From 21ffacf9f23ce1bfa69a6747d6650d70f961b5ca Mon Sep 17 00:00:00 2001
From: Wytze van der Raay
Date: Wed, 10 Apr 2019 09:37:24 +0000
Subject: [PATCH] Fixes for https://bugs.cacert.org/view.php?id=1305: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature. See the message thread preserved in https://lists.cacert.org/wws/arc/cacert-systemlog/2016-03/ for more information on the re-signed root certificates installed and enabled by this commit.
---
 pages/index/3.php | 43 +++++++++++++++++++++----------------------
 www/cap.html.php | 12 ++++++------
 www/cap.php | 14 +++++++++-----
 www/capnew.php | 18 +++++++++++-------
 www/coap.html.php | 10 +++++-----
 www/coapnew.php | 18 +++++++++++-------
 6 files changed, 63 insertions(+), 52 deletions(-)
diff --git a/pages/index/3.php b/pages/index/3.php
index f060c8f..f99d64c 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -18,35 +18,24 @@

","")?>

-

- -

@@ -56,8 +45,16 @@
  • A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
  • + + + /** + Since we don't seem to have a way to GPG sign our current key, we have, at least temporarily, removed this. + + https://bugs.cacert.org/view.php?id=1305#c5784 + + **/

    -
    +    
     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1
     
    @@ -74,6 +71,8 @@ Mch2LMZhK4h/SBIft5ROzVU=
     =R/pJ
     -----END PGP SIGNATURE-----
     
    + +
     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1
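Review bot: With the signed fingerprint statement taken out of the page, a visitor gets no indication that the fingerprints listed here are no longer backed by a GPG signature; the only explanation is the in-source text added in the preceding hunk (`@@ -56,8 +45,16 @@`), "Since we don't seem to have a way to GPG sign our current key, we have, at least temporarily, removed this." A short visible sentence telling readers how to check the fingerprints through an independent channel, plus a TODO that cites bug 1305 comment c5784, would make the temporary state explicit. The markup around `/** … **/` is not visible in this rendering, so it is worth confirming those lines sit inside a PHP block or an HTML comment and are not sent to the browser as page text. The blocks kept in the source are signed with `Hash: SHA1`; when a signed statement is reinstated it should be regenerated with a SHA-2 digest, not by re-enabling the old block.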
    diff --git a/www/cap.html.php b/www/cap.html.php
    index 3522f1c..df2f682 100644
    --- a/www/cap.html.php
    +++ b/www/cap.html.php
    @@ -16,7 +16,7 @@
         Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
             loadem("index");
             showheader(_("Identity Verification Form (CAP) form"));
    -	Version: $Id: cap.html.php,v 1.3 2015/01/08 15:02:40 wytze Exp $
    +	Version: $Id: cap.html.php,v 1.4 2019/04/10 09:37:24 wytze Exp $
     */
     	echo '', "\n";
     	echo '', "\n";
    @@ -38,18 +38,18 @@
     	echo '
    ', "\n"; echo ''._("Identity Verification Form (CAP) form").'
    ', "\n"; echo '
    ', "\n"; - echo '
    '.'CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia - http://www.cacert.org/
    ', "\n"; + echo '
    '.'Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia - http://www.cacert.org/
    ', "\n"; - echo '', "\n"; + echo '
    ', "\n"; echo '', "\n"; echo '', "\n"; - echo ' ', "\n"; - echo ' ', "\n"; + echo ' ', "\n"; + echo ' ', "\n"; echo '', "\n"; echo '', "\n"; echo ' ', "\n"; - echo ' ', "\n"; + echo ' ', "\n"; echo '', "\n"; echo '', "\n"; echo '', "\n"; diff --git a/www/cap.php b/www/cap.php index 40b269a..b189b18 100644 --- a/www/cap.php +++ b/www/cap.php @@ -48,14 +48,18 @@ $this->SetFont('Arial','I',8); if($_SESSION['_config']['language'] == "ja") $this->SetFont('SJIS','I',8); - $this->Cell(0,0,'CAcert Inc. - PO Box 66 - Oatley NSW 2223 - Australia - http://www.CAcert.org',0,0,'C'); + $this->Cell(0,0,'CAcert Inc. - Hangar 10 Airfield Avenue - Murwillumbah NSW 2484 - Australia - http://www.CAcert.org',0,0,'C'); $this->Ln(3); $this->SetFont('Arial','',6); if($_SESSION['_config']['language'] == "ja") $this->SetFont('SJIS','',6); - $this->Cell(0,0, recode($_SESSION['_config']['recode'], _("CAcert's Root Certificate fingerprints")).": A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B "._("and")." 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33",0,0,'C'); - $this->SetLineWidth(0.05); - $this->Line(1, 43, $this->w - 1, 43); + $this->Cell(0,0, recode($_SESSION['_config']['recode'], _("CAcert's Root Certificate fingerprints"). _(" (since 2019)")),0,0,'C'); + $this->ln(3); + $this->Cell(0,0, recode($_SESSION['_config']['recode'], "SHA1: root: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5 "._("and")." class3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0"),0,0,'C'); + $this->ln(3); + $this->Cell(0,0, recode($_SESSION['_config']['recode'], "SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5 "._("and")." class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544"),0,0,'C'); + $this->SetLineWidth(0.05); // added 3 points to the abcissa 43 -> 46 to get second line fingerprints + $this->Line(1, 46, $this->w - 1, 46); $this->SetLineWidth(0.2); } 
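Review bot: The new fingerprint digits are typed into this footer as string literals, and the same digits are repeated as `CLASS1_SHA1`/`CLASS3_SHA1` and `CLASS1_SHA256`/`CLASS3_SHA256` defines in `www/capnew.php` and `www/coapnew.php` (the HTML forms appear to carry their own copies too), so the next re-issue has several places that can drift apart. Because these digits are what a person compares against when installing the root, one shared definition, or a value derived from the installed certificate files as the existing `// should obtain this automatically` comment in capnew.php asks, would remove that risk. Two smaller points in the added lines: they call `$this->ln(3)` where the surrounding code writes `$this->Ln(3)`, and `_(" (since 2019)")` is a separate translatable fragment glued onto the label, which translators cannot reorder; a single msgid `_("CAcert's Root Certificate fingerprints (since 2019)")` would be safer. The enclosing method starts above the hunk.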
@@ -69,7 +73,7 @@ $date = date("Y-m-d"); // Show text blurb at top of page - $this->SetY(45); + $this->SetY(48); // added 3 points to the abcissa 45 -> 48 to get second line fingerprints $this->SetFont('Arial','',10); if($_SESSION['_config']['language'] == "ja") $this->SetFont('SJIS','',10); diff --git a/www/capnew.php b/www/capnew.php index a57bde3..5a4dcae 100644 --- a/www/capnew.php +++ b/www/capnew.php @@ -17,8 +17,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -// $Id: capnew.php,v 1.5 2015/01/08 15:02:40 wytze Exp $ -define('REV', '$Revision: 1.5 $'); +// $Id: capnew.php,v 1.6 2019/04/10 09:37:24 wytze Exp $ +define('REV', '$Revision: 1.6 $'); /* ** Created from old cap.php 2003, which used the now obsoleted ftpdf package @@ -297,7 +297,7 @@ define('LLBLUE','#D6E2EB'); // lighhter blue RGB 173 197 215 define('LIME', '#C7FF00'); // RGB 199 255 0 define('GREEN', '#00BE00'); // 0 190 0 -define('POBOX','CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia'); +define('POBOX','Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia'); define('WEB', 'http://www.cacert.org'); define('WIKI','http://wiki.cacert.org/wiki'); define('ROOTKEYS','http://www.cacert.org/index.php?id=3'); 
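Review bot: The new `POBOX` value in the `@@ -297,7 +297,7 @@` hunk drops the `CAcert Inc. - ` prefix that the old value had and that `www/cap.php` keeps in its updated footer, so the forms built from this constant presumably no longer name the organisation the way cap.php does. If the omission is not intended, `define('POBOX','CAcert Inc. - Hangar 10 Airfield Avenue - Murwillumbah NSW 2484 - Australia');` matches cap.php. The same define in `www/coapnew.php` (`@@ -332,7 +332,7 @@`) also ends with a stray space before the closing quote. The constant is still named `POBOX` although it now holds a street address, so a one-line comment such as `// postal address of CAcert Inc. (name kept for compatibility)` would help.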
@@ -311,9 +311,13 @@ define('ARBIT', WIKI.'/ArbitrationForum');
 define('CCA', 'CAcertCommunityAgreement'); // default policy to print
 define('POLICY','policy/'); // default polciy doc directory
 define('EXT','.html'); // default polciy doc extention, should be html
+/* finger print CAcert Root Key SHA256 since 2019*/ // should obtain this automatically
+define('CLASS1_SHA256','07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5');
+define('CLASS3_SHA256','F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544');
+/* finger print CAcert Root Key */ // not to use since 2019
 /* finger print CAcert Root Key */ // should obtain this automatically
-define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
-define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
+define('CLASS1_SHA1','DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5');
+define('CLASS3_SHA1','A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0');
 // next two are not used on the form
 define('CLASS1_MD5','A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B');
 define('CLASS3_MD5','F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42');
@@ -387,7 +391,7 @@ function utf8_is_ascii_ctrl($str) { // extend TCPF with custom functions class CAPPDF extends TCPDF { - // do cap form version numbering automatically '$Revision: 1.5 $' + // do cap form version numbering automatically '$Revision: 1.6 $' /*public*/ function Version() { strtok(REV, ' '); return(strtok(' ')); 
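Review bot: `CLASS1_MD5` and `CLASS3_MD5` are left as context with their old values in the `@@ -311,9 +311,13 @@` hunk, but a fingerprint is a digest of the whole certificate, so the re-signing that changed the SHA-1 values above means these MD5 values no longer match the installed roots. They are marked `// next two are not used on the form`, so the cleanest fix is to delete both defines instead of leaving wrong values for a later caller to pick up; MD5 should not be offered for certificate verification in any case. The added comment `/* finger print CAcert Root Key */ // not to use since 2019` reads as if it applies to the `CLASS1_SHA1`/`CLASS3_SHA1` lines that this same hunk updates to the new roots; something like `/* SHA-1 fingerprints of the 2019 re-signed roots, kept for reference; the form prints SHA-256 */` would say what is meant. The identical hunk in `www/coapnew.php` (`@@ -346,9 +346,13 @@`) has the same two issues.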
@@ -918,7 +922,7 @@ class CAPPDF extends TCPDF { $this->SetXY($savex,$savey); // sha1 fingerprint CAcert rootkeys class 1 and class 3 - $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha1 fingerprints") ) . ', class 1: '. CLASS1_SHA1 . ', class 3: ' . CLASS3_SHA1; + $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha256 fingerprints (since 2019)") ) . ', class 1: '. CLASS1_SHA256 . ', class 3: ' . CLASS3_SHA256; $this->Ln(3); $this->SetX($this->lMargin); $this->SetFont(FONT,'',F_SIZE * $this->colwidth / ($this->GetStringWidth($strg) +1)); $this->Cell($this->colwidth,10, $strg,0,0,'C',0,NULL); diff --git a/www/coap.html.php b/www/coap.html.php index fdc186e..1e050cf 100644 --- a/www/coap.html.php +++ b/www/coap.html.php @@ -14,7 +14,7 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Version: $Id: coap.html.php,v 1.3 2015/01/08 15:02:41 wytze Exp $ + Version: $Id: coap.html.php,v 1.4 2019/04/10 09:37:24 wytze Exp $ */ ?> @@ -49,19 +49,19 @@ table#TAB1 td { border: 0 } echo ''._("Organisation Information (COAP) form").'
    ', "\n"; ?> -
    CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia - http://www.cacert.org
    +
    Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia - http://www.cacert.org

    ', "\n"; echo '
    '._("CAcert's Root Certificate sha1 fingerprints").'class 1: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33'._("CAcert's Root Certificate sha256 fingerprints (since 2019)").'class 1: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
    class 3: AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCEclass 3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544
    '._("CAcert's Root Certificate sha1 fingerprints").'', "\n"; + echo ' ', "\n"; ?> - + - + diff --git a/www/coapnew.php b/www/coapnew.php index 832e397..baeb224 100644 --- a/www/coapnew.php +++ b/www/coapnew.php @@ -17,8 +17,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -// $Id: coapnew.php,v 1.5 2015/01/08 15:02:41 wytze Exp $ -define('REV', '$Revision: 1.5 $'); +// $Id: coapnew.php,v 1.6 2019/04/10 09:37:24 wytze Exp $ +define('REV', '$Revision: 1.6 $'); /* ** Created from old cap.php 2003, which used the now obsoleted ftpdf package @@ -332,7 +332,7 @@ define('LLBLUE','#D6E2EB'); // lighhter blue RGB 173 197 215 define('LIME', '#C7FF00'); // RGB 199 255 0 define('GREEN', '#00BE00'); // 0 190 0 -define('POBOX','CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia'); +define('POBOX','Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia '); define('WEB', 'http://www.cacert.org'); define('WIKI','http://wiki.cacert.org/wiki'); define('ROOTKEYS','http://www.cacert.org/index.php?id=3'); 
@@ -346,9 +346,13 @@ define('ARBIT', WIKI."/ArbitrationForum");
 define('CCA', "CAcertCommunityAgreement"); // default policy to print
 define('POLICY','policy/'); // default polciy doc directory
 define('EXT','.html'); // default polciy doc extention, should be html
+/* finger print CAcert Root Key SHA256 since 2019*/ // should obtain this automatically
+define('CLASS1_SHA256','07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5');
+define('CLASS3_SHA256','F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544');
+/* finger print CAcert Root Key */ // not to use since 2019
 /* finger print CAcert Root Key */ // should obtain this automatically
-define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
-define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
+define('CLASS1_SHA1','DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5');
+define('CLASS3_SHA1','A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0');
 // next two are not used on the form
 define('CLASS1_MD5','A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B');
 define('CLASS3_MD5','F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42');
@@ -422,7 +426,7 @@ function utf8_is_ascii_ctrl($str) { // extend TCPF with custom functions class COAPPDF extends TCPDF { - // do cap form version numbering automatically "$Revision: 1.5 $" + // do cap form version numbering automatically "$Revision: 1.6 $" /*public*/ function Version() { strtok(REV, " "); return(strtok(" ")); 
@@ -935,7 +939,7 @@ class COAPPDF extends TCPDF { $this->SetXY($savex,$savey); // sha1 fingerprint CAcert rootkeys class 1 and class 3 - $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha1 fingerprints") ) . ", class 1: ". CLASS1_SHA1 . ", class 3: " . CLASS3_SHA1; + $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha256 fingerprints") ) . ", class 1: ". CLASS1_SHA256 . ", class 3: " . CLASS3_SHA256; $this->Ln(3); $this->SetX($this->lMargin); $this->SetFont(FONT,'',F_SIZE * $this->colwidth / ($this->GetStringWidth($strg) +1)); $this->Cell($this->colwidth,10, $strg,0,0,'C',0,NULL);
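Review bot: The label on the new `$strg` line is `_("CAcert's Root Certificate sha256 fingerprints")`, while the matching line in `www/capnew.php` (`@@ -918,7 +922,7 @@`) uses `"CAcert's Root Certificate sha256 fingerprints (since 2019)"`; this creates a second msgid to translate and prints a different caption on the COAP PDF than on the CAP PDF. Using the same string here, `_("CAcert's Root Certificate sha256 fingerprints (since 2019)")`, keeps the two forms aligned. In both files the context comment `// sha1 fingerprint CAcert rootkeys class 1 and class 3` no longer describes the code and should read `// sha256 fingerprint CAcert rootkeys class 1 and class 3`. Because the font size is scaled by `$this->colwidth / ($this->GetStringWidth($strg) +1)`, the longer SHA-256 line will be set smaller than the SHA-1 line was, so it is worth checking a printed form to confirm the digits stay legible, or putting class 1 and class 3 on separate lines. The enclosing method starts above the hunk.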
    '._("CAcert's Root Certificate sha256 fingerprints (since 2019)").'class 1: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33class 1: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
    class 3: AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCEclass 3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544