<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");

#
# Only known and logged in users can do this.
#
$this_user = CheckLoginOrDie();
$uid       = $this_user->uid();
$isadmin   = ISADMIN();

#
# Verify page arguments. Every argument is optional; when target_user is
# absent the caller is working on their own account.
#
$optargs = OptionalPageArguments("target_user", PAGEARG_USER,
				 "submit",      PAGEARG_STRING,
				 "finished",    PAGEARG_BOOLEAN,
				 "formfields",  PAGEARG_ARRAY);

if (!isset($target_user)) {
    $target_user = $this_user;
}

# The uid is interpolated into headers, messages and the helper command below.
$target_uid = $target_user->uid();

#
# Second visit, after the redirect at the bottom of this page: the
# certificate exists, so just tell the user where to fetch it.
# NOTE(review): this view is rendered before the permission check further
# down; the getsslcert download endpoint is presumed to enforce access on
# its own -- confirm.
#
if (isset($finished)) {
    PAGEHEADER("Download SSL Certificate for user: $target_uid");

    $sslurl = CreateURL("getsslcert", $target_user);
    $sshurl = CreateURL("getsslcert", $target_user, "ssh", 1);

    echo "<blockquote>
          <a href='$sslurl'>Download</a> your 
          certificate and private key in PEM format, and then save
          it to a file in your .ssl directory.
          <br>
          <br>
          You can also download it in <a href='$sslurl&p12=1'><em>pkc12</em></a>
          format for loading
          into your web browser (if you do not know what this means, or why
          you need to do this, then ignore this).
	  <br>
	  <br>
	  We have also created a SSH key pair for you, derived from your new 
          ssl certificate, using the same pass phrase.
          You can <a href='$sshurl'>Download</a> the private
          key and load it into your ssh agent. The private key is typically
	  placed in your .ssh directory on your desktop machine. If you are
          running an agent such as
	  <a href='http://www.chiark.greenend.org.uk/~sgtatham/putty/'>Putty</a>
          or
	  <a href='http://sshkeychain.sourceforge.net/'>SSHKeychain</a>,
	  please consult the
	  documentation for those programs.
          </blockquote>\n";

    PAGEFOOTER();
    return;
}

#
# Standard Testbed Header, now that we know what we want to say.
#
PAGEHEADER("Generate SSL Certificate for user: $target_uid");

#
# Only admin people can create SSL certs for another user. SameUser() is
# only consulted when the caller is not an admin.
#
if (!($isadmin || $target_user->SameUser($this_user))) {
    USERERROR("You do not have permission to create SSL certs ".
	      "for $target_uid!", 1);
}

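#
# Emit the certificate-generation form for $target_user.
#
# $formfields holds the values used to pre-fill the form (the defaults on
# first load, the user's own input after a failed submit) and $errors maps
# a field label to a message; a non-empty $errors is rendered above the
# form. Non-admins additionally get an "Emulab Password" field, since the
# caller requires the account password before minting a certificate.
#
function SPITFORM($target_user, $formfields, $errors)
{
    global $isadmin;

    $target_webid = $target_user->webid();

    echo "<blockquote>
          By downloading an encrypted SSL certificate, you are able to use
          Emulab's XMLRPC server from your desktop or home machine. This
          certificate must be pass phrase protected, and allows you to issue
          any of the RPC requests documented in the <a href=xmlrpcapi.php3>
          Emulab XMLRPC Reference</a>.</blockquote><br>\n";

    echo "<center>
          Create an SSL Certificate[<b>1</b>]
          </center><br>\n";

    if ($errors) {
        echo "<table class=nogrid
                     align=center border=0 cellpadding=6 cellspacing=0>
              <tr>
                 <th align=center colspan=2>
                   <font size=+1 color=red>
                      &nbsp;Oops, please fix the following errors!&nbsp;
                   </font>
                 </th>
              </tr>\n";

        # Messages may originate from helper-script output (see the SUEXEC
        # caller), so they are escaped rather than trusted as markup.
        # foreach replaces the old list()/each() loop, which PHP removed.
        foreach ($errors as $name => $message) {
            $safe_name    = htmlspecialchars($name);
            $safe_message = htmlspecialchars($message);
            echo "<tr>
                     <td align=right>
                       <font color=red>$safe_name:&nbsp;</font></td>
                     <td align=left>
                       <font color=red>$safe_message</font></td>
                  </tr>\n";
        }
        echo "</table><br>\n";
    }

    echo "<table align=center border=1> 
          <form enctype=multipart/form-data
                action=gensslcert.php3 method=post>\n";

    # Quoted and escaped so the attribute cannot be broken out of.
    echo "<input type=hidden name=\"formfields[user]\" ".
         "value=\"" . htmlspecialchars($target_webid) . "\">\n";

    echo "<tr>
              <td>PassPhrase[<b>2</b>]:</td>
              <td class=left>
                  <input type=password
                         name=\"formfields[passphrase1]\"
                         size=24></td>
          </tr>\n";

    echo "<tr>
              <td>Confirm PassPhrase:</td>
              <td class=left>
                  <input type=password
                         name=\"formfields[passphrase2]\"
                         size=24></td>
          </tr>\n";

    # Checkbox is pre-checked only when the submitted/default value is "Yep".
    echo "<tr>
              <td>Reuse Private Key?[<b>3</b>]:</td>
              <td class=left>
                  <input type=checkbox
                         name=\"formfields[reusekey]\"
                         value=Yep";

    if (isset($formfields["reusekey"]) && $formfields["reusekey"] === "Yep") {
        echo "           checked";
    }

    echo "                       > Yes
              </td>
          </tr>\n";

    #
    # Verify with password.
    #
    if (!$isadmin) {
        echo "<tr>
                  <td>Emulab Password[<b>4</b>]:</td>
                  <td class=left>
                      <input type=password
                             name=\"formfields[password]\"
                             size=12></td>
              </tr>\n";
    }

    echo "<tr>
              <td colspan=2 align=center>
                 <b><input type=submit name=submit value='Create SSL Cert'></b>
              </td>
          </tr>\n";

    echo "</form>
          </table>\n";

    echo "<blockquote><blockquote><blockquote>
          <ol>
            <li> This is an <b>encrypted key</b> and should <b>not</b> replace
                 your <tt>emulab.pem</tt> in your <tt>.ssl</tt> directory.
            <li> You must supply a passphrase to use when encrypting the
                 private key for your SSL certificate. You will be prompted
                 for this passphrase whenever you attempt to use it. Pick
                 a good one!
            <li> Reuse your existing private key unless you think it has been
                 compromised. Must provide correct passphrase for your key.";
    if (!$isadmin) {
        echo "<li> As a security precaution, you must supply your Emulab user
                 password when creating new ssl certificates. ";
    }
    echo "</ol>
          </blockquote></blockquote></blockquote>\n";
}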

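#
# On first load (no submit button in the POST), display the form with its
# defaults: reuse the existing private key.
#
if (! isset($_POST['submit'])) {
    $defaults = array("reusekey" => "Yep");

    SPITFORM($target_user, $defaults, 0);
    PAGEFOOTER();
    return;
}

#
# A submit without the formfields array is a malformed request.
# NOTE(review): everything below dereferences $formfields, so this relies
# on PAGEARGERROR not returning -- confirm.
#
if (!isset($formfields)) {
    PAGEARGERROR("Invalid form arguments; no formfields array.");
}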

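#
# Otherwise, must validate and redisplay if errors.
#
$errors = array();

#
# Need these for checkpass.
#
$user_name  = $target_user->name();
$user_email = $target_user->email();

#
# Pull the submitted fields out as plain strings. A missing or non-string
# value (e.g. "passphrase1[]=x" in the POST) is treated as empty, so the
# comparisons below never read an undefined index and the helpers never
# receive an array.
#
$passphrase1 = "";
if (isset($formfields["passphrase1"]) && is_string($formfields["passphrase1"])) {
    $passphrase1 = $formfields["passphrase1"];
}
$passphrase2 = "";
if (isset($formfields["passphrase2"]) && is_string($formfields["passphrase2"])) {
    $passphrase2 = $formfields["passphrase2"];
}

#
# Must supply a reasonable passphrase, confirmed, and acceptable to
# CHECKPASSWORD (which explains a rejection through $checkerror).
#
if ($passphrase1 === "") {
    $errors["Passphrase"] = "Missing Field";
}
if ($passphrase2 === "") {
    $errors["Confirm Passphrase"] = "Missing Field";
}
elseif ($passphrase1 !== $passphrase2) {
    $errors["Confirm Passphrase"] = "Does not match Passphrase";
}
elseif (! CHECKPASSWORD($target_uid,
			$passphrase1,
			$user_name,
			$user_email, $checkerror)) {
    $errors["Passphrase"] = "$checkerror";
}

#
# Must verify passwd to create an SSL key. Non-admins were already required
# (above) to be operating on their own account, so $target_uid is the caller.
#
if (! $isadmin) {
    $password = "";
    if (isset($formfields["password"]) && is_string($formfields["password"])) {
        $password = $formfields["password"];
    }

    if ($password === "") {
	$errors["Password"] = "Must supply a verification password";
    }
    elseif (VERIFYPASSWD($target_uid, $password) != 0) {
	$errors["Password"] = "Incorrect password";
    }
}

# Spit the errors
if (count($errors)) {
    SPITFORM($target_user, $formfields, $errors);
    PAGEFOOTER();
    return;
}

# The checkbox value "Yep" means keep the existing private key (-r flag).
$reusekey = "";
if (isset($formfields["reusekey"]) && $formfields["reusekey"] === "Yep") {
    $reusekey = "-r";
}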

#
# Run the certificate generator as the target user. The passphrase goes
# through escapeshellarg(); $reusekey is "" or "-r" (set above) and
# $target_uid comes from a validated user object, so both are interpolated
# as-is.
# NOTE(review): the passphrase is handed over as a command-line argument,
# which may be visible in the process table while webmkusercert runs;
# avoiding that would need the helper to read it from stdin -- confirm.
#
$mkcert_cmd = "webmkusercert $reusekey -p " .
	      escapeshellarg($formfields["passphrase1"]) . " $target_uid";

STARTBUSY("Generating Certificate");
$retval = SUEXEC($target_uid, "nobody", $mkcert_cmd, SUEXEC_ACTION_IGNORE);
HIDEBUSY();

#
# Fatal Error. Report to tbops. SUEXECERROR never returns; the die() is a
# backstop.
#
if ($retval < 0) {
    SUEXECERROR(SUEXEC_ACTION_DIE);
    die("");
}

#
# User Error. The helper's output becomes the message shown against the
# PassPhrase field and the form is redisplayed.
#
if ($retval > 0) {
    $errors["PassPhrase"] = $suexec_output;

    SPITFORM($target_user, $formfields, $errors);
    PAGEFOOTER();
    return;
}

#
# Success: bounce to the "finished" view so a reload does not re-POST.
#
PAGEREPLACE(CreateURL("gensslcert", $target_user, "finished", 1));

PAGEFOOTER();