From 924e6b033769e6b2daddfe567b7aafd8f84bc4c1 Mon Sep 17 00:00:00 2001 From: Wytze van der Raay Date: Fri, 13 Jun 2014 16:00:16 +0000 Subject: [PATCH] Intermediate patch for https://bugs.cacert.org/view.php?id=807 "CAcert ignores signature algorithm from csr". This patch introduces the UI for our members to choose which signature algorithm they want their certificates signed with. Among the choices are SHA-256, SHA-384 and SHA-512. Further choices may be included as our signer and web frontend permit. --- includes/account.php | 17 +++++ includes/lib/account.php | 50 ++++++++++++++ pages/account/10.php | 65 ++++++++++++++++--- pages/account/16.php | 104 ++++++++++++++++++++++------- pages/account/20.php | 61 +++++++++++++++-- pages/account/3.php | 137 +++++++++++++++++++++++++-------------- www/styles/default.css | 12 ++-- 7 files changed, 353 insertions(+), 93 deletions(-) diff --git a/includes/account.php b/includes/account.php index 99c65c5..b1ab984 100644 --- a/includes/account.php +++ b/includes/account.php @@ -289,6 +289,9 @@ function buildSubjectFromSession() { if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; } + + $_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']); + $csr = ""; if(trim($_REQUEST['optionalCSR']) == "") { @@ -386,6 +389,7 @@ function buildSubjectFromSession() { `codesign`='".intval($_SESSION['_config']['codesign'])."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -490,6 +494,7 @@ function buildSubjectFromSession() { `codesign`='".intval($_SESSION['_config']['codesign'])."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -763,6 +768,8 @@ function buildSubjectFromSession() { if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; } + + $_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']); } if($process != "" && $oldid == 11) @@ -807,6 +814,7 @@ function buildSubjectFromSession() { `domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."', `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; } elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) { $query = "insert into `domaincerts` set @@ -814,6 +822,7 @@ function buildSubjectFromSession() { `domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."', `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; } else { showheader(_("My CAcert.org Account!")); @@ -1467,6 +1476,8 @@ function buildSubjectFromSession() { if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; + $_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']); + $_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description'])); if(@count($_SESSION['_config']['emails']) > 0) @@ -1534,6 +1545,7 @@ function buildSubjectFromSession() { `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `codesign`='".intval($_SESSION['_config']['codesign'])."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -1629,6 +1641,7 @@ function buildSubjectFromSession() { `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".intval($_SESSION['_config']['codesign'])."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -1893,6 +1906,8 @@ function buildSubjectFromSession() { $_SESSION['_config']['rootcert'] = intval($_REQUEST['rootcert']); if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; + + $_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']); } if($process != "" && $oldid == 21) @@ -1967,6 +1982,7 @@ function buildSubjectFromSession() { `created`=NOW(), `subject`='".mysql_real_escape_string($csrsubject)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `type`='".$type."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; } else { @@ -1976,6 +1992,7 @@ function buildSubjectFromSession() { `created`=NOW(), `subject`='".mysql_real_escape_string($csrsubject)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `type`='".$type."', `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; } diff --git a/includes/lib/account.php b/includes/lib/account.php index 4c4d5ac..dd8afd3 100644 --- a/includes/lib/account.php +++ b/includes/lib/account.php @@ -98,3 +98,53 @@ function fix_assurer_flag($userID = NULL) return true; } + +/** + * Supported hash algorithms for signing certificates + */ +class HashAlgorithms { + /** + * Default hash algorithm identifier for signing + * @var string + */ + public static $default = 'sha256'; + + /** + * Get display strings for the supported hash algorithms + * @return array(string=>array('name'=>string, 'info'=>string)) + * - [$hash_identifier]['name'] = Name that should be displayed in UI + * - [$hash_identifier]['info'] = Additional information that can help + * with the selection of a suitable algorithm + */ + public static function getInfo() { + return array( + 'sha256' => array( + 'name' => 'SHA-256', + 'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'), + ), + 'sha384' => array( + 'name' => 'SHA-384', + 'info' => '', + ), + 'sha512' => array( + 'name' => 'SHA-512', + 'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'), + ), + ); + } + + /** + * Check if the input is a supported hash algorithm identifier otherwise + * return the identifier of the default hash algorithm + * + * @param string $hash_identifier + * @return string The cleaned identifier + */ + public static function clean($hash_identifier) { + if (array_key_exists($hash_identifier, self::getInfo() )) { + return $hash_identifier; + } else { + return self::$default; + } + } +} diff --git a/pages/account/10.php b/pages/account/10.php index 8908400..17999a7 100644 --- a/pages/account/10.php +++ b/pages/account/10.php @@ -30,17 +30,66 @@

+


+ +

+


+ +

+ +
+ + + + +
+ = 50) { ?> -
-
+
    +
  • + + +
  • +
  • + + +
  • +

-


-

-

-
-

CCA")?>
-

+ +

+
    + $display_info) { +?> +
  • + /> + +
  • + +
+ +
+
+ +

" />
+ + + diff --git a/pages/account/16.php b/pages/account/16.php index db8a8f5..8783bc5 100644 --- a/pages/account/16.php +++ b/pages/account/16.php @@ -25,47 +25,101 @@ - + - : - + + - + - : - +