($_SESSION['_config']['rejected'])) { ?>
-<br><br><?=_("The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.")?><br>
-<? foreach($_SESSION['_config']['rejected'] as $row) { ?>
-<?=_("Rejected")?>: <a href="account.php?id=7&amp;newdomain=<?=$row?>"><?=$row?></a><br>
-<? } } ?>
-<? if(is_array($_SESSION['_config']['rows']) || is_array($_SESSION['_config']['altrows'])) { ?>
-<form method="post" action="account.php">
-<input type="submit" name="process" value="<?=_("Submit")?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
-</form>
-<? } else { ?>
-<br><br><b><?=_("Unable to continue as no valid commonNames or subjectAltNames were present on your certificate request.")?></b>
-<? } ?>
+<?=_("No additional information will be included on certificates because it ".
+		"can not be automatically checked by the system.")?>
 </p>
+
+<p><?
+if (array_key_exists('rejected',$_SESSION['_config']) &&
+		is_array($_SESSION['_config']['rejected'])) {
+	echo _("The following hostnames were rejected because the system couldn't ".
+			"link them to your account, if they are valid please verify the ".
+			"domains against your account."), "<br>\n";
+	
+	foreach ($_SESSION['_config']['rejected'] as $row) {
+		echo _("Rejected");
+		echo ": <a href='account.php?id=7&amp;newdomain=$row'>$row</a><br>\n";
+	}
+}
+?></p>
+
+<?
+if (is_array($_SESSION['_config']['rows']) ||
+		is_array($_SESSION['_config']['altrows'])) {
+	?>
+	<form method="post" action="account.php">
+		<p>
+			<input type="submit" name="process" value="<?=_("Submit")?>">
+			<input type="hidden" name="oldid" value="<?=$id?>">
+		</p>
+	</form>
+	<?
+} else {
+	?>
+	<p>
+		<b><?=_("Unable to continue as no valid commonNames or ".
+				"subjectAltNames were present on your certificate request.")?></b>
+	</p>
+	<?
+}

pages/account/21.php

@@ -14,41 +14,57 @@
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-*/ ?>
-<?
-	$org = $_SESSION['_config']['row'];
-	if($org['id'] <= 0)
-		$org = $_SESSION['_config']['altrow'];
+*/
+
+$org = $_SESSION['_config']['row'];
+if ($org['id'] <= 0) {
+	$org = $_SESSION['_config']['altrow'];
+}
 ?>
-<p>
-<?=_("Please make sure the following details are correct before proceeding any further.")?>
-</p>
 
 <p>
-<? if(is_array($_SESSION['_config']['rows']))
-	foreach($_SESSION['_config']['rows'] as $row) { ?>
-<?=_("CommonName")?>: <?=$row?><br>
-<? } ?>
-<? if(is_array($_SESSION['_config']['altrows']))
-	foreach($_SESSION['_config']['altrows'] as $row) { ?>
-<?=_("subjectAltName")?>: <?=$row?><br>
-<? } ?>
-<?=_("Organisation")?>: <?=$org['O']?><br>
-<?=_("Org. Unit")?>: <?=($_SESSION['_config']['OU'])?><br>
-<?=_("Location")?>: <?=$org['L']?><br>
-<?=_("State/Province")?>: <?=$org['ST']?><br>
-<?=_("Country")?>: <?=$org['C']?><br>
+<?=_("Please make sure the following details are correct before proceeding ".
+		"any further.")?>
+</p>
 
+<p><?
+if (is_array($_SESSION['_config']['rows'])) {
+	foreach ($_SESSION['_config']['rows'] as $row) {
+		echo _("CommonName"), ": $row<br>\n";
+	}
+}
 
-<form method="post" action="account.php">
-<input type="submit" name="process" value="<?=_("Submit")?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
+if (is_array($_SESSION['_config']['altrows'])) {
+	foreach ($_SESSION['_config']['altrows'] as $row) {
+		echo _("subjectAltName"), ": $row<br>\n";
+	}
+}
 
+echo _("Organisation"), ": {$org['O']}<br>\n";
+echo _("Org. Unit"), ": {$_SESSION['_config']['OU']}<br>\n";
+echo _("Location"), ": {$org['L']}<br>\n";
+echo _("State/Province"), ": {$org['ST']}<br>\n";
+echo _("Country"), ": {$org['C']}<br>\n";
+?>
 
-<? if($_SESSION['profile']['admin'] == 1) { ?>
-<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
-<input type="checkbox" name="ocspcert" value="OCSPCert"/> <?=_("OCSP certificate")?>
-<? } ?>
+<form method="post" action="account.php">
+	<p>
+		<input type="submit" name="process" value="<?=_("Submit")?>">
+		<input type="hidden" name="oldid" value="<?=$id?>">
+	</p>
+	
+	<?
+	if ($_SESSION['profile']['admin'] == 1) {
+		?>
+		<p>
+			<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
+			<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
+			<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
+			<input type="checkbox" name="ocspcert" value="OCSPCert"/>
+				<?=_("OCSP certificate")?>
+		</p>
+		<?
+	}
+	?>
 
 </form>
-</p>