<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");

#
# Access is restricted to authenticated Emulab users. CheckLoginOrDie()
# terminates the request otherwise, so everything below runs on behalf of
# a known caller.
#
$this_user = CheckLoginOrDie();
$isadmin   = ISADMIN();
$uid       = $this_user->uid();

#
# Page arguments. All of them are optional; each one that is present is
# bound to a variable of the same name. target_user is resolved to a user
# object (uid()/webid()/name()/email() are used below), finished selects
# the post-generation download page, and formfields is the POSTed form.
#
$optargs = OptionalPageArguments(
    "target_user", PAGEARG_USER,
    "submit",      PAGEARG_STRING,
    "finished",    PAGEARG_BOOLEAN,
    "formfields",  PAGEARG_ARRAY);
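# Default to current user if not provided.
if (!isset($target_user)) {
     $target_user = $this_user;
}

# Need these below
$target_uid = $target_user->uid();

#
# Standard Testbed Header. The title depends on which half of the page we
# are drawing, but the header is emitted before the permission check so
# that USERERROR() below still runs after a header, as it did before.
#
$page_title = (isset($finished)
	       ? "Download SSL Certificate for user: $target_uid"
	       : "Generate SSL Certificate for user: $target_uid");
PAGEHEADER($page_title);

#
# Only admin people can create SSL certs for another user.
#
# This check has to run before the "finished" branch: that branch renders
# per-target download links, and it used to be reachable by any logged in
# user for any target_user without ever hitting this test. The getsslcert
# script presumably enforces its own access control (not visible here), so
# treat this as defence in depth rather than a known bypass.
#
if (!$isadmin && !$target_user->SameUser($this_user)) {
    USERERROR("You do not have permission to create SSL certs ".
	      "for $target_uid!", 1);
}

#
# The conclusion: the certificate has been generated (we were redirected
# here with finished=1), so offer the download links.
# 
if (isset($finished)) {
    $sslurl = CreateURL("getsslcert", $target_user);
    $sshurl = CreateURL("getsslcert", $target_user, "ssh", 1);
    
    echo "<blockquote>
          <a href='$sslurl'>Download</a> your 
          certificate and private key in PEM format, and then save
          it to a file in your .ssl directory.
          <br>
          <br>
          You can also download it in <a href='$sslurl&p12=1'><em>pkc12</em></a>
          format for loading
          into your web browser (if you do not know what this means, or why
          you need to do this, then ignore this).
	  <br>
	  <br>
	  We have also created a SSH key pair for you, derived from your new 
          ssl certificate, using the same pass phrase.
          You can <a href='$sshurl'>Download</a> the private
          key and load it into your ssh agent. The private key is typically
	  placed in your .ssh directory on your desktop machine. If you are
          running an agent such as
	  <a href='http://www.chiark.greenend.org.uk/~sgtatham/putty/'>Putty</a>
          or
	  <a href='http://sshkeychain.sourceforge.net/'>SSHKeychain</a>,
	  please consult the
	  documentation for those programs.
          </blockquote>\n";
	    
    PAGEFOOTER();
    return;
}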

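#
# SPITFORM - draw the "Create an SSL Certificate" form.
#
#  $target_user: user object the certificate is for; only webid() is used.
#  $formfields:  array of previously submitted values, used to re-check the
#                "reuse key" box on redisplay. Password fields are never
#                refilled.
#  $errors:      array of label => message shown above the form, or 0.
#
# Everything interpolated into the HTML goes through htmlspecialchars():
# the error messages can originate outside this file (CHECKPASSWORD, the
# output of webmkusercert), and the webid comes from the user object.
#
function SPITFORM($target_user, $formfields, $errors)
{
    global $isadmin;

    $target_webid  = $target_user->webid();

    echo "<blockquote>
          By downloading an encrypted SSL certificate, you are able to use
          Emulab's XMLRPC server from your desktop or home machine. This
          certificate must be pass phrase protected, and allows you to issue
          any of the RPC requests documented in the <a href=xmlrpcapi.php3>
          Emulab XMLRPC Reference</a>.</blockquote><br>\n";
    
    echo "<center>
          Create an SSL Certificate[<b>1</b>]
          </center><br>\n";

    if ($errors) {
	echo "<table class=nogrid
                     align=center border=0 cellpadding=6 cellspacing=0>
              <tr>
                 <th align=center colspan=2>
                   <font size=+1 color=red>
                      &nbsp;Oops, please fix the following errors!&nbsp;
                   </font>
                 </th>
              </tr>\n";

	foreach ($errors as $name => $message) {
	    # Escape at the sink: a message may carry text echoed back from
	    # an external command, which in turn saw the user's input.
	    $safe_name    = htmlspecialchars($name, ENT_QUOTES);
	    $safe_message = htmlspecialchars($message, ENT_QUOTES);
	    echo "<tr>
                     <td align=right>
                       <font color=red>$safe_name:&nbsp;</font></td>
                     <td align=left>
                       <font color=red>$safe_message</font></td>
                  </tr>\n";
	}
	echo "</table><br>\n";
    }

    echo "<table align=center border=1> 
          <form enctype=multipart/form-data
                action=gensslcert.php3 method=post>\n";

    # NOTE(review): the form posts only formfields[user]; nothing in this
    # file reads it, and the action URL does not carry the target_user page
    # argument, so on submit the page falls back to the logged in user. If
    # admins are meant to create certs for other users, the form has to post
    # target_user as well -- confirm what PAGEARG_USER expects.
    # NOTE(review): there is no anti-CSRF token. The Emulab password field
    # limits the damage for ordinary users, but admins are exempt from it.
    $safe_webid = htmlspecialchars($target_webid, ENT_QUOTES);
    echo "<input type=hidden name=\"formfields[user]\" ".
	         "value=\"$safe_webid\">\n";

    echo "<tr>
              <td>PassPhrase[<b>2</b>]:</td>
              <td class=left>
                  <input type=password
                         name=\"formfields[passphrase1]\"
                         size=24></td>
          </tr>\n";

    echo "<tr>
              <td>Confirm PassPhrase:</td>
              <td class=left>
                  <input type=password
                         name=\"formfields[passphrase2]\"
                         size=24></td>
          </tr>\n";

    # Reuse-key checkbox. The only value the submit path accepts is the
    # literal "Yep", so that is the only value that re-checks the box.
    $reuse_checked = "";
    if (isset($formfields["reusekey"]) &&
	strcmp($formfields["reusekey"], "Yep") == 0) {
	$reuse_checked = "           checked";
    }
    echo "<tr>
  	          <td>Reuse Private Key?[<b>3</b>]:</td>
		  <td class=left>
		      <input type=checkbox
			     name=\"formfields[reusekey]\"
			     value=Yep" . $reuse_checked .
	 "                       > Yes
		  </td>
	      </tr>\n";
    
    #
    # Verify with password. Admins do not have to re-authenticate.
    #
    if (!$isadmin) {
	echo "<tr>
                  <td>Emulab Password[<b>4</b>]:</td>
                  <td class=left>
                      <input type=password
                             name=\"formfields[password]\"
                             size=12></td>
              </tr>\n";
    }

    echo "<tr>
              <td colspan=2 align=center>
                 <b><input type=submit name=submit value='Create SSL Cert'></b>
              </td>
          </tr>\n";

    echo "</form>
          </table>\n";

    echo "<blockquote><blockquote><blockquote>
          <ol>
            <li> This is an <b>encrypted key</b> and should <b>not</b> replace
                 your <tt>emulab.pem</tt> in your <tt>.ssl</tt> directory.
            <li> You must supply a passphrase to use when encrypting the
                 private key for your SSL certificate. You will be prompted
                 for this passphrase whenever you attempt to use it. Pick
                 a good one!
            <li> Reuse your existing private key unless you think it has been
                 compromised. Must provide correct passphrase for your key.";
    if (!$isadmin) {
	echo "<li> As a security precaution, you must supply your Emulab user
                 password when creating new ssl certificates. ";
    }
    echo "</ol>
          </blockquote></blockquote></blockquote>\n";
}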

#
# First visit (no POSTed submit button): draw the form with its defaults
# and stop. Looking at $_POST rather than the parsed $submit argument means
# a GET carrying ?submit=... is not treated as a submission.
#
if (!isset($_POST['submit'])) {
    SPITFORM($target_user, array("reusekey" => "Yep"), 0);
    PAGEFOOTER();
    return;
}

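# Must get formfields.
if (!isset($formfields)) {
    PAGEARGERROR("Invalid form arguments; no formfields array.");
}

#
# Otherwise, must validate and redisplay if errors
#
$errors = array();

#
# Need this for checkpass.
#
$user_name  = $target_user->name();
$user_email = $target_user->email();

# Do not log or echo the passphrase while debugging: it protects the
# private key about to be created, and the log is readable by others.

#
# Must supply a reasonable passphrase.
#
# Pull both fields out as plain strings first. A missing field and a
# non-string value (e.g. passphrase1[]=x) are both treated as empty, so
# the comparison and CHECKPASSWORD() below only ever see strings.
#
$passphrase1 = (isset($formfields["passphrase1"]) &&
		is_string($formfields["passphrase1"])
		? $formfields["passphrase1"] : "");
$passphrase2 = (isset($formfields["passphrase2"]) &&
		is_string($formfields["passphrase2"])
		? $formfields["passphrase2"] : "");

if ($passphrase1 === "") {
    $errors["Passphrase"] = "Missing Field";
}
if ($passphrase2 === "") {
    $errors["Confirm Passphrase"] = "Missing Field";
}
elseif ($passphrase1 !== $passphrase2) {
    $errors["Confirm Passphrase"] = "Does not match Passphrase";
}
elseif (! CHECKPASSWORD($target_uid,
			$passphrase1,
			$user_name,
			$user_email, $checkerror)) {
    # CHECKPASSWORD applies the site's strength rules; its message is shown
    # to the user (and must be HTML-escaped by the form code that draws it).
    $errors["Passphrase"] = "$checkerror";
}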

#
# Must verify passwd to create an SSL key.
#
# Admins are exempt; everyone else has to prove possession of their Emulab
# login password before a new key is minted.
#
if (! $isadmin) {
    if (isset($formfields["password"]) &&
	strcmp($formfields["password"], "") != 0) {
	if (VERIFYPASSWD($target_uid, $formfields["password"]) != 0) {
	    $errors["Password"] = "Incorrect password";
	}
    }
    else {
	$errors["Password"] = "Must supply a verification password";
    }
}

#
# Any validation failure: redraw the form with the submitted values and
# the error list, then stop. Nothing has been generated at this point.
#
if (count($errors) > 0) {
    SPITFORM($target_user, $formfields, $errors);
    PAGEFOOTER();
    return;
}

#
# Map the "Reuse Private Key" checkbox onto the -r flag of webmkusercert.
# Anything other than the literal checkbox value means a fresh key pair.
#
$reusekey = (isset($formfields["reusekey"]) &&
	     strcmp($formfields["reusekey"], "Yep") == 0) ? "-r" : "";

#
# Hand off to the backend. webmkusercert generates the certificate for
# $target_uid, encrypting the private key with the supplied passphrase;
# -r (from the checkbox) asks it to keep the existing private key.
#
# SECURITY NOTE: the passphrase is passed on the command line of the
# suexec'd process, where it is briefly visible to anyone on the server
# who can list processes (ps). escapeshellarg() prevents shell injection
# but not that exposure; moving it to stdin or the environment needs a
# matching change on the webmkusercert side. $target_uid is interpolated
# unquoted; it comes from the user object rather than the request, so
# this relies on uids never containing shell metacharacters -- confirm.
#
STARTBUSY("Generating Certificate");
$retval = SUEXEC($target_uid, "nobody",
		 "webmkusercert $reusekey -p " .
		 escapeshellarg($formfields["passphrase1"]) . " $target_uid",
		 SUEXEC_ACTION_IGNORE);
HIDEBUSY();

#
# Fatal Error (negative status). Report to tbops.
# 
if ($retval < 0) {
    SUEXECERROR(SUEXEC_ACTION_DIE);
    #
    # Never returns ...
    #
    die("");
}

#
# User Error (positive status). Report to user by redrawing the form.
#
# $suexec_output (presumably filled in by SUEXEC) is the raw output of a
# command that saw the user's passphrase; it ends up in the page, so the
# form code must HTML-escape it before rendering.
#
if ($retval > 0) {
    $errors["PassPhrase"] = $suexec_output;
    
    SPITFORM($target_user, $formfields, $errors);
    PAGEFOOTER();
    return;
}

#
# Success. Replace the current page with a GET of the "finished" view so
# that a browser reload does not resubmit the form (with the passphrase and
# password in its body) and run the generation again.
#
$finished_url = CreateURL("gensslcert", $target_user, "finished", 1);
PAGEREPLACE($finished_url);

PAGEFOOTER();
?>