3bfe55aa61ada714422940e704621180092eec69
[cacert.git] / www / api / ccsr.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once '../../includes/lib/check_weak_key.php';
20
21 $username = mysql_real_escape_string($_REQUEST['username']);
22 $password = mysql_real_escape_string($_REQUEST['password']);
23
24 $query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
25 $res = mysql_query($query);
26 if(mysql_num_rows($res) != 1)
27 die("403,That username couldn't be found\n");
28 $user = mysql_fetch_assoc($res);
29 $memid = $user['id'];
30 $emails = array();
31 foreach($_REQUEST['email'] as $email)
32 {
33 $email = mysql_real_escape_string(trim($email));
34 $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0 and `email`='$email'";
35 $res = mysql_query($query);
36 if(mysql_num_rows($res) > 0)
37 {
38 $row = mysql_fetch_assoc($res);
39 $id = $row['id'];
40 $emails[$id] = $email;
41 }
42 }
43 if(count($emails) <= 0)
44 die("404,Wasn't able to match any emails sent against your account");
45 $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`";
46 $row = mysql_fetch_assoc(mysql_query($query));
47 $points = $row['points'];
48
49 $name = "CAcert WoT User\n";
50 $newname = mysql_real_escape_string(trim($_REQUEST['name']));
51 if($points >= 50)
52 {
53 if($newname == $user['fname']." ".$user['lname'] ||
54 $newname == $user['fname']." ".$user['mname']." ".$user['lname'] ||
55 $newname == $user['fname']." ".$user['lname']." ".$user['suffix'] ||
56 $newname == $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])
57 $name = $newname;
58 }
59
60 $codesign = 0;
61 if($user['codesign'] == "1" && $_REQUEST['codesign'] == "1" && $points >= 100)
62 $codesign = 1;
63
64 $CSR = trim($_REQUEST['optionalCSR']);
65
66 if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
67 {
68 die("403, $weakKey");
69 }
70
71 $incsr = tempnam("/tmp", "ccsrIn");
72 $checkedcsr = tempnam("/tmp", "ccsrOut");
73 $fp = fopen($incsr, "w");
74 fputs($fp, $CSR);
75 fclose($fp);
76 $incsr_esc = escapeshellarg($incsr);
77 $checkedcsr_esc = escapeshellarg($checkedcsr);
78 $do = shell_exec("/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc");
79 @unlink($incsr);
80 if(filesize($checkedcsr) <= 0)
81 die("404,Invalid or missing CSR");
82
83 $csrsubject = "/CN=$name";
84 foreach($emails as $id => $email)
85 $csrsubject .= "/emailAddress=".$email;
86
87 $query = "insert into `emailcerts` set `CN`='".mysql_real_escape_string($user['email'])."', `keytype`='MS',
88 `memid`='".intval($user['id'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
89 `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".intval($codesign)."'";
90 mysql_query($query);
91 $certid = mysql_insert_id();
92 $CSRname = generatecertpath("csr","client",$certid);
93 rename($checkedcsr, $CSRname);
94
95 mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$certid'");
96
97 foreach($emails as $emailid => $email)
98 mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='".intval($emailid)."'");
99
100 $do = shell_exec("../../scripts/runclient");
101 sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED
102 $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''";
103 $res = mysql_query($query);
104 if(mysql_num_rows($res) <= 0)
105 die("404,Your certificate request has failed. ID: ".intval($certid));
106 $cert = mysql_fetch_assoc($res);
107 echo "200,Authentication Ok\n";
108 readfile("../".$cert['crt_name']);
109 ?>