"CAcert ignores signature algorithm from csr".
This patch introduces the UI for our members to choose which signature
algorithm they want their certificates signed with. Among the choices
are SHA-256, SHA-384 and SHA-512. Further choices may be included as our
signer and web frontend permit.
<?php
class HashAlgorithms {
    /**
     * Information about the supported hash algorithms, returned as an
     * array indexed by hash identifier:
     * - [$hash_identifier]['name'] = Name that should be displayed in UI
     * - [$hash_identifier]['info'] = Additional information that can help
     *       with the selection of a suitable algorithm
     *
     * @return array
     */
    public static function getInfo() {
        return array(
            'sha256' => array(
                'name' => 'SHA-256',
                'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
            ),
            'sha384' => array(
                'name' => 'SHA-384',
                'info' => '',
            ),
            'sha512' => array(
                'name' => 'SHA-512',
                'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
            ),
        );
    }

    /**
     * Check if the input is a supported hash algorithm identifier otherwise
     * return the identifier of the default hash algorithm
     *
     * @param string $hash_identifier
     * @return string The cleaned identifier
     */
    public static function clean($hash_identifier) {
        if (array_key_exists($hash_identifier, self::getInfo() )) {
            return $hash_identifier;
        }
        // Anything else (unknown, empty, wrong case) falls back to the default.
        // The default identifier is not shown in this excerpt; 'sha256', the
        // algorithm getInfo() describes as currently recommended, is assumed.
        return 'sha256';
    }
}
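The point of `clean()` is that the hash algorithm handed to the signer is chosen from a fixed server-side list, not taken from the CSR or from whatever string the browser posts. The following added example (not CAcert's code; `HashAlgorithms` is restated from the class above) shows the two places that list is used: rendering the radio buttons the templates below start with `foreach (HashAlgorithms::getInfo() ...)`, and reducing the submitted value to a supported identifier. The default `sha256`, the form field name `hash_alg` and the two helper functions are assumptions.

```php
<?php
// Added example, not part of the CAcert frontend: whitelist the signature
// hash algorithm selected in the certificate request form.

if (!function_exists('_')) {
    // Stand-in for gettext's _() so the example runs without the extension.
    function _($text) { return $text; }
}

class HashAlgorithms {
    // Assumed default: the algorithm getInfo() marks as currently recommended.
    public static $default = 'sha256';

    public static function getInfo() {
        return array(
            'sha256' => array('name' => 'SHA-256',
                'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.')),
            'sha384' => array('name' => 'SHA-384', 'info' => ''),
            'sha512' => array('name' => 'SHA-512',
                'info' => _('Highest protection against hash collision attacks of the algorithms offered here.')),
        );
    }

    // Only exact keys of getInfo() pass; everything else becomes the default.
    public static function clean($hash_identifier) {
        if (array_key_exists($hash_identifier, self::getInfo())) {
            return $hash_identifier;
        }
        return self::$default;
    }
}

/**
 * Render one radio button per supported algorithm (assumed field name
 * "hash_alg"). Identifiers come only from getInfo(), and every value that
 * reaches the HTML is escaped.
 */
function renderHashAlgorithmSelector($selected) {
    $selected = HashAlgorithms::clean($selected);
    $html = _("Hash algorithm used when signing the certificate:") . "<br/>\n";
    foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
        $value   = htmlspecialchars($algorithm, ENT_QUOTES);
        $id      = 'hash_alg_' . $value;
        $checked = ($algorithm === $selected) ? ' checked="checked"' : '';
        $label   = htmlspecialchars($display_info['name'], ENT_QUOTES);
        if ($display_info['info'] !== '') {
            $label .= ' (' . htmlspecialchars($display_info['info'], ENT_QUOTES) . ')';
        }
        $html .= sprintf('<input type="radio" id="%s" name="hash_alg" value="%s"%s/>'
                       . '<label for="%s">%s</label><br/>' . "\n",
                         $id, $value, $checked, $id, $label);
    }
    return $html;
}

/**
 * Decide which algorithm the signer is told to use. The value is taken
 * from the submitted form, never from the CSR, and is reduced to one of
 * the supported identifiers before it goes anywhere near the signer.
 */
function acceptedHashAlgorithm(array $post) {
    $requested = isset($post['hash_alg']) ? (string) $post['hash_alg'] : '';
    return HashAlgorithms::clean($requested);
}

// Constructed sample submissions: a valid choice, an unsupported algorithm,
// a case-mismatched identifier and a missing field. Only the first survives;
// the others are mapped to the default rather than rejected.
foreach (array(
    array('hash_alg' => 'sha512'),
    array('hash_alg' => 'md5'),
    array('hash_alg' => 'SHA256'),
    array(),
) as $post) {
    $shown = isset($post['hash_alg']) ? $post['hash_alg'] : null;
    printf("%-10s -> %s\n", var_export($shown, true), acceptedHashAlgorithm($post));
}

echo renderHashAlgorithmSelector('sha384');
```

Run it with `php example.php`. Note that `clean()` silently substitutes the default for a bad value; a deployment that wants to surface tampering rather than paper over it would compare the cleaned result with the submitted string and log a mismatch before signing.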
<p><?=_("If you are a valid organisation and would like the organisation name in the certificates you can apply for an organisation assurance. Contact us via support@cacert.org for more information.")?></p>
<form method="post" action="account.php">
<p><label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br/>
<label for="root2"><?=_("Sign by class 3 root certificate")?></label>
</li>
</ul>
<p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
<? } ?>
<p><?=_("Optional comment, only used in the certificate overview")?><br>
<p><input type="checkbox" name="CCA"/><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
<?=_("Please Note: You need to accept the CCA to proceed.")?></p>
<p><input type="checkbox" id="CCA" name="CCA"/><label for="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
<?=_("Please note: You need to accept the CCA to proceed.")?></label></p>
<input type="radio" id="root1" name="rootcert" value="1"/><label for="root1"><?=_("Sign by class 1 root certificate")?></label><br/>
<input type="radio" id="root2" name="rootcert" value="2" checked="checked"/><label for="root2"><?=_("Sign by class 3 root certificate")?></label><br/>
<?=str_replace("\n","<br>\n",wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."),60))?>
</td>
</tr>
<tr name="expert">
<td class="DataTD" colspan="2" align="left">
<input type="radio" name="rootcert" value="1" checked/><?=_("Sign by class 1 root certificate")?><br/>
<?=_("Hash algorithm used when signing the certificate:")?><br/>
<input type="radio" name="rootcert" value="2"/><?=_("Sign by class 3 root certificate")?><br/>
<?
<?=str_replace("\n","<br>\n",wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"),60))?>
foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
<form method="post" action="account.php">
<input type="radio" name="rootcert" value="1"/><?=_("Sign by class 1 root certificate")?><br/>
<p><label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br/>
<input type="radio" name="rootcert" value="2" checked/><?=_("Sign by class 3 root certificate")?><br/>
<label for="root2"><?=_("Sign by class 3 root certificate")?></label>
</li>
</ul>
<p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
<input type="radio" name="rootcert" value="1" checked/><?=_("Sign by class 1 root certificate")?><br/>
<input type="radio" name="rootcert" value="2"/><?=_("Sign by class 3 root certificate")?><br/>
<?=str_replace("\n","<br />\n",wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"),125))?>
<input type="radio" id="root1" name="rootcert" value="1"/><label for="root1"><?=_("Sign by class 1 root certificate")?></label><br/>
<input type="radio" id="root2" name="rootcert" value="2" checked="checked"/><label for="root2"><?=_("Sign by class 3 root certificate")?></label><br/>
<?=str_replace("\n","<br />\n",wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."),125))?>
</td>
</tr>
<? } ?>
<tr name="expertoff" style="display:none">
<tr name="expert">
<td class="DataTD" colspan="2" align="left">
<?=_("Hash algorithm used when signing the certificate:")?><br/>
<?
foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
<label for="SSO"><?=_("Add Single Sign On ID Information")?><br/>
<?=str_replace("\n","<br>\n",wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."),125))?>
<a href="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a></label>
</td>
</tr>
<tr name="expert">
<td class="DataTD" colspan="2" align="left">
<td class="DataTD" colspan="2">
<input type="radio" name="SSO" value="0" checked/><?=_("No Single Sign On ID")?><br/>
<label for="optionalCSR"><?=_("Optional Client CSR, no information on the certificate will be used")?></label><br/>
<input type="radio" name="SSO" value="1"/><?=_("Add Single Sign On ID Information")?><br/>
<?=str_replace("\n","<br>\n",wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."),125))?>
<a href="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a>
</td>
</tr>
<tr name="expert">
<tr>
<td class="DataTD" colspan="2"><?=_("Optional Client CSR, no information on the certificate will be used")?></td>
<strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
<label for="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
<?=_("Please Note: You need to accept the CCA to proceed.")?>
<?=_("Please note: You need to accept the CCA to proceed.")?></label>