author | Michael Tänzer <neo@nhng.de> | 2011-04-11 00:49:26 +0200 |
---|---|---|
committer | Michael Tänzer <neo@nhng.de> | 2011-04-11 00:49:26 +0200 |
commit | cd9e6e79631835fddda384801f5e3c415cbc5d90 (patch) | |
tree | af7b3f66910db34a87d3565e93fc5e434761f4c7 /includes/account_stuff.php | |
parent | 803eaaf70962b3beedc5cb8ce0f82aa8e7fe589f (diff) | |
#918: add checkWeakKeyX509()
#918: "Weak keys in certificates"
Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'includes/account_stuff.php')
-rw-r--r-- | includes/account_stuff.php | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/includes/account_stuff.php b/includes/account_stuff.php index e8beb7f..7c8980c 100644 --- a/includes/account_stuff.php +++ b/includes/account_stuff.php @@ -354,6 +354,53 @@ function hideall() { } /** + * Checks whether the given X509 certificate contains a vulnerable key + * + * @param $cert string + * The X509 certificate to be checked + * @param $encoding string [optional] + * The encoding the certificate is in (for the "-inform" parameter of + * OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed) + * @return string containing the reason if the key is considered weak, + * empty string otherwise + */ + function checkWeakKeyX509($cert, $encoding = "PEM") + { + // non-PEM-encodings may be binary so don't use echo + $descriptorspec = array( + 0 => array("pipe", "r"), // STDIN for child + 1 => array("pipe", "w"), // STDOUT for child + ); + $encoding = escapeshellarg($encoding); + $proc = proc_open("openssl x509 -inform $encoding -text -noout", + $descriptorspec, $pipes); + + if (is_resource($proc)) + { + fwrite($pipes[0], $cert); + fclose($pipes[0]); + + $certText = ""; + while (!feof($pipes[1])) + { + $certText .= fread($pipes[1], 8192); + } + fclose($pipes[1]); + + if (($status = proc_close($proc)) !== 0 || $certText === "") + { + return _("I didn't receive a valid Certificate Request, hit ". + "the back button and try again."); + } + } else { + return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL"); + } + + + return checkWeakKeyText($certText); + } + + /** * Checks whether the given SPKAC contains a vulnerable key * * @param $spkac string |
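Review bot: The failure branch of checkWeakKeyX509() reports the wrong function name — `failWithId("checkWeakKeyCSR(): Failed to start OpenSSL")` looks copied from the CSR variant, so a log entry from this path would send an operator to the wrong code; it should read `return failWithId("checkWeakKeyX509(): Failed to start OpenSSL");`. The user-facing string in the non-zero-exit branch has the same origin ("Certificate Request" describes a CSR, while this function parses a certificate), though changing that gettext string also touches the translation catalogue. The docblock restricts $encoding to "PEM", "DER" or "NET" but nothing enforces it; escapeshellarg() already rules out shell injection, yet a guard such as `if (!in_array($encoding, array("PEM", "DER", "NET"), true)) { return failWithId("checkWeakKeyX509(): unsupported encoding"); }` placed before the escapeshellarg() call would make the documented contract real and keep unexpected values away from the openssl invocation. `$status` is assigned inside the proc_close() test but never read afterwards, so the assignment can be dropped.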