bug 807: Allow changing the hash algorithm used in signing
authorMichael Tänzer <neo@nhng.de>
Wed, 19 Mar 2014 23:43:07 +0000 (00:43 +0100)
committerMichael Tänzer <neo@nhng.de>
Wed, 19 Mar 2014 23:43:07 +0000 (00:43 +0100)
Signed-off-by: Michael Tänzer <neo@nhng.de>
includes/account.php
includes/lib/account.php
pages/account/10.php
pages/account/16.php
pages/account/20.php
pages/account/3.php
www/styles/default.css

index 7c3748d..0dbab8d 100644 (file)
@@ -284,6 +284,14 @@ function buildSubjectFromSession() {
                        if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                                $_SESSION['_config']['rootcert'] = 1;
                }
+
+               // Check if we got a valid hash algorithm, otherwise use default
+               if (array_key_exists('hash_alg', $_REQUEST) && array_key_exists($_REQUEST['hash_alg'], HASH_ALGORITHMS)) {
+                       $_SESSION['_config']['hash_alg'] = $_REQUEST['hash_alg'];
+               } else {
+                       $_SESSION['_config']['hash_alg'] = DEFAULT_HASH_ALGORITHM;
+               }
+
                $csr = "";
                if(trim($_REQUEST['optionalCSR']) == "")
                {
@@ -384,6 +392,7 @@ function buildSubjectFromSession() {
                                                `codesign`='".intval($_SESSION['_config']['codesign'])."',
                                                `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
                                                `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
@@ -485,6 +494,7 @@ function buildSubjectFromSession() {
                                                `codesign`='".$_SESSION['_config']['codesign']."',
                                                `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
                                                `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
@@ -762,6 +772,13 @@ function buildSubjectFromSession() {
                        if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                                $_SESSION['_config']['rootcert'] = 1;
                }
+
+               // Check if we got a valid hash algorithm, otherwise use default
+               if (array_key_exists('hash_alg', $_REQUEST) && array_key_exists($_REQUEST['hash_alg'], HASH_ALGORITHMS)) {
+                       $_SESSION['_config']['hash_alg'] = $_REQUEST['hash_alg'];
+               } else {
+                       $_SESSION['_config']['hash_alg'] = DEFAULT_HASH_ALGORITHM;
+               }
        }
 
        if($process != "" && $oldid == 11)
@@ -806,6 +823,7 @@ function buildSubjectFromSession() {
                                                `domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
                                                `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
                                                `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                } elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) {
                        $query = "insert into `domaincerts` set
@@ -813,6 +831,7 @@ function buildSubjectFromSession() {
                                                `domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
                                                `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
                                                `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                } else {
                        showheader(_("My CAcert.org Account!"));
@@ -1462,6 +1481,13 @@ function buildSubjectFromSession() {
                if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                        $_SESSION['_config']['rootcert'] = 1;
 
+               // Check if we got a valid hash algorithm, otherwise use default
+               if (array_key_exists('hash_alg', $_REQUEST) && array_key_exists($_REQUEST['hash_alg'], HASH_ALGORITHMS)) {
+                       $_SESSION['_config']['hash_alg'] = $_REQUEST['hash_alg'];
+               } else {
+                       $_SESSION['_config']['hash_alg'] = DEFAULT_HASH_ALGORITHM;
+               }
+
                if(trim($_REQUEST['description']) != ""){
                        $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
                }else{
@@ -1533,6 +1559,7 @@ function buildSubjectFromSession() {
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
                                                `codesign`='".$_SESSION['_config']['codesign']."',
                                                `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
@@ -1625,6 +1652,7 @@ function buildSubjectFromSession() {
                                                `subject`='$csrsubject',
                                                `codesign`='".$_SESSION['_config']['codesign']."',
                                                `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                                `description`='".$_SESSION['_config']['description']."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
@@ -1890,6 +1918,13 @@ function buildSubjectFromSession() {
                $_SESSION['_config']['rootcert'] = intval($_REQUEST['rootcert']);
                if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                        $_SESSION['_config']['rootcert'] = 1;
+
+               // Check if we got a valid hash algorithm, otherwise use default
+               if (array_key_exists('hash_alg', $_REQUEST) && array_key_exists($_REQUEST['hash_alg'], HASH_ALGORITHMS)) {
+                       $_SESSION['_config']['hash_alg'] = $_REQUEST['hash_alg'];
+               } else {
+                       $_SESSION['_config']['hash_alg'] = DEFAULT_HASH_ALGORITHM;
+               }
        }
 
        if($process != "" && $oldid == 21)
@@ -1964,6 +1999,7 @@ function buildSubjectFromSession() {
                                        `created`=NOW(),
                                        `subject`='$csrsubject',
                                        `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                       `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                        `type`='$type',
                                        `description`='".$_SESSION['_config']['description']."'";
                } else {
@@ -1973,6 +2009,7 @@ function buildSubjectFromSession() {
                                        `created`=NOW(),
                                        `subject`='$csrsubject',
                                        `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                       `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
                                        `type`='$type',
                                        `description`='".$_SESSION['_config']['description']."'";
                }
index e311668..7660861 100644 (file)
 
 /**
  * Function to recalculate the cached Assurer status
- * 
+ *
  * @param int $userID
  *     if the user ID is not given the flag will be recalculated for all users
- * 
+ *
  * @return bool
  *     false if there was an error on fixing the flag. This does NOT return the
  *     new value of the flag
@@ -30,7 +30,7 @@
 function fix_assurer_flag($userID = NULL)
 {
        // Update Assurer-Flag on users table if 100 points and CATS passed.
-       // 
+       //
        // We may have some performance issues here if no userID is given
        // there are ~150k assurances and ~220k users currently
        // but the exists-clause on cats_passed should be a good filter
@@ -46,20 +46,20 @@ function fix_assurer_flag($userID = NULL)
                                WHERE `cp`.`variant_id` = `cv`.`id`
                                        AND `cv`.`type_id` = 1
                                        AND `cp`.`user_id` = `u`.`id`
-                       ) 
+                       )
                        AND (
                                SELECT SUM(`points`) FROM `notary` AS `n`
                                WHERE `n`.`to` = `u`.`id`
                                        AND (`n`.`expire` > now()
                                        OR `n`.`expire` IS NULL)
                        ) >= 100';
-       
+
        $query = mysql_query($sql);
        if (!$query) {
                return false;
        }
        // Challenge has been passed and non-expired points >= 100
-       
+
        // Reset flag if requirements are not met
        //
        // Also a bit performance critical but assurer flag is only set on
@@ -88,11 +88,30 @@ function fix_assurer_flag($userID = NULL)
                                                )
                                ) < 100
                        )';
-       
+
        $query = mysql_query($sql);
        if (!$query) {
                return false;
        }
-       
+
        return true;
-}
\ No newline at end of file
+}
+
+
+/**
+ * Contains a map of all hash algorithms currently supported for signing.
+ *
+ * @var array(string=>string) identifier => display_string
+ */
+define("HASH_ALGORITHMS", array(
+               "sha256" => "SHA256 "._("recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x)."),
+               "sha384" => "SHA384",
+               "sha512" => "SHA512",
+               ));
+
+/**
+ * The identifier of the default hash algorithm used as found in HASH_ALGORITHMS
+ *
+ * @var string
+ */
+define("DEFAULT_HASH_ALGORITHM", "sha256");
index 56d6730..82e4c87 100644 (file)
 <div id="advanced_options">
 
 <? if($_SESSION['profile']['points'] >= 50) { ?>
-<p>
-       <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
-       <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label>
-</p>
+<ul class="no_indent">
+       <li>
+               <input type="radio" id="root1" name="rootcert" value="1" />
+               <label for="root1"><?=_("Sign by class 1 root certificate")?></label>
+       </li>
+       <li>
+               <input type="radio" id="root2" name="rootcert" value="2" checked="checked" />
+               <label for="root2"><?=_("Sign by class 3 root certificate")?></label>
+       </li>
+</ul>
 <p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
 <? } ?>
 
+<p class="attach_ul"><?=_("Hash algorithm used when signing the certificate:")?></p>
+<ul class="no_indent">
+<?
+foreach (HASH_ALGORITHMS as $algorithm => $display_string) {
+?>
+       <li>
+               <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(DEFAULT_HASH_ALGORITHM === $algorithm)?'checked="checked"':''?> />
+               <label for="hash_alg_<?=$algorithm?>"><?=$display_string?></label>
+       </li>
+<?
+} ?>
+</ul>
+
 </div>
 </fieldset>
 
index ad86e3d..d2c9787 100644 (file)
@@ -66,6 +66,20 @@ if (array_key_exists('emails',$_SESSION['_config']) && is_array($_SESSION['_conf
         <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 60))?>
     </td>
   </tr>
+
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+      <?=_("Hash algorithm used when signing the certificate:")?><br />
+      <?
+      foreach (HASH_ALGORITHMS as $algorithm => $display_string) {
+      ?>
+        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(DEFAULT_HASH_ALGORITHM === $algorithm)?'checked="checked"':''?> />
+        <label for="hash_alg_<?=$algorithm?>"><?=$display_string?></label><br />
+      <?
+      } ?>
+    </td>
+  </tr>
+
 <? if($_SESSION['profile']['codesign'] && $_SESSION['profile']['points'] >= 100) { ?>
   <tr name="expert">
     <td class="DataTD" colspan="2" align="left">
index c90d9b4..f91440e 100644 (file)
        <label for="expertbox"><?=_("Advanced Options")?></label>
 </legend>
 <div id="advanced_options">
-<p>
-       <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
-       <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label>
-</p>
+<ul class="no_indent">
+       <li>
+               <input type="radio" id="root1" name="rootcert" value="1" />
+               <label for="root1"><?=_("Sign by class 1 root certificate")?></label>
+       </li>
+       <li>
+               <input type="radio" id="root2" name="rootcert" value="2" checked="checked" />
+               <label for="root2"><?=_("Sign by class 3 root certificate")?></label>
+       </li>
+</ul>
 <p><?=_("Please note: The class 3 root certificate needs to be setup in your webserver as a chained certificate, while slightly more complicated to setup, this root certificate is more likely to be trusted by more people.")?></p>
+
+<p class="attach_ul"><?=_("Hash algorithm used when signing the certificate:")?></p>
+<ul class="no_indent">
+<?
+foreach (HASH_ALGORITHMS as $algorithm => $display_string) {
+?>
+       <li>
+               <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(DEFAULT_HASH_ALGORITHM === $algorithm)?'checked="checked"':''?> />
+               <label for="hash_alg_<?=$algorithm?>"><?=$display_string?></label>
+       </li>
+<?
+} ?>
+</ul>
+
 </div>
 </fieldset>
 
index d558ed9..7ce4267 100644 (file)
@@ -115,6 +115,19 @@ if($_SESSION['profile']['points'] >= 50)
   </tr>
 <? } ?>
 
+  <tr name="expert">
+    <td class="DataTD" colspan="2" align="left">
+      <?=_("Hash algorithm used when signing the certificate:")?><br />
+      <?
+      foreach (HASH_ALGORITHMS as $algorithm => $display_string) {
+      ?>
+        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(DEFAULT_HASH_ALGORITHM === $algorithm)?'checked="checked"':''?> />
+        <label for="hash_alg_<?=$algorithm?>"><?=$display_string?></label><br />
+      <?
+      } ?>
+    </td>
+  </tr>
+
 <? if($_SESSION['profile']['points'] >= 100 && $_SESSION['profile']['codesign'] > 0) { ?>
   <tr name="expert">
     <td class="DataTD">
index 0fdcf2d..b8d9182 100644 (file)
@@ -94,6 +94,14 @@ ul.no_indent {
        padding: 0px;
 }
 
+.attach_ul {
+       margin-bottom: 0px;
+}
+
+.attach_ul + ul {
+       margin-top: 0px;
+}
+
 
 /***********************************************/
 /* Layout Divs                                 */