From 924e6b033769e6b2daddfe567b7aafd8f84bc4c1 Mon Sep 17 00:00:00 2001
From: Wytze van der Raay <wytze@cacert.org>
Date: Fri, 13 Jun 2014 16:00:16 +0000
Subject: [PATCH] Intermediate patch for
 https://bugs.cacert.org/view.php?id=807 "CAcert ignores signature algorithm
 from csr".

This patch introduces the UI for our members to choose which signature
algorithm they want their certificates signed with. Among the choices
are SHA-256, SHA-384 and SHA-512. Further choices may be included as our
signer and web frontend permit.
---
 includes/account.php     |  17 +++++
 includes/lib/account.php |  50 +++++++++++++++
 pages/account/10.php     |  65 ++++++++++++++++---
 pages/account/16.php     | 102 +++++++++++++++++++++++-------
 pages/account/20.php     |  61 +++++++++++++++---
 pages/account/3.php      | 131 +++++++++++++++++++++++++--------------
 www/styles/default.css   |  12 ++--
 7 files changed, 349 insertions(+), 89 deletions(-)

diff --git a/includes/account.php b/includes/account.php
index 99c65c5..b1ab984 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -289,6 +289,9 @@ function buildSubjectFromSession() {
 			if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 				$_SESSION['_config']['rootcert'] = 1;
 		}
+
+		$_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']);
+
 		$csr = "";
 		if(trim($_REQUEST['optionalCSR']) == "")
 		{
@@ -386,6 +389,7 @@ function buildSubjectFromSession() {
 						`codesign`='".intval($_SESSION['_config']['codesign'])."',
 						`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
 						`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 			mysql_query($query);
 			$emailid = mysql_insert_id();
@@ -490,6 +494,7 @@ function buildSubjectFromSession() {
 						`codesign`='".intval($_SESSION['_config']['codesign'])."',
 						`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
 						`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 			mysql_query($query);
 			$emailid = mysql_insert_id();
@@ -763,6 +768,8 @@ function buildSubjectFromSession() {
 			if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 				$_SESSION['_config']['rootcert'] = 1;
 		}
+
+		$_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']);
 	}
 
 	if($process != "" && $oldid == 11)
@@ -807,6 +814,7 @@ function buildSubjectFromSession() {
 						`domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
 						`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
 						`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 		} elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) {
 			$query = "insert into `domaincerts` set
@@ -814,6 +822,7 @@ function buildSubjectFromSession() {
 						`domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
 						`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
 						`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 		} else {
 			showheader(_("My CAcert.org Account!"));
@@ -1467,6 +1476,8 @@ function buildSubjectFromSession() {
 		if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 			$_SESSION['_config']['rootcert'] = 1;
 
+		$_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']);
+
 		$_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description']));
 
 		if(@count($_SESSION['_config']['emails']) > 0)
@@ -1534,6 +1545,7 @@ function buildSubjectFromSession() {
 						`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
 						`codesign`='".intval($_SESSION['_config']['codesign'])."',
 						`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 			mysql_query($query);
 			$emailid = mysql_insert_id();
@@ -1629,6 +1641,7 @@ function buildSubjectFromSession() {
 						`subject`='".mysql_real_escape_string($csrsubject)."',
 						`codesign`='".intval($_SESSION['_config']['codesign'])."',
 						`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 			mysql_query($query);
 			$emailid = mysql_insert_id();
@@ -1893,6 +1906,8 @@ function buildSubjectFromSession() {
 		$_SESSION['_config']['rootcert'] = intval($_REQUEST['rootcert']);
 		if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 			$_SESSION['_config']['rootcert'] = 1;
+
+		$_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']);
 	}
 
 	if($process != "" && $oldid == 21)
@@ -1967,6 +1982,7 @@ function buildSubjectFromSession() {
 					`created`=NOW(),
 					`subject`='".mysql_real_escape_string($csrsubject)."',
 					`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+					`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 					`type`='".$type."',
 					`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 		} else {
@@ -1976,6 +1992,7 @@ function buildSubjectFromSession() {
 					`created`=NOW(),
 					`subject`='".mysql_real_escape_string($csrsubject)."',
 					`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+					`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
 					`type`='".$type."',
 					`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
 		}
diff --git a/includes/lib/account.php b/includes/lib/account.php
index 4c4d5ac..dd8afd3 100644
--- a/includes/lib/account.php
+++ b/includes/lib/account.php
@@ -98,3 +98,53 @@ function fix_assurer_flag($userID = NULL)
 
 	return true;
 }
+
+/**
+ * Supported hash algorithms for signing certificates
+ */
+class HashAlgorithms {
+	/**
+	 * Default hash algorithm identifier for signing
+	 * @var string
+	 */
+	public static $default = 'sha256';
+
+	/**
+	 * Get display strings for the supported hash algorithms
+	 * @return array(string=>array('name'=>string, 'info'=>string))
+	 *     - [$hash_identifier]['name'] = Name that should be displayed in UI
+	 *     - [$hash_identifier]['info'] = Additional information that can help
+	 *       with the selection of a suitable algorithm
+	 */
+	public static function getInfo() {
+		return array(
+				'sha256' => array(
+						'name' => 'SHA-256',
+						'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
+					),
+				'sha384' => array(
+						'name' => 'SHA-384',
+						'info' => '',
+					),
+				'sha512' => array(
+						'name' => 'SHA-512',
+						'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
+					),
+			);
+	}
+
+	/**
+	 * Check if the input is a supported hash algorithm identifier otherwise
+	 * return the identifier of the default hash algorithm
+	 *
+	 * @param string $hash_identifier
+	 * @return string The cleaned identifier
+	 */
+	public static function clean($hash_identifier) {
+		if (array_key_exists($hash_identifier, self::getInfo() )) {
+			return $hash_identifier;
+		} else {
+			return self::$default;
+		}
+	}
+}
diff --git a/pages/account/10.php b/pages/account/10.php
index 8908400..17999a7 100644
--- a/pages/account/10.php
+++ b/pages/account/10.php
@@ -30,17 +30,66 @@
 <p><?=_("If you are a valid organisation and would like the organisation name in the certificates you can apply for an organisation assurance. Contact us via support@cacert.org for more information.")?></p>
 
 <form method="post" action="account.php">
+<p><label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
+	<input type="text" id="description" name="description" maxlength="80" size="80" />
+</p>
+<p><label for="CSR"><?=_("Paste your CSR (Certificate Signing Request) below...")?></label><br />
+	<textarea id="CSR" name="CSR" cols="80" rows="15"></textarea>
+</p>
+
+<fieldset>
+<legend>
+	<input type="checkbox" id="expertbox" onchange="showExpert(this.checked)" style="display:none" />
+	<label for="expertbox"><?=_("Advanced Options")?></label>
+</legend>
+<div id="advanced_options">
+
 <? if($_SESSION['profile']['points'] >= 50) { ?>
-<input type="radio" name="rootcert" value="1"/> <?=_("Sign by class 1 root certificate")?><br />
-<input type="radio" name="rootcert" value="2" checked/> <?=_("Sign by class 3 root certificate")?><br />
+<ul class="no_indent">
+	<li>
+		<input type="radio" id="root1" name="rootcert" value="1" />
+		<label for="root1"><?=_("Sign by class 1 root certificate")?></label>
+	</li>
+	<li>
+		<input type="radio" id="root2" name="rootcert" value="2" checked="checked" />
+		<label for="root2"><?=_("Sign by class 3 root certificate")?></label>
+	</li>
+</ul>
 <p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
 <? } ?>
-<p><?=_("Optional comment, only used in the certificate overview")?><br>
-       <input type="text" name="description" maxlength="80" size=80/></p>
-<p><?=_("Paste your CSR(Certificate Signing Request) below...")?></p>
-<textarea name="CSR" cols="80" rows="15"></textarea><br />
-<p><input type="checkbox" name="CCA" /> <strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br />
-  <?=_("Please Note: You need to accept the CCA to proceed.")?></p>
+
+<p class="attach_ul"><?=_("Hash algorithm used when signing the certificate:")?></p>
+<ul class="no_indent">
+<?
+foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
+?>
+	<li>
+		<input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
+		<label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label>
+	</li>
+<?
+}
+?>
+</ul>
+
+</div>
+</fieldset>
+
+<p><input type="checkbox" id="CCA" name="CCA" /> <label for="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br />
+  <?=_("Please note: You need to accept the CCA to proceed.")?></label></p>
 <input type="submit" name="process" value="<?=_("Submit")?>" />
 <input type="hidden" name="oldid" value="<?=$id?>" />
 </form>
+
+
+<script language="javascript">
+function showExpert(a)
+{
+	var options=document.getElementById("advanced_options");
+	options.style.display = (a) ? "" : "none";
+
+	var checkbox=document.getElementById("expertbox");
+	checkbox.style.display = "";
+}
+showExpert(false);
+</script>
diff --git a/pages/account/16.php b/pages/account/16.php
index db8a8f5..8783bc5 100644
--- a/pages/account/16.php
+++ b/pages/account/16.php
@@ -25,47 +25,101 @@
   <tr>
     <td class="DataTD"><?=_("Add")?></td>
     <td class="DataTD"><?=_("Address")?></td>
-<? if(array_key_exists('emails',$_SESSION['_config']) && is_array($_SESSION['_config']['emails']))
-	foreach($_SESSION['_config']['emails'] as $val) { ?>
+<?
+if (array_key_exists('emails',$_SESSION['_config']) && is_array($_SESSION['_config']['emails'])) {
+	$i = 1;
+	foreach($_SESSION['_config']['emails'] as $val) {
+?>
   <tr>
-    <td class="DataTD"><?=_("Email")?>:</td>
-    <td class="DataTD"><input type="text" name="emails[]" value="<?=$val?>"/></td>
+    <td class="DataTD"><label for="email<?=$i?>"><?=_("Email")?></label></td>
+    <td class="DataTD"><input type="text" id="email<?=$i?>" name="emails[]" value="<?=$val?>"/></td>
   </tr>
-<? } ?>
+<?
+		$i++;
+	}
+} ?>
   <tr>
-    <td class="DataTD"><?=_("Email")?>:</td>
-    <td class="DataTD"><input type="text" name="emails[]"/></td>
+    <td class="DataTD"><label for="email0"><?=_("Email")?></td>
+    <td class="DataTD"><input type="text" id="email0" name="emails[]"/></td>
   </tr>
   <tr>
-    <td class="DataTD"><?=_("Name")?>:</td>
-    <td class="DataTD"><input type="text" name="name" value="<?=array_key_exists('name',$_SESSION['_config'])?($_SESSION['_config']['name']):''?>"/></td>
+    <td class="DataTD"><label for="name"><?=_("Name")?></label></td>
+    <td class="DataTD"><input type="text" id="name" name="name" value="<?=array_key_exists('name',$_SESSION['_config'])?($_SESSION['_config']['name']):''?>"/></td>
   </tr>
   <tr>
-    <td class="DataTD"><?=_("Department")?>:</td>
-    <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
+    <td class="DataTD"><label for="OU"><?=_("Department")?></label></td>
+    <td class="DataTD"><input type="text" id="OU" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
   </tr>
-  <tr>
+
+  <tr name="expertoff" style="display:none">
+    <td class="DataTD">
+      <input type="checkbox" id="expertbox" name="expertbox" onchange="showExpert(this.checked)" />
+    </td>
+    <td class="DataTD">
+      <label for="expertbox"><?=_("Show advanced options")?></label>
+    </td>
+  </tr>
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+        <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
+        <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label><br />
+        <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 60))?>
+    </td>
+  </tr>
+
+  <tr name="expert">
     <td class="DataTD" colspan="2" align="left">
-        <input type="radio" name="rootcert" value="1" checked /> <?=_("Sign by class 1 root certificate")?><br />
-        <input type="radio" name="rootcert" value="2" /> <?=_("Sign by class 3 root certificate")?><br />
-        <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"), 60))?>
+      <?=_("Hash algorithm used when signing the certificate:")?><br />
+      <?
+      foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
+      ?>
+        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
+        <label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label><br />
+      <?
+      }
+      ?>
     </td>
   </tr>
+
 <? if($_SESSION['profile']['codesign'] && $_SESSION['profile']['points'] >= 100) { ?>
-  <tr>
-    <td class="DataTD" colspan="2" align="left"><input type="checkbox" name="codesign" value="1" /><?=_("Code Signing")?></td>
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+      <input type="checkbox" id="codesign" name="codesign" value="1" />
+      <label for="codesign"><?=_("Code Signing")?></label>
+    </td>
   </tr>
 <? } ?>
-   <tr>
-   <td class="DataTD" colspan="2" align="left">
-      <?=_("Optional comment, only used in the certificate overview")?><br />
-       <input type="text" name="description" maxlength="80" size=80 />
-   </td>
+  <tr>
+    <td class="DataTD" colspan="2" align="left">
+      <label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
+      <input type="text" id="description" name="description" maxlength="80" size="80" />
+    </td>
   </tr>
   <tr>
-    <td class="DataTD" colspan="2"><input type="submit" name="add_email" value="<?=_("Another Email")?>">
-			<input type="submit" name="process" value="<?=_("Next")?>" /></td>
+    <td class="DataTD" colspan="2">
+      <input type="submit" name="add_email" value="<?=_("Add Another Email Address")?>">
+      <input type="submit" name="process" value="<?=_("Next")?>" />
+    </td>
   </tr>
 </table>
 <input type="hidden" name="oldid" value="<?=$id?>">
 </form>
+
+<script language="javascript">
+function showExpert(a)
+{
+  b=document.getElementsByName("expert");
+  for(i=0;b.length>i;i++)
+  {
+    if(!a) {b[i].setAttribute("style","display:none"); }
+    else {b[i].removeAttribute("style");}
+  }
+  b=document.getElementsByName("expertoff");
+  for(i=0;b.length>i;i++)
+  {
+    b[i].removeAttribute("style");
+  }
+
+}
+showExpert(false);
+</script>
diff --git a/pages/account/20.php b/pages/account/20.php
index ee16dd4..89bbc30 100644
--- a/pages/account/20.php
+++ b/pages/account/20.php
@@ -27,13 +27,60 @@
 <p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
 
 <form method="post" action="account.php">
-<input type="radio" name="rootcert" value="1" /> <?=_("Sign by class 1 root certificate")?><br />
-<input type="radio" name="rootcert" value="2" checked /> <?=_("Sign by class 3 root certificate")?><br />
-<p> <?=_("Optional comment, only used in the certificate overview")?><br />
-       <input type="text" name="description" maxlength="80" size=80 /></p>
+<p><label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
+	<input type="text" id="description" name="description" maxlength="80" size="80" />
+</p>
+<p><label for="CSR"><?=_("Paste your CSR (Certificate Signing Request) below...")?></label><br />
+	<textarea id="CSR" name="CSR" cols="80" rows="15"></textarea>
+</p>
+
+<fieldset>
+<legend>
+	<input type="checkbox" id="expertbox" onchange="showExpert(this.checked)" style="display:none" />
+	<label for="expertbox"><?=_("Advanced Options")?></label>
+</legend>
+<div id="advanced_options">
+<ul class="no_indent">
+	<li>
+		<input type="radio" id="root1" name="rootcert" value="1" />
+		<label for="root1"><?=_("Sign by class 1 root certificate")?></label>
+	</li>
+	<li>
+		<input type="radio" id="root2" name="rootcert" value="2" checked="checked" />
+		<label for="root2"><?=_("Sign by class 3 root certificate")?></label>
+	</li>
+</ul>
 <p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
-<p><?=_("Paste your CSR below...")?></p>
-<textarea name="CSR" cols="80" rows="15"></textarea><br />
+
+<p class="attach_ul"><?=_("Hash algorithm used when signing the certificate:")?></p>
+<ul class="no_indent">
+<?
+foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
+?>
+	<li>
+		<input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
+		<label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label>
+	</li>
+<?
+}
+?>
+</ul>
+
+</div>
+</fieldset>
+
 <input type="submit" name="process" value="<?=_("Submit")?>" />
 <input type="hidden" name="oldid" value="<?=$id?>" />
-</form>
\ No newline at end of file
+</form>
+
+<script language="javascript">
+function showExpert(a)
+{
+	var options=document.getElementById("advanced_options");
+	options.style.display = (a) ? "" : "none";
+
+	var checkbox=document.getElementById("expertbox");
+	checkbox.style.display = "";
+}
+showExpert(false);
+</script>
diff --git a/pages/account/3.php b/pages/account/3.php
index 7e34300..cd62ce0 100644
--- a/pages/account/3.php
+++ b/pages/account/3.php
@@ -34,6 +34,7 @@
   <tr>
     <td class="DataTD"><?=_("Add")?></td>
     <td class="DataTD"><?=_("Address")?></td>
+  </tr>
 
 <?
 	$query = "select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 and `hash`=''";
@@ -41,8 +42,8 @@
 	while($row = mysql_fetch_assoc($res))
 	{ ?>
   <tr>
-    <td class="DataTD"><input type="checkbox" name="addid[]" value="<?=intval($row['id'])?>"></td>
-    <td class="DataTD"><?=sanitizeHTML($row['email'])?></td>
+    <td class="DataTD"><input type="checkbox" id="addid<?=intval($row['id'])?>" name="addid[]" value="<?=intval($row['id'])?>"></td>
+    <td class="DataTD" align="left"><label for="addid<?=intval($row['id'])?>"><?=sanitizeHTML($row['email'])?></label></td>
   </tr>
 <? }
 if($_SESSION['profile']['points'] >= 50)
@@ -52,81 +53,120 @@ if($_SESSION['profile']['points'] >= 50)
 	$lname = $_SESSION['profile']['lname'];
 	$suffix = $_SESSION['profile']['suffix'];
 ?>
-    <td class="DataTD" colspan="2" align="left">
-      <input type="radio" name="rootcert" value="1" checked /> <?=_("Sign by class 1 root certificate")?><br />
-      <input type="radio" name="rootcert" value="2" /> <?=_("Sign by class 3 root certificate")?><br />
-      <?=str_replace("\n", "<br />\n", wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"), 125))?>
-    </td>
-  </tr>
   <tr>
     <td class="DataTD" colspan="2" align="left">
-      <input type="radio" name="incname" value="0" checked /> <?=_("No Name")?><br />
-      <? if($fname && $lname) { ?><input type="radio" name="incname" value="1" /> <?=_("Include")?> '<?=$fname." ".$lname?>'<br /><? } ?>
-      <? if($fname && $mname && $lname) { ?><input type="radio" name="incname" value="2" /> <?=_("Include")?> '<?=$fname." ".$mname." ".$lname?>'<br /><? } ?>
-      <? if($fname && $lname && $suffix) { ?><input type="radio" name="incname" value="3" /> <?=_("Include")?> '<?=$fname." ".$lname." ".$suffix?>'<br /><? } ?>
-      <? if($fname && $mname && $lname && $suffix) { ?><input type="radio" name="incname" value="4" /> <?=_("Include")?> '<?=$fname." ".$mname." ".$lname." ".$suffix?>'<br /><? } ?>
+      <input type="radio" id="incname0" name="incname" value="0" checked="checked" />
+        <label for="incname0"><?=_("No Name")?></label><br />
+      <? if($fname && $lname) { ?>
+        <input type="radio" id="incname1" name="incname" value="1" />
+        <label for="incname1"><?=_("Include")?> '<?=$fname." ".$lname?>'</label><br />
+      <? } ?>
+      <? if($fname && $mname && $lname) { ?>
+        <input type="radio" id="incname2" name="incname" value="2" />
+        <label for="incname2"><?=_("Include")?> '<?=$fname." ".$mname." ".$lname?>'</label><br />
+      <? } ?>
+      <? if($fname && $lname && $suffix) { ?>
+        <input type="radio" id="incname3" name="incname" value="3" />
+        <label for="incname3"><?=_("Include")?> '<?=$fname." ".$lname." ".$suffix?>'</label><br />
+      <? } ?>
+      <? if($fname && $mname && $lname && $suffix) { ?>
+        <input type="radio" id="incname4" name="incname" value="4" />
+        <label for="incname4"><?=_("Include")?> '<?=$fname." ".$mname." ".$lname." ".$suffix?>'</label><br />
+      <? } ?>
     </td>
   </tr>
 <? } ?>
-<? if($_SESSION['profile']['points'] >= 100 && $_SESSION['profile']['codesign'] > 0) { ?>
+
   <tr>
     <td class="DataTD">
-      <input type="checkbox" name="codesign" value="1" />
+      <input type="checkbox" id="login" name="login" value="1" checked="checked" />
     </td>
     <td class="DataTD" align="left">
-      <?=_("Code Signing")?><br />
-      <?=_("Please Note: By ticking this box you will automatically have your name included in any certificates.")?>
+      <label for="login"><?=_("Enable certificate login with this certificate")?><br />
+      <?=_("By allowing certificate login, this certificate can be used to login into this account at https://secure.cacert.org/ .")?></label>
     </td>
   </tr>
-<? } ?>
-
   <tr>
+    <td class="DataTD" colspan="2" align="left">
+      <label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
+      <input type="text" id="description" name="description" maxlength="100" size="100" />
+    </td>
+  </tr>
+
+  <tr name="expertoff" style="display:none">
     <td class="DataTD">
-      <input type="checkbox" name="login" value="1" checked="checked" />
+      <input type="checkbox" id="expertbox" name="expertbox" onchange="showExpert(this.checked)" />
     </td>
-    <td class="DataTD"> <?=_("Enable certificate login with this certificate")?><br />
-      <?=_("By allowing certificate login, this certificate can be used to login into this account at https://secure.cacert.org/ .")?><br/>
+    <td class="DataTD" align="left">
+      <label for="expertbox"><?=_("Show advanced options")?></label>
     </td>
   </tr>
-  <tr>
-   <td class="DataTD" colspan="2" align="left">
-      <?=_("Optional comment, only used in the certificate overview")?><br />
-       <input type="text" name="description" maxlength="100" size="100" />
-   </td>
+
+<?
+if($_SESSION['profile']['points'] >= 50)
+{
+?>
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+      <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
+      <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label><br />
+      <?=str_replace("\n", "<br />\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 125))?>
+    </td>
   </tr>
+<? } ?>
 
-  <tr name="expertoff" style="display:none">
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+      <?=_("Hash algorithm used when signing the certificate:")?><br />
+      <?
+      foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
+      ?>
+        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
+        <label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label><br />
+      <?
+      }
+      ?>
+    </td>
+  </tr>
+
+<? if($_SESSION['profile']['points'] >= 100 && $_SESSION['profile']['codesign'] > 0) { ?>
+  <tr name="expert">
     <td class="DataTD">
-      <input type="checkbox" name="expertbox" onchange="showExpert(this.checked)" />
+      <input type="checkbox" id="codesign" name="codesign" value="1" />
     </td>
+    <td class="DataTD" align="left">
+      <label for="codesign"><?=_("Code Signing")?><br />
+      <?=_("Please note: By ticking this box you will automatically have your name included in the certificate.")?></label>
+    </td>
+  </tr>
+<? } ?>
+
+  <tr name="expert">
     <td class="DataTD">
-      <?=_("Show advanced options")?>
+      <input type="checkbox" id="SSO" name="SSO" value="1" />
+    </td>
+    <td class="DataTD" align="left">
+      <label for="SSO"><?=_("Add Single Sign On ID Information")?><br />
+      <?=str_replace("\n", "<br>\n", wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."), 125))?>
+      <a href="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a></label>
     </td>
   </tr>
 
   <tr name="expert">
-    <td class="DataTD" colspan="2" align="left">
-	<input type="radio" name="SSO" value="0" checked /> <?=_("No Single Sign On ID")?><br />
-	<input type="radio" name="SSO" value="1" /> <?=_("Add Single Sign On ID Information")?><br />
-	<?=str_replace("\n", "<br>\n", wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."), 125))?>
-	<a href="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a>
+    <td class="DataTD" colspan="2">
+      <label for="optionalCSR"><?=_("Optional Client CSR, no information on the certificate will be used")?></label><br />
+      <textarea id="optionalCSR" name="optionalCSR" cols="80" rows="5"></textarea>
     </td>
   </tr>
 
 
- <tr name="expert">
-    <td class="DataTD" colspan="2"><?=_("Optional Client CSR, no information on the certificate will be used")?></td>
- </tr>
- <tr name="expert">
-    <td class="DataTD" colspan="2"><textarea name="optionalCSR" cols="80" rows="5"></textarea></td>
- </tr>
- <tr>
+  <tr>
     <td class="DataTD">
-      <input type="checkbox" name="CCA" />
+      <input type="checkbox" id="CCA" name="CCA" />
     </td>
     <td class="DataTD" align="left">
-      <strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br />
-        <?=_("Please Note: You need to accept the CCA to proceed.")?>
+      <label for="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br />
+      <?=_("Please note: You need to accept the CCA to proceed.")?></label>
     </td>
   </tr>
   <tr>
@@ -154,4 +194,3 @@ function showExpert(a)
 }
 showExpert(false);
 </script>
-
diff --git a/www/styles/default.css b/www/styles/default.css
index a7ba2a8..4ddfbba 100644
--- a/www/styles/default.css
+++ b/www/styles/default.css
@@ -94,6 +94,14 @@ ul.no_indent {
 	padding: 0px;
 }
 
+.attach_ul {
+	margin-bottom: 0px;
+}
+
+.attach_ul + ul {
+	margin-top: 0px;
+}
+
 
 /***********************************************/
 /* Layout Divs                                 */
@@ -414,10 +422,6 @@ a.glink:hover {
 	color: #000000;
 }
 
-.story p {
-	padding: 0px 0px 10px 0px;
-}
-
 .story a.capsule {
 	font: bold 1em Arial,sans-serif;
 	color: #005FA9;