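<?php
/*
LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/

/*
 * www/api/ccsr.php - client certificate request API.
 *
 * Flow: authenticate the caller by account e-mail + password, match the
 * submitted e-mail addresses against verified addresses on that account,
 * normalise the submitted CSR through openssl, store a pending `emailcerts`
 * row, trigger the signer and stream the resulting certificate back.
 *
 * Response protocol: the first line is "<status>,<message>"; on success the
 * "200,Authentication Ok" line is followed by the PEM certificate body.
 *
 * Request parameters (all read from $_REQUEST, i.e. GET, POST or cookie):
 *   username, password  - account credentials
 *   email[]             - one or more addresses to put into the certificate
 *   name                - optional real name for the CN (>= 50 points only)
 *   codesign            - "1" to request the code-signing flag (>= 100 points)
 *   optionalCSR         - the PEM CSR
 *
 * Expects an open mysql_* connection plus checkWeakKeyCSR() and
 * generatecertpath(), all provided by the including environment.
 *
 * Opening tag is the long form on purpose: with short_open_tag disabled a
 * "<?" file is served as plain text, source included.
 */

// Reject the request up front when either credential is absent or not a
// plain string; the lookup below would end the same way, minus PHP notices.
if (!isset($_REQUEST['username'], $_REQUEST['password'])
    || !is_string($_REQUEST['username']) || !is_string($_REQUEST['password'])) {
    die("403,That username couldn't be found\n");
}
$username = mysql_real_escape_string($_REQUEST['username']);
$password = mysql_real_escape_string($_REQUEST['password']);

// Legacy credential check: the stored hash is either MySQL old_password() or
// sha1(), both recomputed inside the query from the escaped literal. There is
// no rate limiting at this layer, and $_REQUEST also accepts the password on
// the query string.
$query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
$res = mysql_query($query);
if ($res === false || mysql_num_rows($res) != 1) {
    die("403,That username couldn't be found\n");
}
$user = mysql_fetch_assoc($res);
$memid = (int) $user['id'];

// Keep only submitted addresses that belong to this account, are verified
// (`hash`='' means the confirmation mail was answered) and are not deleted.
// Keyed by the `email` row id so the emaillink rows can be written later.
$emails = array();
$requested = isset($_REQUEST['email']) && is_array($_REQUEST['email']) ? $_REQUEST['email'] : array();
foreach ($requested as $email) {
    if (!is_string($email)) {
        continue;
    }
    $email = mysql_real_escape_string(trim($email));
    $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0 and `email`='$email'";
    $res = mysql_query($query);
    if ($res && mysql_num_rows($res) > 0) {
        $row = mysql_fetch_assoc($res);
        $emails[(int) $row['id']] = $email;
    }
}
if (count($emails) <= 0) {
    die("404,Wasn't able to match any emails sent against your account");
}

// Assurance points decide whether a real name and the code-signing flag may
// be issued. An account with no notary rows yields no result row at all
// (the grouped sum returns nothing), so fall back to 0 explicitly.
$query = "select sum(`points`) as `points` from `notary` where `to`='$memid' group by `to`";
$res = mysql_query($query);
$row = $res ? mysql_fetch_assoc($res) : false;
$points = $row ? $row['points'] : 0;

// Default CN for accounts below 50 points.
// NOTE(review): the trailing "\n" ends up verbatim in the stored subject; it
// looks accidental, but downstream tooling may rely on it, so it is kept.
$name = "CAcert WoT User\n";
$rawname = isset($_REQUEST['name']) && is_string($_REQUEST['name']) ? trim($_REQUEST['name']) : '';
if ($points >= 50) {
    // Compare the submitted name with the assured name on file *before*
    // SQL-escaping it: the previous code compared the escaped form, so a
    // name containing any character mysql_real_escape_string() alters
    // (e.g. an apostrophe) could never be placed into the certificate.
    $onfile = array(
        $user['fname']." ".$user['lname'],
        $user['fname']." ".$user['mname']." ".$user['lname'],
        $user['fname']." ".$user['lname']." ".$user['suffix'],
        $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'],
    );
    if (in_array($rawname, $onfile, true)) {
        $name = mysql_real_escape_string($rawname);
    }
}

// Code signing needs the account flag, an explicit request and 100 points.
$codesign = 0;
if ((string) $user['codesign'] === "1"
    && isset($_REQUEST['codesign']) && $_REQUEST['codesign'] === "1"
    && $points >= 100) {
    $codesign = 1;
}

$CSR = isset($_REQUEST['optionalCSR']) && is_string($_REQUEST['optionalCSR']) ? trim($_REQUEST['optionalCSR']) : '';

// checkWeakKeyCSR() (defined elsewhere) returns "" for an acceptable key and
// a reason string otherwise. The reply keeps its original "403, <reason>"
// form even though the other replies have no space after the comma.
if (($weakKey = checkWeakKeyCSR($CSR)) !== "") {
    die("403, $weakKey");
}

// Round-trip the CSR through openssl so that only something openssl itself
// can parse is stored and handed to the signer. The temp paths come from
// tempnam(), but are still passed through escapeshellarg() rather than
// interpolated into the command line.
$incsr = tempnam("/tmp", "ccsrIn");
$checkedcsr = tempnam("/tmp", "ccsrOut");
$fp = fopen($incsr, "w");
if ($fp === false) {
    @unlink($incsr);
    @unlink($checkedcsr);
    die("404,Invalid or missing CSR");
}
fputs($fp, $CSR);
fclose($fp);
shell_exec('/usr/bin/openssl req -in '.escapeshellarg($incsr).' -out '.escapeshellarg($checkedcsr));
@unlink($incsr);
if (!is_file($checkedcsr) || filesize($checkedcsr) <= 0) {
    @unlink($checkedcsr); // do not leave the empty output file behind
    die("404,Invalid or missing CSR");
}

// Subject as stored for the signer: CN plus one emailAddress per matched
// address. $name and every $email are already SQL-escaped.
$csrsubject = "/CN=$name";
foreach ($emails as $id => $email) {
    $csrsubject .= "/emailAddress=".$email;
}

// Every value interpolated below is an int cast, an escaped string or a
// server-set constant; $user['email'] is DB-sourced but escaped anyway so an
// odd stored address cannot break the statement.
$query = "insert into `emailcerts` set `CN`='".mysql_real_escape_string($user['email'])."', `keytype`='MS',
    `memid`='$memid', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
    `subject`='$csrsubject', `codesign`='$codesign'";
mysql_query($query);
$certid = (int) mysql_insert_id();
if ($certid <= 0) {
    // The insert did not produce a row id; the CSR has nowhere to be filed.
    @unlink($checkedcsr);
    die("404,Your certificate request has failed. ID: $certid");
}
$CSRname = generatecertpath("csr", "client", $certid);
rename($checkedcsr, $CSRname);
mysql_query("update `emailcerts` set `csr_name`='".mysql_real_escape_string($CSRname)."' where `id`='$certid'");

foreach ($emails as $emailid => $email) {
    $emailid = (int) $emailid;
    mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='$emailid'");
}

// Trigger the signer, then poll for completion instead of the blind
// sleep(10) the original code itself marked as broken: a fixed delay failed
// on a slow signer and wasted the full 10 s on a fast one. The total wait is
// still bounded at 10 s. Assumes the signer sets `crt_name` only once the
// certificate file is complete -- the same assumption the original made.
shell_exec('../../scripts/runclient');
$cert = false;
for ($attempt = 0; $attempt <= 10; $attempt++) {
    if ($attempt > 0) {
        sleep(1);
    }
    $res = mysql_query("select * from `emailcerts` where `id`='$certid' and `crt_name` != ''");
    if ($res && mysql_num_rows($res) > 0) {
        $cert = mysql_fetch_assoc($res);
        break;
    }
}
if ($cert === false) {
    die("404,Your certificate request has failed. ID: $certid");
}
echo "200,Authentication Ok\n";
// crt_name is a path written by the signer, relative to the web root's parent.
readfile("../".$cert['crt_name']);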