|
@@ -27,9 +27,9 @@ discard block |
|
|
27
|
27
|
#private const EDUPKI_ENDPOINT_PUBLIC = "https://pki.edupki.org/edupki-ca/cgi-bin/pub/soap?wsdl=1"; |
28
|
28
|
#private const EDUPKI_ENDPOINT_RA = "https://ra.edupki.org/edupki-ca/cgi-bin/ra/soap?wsdl=1"; |
29
|
29
|
|
30
|
|
- private const LOCATION_RA_CERT = ROOT . "/config/SilverbulletClientCerts/edupki-test-ra.pem"; |
31
|
|
- private const LOCATION_RA_KEY = ROOT . "/config/SilverbulletClientCerts/edupki-test-ra.clearkey"; |
32
|
|
- private const LOCATION_WEBROOT = ROOT . "/config/SilverbulletClientCerts/eduPKI-webserver-root.pem"; |
|
30
|
+ private const LOCATION_RA_CERT = ROOT."/config/SilverbulletClientCerts/edupki-test-ra.pem"; |
|
31
|
+ private const LOCATION_RA_KEY = ROOT."/config/SilverbulletClientCerts/edupki-test-ra.clearkey"; |
|
32
|
+ private const LOCATION_WEBROOT = ROOT."/config/SilverbulletClientCerts/eduPKI-webserver-root.pem"; |
33
|
33
|
private const EDUPKI_RA_ID = 700; |
34
|
34
|
private const EDUPKI_CERT_PROFILE_BOTH = "Radius Server SOAP"; |
35
|
35
|
private const EDUPKI_CERT_PROFILE_IDP = "Radius Server SOAP"; |
|
@@ -49,13 +49,13 @@ discard block |
|
|
49
|
49
|
parent::__construct(); |
50
|
50
|
|
51
|
51
|
if (stat(CertificationAuthorityEduPkiServer::LOCATION_RA_CERT) === FALSE) { |
52
|
|
- throw new Exception("RA operator PEM file not found: " . CertificationAuthorityEduPkiServer::LOCATION_RA_CERT); |
|
52
|
+ throw new Exception("RA operator PEM file not found: ".CertificationAuthorityEduPkiServer::LOCATION_RA_CERT); |
53
|
53
|
} |
54
|
54
|
if (stat(CertificationAuthorityEduPkiServer::LOCATION_RA_KEY) === FALSE) { |
55
|
|
- throw new Exception("RA operator private key file not found: " . CertificationAuthorityEduPkiServer::LOCATION_RA_KEY); |
|
55
|
+ throw new Exception("RA operator private key file not found: ".CertificationAuthorityEduPkiServer::LOCATION_RA_KEY); |
56
|
56
|
} |
57
|
57
|
if (stat(CertificationAuthorityEduPkiServer::LOCATION_WEBROOT) === FALSE) { |
58
|
|
- throw new Exception("CA website root CA file not found: " . CertificationAuthorityEduPkiServer::LOCATION_WEBROOT); |
|
58
|
+ throw new Exception("CA website root CA file not found: ".CertificationAuthorityEduPkiServer::LOCATION_WEBROOT); |
59
|
59
|
} |
60
|
60
|
} |
61
|
61
|
|
|
@@ -122,22 +122,22 @@ discard block |
|
|
122
|
122
|
throw new Exception("Unexpected policies requested."); |
123
|
123
|
} |
124
|
124
|
$altArray = [# Array mit den Subject Alternative Names |
125
|
|
- "email:" . $csr["USERMAIL"] |
|
125
|
+ "email:".$csr["USERMAIL"] |
126
|
126
|
]; |
127
|
127
|
foreach ($csr["ALTNAMES"] as $oneAltName) { |
128
|
|
- $altArray[] = "DNS:" . $oneAltName; |
|
128
|
+ $altArray[] = "DNS:".$oneAltName; |
129
|
129
|
} |
130
|
130
|
$soapPub = $this->initEduPKISoapSession("PUBLIC"); |
131
|
131
|
$this->loggerInstance->debug(5, "FIRST ACTUAL SOAP REQUEST (Public, newRequest)!\n"); |
132
|
|
- $this->loggerInstance->debug(5, "PARAM_1: " . CertificationAuthorityEduPkiServer::EDUPKI_RA_ID . "\n"); |
133
|
|
- $this->loggerInstance->debug(5, "PARAM_2: " . $csr["CSR_STRING"] . "\n"); |
|
132
|
+ $this->loggerInstance->debug(5, "PARAM_1: ".CertificationAuthorityEduPkiServer::EDUPKI_RA_ID."\n"); |
|
133
|
+ $this->loggerInstance->debug(5, "PARAM_2: ".$csr["CSR_STRING"]."\n"); |
134
|
134
|
$this->loggerInstance->debug(5, "PARAM_3: "); |
135
|
135
|
$this->loggerInstance->debug(5, $altArray); |
136
|
|
- $this->loggerInstance->debug(5, "PARAM_4: " . $profile . "\n"); |
137
|
|
- $this->loggerInstance->debug(5, "PARAM_5: " . sha1("notused") . "\n"); |
138
|
|
- $this->loggerInstance->debug(5, "PARAM_6: " . $csr["USERNAME"] . "\n"); |
139
|
|
- $this->loggerInstance->debug(5, "PARAM_7: " . $csr["USERMAIL"] . "\n"); |
140
|
|
- $this->loggerInstance->debug(5, "PARAM_8: " . ProfileSilverbullet::PRODUCTNAME . "\n"); |
|
136
|
+ $this->loggerInstance->debug(5, "PARAM_4: ".$profile."\n"); |
|
137
|
+ $this->loggerInstance->debug(5, "PARAM_5: ".sha1("notused")."\n"); |
|
138
|
+ $this->loggerInstance->debug(5, "PARAM_6: ".$csr["USERNAME"]."\n"); |
|
139
|
+ $this->loggerInstance->debug(5, "PARAM_7: ".$csr["USERMAIL"]."\n"); |
|
140
|
+ $this->loggerInstance->debug(5, "PARAM_8: ".ProfileSilverbullet::PRODUCTNAME."\n"); |
141
|
141
|
$this->loggerInstance->debug(5, "PARAM_9: false\n"); |
142
|
142
|
$soapNewRequest = $soapPub->newRequest( |
143
|
143
|
CertificationAuthorityEduPkiServer::EDUPKI_RA_ID, # RA-ID |
|
@@ -159,11 +159,11 @@ discard block |
|
|
159
|
159
|
} catch (Exception $e) { |
160
|
160
|
// PHP 7.1 can do this much better |
161
|
161
|
if (is_soap_fault($e)) { |
162
|
|
- throw new Exception("Error when sending SOAP request: " . "{$e->faultcode}: { |
|
162
|
+ throw new Exception("Error when sending SOAP request: "."{$e->faultcode}: { |
163
|
163
|
$e->faultstring |
164
|
164
|
}\n"); |
165
|
165
|
} |
166
|
|
- throw new Exception("Something odd happened while doing the SOAP request:" . $e->getMessage()); |
|
166
|
+ throw new Exception("Something odd happened while doing the SOAP request:".$e->getMessage()); |
167
|
167
|
} |
168
|
168
|
try { |
169
|
169
|
$soap = $this->initEduPKISoapSession("RA"); |
|
@@ -195,7 +195,7 @@ discard block |
|
|
195
|
195
|
// for obnoxious reasons, we have to dump the request into a file and let pkcs7_sign read from the file |
196
|
196
|
// rather than just using the string. Grr. |
197
|
197
|
$tempdir = \core\common\Entity::createTemporaryDirectory("test"); |
198
|
|
- file_put_contents($tempdir['dir'] . "/content.txt", $soapCleartext); |
|
198
|
+ file_put_contents($tempdir['dir']."/content.txt", $soapCleartext); |
199
|
199
|
// retrieve our RA cert from filesystem |
200
|
200
|
// the RA certificates are not needed right now because we |
201
|
201
|
// have resorted to S/MIME signatures with openssl command-line |
|
@@ -207,7 +207,7 @@ discard block |
|
|
207
|
207
|
// sign the data, using cmdline because openssl_pkcs7_sign produces strange results |
208
|
208
|
// -binary didn't help, nor switch -md to sha1 sha256 or sha512 |
209
|
209
|
$this->loggerInstance->debug(5, "Actual content to be signed is this:\n $soapCleartext\n"); |
210
|
|
- $execCmd = \config\Master::PATHS['openssl'] . " smime -sign -binary -in " . $tempdir['dir'] . "/content.txt -out " . $tempdir['dir'] . "/signature.txt -outform pem -inkey " . CertificationAuthorityEduPkiServer::LOCATION_RA_KEY . " -signer " . CertificationAuthorityEduPkiServer::LOCATION_RA_CERT; |
|
210
|
+ $execCmd = \config\Master::PATHS['openssl']." smime -sign -binary -in ".$tempdir['dir']."/content.txt -out ".$tempdir['dir']."/signature.txt -outform pem -inkey ".CertificationAuthorityEduPkiServer::LOCATION_RA_KEY." -signer ".CertificationAuthorityEduPkiServer::LOCATION_RA_CERT; |
211
|
211
|
$this->loggerInstance->debug(2, "Calling openssl smime with following cmdline: $execCmd\n"); |
212
|
212
|
$output = []; |
213
|
213
|
$return = 999; |
|
@@ -216,21 +216,21 @@ discard block |
|
|
216
|
216
|
throw new Exception("Non-zero return value from openssl smime!"); |
217
|
217
|
} |
218
|
218
|
// and get the signature blob back from the filesystem |
219
|
|
- $detachedSig = trim(file_get_contents($tempdir['dir'] . "/signature.txt")); |
|
219
|
+ $detachedSig = trim(file_get_contents($tempdir['dir']."/signature.txt")); |
220
|
220
|
$this->loggerInstance->debug(5, "Request for server approveRequest has parameters:\n"); |
221
|
|
- $this->loggerInstance->debug(5, $soapReqnum . "\n"); |
222
|
|
- $this->loggerInstance->debug(5, $soapCleartext . "\n"); // PHP magically encodes this as base64 while sending! |
223
|
|
- $this->loggerInstance->debug(5, $detachedSig . "\n"); |
|
221
|
+ $this->loggerInstance->debug(5, $soapReqnum."\n"); |
|
222
|
+ $this->loggerInstance->debug(5, $soapCleartext."\n"); // PHP magically encodes this as base64 while sending! |
|
223
|
+ $this->loggerInstance->debug(5, $detachedSig."\n"); |
224
|
224
|
$soapIssueCert = $soap->approveRequest($soapReqnum, $soapCleartext, $detachedSig); |
225
|
|
- $this->loggerInstance->debug(5, "approveRequest Request was: \n" . $soap->__getLastRequest()); |
226
|
|
- $this->loggerInstance->debug(5, "approveRequest Response was: \n" . $soap->__getLastResponse()); |
|
225
|
+ $this->loggerInstance->debug(5, "approveRequest Request was: \n".$soap->__getLastRequest()); |
|
226
|
+ $this->loggerInstance->debug(5, "approveRequest Response was: \n".$soap->__getLastResponse()); |
227
|
227
|
if ($soapIssueCert === FALSE) { |
228
|
228
|
throw new Exception("The locally approved request was NOT processed by the CA."); |
229
|
229
|
} |
230
|
230
|
} catch (SoapFault $e) { |
231
|
|
- throw new Exception("SoapFault: Error when sending or receiving SOAP message: " . "{$e->faultcode}: {$e->faultname}: {$e->faultstring}: {$e->faultactor}: {$e->detail}: {$e->headerfault}\n"); |
|
231
|
+ throw new Exception("SoapFault: Error when sending or receiving SOAP message: "."{$e->faultcode}: {$e->faultname}: {$e->faultstring}: {$e->faultactor}: {$e->detail}: {$e->headerfault}\n"); |
232
|
232
|
} catch (Exception $e) { |
233
|
|
- throw new Exception("Exception: Something odd happened between the SOAP requests:" . $e->getMessage()); |
|
233
|
+ throw new Exception("Exception: Something odd happened between the SOAP requests:".$e->getMessage()); |
234
|
234
|
} |
235
|
235
|
return $soapReqnum; |
236
|
236
|
} |
|
@@ -282,9 +282,9 @@ discard block |
|
|
282
|
282
|
throw new Exception("CAInfo has no root certificate for us!"); |
283
|
283
|
} |
284
|
284
|
} catch (SoapFault $e) { |
285
|
|
- throw new Exception("SoapFault: Error when sending or receiving SOAP message: " . "{$e->faultcode}: {$e->faultname}: {$e->faultstring}: {$e->faultactor}: {$e->detail}: {$e->headerfault}\n"); |
|
285
|
+ throw new Exception("SoapFault: Error when sending or receiving SOAP message: "."{$e->faultcode}: {$e->faultname}: {$e->faultstring}: {$e->faultactor}: {$e->detail}: {$e->headerfault}\n"); |
286
|
286
|
} catch (Exception $e) { |
287
|
|
- throw new Exception("Exception: Something odd happened between the SOAP requests:" . $e->getMessage()); |
|
287
|
+ throw new Exception("Exception: Something odd happened between the SOAP requests:".$e->getMessage()); |
288
|
288
|
} |
289
|
289
|
return [ |
290
|
290
|
"CERT" => openssl_x509_read($parsedCert['pem']), |
|
@@ -317,12 +317,12 @@ discard block |
|
|
317
|
317
|
// for obnoxious reasons, we have to dump the request into a file and let pkcs7_sign read from the file |
318
|
318
|
// rather than just using the string. Grr. |
319
|
319
|
$tempdir = \core\common\Entity::createTemporaryDirectory("test"); |
320
|
|
- file_put_contents($tempdir['dir'] . "/content.txt", $soapRawRevRequest); |
|
320
|
+ file_put_contents($tempdir['dir']."/content.txt", $soapRawRevRequest); |
321
|
321
|
// retrieve our RA cert from filesystem |
322
|
322
|
// sign the data, using cmdline because openssl_pkcs7_sign produces strange results |
323
|
323
|
// -binary didn't help, nor switch -md to sha1 sha256 or sha512 |
324
|
324
|
$this->loggerInstance->debug(5, "Actual content to be signed is this:\n$soapRawRevRequest\n"); |
325
|
|
- $execCmd = \config\Master::PATHS['openssl'] . " smime -sign -binary -in " . $tempdir['dir'] . "/content.txt -out " . $tempdir['dir'] . "/signature.txt -outform pem -inkey " . CertificationAuthorityEduPkiServer::LOCATION_RA_KEY . " -signer " . CertificationAuthorityEduPkiServer::LOCATION_RA_CERT; |
|
325
|
+ $execCmd = \config\Master::PATHS['openssl']." smime -sign -binary -in ".$tempdir['dir']."/content.txt -out ".$tempdir['dir']."/signature.txt -outform pem -inkey ".CertificationAuthorityEduPkiServer::LOCATION_RA_KEY." -signer ".CertificationAuthorityEduPkiServer::LOCATION_RA_CERT; |
326
|
326
|
$this->loggerInstance->debug(2, "Calling openssl smime with following cmdline: $execCmd\n"); |
327
|
327
|
$output = []; |
328
|
328
|
$return = 999; |
|
@@ -331,7 +331,7 @@ discard block |
|
|
331
|
331
|
throw new Exception("Non-zero return value from openssl smime!"); |
332
|
332
|
} |
333
|
333
|
// and get the signature blob back from the filesystem |
334
|
|
- $detachedSig = trim(file_get_contents($tempdir['dir'] . "/signature.txt")); |
|
334
|
+ $detachedSig = trim(file_get_contents($tempdir['dir']."/signature.txt")); |
335
|
335
|
$soapIssueRev = $soap->approveRevocationRequest($soapRevocationSerial, $soapRawRevRequest, $detachedSig); |
336
|
336
|
if ($soapIssueRev === FALSE) { |
337
|
337
|
throw new Exception("The locally approved revocation request was NOT processed by the CA."); |
|
@@ -339,9 +339,9 @@ discard block |
|
|
339
|
339
|
} catch (Exception $e) { |
340
|
340
|
// PHP 7.1 can do this much better |
341
|
341
|
if (is_soap_fault($e)) { |
342
|
|
- throw new Exception("Error when sending SOAP request: " . "{$e->faultcode}: {$e->faultstring}\n"); |
|
342
|
+ throw new Exception("Error when sending SOAP request: "."{$e->faultcode}: {$e->faultstring}\n"); |
343
|
343
|
} |
344
|
|
- throw new Exception("Something odd happened while doing the SOAP request:" . $e->getMessage()); |
|
344
|
+ throw new Exception("Something odd happened while doing the SOAP request:".$e->getMessage()); |
345
|
345
|
} |
346
|
346
|
} |
347
|
347
|
|
|
@@ -441,9 +441,9 @@ discard block |
|
|
441
|
441
|
*/ |
442
|
442
|
public function soapToXmlInteger($x) |
443
|
443
|
{ |
444
|
|
- return '<' . $x[0] . '>' |
|
444
|
+ return '<'.$x[0].'>' |
445
|
445
|
. htmlentities($x[1], ENT_NOQUOTES | ENT_XML1) |
446
|
|
- . '</' . $x[0] . '>'; |
|
446
|
+ . '</'.$x[0].'>'; |
447
|
447
|
} |
448
|
448
|
|
449
|
449
|
/** |
|
@@ -462,9 +462,9 @@ discard block |
|
|
462
|
462
|
// dump private key into directory |
463
|
463
|
$outstring = ""; |
464
|
464
|
openssl_pkey_export($privateKey, $outstring); |
465
|
|
- file_put_contents($tempdir . "/pkey.pem", $outstring); |
|
465
|
+ file_put_contents($tempdir."/pkey.pem", $outstring); |
466
|
466
|
// PHP can only do one DC in the Subject. But we need three. |
467
|
|
- $execCmd = \config\Master::PATHS['openssl'] . " req -new -sha256 -key $tempdir/pkey.pem -out $tempdir/request.csr -subj /DC=test/DC=test/DC=eduroam/C=$fed/O=" . \config\ConfAssistant::CONSORTIUM['name'] . "/OU=$fed/CN=$username/emailAddress=$username"; |
|
467
|
+ $execCmd = \config\Master::PATHS['openssl']." req -new -sha256 -key $tempdir/pkey.pem -out $tempdir/request.csr -subj /DC=test/DC=test/DC=eduroam/C=$fed/O=".\config\ConfAssistant::CONSORTIUM['name']."/OU=$fed/CN=$username/emailAddress=$username"; |
468
|
468
|
$this->loggerInstance->debug(2, "Calling openssl req with following cmdline: $execCmd\n"); |
469
|
469
|
$output = []; |
470
|
470
|
$return = 999; |
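Review bot: The `openssl req` command line at new line 467 interpolates `$username` and `$fed` into `-subj` without any escaping, so a value containing a shell metacharacter such as `;`, a space or `$(` alters the command rather than the certificate subject, and a `/` inside `$username` is read by openssl as the start of a new RDN. Where these values originate is not visible in the hunk, so if they can be influenced by an end user or an IdP administrator the subject should be assembled first and passed as a single escaped argument: `$subj = "/DC=test/DC=test/DC=eduroam/C=$fed/O=".\config\ConfAssistant::CONSORTIUM['name']."/OU=$fed/CN=$username/emailAddress=$username";` followed by `" -subj ".escapeshellarg($subj)`, with the two `$tempdir` paths wrapped the same way and `$username` rejected or `\/`-escaped when it contains `/`. The private key is exported unencrypted to `$tempdir/pkey.pem` on line 465, so the temporary directory's permissions and its removal are the only protection for that key; the enclosing method starts and ends outside this hunk, so I cannot confirm the cleanup here. `openssl_pkey_export()` also returns false on failure, and checking that before `file_put_contents` would avoid writing an empty key file and then running openssl against it.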