diff options
| author | Remy <relst@relst.nl> | 2015-03-31 10:41:16 +0200 |
|---|---|---|
| committer | Remy <relst@relst.nl> | 2015-03-31 10:41:16 +0200 |
| commit | 294ac6676ec9c02eb741f819fc76e6ed950ceb50 (patch) | |
| tree | 0ef4029c7e43f4be7e6e75e7ebb34df94c95d6d4 /functions | |
| parent | 0fdb444fccbe3535d8b766446bb95bc1390f6442 (diff) | |
| download | ssl-decoder-294ac6676ec9c02eb741f819fc76e6ed950ceb50.zip ssl-decoder-294ac6676ec9c02eb741f819fc76e6ed950ceb50.tar.gz ssl-decoder-294ac6676ec9c02eb741f819fc76e6ed950ceb50.tar.bz2 | |
Use json endpoint internally and add warnings
Diffstat (limited to 'functions')
| -rw-r--r-- | functions/connection.php | 979 | ||||
| -rw-r--r-- | functions/json.php | 61 | ||||
| -rw-r--r-- | functions/ocsp.php | 69 | ||||
| -rw-r--r-- | functions/parse_certificate.php | 1295 | ||||
| -rw-r--r-- | functions/textual.php | 16 | ||||
| -rw-r--r-- | functions/variables.php | 2 |
6 files changed, 1109 insertions, 1313 deletions
diff --git a/functions/connection.php b/functions/connection.php index 3cd4fc4..a1e718e 100644 --- a/functions/connection.php +++ b/functions/connection.php @@ -49,591 +49,367 @@ function server_http_headers($host, $port){ } function ssl_conn_ciphersuites($host, $port, $ciphersuites){ - $old_error_reporting = error_reporting(); - error_reporting($old_error_reporting ^ E_WARNING); - $results = array(); - foreach ($ciphersuites as $value) { - $results[$value] = false; - $stream = stream_context_create (array("ssl" => - array("verify_peer" => false, - "verify_peer_name" => false, - "allow_self_signed" => true, - 'ciphers' => $value, - "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); - if ( $read_stream === false ) { - $results[$value] = false; - } else { - $results[$value] = true; - } - } - error_reporting($old_error_reporting); - return $results; - } - - function ssl_conn_protocols($host, $port){ - $old_error_reporting = error_reporting(); - error_reporting($old_error_reporting ^ E_WARNING); - $results = array('sslv3' => false, - 'tlsv1.0' => false, - 'tlsv1.1' => false, - 'tlsv1.2' => false); - - $stream_sslv3 = stream_context_create (array("ssl" => - array("verify_peer" => false, - "capture_session_meta" => true, - "verify_peer_name" => false, - "allow_self_signed" => true, - 'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT, - "sni_enabled" => true))); - $read_stream_sslv3 = stream_socket_client("sslv3://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_sslv3); - if ( $read_stream_sslv3 === false ) { - $results['sslv3'] = false; - } else { - $results['sslv3'] = true; - } - - $stream_tlsv10 = stream_context_create (array("ssl" => - array("verify_peer" => false, - "capture_session_meta" => true, - "verify_peer_name" => false, - "allow_self_signed" => true, - 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_0_CLIENT, - "sni_enabled" => true))); - $read_stream_tlsv10 = stream_socket_client("tlsv1.0://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv10); - if ( $read_stream_tlsv10 === false ) { - $results['tlsv1.0'] = false; - } else { - $results['tlsv1.0'] = true; - } - - $stream_tlsv11 = stream_context_create (array("ssl" => - array("verify_peer" => false, - "capture_session_meta" => true, - "verify_peer_name" => false, - "allow_self_signed" => true, - 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_1_CLIENT, - "sni_enabled" => true))); - $read_stream_tlsv11 = stream_socket_client("tlsv1.1://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv11); - if ( $read_stream_tlsv11 === false ) { - $results['tlsv1.1'] = false; - } else { - $results['tlsv1.1'] = true; - } - - $stream_tlsv12 = stream_context_create (array("ssl" => - array("verify_peer" => false, - "capture_session_meta" => true, - "verify_peer_name" => false, - "allow_self_signed" => true, - 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_2_CLIENT, - "sni_enabled" => true))); - $read_stream_tlsv12 = stream_socket_client("tlsv1.2://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv12); - if ( $read_stream_tlsv12 === false ) { - $results['tlsv1.2'] = false; - } else { - $results['tlsv1.2'] = true; - } - error_reporting($old_error_reporting); - return $results; - } + $old_error_reporting = error_reporting(); + error_reporting($old_error_reporting ^ E_WARNING); + $results = array(); + foreach ($ciphersuites as $value) { + $results[$value] = false; + $stream = stream_context_create (array("ssl" => + array("verify_peer" => false, + "verify_peer_name" => false, + "allow_self_signed" => true, + 'ciphers' => $value, + "sni_enabled" => true))); + $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); + if ( $read_stream === false ) { + $results[$value] = false; + } else { + $results[$value] = true; + } + } + error_reporting($old_error_reporting); + return $results; +} +function ssl_conn_protocols($host, $port){ + $old_error_reporting = error_reporting(); + error_reporting($old_error_reporting ^ E_WARNING); + $results = array('sslv3' => false, + 'tlsv1.0' => false, + 'tlsv1.1' => false, + 'tlsv1.2' => false); -function ssl_conn_metadata($host, $port, $chain=null) { - global $random_blurp; - global $current_folder; - $stream = stream_context_create (array("ssl" => + $stream_sslv3 = stream_context_create (array("ssl" => array("verify_peer" => false, "capture_session_meta" => true, "verify_peer_name" => false, "allow_self_signed" => true, + 'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT, "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); - if ( $read_stream === false ) { - return false; + $read_stream_sslv3 = stream_socket_client("sslv3://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_sslv3); + if ( $read_stream_sslv3 === false ) { + $results['sslv3'] = false; } else { - $context = stream_context_get_params($read_stream); - $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta']; - $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0]; - - if ($context_meta) { - ?> - <section id="conndata"> - <h3>Connection Data</h3> - <table class="table table-striped table-bordered"> - <tbody> - <tr> - <td colspan="2"><strong>Connection Data</strong></td> - </tr> - <?php - if ( $chain ) { - ?> - <tr> - <td>Chain sent by Server (in server order)</td> - <td style="font-family: monospace;"> - <?php - $chain_length = count($chain); - $certificate_chain = array(); - if ($chain_length <= 10) { - for ($i = 0; $i < $chain_length; $i++) { - if (openssl_x509_parse($chain[$i])['issuer']['CN'] && openssl_x509_parse($chain[$i])['subject']['CN']) { - echo "Name...........: <i>"; - echo htmlspecialchars(openssl_x509_parse($chain[$i])['subject']['CN']); - echo " </i><br>Issued by......:<i> "; - echo htmlspecialchars(openssl_x509_parse($chain[$i])['issuer']['CN']); - echo "</i><br>"; - - $export_pem = ""; - openssl_x509_export($chain[$i], $export_pem); - array_push($certificate_chain, $export_pem); - - if (openssl_x509_parse($chain[$i])['issuer']['CN'] == openssl_x509_parse($chain[$i + 1])['subject']['CN']){ - continue; - } else { - if ($i != $chain_length - 1) { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.</span><br><br>"; - } - } - } - } - echo "<br>"; - } else { - echo "<span class='text-danger'>Error: Certificate chain to large.</span><br>"; - } - - file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND); - - $verify_output = 0; - $verify_exit_code = 0; - $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code); - - if ($verify_exit_code != 1) { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Validating certificate chain failed:</span><br>"; - echo "<pre>"; - echo str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output)); - echo "</pre>"; - } else { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Sucessfully validated certificate chain.</span><br>"; - } + $results['sslv3'] = true; + } - unlink('/tmp/verify_cert.' . $random_blurp . '.pem'); + $stream_tlsv10 = stream_context_create (array("ssl" => + array("verify_peer" => false, + "capture_session_meta" => true, + "verify_peer_name" => false, + "allow_self_signed" => true, + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_0_CLIENT, + "sni_enabled" => true))); + $read_stream_tlsv10 = stream_socket_client("tlsv1.0://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv10); + if ( $read_stream_tlsv10 === false ) { + $results['tlsv1.0'] = false; + } else { + $results['tlsv1.0'] = true; + } - ?> - </td> - </tr> + $stream_tlsv11 = stream_context_create (array("ssl" => + array("verify_peer" => false, + "capture_session_meta" => true, + "verify_peer_name" => false, + "allow_self_signed" => true, + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_1_CLIENT, + "sni_enabled" => true))); + $read_stream_tlsv11 = stream_socket_client("tlsv1.1://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv11); + if ( $read_stream_tlsv11 === false ) { + $results['tlsv1.1'] = false; + } else { + $results['tlsv1.1'] = true; + } - <?php - } - if ( fixed_gethostbyname($host) ) { - ?> - <tr> - <td>IP / Hostname / Port</td> - <td> - <?php - echo htmlspecialchars(fixed_gethostbyname($host)); - echo " - "; - echo htmlspecialchars(gethostbyaddr(fixed_gethostbyname($host))); - echo " - "; - echo htmlspecialchars($port); - ?> - </td> - </tr> - <?php - } - ?> - <tr> - <td>Protocol</td> - <td> - <?php - $protocols = ssl_conn_protocols($host, $port); - foreach (array_reverse($protocols) as $key => $value) { - if ( $value == true ) { - if ( $key == "tlsv1.2") { - echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>'; - } else if ( $key == "tlsv1.1") { - echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>'; - } else if ( $key == "tlsv1.0") { - echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>'; - } else if ( $key == "sslv3") { - echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported)</span></p>'; - } else { - echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>'; - } - } else { - if ( $key == "tlsv1.2") { - echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span></p>'; - } else if ( $key == "tlsv1.1") { - echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>'; - } else if ( $key == "tlsv1.0") { - echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>'; - } else if ( $key == "sslv3") { - echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>'; - } else { - echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>'; - } - } - } - ?> + $stream_tlsv12 = stream_context_create (array("ssl" => + array("verify_peer" => false, + "capture_session_meta" => true, + "verify_peer_name" => false, + "allow_self_signed" => true, + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_2_CLIENT, + "sni_enabled" => true))); + $read_stream_tlsv12 = stream_socket_client("tlsv1.2://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv12); + if ( $read_stream_tlsv12 === false ) { + $results['tlsv1.2'] = false; + } else { + $results['tlsv1.2'] = true; + } + error_reporting($old_error_reporting); + return $results; +} - </td> - </tr> - <?php - if ($_GET['ciphersuites'] == 1) { - ?> - <tr> - <td>Ciphersuites supported by server</td> - <td> - <?php - $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES256-SHA384', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'SRP-DSS-AES-256-CBC-SHA', - 'SRP-RSA-AES-256-CBC-SHA', - 'SRP-AES-256-CBC-SHA', - 'DH-DSS-AES256-GCM-SHA384', - 'DHE-DSS-AES256-GCM-SHA384', - 'DH-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES256-SHA256', - 'DHE-DSS-AES256-SHA256', - 'DH-RSA-AES256-SHA256', - 'DH-DSS-AES256-SHA256', - 'DHE-RSA-AES256-SHA', - 'DHE-DSS-AES256-SHA', - 'DH-RSA-AES256-SHA', - 'DH-DSS-AES256-SHA', - 'DHE-RSA-CAMELLIA256-SHA', - 'DHE-DSS-CAMELLIA256-SHA', - 'DH-RSA-CAMELLIA256-SHA', - 'DH-DSS-CAMELLIA256-SHA', - 'ECDH-RSA-AES256-GCM-SHA384', - 'ECDH-ECDSA-AES256-GCM-SHA384', - 'ECDH-RSA-AES256-SHA384', - 'ECDH-ECDSA-AES256-SHA384', - 'ECDH-RSA-AES256-SHA', - 'ECDH-ECDSA-AES256-SHA', - 'AES256-GCM-SHA384', - 'AES256-SHA256', - 'AES256-SHA', - 'CAMELLIA256-SHA', - 'PSK-AES256-CBC-SHA', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-ECDSA-AES128-SHA', - 'SRP-DSS-AES-128-CBC-SHA', - 'SRP-RSA-AES-128-CBC-SHA', - 'SRP-AES-128-CBC-SHA', - 'DH-DSS-AES128-GCM-SHA256', - 'DHE-DSS-AES128-GCM-SHA256', - 'DH-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES128-SHA256', - 'DHE-DSS-AES128-SHA256', - 'DH-RSA-AES128-SHA256', - 'DH-DSS-AES128-SHA256', - 'DHE-RSA-AES128-SHA', - 'DHE-DSS-AES128-SHA', - 'DH-RSA-AES128-SHA', - 'DH-DSS-AES128-SHA', - 'DHE-RSA-SEED-SHA', - 'DHE-DSS-SEED-SHA', - 'DH-RSA-SEED-SHA', - 'DH-DSS-SEED-SHA', - 'DHE-RSA-CAMELLIA128-SHA', - 'DHE-DSS-CAMELLIA128-SHA', - 'DH-RSA-CAMELLIA128-SHA', - 'DH-DSS-CAMELLIA128-SHA', - 'ECDH-RSA-AES128-GCM-SHA256', - 'ECDH-ECDSA-AES128-GCM-SHA256', - 'ECDH-RSA-AES128-SHA256', - 'ECDH-ECDSA-AES128-SHA256', - 'ECDH-RSA-AES128-SHA', - 'ECDH-ECDSA-AES128-SHA', - 'AES128-GCM-SHA256', - 'AES128-SHA256', - 'AES128-SHA', - 'SEED-SHA', - 'CAMELLIA128-SHA', - 'IDEA-CBC-SHA', - 'PSK-AES128-CBC-SHA', - 'ECDHE-RSA-RC4-SHA', - 'ECDHE-ECDSA-RC4-SHA', - 'ECDH-RSA-RC4-SHA', - 'ECDH-ECDSA-RC4-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'PSK-RC4-SHA', - 'ECDHE-RSA-DES-CBC3-SHA', - 'ECDHE-ECDSA-DES-CBC3-SHA', - 'SRP-DSS-3DES-EDE-CBC-SHA', - 'SRP-RSA-3DES-EDE-CBC-SHA', - 'SRP-3DES-EDE-CBC-SHA', - 'EDH-RSA-DES-CBC3-SHA', - 'EDH-DSS-DES-CBC3-SHA', - 'DH-RSA-DES-CBC3-SHA', - 'DH-DSS-DES-CBC3-SHA', - 'ECDH-RSA-DES-CBC3-SHA', - 'ECDH-ECDSA-DES-CBC3-SHA', - 'DES-CBC3-SHA', - 'PSK-3DES-EDE-CBC-SHA', - 'EDH-RSA-DES-CBC-SHA', - 'EDH-DSS-DES-CBC-SHA', - 'DH-RSA-DES-CBC-SHA', - 'DH-DSS-DES-CBC-SHA', - 'DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'ECDHE-RSA-NULL-SHA', - 'ECDHE-ECDSA-NULL-SHA', - 'AECDH-NULL-SHA', - 'ECDH-RSA-NULL-SHA', - 'ECDH-ECDSA-NULL-SHA', - 'NULL-SHA256', - 'NULL-SHA', - 'NULL-MD5'); +function ssl_conn_metadata($data) { + global $random_blurp; + global $current_folder; + $chain_length = count($data["chain"]); + echo "<section id='conndata'>"; + if (is_array($data["warning"]) && count($data["warning"]) >= 1) { + $data["warning"] = array_unique($data["warning"]); + if (count($data["warning"]) == 1) { + echo "<h3>" . count($data["warning"]) . " warning!</h3>"; + } else { + echo "<h3>" . count($data["warning"]) . " warnings!</h3>"; + } + foreach ($data["warning"] as $key => $value) { + echo "<div class='alert alert-danger' role='alert'>"; + echo htmlspecialchars($value); + echo "</div>"; + } + } + echo "<table class='table table-striped table-bordered'>"; + echo "<tbody>"; + echo "<tr>"; + echo "<td colspan='2'><strong>Connection Data</strong></td>"; + echo "</tr>"; + echo "<tr>"; + // chain + echo "<td>Chain sent by Server <br>(in server order)</td>"; + echo "<td style='font-family: monospace;'>"; + foreach ($data["chain"] as $key => $value) { + if (!empty($value['name'])) { + echo "Name...........: <i>"; + echo htmlspecialchars(htmlspecialchars($value['name'])); + echo " </i><br>Issued by......:<i> "; + echo htmlspecialchars(htmlspecialchars($value['issuer'])); + echo "</i><br>"; + } + if (isset($value["error"])) { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.</span><br><br>"; + } + } + echo "<br>"; + if ($data["validation"]["status"] == "failed") { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Validating certificate chain failed:</span><br>"; + echo "<pre>"; + echo htmlspecialchars($data["validation"]["error"]); + echo "</pre>"; + } else { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Sucessfully validated certificate chain.</span><br>"; + } + echo "</td>"; + echo "</tr>"; + // ip hostname port + if ( $data["hostname"] ) { + echo "<tr>"; + echo "<td>IP / Hostname / Port</td>"; + echo "<td>"; + echo htmlspecialchars($data["ip"]); + echo " - "; + echo htmlspecialchars($data["hostname"]); + echo " - "; + echo htmlspecialchars($data["port"]); + echo "</td>"; + echo "</tr>"; + } + // protocols + echo "<tr>"; + echo "<td>Protocols</td>"; + echo "<td>"; + $protocols = $data["protocols"]; + foreach ($protocols as $key => $value) { + if ( $value == true ) { + if ( $key == "tlsv1.2") { + echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>'; + } else if ( $key == "tlsv1.1") { + echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>'; + } else if ( $key == "tlsv1.0") { + echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>'; + } else if ( $key == "sslv3") { + echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported)</span></p>'; + } else { + echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>'; + } + } else { + if ( $key == "tlsv1.2") { + echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span></p>'; + } else if ( $key == "tlsv1.1") { + echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>'; + } else if ( $key == "tlsv1.0") { + echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>'; + } else if ( $key == "sslv3") { + echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>'; + } else { + echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>'; + } + } + } + echo "</td>"; + echo "</tr>"; + //ciphersuites + if ($_GET['ciphersuites'] == 1) { + echo "<tr>"; + echo "<td>Ciphersuites supported by server</td>"; + echo "<td>"; + $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA', + 'ECDHE-ECDSA-DES-CBC3-SHA', + 'EDH-RSA-DES-CBC3-SHA', + 'EDH-DSS-DES-CBC3-SHA', + 'DH-RSA-DES-CBC3-SHA', + 'DH-DSS-DES-CBC3-SHA', + 'ECDH-RSA-DES-CBC3-SHA', + 'ECDH-ECDSA-DES-CBC3-SHA', + 'DES-CBC3-SHA', + 'EDH-RSA-DES-CBC-SHA', + 'EDH-DSS-DES-CBC-SHA', + 'DH-RSA-DES-CBC-SHA', + 'DH-DSS-DES-CBC-SHA', + 'DES-CBC-SHA', + 'EXP-EDH-RSA-DES-CBC-SHA', + 'EXP-EDH-DSS-DES-CBC-SHA', + 'EXP-DH-RSA-DES-CBC-SHA', + 'EXP-DH-DSS-DES-CBC-SHA', + 'EXP-DES-CBC-SHA', + 'EXP-EDH-RSA-DES-CBC-SHA', + 'EXP-EDH-DSS-DES-CBC-SHA', + 'EXP-DH-RSA-DES-CBC-SHA', + 'EXP-DH-DSS-DES-CBC-SHA', + 'EXP-DES-CBC-SHA', + 'EXP-RC2-CBC-MD5', + 'EXP-RC4-MD5', + 'RC4-MD5', + 'EXP-RC2-CBC-MD5', + 'EXP-RC4-MD5', + 'ECDHE-RSA-RC4-SHA', + 'ECDHE-ECDSA-RC4-SHA', + 'ECDH-RSA-RC4-SHA', + 'ECDH-ECDSA-RC4-SHA', + 'RC4-SHA', + 'RC4-MD5', + 'PSK-RC4-SHA', + 'EXP-RC4-MD5', + 'ECDHE-RSA-NULL-SHA', + 'ECDHE-ECDSA-NULL-SHA', + 'AECDH-NULL-SHA', + 'RC4-SHA', + 'RC4-MD5', + 'ECDH-RSA-NULL-SHA', + 'ECDH-ECDSA-NULL-SHA', + 'NULL-SHA256', + 'NULL-SHA', + 'NULL-MD5'); + foreach ($data["supported_ciphersuites"] as $key => $value) { + if (in_array($value, $bad_ciphersuites)) { + $bad_ciphersuite = 1; + echo "<span class='text-danger glyphicon glyphicon-remove'></span>"; + echo "<span class='text-danger'> "; + echo htmlspecialchars($value); + echo "</span>"; + } else { + echo "<span class='glyphicon glyphicon-minus'></span> "; + echo htmlspecialchars($value); + } + echo "<br>"; + } + if ($bad_ciphersuite) { + echo "<p><br>Ciphersuites containing <a href='https://en.wikipedia.org/wiki/Null_cipher'>NULL</a>,"; + echo " <a href='https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States'>EXP(ort)</a>,"; + echo " <a href='https://en.wikipedia.org/wiki/Weak_key'>DES"; + echo " and RC4</a> are marked RED because they are suboptimal.</p>"; + } + echo "</td>"; + echo "</tr>"; + } else { + echo "<tr>"; + echo "<td>Ciphersuite Used</td>"; + echo "<td>"; + echo htmlspecialchars($data['used_ciphersuite']['name']); + echo " (".htmlspecialchars($data['used_ciphersuite']['bits'])." bits)"; + echo "</td>"; + echo "</tr>"; + } + //tls fallback scsv + echo "<tr>"; + echo "<td>"; + echo "<a href='http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html'>TLS_FALLBACK_SCSV</a>"; + echo "</td>"; + echo "<td>"; + + if ($data["tls_fallback_scsv"] == "supported") { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>"; + } elseif ($data["tls_fallback_scsv"] == "unsupported") { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>"; + } else { + echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; + } + echo "</td>"; + echo "</tr>"; + + // headers + echo "<tr>"; + echo "<td>"; + echo "<a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html'>Strict Transport Security</a>"; + echo "</td>"; + echo "<td>"; + // hsts + if ( $data["strict_transport_security"] == "not set" ) { + echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>'; + } else { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; + echo htmlspecialchars($data["strict_transport_security"]); + echo "</span>"; + } + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>"; + echo "<a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>HTTP Public Key Pinning Extension (HPKP)</a>"; + echo "</td>"; + echo "<td>"; + //hpkp + if ( $data["public_key_pins"] == "not set" ) { + echo '<span>Not Set</span>'; + } else { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; + echo htmlspecialchars($data["public_key_pins"]); + } + if ( $data["public_key-pins_report_only"] ) { + echo "<b>Report Only</b>: "; + echo htmlspecialchars($data["public_key_pins_report_only"]); + } - $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA', - 'ECDHE-ECDSA-DES-CBC3-SHA', - 'EDH-RSA-DES-CBC3-SHA', - 'EDH-DSS-DES-CBC3-SHA', - 'DH-RSA-DES-CBC3-SHA', - 'DH-DSS-DES-CBC3-SHA', - 'ECDH-RSA-DES-CBC3-SHA', - 'ECDH-ECDSA-DES-CBC3-SHA', - 'DES-CBC3-SHA', - 'EDH-RSA-DES-CBC-SHA', - 'EDH-DSS-DES-CBC-SHA', - 'DH-RSA-DES-CBC-SHA', - 'DH-DSS-DES-CBC-SHA', - 'DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'RC4-MD5', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'ECDHE-RSA-RC4-SHA', - 'ECDHE-ECDSA-RC4-SHA', - 'ECDH-RSA-RC4-SHA', - 'ECDH-ECDSA-RC4-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'PSK-RC4-SHA', - 'EXP-RC4-MD5', - 'ECDHE-RSA-NULL-SHA', - 'ECDHE-ECDSA-NULL-SHA', - 'AECDH-NULL-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'ECDH-RSA-NULL-SHA', - 'ECDH-ECDSA-NULL-SHA', - 'NULL-SHA256', - 'NULL-SHA', - 'NULL-MD5'); - $supported_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test); - - foreach ($supported_ciphersuites as $key => $value) { - if($value == true){ - if (in_array($key, $bad_ciphersuites)) { - $bad_ciphersuite = 1; - echo ""; - echo "<span class='text-danger glyphicon glyphicon-remove'></span> "; - } else { - echo "<span class='glyphicon glyphicon-minus'></span> "; - } - echo htmlspecialchars($key); - echo "<br>"; - } else { - echo "<!-- "; - echo "<span class='glyphicon glyphicon-remove'></span> - "; - echo htmlspecialchars($key); - echo " <br -->"; - } - } - if ($bad_ciphersuite) { - ?> - <p><br>Ciphersuites containing <a href="https://en.wikipedia.org/wiki/Null_cipher">NULL</a>, <a href="https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States">EXP(ort)</a>, <a href="https://en.wikipedia.org/wiki/Weak_key">DES and RC4</a> are marked RED because they are suboptimal.</p> - <?php - } - - ?> - </td> - </tr> - <?php - } else { - ?> - <tr> - <td>Ciphersuite</td> - <td> - <?php - echo htmlspecialchars($context_meta['cipher_name']); - echo " (".htmlspecialchars($context_meta['cipher_bits'])." bits)"; - ?> - </td> - </tr> - <?php - } - ?> - <tr> - <td> - <a href="http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html">TLS_FALLBACK_SCSV</a> - </td> - <td> - <?php - $fallback = tls_fallback_scsv($host, $port); - // echo "<pre>"; - // var_dump($fallback); - // echo "</pre>"; - if ($fallback['protocol_count'] == 1) { - echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; - } else { - if ($fallback['tls_fallback_scsv_support'] == 1) { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>"; - } else { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>"; - } - } - ?> - </td> - </tr> - <?php - $headers = server_http_headers($host, $port); - ?> - <tr> - <td><a href="https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html">Strict Transport Security</a></td> - <td> - <?php - if ( $headers["strict-transport-security"] ) { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; - if ( is_array($headers["strict-transport-security"])) { - echo htmlspecialchars(substr($headers["strict-transport-security"][0], 0, 50)); - echo "<br > <i>HSTS header was found multiple times. Only showing the first one.</i>"; - } else { - echo htmlspecialchars(substr($headers["strict-transport-security"], 0, 50)); - } - echo "</span>"; - } else { - echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>'; - } - ?> - </td> - </tr> - <tr> - <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">HTTP Public Key Pinning Extension (HPKP)</a></td> - <td> - <?php - if ( $headers["public-key-pins"] ) { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; - if ( is_array($headers["public-key-pins"])) { - echo htmlspecialchars(substr($headers["public-key-pins"][0], 0, 255)); - echo "<br > <i>HPKP header was found multiple times. Only showing the first one.</i>"; - echo "</span>"; - } else { - echo htmlspecialchars(substr($headers["public-key-pins"], 0, 255)); - } - } else { - echo '<span>Not Set</span>'; - } - ?> - <?php - if ( $headers["public-key-pins-report-only"] ) { - echo "<b>Report Only</b>: "; - if ( is_array($headers["public-key-pins-report-only"])) { - echo htmlspecialchars(substr($headers["public-key-pins-report-only"][0], 0, 255)); - echo "<br > <i>HPKP Report Only header was found multiple times. Only showing the first one.</i>"; - } else { - echo htmlspecialchars(substr($headers["public-key-pins-report-only"], 0, 255)); - } - } - ?> - </td> - </tr> - <tr> - <td>OCSP Stapling</td> - <td> - <?php - $stapling = ocsp_stapling($host,$port); - if($stapling["working"] == 1) { - echo "<table class='table'>"; - foreach ($stapling as $key => $value) { - if ($key != "working") { - echo "<tr><td>" . $key . "</td><td>" . $value . "</td></tr>"; - } - } - echo "</table>"; - } else { - echo "No response received."; - } - ?> - </td> - </tr> - <tr> - <td>This Server' OpenSSL Version</td> - <td> - <?php - echo htmlspecialchars(shell_exec("openssl version")); - ?> - </td> - </tr> - <tr> - <td>This Server' Date (RFC 2822)</td> - <td> - <?php - echo htmlspecialchars(shell_exec("date --rfc-2822")); - ?> - </td> - </tr> - </tbody> - </table> - </section> - <?php + echo "</td>"; + echo "</tr>"; + // ocsp stapling + echo "<tr>"; + echo "<td>OCSP Stapling</td>"; + echo "<td>"; + if (isset($data["ocsp_stapling"]["working"])) { + if($data["ocsp_stapling"]["working"] == 1) { + echo "<table class='table'>"; + foreach ($data["ocsp_stapling"] as $key => $value) { + if ($key != "working") { + echo "<tr><td>" . htmlspecialchars($key) . "</td><td>" . htmlspecialchars($value) . "</td></tr>"; + } + } + echo "</table>"; } else { - return false; + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>"; } + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>"; } + echo "</td>"; + // openssl version + echo "</tr>"; + echo "<tr>"; + echo "<td>This Server's OpenSSL Version</td>"; + echo "<td>"; + echo htmlspecialchars(shell_exec("openssl version")); + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + //date + echo "<td>This Server's Date <br>(RFC 2822)</td>"; + echo "<td>"; + echo htmlspecialchars(shell_exec("date --rfc-2822")); + echo "</td>"; + echo "</tr>"; + echo "</tbody>"; + echo "</table>"; } - - - - - - - - - - - - - - - - - - - function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $result = array(); global $random_blurp; @@ -641,10 +417,10 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $context = stream_context_get_params($read_stream); $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta']; $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0]; + $result["checked_hostname"] = $host; //chain if (isset($context_meta)) { if (isset($chain_data)) { - $chain_length = count($chain_data); $certificate_chain = array(); if ($chain_length <= 10) { @@ -660,6 +436,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { } else { if ($i != $chain_length - 1) { $result["chain"][$i]["error"] = "Issuer does not match the next certificate CN. Chain order is probaby wrong."; + $result["warning"][] = "Issuer does not match the next certificate CN. Chain order is probaby wrong."; } } } @@ -672,10 +449,11 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code); if ($verify_exit_code != 1) { - $result["chain"]["validation"]["status"] = "failed"; - $result["chain"]["validation"]["error"] = "Error: Validating certificate chain failed: " . str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output)); + $result["validation"]["status"] = "failed"; + $result["validation"]["error"] = "Error: Validating certificate chain failed: " . str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output)); + $result["warning"][] = "Error: Validating certificate chain failed. Probably non-trusted root/self signed certificate, or the chain order is wrong."; } else { - $result["chain"]["validation"]["status"] = "success"; + $result["validation"]["status"] = "success"; } unlink('/tmp/verify_cert.' . $random_blurp . '.pem'); } @@ -688,6 +466,17 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { // protocols $result["protocols"] = array_reverse(ssl_conn_protocols($host, $port)); + foreach ($result["protocols"] as $key => $value) { + if ( $value == true ) { + if ( $key == "sslv3") { + $result["warning"][] = 'SSLv3 supported. Please disable and upgrade to a newer protocol like TLSv1.2.'; + } + } else { + if ( $key == "tlsv1.2") { + $result["warning"][] = 'TLSv1.2 unsupported. Please enable TLSv1.2.'; + } + } + } // ciphersuites if ($_GET['ciphersuites'] == 1) { @@ -809,55 +598,6 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { 'NULL-SHA256', 'NULL-SHA', 'NULL-MD5'); - - $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA', - 'ECDHE-ECDSA-DES-CBC3-SHA', - 'EDH-RSA-DES-CBC3-SHA', - 'EDH-DSS-DES-CBC3-SHA', - 'DH-RSA-DES-CBC3-SHA', - 'DH-DSS-DES-CBC3-SHA', - 'ECDH-RSA-DES-CBC3-SHA', - 'ECDH-ECDSA-DES-CBC3-SHA', - 'DES-CBC3-SHA', - 'EDH-RSA-DES-CBC-SHA', - 'EDH-DSS-DES-CBC-SHA', - 'DH-RSA-DES-CBC-SHA', - 'DH-DSS-DES-CBC-SHA', - 'DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'RC4-MD5', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'ECDHE-RSA-RC4-SHA', - 'ECDHE-ECDSA-RC4-SHA', - 'ECDH-RSA-RC4-SHA', - 'ECDH-ECDSA-RC4-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'PSK-RC4-SHA', - 'EXP-RC4-MD5', - 'ECDHE-RSA-NULL-SHA', - 'ECDHE-ECDSA-NULL-SHA', - 'AECDH-NULL-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'ECDH-RSA-NULL-SHA', - 'ECDH-ECDSA-NULL-SHA', - 'NULL-SHA256', - 'NULL-SHA', - 'NULL-MD5'); - $tested_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test); $result["supported_ciphersuites"] = array(); foreach ($tested_ciphersuites as $key => $value) { @@ -879,6 +619,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $result["tls_fallback_scsv"] = "supported"; } else { $result["tls_fallback_scsv"] = "unsupported"; + $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection."; } } //hsts @@ -891,6 +632,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { } } else { $result["strict_transport_security"] = 'not set'; + $result["warning"][] = "HTTP Strict Transport Security not set."; } //hpkp if ( $headers["public-key-pins"] ) { @@ -915,6 +657,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $result["ocsp_stapling"] = $stapling; } else { $result["ocsp_stapling"] = "not set"; + $result["warning"][] = "OCSP Stapling not enabled."; } $result["openssl_version"] = shell_exec("openssl version"); diff --git a/functions/json.php b/functions/json.php new file mode 100644 index 0000000..26058a6 --- /dev/null +++ b/functions/json.php @@ -0,0 +1,61 @@ +<?php +// Copyright (C) 2015 Remy van Elst + +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. + +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + + +function check_json($host,$port) { + $data = []; + $stream = stream_context_create (array("ssl" => + array("capture_peer_cert" => true, + "capture_peer_cert_chain" => true, + "verify_peer" => false, + "verify_peer_name" => false, + "allow_self_signed" => true, + "capture_session_meta" => true, + "sni_enabled" => true))); + $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); + if ( $read_stream === false ) { + $data["error"] = ["Failed to connect: " . htmlspecialchars($errstr)]; + return $data; + } else { + $context = stream_context_get_params($read_stream); + $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta']; + $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"]); + $chain_data = $context["options"]["ssl"]["peer_certificate_chain"]; + $chain_length = count($chain_data); + if (isset($chain_data) && $chain_length < 10) { + $chain_length = count($chain_data); + $chain_arr_keys = ($chain_data); + foreach(array_keys($chain_arr_keys) as $key) { + $curr = $chain_data[$key]; + $next = $chain_data[$key+1]; + $prev = $chain_data[$key-1]; + $chain_key = (string)$key+1; + if ($key == 0) { + $data["connection"] = ssl_conn_metadata_json($host, $port, $read_stream, $chain_data); + $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, true); + } else { + $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false); + } + } + } else { + $data["error"] = ["Chain too long."]; + return $data; + } + } + return $data; +} + +?>
\ No newline at end of file diff --git a/functions/ocsp.php b/functions/ocsp.php index c9d43eb..ca8ada6 100644 --- a/functions/ocsp.php +++ b/functions/ocsp.php @@ -20,7 +20,6 @@ function ocsp_stapling($host, $port){ if (strpos($output, "no response sent") !== false) { $result = array("working" => 0, "cert_status" => "No response sent"); - return; } if (strpos($output, "OCSP Response Data:") !== false) { $lines = array(); @@ -45,65 +44,6 @@ function ocsp_stapling($host, $port){ return $result; } -function ocsp_verify($raw_cert_data, $raw_next_cert_data) { - global $random_blurp; - $cert_data = openssl_x509_parse($raw_cert_data); - $tmp_dir = '/tmp/'; - $root_ca = getcwd() . '/cacert.pem'; - - $pem_issuer = ""; - $pem_client = ""; - $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1]; - $ocsp_uri = explode("\n", $ocsp_uri)[0]; - $ocsp_uri = explode(" ", $ocsp_uri)[0]; - if (empty($ocsp_uri) ) { - $result = array('unknown' => "Could not find OCSP URI", ); - return $result; - } - openssl_x509_export($raw_cert_data, $pem_client); - openssl_x509_export($raw_next_cert_data, $pem_issuer); - openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem'); - openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem'); - - // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround. - $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST); - - //echo '<pre>' . htmlspecialchars('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1') . '</pre>'; - - $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); - $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"'); - - - - $lines = array(); - $output = preg_replace("/[[:blank:]]+/"," ", $output); - $ocsp_status_lines = explode("\n", $output); - $ocsp_status_lines = array_map('trim', $ocsp_status_lines); - foreach($ocsp_status_lines as $line) { - if(endsWith($line, ":") == false) { - list($k, $v) = explode(":", $line, 2); - $lines[trim($k)] = trim($v); - } - } - - $result = array("This Update" => $lines["This Update"], - "Next Update" => $lines["Next Update"], - "Reason" => $lines["Reason"], - "Revocation Time" => $lines["Revocation Time"], - "ocsp_verify_status" => $lines[$tmp_dir . $random_blurp . ".cert_client.pem"]); - if ($result["ocsp_verify_status"] == "good") { - $result["good"] = $filter_output; - } else if ($result["ocsp_verify_status"] == "revoked") { - $result["revoked"] = $filter_output; - } else { - $result["unknown"] = $filter_output; - } - unlink($tmp_dir.$random_blurp.'.cert_client.pem'); - unlink($tmp_dir.$random_blurp.'.cert_issuer.pem'); - return $result; -} - - function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) { global $random_blurp; $result = array(); @@ -112,16 +52,19 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) { $pem_issuer = ""; $pem_client = ""; openssl_x509_export($raw_cert_data, $pem_client); + openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem'); openssl_x509_export($raw_next_cert_data, $pem_issuer); openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem'); - openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem'); + $isser_loc = $tmp_dir.$random_blurp.'.cert_issuer.pem'; // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround. $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST); - $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); + //pre_dump('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc.' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); + + $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); - $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"'); + $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"'); $output = preg_replace("/[[:blank:]]+/"," ", $output); $ocsp_status_lines = explode("\n", $output); diff --git a/functions/parse_certificate.php b/functions/parse_certificate.php index 1c7c959..e926e47 100644 --- a/functions/parse_certificate.php +++ b/functions/parse_certificate.php @@ -14,653 +14,636 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. -function get_cert_cn($raw_cert_data){ - $cert_data = openssl_x509_parse($raw_cert_data); - if ($cert_data['subject']['CN']) { - return $cert_data['subject']['CN']; + +function csr_parse($data) { + echo "<table class='table table-striped table-bordered'>"; + echo "<tr>"; + echo "<td colspan='2'><strong>Certificate Data</strong></td>"; + echo "</tr>"; + foreach ($data['subject'] as $key => $value) { + echo "<tr><td>"; + switch ($key) { + case 'C': + echo "Country"; + break; + case 'ST': + echo "State"; + break; + case 'L': + echo "City"; + break; + case 'O': + echo "Organization"; + break; + case 'OU': + echo "Organizational Unit"; + break; + case 'CN': + echo "Common Name"; + break; + case 'mail': + echo "Email Address"; + break; + default: + echo htmlspecialchars($key); + break; + } + echo "</td><td>"; + switch ($key) { + case 'C': + echo htmlspecialchars($value); + echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; + echo strtolower(htmlspecialchars($value)); + echo '" alt="" />'; + break; + case 'DC': + foreach ($value as $key => $value) { + echo htmlspecialchars($value) . "."; + } + break; + default: + if (is_array($value)) { + foreach ($value as $key => $value) { + echo htmlspecialchars($value) . " "; + } + } else { + echo htmlspecialchars($value); + } + break; + } + echo "</td></tr>\n"; + } + echo "<tr><td>Public Key PEM ("; + echo htmlspecialchars($data['details']['bits']); + if ($data['details']['rsa']) { + echo " RSA"; + } + if ($data['details']['dsa']) { + echo " DSA"; + } + if ($data['details']['dh']) { + echo " DH"; } + if ($data['details']['ec']) { + echo " ECDSA"; + } + echo ")</td><td><pre>"; + echo htmlspecialchars($data['details']['key']); + echo "</pre></td>"; + echo "</table>"; } -function cert_parse($raw_cert_data, $raw_next_cert_data=null, $csr=false, $host=null, $port=null, $is_issuer=false) { - global $random_blurp; - global $ev_oids; - if ($csr == true && strpos($raw_cert_data, "BEGIN CERTIFICATE REQUEST") !== false) { - ?> - <table class="table table-striped table-bordered"> - <tr> - <td colspan="2"><strong>Certificate Data</strong></td> - </tr> - <?php - $cert_data = openssl_csr_get_public_key($raw_cert_data); - - $cert_details = openssl_pkey_get_details($cert_data); - $cert_key = $cert_details['key']; - $cert_subject = openssl_csr_get_subject($raw_cert_data); - - foreach ($cert_subject as $key => $value) { - echo "<tr><td>"; - switch ($key) { - case 'C': - echo "Country"; - break; - case 'ST': - echo "State"; - break; - case 'L': - echo "City"; - break; - case 'O': - echo "Organization"; - break; - case 'OU': - echo "Organizational Unit"; - break; - case 'CN': - echo "Common Name"; - break; - case 'mail': - echo "Email Address"; - break; - default: - echo htmlspecialchars($key); - break; +function cert_parse($data) { + if (is_array($data["warning"]) && count($data["warning"]) >= 1) { + $data["warning"] = array_unique($data["warning"]); + if (count($data["warning"]) == 1) { + echo "<h3>" . count($data["warning"]) . " warning!</h3>"; + } else { + echo "<h3>" . count($data["warning"]) . " warnings!</h3>"; + } + foreach ($data["warning"] as $key => $value) { + echo "<div class='alert alert-danger' role='alert'>"; + echo htmlspecialchars($value); + echo "</div>"; + } + } + echo "<table class='table table-striped table-bordered'>"; + echo "<tr>"; + echo "<td colspan='2'><strong>Certificate Data</strong></td>"; + echo "</tr>"; + $today = date("Y-m-d"); + echo "<tr><td colspan='2'>\n"; + echo "<table class='table'>\n"; + echo "<thead><tr>\n"; + echo "<th>Hostname</th>\n"; + echo "<th>Not Expired</th>\n"; + echo "<th>Issuer</th>\n"; + echo "<th>CRL</th>\n"; + echo "<th>OCSP</th>\n"; + echo "<th>Signing Type</th>\n"; + echo "</tr>\n</thead>\n<tbody>\n<tr>"; + // hostname validation + if ($data["hostname_in_san_or_cn"] == "true") { + echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; + } elseif ($data["hostname_in_san_or_cn"] == "false") { + echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + } elseif ($data["hostname_in_san_or_cn"] == "n/a; ca signing certificate") { + echo "<td></td>"; + } else { + echo "<td><h1><span class='text-danger glyphicon glyphicon-question-sign'></span> </h1></td>"; + } + // expired + if ( $today > date(DATE_RFC2822,$data['cert_data']['validFrom_time_t']) || strtotime($today) < strtotime(date(DATE_RFC2822,$data['cert_data']['validTo_time_t'])) ) { + echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; + } else { + echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + } + // issuer + if (!empty($data["issuer_valid"])) { + if ($data["issuer_valid"] == true) { + echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; + } else { + echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + } + } else { + echo '<td> </td>'; + } + // crl + if ( !empty($data['crl'][1]['status']) ) { + if ($data['crl'][1]['status'] == "ok") { + echo "<td><h1><span class='text-success glyphicon glyphicon-ok'></span> </h1></td>"; + } else { + echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + } + } else { + echo '<td> </td>'; + } + // ocsp + if (!empty($data['ocsp'][1]['ocsp_uri'])) { + echo "<td>"; + if ($data['ocsp'][1]["status"] == "good") { + echo '<h1><span class="text-success glyphicon glyphicon-ok"></span> </h1>'; + } else if ($data['ocsp'][1]["status"] == "revoked") { + echo '<h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1>'; + } else { + echo '<h1><span class="text-danger glyphicon glyphicon-question-sign"></span> </h1>'; + } + echo "</td>"; + } else { + echo "<td> </td>"; + } + // self signed/ca/ca root + if (strpos($data['cert_data']['extensions']['basicConstraints'], "CA:TRUE") !== false && $data['cert_data']['issuer']['CN'] == $data['cert_data']['subject']['CN'] ) { + echo '<td><span class="text-success">CA Root Certificate</span></td>'; + } else if (strpos($data['cert_data']['extensions']['basicConstraints'], "CA:TRUE") !== false) { + echo '<td><span class="text-success">CA Certificate</span></td>'; + } else if ($data['cert_data']['issuer']['CN'] == $data['cert_data']['subject']['CN']) { + echo '<td><span class="text-danger">Self Signed</span></td>'; + } else { + echo "<td>Signed by CA</td>"; + } + echo "</tr>"; + echo "</tbody></table>"; + echo "</td></tr>"; + if (!empty($data['cert_data']['subject']) ) { + foreach ($data['cert_data']['subject'] as $key => $value) { + echo "<tr><td>"; + switch ($key) { + case 'C': + echo "Country"; + break; + case 'ST': + echo "State"; + break; + case 'L': + echo "City"; + break; + case 'O': + echo "Organization"; + break; + case 'OU': + echo "Organizational Unit"; + break; + case 'CN': + echo "Common Name"; + break; + case 'mail': + echo "Email Address"; + break; + case 'businessCategory': + echo "Business Type"; + break; + default: + echo htmlspecialchars($key); + break; + } + echo "</td><td>"; + switch ($key) { + case 'C': + echo htmlspecialchars($value); + echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; + echo strtolower(htmlspecialchars($value)); + echo '" alt="" />'; + break; + case 'DC': + foreach ($value as $key => $value) { + echo htmlspecialchars($value) . "."; } - - echo "</td><td>"; - switch ($key) { - case 'C': - echo htmlspecialchars($value); - echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; - echo strtolower(htmlspecialchars($value)); - echo '" alt="" />'; - break; - case 'DC': + break; + default: + if (is_array($value)) { foreach ($value as $key => $value) { - echo htmlspecialchars($value) . "."; + echo htmlspecialchars($value) . " "; } - break; - default: - if (is_array($value)) { - foreach ($value as $key => $value) { - echo htmlspecialchars($value) . " "; - } - } else { - echo htmlspecialchars($value); - } - break; + } else { + echo htmlspecialchars($value); } - - echo "</td></tr>\n"; + break; } - echo "</table>"; - return; - } else { - $cert_data = openssl_x509_parse($raw_cert_data); + echo "</td>"; + echo "</tr>"; } - if (empty($cert_data)) { - echo "Data not valid."; - continue; + } + // san + if (!empty($data['cert_data']['extensions']['subjectAltName'])) { + echo "<tr>"; + echo "<td>Subject Alternative Names</td>"; + echo "<td>"; + foreach ( explode("DNS:", $data['cert_data']['extensions']['subjectAltName']) as $altName ) { + if ( !empty(str_replace(',', " ", "$altName"))) { + echo htmlspecialchars(str_replace(',', " ", "$altName")); + echo "<br>"; } - ?> - <table class="table table-striped table-bordered"> - <tr> - <td colspan="2"><strong>Certificate Data</strong></td> - </tr> - <?php - $next_cert_data = openssl_x509_parse($raw_next_cert_data); - $today = date("Y-m-d"); - echo "<tr><td colspan='2'>\n"; - echo "<table class='table'>\n"; - echo "<thead><tr>\n"; - echo "<th>Hostname</th>\n"; - echo "<th>Not Expired</th>\n"; - echo "<th>Issuer</th>\n"; - echo "<th>CRL</th>\n"; - echo "<th>OCSP</th>\n"; - echo "<th>Signing Type</th>\n"; - echo "</tr>\n</thead>\n<tbody>\n<tr>"; - // hostname - if ($is_issuer == false) { - if ($csr == false) { - if ($cert_data['subject']['CN']) { - if ( verify_certificate_hostname($raw_cert_data, $host) ) { - echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; - } else { - echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; - } + } + echo "</td>"; + echo "</tr>"; + } + // validation type + echo "<tr>"; + echo "<td>Type</td>"; + echo "<td>"; + if ($data["validation_type"] == "extended") { + echo '<span class="text-success">Extended Validation</span>'; + } elseif ($data["validation_type"] == "organization") { + echo "Organization Validation"; + } elseif ($data["validation_type"] == "domain") { + echo "Domain Validation"; + } + // full subject + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>Full Subject</td>"; + echo "<td>"; + echo htmlspecialchars($data['cert_data']['name']); + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td colspan='2'><strong>Issuer</strong></td>"; + echo "</tr>"; + if (!empty($data['cert_data']['issuer']) ) { + foreach ($data['cert_data']['issuer'] as $key => $value) { + echo "<tr><td>"; + switch ($key) { + case 'C': + echo "Country"; + break; + case 'ST': + echo "State"; + break; + case 'L': + echo "City"; + break; + case 'O': + echo "Organization"; + break; + case 'OU': + echo "Organizational Unit"; + break; + case 'CN': + echo "Common Name"; + break; + case 'mail': + echo "Email Address"; + break; + case 'emailAddress': + echo "Email Address"; + break; + default: + echo htmlspecialchars($key); + break; + } + echo "</td><td>"; + switch ($key) { + case 'C': + echo htmlspecialchars($value); + echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; + echo strtolower(htmlspecialchars($value)); + echo '" alt="" />'; + break; + case 'DC': + foreach ($value as $key => $value) { + echo htmlspecialchars($value) . "."; + } + break; + default: + if (is_array($value)) { + foreach ($value as $key => $value) { + echo htmlspecialchars($value) . " "; } } else { - echo "<td></td>"; + echo htmlspecialchars($value); } - } else { - echo "<td></td>"; - } -// expired - if ( $today > date(DATE_RFC2822,$cert_data['validFrom_time_t']) || strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) { - echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; - } else { - echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + break; } -// issuer - if ($raw_next_cert_data) { - if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data) ) { - echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span> </h1></td>'; + echo "</td>"; + echo "</tr>"; + } + } + // valid from + echo "<tr>"; + echo "<td colspan='2'><strong>Validity</strong></td>"; + echo "</tr>"; + if ( !empty($data['cert_data']['validFrom_time_t']) ) { + echo "<tr>"; + echo "<td>Valid From</td>"; + echo "<td>"; + if ( $today < date(DATE_RFC2822,$data['cert_data']['validFrom_time_t']) ) { + echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>'; + echo '<span class="text-success"> - '; + } else { + echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>'; + echo '<span class="text-danger"> - '; + } + echo htmlspecialchars(date(DATE_RFC2822,$data['cert_data']['validFrom_time_t'])); + echo "</span>"; + echo "</td>"; + echo "</tr>"; + } + // issued to expired + if ( !empty($data['cert_data']['validTo_time_t']) ) { + echo "<tr>"; + echo "<td>Valid Until</td>"; + echo "<td>"; + if ( strtotime($today) < strtotime(date(DATE_RFC2822,$data['cert_data']['validTo_time_t'])) ) { + echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>'; + echo '<span class="text-success"> - '; + } else { + echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>'; + echo '<span class="text-danger"> - '; + } + echo htmlspecialchars(date(DATE_RFC2822,$data['cert_data']['validTo_time_t'])); + echo "</span>"; + echo "</td>"; + echo "</tr>"; + }; + if ( is_array($data['crl']) ) { + echo "<tr>"; + echo "<td>CRL</td>"; + echo "<td>"; + foreach ($data['crl'] as $key => $value) { + if ($value) { + if ($value["status"] == "ok") { + echo "<span class='text-success glyphicon glyphicon-ok-sign'></span>"; + echo "<span class='text-success'> - Not on CRL: " . htmlspecialchars($value["crl_uri"]) . "</span><br>"; + echo "Last update: " . htmlspecialchars($value['crl_last_update']) . "<br>\n"; + echo "Next update: " . htmlspecialchars($value['crl_next_update']) . "<br>\n"; + } elseif ($value["status"] == "revoked") { + echo "<span class='text-danger glyphicon glyphicon-exclamation-sign'></span>"; + echo "<span class='text-danger'> - Revoked on CRL: " . htmlspecialchars($value["crl_uri"]) . "</span><br>\n"; + echo "<span class='text-danger'>Revocation date: " . htmlspecialchars($value["revoked_on"]) . "</span><br>\n"; + echo "<br>Last update: " . htmlspecialchars($value['crl_last_update']) . "<br>\n"; + echo "Next update: " . htmlspecialchars($value['crl_next_update']) . "<br>\n"; } else { - echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1></td>'; + echo "<span class='text-danger glyphicon glyphicon-exclamation-sign'></span>"; + echo "<span class='text-danger'> - CRL invalid: (" . htmlspecialchars($value["crl_uri"]) . ")</span><br>"; + echo "<pre> " . htmlspecialchars($value["error"]) . "</pre>"; } - } else { - echo '<td> </td>'; } -// crl - if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) { - echo "<td><h1>" . crl_verify($raw_cert_data, false) . " </h1></td>"; - } else { - echo '<td> </td>'; + if (count($data['ocsp']) > 1) { + echo "<hr>"; } -// ocsp - if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) { - echo "<td>"; - $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1]; - $ocsp_uri = explode("\n", $ocsp_uri)[0]; - $ocsp_uri = explode(" ", $ocsp_uri)[0]; - if (!empty($ocsp_uri)) { - $ocsp_result = ocsp_verify($raw_cert_data, $raw_next_cert_data); - if ($ocsp_result["ocsp_verify_status"] == "good") { - echo '<h1><span class="text-success glyphicon glyphicon-ok"></span> </h1>'; - } else if ($ocsp_result["ocsp_verify_status"] == "revoked") { - echo '<h1><span class="text-danger glyphicon glyphicon-remove"></span> </h1>'; - } else { - echo '<h1><span class="text-danger glyphicon glyphicon-question-sign"></span> </h1>'; - } + } + echo "</td>"; + echo "</tr>"; + } else { + echo "<tr><td>CRL</td><td>No CRL URI found in certificate</td></tr>"; + } + // ocsp + if ( is_array($data['ocsp'])) { + echo "<tr>"; + echo "<td>OCSP</td>"; + echo "<td>"; + foreach ($data['ocsp'] as $key => $value) { + if ($value) { + if ($value["status"] == "good") { + echo '<span class="text-success glyphicon glyphicon-ok-sign"></span> '; + echo '<span class="text-success"> - OK: '; + echo htmlspecialchars($value['ocsp_uri']); + echo "</span><br>"; + echo "Last update: " . htmlspecialchars($value["this_update"]) . "<br>\n"; + echo "Next update: " . htmlspecialchars($value["next_update"]) . "<br>\n"; + } else if ( $value["status"] == "revoked") { + echo '<span class="text-danger glyphicon glyphicon-remove-sign"></span>'; + echo '<span class="text-danger"> - REVOKED: '; + echo htmlspecialchars($value['ocsp_uri']); + echo "</span><br>"; + echo "<span class='text-danger'>Revocation Time: " . htmlspecialchars($value["revocation_time"]) . "<br>\n"; + echo "Revocation Reason: " . htmlspecialchars($value["reason"]). "</span><br>"; + echo "<br>Last update: " . htmlspecialchars($value["this_update"]) . "<br>\n"; + echo "Next update: " . htmlspecialchars($value["next_update"]) . "<br>\n"; } else { - echo "<td></td>"; + echo '<span class="text-danger glyphicon glyphicon-question-sign"></span>'; + echo '<span class="text-danger"> - UNKNOWN: '; + echo " - " . htmlspecialchars($value['ocsp_uri']) . "</span><br>"; + echo "<pre>" . htmlspecialchars($value["error"]) . "</pre>"; } - echo "</td>"; - } else { - echo "<td> </td>"; } - // self signed/ca/ca root - if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false && $cert_data['issuer']['CN'] == $cert_data['subject']['CN'] ) { - echo '<td><span class="text-success">CA Root Certificate</span></td>'; - } else if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false) { - echo '<td><span class="text-success">CA Certificate</span></td>'; - } else if ($cert_data['issuer']['CN'] == $cert_data['subject']['CN']) { - echo '<td><span class="text-danger">Self Signed</span></td>'; - } else { - echo "<td>Signed by CA</td>"; + if (count($data['ocsp']) > 1) { + echo "<hr>"; } - echo "</tr>"; - echo "</tbody></table>"; - echo "</td></tr>"; - - - if (!empty($cert_data['subject']) ) { - foreach ($cert_data['subject'] as $key => $value) { - echo "<tr><td>"; - switch ($key) { - case 'C': - echo "Country"; - break; - case 'ST': - echo "State"; - break; - case 'L': - echo "City"; - break; - case 'O': - echo "Organization"; - break; - case 'OU': - echo "Organizational Unit"; - break; - case 'CN': - echo "Common Name"; - break; - case 'mail': - echo "Email Address"; - break; - case 'businessCategory': - echo "Business Type"; - break; - default: - echo htmlspecialchars($key); - break; - } - echo "</td><td>"; - switch ($key) { - case 'C': - echo htmlspecialchars($value); - echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; - echo strtolower(htmlspecialchars($value)); - echo '" alt="" />'; - break; - case 'DC': - foreach ($value as $key => $value) { - echo htmlspecialchars($value) . "."; - } - break; - default: - if (is_array($value)) { - foreach ($value as $key => $value) { - echo htmlspecialchars($value) . " "; - } - } else { - echo htmlspecialchars($value); - } - break; - } - echo "</td></tr>\n"; - } - - + } + } else { + if ($data["ocsp"] == "No issuer cert provided. Unable to send OCSP request.") { + echo "<tr><td>OCSP</td><td>No issuer certificate provided. Unable to send OCSP request.</td></tr>"; + } else { + echo "<tr><td>OCSP</td><td>No OCSP URI found in certificate</td></tr>"; + } + } + echo "<tr>"; + echo "<td>Hostname Validation</td>"; + echo "<td>"; + // hostname validation + if ($data["hostname_in_san_or_cn"] == "true") { + echo "<span class='text-success glyphicon glyphicon-ok'></span>\n<span class='text-success'> - "; + echo htmlspecialchars($data['hostname_checked']); + echo " found in CN or SAN.</span>"; + } elseif ($data["hostname_in_san_or_cn"] == "false") { + echo '<span class="text-danger glyphicon glyphicon-remove"></span><span class="text-danger"> - '; + echo htmlspecialchars($data['hostname_checked']); + echo ' NOT found in CN or SAN.</span>'; + } elseif ($data["hostname_in_san_or_cn"] == "n/a; ca signing certificate") { + echo "Not applicable, this seems to be a CA signing certificate."; + } else { + echo "Not applicable, this seems to be a CA signing certificate."; + } + echo "</td>"; + echo "</tr>"; + // details + echo "<tr>"; + echo "<td colspan='2'><strong>Details</strong></td>"; + echo "</tr>"; + if ( !empty($data['cert_data']['purposes']) ) { + echo "<tr>"; + echo "<td>Purposes</td>"; + echo "<td>"; + foreach ($data['cert_data']['purposes'] as $key => $purpose) { + if ($purpose["general"]) { + echo htmlspecialchars($key); + echo " "; } - if (!empty($cert_data['extensions']['subjectAltName'])) { - ?> - <tr> - <td>Subject Alternative Names</td> - <td> + } + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>Purposes CA</td>"; + echo "<td>"; + foreach ($data['cert_data']['purposes'] as $key => $purpose) { + if ($purpose["ca"]) { + echo htmlspecialchars($key); + echo " "; + } + } + echo "</td>"; + echo "</tr>"; + } + // serial number + if (!empty($data['serialNumber']) ) { + echo "<tr>"; + echo "<td>Serial</td>"; + echo "<td>"; + echo htmlspecialchars($data['serialNumber']); + echo "</td>"; + echo "</tr>"; + } + echo "<tr>"; + echo "<td>Key Size / Type</td>"; + echo "<td>"; + // key details + echo htmlspecialchars($data["key"]['bits']); + echo " bits "; + echo htmlspecialchars($data["key"]['type']); + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>Signature Algorithm</td>"; + echo "<td>"; + echo $data["key"]["signature_algorithm"]; + echo "</td>"; + echo "</tr>"; + if (count($data['cert_data']['extensions']) >= 1) { + echo "<tr>"; + echo "<td>Extensions</td>"; + echo "<td>"; + ?> + <div class="panel-group" id="accordion<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> + <div class="panel panel-default"> + <div class="panel-heading" role="tab" id="heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <h4 class="panel-title"> + <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" aria-expanded="false" aria-controls="collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + Click to Open/Close + </a> + </h4> + </div> + <div id="collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <div class="panel-body"> <?php - foreach ( explode("DNS:", $cert_data['extensions']['subjectAltName']) as $altName ) { - if ( !empty(str_replace(',', " ", "$altName"))) { - echo htmlspecialchars(str_replace(',', " ", "$altName")); - echo "<br>"; + foreach ($data['cert_data']['extensions'] as $name=>$extension) { + + if ( !empty(str_replace(',', " ", "$extension"))) { + echo "<strong>" . htmlspecialchars("$name") . "</strong>"; + echo "<pre>"; + echo htmlspecialchars($extension); + echo "</pre>"; } } - ?> - </td> - </tr> - <?php - } - ?> - <tr> - <td>Type</td> - <td> - <?php - if ( array_search(explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0])[1], $ev_oids) ) { - echo '<span class="text-success">Extended Validation</span>'; - } else if ( isset($cert_data['subject']['O'] ) ) { - echo "Organisation Validation"; - } else if ( isset($cert_data['subject']['CN'] ) ) { - echo "Domain Validation"; - } - ?> - </td> - </tr> - <tr> - <td>Full Subject</td> - <td><?php echo htmlspecialchars($cert_data['name']); ?></td> - </tr> - <tr> - <td colspan="2"><strong>Issuer</strong></td> - </tr> - <?php - if (!empty($cert_data['issuer']) ) { - foreach ($cert_data['issuer'] as $key => $value) { - echo "<tr><td>"; - switch ($key) { - case 'C': - echo "Country"; - break; - case 'ST': - echo "State"; - break; - case 'L': - echo "City"; - break; - case 'O': - echo "Organization"; - break; - case 'OU': - echo "Organizational Unit"; - break; - case 'CN': - echo "Common Name"; - break; - case 'mail': - echo "Email Address"; - break; - case 'emailAddress': - echo "Email Address"; - break; - default: - echo htmlspecialchars($key); - break; - } - echo "</td><td>"; - switch ($key) { - case 'C': - echo htmlspecialchars($value); - echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-'; - echo strtolower(htmlspecialchars($value)); - echo '" alt="" />'; - break; - case 'DC': - foreach ($value as $key => $value) { - echo htmlspecialchars($value) . "."; - } - break; - default: - if (is_array($value)) { - foreach ($value as $key => $value) { - echo htmlspecialchars($value) . " "; - } - } else { - echo htmlspecialchars($value); - } - break; - } - echo "</td></tr>\n"; - } - } - ?> - <tr> - <td colspan="2"><strong>Validity</strong></td> - </tr> - <?php - if ( !empty($cert_data['validFrom_time_t']) ) { - ?> - <tr> - <td>Valid From</td> - <td> - <?php - if ( $today < date(DATE_RFC2822,$cert_data['validFrom_time_t']) ) { - echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>'; - echo '<span class="text-success"> - '; - } else { - echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>'; - echo '<span class="text-danger"> - '; - - } - echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validFrom_time_t'])); - echo "</span>"; - ?> - </td> - </tr> - - <?php - }; - if ( !empty($cert_data['validTo_time_t']) ) { - ?> - <tr> - <td>Valid Until</td> - <td> + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</td>"; + echo "</tr>"; + } else { + echo "<tr>"; + echo "<td>Extensions</td>"; + echo "<td>"; + echo "None"; + echo "</td>"; + echo "</tr>"; + } + if(!empty($data["key"]["certificate_pem"])) { + echo "<tr>"; + echo "<td>Certificate PEM </td>"; + echo "<td>"; + ?> + <div class="panel-group" id="pem-accordion<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> + <div class="panel panel-default"> + <div class="panel-heading" role="tab" id="pem-heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <h4 class="panel-title"> + <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" aria-expanded="false" aria-controls="pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + Click to Open/Close + </a> + </h4> + </div> + <div id="pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pem-heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <div class="panel-body"> <?php - if ( strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) { - echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>'; - echo '<span class="text-success"> - '; - } else { - echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>'; - echo '<span class="text-danger"> - '; - } - echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validTo_time_t'])); - echo "</span>"; - ?> - </td> - </tr> - <?php - }; - if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) { - ?> - <tr> - <td>CRL</td> - <td> - <?php - echo crl_verify($raw_cert_data); - ?> - </td> - </tr> - <?php - } else { - echo "<tr><td>CRL</td><td>No CRL URI found in certificate</td></tr>"; - } - if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) { - ?> - <tr> - <td>OCSP</td> - <td> - <?php - $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1]; - $ocsp_uri = explode("\n", $ocsp_uri)[0]; - $ocsp_uri = explode(" ", $ocsp_uri)[0]; - - if ( isset($raw_next_cert_data) && !empty($ocsp_uri) ) { - if ($ocsp_result["ocsp_verify_status"] == "good") { - echo '<span class="text-success glyphicon glyphicon-ok-sign"></span> '; - echo '<span class="text-success"> - OK: '; - echo htmlspecialchars($ocsp_uri); - echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]) . " - "; - echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]) . "</pre>"; - } else if ( $ocsp_result["ocsp_verify_status"] == "revoked") { - echo '<span class="text-danger glyphicon glyphicon-remove-sign"></span>'; - echo '<span class="text-danger"> - REVOKED: '; - echo htmlspecialchars($ocsp_uri); - echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]); - echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]); - echo "<br>Revocation Time: " . htmlspecialchars($ocsp_result["Revocation Time"]); - echo "<br>Revocation Reason: " . htmlspecialchars($ocsp_result["Reason"]). "</pre>"; - } else { - echo '<span class="text-danger glyphicon glyphicon-question-sign"></span>'; - echo '<span class="text-danger"> - UNKNOWN: '; - - echo " - " . htmlspecialchars($ocsp_uri) . "</span><br>"; - echo "<pre>" . htmlspecialchars($ocsp_result["unknown"]) . "</pre>"; - } - } else { - echo "No OCSP URI found in certificate"; - } - ?> - </td> - </tr> - <?php - } else { - echo "<tr><td>OCSP</td><td>No OCSP URI found in certificate</td></tr>"; - } - if ($is_issuer == false && $csr == false) { - if ($cert_data['subject']['CN']) { - echo '<tr><td>Hostname</td>'; - if ( verify_certificate_hostname($raw_cert_data, $host, $port) ) { - echo "<td><span class='text-success glyphicon glyphicon-ok'></span>\n<span class='text-success'> - "; - echo htmlspecialchars($host); - echo " found in CN or SAN.</span></td></tr>"; - } else { + echo "<pre>"; + echo htmlspecialchars($data["key"]["certificate_pem"]); + echo "</pre>"; + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</td>"; + echo "</tr>"; + } - echo '<td><span class="text-danger glyphicon glyphicon-remove"></span><span class="text-danger"> - '; - echo htmlspecialchars($host); - echo ' NOT found in CN or SAN.</span></td></tr>'; - } - } - } else { - if ($csr == false) { - echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CA signing certificate.</td></tr>"; - } else { - echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CSR.</td></tr>"; - } - } - ?> - <tr> - <td colspan="2"><strong>Details</strong></td> - </tr> - <?php - if ( !empty($cert_data['purposes']) ) { - ?> - <tr> - <td>Purposes</td> - <td> - <?php - $purposes_len = count($cert_data['purposes']); - foreach ($cert_data['purposes'] as $key => $purpose) { - echo htmlspecialchars($purpose[2]); - if ( $key != $purposes_len - 1) { - echo ", "; - } - } - ?> - </td> - </tr> - <?php - }; - if ( !empty($cert_data['serialNumber']) ) { - ?> - <tr> - <td>Serial</td> - <td><code> - <?php - $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2); - $sn_len = count($sn); - foreach ($sn as $key => $s) { - echo htmlspecialchars($s); - if ( $key != $sn_len - 1) { - echo ":"; - } - } - ?> - </code></td> - </tr> - <?php - } - ?> - <tr> - <td>Key Size / Type</td> - <td> + if(!empty($data['key']['public_key_pem'])) { + echo "<tr>"; + echo "<td>Public Key PEM </td>"; + echo "<td>"; + ?> + <div class="panel-group" id="pub-pem-accordion<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> + <div class="panel panel-default"> + <div class="panel-heading" role="tab" id="pub-pem-heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <h4 class="panel-title"> + <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pub-pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" aria-expanded="false" aria-controls="pub-pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + Click to Open/Close + </a> + </h4> + </div> + <div id="pub-pem-collapse<?php echo bcdechex($data['cert_data']['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pub-pem-heading<?php echo bcdechex($data['cert_data']['serialNumber']); ?>"> + <div class="panel-body"> <?php - + echo "<pre>"; + echo htmlspecialchars($data['key']['public_key_pem']); + echo "</pre>"; + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</div>"; + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td><a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>SPKI Hash</a></td>"; + echo "<td>"; + print(htmlspecialchars($data['key']['spki_hash'])); + echo "</td>"; + echo "</tr>"; + } + echo "</tbody>"; + echo "</table>"; +} + + + + + + + + + + + + + + + + + - $key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data)); - $export_pem = ""; - openssl_x509_export($raw_cert_data, $export_pem); - - if ( $key_details['rsa'] ) { - echo htmlspecialchars($key_details['bits']); - echo " bits RSA"; - } else if ( $key_details['dsa'] ) { - echo htmlspecialchars($key_details['bits']); - echo " bits DSA"; - } else if ( $key_details['dh'] ) { - echo htmlspecialchars($key_details['bits']); - echo " bits DH"; - } else { - echo htmlspecialchars(var_dump($key_details['bits'])); - echo " bits"; - } - ?> - </td> - </tr> - <tr> - <td>Signature Algorithm</td> - <td> - <?php - $signature_algorithm = cert_signature_algorithm($raw_cert_data); - echo htmlspecialchars($signature_algorithm); - ?> - </td> - </tr> - <tr> - <td>Extensions</td> - <td> - <div class="panel-group" id="accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> - <div class="panel panel-default"> - <div class="panel-heading" role="tab" id="heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <h4 class="panel-title"> - <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>"> - Click to Open/Close - </a> - </h4> - </div> - <div id="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <div class="panel-body"> - <?php - foreach ( $cert_data['extensions'] as $name=>$extension ) { - if ( !empty(str_replace(',', " ", "$extension"))) { - echo "<strong>" . htmlspecialchars("$name") . "</strong>"; - echo "<pre>"; - echo htmlspecialchars($extension); - echo "</pre>"; - } - } - ?> - </div> - </div> - </div> - </div> - </td> - </tr> - <?php - if(!empty($export_pem)) { - ?> - <tr> - <td>Certificate PEM </td> - <td> - <div class="panel-group" id="pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> - <div class="panel panel-default"> - <div class="panel-heading" role="tab" id="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <h4 class="panel-title"> - <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>"> - Click to Open/Close - </a> - </h4> - </div> - <div id="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <div class="panel-body"> - <?php - echo "<pre>"; - echo htmlspecialchars($export_pem); - ?> - </pre> - </div> - </div> - </div> - </div> - </td> - </tr> - <?php - } - ?> - <?php - if(!empty($key_details['key'])) { - ?> - <tr> - <td>Public Key PEM </td> - <td> - <div class="panel-group" id="pub-pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true"> - <div class="panel panel-default"> - <div class="panel-heading" role="tab" id="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <h4 class="panel-title"> - <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>"> - Click to Open/Close - </a> - </h4> - </div> - <div id="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>"> - <div class="panel-body"> - - <?php - echo "<pre>"; - echo htmlspecialchars($key_details['key']); - ?> - </pre> - </div> - </div> - </div> - </div> - </td> - </tr> - <tr> - <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">SPKI Hash</a></td> - <td> - <?php - $spki_hash = spki_hash($export_pem); - print(htmlspecialchars($spki_hash)); - ?> - </td> - </tr> - <?php - } - ?> - </tbody> - </table> - <?php - } @@ -692,7 +675,7 @@ function csr_parse_json($csr) { $cert_subject = openssl_csr_get_subject($csr); $result["subject"] = $cert_subject; $result["key"] = $cert_key; - $result["details"] = $cert_details; + $result["details"] = $cert_details; } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) { $result = cert_parse_json($csr); } else { @@ -722,30 +705,74 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $ $cert_data['purposes'] = $purposes; $result["cert_data"] = $cert_data; } + +// valid from + if ( !empty($result['cert_data']['validFrom_time_t']) ) { + if ( $today < date(DATE_RFC2822,$result['cert_data']['validFrom_time_t']) ) { + $result['cert_issued_in_future'] = false; + } else { + $result['cert_issued_in_future'] = true; + $result['warning'][] = "Certificate issue date is in the future: " . date(DATE_RFC2822,$data['cert_data']['validFrom_time_t']); + } + } + // expired + if (!empty($cert_data['validTo_time_t'])) { + if ($today > date(DATE_RFC2822,$cert_data['validFrom_time_t']) || strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t']))) { + $result['cert_expired'] = false; + } else { + $result['cert_expired'] = true; + $result['warning'][] = "Certificate expired! Expiration date: " . date(DATE_RFC2822,$cert_data['validTo_time_t']); + } + } + if ( array_search(explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0])[1], $ev_oids) ) { $result["validation_type"] = "extended"; } else if ( isset($cert_data['subject']['O'] ) ) { - $result["validation_type"] = "organisation"; + $result["validation_type"] = "organization"; } else if ( isset($cert_data['subject']['CN'] ) ) { $result["validation_type"] = "domain"; } + // issuer + if ($raw_next_cert_data) { + if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data) ) { + $result["issuer_valid"] = true; + } else { + $result["issuer_valid"] = false; + $result['warning'][] = "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong."; + } + } // crl if (isset($cert_data['extensions']['crlDistributionPoints']) ) { $result["crl"] = crl_verify_json($raw_cert_data); + if (is_array($result["crl"])) { + foreach ($result["crl"] as $key => $value) { + if ($value["status"] == "revoked") { + $result['warning'][] = "Certificate revoked on CRL: " . $value['crl_uri'] . ". Revocation time: " . $value['revoked_on'] . "."; + } + } + } } else { $result["crl"] = "No CRL URI found in certificate"; } // ocsp - if (isset($cert_data['extensions']['authorityInfoAccess']) && isset($next_cert_data) ) { + if (isset($cert_data['extensions']['authorityInfoAccess'])) { $ocsp_uris = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess']); unset($ocsp_uris[0]); - if ( isset($raw_next_cert_data) && isset($ocsp_uris) ) { - foreach ($ocsp_uris as $key => $ocsp_uri) { - $ocsp_uri = explode("\n", $ocsp_uri)[0]; - $ocsp_uri = explode(" ", $ocsp_uri)[0]; - $result["ocsp"]["$key"] = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri); + if (isset($ocsp_uris) ) { + if (isset($raw_next_cert_data)) { + foreach ($ocsp_uris as $key => $ocsp_uri) { + $ocsp_uri = explode("\n", $ocsp_uri)[0]; + $ocsp_uri = explode(" ", $ocsp_uri)[0]; + $result["ocsp"]["$key"] = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri); + if ($result['ocsp'][$key]["status"] == "revoked") { + $result['warning'][] = "Certificate revoked on OCSP: " . $result['ocsp'][$key]['ocsp_uri'] . ". Revocation time: " . $result['ocsp'][$key]['revocation_time'] . "."; + } elseif ($result['ocsp'][$key]["status"] == "unknown") { + $result['warning'][] = "OCSP error on: " . $result['ocsp'][$key]['ocsp_uri'] . "."; + } + } + } else { + $result["ocsp"] = "No issuer cert provided. Unable to send OCSP request."; } - } else { $result["ocsp"] = "No OCSP URI found in certificate"; } @@ -754,28 +781,30 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $ } // hostname validation if ($validate_hostname == true) { + $result["hostname_checked"] = $host; if (isset($cert_data['subject']['CN'])) { if ( verify_certificate_hostname($raw_cert_data, $host) ) { $result["hostname_in_san_or_cn"] = "true"; } else { $result["hostname_in_san_or_cn"] = "false"; + $result['warning'][] = "Hostname " . $host . " not found in certificate."; } } } else { $result["hostname_in_san_or_cn"] = "n/a; ca signing certificate"; } - //serial + //serial number if ( isset($cert_data['serialNumber']) ) { - $serial = ""; + $serial = []; $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2); $sn_len = count($sn); foreach ($sn as $key => $s) { - $serial += htmlspecialchars($s); + $serial[] = htmlspecialchars($s); if ( $key != $sn_len - 1) { - $serial += ":"; + $serial[] = ":"; } } - $result["serial"] = $serial; + $result["serialNumber"] = implode("", $serial); } // key details @@ -785,6 +814,9 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $ if (isset($key_details['rsa'])) { $result["key"]["type"] = "rsa"; $result["key"]["bits"] = $key_details['bits']; + if ($key_details['bits'] < 2048) { + $result['warning'][] = $key_details['bits'] . " bit RSA key is not safe. Upgrade to at least 4096 bits."; + } } else if (isset($key_details['dsa'])) { $result["key"]["type"] = "dsa"; $result["key"]["bits"] = $key_details['bits']; @@ -800,6 +832,9 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $ } // signature algorithm $result["key"]["signature_algorithm"] = cert_signature_algorithm($raw_cert_data); + if ($result["key"]["signature_algorithm"] == "sha1WithRSAEncryption") { + $result['warning'][] = "SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better."; + } if(isset($export_pem)) { $result["key"]["certificate_pem"] = $export_pem; } diff --git a/functions/textual.php b/functions/textual.php index 93a5838..4a1a48d 100644 --- a/functions/textual.php +++ b/functions/textual.php @@ -17,7 +17,20 @@ function pre_dump($var) { echo "<pre>"; var_dump($var); - echo "<pre>"; + echo "</pre>"; +} + +function utf8encodeNestedArray($arr) { + // json_encode fails with binary data. utf-8 encode that first, some ca's like to encode images in their OID's (verisign, 1.3.6.1.5.5.7.1.12)... + $encoded_arr = array(); + foreach ($arr as $key => $value) { + if (is_array($value)) { + $encoded_arr[utf8_encode($key)] = utf8encodeNestedArray($value); + } else { + $encoded_arr[utf8_encode($key)] = utf8_encode($value); + } + } + return $encoded_arr; } function startsWith($haystack, $needle) { @@ -31,7 +44,6 @@ function endsWith($haystack, $needle) { } } - function get_current_folder(){ $url = $_SERVER['REQUEST_URI']; $parts = explode('/',$url); diff --git a/functions/variables.php b/functions/variables.php index e58b59e..1154bb4 100644 --- a/functions/variables.php +++ b/functions/variables.php @@ -14,6 +14,8 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. +date_default_timezone_set('UTC'); + $random_blurp = rand(1000,99999); # 2014-11-10 (nov) from wikipedia |