authorMichael Tänzer <neo@nhng.de>2011-04-11 00:49:26 +0200
committerMichael Tänzer <neo@nhng.de>2011-04-11 00:49:26 +0200
commitcd9e6e79631835fddda384801f5e3c415cbc5d90 (patch)
treeaf7b3f66910db34a87d3565e93fc5e434761f4c7 /includes/account_stuff.php
parent803eaaf70962b3beedc5cb8ce0f82aa8e7fe589f (diff)
#918: add checkWeakKeyX509()
#918: "Weak keys in certificates" Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'includes/account_stuff.php')
-rw-r--r--includes/account_stuff.php47
1 files changed, 47 insertions, 0 deletions
diff --git a/includes/account_stuff.php b/includes/account_stuff.php
index e8beb7f..7c8980c 100644
--- a/includes/account_stuff.php
+++ b/includes/account_stuff.php
@@ -354,6 +354,53 @@ function hideall() {
}
/**
+ * Checks whether the given X509 certificate contains a vulnerable key
+ *
+ * @param $cert string
+ * The X509 certificate to be checked
+ * @param $encoding string [optional]
+ * The encoding the certificate is in (for the "-inform" parameter of
+ * OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed)
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+ function checkWeakKeyX509($cert, $encoding = "PEM")
+ {
+ // non-PEM-encodings may be binary so don't use echo
+ $descriptorspec = array(
+ 0 => array("pipe", "r"), // STDIN for child
+ 1 => array("pipe", "w"), // STDOUT for child
+ );
+ $encoding = escapeshellarg($encoding);
+ $proc = proc_open("openssl x509 -inform $encoding -text -noout",
+ $descriptorspec, $pipes);
+
+ if (is_resource($proc))
+ {
+ fwrite($pipes[0], $cert);
+ fclose($pipes[0]);
+
+ $certText = "";
+ while (!feof($pipes[1]))
+ {
+ $certText .= fread($pipes[1], 8192);
+ }
+ fclose($pipes[1]);
+
+ if (($status = proc_close($proc)) !== 0 || $certText === "")
+ {
+ return _("I didn't receive a valid Certificate Request, hit ".
+ "the back button and try again.");
+ }
+ } else {
+ return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+ }
+
+
+ return checkWeakKeyText($certText);
+ }
+
+ /**
* Checks whether the given SPKAC contains a vulnerable key
*
* @param $spkac string