Reviewed-on: #18
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
- add more comprehensive message when a user does not select an email address or the SSO flag
- fix missing value for coll_found in emailcerts INSERT query
- handle database errors when the emailcerts INSERT query fails
This change fixes the client certificate login for cases where duplicate
serial numbers have been issued and recorded in the emailcerts table.
Email addresses from the client certificate are used as an additional
matching parameter.
- includes/lib/general.php got a new function
get_email_addresses_from_client_cert to create an array of email
addresses from the environment variables set by Apache httpd
- includes/loggedin.php and www/index.php use the new function to pass
email addresses to the get_user_id_from_cert function
- get_user_id_from_cert in includes/lib/general.php has been enhanced to
use a JOIN over the emailcerts, root_certs and email tables. All
parameters are escaped via mysql_real_escape_string
- SQL errors in get_user_id_from_cert are now handled
- a match from get_user_id_from_cert is only returned when there is
exactly one row in the result set
The code and the used query have been tested with Apache 2.4.10 and PHP
5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a
container based test setup to match the current production setup as
close as possible.
This change removes locale/cv.c. It does not seem to be used anywhere in
the current system. None of the current critical team members knows
about its history. It might have been replaced by
locale/escape_special_chars.php long ago.
This commit introduces a fix for wrongly inserted email addresses that
have a memid=0 field because of MariaDB's strict mode that was enabled
after moving from MySQL to MariaDB.
Fixes https://bugs.cacert.org/view.php?id=1543
2 years ago
18 changed files with 435 additions and 330 deletions
@ -156,7 +156,7 @@ function buildSubjectFromSession() {
$emailid = mysql_insert_id();
$body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates to your heart's content!")."\n\n";
@ -514,7 +520,7 @@ function buildSubjectFromSession() {
{
$id = 4;
showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
} else {
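Review bot: the failure message on the changed `printf` line is duplicated, wiki link included, in the other hunks of this file, so the scheme had to be edited at every copy. Moving the message and the `https://wiki.cacert.org/wiki/FAQ/CertificateRenewal` URL into one helper or constant would keep the next link change to a single place and avoid missing a copy.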
@ -665,7 +671,7 @@ function buildSubjectFromSession() {
$domainid = mysql_insert_id();
$body = sprintf(_("Below is the link you need to open to verify your domain '%s'. Once your address is verified you will be able to start issuing certificates to your heart's content!"),$_SESSION['_config']['domain'])."\n\n";
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
}
@ -852,7 +858,7 @@ function buildSubjectFromSession() {
{
$id = 11;
showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
} else {
@ -938,7 +944,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else {
$drow = mysql_fetch_assoc($res);
$crt_name = escapeshellarg($drow['crt_name']);
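Review bot: `mysql_num_rows($res)` in the context above the changed `printf` runs without a check that `mysql_query($query)` succeeded. A failed query and an empty result set both end in the generic "failed to be processed" message. Testing `$res === false` first and logging `mysql_error()` would separate the two cases, in line with the SQL error handling the commit message describes for `get_user_id_from_cert`.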
@ -1102,7 +1108,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else {
printf(_("Certificate for '%s' has been renewed."), $row['CN']);
@ -1656,7 +1662,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0)
{
showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
} else {
@ -1912,7 +1918,7 @@ function buildSubjectFromSession() {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
}
@ -2010,7 +2016,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0)
{
showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter();
exit;
} else {
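Review bot: on the changed `printf` line, `$CSRid` is interpolated into the format string (`." CSRid: $CSRid"`) instead of being passed as an argument. Any `%` in the value would be read as a conversion specification, and the value reaches the page without HTML escaping. Prefer a `%d` placeholder (or `%s` with `htmlspecialchars`) and pass the value as a parameter. The `newid: $newid` line in the next hunk follows the same pattern.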
@ -2082,7 +2088,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else {
$drow = mysql_fetch_assoc($res);
$crtname = escapeshellarg($drow['crt_name']);
@ -2892,7 +2898,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0)
{
showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<ahref='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
'info' => '',
),
'sha384' => array(
'name' => 'SHA-384',
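Review bot: replacing the GnuTLS compatibility hint with `'info' => ''` for the entry before `sha384` leaves an empty description in the array. Please confirm that the form code iterating over `HashAlgorithms::getInfo()` skips an empty `info` value rather than rendering an empty element, and note in the commit message why the recommendation text was dropped.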
@ -128,7 +128,7 @@ class HashAlgorithms {
),
'sha512' => array(
'name' => 'SHA-512',
'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
<h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3>
<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
<p><?=_("Once you decide to subscribe for an SSL Client Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for a Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?><ahref="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p>
<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Client Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?><ahref="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p>
<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
<h4><?=_("There is a new method for generating a CSR for this page.")?></h5>
<p><?=_("It is completely described in https://wiki.cacert.org/TutorialsHowto/Generate-new-CSR, which you should follow. At the point where it says \"Copy CSR to Clipboard\" do that and come back to this page and paste the result into the textbox at the bottom of this page.")?></p>
<p><ahref='https://community.cacert.org/clientcert'target=_blank><?=_("Here is a link to that procedure. It will open in a new tab.")?></a></p>
<?
$query = "select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 and `hash`=''";
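Review bot: the new heading line opens with `<h4>` and closes with `</h5>`, which is invalid markup; use the same level for both tags. Two further points in this block: the new link with `target=_blank` has no `rel="noopener"`, and the text names `https://wiki.cacert.org/TutorialsHowto/Generate-new-CSR` while the link below it points to `https://community.cacert.org/clientcert`, so it is unclear which procedure the user should follow. The `cps.php` link on the changed "SSL Client Certificate" line also still uses `http://` although this change moves other links to `https://`.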
<inputtype="radio"id="root1"name="rootcert"value="1"/><labelfor="root1"><?=_("Sign by class 1 root certificate")?></label><br/>
<inputtype="radio"id="root2"name="rootcert"value="2"checked="checked"/><labelfor="root2"><?=_("Sign by class 3 root certificate")?></label><br/>
<?=str_replace("\n","<br />\n",wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."),125))?>
</td>
</tr>
<?}?>
<trname="expert">
<tdclass="DataTD"colspan="2"align="left">
<?=_("Hash algorithm used when signing the certificate:")?><br/>
<?
foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
<?=_("Please note: By ticking this box you will automatically have your name included in the certificate.")?></label>
</td>
</tr>
<tr>
<tdclass="DataTD"colspan="2"align="left">
<inputtype="radio"id="root1"name="rootcert"value="1"/><labelfor="root1"><?=_("Sign by class 1 root certificate")?></label><br/>
<inputtype="radio"id="root2"name="rootcert"value="2"checked="checked"/><labelfor="root2"><?=_("Sign by class 3 root certificate")?></label><br/>
<?=str_replace("\n","<br />\n",wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."),125))?>
<labelfor="SSO"><?=_("Add Single Sign On ID Information")?><br/>
<?=str_replace("\n","<br>\n",wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."),125))?>
<ahref="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a></label>
</td>
</tr>
<trname="expert">
<tdclass="DataTD"colspan="2">
<labelfor="optionalCSR"><?=_("Optional Client CSR, no information on the certificate will be used")?></label><br/>
<labelfor="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
<?=_("Please note: You need to accept the CCA to proceed.")?></label>
<labelfor="SSO"><?=_("Add Single Sign On ID Information")?><br/>
<?=str_replace("\n","<br>\n",wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."),125))?>
<ahref="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a></label>
<labelfor="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br/>
<?=_("Please note: You need to accept the CCA to proceed.")?></label>
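Review bot: the `SSO WIKI Entry` link in the moved SSO block still points to `http://wiki.cacert.org/wiki/SSO`, while the wiki links in the other files of this change were switched to `https://`. Since the block is being touched anyway, update the scheme here as well.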
$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
@ -99,13 +99,7 @@ Please see <a href='http://www.privacy.gov.au/'>http://www.privacy.gov.au/</a> f
Governmental warrants and civil supoenas will be processed through the dispute resolution system, which ensures that valid authority is given to whoever complies with the supoena or the warrant.
</p>
<p>If you need to contact us in writing, address your mail to:</p>
<p>
CAcert Inc.<br/>
PO Box 66 <br/>
Oatley NSW 2223<br/>
Australia
<p>If you need to contact us in writing, address your mail to the postal address of CAcert Inc. The current postal address of Cacert Inc. can be found on CAcert's web site.
</p>
<p><ahref="http://validator.w3.org/check?uri=referer"><imgsrc="images/valid-html50-blue.png"alt="Valid HTML 5"height="31"width="88"></a></p>
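Review bot: the replacement sentence spells the name as "Cacert Inc." in its second occurrence, while the rest of the page uses "CAcert Inc."; keep the capitalization consistent. The sentence also tells readers the postal address "can be found on CAcert's web site" without linking to the page that carries it, so a link to that location would make the privacy policy usable on its own.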