Compare commits


59 commits

Author SHA1 Message Date
c4aa189a0f Merge pull request 'Add a contribution guide' (!32) from add-a-contribution-guide into main
Reviewed-on: #32
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-10-17 22:45:50 +00:00
d6baac39d6 Add a section explaining the OpenID connect link 2024-10-08 09:02:20 +02:00
afcf1b5d37 Add missing closing quote 2024-10-08 08:58:19 +02:00
12fdf40cda Merge pull request 'Implement warning thresholds for OpenPGP' (!31) from unify-behaviour-of-x509-and-gpg-retries into main
Reviewed-on: #31
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-10-07 20:59:40 +00:00
3a3dae868e Merge pull request 'Fix server cert expiry queries' (!29) from fix-user-deletion-sql into main
Reviewed-on: #29
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-10-05 19:26:37 +00:00
fae023e712 Add a contribution guide
This commit adds an initial version of a contribution guide to help new
contributors.
2024-10-05 18:25:39 +02:00
de3cf38c5d Implement warning thresholds for OpenPGP
This patch fixes https://bugs.cacert.org/view.php?id=1530 by adding the same
warning threshold behaviour for OpenPGP signing requests that exists for
X.509 signing requests.

The warning threshold has been moved to a variable. The SQL statements are
created using an sprintf statement to avoid potential SQL injections that may
get introduced by setting the warning_threshold variable to an invalid value.

Fixes #1530
2024-10-05 17:24:49 +02:00
18ffb1b781 Fix server cert expiry queries
Addresses #1544
2024-10-05 09:55:10 +02:00
efe24df995 Merge pull request 'Add policy/CCA mail script for 2024-09-25 mailing' (!28) from send-policy-cca-script-202409 into main
Reviewed-on: #28
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-10-01 09:17:03 +00:00
6c40447437 Merge pull request 'Ignore generated files' (!27) from ignore-generated-files into main
Reviewed-on: #27
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-10-01 09:12:09 +00:00
bb4d099ea1 Add policy/CCA mail script for 2024-09-25 mailing
Signed-off-by: Jan Dittberner <jandd@cacert.org>
2024-10-01 10:56:43 +02:00
685ff8f2b8 Ignore generated files
- ignore multiple files from production (CommModule logs and debug
  output), tarballs, lastid files from scripts
- ignore files that are left over by patch, vim and JetBrains IDEs
  during development
2024-10-01 10:51:42 +02:00
7d0cb00de2 Merge pull request 'Fix user deletion' (!26) from fix-user-deletion into main
Reviewed-on: #26
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-09-30 18:54:35 +00:00
07b1cd75fc Merge pull request 'Fix cats_import' (!25) from fix-cats-importer into main
Reviewed-on: #25
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-09-30 18:54:16 +00:00
56c3a8a391 Fix user deletion
Fixes #1544
2024-09-30 08:32:38 +02:00
bba0b479d5 Fix cats_import
- compare the client certificate email address directly instead of
  trying to match DN parts
- improve handling of IP addresses
2024-09-21 10:27:54 +02:00
4edf5c0cc5 Merge pull request 'Corrected language. This is the New Client Certificate page, but has the New Server Certificate language.' (!19) from bug-1559 into main
Reviewed-on: #19
Reviewed-by: Jan Dittberner <jandd@cacert.org>
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-08-06 20:03:05 +00:00
fd29a02049 Merge branch 'main' into bug-1559 2024-08-06 20:02:47 +00:00
1d41eedc27 Merge pull request 'Updated text as per #bug-1537' (!24) from bug-1537 into main
Reviewed-on: #24
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Jan Dittberner <jandd@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-08-06 19:59:36 +00:00
bb8fd1519b Merge pull request 'Adjusted wording as per https://lists.cacert.org/wws/arc/cacert-policy/2020-09/msg00008.html' (!21) from bug-1560 into main
Reviewed-on: #21
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-08-06 19:58:52 +00:00
2ca4b1aab8 Updated text as per #bug-1537
Edited CCA, Privacy Policy and RDL text to remove references to Australia.
2024-06-12 22:39:41 -04:00
Brian McCullough
c4b9c6370e Adjusted wording as per https://lists.cacert.org/wws/arc/cacert-policy/2020-09/msg00008.html 2024-06-01 22:42:42 -04:00
Brian McCullough
5989e8adad Corrected label on CSR text box. 2024-05-29 08:40:40 -04:00
16a05fff74 Corrected language. This is the New Client Certificate page, but has the New Server Certificate language. 2024-05-24 14:03:39 -04:00
06aee033a7 Merge pull request 'Replace http links with https' (!18) from use-https-for-verification-links into main
Reviewed-on: #18
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-20 10:46:40 +00:00
c61f0c4519 Merge branch 'main' into use-https-for-verification-links 2024-05-20 10:46:16 +00:00
408796eaf0 Merge pull request 'Improve client certificate issuing' (!17) from fix-client-cert-issues into main
Reviewed-on: #17
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-20 10:46:01 +00:00
844eb0fbf3 Merge branch 'main' into fix-client-cert-issues 2024-05-20 10:42:51 +00:00
abfce60ed4 Merge pull request 'Fix client certificate login' (!16) from fix-client-certificate-login into main
Reviewed-on: #16
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-20 10:35:30 +00:00
44987425dc Merge branch 'main' into fix-client-certificate-login 2024-05-20 10:35:19 +00:00
e021736c47 Merge pull request 'Add maintenance query to remove memid=0 emails' (!2) from fix-email-address-maintenance-bug-1543 into main
Reviewed-on: #2
Reviewed-by: Brian Mc Cullough <bmccullough@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-20 10:34:39 +00:00
66daeb6fcd Merge branch 'main' into fix-email-address-maintenance-bug-1543 2024-05-20 10:34:13 +00:00
9626e7f6fc Fix initial index for email SAN lookup 2024-05-05 21:32:20 +02:00
5f89d48036 Remove leftover header call 2024-05-05 21:22:16 +02:00
3bf254e237 Use https links instead of http for registration 2024-05-05 20:16:09 +02:00
0f75bdcdac Use https links instead of http 2024-05-05 20:16:09 +02:00
9a672e9bf9 Improve client certificate issuing
- add more comprehensive message when a user does not select an email address or the SSO flag
- fix missing value for coll_found in emailcerts INSERT query
- handle database errors when the emailcerts INSERT query fails
2024-05-05 20:13:37 +02:00
560be526c4 Fix client certificate login
This change fixes the client certificate login for cases where duplicate
serial numbers have been issued and recorded in the emailcerts table.

Email addresses from the client certificate are used as an additional
matching parameter.

- includes/lib/general.php got a new function
  get_email_addresses_from_client_cert to create an array of email
  addresses from the environment variables set by Apache httpd
- includes/loggedin.php and www/index.php use the new function to pass
  email addresses to the get_user_id_from_cert function
- get_user_id_from_cert in includes/lib/general.php has been enhanced to
  use a JOIN over the emailcerts, root_certs and email tables. All
  parameters are escaped via mysql_real_escape_string
- SQL errors in get_user_id_from_cert are now handled
- a match from get_user_id_from_cert is only returned when there is
  exactly one row in the result set

The code and the used query have been tested with Apache 2.4.10 and PHP
5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a
container based test setup to match the current production setup as
close as possible.
2024-05-05 20:08:53 +02:00
e2f9138035 Merge pull request 'Ignore files that are dynamically generated' (!12) from update-gitignore into main
Reviewed-on: #12
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-04 13:42:35 +00:00
443467c435 Merge pull request 'Add class 3 root-certificates signed in 2021' (!13) from add-2021-class3-certificate-files into main
Reviewed-on: #13
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-04 13:41:26 +00:00
6e23a0bd87 Merge pull request 'Use Digest::SHA instead of removed Digest::SHA1' (!14) from fix-sha-digest-import into main
Reviewed-on: #14
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-04 13:39:03 +00:00
f14c9ad991 Merge pull request 'Remove locale/cv.c' (!15) from remove-unused-c-code into main
Reviewed-on: #15
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2024-05-04 13:37:24 +00:00
6d2da10fa2 Remove locale/cv.c
This change removes locale/cv.c. It does not seem to be used anywhere in
the current system. None of the current critical team members knows
about its history. It might have been replaced by
locale/escape_special_chars.php long ago.
2024-05-04 10:10:02 +02:00
5d9c8689cc Use Digest::SHA instead of removed Digest::SHA1
This fixes the Digest import in server.pl. Digest::SHA1 has long been
replaced by the more generic Digest::SHA.
2024-05-03 20:00:23 +02:00
6e3549c21a Add class 3 certificates signed in 2021
These files have been referenced in pages/index/3.php since commit
bf7dcbd0
2024-05-03 19:58:42 +02:00
03b6d7c4bf Ignore files that are dynamically generated 2024-05-03 19:54:16 +02:00
0dc3bd7626 Merge pull request 'Redirect to code.cacert.org for source code' (!11) from feature/replace-static-tarballs-with-code-reference into main
Reviewed-on: #11
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2023-09-17 09:18:01 +00:00
bf2ab338d1 Merge pull request 'Remove opinionated comments on hash algorithms' (!10) from bugfix/remove-opinionated-hash-algorithm-descriptions into main
Reviewed-on: #10
2023-09-17 09:12:18 +00:00
62dc71fb4d Redirect to code.cacert.org for source code 2023-09-17 11:11:03 +02:00
f6831c82af Remove opinionated comments on hash algorithms 2023-09-17 11:04:02 +02:00
efb9f4b461 Merge pull request 'Add missing closing a tag for link' (#9) from add-closing-tag-for-csr-app-link into main
Reviewed-on: #9
2023-09-17 08:59:39 +00:00
ccd5273c7b Add missing closing a tag for link 2023-09-17 10:49:48 +02:00
37fd9a3127 Merge pull request 'bugfix/1551-link-to-csr-app' (#8) from bugfix/1551-link-to-csr-app into main
Reviewed-on: #8
Reviewed-by: Dirk Astrath <dirk@cacert.org>
2023-09-17 08:42:03 +00:00
3ecb1a6d1a Enable expert options by default
addresses https://bugs.cacert.org/view.php?id=1551
2023-09-16 21:28:23 +02:00
91f7e11751 Add link to new CSR generator application
addresses https://bugs.cacert.org/view.php?id=1551
2023-09-16 21:27:10 +02:00
df612b08ba Merge branch 'main' into fix-email-address-maintenance-bug-1543 2023-09-16 14:45:51 +00:00
6ddce57ded Merge branch 'main' into fix-email-address-maintenance-bug-1543 2023-07-16 20:27:35 +00:00
508226374a Merge branch 'master' into fix-email-address-maintenance-bug-1543 2022-09-19 15:14:14 +00:00
733949e467 Add maintenance query to remove memid=0 emails
This commit introduces a fix for wrongly inserted email addresses that
have a memid=0 field because of MariaDB's strict mode that was enabled
after moving from MySQL to MariaDB.

Fixes https://bugs.cacert.org/view.php?id=1543
2022-07-07 18:18:40 +02:00
22 changed files with 867 additions and 353 deletions

20
.gitignore vendored

@ -5,3 +5,23 @@
# Ignore file with the account data # Ignore file with the account data
/password.dat /password.dat
*.orig
*.rej
.*.swp
/.idea/
/CommModule/*-active
/CommModule/infogpg.txt
/CommModule/logfile*txt
/CommModule/nohup*
/CommModule/nohup.out
/CommModule/oldlogs/
/CommModule/serialserver.conf
/crt/
/csr/
/locale/cv
/pages/index/feed.rss
/scripts/*_lastid.txt
/tarballs
/www/*.crl
/www/*.crl.patch
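Review bot: `/CommModule/nohup.out` is already matched by the `/CommModule/nohup*` pattern on the line above it, so one of the two entries can be dropped. The remaining entries match the commit message (production logs and debug output, tarballs, lastid files, leftovers from patch, vim and JetBrains IDEs), and `/locale/cv` pairs with the removal of `locale/cv.c` elsewhere in this comparison.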

196
CONTRIBUTING.md Normal file

@ -0,0 +1,196 @@
# Contributing to the CAcert code base
This short guide will help you to get your contributions into the cacert-webdb
code base.
## Checking the bug tracker
CAcert tracks bugs in the bug tracker at https://bugs.cacert.org/. Please look
whether the change you want to contribute addresses any of the issues there.
The bug tracker is linked from the "Issues" link on
https://code.cacert.org/cacert/cacert-webdb.
## Clone the repository
You need a local working copy to contribute changes. Get a clone using a git
client of your choice. The following shell snippets use the official git
command line client that can be installed from common Linux distribution
repositories or can be downloaded or installed from [the Git project
website](https://git-scm.com/downloads).
```shell
# go to where you usually store your code or projects
cd ~/projects
# clone the repository
git clone https://code.cacert.org/cacert/cacert-webdb.git
```
## Create a local bugfix branch
Get the latest changes from the original repository before you start
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# fetch all recent changes (not needed if you just cloned the repository)
# -p removes local copies of branches that are no longer available in the
# main repository
git fetch --all -p
```
Create a new bugfix branch based on the origin/main branch. The main branch is
where all changes are merged before they are deployed in production.
```
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# create a new branch from the main branch
git checkout -b the-descriptive-name-for-your-change origin/main
```
## Edit code / documentation
Make sure that you do the minimal required changes to the code or documentation
files, this will make life of reviewers easier. Avoid whitespace changes and
code reformatting that are not related to the lines that you change. Code
reformatting should be performed in separate branches and pull requests that
contain no other changes.
Try to keep your changes small and isolated. A pull request (PR) should focus
on a single purpose.
Code comments should be used to explain the "Why" of code. It does not make
sense to comment things that are obvious from the code itself:
```php
// BAD EXAMPLE, don't do this
// print Hello
print("Hello");
```
## Commit your changes
Commit the changes that you made to your local branch. Please provide a
[meaningful commit message](https://chris.beams.io/posts/git-commit/) and
reference the bug number from the [Bug tracker](https://bugs.cacert.org/) when
you contribute to fix any of the issues.
```shell
git add .
git commit -m "Fix foo in bla subsystem
This commit does XYZ to address ABC.
Address #<number>"
```
You may add more commits but please make sure that you only do changes required
for the specific contribution. Please use new branches for other
features/bugfixes (see above).
## Contribute your changes
There are two ways to contribute changes. You can either push your branch to
https://code.cacert.org/cacert/cacert-webdb or you can upload a series of patches to
the bug tracker. Pushing the changes to https://code.cacert.org/ is the
preferred variant as it makes life of reviewers easier.
If it took a while to prepare your changes you should rebase your branch on the
latest changes in the CAcertOrg/cacert-devel release branch:
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
git fetch --all -p
git rebase origin/main
```
You might need to fix merge conflicts in case you changed the same lines as
another contributor. A introduction to merge conflict handling can be found in
the [Git Book](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts).
Please be aware that all of us are volunteers. It might take a while until we
find the time to review and merge your changes.
### Create a pull request on code.cacert.org
You need a user account on code.cacert.org to contribute changes. If you don't
have an account yet send a mail to code-admin@cacert.org and include:
* your full name
* an email address
* a desired short username (up to 16 characters)
* a short introduction about you, if you are not yet known to other members of
the software team
An administrator will create an account for you and give you access to the
repositories. When you have received the welcome mail from the administrator
you should login to https://code.cacert.org/ and set your password.
Once you logged in using your password you may choose to add OpenID Connect
authentication to your account. Visit the
[Security](https://code.cacert.org/user/settings/security) settings of your
account and click on "Link account" and choose "cacert-oidc". You can then use
a CAcert client certificate and use the "Sign in with cacert-oidc" option for
future logins to the code.cacert.org application.
After this onboarding procedure you can push changes to the repository and
create pull requests.
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# push your changes
git push -u origin the-descriptive-name-for-your-change
```
The response to the push command will contain a short description and a link to
create a pull request. Please follow that link or go to
https://code.cacert.org/cacert/cacert-webdb/pulls to create a new pull request
from your branch to the main branch.
The code.cacert.org system will suggest a short description based on your
commit messages, you should add more information if you think that reviewers
will need some context to understand your pull requests' intent.
### Submit a series of patches for the bug tracker
If you have reasons not to use the pull request workflow you may create a
series of patches for your changes. Please be aware that this makes reviews
harder and may delay merging the changes.
To create a series of patches use the following:
```shell
# go to your local copy of the cacert-webdb repository
cd ~/projects/cacert-webdb
# fetch the latest changes if it has been a while
git fetch --all -p
# create a patch series and write the patches to the /tmp/ directory
git format-patch -o /tmp origin/main..the-descriptive-name-for-your-change
```
The git format-patch command will output the patch file names, similar to this:
```text
/tmp/0001-Change-the-files-for-me.patch
/tmp/0002-Update-the-documentation.patch
```
To submit this open the corresponding issue in [the bug
tracker](https://bugs.cacert.org/) and attach the patch files to the bug
report. Please add a descriptive comment to help reviewers understand what you
have changed.
## What next?
Once you have submitted your pull request or patch files you need to wait for
reviews. If your changes look ok they will be merged into the main branch.
Deployments to the production system are usually done close to the merges and
will be marked using git tags.
If reviewers ask you for changes to your pull requests please use your local
copy of the cacert-webdb code, add new commits to your branch and push them as
described above. The git format-patch workflow is a bit harder. You will need
to create a new patch series based on what you have submitted before and will
need to attach the new patch(es) to the bug tracker.
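Review bot: the rebase paragraph tells contributors to rebase on "the CAcertOrg/cacert-devel release branch" while the snippet directly below it and the rest of the guide use `origin/main` of cacert-webdb; reword the sentence to name `origin/main` so prose and commands agree. Two smaller points: the fence around `git checkout -b the-descriptive-name-for-your-change origin/main` is the only one without a `shell` tag, and "A introduction to merge conflict handling" should read "An introduction". Since the guide asks for minimal, focused changes, `git add .` in the commit example stages everything in the working tree; `git add -p` or naming the changed files explicitly would match that advice better.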

View file

@ -40,6 +40,9 @@ my $paranoid=1;
my $debug=0; my $debug=0;
# number of attempts before giving up
my $warn_threshold = 3;
#my $serialport="/dev/ttyS0"; #my $serialport="/dev/ttyS0";
my $serialport="/dev/ttyUSB0"; my $serialport="/dev/ttyUSB0";
@ -734,7 +737,9 @@ sub HandleCerts($$)
SysLog "HandleCerts $table\n"; SysLog "HandleCerts $table\n";
my $sth = $dbh->prepare("select * from $table where crt_name='' and csr_name!='' and warning<3"); my $sth = $dbh->prepare(sprintf(
"select * from %s where crt_name='' and csr_name!='' and warning<%d", $table, $warn_threshold
));
$sth->execute(); $sth->execute();
#$rowdata; #$rowdata;
while ( my $rowdata = $sth->fetchrow_hashref() ) while ( my $rowdata = $sth->fetchrow_hashref() )
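Review bot: `%d` formats `$warn_threshold` as an integer, which removes the injection path the commit message mentions, but a non-numeric value would silently become 0 and the select would then return nothing; consider checking that `$warn_threshold` is a positive integer where it is declared. `%s` for `$table` still interpolates the table name unquoted, so HandleCerts must only ever be called with the fixed table names from this script.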
@ -904,7 +909,7 @@ sub HandleCerts($$)
else else
{ {
SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n"); SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
$dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'"); $dbh->do(sprintf("update %s set warning=warning+1 where id=%d", $table, $row{'id'}));
} }
} }
} }
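Review bot: the rewritten update drops the backtick quoting of `$table` and `id` that the old statement had; that is harmless for the plain identifiers used here, but DBI placeholders would be the idiomatic way to keep values out of the SQL string, e.g. `$dbh->do("update $table set warning=warning+1 where id=?", undef, $row{'id'})`, and the same approach would serve the select in the previous hunk with `warning<?`.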
@ -1078,7 +1083,9 @@ sub sendRevokeMail()
sub HandleGPG() sub HandleGPG()
{ {
my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' "); my $sth = $dbh->prepare(sprintf(
"select * from gpg where crt='' and csr!='' and warning<%d", $warn_threshold
));
$sth->execute(); $sth->execute();
my $rowdata; my $rowdata;
while ( $rowdata = $sth->fetchrow_hashref() ) while ( $rowdata = $sth->fetchrow_hashref() )
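Review bot: the new `warning<%d` condition, together with the `warning=warning+1` update further down in HandleGPG, requires a `warning` column on the `gpg` table, and no schema change is part of this comparison; confirm the column exists in production (with a default of 0 for existing rows) before deploying, otherwise HandleGPG fails on its first query.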
@ -1144,7 +1151,7 @@ sub HandleGPG()
sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support"); sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
} else { } else {
SysLog("Could not find the issued gpg key. ".$row{"id"}."\n"); SysLog("Could not find the issued gpg key. ".$row{"id"}."\n");
#$dbh->do("delete from `gpg` where `id`='".$row{'id'}."'"); $dbh->do(sprintf("update gpg set warning=warning+1 where id=%d", $row{'id'}));
} }
} }
} }
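Review bot: replacing the commented-out delete with `warning=warning+1` gives OpenPGP requests the same bounded retry as X.509, but once a row reaches `$warn_threshold` it simply drops out of the select; the only trace is the per-attempt "Could not find the issued gpg key" SysLog line, so consider logging explicitly when the threshold is reached so that support can follow up on stuck requests.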

View file

@ -12,7 +12,7 @@ use File::CounterFile;
use Time::HiRes q(usleep); use Time::HiRes q(usleep);
use IPC::Open3; use IPC::Open3;
use File::Copy; use File::Copy;
use Digest::SHA1 qw(sha1_hex); use Digest::SHA qw(sha1_hex);
#Protocol version: #Protocol version:
my $ver=1; my $ver=1;
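Review bot: `Digest::SHA` exports `sha1_hex` with the same signature, so this is a drop-in replacement for the removed `Digest::SHA1` and no caller needs to change; the protocol still hashes with SHA-1, and `Digest::SHA` also provides `sha256_hex` should the protocol version ever be bumped.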

View file

@ -156,7 +156,7 @@ function buildSubjectFromSession() {
$emailid = mysql_insert_id(); $emailid = mysql_insert_id();
$body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates to your heart's content!")."\n\n"; $body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates to your heart's content!")."\n\n";
$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; $body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!"); $body .= _("Best regards")."\n"._("CAcert.org Support!");
sendmail($_REQUEST['email'], "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); sendmail($_REQUEST['email'], "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
@ -253,7 +253,8 @@ function buildSubjectFromSession() {
if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1') if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); ?><p><?= _("I didn't receive a valid Certificate Request, hit the back button and try again."); ?></p>
<p><?= _("You did not select any email address and did not check the SSO option."); ?></p><?
showfooter(); showfooter();
exit; exit;
} }
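Review bot: the added paragraph makes the failure reason clear to the user, but the unchanged condition still reads `$_REQUEST['SSO']` directly while `addid` is guarded with `array_key_exists`; when the form does not send `SSO`, the comparison raises an undefined-index notice. Guarding `SSO` the same way as `addid` would make the branch consistent.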
@ -495,8 +496,13 @@ function buildSubjectFromSession() {
`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
`rootcert`='".intval($_SESSION['_config']['rootcert'])."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."',
mysql_query($query); `coll_found`=0";
if (!mysql_query($query)) {
trigger_error("Query failed: " . mysql_errno() . ": " . mysql_error(), E_USER_ERROR);
}
$emailid = mysql_insert_id(); $emailid = mysql_insert_id();
if(is_array($addys)) if(is_array($addys))
foreach($addys as $addy) foreach($addys as $addy)
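Review bot: the new `if (!mysql_query($query))` branch passes `mysql_errno()` and `mysql_error()` straight into `trigger_error(..., E_USER_ERROR)`, so with `display_errors` enabled the database error text is shown in the user's browser; log that detail server-side and present a generic failure message instead. Setting `coll_found`=0 explicitly in the INSERT is the right fix for the missing value the commit message describes.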
@ -514,7 +520,7 @@ function buildSubjectFromSession() {
{ {
$id = 4; $id = 4;
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} else { } else {
@ -665,7 +671,7 @@ function buildSubjectFromSession() {
$domainid = mysql_insert_id(); $domainid = mysql_insert_id();
$body = sprintf(_("Below is the link you need to open to verify your domain '%s'. Once your address is verified you will be able to start issuing certificates to your heart's content!"),$_SESSION['_config']['domain'])."\n\n"; $body = sprintf(_("Below is the link you need to open to verify your domain '%s'. Once your address is verified you will be able to start issuing certificates to your heart's content!"),$_SESSION['_config']['domain'])."\n\n";
$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n"; $body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!"); $body .= _("Best regards")."\n"._("CAcert.org Support!");
sendmail($authaddy, "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); sendmail($authaddy, "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
@ -777,7 +783,7 @@ function buildSubjectFromSession() {
if(!file_exists($_SESSION['_config']['tmpfname'])) if(!file_exists($_SESSION['_config']['tmpfname']))
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} }
@ -852,7 +858,7 @@ function buildSubjectFromSession() {
{ {
$id = 11; $id = 11;
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} else { } else {
@ -938,7 +944,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query); $res = mysql_query($query);
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else { } else {
$drow = mysql_fetch_assoc($res); $drow = mysql_fetch_assoc($res);
$crt_name = escapeshellarg($drow['crt_name']); $crt_name = escapeshellarg($drow['crt_name']);
@ -1102,7 +1108,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query); $res = mysql_query($query);
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else { } else {
printf(_("Certificate for '%s' has been renewed."), $row['CN']); printf(_("Certificate for '%s' has been renewed."), $row['CN']);
echo "<br/>\n<a href='account.php?id=6&cert=$newid' target='_new'>". echo "<br/>\n<a href='account.php?id=6&cert=$newid' target='_new'>".
@ -1656,7 +1662,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} else { } else {
@ -1912,7 +1918,7 @@ function buildSubjectFromSession() {
if(!file_exists($_SESSION['_config']['tmpfname'])) if(!file_exists($_SESSION['_config']['tmpfname']))
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} }
@ -2010,7 +2016,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} else { } else {
@ -2082,7 +2088,7 @@ function buildSubjectFromSession() {
$res = mysql_query($query); $res = mysql_query($query);
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
} else { } else {
$drow = mysql_fetch_assoc($res); $drow = mysql_fetch_assoc($res);
$crtname = escapeshellarg($drow['crt_name']); $crtname = escapeshellarg($drow['crt_name']);
@ -2892,7 +2898,7 @@ function buildSubjectFromSession() {
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
showheader(_("My CAcert.org Account!")); showheader(_("My CAcert.org Account!"));
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>"); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
showfooter(); showfooter();
exit; exit;
} else { } else {

View file

@ -120,7 +120,7 @@ class HashAlgorithms {
return array( return array(
'sha256' => array( 'sha256' => array(
'name' => 'SHA-256', 'name' => 'SHA-256',
'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'), 'info' => '',
), ),
'sha384' => array( 'sha384' => array(
'name' => 'SHA-384', 'name' => 'SHA-384',
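Review bot: the `'info'` entry for sha256 is emptied to `''` rather than removed (sha512 gets the same treatment in the next hunk); check that whatever renders `info` skips an empty string instead of emitting an empty parenthesis or line, and if nothing else reads the key, drop it from the array.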
@ -128,7 +128,7 @@ class HashAlgorithms {
), ),
'sha512' => array( 'sha512' => array(
'name' => 'SHA-512', 'name' => 'SHA-512',
'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'), 'info' => '',
), ),
); );
} }

View file

@ -1,6 +1,6 @@
<? /* <? /*
LibreSSL - CAcert web application LibreSSL - CAcert web application
Copyright (C) 2004-2011 CAcert Inc. Copyright (C) CAcert Inc.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
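Review bot: this header drops the year range entirely ("Copyright (C) CAcert Inc."), while the other header touched in this comparison is updated to "2004-2024"; pick one convention for the set.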
@ -16,6 +16,49 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ */
/**
* Walk through the email address environment variables that Apache httpd
* might have set and put them into an array.
*
* The function ensures that unique addresses are returned.
*
* @return array
*/
function get_email_addresses_from_client_cert() {
$addresses = array();
$maxAddresses = 10; // implement a hard boundary to avoid endless loop
// try SAN email addresses first
$envNameBase = "SSL_CLIENT_SAN_Email";
for ($i = 0; $i <= $maxAddresses; $i++) {
$envName = sprintf("%s_%d", $envNameBase, $i);
if (!array_key_exists($envName, $_SERVER)) {
break;
}
$addresses[] = $_SERVER[$envName];
}
if (count($addresses) > 0) {
return array_unique($addresses);
}
// fallback for older Apache httpd versions that do not support email SAN fields
$envNameBase = "SSL_CLIENT_S_DN_Email";
if (array_key_exists($envNameBase, $_SERVER)) {
$addresses[] = $_SERVER[$envNameBase];
}
for ($i = 1; $i <= $maxAddresses; $i++) {
$envName = sprintf("%s_%d", $envNameBase, $i);
if (array_key_exists($envName, $_SERVER)) {
$addresses[] = $_SERVER[$envName];
}
}
return array_unique($addresses);
}
/** /**
* Checks if the user may log in and retrieve the user id * Checks if the user may log in and retrieve the user id
* *
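Review bot: in the DN fallback, the unsuffixed `SSL_CLIENT_S_DN_Email` is read and the loop then starts at `_1`; confirm against the mod_ssl documentation whether repeated DN components are numbered from `_0` or `_1`, because if it is `_0` that entry is skipped (array_unique would at most hide a duplicate of the unsuffixed value). The SAN loop stops at the first missing index while the DN loop scans all ten; harmless, but the two branches should behave the same. Consider `trim()`ing each value before it is compared against the `email` table.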
@ -26,22 +69,38 @@
* usually $_SERVER['SSL_CLIENT_M_SERIAL'] * usually $_SERVER['SSL_CLIENT_M_SERIAL']
* @param $issuer_cn string * @param $issuer_cn string
* usually $_SERVER['SSL_CLIENT_I_DN_CN'] * usually $_SERVER['SSL_CLIENT_I_DN_CN']
* @param $addresses array
* list of email addresses from the certificate
* @return int * @return int
* the user id, -1 in case of error * the user id, -1 in case of error
*
* @see get_email_addresses_from_client_cert()
*/ */
function get_user_id_from_cert($serial, $issuer_cn) function get_user_id_from_cert($serial, $issuer_cn, $addresses) {
{ $addresses_for_sql = array_map('mysql_real_escape_string', $addresses);
$query = "select `memid` from `emailcerts` where
`serial`='".mysql_escape_string($serial)."' and $query = sprintf("SELECT DISTINCT ec.`memid`
`rootcert`= (select `id` from `root_certs` where FROM `emailcerts` ec
`Cert_Text`='".mysql_escape_string($issuer_cn)."') and JOIN root_certs r ON r.id = ec.rootcert
`revoked`=0 and disablelogin=0 and JOIN email e ON ec.memid = e.memid
UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0"; WHERE ec.serial = '%s'
AND r.`Cert_Text` = '%s'
AND e.email IN ('%s')
AND ec.revoked = 0
AND ec.disablelogin = 0
AND UNIX_TIMESTAMP(ec.expire) > UNIX_TIMESTAMP()", mysql_real_escape_string($serial),
mysql_real_escape_string($issuer_cn), implode("', '", $addresses_for_sql));
$res = mysql_query($query); $res = mysql_query($query);
if(mysql_num_rows($res) > 0) if ($res === false) {
{ trigger_error(sprintf("MySQL error %d: %s", mysql_errno(), mysql_error()));
$row = mysql_fetch_assoc($res);
return intval($row['memid']); return -1;
}
if (mysql_num_rows($res) === 1) {
$row = mysql_fetch_row($res);
return intval($row[0]);
} }
return -1; return -1;
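Review bot: when `$addresses` is empty (a client certificate with no e-mail address) the query degrades to `e.email IN ('')`, which only fails closed because no `email` row has an empty address; return -1 explicitly on an empty list before building the query. The change to `mysql_num_rows($res) === 1` is good: an ambiguous match now rejects instead of logging in as whichever row came first.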

View file

@ -54,7 +54,7 @@
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 || $_SESSION['profile']['loggedin'] == 0)) if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 || $_SESSION['profile']['loggedin'] == 0))
{ {
$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'], $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
$_SERVER['SSL_CLIENT_I_DN_CN']); $_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());
if($user_id >= 0) if($user_id >= 0)
{ {

View file

@ -1234,7 +1234,7 @@ function get_user_agreements($memid, $type=null, $active=null){
if (0==$cca) { if (0==$cca) {
$query = "select 1 from `gpg` where `memid`='$uid' and `expire`>NOW()"; $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>NOW()";
}else{ }else{
$query = "select 1 from `gpg` where `memid`='$uid' and `expire`>(NOW()-90*86400)"; $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>( SUBDATE( NOW(), 90 ))";
} }
$res = mysql_query($query); $res = mysql_query($query);
return mysql_num_rows($res) > 0; return mysql_num_rows($res) > 0;
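Review bot: `SUBDATE(NOW(), 90)` is the right 90-day window; the old `NOW()-90*86400` did integer arithmetic on the numeric form of the datetime (YYYYMMDDhhmmss minus 7776000), which is not a date offset, so the previous grace-period checks were wrong. `$uid` is still interpolated straight into the string; make sure every caller passes an integer (`intval`).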
@ -1248,8 +1248,8 @@ function get_user_agreements($memid, $type=null, $active=null){
$query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>NOW() and `revoked`<`created`"; $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>NOW() and `revoked`<`created`";
$query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>NOW()"; $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>NOW()";
}else{ }else{
$query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>(NOW()-90*86400) and `revoked`<`created`"; $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>( SUBDATE( NOW(), 90 )) and `revoked`<`created`";
$query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>(NOW()-90*86400)"; $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>( SUBDATE( NOW(), 90 ))";
} }
$res = mysql_query($query1); $res = mysql_query($query1);
$r1 = mysql_num_rows($res)>0; $r1 = mysql_num_rows($res)>0;
@ -1273,19 +1273,19 @@ function get_user_agreements($memid, $type=null, $active=null){
select 1 from `domaincerts` join `domains` select 1 from `domaincerts` join `domains`
on `domaincerts`.`domid` = `domains`.`id` on `domaincerts`.`domid` = `domains`.`id`
where `domains`.`memid` = '$uid' where `domains`.`memid` = '$uid'
and `revoked`>NOW()"; and `domaincerts`.`revoked` > NOW()";
} else { } else {
$query1 = " $query1 = "
select 1 from `domaincerts` join `domains` select 1 from `domaincerts` join `domains`
on `domaincerts`.`domid` = `domains`.`id` on `domaincerts`.`domid` = `domains`.`id`
where `domains`.`memid` = '$uid' where `domains`.`memid` = '$uid'
and `expire`>(NOW()-90*86400) and `domaincerts`.`expire` > ( SUBDATE( NOW(), 90 ))
and `revoked`<`created`"; and `domaincerts`.`revoked` < `domaincerts`.`created`";
$query2 = " $query2 = "
select 1 from `domaincerts` join `domains` select 1 from `domaincerts` join `domains`
on `domaincerts`.`domid` = `domains`.`id` on `domaincerts`.`domid` = `domains`.`id`
where `domains`.`memid` = '$uid' where `domains`.`memid` = '$uid'
and `revoked`>(NOW()-90*86400)"; and `domaincerts`.`revoked` > ( SUBDATE( NOW(), 90 ))";
} }
$res = mysql_query($query1); $res = mysql_query($query1);
$r1 = mysql_num_rows($res)>0; $r1 = mysql_num_rows($res)>0;
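Review bot: qualifying `expire`, `revoked` and `created` with `domaincerts` removes the ambiguity with same-named `domains` columns in the join and matches the SUBDATE fix above; the `$query1` of the `cca == 0` branch is outside this hunk, so double-check it received the same qualification.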

View file

@ -1,102 +0,0 @@
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned char uchar;
typedef struct{char * nm; int v;} vp;
vp vpl[] = {
{"nbsp", 160}, {"lt",0x3c}, {"amp", 38},
{"eacute", 233}, {"egrave", 232}, {"ouml", 246},
{"alpha", 0x3b1}, {"beta", 0x3b2}, {"gamma", 0x3b3},
{"delta", 0x3b4}, {"Delta", 0x394},
{"sigma", 0x3c3}, {"Sigma", 0x3a3},
{"epsilon", 0x3b5}, {"zeta", 0x3b6},
{"theta", 0x3b8}, {"mu", 0x3bc},
{"phi", 0x3c6},
{"omega", 0x3c9},
{"lambda", 0x3bb}, {"rho", 0x3c1},
{"pi", 0x3c0}, {"Pi", 0x3a0},
{"ndash", 0x2013}, {"mdash", 0x2014},
{"and", 8743}, {"rarr", 8594}, {"forall", 0x2200},
{"sum", 8721}};
int cc = 0; // count of conversions.
static void Utf(int m, uint a){
if (a & m) {Utf(m>>1, a>>6); putchar(128 | a & 63);}
else putchar((m<<1)&255 | a);}
static void utf8(uint a){
if(a == '<') printf("%s", "&lt;");
else if(a == '&') printf("%s", "&amp;");
else if(a & -128) {++cc;
Utf(-32, a>>6); putchar(128 | a & 63);} else putchar(a);}
char * em[] = {"", "tag", "quoted string", "utf", "character ref"};
int lc = 1, cil = 0, tcc=0;
char gc(int x){char c = getchar();
if(c == EOF && feof(stdin)) {
if(x) fprintf(stderr, "file ended in %s\n", em[x]);
fprintf(stderr, "Converted %d characters\n", cc);
exit(0);}
if(c == 10 || c == 13) {tcc += cil; cil = 0; ++lc;}
++cil; return c;}
void loc(){fprintf(stderr, "Ending at byte %d of line %d,"
"(or 0x%x in file):\n", cil, lc, tcc+cil);}
char gx(){char c = gc(3); if ((c&0xc0) != 0x80)
{loc(); fprintf(stderr, "Bad utf8 extension byte: %02X\n", c);}
return c;}
int main(int argc, char * * args){
int bk = argc == 2;
while(1){
int vx(int x){if((x & 0xffffffe0) == 0x80){
if(x == 150) return 8211;
if(x == 151) return 8212;
loc(); fprintf(stderr, "Invalid character: 0x%x=%d\n", x, x);}
return x;}
uchar c = gc(0);
if(c == '<'){putchar(c); while(1){char c = gc(1);
if(c == '"'){putchar(c); while(1){char c = gc(2);
if(c == '"'){putchar(c); break;}
else putchar(c);}}
else if(c == '>'){putchar(c); break;}
else putchar(c);}}
else if(bk && c > 127){int v=0, sc=0, C=c;
while(C&0x40){C <<=1; v = (v<<6) | gx() & 0x3f; ++sc;}
{int uc = vx(v | (0x3f>>sc & (int)c) << 6*sc);
{int k = sizeof(vpl)/sizeof(vp);
while(k--) if(uc == vpl[k].v)
{printf("&%s;", vpl[k].nm); goto end;}}
printf("&#x%x;", uc);}
end: ++cc;}
else if(!bk && c == '&') {char c = gc(4);
int gs(char c, int r){
int vd(char c){if('0' <= c && c <= '9') return c - '0';
{char lc = tolower(c);
if(r == 16 && 'a' <= lc && lc <= 'f') return lc - 'a' + 10;
loc();
fprintf(stderr, "Invalid digit folowing \"&#\" construct.");
exit(0);
return 0;}}
int k = vd(c);
while(1){char c = gc(4); if(c == ';') return k;
k = r*k + vd(c);}}
if(c == '#') {char c = gc(4);
utf8(vx(c == 'x' || c == 'X' ? gs('0', 16) : gs(c, 10)));}
else {int k = sizeof(vpl)/sizeof(vp);
char st[10]; st[0] = c;
{int n; for(n=1; n<10; ++n) {char c = gc(4);
if(c == ';') goto e1;
if(!isalpha(c)) break;
st[n] = c;}
loc(); fprintf(stderr, "%s reference\n",
n>10?"Verbose":"Invalid");
continue;
e1: st[n] = 0;
// loc(); fprintf(stderr, "string is <%s>.\n", st);
while(k--) if(!strcmp(st, vpl[k].nm)) {
utf8(vpl[k].v); break;}
if(k<0) {loc();
fprintf(stderr, "Unrecognized reference: &%s;\n", st);}}}}
else if(c > 127) {loc(); fprintf(stderr, "Non ASCII char.\n");}
else putchar(c);
}
return 0;
}
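Review bot: the deleted converter used nested functions (`vx`, `gs`, `vd` defined inside `main`), a GCC extension, and the non-standard `uint` type, so it was never portable C; removing it is fine, but confirm no build or deployment script still references the resulting binary.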

View file

@ -18,14 +18,18 @@
include_once("../includes/shutdown.php"); include_once("../includes/shutdown.php");
?> ?>
<h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3> <h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3>
<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p> <p><?=_("Once you decide to subscribe for an SSL Client Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p> <p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for a Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p> <p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Client Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p>
<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p> <p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
<h4><?= _("There is a new method for generating a CSR for this page.") ?></h5>
<p><?= _("It is completely described in https://wiki.cacert.org/TutorialsHowto/Generate-new-CSR, which you should follow. At the point where it says \"Copy CSR to Clipboard\" do that and come back to this page and paste the result into the textbox at the bottom of this page.") ?></p>
<p><a href='https://community.cacert.org/clientcert' target=_blank ><?= _("Here is a link to that procedure. It will open in a new tab.") ?></a></p>
<form method="post" action="account.php"> <form method="post" action="account.php">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper"> <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr> <tr>
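Review bot: the new heading opens with `<h4>` and closes with `</h5>`, a mismatched pair. In the following paragraph the wiki URL is embedded inside the translatable string, so every translation must repeat it; pass it outside `_()` as the existing CPS link on this page does. The link line should quote `target="_blank"` and add `rel="noopener"`.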
@ -93,20 +97,11 @@ if($_SESSION['profile']['points'] >= 50)
</td> </td>
</tr> </tr>
<tr name="expertoff" style="display:none">
<td class="DataTD">
<input type="checkbox" id="expertbox" name="expertbox" onchange="showExpert(this.checked)" />
</td>
<td class="DataTD" align="left">
<label for="expertbox"><?=_("Show advanced options")?></label>
</td>
</tr>
<? <?
if($_SESSION['profile']['points'] >= 50) if($_SESSION['profile']['points'] >= 50)
{ {
?> ?>
<tr name="expert"> <tr>
<td class="DataTD" colspan="2" align="left"> <td class="DataTD" colspan="2" align="left">
<input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br /> <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
<input type="radio" id="root2" name="rootcert" value="2" checked="checked"/> <label for="root2"><?= _("Sign by class 3 root certificate") ?></label><br/> <input type="radio" id="root2" name="rootcert" value="2" checked="checked"/> <label for="root2"><?= _("Sign by class 3 root certificate") ?></label><br/>
@ -115,7 +110,7 @@ if($_SESSION['profile']['points'] >= 50)
</tr> </tr>
<? } ?> <? } ?>
<tr name="expert"> <tr>
<td class="DataTD" colspan="2" align="left"> <td class="DataTD" colspan="2" align="left">
<?= _("Hash algorithm used when signing the certificate:") ?><br/> <?= _("Hash algorithm used when signing the certificate:") ?><br/>
<? <?
@ -130,7 +125,7 @@ if($_SESSION['profile']['points'] >= 50)
</tr> </tr>
<? if ($_SESSION[ 'profile' ][ 'points' ] >= 100 && $_SESSION[ 'profile' ][ 'codesign' ] > 0 ) { ?> <? if ($_SESSION[ 'profile' ][ 'points' ] >= 100 && $_SESSION[ 'profile' ][ 'codesign' ] > 0 ) { ?>
<tr name="expert"> <tr>
<td class="DataTD"> <td class="DataTD">
<input type="checkbox" id="codesign" name="codesign" value="1"/> <input type="checkbox" id="codesign" name="codesign" value="1"/>
</td> </td>
@ -141,7 +136,7 @@ if($_SESSION['profile']['points'] >= 50)
</tr> </tr>
<? } ?> <? } ?>
<tr name="expert"> <tr>
<td class="DataTD"> <td class="DataTD">
<input type="checkbox" id="SSO" name="SSO" value="1"/> <input type="checkbox" id="SSO" name="SSO" value="1"/>
</td> </td>
@ -152,14 +147,13 @@ if($_SESSION['profile']['points'] >= 50)
</td> </td>
</tr> </tr>
<tr name="expert"> <tr>
<td class="DataTD" colspan="2"> <td class="DataTD" colspan="2">
<label for="optionalCSR"><?=_("Optional Client CSR, no information on the certificate will be used")?></label><br /> <label for="optionalCSR"><?= _("Paste Client CSR here") ?></label><br/>
<textarea id="optionalCSR" name="optionalCSR" cols="80" rows="5"></textarea> <textarea id="optionalCSR" name="optionalCSR" cols="80" rows="5"></textarea>
</td> </td>
</tr> </tr>
<tr> <tr>
<td class="DataTD"> <td class="DataTD">
<input type="checkbox" id="CCA" name="CCA"/> <input type="checkbox" id="CCA" name="CCA"/>
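Review bot: the label now reads "Paste Client CSR here" and the new instructions say the CSR from the wiki procedure must be pasted, yet the field is still named `optionalCSR`; if the CSR is now mandatory, rename the field and have account.php reject an empty submission rather than relying on the label.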
@ -169,28 +163,10 @@ if($_SESSION['profile']['points'] >= 50)
<?= _("Please note: You need to accept the CCA to proceed.") ?></label> <?= _("Please note: You need to accept the CCA to proceed.") ?></label>
</td> </td>
</tr> </tr>
<tr> <tr>
<td class="DataTD" colspan="2"><input type="submit" name="process" value="<?= _("Next") ?>"/></td> <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?= _("Next") ?>"/></td>
</tr> </tr>
</table> </table>
<input type="hidden" name="oldid" value="<?= $id ?>"/> <input type="hidden" name="oldid" value="<?= $id ?>"/>
</form> </form>
<script language="javascript">
function showExpert(a)
{
b=document.getElementsByName("expert");
for(i=0;b.length>i;i++)
{
if(!a) {b[i].setAttribute("style","display:none"); }
else {b[i].removeAttribute("style");}
}
b=document.getElementsByName("expertoff");
for(i=0;b.length>i;i++)
{
b[i].removeAttribute("style");
}
}
showExpert(false);
</script>
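Review bot: removing `showExpert()` is consistent with dropping the `name="expert"` rows and the `expertoff` checkbox above (the `name` attribute on `<tr>` was invalid HTML anyway); confirm no other page calls `showExpert`, and that always showing the root-certificate, hash, SSO and code-signing rows is the intended behaviour, since they were hidden by default before.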

View file

@ -39,6 +39,12 @@
(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 172800"; (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 172800";
mysql_query($query); mysql_query($query);
// removes entries that where introduced due to missing/wrong default value
// in MariaDB strict mode, see https://bugs.cacert.org/view.php?id=1543
$query = "delete from `email` where `memid`=0 and
(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 172800";
mysql_query($query);
$query = "delete from `disputedomain` where `hash`!='' and $query = "delete from `disputedomain` where `hash`!='' and
(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 21600"; (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 21600";
mysql_query($query); mysql_query($query);
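Review bot: comment typo, "entries that where introduced" should be "were". The 48-hour `created` window mirrors the preceding delete; confirm the application never creates `memid=0` rows legitimately (the linked bug attributes them to strict-mode defaults), so the cleanup cannot remove in-flight records.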

View file

@ -0,0 +1,201 @@
#!/usr/bin/php -q
<?php
/*
LibreSSL - CAcert web application
Copyright (C) 2004-2009 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
include_once("../includes/mysql.php");
// read texts
$lines_EN = <<<EOF
[German translation below / Deutsche Uebersetzung weiter unten]
We are writing to you as a member of CAcert. When you became a member of the CAcert community, you accepted the CCA (CAcert Community Agreement) as a basis for your membership. The Policy Group, as the legislative body of our community, has removed the reference to the location of the head office of CAcert Inc. (the association who operates the infrastructure on behalf of the community) from the CCA and a few Policies (RDL, Privacy Policy) as part of the relocation of the association from Australia (New South Wales) to Europe (Switzerland).
This does not change the meaning of the CCA, the policies or the relationship between you, the community and the association. The policies are still based on Common Law. You do not need to take any further action. However, if you do not agree with this change, you must cancel your agreement with the CCA, and, therefore, your membership in the CAcert community, by initiating the appropriate procedure as described in the policies and in the wiki.
While we are it, we would like to take this opportunity to briefly introduce you to some innovations:
The advantage of CAcert's certificates is the personal verification of those certificates by members of the Web of Trust. They can be used for identification, for signing documents or e-mails, for encryption, login, OpenID Connect, etc. In addition, we see good application possibilities in enterprises by means of Organisation Assurance (OrgA), which can also generate income and stabilise our finances.
Do you share our view that CAcert is still useful today? If so, then read on!
We have outlined above some areas where we see the future of CAcert. If you have any other ideas, please write to us. Your ideas are important to CAcert's teams. You may reach them directly using https://wiki.cacert.org/engagement
Apart from the new focus, a lot has happened in the operational area in recent months:
- renewed critical, acess admin and software team
- CAcert Inc. moved from Australia to Europe where most of its members live
- faster and more energy efficient hardware with recent software
- fail over
- OpenID Connect login with certificate [see below for details]
We all know the buttons with which we can log on to any website with our account with a large American Internet company. OpenID Connect is an extremely secure alternative for identity management. Websites and other Internet services can register with CAcert and then CAcert members can use one of their certificates, backed by our Web of Trust, to identify that member without needing to use a password. Password theft is impossible.
Of course, all this always takes time to be done, time required of our group of volunteers. And time is money, because day and night our servers continue to run, needing electric power... The cost for this, three thousand Euros per year, is actually very little.
- If you would like to support CAcert today: A donation of 5, 10, 20 or 50 Euro (francs, dollars) (if possible on a regular basis) already helps CAcert. We accept both cards and bank transfers. See https://wiki.cacert.org/engagement for more information.
- In addition, when you book your business trips and holidays please use our partner Booking.com https://www.booking.com/index.html?aid=346253
- Become a member of the CAcert Inc. association. Applications with postal address to: secretary@cacert.org (annual fee 10 Euro)
If you feel better at providing your skills than your money, read at https://wiki.cacert.org/engagement what you can do. You are more than welcome too! There are technical and non-technical areas, where even small contributions are a great help for running our operations, if they are made regularly and with a long term commitment in mind.
We would like to thank you very much for your participation, help and cooperation. If each of the thousands of CAcert members lifts only a little finger, we will be able to achieve great things!
Best regards
Brian McCullough Etienne Ruedin
President CAcert Inc. Secretary CAcert Inc.
PS: Answers to the most frequently asked questions about CAcert can be found at https://wiki.cacert.org/engagement
----
CAcert Inc.
Clos Belmont 2
1208 Geneva
Switzerland
Donations IBAN CH02 0077 4010 3947 4420 0
----
Wir schreiben Dir als Mitglied von CAcert. Als Du Mitglied der CAcert-Gemeinschaft wurdest, hast Du das CCA (CAcert Community Agreement) als Grundlage fuer Deine Mitgliedschaft akzeptiert. Die Policy Group als gesetzgebendes Organ unserer Gemeinschaft hat im Zuge des Umzugs des Vereins von Australien (Neusuedwales) nach Europa (Schweiz) den Hinweis auf den Sitz von CAcert Inc. (dem Verein, der die Infrastruktur im Auftrag der Gemeinschaft betreibt) aus dem CCA und einigen Policies (RDL, Privacy Policy) entfernt.
Dies aendert nichts an der Bedeutung des CCA, den Richtlinien (Policies) oder der Beziehung zwischen Dir, der Gemeinschaft und dem Verein. Die Richtlinien basieren nach wie vor auf dem Common Law. Du musst keine weiteren Schritte unternehmen. Wenn Du jedoch mit dieser Aenderung nicht einverstanden bist, musst Du Deine Zustimmung zur CCA und damit Deine Mitgliedschaft in der CAcert-Gemeinschaft kuendigen, indem Du das entsprechende Verfahren einleitest, wie in den Richtlinien und im Wiki beschrieben.
Bei dieser Gelegenheit moechten wir Dich kurz auf einige Neuerungen hinweisen:
Der Vorteil von CAcert-Zertifikaten ist die persoenliche Ueberpruefung dieser Zertifikate durch Mitglieder des Web of Trust. Sie koennen zur Identifikation, zum Signieren von Dokumenten oder E-Mails, zur Verschluesselung, zum Login, fuer OpenID Connect, etc. verwendet werden. Darueber hinaus sehen wir gute Anwendungsmoeglichkeiten in Unternehmen durch die Organisation Assurance (OrgA), die auch Einnahmen generieren und unsere Finanzen stabilisieren koennte.
Teilst Du unsere Ansicht, dass CAcert auch heute noch sinnvoll ist? Wenn ja, dann lies weiter!
Wir haben oben einige Bereiche skizziert, in denen wir die Zukunft von CAcert sehen. Wenn Du weitere Ideen hast, schreibe uns bitte. Deine Ideen sind den Teams von CAcert wichtig. Du kannst sie direkt ueber https://wiki.cacert.org/engagement erreichen.
Neben der neuen Ausrichtung hat sich in den letzten Monaten auch im operativen Bereich einiges getan:
- Erneuertes kritisches, Access-Admin- und Software-Team
- CAcert Inc. ist von Australien nach Europa umgezogen, wo die meisten seiner Mitglieder leben
- schnellere und energieeffizientere Hardware mit aktuellerer Software
- Failover
- OpenID Connect Anmeldung mit Zertifikat [Details siehe unten]
Wir alle kennen die Knoepfe, mit denen wir uns mit unserem Konto bei einer grossen amerikanischen Internetfirma auf jeder beliebigen Website anmelden koennen. OpenID Connect ist eine extrem sichere Alternative fuer das Identitaetsmanagement. Websites und andere Internetdienste koennen sich bei CAcert registrieren und dann koennen CAcert-Mitglieder eines ihrer Zertifikate, das durch unser Web of Trust gesichert ist, verwenden, um dieses Mitglied zu identifizieren, ohne ein Passwort verwenden zu muessen. Passwort-Diebstahl ist unmoeglich.
Natuerlich braucht all dies immer Zeit, Zeit, die unsere Gruppe von Freiwilligen benoetigt. Und Zeit ist Geld, denn unsere Server laufen Tag und Nacht weiter und brauchen Strom... Die Kosten dafuer, dreitausend Euro pro Jahr, sind eigentlich sehr gering.
- Wenn Du CAcert heute unterstuetzen moechtest: Eine Spende von 5, 10, 20 oder 50 Euro (Franken, Dollar) (moeglichst regelmaessig) hilft CAcert bereits. Wir akzeptieren sowohl Karten als auch Bankueberweisungen. Siehe https://wiki.cacert.org/engagement fuer weitere Informationen.
- Wenn Du Deine Geschaeftsreisen und Ferien buchst, nutze bitte auch unseren Partner Booking.com https://www.booking.com/index.html?aid=346253
- Werde Mitglied im Verein CAcert Inc. Anmeldungen mit Postanschrift an: secretary@cacert.org (Jahresbeitrag 10 Euro)
Wenn Du lieber Deine Faehigkeiten als Dein Geld zur Verfuegung stellen willst, lies unter https://wiki.cacert.org/engagement, was Du tun kannst. Auch da bist Du mehr als willkommen! Es gibt technische und nicht-technische Bereiche, in denen auch kleine Beitraege eine grosse Hilfe fuer den Betrieb sind, wenn sie regelmaessig und mit langfristigem Engagement geleistet werden.
Wir moechten Dir herzlich fuer Deine Teilnahme, Hilfe und Mitarbeit danken. Wenn jedes der Tausenden von CAcert-Mitgliedern nur einen kleinen Finger ruehrt, werden wir Grosses erreichen koennen!
Mit freundlichen Gruessen
Brian McCullough Etienne Ruedin
Praesident CAcert Inc. Sekretaer CAcert Inc.
PS: Antworten auf die am haeufigsten gestellten Fragen zu CAcert findest Du unter https://wiki.cacert.org/engagement
----
CAcert Inc.
Clos Belmont 2
1208 Geneva
Switzerland
Spendenkonto IBAN CH02 0077 4010 3947 4420 0
EOF;
$lines_EN = wordwrap($lines_EN, 75, "\n");
$lines_EN = mb_convert_encoding($lines_EN, "HTML-ENTITIES", "UTF-8");
// read last used id
$lastid = 0;
if (file_exists("send_policy_cca20240925_lastid.txt"))
{
$fp = fopen("send_policy_cca20240925_lastid.txt", "r");
$lastid = trim(fgets($fp, 4096));
fclose($fp);
}
echo "ID now: $lastid\n";
$count = 0;
$query = "
SELECT `id`, `fname`, `lname`, `email`
FROM `users`
WHERE `deleted` = '0000-00-00 00:00:00'
AND `modified` != '0000-00-00 00:00:00'
AND `verified` = '1'
AND `id` >= '$lastid'
AND email not like 'a20%cacert.org'
ORDER BY `id`";
/*
$query = "
SELECT `id`, `fname`, `lname`, `email`
FROM `users`
WHERE `deleted` = '0000-00-00 00:00:00'
AND `modified` != '0000-00-00 00:00:00'
AND `verified` = '1'
AND (`id` = '87908' or `id` = '12438')
ORDER BY `id`";
*/
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
$mailtxt = "Dear ${row["fname"]} ${row["lname"]},\n".$lines_EN."\n\n";
sendmail($row['email'], "[CAcert.org] CAcert Inc. moved to Europe (legal information)", $mailtxt, "support@cacert.org", "", "", "CAcert", "returns@cacert.org", "");
$fp = fopen("send_policy_cca20240925_lastid.txt", "w");
fputs($fp, $row["id"]."\n");
fclose($fp);
$count++;
echo "Sent ${count}th mail. User ID: ${row["id"]}\n";
// if(0 == $count % 16) {
// sleep (1);
// }
if ($count >= 3000) {
// avoid memory exhaustion -- this script has a memory leak
echo "Continue\n";
exit(0);
}
}
echo "Stop\n";
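Review bot: `$lastid` is read from the state file and interpolated into `AND id >= '$lastid'` unchanged; cast it with `intval()` after `trim()` so a corrupted file cannot alter the query. Smaller points: "acess admin" in the English text should be "access"; `${row["fname"]}` interpolation is deprecated since PHP 8.2 (use `{$row['fname']}`), as is the `"HTML-ENTITIES"` target of `mb_convert_encoding`, which is a no-op here anyway because the text transliterates umlauts; and the header of this new file says 2004-2009 while another header in this set moves to 2004-2024.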

View file

@ -1,6 +1,6 @@
<? /* <? /*
LibreSSL - CAcert web application LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc. Copyright (C) 2004-2024 CAcert Inc.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,25 +31,19 @@ function sanitize_string($buffer) {
} }
define ('UNDEFINED', 'nd'); define ('UNDEFINED', 'nd');
define ('ALLOWED_IP', '213.154.225.243');
define ('ALLOWED_IP2', '172.16.2.27');
define ('CONFIG_FILEPATH', '/www/'); define ('CONFIG_FILEPATH', '/www/');
$expected_client_address = 'cats@cacert.org';
$allowed_ip_addresses = ['213.154.225.243', '172.16.2.27'];
$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED; $remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED; $server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED; $https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED; $ssl_client_email = (isset($_SERVER['SSL_CLIENT_S_DN_Email']))?$_SERVER['SSL_CLIENT_S_DN_Email']:UNDEFINED;
$access = FALSE; // Access only from cats.cacert.org with a client certificate for cats@cacert.org
$access = in_array($remote_addr, $allowed_ip_addresses) && ($https == 'on') && ($ssl_client_email == $expected_client_address);
// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
if (
($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
$https == 'on' &&
// Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
// Ted: Is this specified? I don't think so, therefore I'd keep stristr
strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
) $access = TRUE;
if ($access !== TRUE) { if ($access !== TRUE) {
echo 'UNAUTHORIZED ACCESS<br>'."\r\n"; echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
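Review bot: the new access test uses loose `==` for both the `$https == 'on'` and the `$ssl_client_email == $expected_client_address` comparisons; use `===` so that the `UNDEFINED` fallback (`'nd'`) or any non-string value can never compare equal through type juggling. Replacing the `stristr()` substring match on `SSL_CLIENT_S_DN` with an exact comparison of `SSL_CLIENT_S_DN_Email` is the right direction, since a DN that merely contains `/emailAddress=cats@cacert.org` somewhere no longer passes, but both the old and the new variable are only exported by mod_ssl when `SSLOptions +StdEnvVars` is set, and neither proves the certificate was verified unless the vhost uses `SSLVerifyClient require`; add a comment stating those server-side requirements next to `$expected_client_address`, or additionally test `$_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'`. Dropping the stale inline discussion ("Comment (to be romeved)", "Ted: ...") is correct.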

View file

@ -0,0 +1,37 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
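Review bot: a PEM certificate checked in on its own cannot be reviewed from the diff; add the subject, serial number and SHA-256 fingerprint to the commit message (or a short README next to the file) so that reviewers and later readers can verify the blob against the roots CAcert publishes, and state what the file is consumed by.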

Binary file not shown.

View file

@ -0,0 +1,132 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1368616 (0x14e228)
Signature Algorithm: sha512WithRSAEncryption
Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
Not Before: Apr 19 12:18:30 2021 GMT
Not After : Apr 17 12:18:30 2031 GMT
Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
05:fb:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Authority Information Access:
OCSP - URI:http://ocsp.CAcert.org/
CA Issuers - URI:http://www.CAcert.org/class3.crt
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.18506.2.3.1
CPS: http://www.CAcert.org/cps.php
X509v3 CRL Distribution Points:
Full Name:
URI:https://www.cacert.org/class3.crl
Signature Algorithm: sha512WithRSAEncryption
c6:1e:ad:77:5c:b4:28:9b:d1:c8:8d:44:12:c0:bd:76:76:04:
83:21:07:f8:11:82:7f:6b:c1:95:42:c0:38:11:b5:25:70:8d:
8b:0c:c1:d5:6c:fd:1c:1a:03:7c:8b:f8:06:31:a5:9d:de:41:
29:d4:8b:9b:84:d7:3d:c1:37:86:71:a3:1f:5b:61:29:1e:5d:
77:7d:bb:f0:ad:b9:15:19:13:14:e6:35:80:ff:a6:19:b4:37:
85:94:41:e8:88:c3:5f:e0:b2:06:a4:bb:f8:40:a9:1d:39:ac:
ed:ea:3f:98:04:4d:f9:8c:f9:47:79:73:52:f5:ec:df:34:97:
fb:3e:77:e0:dc:d1:83:88:ba:88:73:47:5a:a6:a4:15:c4:0d:
70:0d:0f:9e:4b:13:07:7e:ef:18:3e:f9:a5:01:aa:79:29:b1:
e7:52:fa:53:3a:c8:a6:7f:b6:ef:89:a1:b1:a1:4d:2f:ce:63:
85:7f:a5:2a:e9:3b:d4:c1:a3:cf:0a:13:85:bb:99:d7:9c:66:
90:84:e7:66:d4:50:b3:a1:e1:2d:22:2a:25:68:c3:20:b2:2b:
c4:ba:98:1d:e8:4a:ef:5c:58:c2:b4:4d:84:56:f7:4e:bb:16:
68:42:6c:92:b8:6f:78:cd:0e:b3:fb:ef:a0:b3:64:87:f2:f7:
88:44:39:fc:b9:e6:2c:c0:98:24:d4:40:2c:5e:c8:ee:0b:1d:
b8:02:4d:26:b8:0a:18:c6:2f:1e:4b:75:6e:8f:2e:21:73:bc:
c2:03:55:ee:aa:14:e0:9a:1a:07:53:0b:df:44:14:a8:67:05:
af:44:c8:d3:a1:45:76:02:b6:7f:0c:b9:86:e9:4f:c6:6e:b0:
bb:15:b4:bf:e8:80:b5:76:31:fe:64:64:c1:0a:58:6d:c5:50:
b6:b2:03:bf:1d:42:4f:59:39:d1:c4:31:8b:e8:c8:2a:39:1c:
15:61:f0:de:40:68:0e:70:a8:b3:4f:ee:91:e8:0f:4f:b6:90:
9e:4d:80:6c:be:1c:ee:70:a4:b8:07:04:2b:0d:41:02:54:84:
4e:47:ea:8b:96:ed:76:58:61:e7:c3:21:7b:06:6f:d4:b7:0b:
e7:34:32:83:cc:35:a6:e7:25:4f:7c:17:42:fc:bc:57:03:c6:
9f:42:7f:98:60:f8:80:b2:d9:f6:b1:9c:1c:35:04:0a:89:31:
16:85:a4:fa:ee:4c:09:c5:6a:98:66:ec:c8:6e:2a:e6:cb:92:
dc:23:6c:96:c1:d4:45:f3:3c:6d:02:b8:a0:bb:c7:47:c2:c2:
1c:40:4c:45:c7:45:06:7f:3b:71:2b:ce:2b:a7:81:d6:47:46:
28:b0:3c:ca:65:f1:66:9f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
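Review bot: committing the `openssl x509 -text` dump next to the PEM creates two representations of the same certificate that can drift; either generate the dump at build time or add a comment that it is informational and must be regenerated whenever the PEM changes. For the record, the dump shows the Class 3 root (serial 0x14e228, valid 2021-04-19 to 2031-04-17, 4096-bit RSA, sha512WithRSAEncryption) carrying only Basic Constraints, Authority Information Access, Certificate Policies and a CRL Distribution Point: there is no Key Usage, Subject Key Identifier or Authority Key Identifier extension, and the CRL URI is `https://`, which validators that fetch CRLs by URI often refuse because checking that TLS connection would itself require a CRL. None of that can be changed in this repository, but it is worth documenting for anyone debugging chain validation against this file.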

View file

@ -153,7 +153,7 @@ require_once('../includes/notary.inc.php');
{ {
include_once("../includes/lib/general.php"); include_once("../includes/lib/general.php");
$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'], $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
$_SERVER['SSL_CLIENT_I_DN_CN']); $_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());
if($user_id >= 0) if($user_id >= 0)
{ {
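Review bot: `get_user_id_from_cert()` gains a third argument, the result of `get_email_addresses_from_client_cert()`, but the hunk shows neither the helper's definition nor the other callers of `get_user_id_from_cert()`; confirm that every call site was updated to the new signature and that the helper returns an empty array rather than failing when the client certificate carries no e-mail addresses. A docblock on `get_email_addresses_from_client_cert()` stating which certificate fields it reads and how the list is matched inside `get_user_id_from_cert()` would make the login path reviewable without reading `general.php`.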
@ -479,7 +479,7 @@ if ($oldid == 52 )
write_user_agreement($memid, "CCA", "account creation", "", 1); write_user_agreement($memid, "CCA", "account creation", "", 1);
$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n"; $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; $body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!"); $body .= _("Best regards")."\n"._("CAcert.org Support!");
sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
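Review bot: switching the verification link to `https://` is the right fix, since `$hash` in the query string is the account-activation secret and was previously mailed as a cleartext URL; while on this line, add a comment that `$emailid` and `$hash` are concatenated unencoded only because both are generated server-side, and check whether other mails built from `$_SESSION['_config']['normalhostname']` in the same file still use `http://`.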

View file

@ -68,8 +68,8 @@
<h4><a name="0.1">0.1</a> Terms</h4> <h4><a name="0.1">0.1</a> Terms</h4>
<ol> <ol>
<li>"CAcert" means CAcert Inc., a non-profit Association of Members <li>"CAcert" means CAcert Inc., a non-profit Association of Members.
incorporated in New South Wales, Australia. Note that Association Members Note that Association Members
are distinct from the Members defined here.</li> are distinct from the Members defined here.</li>
<li>"Member" means you, a registered participant within CAcert's Community, <li>"Member" means you, a registered participant within CAcert's Community,
@ -295,8 +295,7 @@
<h4><a name="3.1">3.1</a> Governing Law</h4> <h4><a name="3.1">3.1</a> Governing Law</h4>
<p>This agreement is governed under the law of New South Wales, Australia, <p>This agreement is governed under the law of New South Wales, Australia.</p>
being the home of the CAcert Inc. Association.</p>
<h4><a name="3.2">3.2</a> Arbitration as Forum of Dispute Resolution</h4> <h4><a name="3.2">3.2</a> Arbitration as Forum of Dispute Resolution</h4>
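Review bot: section 0.1 drops "incorporated in New South Wales, Australia" from the definition of CAcert, yet section 3.1 keeps New South Wales as the governing law and only removes the sentence that justified it ("being the home of the CAcert Inc. Association"); if the association has moved, either the governing-law clause should change as well or the commit message should state why NSW law is intentionally retained. Changing the wording of a binding agreement should also reference the policy decision that approved it.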

View file

@ -99,13 +99,7 @@ Please see <a href='http://www.privacy.gov.au/'>http://www.privacy.gov.au/</a> f
Governmental warrants and civil supoenas will be processed through the dispute resolution system, which ensures that valid authority is given to whoever complies with the supoena or the warrant. Governmental warrants and civil supoenas will be processed through the dispute resolution system, which ensures that valid authority is given to whoever complies with the supoena or the warrant.
</p> </p>
<p>If you need to contact us in writing, address your mail to the postal address of CAcert Inc. The current postal address of Cacert Inc. can be found on CAcert's web site.
<p>If you need to contact us in writing, address your mail to:</p>
<p>
CAcert Inc.<br />
PO Box 66 <br />
Oatley NSW 2223<br />
Australia
</p> </p>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p> <p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
</body> </body>
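Review bot: the new paragraph spells the organisation "Cacert Inc." (lowercase c) while the rest of the page uses "CAcert Inc."; fix the capitalization. The replacement also points readers to "CAcert's web site" without naming the page that carries the postal address, so link it directly, and note that the unchanged context line above still refers readers to http://www.privacy.gov.au/, the Australian regulator, which looks inconsistent with removing the Australian address; the same context line also misspells "subpoenas" as "supoenas" twice.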

View file

@ -51,7 +51,7 @@ Editor: Mark Lipscombe
<h2 id="g0.1">1. Terms </h2> <h2 id="g0.1">1. Terms </h2>
<p> <p>
"CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia. "CAcert Inc" means CAcert Incorporated, a non-profit association.
<br> <br>
"CAcert Community Agreement" means the agreement entered into by each person wishing to RELY. "CAcert Community Agreement" means the agreement entered into by each person wishing to RELY.
<br> <br>

View file

@ -1,6 +1,6 @@
<? /* <? /*
LibreSSL - CAcert web application LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc. Copyright (C) 2004-2023 CAcert Inc.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -17,21 +17,10 @@
*/ */
if(array_key_exists('iagree',$_REQUEST) && $_REQUEST['iagree'] == "yes") if(array_key_exists('iagree',$_REQUEST) && $_REQUEST['iagree'] == "yes")
{ {
$output_file = $fname = readlink("../tarballs/current.tar.bz2"); header('Location: https://code.cacert.org/cacert/cacert-webdb/archive/main.tar.gz', TRUE, 302);
header('Pragma: public');
header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate'); // HTTP/1.1
header('Cache-Control: pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
header('Content-Transfer-Encoding: none');
header('Content-Type: application/octetstream; name="' . $output_file . '"'); //This should work for IE & Opera
header('Content-Type: application/octet-stream; name="' . $output_file . '"'); //This should work for the rest
header('Content-Disposition: inline; filename="' . $output_file . '"');
header("Content-length: ".intval(filesize($_SESSION['_config']['filepath']."/tarballs/$fname")));
readfile($_SESSION['_config']['filepath']."/tarballs/$fname");
exit; exit;
} }
loadem("index"); loadem("index");
showheader(_("CAcert Source License")); showheader(_("CAcert Source License"));
?> ?>
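Review bot: the redirect target `archive/main.tar.gz` is the moving tip of the repository rather than the revision deployed on the server; since this is the "CAcert Source License" download page, users expecting the source of the running software should be sent to a tag or commit matching the deployed version, or the page should say that the link is the development head. Note also that the `iagree` click-through now gates nothing, because the archive URL is public and can be fetched directly; either accept that and simplify the page, or state in a comment that the acceptance step is informational. Removing the hand-rolled download (the duplicated `Content-Type` headers, the unchecked `filesize()` and the `readfile()` of a `readlink()`-derived path) is a welcome simplification.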