1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1); $data = array(); $keys = implode('|', array_keys($needed)); preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER); foreach ($matches as $m) { $data[$m[1]] = $m[3] ? $m[3] : $m[4]; unset($needed[$m[1]]); } if ($needed) { error_log("EST: Missing auth parameter"); die('Authentication failed'); } $user = $data['username']; if (strlen($user) < 1) { error_log("EST: Empty username"); die('Authentication failed'); } $db = new PDO($osu_db); if (!$db) { error_log("EST: Could not access database"); die("Could not access database"); } $sql = "SELECT rowid,password,operation FROM sessions " . "WHERE user='$user' AND realm='$realm'"; $q = $db->query($sql); if (!$q) { error_log("EST: Session not found for user=$user realm=$realm"); die("Session not found"); } $row = $q->fetch(); if (!$row) { error_log("EST: Session fetch failed for user=$user realm=$realm"); die('Session not found'); } $rowid = $row['rowid']; $oper = $row['operation']; if ($oper != '5') { error_log("EST: Unexpected operation $oper for user=$user realm=$realm"); die("Session not found"); } $pw = $row['password']; if (strlen($pw) < 1) { error_log("EST: Empty password for user=$user realm=$realm"); die('Authentication failed'); } $A1 = md5($user . ':' . $realm . ':' . $pw); $A2 = md5($method . ':' . $data['uri']); $resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2); if ($data['response'] != $resp) { error_log("EST: Incorrect authentication response for user=$user realm=$realm"); die('Authentication failed'); } } if ($method == "GET" && $cmd == "cacerts") { $fname = "$osu_root/est/$realm-cacerts.pkcs7"; if (!file_exists($fname)) { error_log("EST: cacerts - unknown realm $realm"); die("Unknown realm"); } header("Content-Transfer-Encoding: base64"); header("Content-Type: application/pkcs7-mime"); $data = file_get_contents($fname); echo wordwrap(base64_encode($data), 72, "\n", true); echo "\n"; error_log("EST: cacerts"); } else if ($method == "GET" && $cmd == "csrattrs") { header("Content-Transfer-Encoding: base64"); header("Content-Type: application/csrattrs"); readfile("$osu_root/est/est-attrs.b64"); error_log("EST: csrattrs"); } else if ($method == "POST" && $cmd == "simpleenroll") { if (!isset($user) || strlen($user) == 0) { header('HTTP/1.1 401 Unauthorized'); header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); error_log("EST: simpleenroll - require authentication"); die('Authentication required'); } if (!isset($_SERVER["CONTENT_TYPE"])) { error_log("EST: simpleenroll without Content-Type"); die("Missing Content-Type"); } if (!stristr($_SERVER["CONTENT_TYPE"], "application/pkcs10")) { error_log("EST: simpleenroll - unexpected Content-Type: " . $_SERVER["CONTENT_TYPE"]); die("Unexpected Content-Type"); } $data = file_get_contents("php://input"); error_log("EST: simpleenroll - POST data from php://input: " . $data); $req = base64_decode($data); if ($req == FALSE) { error_log("EST: simpleenroll - Invalid base64-encoded PKCS#10 data"); die("Invalid base64-encoded PKCS#10 data"); } $cadir = "$osu_root/est"; $reqfile = "$cadir/tmp/cert-req.pkcs10"; $f = fopen($reqfile, "wb"); fwrite($f, $req); fclose($f); $req_pem = "$reqfile.pem"; if (file_exists($req_pem)) unlink($req_pem); exec("openssl req -in $reqfile -inform DER -out $req_pem -outform PEM"); if (!file_exists($req_pem)) { error_log("EST: simpleenroll - Failed to parse certificate request"); die("Failed to parse certificate request"); } /* FIX: validate request and add HS 2.0 extensions to cert */ $cert_pem = "$cadir/tmp/req-signed.pem"; if (file_exists($cert_pem)) unlink($cert_pem); exec("openssl x509 -req -in $req_pem -CAkey $cadir/cakey.pem -out $cert_pem -CA $cadir/cacert.pem -CAserial $cadir/serial -days 365 -text"); if (!file_exists($cert_pem)) { error_log("EST: simpleenroll - Failed to sign certificate"); die("Failed to sign certificate"); } $cert = file_get_contents($cert_pem); $handle = popen("openssl x509 -in $cert_pem -serial -noout", "r"); $serial = fread($handle, 200); pclose($handle); $pattern = "/serial=(?P[0-9a-fA-F:]*)/m"; preg_match($pattern, $serial, $matches); if (!isset($matches['snhex']) || strlen($matches['snhex']) < 1) { error_log("EST: simpleenroll - Could not get serial number"); die("Could not get serial number"); } $sn = str_replace(":", "", strtoupper($matches['snhex'])); $user = "cert-$sn"; error_log("EST: user = $user"); $cert_der = "$cadir/tmp/req-signed.der"; if (file_exists($cert_der)) unlink($cert_der); exec("openssl x509 -in $cert_pem -inform PEM -out $cert_der -outform DER"); if (!file_exists($cert_der)) { error_log("EST: simpleenroll - Failed to convert certificate"); die("Failed to convert certificate"); } $der = file_get_contents($cert_der); $fingerprint = hash("sha256", $der); $pkcs7 = "$cadir/tmp/est-client.pkcs7"; if (file_exists($pkcs7)) unlink($pkcs7); exec("openssl crl2pkcs7 -nocrl -certfile $cert_pem -out $pkcs7 -outform DER"); if (!file_exists($pkcs7)) { error_log("EST: simpleenroll - Failed to prepare PKCS#7 file"); die("Failed to prepare PKCS#7 file"); } if (!$db->exec("UPDATE sessions SET user='$user', cert='$fingerprint', cert_pem='$cert' WHERE rowid=$rowid")) { error_log("EST: simpleenroll - Failed to update session database"); die("Failed to update session database"); } header("Content-Transfer-Encoding: base64"); header("Content-Type: application/pkcs7-mime"); $data = file_get_contents($pkcs7); $resp = wordwrap(base64_encode($data), 72, "\n", true); echo $resp . "\n"; error_log("EST: simpleenroll - PKCS#7 response: " . $resp); } else { header("HTTP/1.0 404 Not Found"); error_log("EST: Unexpected method or path"); die("Unexpected method or path"); } ?>