From 90dcf899dae9bff3dc9d7e7953e2841dadea178f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Tue, 5 Mar 2013 23:08:48 +0100
Subject: Source code taken from cacert-20130227.tar.bz2

---
 includes/account.php |   1 +
 includes/keygen.php  | 128 +++++++++++
 locale/Makefile      |   3 +-
 pages/account/12.php |   8 +-
 pages/account/17.php | 122 +----------
 pages/account/4.php  | 175 +--------------
 pages/index/4.php    |   8 +-
 www/keygenIE.js      | 609 +++++++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 753 insertions(+), 301 deletions(-)
 create mode 100644 includes/keygen.php
 create mode 100644 www/keygenIE.js

diff --git a/includes/account.php b/includes/account.php
index 8125602..496c7ca 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -422,6 +422,7 @@
 						`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
 						`subject`='".mysql_real_escape_string($csrsubject)."',
 						`codesign`='".$_SESSION['_config']['codesign']."',
+						`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
 						`rootcert`='".$_SESSION['_config']['rootcert']."'";
 			mysql_query($query);
 			$emailid = mysql_insert_id();
diff --git a/includes/keygen.php b/includes/keygen.php
new file mode 100644
index 0000000..09ec7f9
--- /dev/null
+++ b/includes/keygen.php
@@ -0,0 +1,128 @@
+<? /*
+    LibreSSL - CAcert web application
+    Copyright (C) 2004-2011  CAcert Inc.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; version 2 of the License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+if (array_key_exists('HTTP_USER_AGENT',$_SERVER) && strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
+
+	<noscript>
+		<p><?=_('You have to enable JavaScript to generate certificates in the browser.')?></p>
+		<p><?=_('If you don\'t want to do that for any reason, you can use '.
+			'manually created certificate requests instead.')?></p>
+	</noscript>
+
+	<div id="noActiveX" style="color:red">
+		<p><?=_('Could not initialize ActiveX object required for certificate generation.')?></p>
+		<p><?=_('You have to enable ActiveX for this to work. On Windows Vista, Windows 7 and '.
+			'later versions you have to add this website to the list of trusted sites '.
+			'in the internet settings.')?></p>
+		<p><?php
+			printf(_('Go to "Extras -> Internet Options -> Security -> Trusted '.
+				'Websites", click on "Custom Level", set "ActiveX control '.
+				'elements that are not marked as safe initialized on start in '.
+				'scripts" to "Confirm" and click "OK". Now click "Sites", add '.
+				'"%s" and "%s" to your list of trusted sites and make the '.
+				'changes come into effect by clicking "Close" and "OK".'),
+				'https://'.$_SESSION['_config']['normalhostname'],
+				'https://'.$_SESSION['_config']['securehostname'])?>
+		</p>
+	</div>
+
+	<form method="post" style="display:none" action="account.php"
+			id="CertReqForm">
+		<input type="hidden" name="oldid" value="<?=intval($id)?>" />
+		<input type="hidden" id="CSR" name="CSR" />
+		<input type="hidden" name="keytype" value="MS" />
+
+		<p><?=_('Security level')?>:
+			<select id="SecurityLevel">
+				<option value="high" selected="selected"><?=_('High')?></option>
+				<option value="medium"><?=_('Medium')?></option>
+				<option value="custom"><?=_('Custom')?>&hellip;</option>
+			</select>
+		</p>
+
+		<fieldset id="customSettings" style="display:none">
+			<legend><?=_('Custom Parameters')?></legend>
+
+			<p><?=_('Cryptography Provider')?>:
+				<select id="CspProvider"></select>
+			</p>
+			<p><?=_('Algorithm')?>: <select id="algorithm"></select></p>
+			<p><?=_('Keysize')?>:
+				<input id="keySize" type="number" />
+				<?=_('Minimum Size')?>: <span id="keySizeMin"></span>,
+				<?=_('Maximum Size')?>: <span id="keySizeMax"></span>,
+				<?php
+				// TRANSLATORS: this specifies the step between two valid key
+				// sizes. E.g. if the step is 512 and the minimum is 1024 and
+				// the maximum is 2048, then only 1024, 1536 and 2048 bits may
+				// be specified as key size.
+				echo _('Step')?>: <span id="keySizeStep"></span></p>
+			<p style="color:red"><?php
+				printf(_('Please note that RSA key sizes smaller than %d bit '.
+					'will not be accepted by CAcert.'),
+					1024)?>
+			</p>
+		</fieldset>
+
+		<p><input type="submit" id="GenReq" name="GenReq" value="<?=_('Create Certificate')?>" /></p>
+		<p id="generatingKeyNotice" style="display:none">
+			<?=_('Generating your key. Please wait')?>&hellip;</p>
+	</form>
+
+	<!-- Error messages used in the JavaScript. Defined here so they can be
+	translated without passing the JavaScript code through PHP -->
+	<p id="createRequestErrorChooseAlgorithm" style="display:none">
+		<?=_('Could not generate certificate request. Probably you need to '.
+			'choose a different algorithm.')?>
+	</p>
+	<p id="createRequestErrorConfirmDialogue" style="display:none">
+		<?=_('Could not generate certificate request. Please confirm the '.
+			'dialogue if you are asked if you want to generate the key.')?>
+	</p>
+	<p id="createRequestErrorConnectDevice" style="display:none">
+		<?=_('Could not generate certificate request. Please make sure the '.
+			'cryptography device (e.g. the smartcard) is connected.')?>
+	</p>
+	<p id="createRequestError" style="display:none">
+		<?=_('Could not generate certificate request.')?>
+	</p>
+	<p id="invalidKeySizeError" style="display:none">
+		<?=_('You have specified an invalid key size')?>
+	</p>
+	<p id="unsupportedPlatformError" style="display:none">
+		<?=_('Could not initialize the cryptographic module for your '.
+			'platform. Currently we support Microsoft Windows XP, Vista '.
+			'and 7. If you\'re using one of these platforms and see this '.
+			'error message anyway you might have to enable ActiveX as '.
+			'described in the red explanation text and accept loading of '.
+			'the module.')?>
+	</p>
+
+	<script type="text/javascript" src="keygenIE.js"></script>
+
+<? } else { ?>
+	<p>
+		<form method="post" action="account.php">
+			<input type="hidden" name="keytype" value="NS">
+			<?=_("Keysize:")?> <keygen name="SPKAC" challenge="<? $_SESSION['spkac_hash']=make_hash(); echo $_SESSION['spkac_hash']; ?>">
+
+			<input type="submit" name="submit" value="<?=_("Create Certificate Request")?>">
+			<input type="hidden" name="oldid" value="<?=intval($id)?>">
+		</form>
+	</p>
+<? }
diff --git a/locale/Makefile b/locale/Makefile
index 1517066..4215a4f 100644
--- a/locale/Makefile
+++ b/locale/Makefile
@@ -176,7 +176,8 @@ upload.clean: template.clean
 messages.pot: $(GETTEXT_FILES)
 	xgettext --output - --sort-by-file --copyright-holder "CAcert Inc." \
 		--package-name "CAcert" --package-version "$(VERSION)" \
-		--msgid-bugs-address "translations-admin@cacert.org" $^ | \
+		--msgid-bugs-address "translations-admin@cacert.org" \
+		--add-comments=TRANSLATORS $^ | \
 		# replace place holders in the lines before the first msgid\
 		sed '1,/^msgid/ { s/SOME DESCRIPTIVE TITLE/$(DESCRITPION)/; s/YEAR/$(COPYRIGHT_YEAR)/; s/PACKAGE/$(PACKAGE)/ }' \
 		> $@
diff --git a/pages/account/12.php b/pages/account/12.php
index 44926ca..fa8b41a 100644
--- a/pages/account/12.php
+++ b/pages/account/12.php
@@ -36,7 +36,7 @@
 			`domaincerts`.`expire` as `expires`, `revoked` as `revoke`,
 			UNIX_TIMESTAMP(`revoked`) as `revoked`, `CN`, `domaincerts`.`serial`, `domaincerts`.`id` as `id`
 			from `domaincerts`,`domains`
-			where `memid`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 and `domaincerts`.`domid`=`domains`.`id` ";
+			where `memid`='".intval($_SESSION['profile']['id'])."' and `domaincerts`.`domid`=`domains`.`id` ";
 	if($viewall != 1)
 	{
 		$query .= "AND `revoked`=0 AND `renewed`=0 ";
@@ -49,7 +49,7 @@
 	{
 ?>
   <tr>
-    <td colspan="6" class="DataTD"><?=_("No domains are currently listed.")?></td>
+    <td colspan="6" class="DataTD"><?=_("No certificates are currently listed.")?></td>
   </tr>
 <? } else {
 	while($row = mysql_fetch_assoc($res))
@@ -85,8 +85,10 @@
 	    <input type="submit" name="revoke" value="<?=_("Revoke/Delete")?>"></td>
   </tr>
 <? } ?>
+  <tr>
+    <td class="DataTD" colspan="6"><?=_("From here you can delete pending requests, or revoke valid certificates.")?></td>
+  </tr>
 </table>
 <input type="hidden" name="oldid" value="<?=$id?>">
 <input type="hidden" name="csrf" value="<?=make_csrf('srvcerchange')?>" />
 </form>
-<p><?=_("From here you can delete pending requests, or revoke valid certificates.")?></p>
diff --git a/pages/account/17.php b/pages/account/17.php
index 2ba5390..8ac8b65 100644
--- a/pages/account/17.php
+++ b/pages/account/17.php
@@ -14,124 +14,6 @@
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-*/ ?>
-<? if(array_key_exists('HTTP_USER_AGENT',$_SERVER) && strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
-<object classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1" codebase="/xenroll.cab#Version=5,131,3659,0" id="cec">
-<?=_("You must enable ActiveX for this to work.")?>
-</object>
-<form method="post" action="account.php" name="CertReqForm"><p>
-<input type="hidden" name="session" value="UsedXenroll">
-<?=_("Key Strength:")?> <select name="CspProvider"></select>
-<input type="hidden" name="oldid" value="<?=$id?>">
-<INPUT TYPE=HIDDEN NAME="CSR">
-<input type="hidden" name="keytype" value="MS">
-<?=_("'Enhanced Provider' is generally the best option, which has a key size of 1024bit. If you need a bigger key size you will need to use a different browser.")?>
-<input type="submit" name="GenReq" value="Create Certificate"><br>
-</p></form>
-<script type="text/vbscript" language="vbscript">
-<!--
-Function GetProviderList()
-  Dim CspList, cspIndex, ProviderName
-  On Error Resume Next
+*/
 
-  count = 0
-  base = 0
-  enhanced = 0
-  CspList = ""
-  ProviderName = ""
-
-  For ProvType = 0 to 13
-    cspIndex = 0
-    cec.ProviderType = ProvType
-    ProviderName = cec.enumProviders(cspIndex,0)
-
-    while ProviderName <> ""
-     Set oOption = document.createElement("OPTION")
-     oOption.text = ProviderName
-     oOption.value = ProvType
-     Document.CertReqForm.CspProvider.add(oOption)
-     if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
-       base = count
-     end if
-     if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-       enhanced = count
-     end if
-     cspIndex = cspIndex +1
-     ProviderName = ""
-     ProviderName = cec.enumProviders(cspIndex,0)
-     count = count + 1
-   wend
-  Next
-  Document.CertReqForm.CspProvider.selectedIndex = base
-  if enhanced then
-    Document.CertReqForm.CspProvider.selectedIndex = enhanced
-  end if
-End Function
-
-Function CSR(keyflags)
-  CSR = ""
-  szName  = ""
-  cec.HashAlgorithm = "MD5"
-  err.clear
-  On Error Resume Next
-  set options = document.all.CspProvider.options
-  index = options.selectedIndex
-  cec.providerName = options(index).text
-  tmpProviderType = options(index).value
-  cec.providerType = tmpProviderType
-  cec.KeySpec = 2
-  if tmpProviderType < 2 Then
-    cec.KeySpec = 1
-  end if
-  cec.GenKeyFlags = &h04000001 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = &h04000000 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  if cec.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-    if MsgBox("<?=_("The 1024-bit key generation failed. Would you like to try 512 instead?")?>", vbOkCancel)=vbOk Then
-      cec.providerName = "Microsoft Base Cryptographic Provider v1.0"
-    else
-      Exit Function
-    end if
-  end if
-  cec.GenKeyFlags = 1 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = 0
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-End Function
-
-Sub GenReq_OnClick
-  Dim TheForm
-  Set TheForm = Document.CertReqForm
-  err.clear
-  result = CSR(2)
-  if len(result)=0 Then
-    result = MsgBox("Unable to generate PKCS#10.", 0, "Alert")
-    Exit Sub
-  end if
-  TheForm.CSR.Value = result
-  TheForm.Submit
-  Exit Sub
-End Sub
-
-GetProviderList()
--->
-</script>
-<? } else { ?>
-<p>
-<form method="post" action="account.php">
-<input type="hidden" name="keytype" value="NS">
-<?=_("Keysize:")?> <keygen name="SPKAC" challenge="<? $_SESSION['spkac_hash']=make_hash(); echo $_SESSION['spkac_hash']; ?>">
-
-
-<input type="submit" name="submit" value="<?=_("Create Certificate Request")?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
-</form>
-</p>
-<? } ?>
+require_once($_SESSION['_config']['filepath'].'/includes/keygen.php');
diff --git a/pages/account/4.php b/pages/account/4.php
index a4d6597..8ac8b65 100644
--- a/pages/account/4.php
+++ b/pages/account/4.php
@@ -14,177 +14,6 @@
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-*/ ?>
-<? if(array_key_exists('HTTP_USER_AGENT',$_SERVER) && strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
-<object classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1" codebase="/xenroll.cab#Version=5,131,3659,0" id="cec">
-<?=_("You must enable ActiveX for this to work. On Vista you have to add this website to the list of trusted sites in the internet-settings.")?><?=_("Go to Extras->Internet Options->Security->Trusted Websites, click on Custom Level, check ActiveX control elements that are not marked as safe initialized on start in scripts")?>
-</object>
-<form method="post" action="account.php" name="CertReqForm"><p>
-<input type="hidden" name="session" value="UsedXenroll">
-<?=_("Key Strength:")?> <select name="CspProvider"></select>
-<input type="hidden" name="oldid" value="<?=$id?>">
-<INPUT TYPE=HIDDEN NAME="CSR">
-<input type="hidden" name="keytype" value="MS">
-<input type="submit" name="GenReq" value="Create Certificate"><br>
-</p></form>
-<script type="text/vbscript" language="vbscript">
-<!--
-Function GetProviderList()
-  Dim CspList, cspIndex, ProviderName
-  On Error Resume Next
+*/
 
-  count = 0
-  base = 0
-  enhanced = 0
-  CspList = ""
-  ProviderName = ""
-
-  // Vista:
-  Set csps = CreateObject("X509Enrollment.CCspInformations")
-  If IsObject(csps) Then
-    csps.AddAvailableCsps()
-    Document.CertReqForm.keytype.value="VI"
-    For j = 0 to csps.Count-1
-      Set oOption = document.createElement("OPTION")
-      oOption.text = csps.ItemByIndex(j).Name
-      oOption.value = j
-      Document.CertReqForm.CspProvider.add(oOption)
-    Next
-
-  Else
-
-  // 2000,XP:
-
-   For ProvType = 0 to 13
-    cspIndex = 0
-    cec.ProviderType = ProvType
-    ProviderName = cec.enumProviders(cspIndex,0)
-
-    while ProviderName <> ""
-     Set oOption = document.createElement("OPTION")
-     oOption.text = ProviderName
-     oOption.value = ProvType
-     Document.CertReqForm.CspProvider.add(oOption)
-     if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
-       base = count
-     end if
-     if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-       enhanced = count
-     end if
-     cspIndex = cspIndex +1
-     ProviderName = ""
-     ProviderName = cec.enumProviders(cspIndex,0)
-     count = count + 1
-    wend
-   Next
-   Document.CertReqForm.CspProvider.selectedIndex = base
-   if enhanced then
-    Document.CertReqForm.CspProvider.selectedIndex = enhanced
-   end if
-  End If
-End Function
-
-Function CSR(keyflags)
-  CSR = ""
-  szName  = ""
-
-
-  // Vista
-  if Document.CertReqForm.keytype.value="VI" Then
-
-    Dim g_objClassFactory
-    Dim obj
-    Dim objPrivateKey
-    Dim g_objRequest
-    Dim g_objRequestCMC
-  
-    Set g_objClassFactory=CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
-    Set obj=g_objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
-    Set objPrivateKey=g_objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
-    Set objRequest=g_objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
-    //Msgbox     exit function
-    objPrivateKey.ProviderName = Document.CertReqForm.CspProvider(Document.CertReqForm.CspProvider.selectedIndex).text
-    // "Microsoft Enhanced RSA and AES Cryptographic Provider"
-    objPrivateKey.ProviderType = "24"
-    objPrivateKey.KeySpec = "1"
-    objPrivateKey.ExportPolicy = 1
-    objRequest.InitializeFromPrivateKey 1, objPrivateKey, ""
-    Set objDN = g_objClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
-    objDN.Encode("CN=CAcertRequest")
-    objRequest.Subject = objDN
-
-    //  obj.Initialize(1)
-    obj.InitializeFromRequest(objRequest)
-    obj.CertificateDescription="Description"
-    obj.CertificateFriendlyName="FriendlyName"
-    CSR=obj.CreateRequest(1)
-    If len(CSR)<>0 Then Exit Function
-    Msgbox "<?=_("Error while generating the certificate-request. Please make sure that you have added this website to the list of trusted sites in the Internet-Options menu!")?>"
-
-  else
-  // XP
-
-  cec.HashAlgorithm = "MD5"
-  err.clear
-  On Error Resume Next
-  set options = document.all.CspProvider.options
-  index = options.selectedIndex
-  cec.providerName = options(index).text
-  tmpProviderType = options(index).value
-  cec.providerType = tmpProviderType
-  cec.KeySpec = 2
-  if tmpProviderType < 2 Then
-    cec.KeySpec = 1
-  end if
-  cec.GenKeyFlags = &h04000001 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = &h04000000 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  if cec.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-    if MsgBox("<?=_("The 1024-bit key generation failed. Would you like to try 512 instead?")?>", vbOkCancel)=vbOk Then
-      cec.providerName = "Microsoft Base Cryptographic Provider v1.0"
-    else
-      Exit Function
-    end if
-  end if
-  cec.GenKeyFlags = 1 OR keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = keyflags
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  if len(CSR)<>0 then Exit Function
-  cec.GenKeyFlags = 0
-  CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  End if
-End Function
-
-Sub GenReq_OnClick
-  Dim TheForm
-  Set TheForm = Document.CertReqForm
-  err.clear
-  result = CSR(2)
-  if len(result)=0 Then
-    result = MsgBox("Unable to generate PKCS#10.", 0, "Alert")
-    Exit Sub
-  end if
-  TheForm.CSR.Value = result
-  TheForm.Submit
-  Exit Sub
-End Sub
-
-GetProviderList()
--->
-</script>
-<? } else { ?>
-<p>
-<form method="post" action="account.php">
-<input type="hidden" name="keytype" value="NS">
-<?=_("Keysize:")?> <keygen name="SPKAC" challenge="<? $_SESSION['spkac_hash']=make_hash(); echo $_SESSION['spkac_hash']; ?>">
-
-<input type="submit" name="submit" value="<?=_("Create Certificate Request")?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
-</form>
-</p>
-<? } ?>
+require_once($_SESSION['_config']['filepath'].'/includes/keygen.php');
diff --git a/pages/index/4.php b/pages/index/4.php
index ffbfe26..9eb90af 100644
--- a/pages/index/4.php
+++ b/pages/index/4.php
@@ -29,7 +29,7 @@
 <? } else { ?>
 <style>
 .box2 {width:100%;text-align:center;}
-.box {background:#F5F7F7;border:2px solid #cccccc;margin:0px auto;height:250px;width:300px;padding:1em;}
+.box {background:#F5F7F7;border:2px solid #cccccc;margin:0px auto;height:auto;width:300px;padding:1em;}
 .smalltext {font-size:10px;}
 label {width:100px;display:block;float:left;}
 text {width:166px;display:block;float:left;}
@@ -45,15 +45,15 @@ h1 {font-size:1.9em;text-align:center;}
 <label for="email"><?=_("Email Address")?>:</label><input type='text' name="email" value="<?=sanitizeHTML(array_key_exists("email",$_REQUEST)?$_REQUEST['email']:"")?>" <? if(array_key_exists('notauto',$_REQUEST) && $_REQUEST['noauto'] == 1) echo " autocomplete='off'"; ?>/><br />
 <label for="pword"><?=_("Pass Phrase")?>:</label><input type='password' name='pword' autocomplete="off"/><br />
 <input type='submit' name="process" value="<?=_("Login")?>" /><br /><br />
-<a href='https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=4'><?=_("Password Login")?></a> - 
-<a href='https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=5'><?=_("Lost Password")?></a> - 
+<a href='https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=4'><?=_("Password Login")?></a> -
+<a href='https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=5'><?=_("Lost Password")?></a> -
 <a href='https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=4&amp;noauto=1'><?=_("Net Cafe Login")?></a><br />
 <p class='smalltext'><?=sprintf(_("If you are having trouble with your username or password, please visit our %swiki page%s for more information"), "<a href='http://wiki.cacert.org/wiki/FAQ/LostPasswordOrAccount' target='_new'>", "</a>");?></p>
 <input type="hidden" name="oldid" value="<?=$id?>">
 </form>
 </div>
 </div>
-<? } 
+<? }
 if(array_key_exists("oldlocation",$_SESSION['_config']) && $_SESSION['_config']['oldlocation']!="")
 {
   echo "<br/><center>"._("If you want to use certificate login instead of username+password, please")." <a href='https://secure.cacert.org/".sanitizeHTML($_SESSION['_config']['oldlocation'])."'>"._("click here")."</a></center>";
diff --git a/www/keygenIE.js b/www/keygenIE.js
new file mode 100644
index 0000000..be2d184
--- /dev/null
+++ b/www/keygenIE.js
@@ -0,0 +1,609 @@
+/*
+LibreSSL - CAcert web application
+Copyright (C) 2004-2012  CAcert Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+var CAcert_keygen_IE = function () {
+
+	/// Makes a new DOM text node
+	var textnode = function (text) {
+		return document.createTextNode(text);
+	}
+
+	/// makes a new <p> element
+	var paragraph = function (text) {
+		var paragraph = document.createElement("p");
+		paragraph.appendChild(textnode(text));
+		return paragraph;
+	}
+
+	/// makes a new <pre> elemtent
+	var pre = function (text) {
+		var pre = document.createElement("pre");
+		pre.appendChild(textnode(text));
+		return pre;
+	}
+
+	/// makes a new <option> element
+	var option = function (text, value) {
+		var option = document.createElement("option");
+		if (value !== undefined) {
+			option.setAttribute("value", value);
+		}
+		option.appendChild(textnode(text));
+		return option;
+	}
+
+	/// Removes all child nodes from the element
+	var removeChildren = function (element) {
+		element.innerHTML = "";
+	}
+
+	/// Show error message to user from exception
+	var showError = function (message, exception) {
+		window.alert(
+			message +
+			"\n\nError: " + exception.message +
+			" (0x" + (0xFFFFFFFF + exception.number + 1).toString(16) +
+			" / " + exception.number + ")"
+			);
+	}
+
+	// Get important elements from the DOM
+	var form = document.getElementById("CertReqForm");
+	var securityLevel = document.getElementById("SecurityLevel");
+	var customSettings = document.getElementById("customSettings");
+	var provider = document.getElementById("CspProvider");
+	var algorithm = document.getElementById("algorithm");
+	var algorithmParagraph = document.getElementById("algorithmParagraph");
+	var keySize = document.getElementById("keySize");
+	var keySizeMin = document.getElementById("keySizeMin");
+	var keySizeMax = document.getElementById("keySizeMax");
+	var keySizeStep = document.getElementById("keySizeStep");
+	var genReq = document.getElementById("GenReq");
+	var csr = document.getElementById("CSR");
+	var noActiveX = document.getElementById("noActiveX");
+	var generatingKeyNotice = document.getElementById("generatingKeyNotice");
+	var createRequestErrorChooseAlgorithm = document.getElementById("createRequestErrorChooseAlgorithm");
+	var createRequestErrorConfirmDialogue = document.getElementById("createRequestErrorConfirmDialogue");
+	var createRequestErrorConnectDevice = document.getElementById("createRequestErrorConnectDevice");
+	var createRequestError = document.getElementById("createRequestError");
+	var invalidKeySizeError = document.getElementById("invalidKeySizeError");
+	var unsupportedPlatformError = document.getElementById("unsupportedPlatformError");
+
+	/// Initialise the CertEnroll code (Vista and higher)
+	/// returns false if initialisation fails
+	var initCertEnroll = function () {
+		var factory = null;
+		var providerList = null;
+		var cspStats = null;
+
+		// Try to initialise the ActiveX element. Requires permissions by the user
+		try {
+			factory = new ActiveXObject("X509Enrollment.CX509EnrollmentWebClassFactory");
+			if (!factory) {
+				throw {
+					name: "NoObjectError",
+					message: "Got null at object creation"
+					};
+			}
+
+			// also try to create a useless object here so the library gets
+			// initialised and we don't need to check everytime later
+			factory.CreateObject("X509Enrollment.CObjectId");
+
+			form.style.display = "";
+			noActiveX.style.display = "none";
+		} catch (e) {
+			return false;
+		}
+
+		/// Get the selected provider
+		var getProvider = function () {
+			var providerIndex = provider.options[provider.selectedIndex].value;
+			return providerList.ItemByIndex(providerIndex);
+		}
+
+		/// Get the selected algorithm
+		var getAlgorithm = function () {
+			var algorithmIndex = algorithm.options[algorithm.selectedIndex].value;
+			return alg = cspStats.ItemByIndex(algorithmIndex).CspAlgorithm;
+		}
+
+		/// Get the selected key size
+		var getKeySize = function () {
+			var alg = getAlgorithm();
+
+			var bits = parseInt(keySize.value, 10);
+			if (
+				(bits < alg.MinLength) ||
+				(bits > alg.MaxLength) ||
+				(
+					alg.IncrementLength &&
+					((bits - alg.MinLength) % alg.IncrementLength !== 0)
+				)
+			) {
+				return false;
+			}
+
+			return bits;
+		}
+
+		/// Fill the key size list
+		var getKeySizeList = function () {
+			if (!cspStats) {
+				return false;
+			}
+
+			var alg = getAlgorithm();
+
+			// HTML5 attributes
+			keySize.setAttribute("min", alg.MinLength);
+			keySize.setAttribute("max", alg.MaxLength);
+			keySize.setAttribute("step", alg.IncrementLength);
+			keySize.setAttribute("value", alg.DefaultLength);
+			keySize.value = ""+alg.DefaultLength;
+
+			// ugly, but buggy otherwise if done with text nodes
+			keySizeMin.innerHTML = alg.MinLength;
+			keySizeMax.innerHTML = alg.MaxLength;
+			keySizeStep.innerHTML = alg.IncrementLength;
+
+			return true;
+		}
+
+		/// Fill the algorithm list
+		var getAlgorithmList = function () {
+			var i;
+			
+			if (!providerList) {
+				return false;
+			}
+
+			var csp = getProvider();
+
+			cspStats = providerList.GetCspStatusesFromOperations(
+				0x1c, //XCN_NCRYPT_ANY_ASYMMETRIC_OPERATION
+				//0x10, //XCN_NCRYPT_SIGNATURE_OPERATION
+				//0x8, //XCN_NCRYPT_SECRET_AGREEMENT_OPERATION
+				//0x4, //XCN_NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION
+				csp
+				);
+
+			removeChildren(algorithm);
+			for (i = 0; i < cspStats.Count; i++) {
+				var alg = cspStats.ItemByIndex(i).CspAlgorithm;
+				algorithm.appendChild(option(alg.Name, i));
+			}
+
+			return getKeySizeList();
+		}
+
+		/// Fill the crypto provider list
+		var getProviderList = function () {
+			var i;
+			
+			var csps = factory.CreateObject("X509Enrollment.CCspInformations");
+
+			// Get provider information
+			csps.AddAvailableCsps();
+
+			removeChildren(provider);
+
+			for (i = 0; i < csps.Count; i++) {
+				var csp = csps.ItemByIndex(i);
+				provider.appendChild(option(csp.Name, i));
+			}
+
+			providerList = csps;
+
+			return getAlgorithmList();
+		}
+
+		/// Generate a key and create and submit the actual CSR
+		var createCSR = function () {
+			var providerName, algorithmOid, bits;
+
+			var level = securityLevel.options[securityLevel.selectedIndex];
+			if (level.value === "custom") {
+				providerName = getProvider().Name;
+				var alg = getAlgorithm();
+				algorithmOid = alg.GetAlgorithmOid(0, 0)
+				bits = getKeySize();
+				if (!bits) {
+					window.alert(invalidKeySizeError.innerHTML);
+					return false;
+				}
+			} else {
+				providerName = "Microsoft Software Key Storage Provider";
+
+				algorithmOid = factory.CreateObject("X509Enrollment.CObjectId");
+				algorithmOid.InitializeFromValue("1.2.840.113549.1.1.1"); // RSA
+				// "1.2.840.10040.4.1" == DSA
+				// "1.2.840.10046.2.1" == DH
+
+				if (level.value === "high") {
+					bits = 4096;
+				} else { // medium
+					bits = 2048;
+				}
+			}
+
+			var privateKey = factory.CreateObject("X509Enrollment.CX509PrivateKey");
+			privateKey.ProviderName = providerName;
+			privateKey.Algorithm = algorithmOid;
+			privateKey.Length = bits;
+			privateKey.KeyUsage = 0xffffff; // XCN_NCRYPT_ALLOW_ALL_USAGES
+
+			var request = factory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
+			request.InitializeFromPrivateKey(
+				1, // ContextUser
+				privateKey,
+				"" // don't use a template
+				);
+
+			var enroll = factory.CreateObject("X509Enrollment.CX509Enrollment");
+			enroll.InitializeFromRequest(request);
+
+			generatingKeyNotice.style.display = "";
+
+			// The request needs to be created after we return so the "please wait"
+			// message gets rendered
+			var createCSRHandler = function () {
+				try {
+					csr.value = enroll.CreateRequest(0x1); //XCN_CRYPT_STRING_BASE64
+					form.submit();
+				} catch (e) {
+					showError(createRequestErrorChooseAlgorithm.innerHTML, e);
+				}
+
+				generatingKeyNotice.style.display = "none";
+			}
+
+			window.setTimeout(createCSRHandler, 0);
+
+			// Always return false, form is submitted by deferred method
+			return false;
+		}
+
+		/// Call if securityLevel has changed
+		var refreshSecurityLevel = function () {
+			var level = securityLevel.options[securityLevel.selectedIndex];
+			if (level.value === "custom") {
+				getProviderList();
+				customSettings.style.display = "";
+			} else {
+				customSettings.style.display = "none";
+			}
+		}
+
+		securityLevel.onchange = refreshSecurityLevel;
+		provider.onchange = getAlgorithmList;
+		algorithm.onchange = getKeySizeList;
+		genReq.onclick = createCSR;
+
+		return true;
+	} // end of initCertEnroll()
+
+	/// Initialise Xenroll code (XP and lower)
+	/// returns false if initialisation fails
+	var initXEnroll = function () {
+		cenroll = null;
+
+		providerTypes = Array(
+				 1, //PROV_RSA_FULL
+				 2, //PROV_RSA_SIG
+				 3, //PROV_DSS
+				 4, //PROV_FORTEZZA
+				 5, //PROV_MS_EXCHANGE
+				 6, //PROV_SSL
+				12, //PROV_RSA_SCHANNEL
+				13, //PROV_DSS_DH
+				14, //PROV_EC_ECDSA_SIG
+				15, //PROV_EC_ECNRA_SIG
+				16, //PROV_EC_ECDSA_FULL
+				17, //PROV_EC_ECNRA_FULL
+				18, //PROV_DH_SCHANNEL
+				20, //PROV_SPYRUS_LYNKS
+				21, //PROV_RNG
+				22, //PROV_INTEL_SEC
+				23, //PROV_REPLACE_OWF
+				24  //PROV_RSA_AES
+			);
+
+		algClasses = Array(
+			1 << 13, //ALG_CLASS_SIGNATURE
+			//2 << 13, //ALG_CLASS_MSG_ENCRYPT
+			//3 << 13, //ALG_CLASS_DATA_ENCRYPT
+			//4 << 13, //ALG_CLASS_HASH
+			5 << 13  //ALG_CLASS_KEY_EXCHANGE
+			);
+
+		// Try to initialise the ActiveX element.
+		try {
+			cenroll = new ActiveXObject("CEnroll.CEnroll");
+
+			if (!cenroll) {
+				throw {
+					name: "NoObjectError",
+					message: "Got null at object creation"
+				};
+			}
+
+			form.style.display = "";
+			algorithm.disabled = true;
+			noActiveX.style.display = "none";
+		} catch (e) {
+			return false;
+		}
+
+		/// Get the name of the selected provider
+		var getProviderName = function () {
+			return provider.options[provider.selectedIndex].text;
+		}
+
+		/// Get the type of the selected provider
+		var getProviderType = function () {
+			return parseInt(provider.options[provider.selectedIndex].value, 10);
+		}
+
+		var refreshProvider = function () {
+			cenroll.ProviderName = getProviderName();
+			cenroll.ProviderType = getProviderType();
+		}
+
+		/// Get the ID of the selected algorithm
+		var getAlgorithmId = function () {
+			return parseInt(algorithm.options[algorithm.selectedIndex].value, 10);
+		}
+
+		/// Minimum bit length for exchange keys
+		var getMinExKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLen(true, true);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Maximum bit length for exchange keys
+		var getMaxExKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLen(false, true);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Step size for exchange keys
+		/// This might not be available on older platforms
+		var getStepExKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLenEx(3, 1);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Minimum bit length for signature keys
+		var getMinSigKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLen(true, false);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Maximum bit length for signature keys
+		var getMaxSigKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLen(false, false);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Step size for signature keys
+		/// This might not be available on older platforms
+		var getStepSigKeyLength = function () {
+			refreshProvider();
+
+			try {
+				return cenroll.GetKeyLenEx(3, 2);
+			} catch (e) {
+				return false;
+			}
+		}
+
+		/// Get the selected key size
+		var getKeySize = function () {
+			var bits = parseInt(keySize.value, 10);
+			if (
+				(bits < getMinSigKeyLength()) ||
+				(bits > getMaxSigKeyLength()) ||
+				(
+					getStepSigKeyLength() &&
+					((bits - getMinSigKeyLength()) % getStepSigKeyLength() !== 0)
+				)
+			) {
+				return false;
+			}
+
+			return bits;
+		}
+
+		var getKeySizeLimits = function () {
+			// HTML5 attributes
+			keySize.setAttribute("min", getMinSigKeyLength());
+			keySize.setAttribute("max", getMaxSigKeyLength());
+			if (getStepSigKeyLength()) {
+				keySize.setAttribute("step", getStepSigKeyLength());
+			}
+
+			// ugly, but buggy otherwise if done with text nodes
+			keySizeMin.innerHTML = getMinSigKeyLength();
+			keySizeMax.innerHTML = getMaxSigKeyLength();
+			keySizeStep.innerHTML = getStepSigKeyLength();
+
+			if (getMinSigKeyLength() === getMaxSigKeyLength()) {
+				keySize.value = getMaxSigKeyLength();
+			}
+
+			return true;
+		}
+
+		/// Fill the algorithm selection box
+		var getAlgorithmList = function () {
+			var i, j;
+			
+			refreshProvider();
+
+			removeChildren(algorithm);
+
+			for (i = 0; i < algClasses.length; ++i) {
+				for (j = 0; true; ++j) {
+					try {
+						var algId = cenroll.EnumAlgs(j, algClasses[i]);
+						var algName = cenroll.GetAlgName(algId);
+						algorithm.appendChild(option(algName, algId));
+					} catch (e) {
+						break;
+					}
+				}
+			}
+
+			getKeySizeLimits();
+		}
+
+		/// Fill the provider selection box
+		var getProviderList = function () {
+			var i, j;
+			
+			removeChildren(provider);
+
+			for (i = 0; i < providerTypes.length; ++i) {
+				cenroll.providerType = providerTypes[i];
+
+				var providerName = "invalid";
+				for (j = 0; true; ++j) {
+					try {
+						providerName = cenroll.enumProviders(j, 0);
+						provider.appendChild(option(providerName, providerTypes[i]));
+					} catch (e) {
+						break;
+					}
+				}
+			}
+
+			return getAlgorithmList();
+		}
+
+		var createCSR = function () {
+			var providerName, bits;
+
+			var level = securityLevel.options[securityLevel.selectedIndex];
+			if (level.value === "custom") {
+				refreshProvider();
+
+				bits = getKeySize();
+				if (bits === false) {
+					window.alert(invalidKeySizeError.innerHTML);
+					return false;
+				}
+			} else {
+				cenroll.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
+				cenroll.ProviderType = 1; //PROV_RSA_FULL
+
+				if (level.value === "high") {
+					bits = 4096;
+				} else { // medium
+					bits = 2048;
+				}
+			}
+
+			cenroll.GenKeyFlags = bits << 16; // keysize is encoded in the uper 16 bits
+			//cenroll.GenKeyFlags = cenroll.GenKeyFlags | 0x1; //CRYPT_EXPORTABLE
+
+			generatingKeyNotice.style.display = "";
+
+			// The request needs to be created after we return so the "please wait"
+			// message gets rendered
+			var createCSRHandler = function () {
+				try {
+					csr.value = cenroll.createPKCS10("", "1.3.6.1.5.5.7.3.2");
+					form.submit();
+				} catch (e) {
+					if (e.number === -2147023673) {
+						// 0x800704c7 => dialogue declined
+						showError(createRequestErrorConfirmDialogue.innerHTML, e);
+					} else if (e.number === -2146435043) {
+						// 0x8010001d => crypto-device not connected
+						showError(createRequestErrorConnectDevice.innerHTML, e);
+					} else {
+						showError(createRequestError.innerHTML, e);
+					}
+				}
+
+				generatingKeyNotice.style.display = "none";
+				cenroll.Reset();
+			}
+
+			window.setTimeout(createCSRHandler, 0);
+
+			// Always return false, form is submitted by deferred method
+			return false;
+		}
+
+		/// Call if securityLevel has changed
+		var refreshSecurityLevel = function () {
+			var level = securityLevel.options[securityLevel.selectedIndex];
+			if (level.value === "custom") {
+				getProviderList();
+				customSettings.style.display = "";
+			} else {
+				customSettings.style.display = "none";
+			}
+		}
+
+		securityLevel.onchange = refreshSecurityLevel;
+		provider.onchange = getAlgorithmList;
+		algorithm.onchange = getKeySizeLimits;
+		genReq.onclick = createCSR;
+
+		return true;
+	};
+
+	// Run the init functions until one is successful
+	if (initCertEnroll()) {
+		form.style.display = "";
+		noActiveX.style.display = "none";
+	} else if (initXEnroll()) {
+		form.style.display = "";
+		noActiveX.style.display = "none";
+	} else {
+		window.alert(unsupportedPlatformError.innerHTML);
+	}
+} ();
-- 
cgit v1.2.1