commit 3c0fa1d98a552876ea35240b00acef0cf236a26d Author: Brian McCullough Date: Fri Sep 6 22:00:02 2024 +0200 Initial creation of new Repository diff --git a/about.php b/about.php new file mode 100644 index 0000000..27f7b92 --- /dev/null +++ b/about.php @@ -0,0 +1,106 @@ + +
+

This Site and Service

+ This site has been developed by CAcert to give CAcert certificate users the ability to + allow users of their web sites to connect using OpenID supported by the CAcert Web-Of-Trust. +
+
+ We hope that this will help you creating a bridge between your website, + whether powered by Drupal, + Wordpress, or other technology, and your users, who are holders of CAcert Client SSL + Certificates and can be identified to your site that way. +
+
+
+

CAcert

+ CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free. +
+
+ CAcert's goal is to promote awareness and education on computer security through the use of encryption, + specifically by providing cryptographic certificates. These certificates can be used to digitally sign and + encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the + internet. Any application that supports the Secure Socket Layer Protocol (SSL or TLS) can make use of + certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code + signing and document signatures. +
+
+ If you want to have free certificates issued to you, join the CAcert Community . +
+
+ If you want to use certificates issued by CAcert, read the CAcert Root Distribution License .This license + applies to using the CAcert root keys . + +
+
+
+

OpenID Connect

+ +

What is OpenID Connect

+ OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 + framework of specifications (IETF RFC 6749 and 6750). It simplifies the way to verify + the identity of users based on the authentication performed by an Authorization Server + and to obtain user profile information in an interoperable and REST-like manner. +
+
+ OpenID Connect enables application and website developers to launch sign-in + flows and receive verifiable assertions about users across Web-based, mobile, + and JavaScript clients. And the specification suite is extensible to support a + range of optional features such as encryption of identity data, discovery of + OpenID Providers, and session logout. ( from OpenID Foundation ) +
+
+ OpenID Connect is an advancement from the older Oauth 2.0 technique, providing + a simpler method for servers and their users to connect and authenticate each other. +
+
+ OpenID Connect (OIDC) is an identity authentication protocol that is an extension of + open authorization (OAuth) 2.0 to standardize the process for authenticating and + authorizing users when they sign in to access digital services. OIDC provides + authentication, which means verifying that users are who they say they are. + OAuth 2.0 authorizes which systems those users are allowed to access. + OAuth 2.0 is typically used to enable two unrelated applications to share information + without compromising user data. For example, many people use their email or social + media accounts to sign in to a third-party site rather than creating a new username + and password. OIDC is also used to provide single sign-on. Organizations can use a + secure identity and access management (IAM) system like Microsoft Entra ID (formerly + Azure Active Directory) as the primary authenticator of identities and then use + OIDC to pass that authentication to other apps. +
+
+ This way users only need to sign in once with one username and password to + access multiple apps. ( from Microsoft ) +
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ '; + echo ""; + + ?> +
diff --git a/admin_delete.php b/admin_delete.php new file mode 100644 index 0000000..630bb93 --- /dev/null +++ b/admin_delete.php @@ -0,0 +1,68 @@ +query($sql) as $row) { + $clientID = $row['client_id']; + + $retcode = exec("/srv/hydra/bin/hydra delete oauth2-client $clientID --endpoint $internalHydraEndpointURL ", $hydraArray); + + $outArray = []; + + foreach ($hydraArray as $hydra) { + + $keyIDX = strpos($hydra,"\t"); + + if ( $keyIDX === false ) { + $outArray[ $hydra ] = ""; + } else { + $valIDX = strrpos($hydra,"\t", -1); + + $key = substr( $hydra, 0, $keyIDX ); + + $val = substr( $hydra, $valIDX + 1 ); + $outArray[ $key ] = $val; + } + } + + echo "Input: " . var_export($clientID,true) . "
"; + echo "Hydra: " . var_export($outArray,true) . "
"; + + $stmt = $db->prepare("update clients set deleted_at = now() where client_id = :client_id"); + + $retcode = $stmt->execute( [ $clientID ]); + + echo "

"; + echo "DB Retcode: " . var_export($retcode,true). "
"; + +} + + + +echo file_get_contents("html/footer.html"); + +echo "
"; +echo '

Copyright © CAcert, Inc '; +echo date("Y"); +echo "

"; + + diff --git a/cacert.ini.sample b/cacert.ini.sample new file mode 100644 index 0000000..ada9afb --- /dev/null +++ b/cacert.ini.sample @@ -0,0 +1,10 @@ +[DB] +User="User ID for DB" +Password="Password for DB" + +[URLs] +InternalHydraEndpointURL="https://auth.cacert.localhost:4445" +WellKnownURL="https://registration.:4444/.well-known/openid-configuration" +AuthURL="https://authserver.:4444/oauth2/auth" +TokenURL="https://authserver.:4444/oauth2/token" +UserInfoURL="https://authserver.:4444/userinfo" diff --git a/delete.php b/delete.php new file mode 100644 index 0000000..bceab05 --- /dev/null +++ b/delete.php @@ -0,0 +1,113 @@ +query($sql) as $row) { + $data['id'] = $row['id']; + $data['site_name'] = $row['site_name']; + $data['site_owner'] = $row['site_owner']; + $data['client_id'] = $row['client_id']; + $data['owner_id'] = $row['owner_id']; + $data['created_at'] = $row['created_at']; + + $radioArray[] = $data; +} + +$itemCount = count($radioArray); + + +?> + +
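Review bot: `$retcode = $stmt->execute( [ $clientID ]);` hands a positional array to a statement prepared with the named placeholder `:client_id`; PDO reports an invalid parameter number for that mismatch, so the `deleted_at` update never lands even though the preceding `exec()` has already removed the client from Hydra — use `$retcode = $stmt->execute([':client_id' => $clientID]);`. In the same loop `$clientID` read from the database row is interpolated straight into the shell command; it should be `$retcode = exec('/srv/hydra/bin/hydra delete oauth2-client ' . escapeshellarg($clientID) . ' --endpoint ' . escapeshellarg($internalHydraEndpointURL), $hydraArray);` so a crafted client_id cannot break out of the command line. The `var_export()` dumps of `$clientID` and the Hydra output are echoed into the page without `htmlspecialchars()`. The top of the file, where `$sql` is built and any admin-only gating would live, is not legible in this hunk, so who may reach this page cannot be confirmed from here.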
+

+ This page allows you to remove a site registration that + you have created with this tool. +

+ +

Choose a Site Registration to Delete

+ +
+
+ + + + + + + + + "; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + } + + ?> +
+   + + Site Name + + Site Owner + + Owner ID + + Date Created +
"; + echo ""; + echo ""; + $site_name = $radioArray[$i]["site_name"]; + echo "$site_name"; + echo ""; + $site_owner = $radioArray[$i]["site_owner"]; + echo "$site_owner"; + echo ""; + $owner_id = $radioArray[$i]["owner_id"]; + echo "$owner_id"; + $client_id = $radioArray[$i]["client_id"]; + echo ""; + echo ""; + $createdAt = new DateTime($radioArray[$i]["created_at"]); + $createdAtStr = date_format($createdAt, 'Y-m-d H:i:s'); + echo "$createdAtStr"; + echo "
+
+
+ + +
+ +
+
+ +"; + +echo file_get_contents("html/footer.html"); + +echo "
"; +echo '

Copyright © CAcert, Inc '; +echo date("Y"); +echo "

"; + +echo "
"; +echo ""; diff --git a/delete1.php b/delete1.php new file mode 100644 index 0000000..6ad5971 --- /dev/null +++ b/delete1.php @@ -0,0 +1,95 @@ + + +
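Review bot: The table at the end of this hunk echoes `$site_name`, `$site_owner` and `$owner_id` from the database into HTML with no escaping (`echo "$site_name";`), and `site_name` is whatever the registrant typed into the register form's POST body, so one registration can carry markup into every page that lists it. Run each value through `htmlspecialchars($site_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (a small `$h = static fn (?string $s): string => htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` helper keeps the echoes readable), including the `$client_id` that is presumably written into the radio input's value attribute — the tag itself was stripped from this rendering. The query text in `$sql` is not legible in this hunk, so whether the list is restricted to the caller's own certificate DN cannot be checked from here.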
+ + prepare("update clients set deleted_at = now() where client_id = :client_id"); + $retcode = $stmt->execute([$clientID]); + + $stmt = $db->query("select site_name, created_at, client_id from clients where client_id = '$clientID' "); + $result = $stmt->fetchAll(); + + ?> +
+

+ + Site + with Client ID + deleted successfully +

+
+ + "; + +echo file_get_contents("html/footer.html"); + +echo "
"; +echo '

Copyright © CAcert, Inc '; +echo date("Y"); +echo "

"; + +echo "
"; +echo ""; + diff --git a/favicon.ico b/favicon.ico new file mode 100644 index 0000000..dfccc66 Binary files /dev/null and b/favicon.ico differ diff --git a/html/CAcert-logo.svg b/html/CAcert-logo.svg new file mode 100644 index 0000000..eb1957d --- /dev/null +++ b/html/CAcert-logo.svg @@ -0,0 +1,2 @@ + + diff --git a/html/body.html b/html/body.html new file mode 100644 index 0000000..5ad6022 --- /dev/null +++ b/html/body.html @@ -0,0 +1,2 @@ + + diff --git a/html/footer.html b/html/footer.html new file mode 100644 index 0000000..6af70b5 --- /dev/null +++ b/html/footer.html @@ -0,0 +1,14 @@ + + + + + + + + + + diff --git a/html/header.html b/html/header.html new file mode 100644 index 0000000..fb8092a --- /dev/null +++ b/html/header.html @@ -0,0 +1,25 @@ + + + + + + + + + + + + + +
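Review bot: The UPDATE at the top of this hunk soft-deletes by `client_id` alone — `where client_id = :client_id` carries no `owner_id` predicate — so any certificate holder who can reach this page can retire another user's registration by submitting that user's client ID; register.php stores `SSL_CLIENT_S_DN` in the `owner_id` column, so restrict on it. The same statement is executed with a positional array against a named placeholder (`execute([$clientID])`), which PDO rejects, and the follow-up SELECT interpolates `$clientID` into the query string instead of binding it. Unlike admin_delete.php, no `hydra delete oauth2-client` call is visible in this file, so the Hydra client presumably stays valid after the row is marked deleted — the first lines of the file are not legible in the hunk, so confirm before relying on this.
```php
$ownerDN = $_SERVER['SSL_CLIENT_S_DN'];
$stmt = $db->prepare("update clients set deleted_at = now() where client_id = :client_id and owner_id = :owner_id and deleted_at is null");
$retcode = $stmt->execute([':client_id' => $clientID, ':owner_id' => $ownerDN]);

$stmt = $db->prepare("select site_name, created_at, client_id from clients where client_id = ? and owner_id = ?");
$stmt->execute([$clientID, $ownerDN]);
$result = $stmt->fetchAll();
// … unchanged: success message and footer …
```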
+
+
+ +
+
+

Home

+
+
+
+ diff --git a/index.php b/index.php new file mode 100644 index 0000000..43e2bac --- /dev/null +++ b/index.php @@ -0,0 +1,47 @@ + + + + + +
+
+ +
+'; +echo file_get_contents("html/footer.html"); + +echo "

Copyright © CAcert, Inc "; +echo date("Y"); +echo "

"; + +?> + + + + + diff --git a/info.php b/info.php new file mode 100644 index 0000000..c33d963 --- /dev/null +++ b/info.php @@ -0,0 +1,58 @@ + + +
+
+

+ This site provides several functions related to registering + your web site or application to use CAcert's OpenID Connect facility, + allowing people holding CAcert Client Certificates to use OpenID Connect + to log in to your site. +

+

+ In order to use this site, you must have a valid + client certificate from CAcert installed in your browser. +

+

+ Such a certificate may be obtained from + CAcert. +

+

+ This tool provides three functions, found in the Home menu. +
+ Register a New Site, + List all Registered Sites + and un-register or + Delete a Site. +

+

+ You may download the various URLs provided by the OpenID component + Here +

+

+ For more information, see our About Page + or CAcert. +

+
+ +
+ +"; + + echo file_get_contents("html/footer.html"); + + echo "
"; + echo '

Copyright © CAcert, Inc '; + echo date("Y"); + echo "

"; + + echo "
"; + +echo ""; diff --git a/list.php b/list.php new file mode 100644 index 0000000..13a34b0 --- /dev/null +++ b/list.php @@ -0,0 +1,115 @@ +query($sql) as $row) { + $data['id'] = $row['id']; + $data['site_name'] = $row['site_name']; + $data['site_owner'] = $row['site_owner']; + $data['client_id'] = $row['client_id']; + $data['created_at'] = $row['created_at']; + $data['deleted_at'] = $row['deleted_at']; + + $listArray[] = $data; +} + +$itemCount = count($listArray); + + +?> + +
+

+ This page shows you all of the sites + that you have registered here, and their + current status. +

+ +
+

List of Site Registrations

+ +
+ + + + + + + + + "; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + } + + ?> +
+ Site Name + + Site Owner + + Client ID + + Created + + Status +
"; + $site_name = $listArray[$i]["site_name"]; + echo "$site_name"; + echo ""; + $site_owner = $listArray[$i]["site_owner"]; + echo "$site_owner"; + echo ""; + $client_id = $listArray[$i]["client_id"]; + echo "$client_id"; + echo ""; + $createdAt = new DateTime($listArray[$i]["created_at"]); + $createdAtStr = date_format($createdAt, 'Y-m-d H:i:s'); + echo "$createdAtStr"; + echo ""; + if ( is_null($listArray[$i]["deleted_at"]) ) { + echo "Active"; + } else { + echo "Deleted"; + } + echo "
+
+
+
+ +
+
+ +"; + +echo file_get_contents("html/footer.html"); + +echo "
"; +echo '

Copyright © CAcert, Inc '; +echo date("Y"); +echo "

"; + +echo "
"; +echo "
"; diff --git a/register.php b/register.php new file mode 100644 index 0000000..a8f62ac --- /dev/null +++ b/register.php @@ -0,0 +1,317 @@ + 0) { + + + $db = new PDO("pgsql:host=localhost;port=5432;dbname=oidc_db;user=$dbUser;password=$dbPass"); + + $siteName = $_POST['siteName']; + $redirectURL = $_POST['redirectURL']; + $authMethod = $_POST['endpointAuth']; + $notes = $_POST['notes']; + + $clientDN = $_SERVER['SSL_CLIENT_S_DN']; + $cn_pos = strpos( $clientDN, ',CN=' ); + $clientName = substr( $clientDN, $cn_pos + 4 ); + + $stmt = $db->query("select created_at from clients where site_name = '$siteName' and owner_id like '%$clientName%' and deleted_at is null"); + $res = $stmt->fetch(PDO::FETCH_ASSOC); + + echo "
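Review bot: `$site_name`, `$site_owner` and `$client_id` are echoed straight into table cells (`echo "$site_name";`) with no HTML escaping; `site_name` comes from the register form's POST body, so a hostile registration renders as markup or script in this listing for whoever views it. Wrap each value in `htmlspecialchars($site_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` before echoing, as the `deleted_at`/`created_at` formatting already does for dates. The query in `$sql` is not legible in this hunk, so I cannot tell whether the listing is filtered to the caller's certificate DN as the page text ("all of the sites that you have registered") promises.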
"; + + if ($res) { + echo "
"; + echo "
"; + echo "Error: Found an existing record for that site: '$siteName'"; + echo "
"; + echo "
"; + } else { + + for ($emailIndex = 0; $emailIndex < 20; $emailIndex++) { + $emailSAN = 'SSL_CLIENT_SAN_Email_' . $emailIndex; + if (array_key_exists($emailSAN, $_SERVER)) { + $clientEMail[] = $_SERVER[$emailSAN]; + } else { + break; + } + } + + switch( $authMethod ) { + case 'basic': + $endpointAuthMethod = 'client_secret_basic' ; + break; + + case 'post': + $endpointAuthMethod = 'client_secret_post' ; + break; + + } + + + $hydra_command = "/srv/hydra/bin/hydra create oauth2-client --endpoint " . $ini_arr[ 'URLs' ][ 'InternalHydraEndpointURL' ] . " --name '$siteName' --owner '$clientDN' --redirect-uri '$redirectURL' --token-endpoint-auth-method '$endpointAuthMethod' --scope openid,offline,offline_access,profile,email"; + $retcode = exec($hydra_command, $hydraArray); + + + $outArray = []; + + foreach ($hydraArray as $hydra) { + + $keyIDX = strpos($hydra, "\t"); + + if ($keyIDX === false) { + $outArray[$hydra] = ""; + } else { + $valIDX = strrpos($hydra, "\t", -1); + + $key = substr($hydra, 0, $keyIDX); + + $val = substr($hydra, $valIDX + 1); + + $outArray[$key] = $val; + } + } + + if (array_key_exists('CLIENT ID', $outArray)) { + + echo "

Here are your Client ID and Client Secret

"; + echo "
"; + echo "Make sure that you copy these two values somewhere safe, because the Client Secret can "; + echo "not be retrieved again."; + echo "
"; + + echo "
"; + echo "
"; + + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo "
"; + echo "Client ID"; + echo " "; + echo ""; + echo $outArray['CLIENT ID']; + echo "
"; + echo "Client Secret"; + echo " "; + echo ""; + echo $outArray['CLIENT SECRET']; + echo "
"; + echo "
"; + echo "
"; + echo "

"; + echo "You will also need the following URLs for your site plugin."; + echo "

"; + echo "
"; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + echo "
"; + echo "Authorize"; + echo " "; + echo $ini_arr[ 'AuthURL' ]; + echo "
"; + echo "Token"; + echo " "; + echo $ini_arr[ 'TokenURL' ]; + echo "
"; + echo "User Info"; + echo " "; + echo $ini_arr[ 'UserInfoURL' ]; + echo "
"; + + + echo "
"; + ?> +

+ Download a list of relevant URLs + here +

+ + "; + + + $stmt = $db->prepare("insert into clients + ( site_name, site_owner, client_id, owner_id, redirect_url ) +values ( ?, ?, ?, ?, ? ) "); + + $clientID = $outArray['CLIENT ID']; + $retcode = $stmt->execute([$siteName, $clientName, $clientID, $clientDN, $redirectURL]); + + + $dbClientID = $db->lastInsertID(); + + $stmt = $db->prepare("insert into owner_email ( client_id, e_mail ) values ( ?, ? )"); + + foreach ($clientEMail as $mail) { + $retcode = $stmt->execute([$dbClientID, $mail]); + } + + } else { + echo "

"; + echo "Unable to register new client."; + echo "

"; + + } + + } + +} else { + ?> + +
+
+ + + + + + + + + + + +
+

+ How to Register a New Site +

+
+
+
+ To make use of this system and register a site, + you need the following things: +
+
    +
  1. + A unique name to identify your site registration +
  2. +
    +
  3. + The "Redirect URL" that the OpenID plugin + for the site that you are registering requires. +
  4. +
    +
  5. + Does your plugin use Post or Basic authentication? + The default is POST. If you have requirements other than those two, please contact + the CAcert OpenID development team at bmccullough@cacert.org +
  6. +
    +
  7. + Optional notes for yourself. +
  8. +
+

+ You may download the various URLs provided by the OpenID component + here +

+
+
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + +
+ + + +
+ + + +
+ + + + +
+ + +
+ + + +
+
+
+ + +
+
+
+ +
+
+
+ + "; + +echo file_get_contents("html/footer.html"); + +echo "
"; +echo '

Copyright © CAcert, Inc '; +echo date("Y"); +echo "

"; + +echo "
"; + +echo "
"; diff --git a/scotland-travel-destination-shutterstock-512226913.jpg b/scotland-travel-destination-shutterstock-512226913.jpg new file mode 100644 index 0000000..8bb97df Binary files /dev/null and b/scotland-travel-destination-shutterstock-512226913.jpg differ diff --git a/style.css b/style.css new file mode 100644 index 0000000..33c2951 --- /dev/null +++ b/style.css 
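Review bot: Both the duplicate check and the Hydra invocation build their text from raw POST fields: `$siteName` is interpolated into `select created_at from clients where site_name = '$siteName' ...`, and `$siteName`/`$redirectURL` are placed inside single quotes in `$hydra_command` before `exec()`, so a value containing `'` escapes the quoting and runs arbitrary commands as the web server user. The insert further down already uses `prepare`/`execute` with `?`, so the SELECT should do the same, and every `exec()` argument must go through `escapeshellarg()`. Separately, `$ini_arr[ 'AuthURL' ]`, `'TokenURL'` and `'UserInfoURL'` are read at the top level although cacert.ini.sample puts them under `[URLs]` (the endpoint is correctly read as `$ini_arr['URLs']['InternalHydraEndpointURL']`), so the URL table prints empty cells; and the message `Found an existing record for that site: '$siteName'` reflects the input without `htmlspecialchars()`. The hunk's first lines (the ini parse and the `count($_POST)` guard) are not legible here.
```php
$stmt = $db->prepare("select created_at from clients where site_name = ? and owner_id like ? and deleted_at is null");
$stmt->execute([$siteName, '%' . $clientName . '%']);
$res = $stmt->fetch(PDO::FETCH_ASSOC);
// … unchanged: duplicate-record message, SAN e-mail collection, auth-method switch …
$hydra_command = '/srv/hydra/bin/hydra create oauth2-client'
    . ' --endpoint ' . escapeshellarg($ini_arr['URLs']['InternalHydraEndpointURL'])
    . ' --name ' . escapeshellarg($siteName)
    . ' --owner ' . escapeshellarg($clientDN)
    . ' --redirect-uri ' . escapeshellarg($redirectURL)
    . ' --token-endpoint-auth-method ' . escapeshellarg($endpointAuthMethod)
    . ' --scope openid,offline,offline_access,profile,email';
$retcode = exec($hydra_command, $hydraArray);
// … unchanged: parsing of hydra output into $outArray, client ID/secret table …
echo $ini_arr['URLs']['AuthURL'];
// … likewise $ini_arr['URLs']['TokenURL'] and $ini_arr['URLs']['UserInfoURL'] …
```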
@@ -0,0 +1,204 @@ +/* Transitions aren't quite as smooth on firefox */ + +:root { + --gradient: conic-gradient( + from 240deg at 50% 50%, + #00ffc3, + #00fad9, + #00f4f0, + #00eeff, + #00e6ff, + #00dcff, + #00d2ff, + #00c5ff, + #00b8ff, + #6da8ff, + #9f97ff, + #c285ff + ); +} + +*, *::before, *::after { + box-sizing: border-box; + font-family: "Poppins", sans-serif; +} + +body, html { + -webkit-text-size-adjust: 100%; + -webkit-tap-highlight-color: transparent; + -webkit-font-smoothing: antialiased; + text-rendering: optimizeLegibility; +} + +body { + background-color: black; + background-image: url(scotland-travel-destination-shutterstock-512226913.jpg); + background-repeat: no-repeat; + background-size: cover; +} + +.headerDiv { + display: block; + position: fixed; + top: 0; + left: 0; +} + +a:link, a:visited, a:hover, a:active { + color: black; +} + +.navDiv { + display: flex; + flex: auto; + align-items: center; + justify-content: center; + margin-top: 15em; +} + +.navDiv a { + text-decoration: none; +} + +.navDiv ul { + list-style-type: none; + color: black; + background-color: lightblue; + padding: 10px; +} + +.navDiv li { + font-size: x-large; +} + +input.navDiv { + display: none; +} + +.scrollDiv { + overflow-y: scroll; + overflow-x: scroll; + border: 5px outset blue; + background-color: lightblue; + position: absolute; + margin: auto; + top: 10em; + width: 85%; +} + +/* Define the scrollbar style */ +.scrollDiv::-webkit-scrollbar { + width: 10px; + height: 10px; +} + +/* Define the thumb style */ +.scrollDiv::-webkit-scrollbar-thumb { + background: linear-gradient(to bottom right, #4d7fff 0%, #1a56ff 100%); + border-radius: 5px; +} + +/* Define the track style */ +.scrollDiv::-webkit-scrollbar-track { + background-color: #ddd; + border: 1px solid #ccc; +} + +/* Define the button style */ +.scrollDiv::-webkit-scrollbar-button { + background-color: #4d7fff; + border-radius: 5px; +} + +/* Define the button style when being hovered over */ 
+.scrollDiv::-webkit-scrollbar-button:hover { + background-color: #999999; +} + + +table, th, td { + border: 1px solid black; + border-collapse: collapse; + padding: 5px; + text-align: left; +} + + +.myDiv { + display: block; + /*border: 5px outset red;*/ + padding: 5px; + background-color: lightblue; + text-align: center; +} + +input.myDiv { + display: inline; +} + +table.myDiv, th.myDiv, td.myDiv { + border: 1px solid black; + border-collapse: collapse; + padding: 5px; +} + +.aboutDiv { + width: 80%; + height: 60%; + position: absolute; + top: 10em; + left: 50px; + background-color: lightblue; + /*margin: 30px auto;*/ + box-shadow: 0 0 2px gray; + padding: 20px; +} + +/* Define the scrollbar style */ +.aboutDiv::-webkit-scrollbar { + width: 10px; + height: 10px; +} + +/* Define the thumb style */ +.aboutDiv::-webkit-scrollbar-thumb { + background: linear-gradient(to bottom right, #4d7fff 0%, #1a56ff 100%); + border-radius: 5px; +} + +/* Define the track style */ +.aboutDiv::-webkit-scrollbar-track { + background-color: #ddd; + border: 1px solid #ccc; +} + +/* Define the button style */ +.aboutDiv::-webkit-scrollbar-button { + background-color: #4d7fff; + border-radius: 5px; +} + +/* Define the button style when being hovered over */ +.aboutDiv::-webkit-scrollbar-button:hover { + background-color: #999999; +} + +.instructionsDiv { + border: 5px outset blue; + background-color: lightblue; + text-align: left; + width: 50em; + padding: 15px; + padding-left: 1em; + margin: auto; + min-height: 7em; +} + +.pageFooter { + width:auto; + color: black; + background: lightgrey ; + padding: 1em; + vertical-align: bottom; + +}