summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xCommModule/client.pl4
-rw-r--r--README1
-rw-r--r--includes/about_menu.php2
-rw-r--r--includes/account.php157
-rw-r--r--includes/account_stuff.php357
-rw-r--r--includes/general.php4
-rw-r--r--includes/mysql.php.sample4
-rw-r--r--[-rwxr-xr-x]pages/index/16.php15
-rw-r--r--pages/index/19.php94
-rw-r--r--pages/index/3.php15
-rw-r--r--scripts/31de-lt2011-berlin-email.txt20
-rw-r--r--scripts/31de-lt2011-berlin-mail.php.txt152
-rw-r--r--scripts/32de-ate-bonn-email.txt38
-rw-r--r--scripts/32de-ate-bonn-mail.php.txt151
-rw-r--r--scripts/33us-ate-wdc-email.txt40
-rw-r--r--scripts/33us-ate-wdc-mail.php.txt108
-rw-r--r--scripts/34us-ate-wdc-email.txt21
-rw-r--r--scripts/34us-ate-wdc-mail.php.txt108
-rw-r--r--scripts/35us-ate-ny-email.txt22
-rw-r--r--scripts/35us-ate-ny-mail.php.txt109
-rw-r--r--scripts/36us-ate-ny-email.txt34
-rw-r--r--scripts/36us-ate-ny-mail.php.txt109
-rwxr-xr-xscripts/DumpWeakCerts.pl179
-rwxr-xr-xscripts/mail-weak-keys.php161
-rw-r--r--scripts/perl_mysql.sample6
-rw-r--r--www/api/ccsr.php6
-rw-r--r--www/cap.html.php4
-rw-r--r--www/capnew.php10
-rw-r--r--www/certs/class3.crt73
-rw-r--r--www/certs/class3.derbin1548 -> 1885 bytes
-rw-r--r--www/certs/class3.txt152
-rw-r--r--www/coap.html.php4
-rw-r--r--www/coapnew.php14
-rw-r--r--www/index.php7
-rw-r--r--www/logos/CAcert-logo-colour-1000.pngbin0 -> 24317 bytes
-rw-r--r--www/logos/CAcert-logo-mono-1000.pngbin0 -> 19406 bytes
36 files changed, 1951 insertions, 230 deletions
diff --git a/CommModule/client.pl b/CommModule/client.pl
index 7b417d1..4e09c46 100755
--- a/CommModule/client.pl
+++ b/CommModule/client.pl
@@ -670,13 +670,13 @@ sub sendmail($$$$$$$)
SysLog "SMTP: ".<$smtp>;
print $smtp "HELO hlin.cacert.org\r\n";
SysLog "SMTP: ".<$smtp>;
- print $smtp "MAIL FROM: <returns\@cacert.org>\r\n";
+ print $smtp "MAIL FROM:<returns\@cacert.org>\r\n";
SysLog "MAIL FROM: ".<$smtp>;
@bits = split(",", $to);
foreach my $user (@bits)
{
- print $smtp "RCPT TO: <".trim($user).">\r\n";
+ print $smtp "RCPT TO:<".trim($user).">\r\n";
SysLog "RCPT TO: ".<$smtp>;
}
print $smtp "DATA\r\n";
diff --git a/README b/README
index 6e07b04..7f2ca78 100644
--- a/README
+++ b/README
@@ -9,6 +9,7 @@ PHP
GetText
UFPDF - PDF generation library from http://acko.net/node/56
OpenSSL - X.509 toolkit from http://www.openssl.org/
+openssl-vulnkey including blacklists for all common key sizes
GnuPG - OpenPGP toolkit from http://www.gnupg.org/
whois - whois client from http://www.linux.it/~md/software/
XEnroll - Enrollment Active-X control for IE5/6 from Microsoft (search for xenroll.cab)
diff --git a/includes/about_menu.php b/includes/about_menu.php
index 2f3080d..f34a274 100644
--- a/includes/about_menu.php
+++ b/includes/about_menu.php
@@ -4,7 +4,7 @@
<li><a href="http://blog.cacert.org/"><?=_("CAcert News")?></a></li>
<li><a href="http://wiki.CAcert.org/"><?=_("Wiki Documentation")?></a></li>
<li><a href="/policy/"><?=_("Policies")?></a></li>
- <li><a href="/index.php?id=19"><?=_("Point System")?></a></li>
+ <li><a href="//wiki.cacert.org/FAQ/Privileges"><?=_("Point System")?></a></li>
<li><a href="http://bugs.CAcert.org/"><?=_("Bug Database")?></a></li>
<? // <li><a href="/index.php?id=47">< = _ ("PR Materials" ) > </a></li> ?>
<? // <li><a href="/logos.php">< ? = _ ( " CAcert Logos " ) ? > </a></li> ?>
diff --git a/includes/account.php b/includes/account.php
index 685b53a..14702b9 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -299,6 +299,15 @@
$_SESSION['_config']['rootcert'] = 1;
$emails .= "SPKAC = $spkac";
+ if (($weakKey = checkWeakKeySPKAC($emails)) !== "")
+ {
+ $id = 4;
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$query = "insert into emailcerts set
`CN`='$defaultemail',
`keytype`='NS',
@@ -330,6 +339,16 @@
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") {
if($csr == "")
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."\n-----END CERTIFICATE REQUEST-----\n";
+
+ if (($weakKey = checkWeakKeyCSR($csr)) !== "")
+ {
+ $id = 4;
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$tmpfname = tempnam("/tmp", "id4CSR");
$fp = fopen($tmpfname, "w");
fputs($fp, $csr);
@@ -613,17 +632,23 @@
if($process != "" && $oldid == 10)
{
$CSR = clean_csr($_REQUEST['CSR']);
- $_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR");
- $fp = fopen($_SESSION['_config']['tmpfname'], "w");
if(strpos($CSR,"---BEGIN")===FALSE)
{
// In case the CSR is missing the ---BEGIN lines, add them automatically:
- fputs($fp,"-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n");
+ $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n";
}
- else
+
+ if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
{
- fputs($fp, $CSR);
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
}
+
+ $_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR");
+ $fp = fopen($_SESSION['_config']['tmpfname'], "w");
+ fputs($fp, $CSR);
fclose($fp);
$CSR = $_SESSION['_config']['tmpfname'];
$_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
@@ -658,6 +683,23 @@
if($process != "" && $oldid == 11)
{
+ if(!file_exists($_SESSION['_config']['tmpfname']))
+ {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+ showfooter();
+ exit;
+ }
+
+ if (($weakKey = checkWeakKeyCSR(file_get_contents(
+ $_SESSION['_config']['tmpfname']))) !== "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$id = 11;
if($_SESSION['_config']['0.CN'] == "" && $_SESSION['_config']['0.subjectAltName'] == "")
{
@@ -731,13 +773,6 @@
mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'");
$CSRname=generatecertpath("csr","server",$CSRid);
- if(!file_exists($_SESSION['_config']['tmpfname']))
- {
- showheader(_("My CAcert.org Account!"));
- printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
- showfooter();
- exit;
- }
rename($_SESSION['_config']['tmpfname'], $CSRname);
chmod($CSRname,0644);
mysql_query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'");
@@ -780,8 +815,17 @@
printf(_("Invalid ID '%s' presented, can't do anything with it.")."<br/>\n", $id);
continue;
}
- mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'");
+
$row = mysql_fetch_assoc($res);
+
+ if (($weakKey = checkWeakKeyX509(file_get_contents(
+ $row['crt_name']))) !== "")
+ {
+ echo $weakKey, "<br/>\n";
+ continue;
+ }
+
+ mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'");
$query = "insert into `domaincerts` set
`domid`='".$row['domid']."',
`CN`='".mysql_real_escape_string($row['CN'])."',
@@ -946,8 +990,17 @@
printf(_("Invalid ID '%s' presented, can't do anything with it.")."<br>\n", $id);
continue;
}
- mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'");
+
$row = mysql_fetch_assoc($res);
+
+ if (($weakKey = checkWeakKeyX509(file_get_contents(
+ $row['crt_name']))) !== "")
+ {
+ echo $weakKey, "<br/>\n";
+ continue;
+ }
+
+ mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'");
$query = "insert into emailcerts set
`memid`='".$row['memid']."',
`CN`='".mysql_real_escape_string($row['CN'])."',
@@ -1378,6 +1431,15 @@
$_SESSION['_config']['rootcert'] = 1;
$emails .= "SPKAC = $spkac";
+ if (($weakKey = checkWeakKeySPKAC($emails)) !== "")
+ {
+ $id = 17;
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$query = "insert into `orgemailcerts` set
`CN`='$defaultemail',
`keytype`='NS',
@@ -1408,6 +1470,16 @@
mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'");
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") {
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."-----END CERTIFICATE REQUEST-----\n";
+
+ if (($weakKey = checkWeakKeyCSR($csr)) !== "")
+ {
+ $id = 17;
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$tmpfname = tempnam("/tmp", "id17CSR");
$fp = fopen($tmpfname, "w");
fputs($fp, $csr);
@@ -1514,8 +1586,17 @@
printf(_("Invalid ID '%s' presented, can't do anything with it.")."<br>\n", $id);
continue;
}
- mysql_query("update `orgemailcerts` set `renewed`='1' where `id`='$id'");
+
$row = mysql_fetch_assoc($res);
+
+ if (($weakKey = checkWeakKeyX509(file_get_contents(
+ $row['crt_name']))) !== "")
+ {
+ echo $weakKey, "<br/>\n";
+ continue;
+ }
+
+ mysql_query("update `orgemailcerts` set `renewed`='1' where `id`='$id'");
if($row['revoke'] > 0)
{
printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."<br>\n", $row['CN']);
@@ -1625,6 +1706,16 @@
if($process != "" && $oldid == 20)
{
$CSR = clean_csr($_REQUEST['CSR']);
+
+ if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
+ {
+ $id = 20;
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id20CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -1674,6 +1765,23 @@
if($process != "" && $oldid == 21)
{
$id = 21;
+
+ if(!file_exists($_SESSION['_config']['tmpfname']))
+ {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+ showfooter();
+ exit;
+ }
+
+ if (($weakKey = checkWeakKeyCSR(file_get_contents(
+ $_SESSION['_config']['tmpfname']))) !== "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
if($_SESSION['_config']['0.CN'] == "" && $_SESSION['_config']['0.subjectAltName'] == "")
{
@@ -1799,8 +1907,17 @@
printf(_("Invalid ID '%s' presented, can't do anything with it.")."<br>\n", $id);
continue;
}
- mysql_query("update `orgdomaincerts` set `renewed`='1' where `id`='$id'");
+
$row = mysql_fetch_assoc($res);
+
+ if (($weakKey = checkWeakKeyX509(file_get_contents(
+ $row['crt_name']))) !== "")
+ {
+ echo $weakKey, "<br/>\n";
+ continue;
+ }
+
+ mysql_query("update `orgdomaincerts` set `renewed`='1' where `id`='$id'");
if($row['revoke'] > 0)
{
printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."<br>\n", $row['CN']);
@@ -2497,6 +2614,14 @@
showfooter();
exit;
}
+
+ if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo $weakKey;
+ showfooter();
+ exit;
+ }
$query = "insert into `domaincerts` set
`CN`='".$_SESSION['_config']['0.CN']."',
diff --git a/includes/account_stuff.php b/includes/account_stuff.php
index caa7dc7..b6fdd7a 100644
--- a/includes/account_stuff.php
+++ b/includes/account_stuff.php
@@ -284,4 +284,361 @@ function hideall() {
</body>
</html><?
}
+
+ /**
+ * Produces a log entry with the error message with log level E_USER_WARN
+ * and a random ID an returns a message that can be displayed to the user
+ * including the generated ID
+ *
+ * @param $errormessage string
+ * The error message that should be logged
+ * @return string containing the generated ID that can be displayed to the
+ * user
+ */
+ function failWithId($errormessage) {
+ $errorId = rand();
+ trigger_error("$errormessage. ID: $errorId", E_USER_WARNING);
+ return sprintf(_("Something went wrong when processing your request. ".
+ "Please contact %s for help and provide them with the ".
+ "following ID: %d"),
+ "<a href='mailto:support@cacert.org?subject=System%20Error%20-%20".
+ "ID%3A%20$errorId'>support@cacert.org</a>",
+ $errorId);
+ }
+
+ /**
+ * Checks whether the given CSR contains a vulnerable key
+ *
+ * @param $csr string
+ * The CSR to be checked
+ * @param $encoding string [optional]
+ * The encoding the CSR is in (for the "-inform" parameter of OpenSSL,
+ * currently only "PEM" (default) or "DER" allowed)
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+ function checkWeakKeyCSR($csr, $encoding = "PEM")
+ {
+ // non-PEM-encodings may be binary so don't use echo
+ $descriptorspec = array(
+ 0 => array("pipe", "r"), // STDIN for child
+ 1 => array("pipe", "w"), // STDOUT for child
+ );
+ $encoding = escapeshellarg($encoding);
+ $proc = proc_open("openssl req -inform $encoding -text -noout",
+ $descriptorspec, $pipes);
+
+ if (is_resource($proc))
+ {
+ fwrite($pipes[0], $csr);
+ fclose($pipes[0]);
+
+ $csrText = "";
+ while (!feof($pipes[1]))
+ {
+ $csrText .= fread($pipes[1], 8192);
+ }
+ fclose($pipes[1]);
+
+ if (($status = proc_close($proc)) !== 0 || $csrText === "")
+ {
+ return _("I didn't receive a valid Certificate Request, hit ".
+ "the back button and try again.");
+ }
+ } else {
+ return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+ }
+
+
+ return checkWeakKeyText($csrText);
+ }
+
+ /**
+ * Checks whether the given X509 certificate contains a vulnerable key
+ *
+ * @param $cert string
+ * The X509 certificate to be checked
+ * @param $encoding string [optional]
+ * The encoding the certificate is in (for the "-inform" parameter of
+ * OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed)
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+ function checkWeakKeyX509($cert, $encoding = "PEM")
+ {
+ // non-PEM-encodings may be binary so don't use echo
+ $descriptorspec = array(
+ 0 => array("pipe", "r"), // STDIN for child
+ 1 => array("pipe", "w"), // STDOUT for child
+ );
+ $encoding = escapeshellarg($encoding);
+ $proc = proc_open("openssl x509 -inform $encoding -text -noout",
+ $descriptorspec, $pipes);
+
+ if (is_resource($proc))
+ {
+ fwrite($pipes[0], $cert);
+ fclose($pipes[0]);
+
+ $certText = "";
+ while (!feof($pipes[1]))
+ {
+ $certText .= fread($pipes[1], 8192);
+ }
+ fclose($pipes[1]);
+
+ if (($status = proc_close($proc)) !== 0 || $certText === "")
+ {
+ return _("I didn't receive a valid Certificate Request, hit ".
+ "the back button and try again.");
+ }
+ } else {
+ return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+ }
+
+
+ return checkWeakKeyText($certText);
+ }
+
+ /**
+ * Checks whether the given SPKAC contains a vulnerable key
+ *
+ * @param $spkac string
+ * The SPKAC to be checked
+ * @param $spkacname string [optional]
+ * The name of the variable that contains the SPKAC. The default is
+ * "SPKAC"
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+ function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
+ {
+ /* Check for the debian OpenSSL vulnerability */
+
+ $spkac = escapeshellarg($spkac);
+ $spkacname = escapeshellarg($spkacname);
+ $spkacText = `echo $spkac | openssl spkac -spkac $spkacname`;
+ if ($spkacText === null) {
+ return _("I didn't receive a valid Certificate Request, hit the ".
+ "back button and try again.");
+ }
+
+ return checkWeakKeyText($spkacText);
+ }
+
+ /**
+ * Checks whether the given text representation of a CSR or a SPKAC contains
+ * a weak key
+ *
+ * @param $text string
+ * The text representation of a key as output by the
+ * "openssl <foo> -text -noout" commands
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+ function checkWeakKeyText($text)
+ {
+ /* Which public key algorithm? */
+ if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
+ $algorithm))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't extract the ".
+ "public key algorithm used");
+ } else {
+ $algorithm = $algorithm[1];
+ }
+
+
+ if ($algorithm === "rsaEncryption")
+ {
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ $keysize))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
+ "key size");
+ } else {
+ $keysize = intval($keysize[1]);
+ }
+
+ if ($keysize < 1024)
+ {
+ return sprintf(_("The keys that you use are very small ".
+ "and therefore insecure. Please generate stronger ".
+ "keys. More information about this issue can be ".
+ "found in %sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+ "</a>");
+ } elseif ($keysize < 2048) {
+ // not critical but log so we have some statistics about
+ // affected users
+ trigger_error("checkWeakKeyText(): Certificate for small ".
+ "key (< 2048 bit) requested", E_USER_NOTICE);
+ }
+
+
+ $debianVuln = checkDebianVulnerability($text, $keysize);
+ if ($debianVuln === true)
+ {
+ return sprintf(_("The keys you use have very likely been ".
+ "generated with a vulnerable version of OpenSSL which ".
+ "was distributed by debian. Please generate new keys. ".
+ "More information about this issue can be found in ".
+ "%sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#DebianVulnerability'>",
+ "</a>");
+ } elseif ($debianVuln === false) {
+ // not vulnerable => do nothing
+ } else {
+ return failWithId("checkWeakKeyText(): Something went wrong in".
+ "checkDebianVulnerability()");
+ }
+
+ if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
+ $exponent))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
+ "exponent");
+ } else {
+ $exponent = $exponent[1]; // exponent might be very big =>
+ //handle as string using bc*()
+
+ if (bccomp($exponent, "3") === 0)
+ {
+ return sprintf(_("The keys you use might be insecure. ".
+ "Although there is currently no known attack for ".
+ "reasonable encryption schemes, we're being ".
+ "cautious and don't allow certificates for such ".
+ "keys. Please generate stronger keys. More ".
+ "information about this issue can be found in ".
+ "%sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
+ "</a>");
+ } elseif (!(bccomp($exponent, "65537") >= 0 &&
+ (bccomp($exponent, "100000") === -1 ||
+ // speed things up if way smaller than 2^256
+ bccomp($exponent, bcpow("2", "256")) === -1) )) {
+ // 65537 <= exponent < 2^256 recommended by NIST
+ // not critical but log so we have some statistics about
+ // affected users
+ trigger_error("checkWeakKeyText(): Certificate for ".
+ "unsuitable exponent '$exponent' requested",
+ E_USER_NOTICE);
+ }
+ }
+ }
+
+ /* No weakness found */
+ return "";
+ }
+
+ /**
+ * Reimplement the functionality of the openssl-vulnkey tool
+ *
+ * @param $text string
+ * The text representation of a key as output by the
+ * "openssl <foo> -text -noout" commands
+ * @param $keysize int [optional]
+ * If the key size is already known it can be provided so it doesn't
+ * have to be parsed again. This also skips the check whether the key
+ * is an RSA key => use wisely
+ * @return TRUE if key is vulnerable, FALSE otherwise, NULL in case of error
+ */
+ function checkDebianVulnerability($text, $keysize = 0)
+ {
+ $keysize = intval($keysize);
+
+ if ($keysize === 0)
+ {
+ /* Which public key algorithm? */
+ if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
+ $algorithm))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't extract ".
+ "the public key algorithm used", E_USER_WARNING);
+ return null;
+ } else {
+ $algorithm = $algorithm[1];
+ }
+
+ if ($algorithm !== "rsaEncryption") return false;
+
+ /* Extract public key size */
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ $keysize))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't parse the ".
+ "RSA key size", E_USER_WARNING);
+ return null;
+ } else {
+ $keysize = intval($keysize[1]);
+ }
+ }
+
+ // $keysize has been made sure to contain an int
+ $blacklist = "/usr/share/openssl-blacklist/blacklist.RSA-$keysize";
+ if (!(is_file($blacklist) && is_readable($blacklist)))
+ {
+ if (in_array($keysize, array(512, 1024, 2048, 4096)))
+ {
+ trigger_error("checkDebianVulnerability(): Blacklist for ".
+ "$keysize bit keys not accessible. Expected at ".
+ "$blacklist", E_USER_ERROR);
+ return null;
+ }
+
+ trigger_error("checkDebianVulnerability(): $blacklist is not ".
+ "readable. Unsupported key size?", E_USER_WARNING);
+ return false;
+ }
+
+
+ /* Extract RSA modulus */
+ if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
+ '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
+ $text, $modulus))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't extract the ".
+ "RSA modulus", E_USER_WARNING);
+ return null;
+ } else {
+ $modulus = $modulus[1];
+ // strip whitespace and colon leftovers
+ $modulus = str_replace(array(" ", "\t", "\n", ":"), "", $modulus);
+
+ // when using "openssl xxx -text" first byte was 00 in all my test
+ // cases but 00 not present in the "openssl xxx -modulus" output
+ if ($modulus[0] === "0" && $modulus[1] === "0")
+ {
+ $modulus = substr($modulus, 2);
+ } else {
+ trigger_error("checkDebianVulnerability(): First byte is not ".
+ "zero", E_USER_NOTICE);
+ }
+
+ $modulus = strtoupper($modulus);
+ }
+
+
+ /* calculate checksum and look it up in the blacklist */
+ $checksum = substr(sha1("Modulus=$modulus\n"), 20);
+
+ // $checksum and $blacklist should be safe, but just to make sure
+ $checksum = escapeshellarg($checksum);
+ $blacklist = escapeshellarg($blacklist);
+ exec("grep $checksum $blacklist", $dummy, $debianVuln);
+ if ($debianVuln === 0) // grep returned something => it is on the list
+ {
+ return true;
+ } elseif ($debianVuln === 1) { // grep returned nothing
+ return false;
+ } else {
+ trigger_error("checkDebianVulnerability(): Something went wrong ".
+ "when looking up the key with checksum $checksum in the ".
+ "blacklist $blacklist", E_USER_ERROR);
+ return null;
+ }
+
+ // Should not get here
+ return null;
+ }
?>
diff --git a/includes/general.php b/includes/general.php
index 5789875..16b75e4 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -673,12 +673,12 @@
$line = fgets($fp, 4096);
if(substr($line, 0, 3) != "250")
continue;
- fputs($fp, "MAIL FROM: <returns@cacert.org>\r\n");
+ fputs($fp, "MAIL FROM:<returns@cacert.org>\r\n");
$line = fgets($fp, 4096);
if(substr($line, 0, 3) != "250")
continue;
- fputs($fp, "RCPT TO: <$email>\r\n");
+ fputs($fp, "RCPT TO:<$email>\r\n");
$line = trim(fgets($fp, 4096));
fputs($fp, "QUIT\r\n");
fclose($fp);
diff --git a/includes/mysql.php.sample b/includes/mysql.php.sample
index 1f477e4..ff5cfc3 100644
--- a/includes/mysql.php.sample
+++ b/includes/mysql.php.sample
@@ -55,11 +55,11 @@
$InputBuffer = fgets($smtp, 1024);
fputs($smtp, "HELO www.cacert.org\r\n");
$InputBuffer = fgets($smtp, 1024);
- fputs($smtp, "MAIL FROM: <returns@cacert.org>\r\n");
+ fputs($smtp, "MAIL FROM:<returns@cacert.org>\r\n");
$InputBuffer = fgets($smtp, 1024);
$bits = explode(",", $to);
foreach($bits as $user)
- fputs($smtp, "RCPT TO: <".trim($user).">\r\n");
+ fputs($smtp, "RCPT TO:<".trim($user).">\r\n");
$InputBuffer = fgets($smtp, 1024);
fputs($smtp, "DATA\r\n");
$InputBuffer = fgets($smtp, 1024);
diff --git a/pages/index/16.php b/pages/index/16.php
index ad493f2..c2cb391 100755..100644
--- a/pages/index/16.php
+++ b/pages/index/16.php
@@ -35,8 +35,12 @@ Class 3 <?=_("PKI Key")?><br>
<a href="certs/class3.der"><?=_("Intermediate Certificate (DER Format)")?></a><br/>
<a href="certs/class3.txt"><?=_("Intermediate Certificate (Text Format)")?></a><br/>
<a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a><br/>
-<?=_("Fingerprint")?> SHA1: DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D<br/>
-<?=_("Fingerprint")?> MD5: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6<br/>
+<?php /*
+ class3 subroot fingerprint updated: 2011-05-23 class3 Re-sign project
+ https://wiki.cacert.org/Roots/Class3ResignProcedure/Migration
+*/ ?>
+<?=_("Fingerprint")?> SHA1: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE<br/>
+<?=_("Fingerprint")?> MD5: F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42<br/>
</p>
<p>
@@ -79,3 +83,10 @@ TG1yj+lkktROGGyn0hJ5SbM=
-----END PGP SIGNATURE-----
</pre>
</p>
+
+<p>
+<? printf(_('An overview over all CA certificates ever issued can be found in '.
+ '%sthe wiki%s.'),
+ '<a href="//wiki.cacert.org/Roots/StateOverview">',
+ '</a>') ?>
+</p>
diff --git a/pages/index/19.php b/pages/index/19.php
index c58eb68..b44960d 100644
--- a/pages/index/19.php
+++ b/pages/index/19.php
@@ -15,90 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
-<span style="background-color: #FF8080; font-size: 150%">
-Note that the <strong>TTP</strong> programme is effectively <strong>Frozen</strong><br>
-Until a subsidiary policy under AP is written, it is against AP rules.<br>
-</span>
-&nbsp;<br>
-<h3><?=_("Information")?></h3>
-<table border="0" align="center" cellspacing="0" cellpadding="0">
- <tr>
- <td class="title" colspan="2"><?=_("What can CAcert provide to you, to increase your privacy and security for free?")?></td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Client certificates (un-assured)")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("You can send digitally signed/encrypted emails; others can send encrypted emails to you.")?><br /><br />
- <u><?=_("Limitations")?>:</u> <?=_("Certificates expire in 6 months. Only the email address itself can be entered into the certificate (not your full name)")?>.<br /><br />
- <u><?=_("Verification needed")?>:</u> <?=_("You must confirm it is your email address by responding to a 'ping' email sent to it.")?><br /><br />
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Assured client certificates")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("Same as above plus you can include your full name in the certificates.")?><br /><br />
- <u><?=_("Limitations")?>:</u> <?=_("Certificates expire in 24 months.")?><br /><br />
- <u><?=_("Verification needed")?>:</u> <?=_("Same as above, plus you must get a minimum of 50 assurance points by meeting with one or more assurers from the CAcert Web of Trust, who verify your identity using your government issued photo identity documents.")?><br /><br />
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Code signing certificates")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("Digitally sign code, web applets, installers, etc. including your name and location in the certificates.")?><br><br>
- <u><?=_("Limitations")?>:</u> <?=sprintf(_("Certificates expire in 12 months. Certificates %s must%s include your full name."),"<u>","</u>")?><br /><br />
- <u><?=_("Verification needed")?>:</u> <?=_("Same as above plus get 100 assurance points by meeting with multiple assurers from the CAcert Web of Trust, who verify your identity using your government issued photo identity documents.")?><br><br>
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Server certificates (un-assured)")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("Enable encrypted data transfer for users accessing your web, email, or other SSL enabled service on your server; wildcard certificates are allowed.")?><br><br>
- <u><?=_("Limitations")?>:</u> <?=_("Certificates expire in 6 months; only the domain name itself can be entered into the certificates (not your full name, company name, location, etc.).")?><br><br>
- <u><?=_("Verification needed")?>:</u> <?=_("You must confirm that you are the owner (or authorized administrator) of the domain by responding to a 'ping' email sent to either the email address listed in the whois record, or one of the RFC-mandatory addresses (hostmaster/postmaster/etc).")?><br><br>
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Assured server certificates")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("Same as above.")?><br><br>
- <u><?=_("Limitations")?>:</u> <?=_("Same as above, except certificates expire in 24 months.")?><br><br>
- <u><?=_("Verification needed")?>:</u> <?=_("Same as above, plus get 50 assurance points by meeting with assurer(s) from the CAcert Web of Trust, who verify your identity using your government issued photo identity documents.")?><br><br>
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Become an assurer in CAcert Web of Trust")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("The ability to assure other new CAcert users; contribute to the strengthening and broadening of the CAcert Web of Trust.")?><br><br>
- <u><?=_("Limitations")?>:</u> <?=_("The number of assurance point you have will limit the maximum assurance points you can issue for people you assure.")?><br><br>
- <u><?=_("Verification needed")?>:</u> <?=_("You will need to be issued 100 points by meeting with existing assurers from the CAcert Web of Trust, who verify your identity using your government issued photo identity documents; OR if it is too difficult to meet up with existing assurers in your area, meet with two Trusted Third Party assurers (notary public, justice of the peace, lawyer, bank manager, accountant) to do the verifying.")?><br><br>
- </td>
- </tr>
- <tr>
- <td class="DataTD">
- <h4><?=_("Become a member of the CAcert Association")?></h4>
- </td>
- <td class="DataTD">
- <u><?=_("Benefits")?>:</u> <?=_("You get a vote in how CAcert (a non-profit association incorporated in Australia) is run; be eligible for positions on the CAcert board.")?><br><br>
- <u><?=_("Limitations")?>:</u> <?=_("None, the sky is the limit for CAcert.")?><br><br>
- <u><?=_("Verification needed")?>:</u> <?=_("None; $10 USD per year membership fee.")?><br><br>
- </td>
- </tr>
- <tr>
- <td class="DataTD" colspan="2">
- (*) <?=_("Please note a general limitation is that, unlike long-time players like Verisign, CAcert's root certificate is not included by default in mainstream browsers, email clients, etc. This means people to whom you send encrypted email, or users who visit your SSL-enabled web server, will first have to import CAcert's root certificate, or they will have to agree to pop-up security warnings (which may look a little scary to non-techy users).")?>
- </td>
- </tr>
-</table>
-<br>
+<p style="background-color: #FF8080; font-size: 150%">
+<?
+printf(_("This page has been moved to the %swiki%s. Please update your ".
+ "bookmarks and report any broken links."),
+ '<a href="//wiki.cacert.org/FAQ/Privileges">', '</a>');
+?>
+</p> \ No newline at end of file
diff --git a/pages/index/3.php b/pages/index/3.php
index ad493f2..c2cb391 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -35,8 +35,12 @@ Class 3 <?=_("PKI Key")?><br>
<a href="certs/class3.der"><?=_("Intermediate Certificate (DER Format)")?></a><br/>
<a href="certs/class3.txt"><?=_("Intermediate Certificate (Text Format)")?></a><br/>
<a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a><br/>
-<?=_("Fingerprint")?> SHA1: DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D<br/>
-<?=_("Fingerprint")?> MD5: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6<br/>
+<?php /*
+ class3 subroot fingerprint updated: 2011-05-23 class3 Re-sign project
+ https://wiki.cacert.org/Roots/Class3ResignProcedure/Migration
+*/ ?>
+<?=_("Fingerprint")?> SHA1: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE<br/>
+<?=_("Fingerprint")?> MD5: F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42<br/>
</p>
<p>
@@ -79,3 +83,10 @@ TG1yj+lkktROGGyn0hJ5SbM=
-----END PGP SIGNATURE-----
</pre>
</p>
+
+<p>
+<? printf(_('An overview over all CA certificates ever issued can be found in '.
+ '%sthe wiki%s.'),
+ '<a href="//wiki.cacert.org/Roots/StateOverview">',
+ '</a>') ?>
+</p>
diff --git a/scripts/31de-lt2011-berlin-email.txt b/scripts/31de-lt2011-berlin-email.txt
new file mode 100644
index 0000000..85b0ff5
--- /dev/null
+++ b/scripts/31de-lt2011-berlin-email.txt
@@ -0,0 +1,20 @@
+Hallo CAcert Assurers,
+
+Der diesjaehrige Linuxtag hat begonnen.
+
+Leider ohne CAcert Teilnahme mit einem leeren Stand ....
+
+Wir suchen noch haenderingend Assurer rund um Berlin die Donnerstag und Freitag noch auf dem Stand aushelfen koennen.
+
+Der Stand ist in bester Lage (Mozilla hatte abgesagt, und wir haben deren Stand bekommen). Der leere Stand wirft natuerlich kein gutes Licht auf CAcert.
+
+Aus dem Grund benoetigen wir jede Hilfe, die wir noch bekommen koennen. Auch wenn es vielleicht nur fuer einen halben Tag ist.
+
+Bis zu 7 Karten koennen wir noch zur Verfuegung stellen, sofern ihr eure Mithilfe angebietet.
+
+Hierzu eine kurze Rueckantwort an events@cacert.org
+
+Vielen Dank fuer Eure Unterstuetzung im Vorraus.
+
+
+Kontakt: events@cacert.org
diff --git a/scripts/31de-lt2011-berlin-mail.php.txt b/scripts/31de-lt2011-berlin-mail.php.txt
new file mode 100644
index 0000000..96a6241
--- /dev/null
+++ b/scripts/31de-lt2011-berlin-mail.php.txt
@@ -0,0 +1,152 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("31de-lt2011-berlin-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 50;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+
+// Software Freedom Day 19. Sept 2009
+// $locid = 715191; // Hamburg
+
+// LISA2009 Baltimore, 1.11.2009
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, United States
+// $city = "Baltimore, MD - Nov. 3rd 2009";
+
+// OpenSourceTreffen-Muenchen, 20.11.2009
+// $locid = 1260319; // Muenchen
+// $city = "Muenchen - 20. Nov 2009";
+
+// BLIT2009, Brandenburger Linux-Infotag, 21.11.2009
+// $locid = 1486658; // Potsdam
+// $eventname = "Brandenburger Linux-Infotag (BLIT2009)";
+// $city = "Potsdam - 21. Nov 2009";
+
+// ATE-Goteborg, 16.12.2009
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $eventname = "ATE-Goteborg";
+// $city = "Goteborg - Dec 16th 2009";
+
+// Assurance Event Mission Hills CA, 15.01.2010
+// $locid = 2094781; // Mission Hills (Los Angeles), California, United States
+// $eventname = "Assurance Event";
+// $city = "Mission Hills CA - Jan 15th 2010";
+
+// Assurance Event OSD Copenhagen DK, 5.03.2010
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $eventname = "Assurance Event OpenSource-Days 2010";
+// $city = "Copenhagen DK - March 5th/6th 2010";
+
+// SCALE 8x Los Angeles, CA, Feb 19-21 2010
+// $locid = 2093625; // Copenhagen, Kobenhavn*, Denmark
+// $eventname = "SCALE 8x 2010";
+// $city = "Los Angeles, CA - February 19-21 2010";
+
+// ATE Sydney, AU, Mar 24 2010
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $eventname = "ATE-Sydney";
+// $city = "March 24, 2010";
+
+// ATE Essen, DE, Sept 28 2010
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Essen";
+// $city = "September 28, 2010";
+
+// ATE Aachen, DE, Oct 4th 2010
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Aachen";
+// $city = "October 4th, 2010";
+
+// ATE Muenchen, DE, Apr 2nd 2011
+// $locid = 1260319; // Muenchen
+// $eventname = "ATE-Muenchen";
+// $city = "2. April, 2011";
+
+
+// Linuxtag, Berlin, May 11, 2011,
+ $locid = 228950; // Berlin
+ $eventname = "Linuxtag Berlin";
+ $city = "11.-14. Mai, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ echo "invitation sent to $xrows recipients.\n";
+?>
diff --git a/scripts/32de-ate-bonn-email.txt b/scripts/32de-ate-bonn-email.txt
new file mode 100644
index 0000000..5c830a6
--- /dev/null
+++ b/scripts/32de-ate-bonn-email.txt
@@ -0,0 +1,38 @@
+Es hat sich viel getan im letzten Jahr. Eine ganze Reihe von bisher eher "muendlich ueberlieferten" Regeln wurden in Policies gegossen. Neue Prozeduren (z.B. die Assurer Challenge) und Verpflichtungen (z.B. in dem CAcert Community Agreement) wurden beschlossen. Die Assurer Training Events wollen versuchen, die ganzen Informationen unter’s Volk zu bringen:
+
+Ein ATE ist eine Veranstaltung zur Qualitaetssicherung des CAcert Web-of-Trusts, denn im Gegensatz zu vielen kommerziellen Zertifikats-Ausstellern findet bei CAcert keine zentralisierte Identitaetsueberpruefung beim Aussteller statt.
+
+Statt dessen gibt es ein Netzwerk aus Freiwilligen (Assurern), gegenueber denen sich ein Interessent (Assuree) ausweisen kann, um sich seine Identitaet bestaetigen zu lassen.
+Diese Bestaetigung ist Voraussetzung dafuer, dass sich der Interessent spaeter Zertifikate generieren lassen kann, die seinen Namen enthalten.
+
+Fuer das Web-of-Trust gibt es ein Regelwerk, CAcert Community Agreement (CCA), Assurance Policy und Assurance Handbook seien beispielhaft genannt.
+
+Das ATE schult die CAcert Assurer ueber Neuerungen im Regelwerk und hilft, Kenntnisse aufzufrischen:
+
+- Was hast du auf dem CAP Formular hinzuzufuegen, wenn du Minderjaehrige ueberpruefst ?
+- Was sind die 2 wesentlichen Punkte der CCA die du einem Assuree vermitteln koennen sollst ?
+- Unter welchen Umstaenden koennen z.Bsp. niederlaendische Rufnamen akzeptiert werden?
+
+Antworten auf diese und weitere Fragen erhaelst du bei den Assurer Training Events (ATEs).
+
+Darueberhinaus wird beim ATE der Vorgang der Identitaetsueberpruefung trainiert und auditiert, um die Qualitaet der Assurances in der taeglichen Praxis zu erfassen. Dabei gilt es moegliche Fehler und Fallstricke zu erkennen und aufzudecken. Die Assurer haben also die Moeglichkeit, sich mit den Fehlern auseinanderzusetzen und zu erfahren, wie diese vermieden werden koennen.
+
+As IanG said: The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and include parts which contribute directly to our audit. Come and find out how you can also contribute.
+
+Die kommende Veranstaltung in deiner Naehe findet statt am:
+
+- Mittwoch den 08. Juni 2011
+- in der Zeit von: 19:00 - ca. 22:00 Uhr
+- im Jugendzentrum St. Martin
+- Heilsbachstr. 4
+- 53123 Bonn
+
+Details zum Veranstaltungsort und Anfahrthinweise findet Ihr im
+Wiki [http://wiki.cacert.org/Events/2011-06-08-ATE-Bonn]
+Blog [http://blog.cacert.org/2011/05/514.html]
+
+Teilnehmer Registrierung mit Rueckantwort: 'Ich moechte am ATE-Bonn teilnehmen'
+
+Das Veranstaltungs-Team freut sich schon auf Eure Teilnahme.
+
+Kontakt: events@cacert.org
diff --git a/scripts/32de-ate-bonn-mail.php.txt b/scripts/32de-ate-bonn-mail.php.txt
new file mode 100644
index 0000000..ea8c579
--- /dev/null
+++ b/scripts/32de-ate-bonn-mail.php.txt
@@ -0,0 +1,151 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("32de-ate-bonn-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+
+// Software Freedom Day 19. Sept 2009
+// $locid = 715191; // Hamburg
+
+// LISA2009 Baltimore, 1.11.2009
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, United States
+// $city = "Baltimore, MD - Nov. 3rd 2009";
+
+// OpenSourceTreffen-Muenchen, 20.11.2009
+// $locid = 1260319; // Muenchen
+// $city = "Muenchen - 20. Nov 2009";
+
+// BLIT2009, Brandenburger Linux-Infotag, 21.11.2009
+// $locid = 1486658; // Potsdam
+// $eventname = "Brandenburger Linux-Infotag (BLIT2009)";
+// $city = "Potsdam - 21. Nov 2009";
+
+// ATE-Goteborg, 16.12.2009
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $eventname = "ATE-Goteborg";
+// $city = "Goteborg - Dec 16th 2009";
+
+// Assurance Event Mission Hills CA, 15.01.2010
+// $locid = 2094781; // Mission Hills (Los Angeles), California, United States
+// $eventname = "Assurance Event";
+// $city = "Mission Hills CA - Jan 15th 2010";
+
+// Assurance Event OSD Copenhagen DK, 5.03.2010
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $eventname = "Assurance Event OpenSource-Days 2010";
+// $city = "Copenhagen DK - March 5th/6th 2010";
+
+// SCALE 8x Los Angeles, CA, Feb 19-21 2010
+// $locid = 2093625; // Copenhagen, Kobenhavn*, Denmark
+// $eventname = "SCALE 8x 2010";
+// $city = "Los Angeles, CA - February 19-21 2010";
+
+// ATE Sydney, AU, Mar 24 2010
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $eventname = "ATE-Sydney";
+// $city = "March 24, 2010";
+
+// ATE Essen, DE, Sept 28 2010
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Essen";
+// $city = "September 28, 2010";
+
+// ATE Aachen, DE, Oct 4th 2010
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Aachen";
+// $city = "October 4th, 2010";
+
+// ATE Muenchen, DE, Apr 2nd 2011
+// $locid = 1260319; // Muenchen
+// $eventname = "ATE-Muenchen";
+// $city = "2. April, 2011";
+
+// ATE Bonn, DE, Jun 8th 2011
+ $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+ $eventname = "ATE-Bonn";
+ $city = "8. Juni, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/33us-ate-wdc-email.txt b/scripts/33us-ate-wdc-email.txt
new file mode 100644
index 0000000..6547347
--- /dev/null
+++ b/scripts/33us-ate-wdc-email.txt
@@ -0,0 +1,40 @@
+CAcert Assurer Training Event -- Washington DC / Chantilly
+::::::::::::::::::::::::::::::::::::::::::::::::::
+
+Dear Member of the CAcert Community,
+
+Much has happened during recent years. The old way of orally-transmitted
+procedures has now gone, and our rules have been cast into formal
+policies. New procedures (e.g. the Assurer Challenge) and obligations
+(e.g. in the CAcert Community Agreement) have been approved.
+
+The Assurer Training Events bring all this to you, the Assurer, and the
+Community:
+
+- What do you have to add onto the CAP form if you assure minors ?
+- What are the 2 essential CCA points you have to present an Assuree ?
+- Who can access the Member's privacy information?
+
+Answers to these and many other questions typically faced by Assurers
+are given at the Assurer Training Events (ATEs). Bring your ID for
+assurances. Especially note that Tverify/Thawte people need to boost up
+their Assurance Points.
+
+ATE-WDC takes place at:
+* Saturday, June 18th, 2011
+* Eggspectations Restaurant, Westone Plaza, Chantilly VA.
+* 12:00 - 16:30
+
+For Registration please reply: 'I will attend ATE-Washington'
+
+Don't forget your ID!
+
+We are looking forward to hearing from you.
+
+
+- Best regards from the Event Team!
+
+
+PS: Contact: events@cacert.org
+Location, Transportation and other event details at
+[https://wiki.cacert.org/Events/20110618ATE-WashingtonDC]
diff --git a/scripts/33us-ate-wdc-mail.php.txt b/scripts/33us-ate-wdc-mail.php.txt
new file mode 100644
index 0000000..117fadb
--- /dev/null
+++ b/scripts/33us-ate-wdc-mail.php.txt
@@ -0,0 +1,108 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("33us-ate-wdc-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, US
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, US
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+
+// ATE Bonn, DE, Jun 8th 2011
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Bonn";
+// $city = "8. Juni, 2011";
+
+// ATE Washington DC, US, Jun 18th 2011
+ $locid = 2102723; // Washington (District of Columbia, ..., US
+ $eventname = "ATE-Washington-DC";
+ $city = "June 18th, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/34us-ate-wdc-email.txt b/scripts/34us-ate-wdc-email.txt
new file mode 100644
index 0000000..7735ed8
--- /dev/null
+++ b/scripts/34us-ate-wdc-email.txt
@@ -0,0 +1,21 @@
+Dear Member of the CAcert Community,
+
+Just a quick final reminder that we will hold an ATE - Assurer Training Event - in Chantilly, VA this coming Saturday, 12:00.
+
+It's a lunch time event in a private room, so come hungry to the Eggspectations Restaurant in Westone Plaza.
+
+Assurers and prospective Assurers are the intended audience. We also invite those who just want the chance to get assured. (Note that old Tverify / Thawte points are gone, and if you haven't done our fabulously entertaining *Assurer Challenge* you are not an Assurer anymore.)
+
+Bring your ID documents and some CAP forms!
+
+- Best regards from the Event Team!
+
+ATE-WDC takes place at:
+* Saturday, June 18th, 2011
+* Eggspectations Restaurant, Westone Plaza, Chantilly VA.
+* 12:00 - 16:30
+* more: [http://wiki.cacert.org/Events/20110618ATE-WashingtonDC]
+
+For Registration please reply: 'I will attend ATE-Washington'
+
+Contact: events@cacert.org
diff --git a/scripts/34us-ate-wdc-mail.php.txt b/scripts/34us-ate-wdc-mail.php.txt
new file mode 100644
index 0000000..6478d45
--- /dev/null
+++ b/scripts/34us-ate-wdc-mail.php.txt
@@ -0,0 +1,108 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("34us-ate-wdc-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, US
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, US
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+
+// ATE Bonn, DE, Jun 8th 2011
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+// $eventname = "ATE-Bonn";
+// $city = "8. Juni, 2011";
+
+// ATE Washington DC, US, Jun 18th 2011
+ $locid = 2102723; // Washington (District of Columbia, ..., US
+ $eventname = "ATE-Washington-DC getting closer";
+ $city = "June 18th, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/35us-ate-ny-email.txt b/scripts/35us-ate-ny-email.txt
new file mode 100644
index 0000000..7ee95bf
--- /dev/null
+++ b/scripts/35us-ate-ny-email.txt
@@ -0,0 +1,22 @@
+Dear Member of the CAcert Community,
+
+We have a possibility to run an Assurer Training Event in New York in the period June 20th to 26. One of our co-auditor-presenters is in Washington DC for the ATE on the 18th, and is willing to make the trip.
+
+ - Can you help? Can you attend?
+
+If you are interested in attending, please reply to this email with "I want to attend an ATE in New York, I prefer XXXXX dates."
+
+*If you can help then please contact us*. We need some combination of these things:
+
+ * on-ground contact person
+ * venue good for everyone to get to, about 3 hours access
+ * accomodation
+
+To read more about our popular tour of ATEs:
+ * https://wiki.cacert.org/ATE
+ * https://wiki.cacert.org/Events/20110618ATE-WashingtonDC
+
+- Best regards from the Event Team!
+
+
+PS: Contact: events@cacert.org
diff --git a/scripts/35us-ate-ny-mail.php.txt b/scripts/35us-ate-ny-mail.php.txt
new file mode 100644
index 0000000..01b2d5d
--- /dev/null
+++ b/scripts/35us-ate-ny-mail.php.txt
@@ -0,0 +1,109 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("35us-ate-ny-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, US
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, US
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+
+// ATE Washington DC, US, Jun 18th 2011
+// $locid = 2102723; // Washington (District of Columbia, ..., US
+// $eventname = "ATE-Washington-DC getting closer";
+// $city = "June 18th, 2011";
+
+// ATE Washington DC, US, Jun 18th 2011
+ $locid = 2177566; // New York (Bronx), New York, United States
+ $eventname = "ATE-New York";
+ $city = "period June 20th to 26, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/36us-ate-ny-email.txt b/scripts/36us-ate-ny-email.txt
new file mode 100644
index 0000000..6cd1ef1
--- /dev/null
+++ b/scripts/36us-ate-ny-email.txt
@@ -0,0 +1,34 @@
+CAcert Assurer Training Event -- New York / Rutgers / Piscataway, NJ
+::::::::::::::::::::::::::::::::::::::::::::::::::
+
+Dear Member of the CAcert Community,
+
+Much has happened during recent years. The old way of orally-transmitted procedures has now gone, and our rules have been cast into formal policies. New procedures (e.g. the Assurer Challenge) and obligations (e.g. in the CAcert Community Agreement) have been approved.
+
+The Assurer Training Events bring all this to you, the Assurer, and the Community:
+
+- What do you have to add onto the CAP form if you assure minors ?
+- What are the 2 essential CCA points you have to present an Assuree ?
+- Who can access the Member's privacy information?
+
+Answers to these and many other questions typically faced by Assurers are given at the Assurer Training Events (ATEs). Bring your ID for assurances. Especially note that Tverify/Thawte people need to boost up their Assurance Points.
+
+ATE-NY takes place at:
+* Monday, June 20th, 2011
+* Rutgers Department of Computer Science, Piscataway, NJ
+* 1pm - 4pm
+
+For Registration please reply: 'I will attend ATE-NY'
+
+Don't forget your ID!
+
+We are looking forward to hearing from you.
+
+
+- Best regards from the Event Team!
+
+
+PS: Contact: events@cacert.org
+Location, Transportation and other event details at
+[https://wiki.cacert.org/Events/20110620ATE-NewYork]
+
diff --git a/scripts/36us-ate-ny-mail.php.txt b/scripts/36us-ate-ny-mail.php.txt
new file mode 100644
index 0000000..1f75bb1
--- /dev/null
+++ b/scripts/36us-ate-ny-mail.php.txt
@@ -0,0 +1,109 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("36us-ate-ny-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, US
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, US
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+
+// ATE Washington DC, US, Jun 18th 2011
+// $locid = 2102723; // Washington (District of Columbia, ..., US
+// $eventname = "ATE-Washington-DC getting closer";
+// $city = "June 18th, 2011";
+
+// ATE Washington DC, US, Jun 18th 2011
+ $locid = 2177566; // New York (Bronx), New York, United States
+ $eventname = "ATE-New York / Rutgers / Piscataway, NJ";
+ $city = "June 20th, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/DumpWeakCerts.pl b/scripts/DumpWeakCerts.pl
new file mode 100755
index 0000000..85648fe
--- /dev/null
+++ b/scripts/DumpWeakCerts.pl
@@ -0,0 +1,179 @@
+#!/usr/bin/perl
+# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
+# and https://wiki.cacert.org/Arbitrations/a20110312.1
+
+use strict;
+use warnings;
+
+use DBI;
+
+my $cacert_db_config;
+my $cacert_db_user;
+my $cacert_db_password;
+
+# Read database access data from the config file
+eval `cat perl_mysql`;
+
+my $dbh = DBI->connect($cacert_db_config, $cacert_db_user, $cacert_db_password, { RaiseError => 1, AutoCommit => 0 } ) || die "Cannot connect database: $DBI::errstr";
+
+my $sth_certs;
+my $sth_userdata;
+
+my $cert_domid;
+my $cert_userid;
+my $cert_orgid;
+my $cert_CN;
+my $cert_expire;
+my $cert_filename;
+my $cert_serial;
+
+my $user_email;
+my $user_firstname;
+
+my $reason;
+
+my @row;
+
+sub IsWeak($) {
+ my ($CertFileName) = @_;
+
+ my $ModulusSize = 0;
+ my $Exponent = 0;
+ my $result = 0;
+
+ # Do key size and exponent checking for RSA keys
+ open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
+ while (<CERTTEXT>) {
+ if (/^ +([^ ]+) Public Key:/) {
+ last if ($1 ne "RSA");
+ }
+ if (/^ +Modulus \((\d+) bit\)/) {
+ $ModulusSize = $1;
+ }
+ if (/^ +Exponent: (\d+)/) {
+ $Exponent = $1;
+ last;
+ }
+ }
+ close(CERTTEXT);
+ if ($ModulusSize > 0 && $Exponent > 0) {
+ if ($ModulusSize < 1024 || $Exponent==3) {
+ $result = "SmallKey";
+ }
+ }
+
+ if (!$result) {
+ # Check with openssl-vulnkey
+ # This is currently not tested, if you don't know what you are doing leave it commented!
+ if (system("openssl-vulnkey -q $CertFileName") != 0) {
+ $result = "openssl-vulnkey";
+ }
+ }
+
+ return $result;
+}
+
+# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
+# Get all domain certificates
+$sth_certs = $dbh->prepare(
+ "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ " FROM `domaincerts` AS `dc` ".
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `domains` AS `d`, `users` AS `u` ".
+ " WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
+
+while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_domid);
+ ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
+ print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all email certificates
+$sth_certs = $dbh->prepare(
+ "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ " FROM `emailcerts` AS `ec` ".
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u` ".
+ " WHERE `u`.`id`=?");
+
+while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_userid);
+ ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
+ print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all Org Server certificates, notify all admins of the Org!
+$sth_certs = $dbh->prepare(
+ "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ " FROM `orgdomaincerts` AS `dc` ".
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u`, `org` ".
+ " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
+
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_orgid);
+ while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
+ print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ }
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all Org Email certificates, notify all admins of the Org!
+$sth_certs = $dbh->prepare(
+ "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ " FROM `orgemailcerts` AS `ec` ".
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u`, `org` ".
+ " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
+
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_orgid);
+ while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
+ print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ }
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+$dbh->disconnect();
diff --git a/scripts/mail-weak-keys.php b/scripts/mail-weak-keys.php
new file mode 100755
index 0000000..95c0e4f
--- /dev/null
+++ b/scripts/mail-weak-keys.php
@@ -0,0 +1,161 @@
+#!/usr/bin/php -q
+<? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
+
+ function SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
+
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Organisation Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Organisation Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Organisation Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
+
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Organisation Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ # Main
+
+ $num_domain = 0;
+ $num_client = 0;
+ $num_orgdomain = 0;
+ $num_orgclient = 0;
+ $action_date = '2011-07-15';
+ $in = fopen("php://stdin", "r");
+ while($in_string = rtrim(fgets($in, 255))) {
+ list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
+
+ if ($cert_type == "DomainCert") {
+ SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_domain++;
+ } else if ($cert_type == "EmailCert") {
+ SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_client++;
+ } else if ($cert_type == "OrgServerCert") {
+ SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgdomain++;
+ } else if ($cert_type == "OrgEmailCert") {
+ SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgclient++;
+ }
+ }
+ fclose($in);
+ echo "Mails sent: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
+?>
diff --git a/scripts/perl_mysql.sample b/scripts/perl_mysql.sample
new file mode 100644
index 0000000..4800289
--- /dev/null
+++ b/scripts/perl_mysql.sample
@@ -0,0 +1,6 @@
+# This file contains the data needed to connect to the database to be
+# used in perl scripts
+
+$cacert_db_config = 'DBI:mysql:database=cacert;host=127.0.0.1';
+$cacert_db_user = 'cacert';
+$cacert_db_password = '<put_password_here>'; \ No newline at end of file
diff --git a/www/api/ccsr.php b/www/api/ccsr.php
index e81c738..a4ec71e 100644
--- a/www/api/ccsr.php
+++ b/www/api/ccsr.php
@@ -59,6 +59,12 @@
$codesign = 1;
$CSR = trim($_REQUEST['optionalCSR']);
+
+ if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
+ {
+ die("403, $weakKey");
+ }
+
$incsr = tempnam("/tmp", "ccsrIn");
$checkedcsr = tempnam("/tmp", "ccsrOut");
$fp = fopen($incsr, "w");
diff --git a/www/cap.html.php b/www/cap.html.php
index c5ae89c..cc3fad6 100644
--- a/www/cap.html.php
+++ b/www/cap.html.php
@@ -16,7 +16,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
loadem("index");
showheader(_("Identity Verification Form (CAP) form"));
- Version: $Id: cap.html.php,v 1.1 2009-03-02 23:09:05 root Exp $
+ Version: $Id: cap.html.php,v 1.2 2011-06-10 18:30:41 wytze Exp $
*/
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">', "\n";
echo '<html>', "\n";
@@ -49,7 +49,7 @@
echo '</tr>', "\n";
echo '<tr>', "\n";
echo ' <td></td>', "\n";
- echo ' <td align="right"><font size=-7>class 3: DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D</font></td>', "\n";
+ echo ' <td align="right"><font size=-7>class 3: AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE</font></td>', "\n";
echo '<tr>', "\n";
echo '</font>', "\n";
echo '</td>', "\n";
diff --git a/www/capnew.php b/www/capnew.php
index 840fcca..3136993 100644
--- a/www/capnew.php
+++ b/www/capnew.php
@@ -17,8 +17,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
-// $Id: capnew.php,v 1.2 2009-03-02 23:09:05 root Exp $
-define('REV', '$Revision: 1.2 $');
+// $Id: capnew.php,v 1.3 2011-06-10 18:30:41 wytze Exp $
+define('REV', '$Revision: 1.3 $');
/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
@@ -313,10 +313,10 @@ define('POLICY','policy/'); // default polciy doc directory
define('EXT','.php'); // default polciy doc extention, should be html
/* finger print CAcert Root Key */ // should obtain this automatically
define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
-define('CLASS3_SHA1','DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D');
+define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
// next two are not used on the form
define('CLASS1_MD5','A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B');
-define('CLASS3_MD5','73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6');
+define('CLASS3_MD5','F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42');
// if on draft provide std message
define('WATERMARK','');
@@ -387,7 +387,7 @@ function utf8_is_ascii_ctrl($str) {
// extend TCPF with custom functions
class CAPPDF extends TCPDF {
- // do cap form version numbering automatically '$Revision: 1.2 $'
+ // do cap form version numbering automatically '$Revision: 1.3 $'
/*public*/ function Version() {
strtok(REV, ' ');
return(strtok(' '));
diff --git a/www/certs/class3.crt b/www/certs/class3.crt
index 35e2689..087ca0e 100644
--- a/www/certs/class3.crt
+++ b/www/certs/class3.crt
@@ -1,35 +1,42 @@
-----BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS
-BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
-cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
-4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
-Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
-0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
-FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
-bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
-SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
-6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
-m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
-eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
-kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
-6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG
-CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc
-aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB
-gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w
-aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6
-tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0
-nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M
-77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV
-Bc/dLq4+gmF78CEQGPZE6lM5+dzQmiDgxrvgu1pPxJnIB721vaLbLmINQjRBvP+L
-ivVRIqqIMADisNS8vmW61QNXeZvo3MhN+FDtkaVSKKKs+zZYPumUK5FQhxvWXtaM
-zPcPEAxSTtAWYeXlCmy/F8dyRlecmPVsYGN6b165Ti/Iubm7aoW8mA3t+T6XhDSU
-rgCvoeXnkm5OvfPi2RSLXNLrAWygF6UtEOucekq9ve7O/e0iQKtwOIj1CodqwqsF
-YMlIBdpTwd5Ed2qz8zw87YC8pjhKKSRf/lk7myV6VmMAZLldpGJ9VzZPrYPvH5JT
-oI53V93lYRE9IwCQTDz6o2CTBKOvNfYOao9PSmCnhQVsRqGP9Md246FZV/dxssRu
-FFxtbUFm3xuTsdQAw+7Lzzw9IYCpX2Nl/N3gX6T0K/CFcUHUZyX7GrGXrtaZghNB
-0m6lG5kngOcLqagA
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----
diff --git a/www/certs/class3.der b/www/certs/class3.der
index cffe3c5..56f8c88 100644
--- a/www/certs/class3.der
+++ b/www/certs/class3.der
Binary files differ
diff --git a/www/certs/class3.txt b/www/certs/class3.txt
index 0b43b04..a77aa14 100644
--- a/www/certs/class3.txt
+++ b/www/certs/class3.txt
@@ -1,12 +1,12 @@
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: md5WithRSAEncryption
+ Serial Number: 672138 (0xa418a)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
- Not Before: Oct 14 07:36:55 2005 GMT
- Not After : Mar 28 07:36:55 2033 GMT
+ Not Before: May 23 17:48:02 2011 GMT
+ Not After : May 20 17:48:02 2021 GMT
Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -49,6 +49,13 @@ Certificate:
05:fb:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
+ X509v3 Authority Key Identifier:
+ keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
+ DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
+ serial:00
+
X509v3 Basic Constraints: critical
CA:TRUE
Authority Information Access:
@@ -59,68 +66,79 @@ Certificate:
Policy: 1.3.6.1.4.1.18506
CPS: http://www.CAcert.org/index.php?id=10
- Signature Algorithm: md5WithRSAEncryption
- 7f:08:88:a1:da:1a:50:49:da:89:fb:a1:08:72:f3:8a:f7:1e:
- c4:3a:b4:79:5b:20:30:b1:45:de:c2:5d:d3:65:69:f1:c2:5d:
- 54:54:3c:85:5f:b9:7b:42:91:c2:99:fd:1b:51:9b:ab:46:a5:
- a1:10:53:9e:6d:88:ac:73:6e:2c:33:a6:f0:f4:9e:e0:75:c1:
- 3e:88:45:a9:e1:66:43:fe:56:5a:d1:7a:41:78:f7:40:da:4a:
- 3a:f1:0b:5b:a5:bb:16:06:e6:c2:e7:93:b9:85:4d:97:4f:b1:
- 1e:38:43:80:ef:9b:0d:8c:ef:b8:a7:60:00:87:57:7d:1e:44:
- 1c:cb:23:ef:9b:3c:99:9d:af:b5:29:1c:45:79:16:96:4d:27:
- 6d:f1:1c:6c:c3:c2:55:64:b3:bc:14:e2:f3:a4:1f:1e:32:fc:
- 27:15:05:cf:dd:2e:ae:3e:82:61:7b:f0:21:10:18:f6:44:ea:
- 53:39:f9:dc:d0:9a:20:e0:c6:bb:e0:bb:5a:4f:c4:99:c8:07:
- bd:b5:bd:a2:db:2e:62:0d:42:34:41:bc:ff:8b:8a:f5:51:22:
- aa:88:30:00:e2:b0:d4:bc:be:65:ba:d5:03:57:79:9b:e8:dc:
- c8:4d:f8:50:ed:91:a5:52:28:a2:ac:fb:36:58:3e:e9:94:2b:
- 91:50:87:1b:d6:5e:d6:8c:cc:f7:0f:10:0c:52:4e:d0:16:61:
- e5:e5:0a:6c:bf:17:c7:72:46:57:9c:98:f5:6c:60:63:7a:6f:
- 5e:b9:4e:2f:c8:b9:b9:bb:6a:85:bc:98:0d:ed:f9:3e:97:84:
- 34:94:ae:00:af:a1:e5:e7:92:6e:4e:bd:f3:e2:d9:14:8b:5c:
- d2:eb:01:6c:a0:17:a5:2d:10:eb:9c:7a:4a:bd:bd:ee:ce:fd:
- ed:22:40:ab:70:38:88:f5:0a:87:6a:c2:ab:05:60:c9:48:05:
- da:53:c1:de:44:77:6a:b3:f3:3c:3c:ed:80:bc:a6:38:4a:29:
- 24:5f:fe:59:3b:9b:25:7a:56:63:00:64:b9:5d:a4:62:7d:57:
- 36:4f:ad:83:ef:1f:92:53:a0:8e:77:57:dd:e5:61:11:3d:23:
- 00:90:4c:3c:fa:a3:60:93:04:a3:af:35:f6:0e:6a:8f:4f:4a:
- 60:a7:85:05:6c:46:a1:8f:f4:c7:76:e3:a1:59:57:f7:71:b2:
- c4:6e:14:5c:6d:6d:41:66:df:1b:93:b1:d4:00:c3:ee:cb:cf:
- 3c:3d:21:80:a9:5f:63:65:fc:dd:e0:5f:a4:f4:2b:f0:85:71:
- 41:d4:67:25:fb:1a:b1:97:ae:d6:99:82:13:41:d2:6e:a5:1b:
- 99:27:80:e7:0b:a9:a8:00
+ Netscape CA Policy Url:
+ http://www.CAcert.org/index.php?id=10
+ Netscape Comment:
+ To get your own certificate for FREE, go to http://www.CAcert.org
+ Signature Algorithm: sha256WithRSAEncryption
+ 29:28:85:ae:44:a9:b9:af:a4:79:13:f0:a8:a3:2b:97:60:f3:
+ 5c:ee:e3:2f:c1:f6:e2:66:a0:11:ae:36:37:3a:76:15:04:53:
+ ea:42:f5:f9:ea:c0:15:d8:a6:82:d9:e4:61:ae:72:0b:29:5c:
+ 90:43:e8:41:b2:e1:77:db:02:13:44:78:47:55:af:58:fc:cc:
+ 98:f6:45:b9:d1:20:f8:d8:21:07:fe:6d:aa:73:d4:b3:c6:07:
+ e9:09:85:cc:3b:f2:b6:be:2c:1c:25:d5:71:8c:39:b5:2e:ea:
+ be:18:81:ba:b0:93:b8:0f:e3:e6:d7:26:8c:31:5a:72:03:84:
+ 52:e6:a6:f5:33:22:45:0a:c8:0b:0d:8a:b8:36:6f:90:09:a1:
+ ab:bd:d7:d5:4e:2e:71:a2:d4:ae:fa:a7:54:2b:eb:35:8d:5a:
+ b7:54:88:2f:ee:74:9f:ed:48:16:ca:0d:48:d0:94:d3:ac:a4:
+ a2:f6:24:df:92:e3:bd:eb:43:40:91:6e:1c:18:8e:56:b4:82:
+ 12:f3:a9:93:9f:d4:bc:9c:ad:9c:75:ee:5a:97:1b:95:e7:74:
+ 2d:1c:0f:b0:2c:97:9f:fb:a9:33:39:7a:e7:03:3a:92:8e:22:
+ f6:8c:0d:e4:d9:7e:0d:76:18:f7:01:f9:ef:96:96:a2:55:73:
+ c0:3c:71:b4:1d:1a:56:43:b7:c3:0a:8d:72:fc:e2:10:09:0b:
+ 41:ce:8c:94:a0:f9:03:fd:71:73:4b:8a:57:33:e5:8e:74:7e:
+ 15:01:00:e6:cc:4a:1c:e7:7f:95:19:2d:c5:a5:0c:8b:bb:b5:
+ ed:85:b3:5c:d3:df:b8:b9:f2:ca:c7:0d:01:14:ac:70:58:c5:
+ 8c:8d:33:d4:9d:66:a3:1a:50:95:23:fc:48:e0:06:43:12:d9:
+ cd:a7:86:39:2f:36:72:a3:80:10:e4:e1:f3:d1:cb:5b:1a:c0:
+ e4:80:9a:7c:13:73:06:4f:db:a3:6b:24:0a:ba:b3:1c:bc:4a:
+ 78:bb:e5:e3:75:38:a5:48:a7:a2:1e:af:76:d4:5e:f7:38:86:
+ 56:5a:89:ce:d6:c3:a7:79:b2:52:a0:c6:f1:85:b4:25:8c:f2:
+ 3f:96:b3:10:d9:8d:6c:57:3b:9f:6f:86:3a:18:82:22:36:c8:
+ b0:91:38:db:2a:a1:93:aa:84:3f:f5:27:65:ae:73:d5:c8:d5:
+ d3:77:ea:4b:9d:c7:41:bb:c7:c0:e3:a0:3f:e4:7d:a4:8d:73:
+ e6:12:4b:df:a1:73:73:73:3a:80:e8:d5:cb:8e:2f:cb:ea:13:
+ a7:d6:41:8b:ac:fa:3c:89:d7:24:f5:4e:b4:e0:61:92:b7:f3:
+ 37:98:c4:be:96:a3:b7:8a
-----BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS
-BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
-cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
-4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
-Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
-0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
-FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
-bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
-SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
-6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
-m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
-eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
-kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
-6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG
-CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc
-aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB
-gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w
-aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6
-tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0
-nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M
-77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV
-Bc/dLq4+gmF78CEQGPZE6lM5+dzQmiDgxrvgu1pPxJnIB721vaLbLmINQjRBvP+L
-ivVRIqqIMADisNS8vmW61QNXeZvo3MhN+FDtkaVSKKKs+zZYPumUK5FQhxvWXtaM
-zPcPEAxSTtAWYeXlCmy/F8dyRlecmPVsYGN6b165Ti/Iubm7aoW8mA3t+T6XhDSU
-rgCvoeXnkm5OvfPi2RSLXNLrAWygF6UtEOucekq9ve7O/e0iQKtwOIj1CodqwqsF
-YMlIBdpTwd5Ed2qz8zw87YC8pjhKKSRf/lk7myV6VmMAZLldpGJ9VzZPrYPvH5JT
-oI53V93lYRE9IwCQTDz6o2CTBKOvNfYOao9PSmCnhQVsRqGP9Md246FZV/dxssRu
-FFxtbUFm3xuTsdQAw+7Lzzw9IYCpX2Nl/N3gX6T0K/CFcUHUZyX7GrGXrtaZghNB
-0m6lG5kngOcLqagA
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----
diff --git a/www/coap.html.php b/www/coap.html.php
index 901420e..8c2479c 100644
--- a/www/coap.html.php
+++ b/www/coap.html.php
@@ -14,7 +14,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Version: $Id: coap.html.php,v 1.1 2009-03-02 23:09:05 root Exp $
+ Version: $Id: coap.html.php,v 1.2 2011-06-10 18:30:41 wytze Exp $
*/
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
@@ -61,7 +61,7 @@ table#TAB1 td { border: 0 }
</tr>
<tr>
<td border=0></td>
- <td border=0 align="right"><font size=-7>class 3: DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D</font></td>
+ <td border=0 align="right"><font size=-7>class 3: AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE</font></td>
<tr>
</font>
</td>
diff --git a/www/coapnew.php b/www/coapnew.php
index 301d5c2..c9e4e47 100644
--- a/www/coapnew.php
+++ b/www/coapnew.php
@@ -17,8 +17,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
-// $Id: coapnew.php,v 1.2 2009-03-02 23:09:05 root Exp $
-define('REV', '$Revision: 1.2 $');
+// $Id: coapnew.php,v 1.3 2011-06-10 18:30:42 wytze Exp $
+define('REV', '$Revision: 1.3 $');
/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
@@ -347,11 +347,11 @@ define('CCA', "CAcertCommunityAgreement"); // default policy to print
define('POLICY','policy/'); // default polciy doc directory
define('EXT','.php'); // default polciy doc extention, should be html
/* finger print CAcert Root Key */ // should obtain this automatically
-define("CLASS1_SHA1","135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33");
-define("CLASS3_SHA1","DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D");
+define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
+define('CLASS3_SHA1','AD7C 3F64 FC44 39FE F4E9 0BE8 F47C 6CFA 8AAD FDCE');
// next two are not used on the form
-define("CLASS1_MD5","A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B");
-define("CLASS3_MD5","73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6");
+define('CLASS1_MD5','A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B');
+define('CLASS3_MD5','F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42');
// if on draft provide std message
define('WATERMARK',"");
@@ -422,7 +422,7 @@ function utf8_is_ascii_ctrl($str) {
// extend TCPF with custom functions
class COAPPDF extends TCPDF {
- // do cap form version numbering automatically "$Revision: 1.2 $"
+ // do cap form version numbering automatically "$Revision: 1.3 $"
/*public*/ function Version() {
strtok(REV, " ");
return(strtok(" "));
diff --git a/www/index.php b/www/index.php
index fb215c6..13e8dc6 100644
--- a/www/index.php
+++ b/www/index.php
@@ -627,6 +627,13 @@
if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
$_SESSION['signup']['year'] = "19XX";
+
+ if ($id == 19)
+ {
+ $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
+ $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
+ header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
+ }
showheader(_("Welcome to CAcert.org"));
includeit($id);
diff --git a/www/logos/CAcert-logo-colour-1000.png b/www/logos/CAcert-logo-colour-1000.png
new file mode 100644
index 0000000..a6dd6ac
--- /dev/null
+++ b/www/logos/CAcert-logo-colour-1000.png
Binary files differ
diff --git a/www/logos/CAcert-logo-mono-1000.png b/www/logos/CAcert-logo-mono-1000.png
new file mode 100644
index 0000000..1beeb43
--- /dev/null
+++ b/www/logos/CAcert-logo-mono-1000.png
Binary files differ