- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: "critical-admin AT cacert.org" <critical-admin AT cacert.org>
- Cc: cacert-devel AT lists.cacert.org, dirk astrath <dirk AT cacert.org>, Ulrich Schröter CAcert <ulrich AT cacert.org>, Eva Stöwe <eva.stoewe AT cacert.org>
- Subject: Patch request: Bug #440
- Date: Wed, 15 Jan 2014 01:25:00 +0100
- Openpgp: id=9940BEF1
Hi folks,
We have a fix for https://bugs.cacert.org/view.php?id=440
"Problem with subjectAltName"
The fix was reviewed by Dirk Astrath (dastrath) and me (NEOatNHNG) and
tested by Eva Stöwe (Eva) and Ulrich Schröter (Uli60).
The diff is attached. Please also run the locale makefile so that our
translators can see the new strings (if any) on
https://translations.cacert.org and so that new translations get imported
into the system.
Changed files:
/includes/account.php
/pages/account/11.php
/pages/account/21.php
--
Have a nice day,
Michael Tänzer
diff --git a/includes/account.php b/includes/account.php index 5be932b..7c3748d 100644 --- a/includes/account.php +++ b/includes/account.php @@ -22,6 +22,57 @@ loadem("account"); +/** + * Build a subject string as needed by the signer + * + * @param array(string) $domains + * First domain is used as CN and repeated in subjectAltName. Duplicates + * should already been removed + * + * @param bool $include_xmpp_addr + * [default: true] Whether to include the XmppAddr in the subjectAltName. + * This is needed if the Jabber server is jabber.example.com but a Jabber ID + * on that server would be alice AT example.com + * + * @return string + */ +function buildSubject(array $domains, $include_xmpp_addr = true) { + $subject = "/CN=${domains[0]}"; + + foreach ($domains as $domain) { + $subject .= "/subjectAltName=DNS:$domain"; + + if ($include_xmpp_addr) { + $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$domain"; + } + } + + return $subject; +} + +/** + * Builds the subject string from the session variables + * $_SESSION['_config']['rows'] and $_SESSION['_config']['altrows'] + * + * @return string + */ +function buildSubjectFromSession() { + $domains = array(); + + if (is_array($_SESSION['_config']['rows'])) { + $domains = array_merge($domains, $_SESSION['_config']['rows']); + } + + if (is_array($_SESSION['_config']['altrows'])) + foreach ($_SESSION['_config']['altrows'] as $row) { + if (substr($row, 0, 4) === "DNS:") { + $domains[] = substr($row, 4); + } + } + + return buildSubject(array_unique($domains)); +} + $id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0; $oldid = array_key_exists("oldid",$_REQUEST) ? intval($_REQUEST['oldid']) : 0; $process = array_key_exists("process",$_REQUEST) ? $_REQUEST['process'] : ""; 
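Review bot: `buildSubject()` reads `$domains[0]` without checking that the array is non-empty, so a session with no verified `rows` and no `DNS:` altrows produces a PHP notice and the bare subject `/CN=` from `buildSubjectFromSession()`, which the callers in the later hunks hand on to the signer and the database as if it were valid. A guard at the top of the function, `if (empty($domains)) { return ""; }`, keeps the old behaviour of an empty subject in that case, and `$domains = array_values($domains);` before the `[0]` access protects callers that pass a filtered or associatively keyed array (buildSubjectFromSession is only safe because `array_merge()` reindexes). The helper also has no defence against names containing `/` or `=`, which the signer reads as attribute separators; unless the CSR parser already restricts hostnames to DNS characters (not visible here), that precondition should at least be stated in the docblock, e.g. `Names must already be validated as hostnames: '/' or '=' in a name would inject extra subject attributes.`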
@@ -741,35 +792,8 @@ exit; } - $subject = ""; - $count = 0; - $supressSAN=0; - if($_SESSION["profile"]["id"] == 104074) $supressSAN=1; + $subject = buildSubjectFromSession(); - if(is_array($_SESSION['_config']['rows'])) - foreach($_SESSION['_config']['rows'] as $row) - { - $count++; - if($count <= 1) - { - $subject .= "/CN=$row"; - if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row"; - if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row"; - } else { - if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row"; - if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row"; - } - } - if(is_array($_SESSION['_config']['altrows'])) - foreach($_SESSION['_config']['altrows'] as $row) - { - if(substr($row, 0, 4) == "DNS:") - { - $row = substr($row, 4); - if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row"; - if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row"; - } - } if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; @@ -795,7 +819,6 @@ echo _("Domain not verified."); showfooter(); exit; - } mysql_query($query); 
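Review bot: The removed `if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;` was a hard-coded per-account exemption that suppressed every SAN for one profile, so that account's certificates will now carry `DNS:` and XmppAddr entries like everyone else's; dropping a special case from the issuance path is welcome, but neither the patch mail nor the hunk records that this is a deliberate behaviour change for that account. A short comment at the new `$subject = buildSubjectFromSession();` line, `// SANs are emitted for every account; the per-account suppression for profile 104074 was dropped with bug 440`, plus a sentence in the commit message would preserve that history, and it is worth confirming no other per-account special cases remain in this path. The enclosing `if($oldid == …)` block of account.php starts and ends outside the hunk.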
@@ -894,29 +917,7 @@ continue; } - $subject = ""; - $count = 0; - if(is_array($_SESSION['_config']['rows'])) - foreach($_SESSION['_config']['rows'] as $row) - { - $count++; - if($count <= 1) - { - $subject .= "/CN=$row"; - if(!strstr($subject, "=$row/") && - substr($subject, -strlen("=$row")) != "=$row") - $subject .= "/subjectAltName=$row"; - } else { - if(!strstr($subject, "=$row/") && - substr($subject, -strlen("=$row")) != "=$row") - $subject .= "/subjectAltName=$row"; - } - } - if(is_array($_SESSION['_config']['altrows'])) - foreach($_SESSION['_config']['altrows'] as $row) - if(!strstr($subject, "=$row/") && - substr($subject, -strlen("=$row")) != "=$row") - $subject .= "/subjectAltName=$row"; + $subject = buildSubjectFromSession(); $subject = mysql_real_escape_string($subject); mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'"); @@ -938,6 +939,7 @@ { echo _("You did not select any certificates for renewal."); } + showfooter(); exit; } @@ -1445,7 +1447,6 @@ if($oldid == 16 && $process != "") { - if(array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] && $_SESSION['profile']['codesign'] && ($_SESSION['profile']['points'] >= 100)) { $_REQUEST['codesign'] = 1; @@ -1948,20 +1949,7 @@ //if($org['contact']) // $csrsubject .= "/emailAddress=".trim($org['contact']); - if(is_array($_SESSION['_config']['rows'])) - foreach($_SESSION['_config']['rows'] as $row) - $csrsubject .= "/commonName=$row"; - $SAN=""; - if(is_array($_SESSION['_config']['altrows'])) - foreach($_SESSION['_config']['altrows'] as $subalt) - { - if($SAN != "") - $SAN .= ","; - $SAN .= "$subalt"; - } - - if($SAN != "") - $csrsubject .= "/subjectAltName=".$SAN; + $csrsubject .= buildSubjectFromSession(); $type=""; if($_REQUEST["ocspcert"]!="" && $_SESSION['profile']['admin'] == 1) $type="8"; 
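Review bot: `$csrsubject .= buildSubjectFromSession();` in the -1948 hunk changes the organisation-certificate subject format, not just its construction: the old code emitted one `/commonName=` per row and a single comma-joined `/subjectAltName=` of the raw altrows, while the helper emits one `/CN=`, one `/subjectAltName=DNS:` per name plus an XmppAddr `otherName` for each, and silently drops any altrow that does not start with `DNS:` (the renewal hunk at -894 drops them the same way). If the organisation signer path parses the subject differently from the personal-certificate path, or organisation CSRs carry non-DNS altnames today, this needs confirming before deployment; a comment such as `// Same subject format as personal server certs (bug 440); non-DNS altnames are intentionally ignored` would record the decision. Unlike `$subject` in the -894 hunk, `$csrsubject` is not passed through `mysql_real_escape_string()` inside this hunk, so wherever it is stored further down (outside the hunk) should be checked for that. The enclosing `if($oldid == …)` block starts and ends outside the hunk.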
@@ -2757,8 +2745,8 @@ sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body, "support AT cacert.org", "", "", "CAcert Support"); - } + showfooter(); exit; } diff --git a/pages/account/11.php b/pages/account/11.php index 4e070cb..5f94122 100644 --- a/pages/account/11.php +++ b/pages/account/11.php 
@@ -15,39 +15,61 @@ along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ ?> + <p> -<?=_("Please make sure the following details are correct before proceeding any further.")?> +<?=_("Please make sure the following details are correct before proceeding ". + "any further.")?> </p> -<?// print_r($_SESSION['_config']['altrows']); ?> + +<p><? +if (is_array($_SESSION['_config']['rows'])) { + foreach ($_SESSION['_config']['rows'] as $row) { + echo _("CommonName"), ": $row<br>\n"; + } +} + +if (is_array($_SESSION['_config']['altrows'])) { + foreach ($_SESSION['_config']['altrows'] as $row) { + echo _("subjectAltName"), ": $row<br>\n"; + } +} +?></p> + <p> -<? if(is_array($_SESSION['_config']['rows'])) - foreach($_SESSION['_config']['rows'] as $row) { ?> -<?=_("CommonName")?>: <?=$row?><br> -<? } ?> -<? if(is_array($_SESSION['_config']['altrows'])) - foreach($_SESSION['_config']['altrows'] as $row) { ?> -<?=_("subjectAltName")?>: <?=$row?><br> -<? } ?> -<? if(1 == 0) { ?> -<?=_("Organisation")?>: <?=$_SESSION['_config']['O']?><br> -<?=_("Org. Unit")?>: <?=$_SESSION['_config']['OU']?><br> -<?=_("Location")?>: <?=$_SESSION['_config']['L']?><br> -<?=_("State/Province")?>: <?=$_SESSION['_config']['ST']?><br> -<?=_("Country")?>: <?=$_SESSION['_config']['C']?><br> -<?=_("Email Address")?>: <?=$_SESSION['_config']['emailAddress']?><br> -<? } ?> -<?=_("No additional information will be included on certificates because it can not be automatically checked by the system.")?> -<? if(array_key_exists('rejected',$_SESSION['_config']) && is_array($_SESSION['_config']['rejected'])) { ?> -<br><br><?=_("The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.")?><br> -<? 
foreach($_SESSION['_config']['rejected'] as $row) { ?> -<?=_("Rejected")?>: <a href="account.php?id=7&newdomain=<?=$row?>"><?=$row?></a><br> -<? } } ?> -<? if(is_array($_SESSION['_config']['rows']) || is_array($_SESSION['_config']['altrows'])) { ?> -<form method="post" action="account.php"> -<input type="submit" name="process" value="<?=_("Submit")?>"> -<input type="hidden" name="oldid" value="<?=$id?>"> -</form> -<? } else { ?> -<br><br><b><?=_("Unable to continue as no valid commonNames or subjectAltNames were present on your certificate request.")?></b> -<? } ?> +<?=_("No additional information will be included on certificates because it ". + "can not be automatically checked by the system.")?> </p> + +<p><? +if (array_key_exists('rejected',$_SESSION['_config']) && + is_array($_SESSION['_config']['rejected'])) { + echo _("The following hostnames were rejected because the system couldn't ". + "link them to your account, if they are valid please verify the ". + "domains against your account."), "<br>\n"; + + foreach ($_SESSION['_config']['rejected'] as $row) { + echo _("Rejected"); + echo ": <a href='account.php?id=7&newdomain=$row'>$row</a><br>\n"; + } +} +?></p> + +<? +if (is_array($_SESSION['_config']['rows']) || + is_array($_SESSION['_config']['altrows'])) { + ?> + <form method="post" action="account.php"> + <p> + <input type="submit" name="process" value="<?=_("Submit")?>"> + <input type="hidden" name="oldid" value="<?=$id?>"> + </p> + </form> + <? +} else { + ?> + <p> + <b><?=_("Unable to continue as no valid commonNames or ". + "subjectAltNames were present on your certificate request.")?></b> + </p> + <? +} diff --git a/pages/account/21.php b/pages/account/21.php index 6c3786b..75827fb 100644 --- a/pages/account/21.php +++ b/pages/account/21.php 
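Review bot: The rewritten output lines still print user-derived values unescaped: `echo _("CommonName"), ": $row<br>\n";`, the matching subjectAltName line, and above all `echo ": <a href='account.php?id=7&newdomain=$row'>$row</a><br>\n";`, where the rejected names are by definition the hostnames the system could not link to the account and so the least trusted input on the page. Unless the CSR parser restricts these to DNS characters before they reach `$_SESSION['_config']` (not visible here), a `<`, `'` or `"` in a requested name lands in the HTML body and inside the href attribute. Escape per context: `echo _("CommonName"), ": ", htmlspecialchars($row, ENT_QUOTES), "<br>\n";` for the text lines and `echo ": <a href='account.php?id=7&amp;newdomain=", urlencode($row), "'>", htmlspecialchars($row, ENT_QUOTES), "</a><br>\n";` for the link, which also fixes the bare `&` in the attribute. `$id` in the hidden field is safe as-is if this template is included from account.php, whose first hunk shows it passing through `intval()`.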
@@ -14,41 +14,57 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -*/ ?> -<? - $org = $_SESSION['_config']['row']; - if($org['id'] <= 0) - $org = $_SESSION['_config']['altrow']; +*/ + +$org = $_SESSION['_config']['row']; +if ($org['id'] <= 0) { + $org = $_SESSION['_config']['altrow']; +} ?> -<p> -<?=_("Please make sure the following details are correct before proceeding any further.")?> -</p> <p> -<? if(is_array($_SESSION['_config']['rows'])) - foreach($_SESSION['_config']['rows'] as $row) { ?> -<?=_("CommonName")?>: <?=$row?><br> -<? } ?> -<? if(is_array($_SESSION['_config']['altrows'])) - foreach($_SESSION['_config']['altrows'] as $row) { ?> -<?=_("subjectAltName")?>: <?=$row?><br> -<? } ?> -<?=_("Organisation")?>: <?=$org['O']?><br> -<?=_("Org. Unit")?>: <?=($_SESSION['_config']['OU'])?><br> -<?=_("Location")?>: <?=$org['L']?><br> -<?=_("State/Province")?>: <?=$org['ST']?><br> -<?=_("Country")?>: <?=$org['C']?><br> +<?=_("Please make sure the following details are correct before proceeding ". + "any further.")?> +</p> +<p><? +if (is_array($_SESSION['_config']['rows'])) { + foreach ($_SESSION['_config']['rows'] as $row) { + echo _("CommonName"), ": $row<br>\n"; + } +} -<form method="post" action="account.php"> -<input type="submit" name="process" value="<?=_("Submit")?>"> -<input type="hidden" name="oldid" value="<?=$id?>"> +if (is_array($_SESSION['_config']['altrows'])) { + foreach ($_SESSION['_config']['altrows'] as $row) { + echo _("subjectAltName"), ": $row<br>\n"; + } +} +echo _("Organisation"), ": {$org['O']}<br>\n"; +echo _("Org. Unit"), ": {$_SESSION['_config']['OU']}<br>\n"; +echo _("Location"), ": {$org['L']}<br>\n"; +echo _("State/Province"), ": {$org['ST']}<br>\n"; +echo _("Country"), ": {$org['C']}<br>\n"; +?> -<? 
if($_SESSION['profile']['admin'] == 1) { ?> -<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/> -<input type="checkbox" name="ocspcert" value="OCSPCert"/> <?=_("OCSP certificate")?> -<? } ?> +<form method="post" action="account.php"> + <p> + <input type="submit" name="process" value="<?=_("Submit")?>"> + <input type="hidden" name="oldid" value="<?=$id?>"> + </p> + + <? + if ($_SESSION['profile']['admin'] == 1) { + ?> + <p> + <br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/> + <br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/> + <br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/> + <input type="checkbox" name="ocspcert" value="OCSPCert"/> + <?=_("OCSP certificate")?> + </p> + <? + } + ?> </form> -</p>
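Review bot: The new echo lines in 21.php print `$row`, `$org['O']`, `$org['L']`, `$org['ST']`, `$org['C']` and `$_SESSION['_config']['OU']` straight into HTML without `htmlspecialchars()`, so the same escaping gap as in 11.php applies here; the page's own wording suggests `$row` comes from the submitted certificate request, and where the `$org` row and the OU originate is outside this file. Wrapping each value, e.g. `echo _("Organisation"), ": ", htmlspecialchars($org['O'], ENT_QUOTES), "<br>\n";`, costs nothing and closes the gap regardless of what upstream validation exists. The admin-only OCSP checkbox is re-checked server-side (`$_SESSION['profile']['admin'] == 1` in the -1948 hunk of account.php), so hiding it here is only cosmetic; the forty `<br/>` lines used to push it down are a layout hack that belongs in CSS rather than in the template.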
Attachment:
signature.asc
Description: OpenPGP digital signature