authorRemy <relst@relst.nl>2015-03-30 12:26:17 +0200
committerRemy <relst@relst.nl>2015-03-30 12:26:17 +0200
commitb470f3e3cb6fd341da0b4eed465d6165d98cd441 (patch)
tree5123b500c9d774cd2e2d6d961359343346d7a4f3 /functions
parentfaa7f20fcc89bb1a1b77f2aaa78b88cda794b1b5 (diff)
Add json endpoint
Diffstat (limited to 'functions')
-rw-r--r--functions/connection.php1229
-rw-r--r--functions/crl.php79
-rw-r--r--functions/ocsp.php209
-rw-r--r--functions/parse_certificate.php1362
-rw-r--r--functions/textual.php6
-rw-r--r--functions/verify_certifitcate.php2
6 files changed, 1754 insertions, 1133 deletions
diff --git a/functions/connection.php b/functions/connection.php
index c9705ac..b1b318e 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -15,37 +15,36 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
function fixed_gethostbyname($host) {
- $ip = gethostbyname($host);
- if ($ip != $host) {
- return $ip;
- } else {
- return false;
- }
+ $ip = gethostbyname($host);
+ if ($ip != $host) {
+ return $ip;
+ } else {
+ return false;
+ }
}
function get(&$var, $default=null) {
- return isset($var) ? $var : $default;
+ return isset($var) ? $var : $default;
}
function server_http_headers($host, $port){
- stream_context_set_default(
- array("ssl" =>
- array("verify_peer" => false,
- "capture_session_meta" => true,
- "verify_peer_name" => false,
- "allow_self_signed" => true,
- "sni_enabled" => true),
- 'http' => array(
- 'method' => 'GET'
- )
- )
- );
- $headers = get_headers("https://$host:$port", 1);
-
- if (!empty($headers)) {
- $headers = array_change_key_case($headers, CASE_LOWER);
- return $headers;
- }
+ stream_context_set_default(
+ array("ssl" =>
+ array("verify_peer" => false,
+ "capture_session_meta" => true,
+ "verify_peer_name" => false,
+ "allow_self_signed" => true,
+ "sni_enabled" => true),
+ 'http' => array(
+ 'method' => 'GET'
+ )
+ )
+ );
+ $headers = get_headers("https://$host:$port", 1);
+ if (!empty($headers)) {
+ $headers = array_change_key_case($headers, CASE_LOWER);
+ return $headers;
+ }
}
function ssl_conn_ciphersuites($host, $port, $ciphersuites){
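Review bot: `fixed_gethostbyname` returns false whenever `$host` is already an IP literal, because `gethostbyname()` hands an IP address back unchanged and the `$ip != $host` test then reads that as a lookup failure, so the callers later in this file that guard the "IP / Hostname / Port" row on this result silently skip it for numeric hosts. A guard before the lookup fixes it: `if (filter_var($host, FILTER_VALIDATE_IP)) { return $host; }`. Separately, `server_http_headers` calls `stream_context_set_default()` with `verify_peer` and `verify_peer_name` disabled, which changes the default SSL context for every later stream in the same request rather than only this `get_headers()` call; if any other code in this process fetches OCSP or CRL data over HTTPS it will inherit the disabled verification, so a comment stating that the relaxed verification is deliberate for a scanner that must inspect untrusted certificates, and that the default context is not restored afterwards, would save the next reader from assuming a mistake. The function also falls through to an implicit null when `get_headers()` returns nothing, so callers that index the result by header name should expect that rather than an empty array.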
@@ -142,476 +141,790 @@ function ssl_conn_ciphersuites($host, $port, $ciphersuites){
function ssl_conn_metadata($host, $port, $chain=null) {
global $random_blurp;
global $current_folder;
-$stream = stream_context_create (array("ssl" =>
- array("verify_peer" => false,
- "capture_session_meta" => true,
- "verify_peer_name" => false,
- "allow_self_signed" => true,
- "sni_enabled" => true)));
-$read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream);
-if ( $read_stream === false ) {
- return false;
-} else {
- $context = stream_context_get_params($read_stream);
- $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta'];
- $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0];
+ $stream = stream_context_create (array("ssl" =>
+ array("verify_peer" => false,
+ "capture_session_meta" => true,
+ "verify_peer_name" => false,
+ "allow_self_signed" => true,
+ "sni_enabled" => true)));
+ $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream);
+ if ( $read_stream === false ) {
+ return false;
+ } else {
+ $context = stream_context_get_params($read_stream);
+ $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta'];
+ $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0];
- if ($context_meta) {
- ?>
- <section id="conndata">
- <h3>Connection Data</h3>
- <table class="table table-striped table-bordered">
- <tbody>
- <tr>
- <td colspan="2"><strong>Connection Data</strong></td>
- </tr>
- <?php
- if ( $chain ) {
- ?>
+ if ($context_meta) {
+ ?>
+ <section id="conndata">
+ <h3>Connection Data</h3>
+ <table class="table table-striped table-bordered">
+ <tbody>
<tr>
- <td>Chain sent by Server (in server order)</td>
- <td style="font-family: monospace;">
- <?php
- $chain_length = count($chain);
- $certificate_chain = array();
- if ($chain_length <= 10) {
- for ($i = 0; $i < $chain_length; $i++) {
- if (openssl_x509_parse($chain[$i])['issuer']['CN'] && openssl_x509_parse($chain[$i])['subject']['CN']) {
- echo "Name...........: <i>";
- echo htmlspecialchars(openssl_x509_parse($chain[$i])['subject']['CN']);
- echo " </i><br>Issued by......:<i> ";
- echo htmlspecialchars(openssl_x509_parse($chain[$i])['issuer']['CN']);
- echo "</i><br>";
-
- $export_pem = "";
- openssl_x509_export($chain[$i], $export_pem);
- array_push($certificate_chain, $export_pem);
-
- if (openssl_x509_parse($chain[$i])['issuer']['CN'] == openssl_x509_parse($chain[$i + 1])['subject']['CN']){
- continue;
- } else {
- if ($i != $chain_length - 1) {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.</span><br><br>";
+ <td colspan="2"><strong>Connection Data</strong></td>
+ </tr>
+ <?php
+ if ( $chain ) {
+ ?>
+ <tr>
+ <td>Chain sent by Server (in server order)</td>
+ <td style="font-family: monospace;">
+ <?php
+ $chain_length = count($chain);
+ $certificate_chain = array();
+ if ($chain_length <= 10) {
+ for ($i = 0; $i < $chain_length; $i++) {
+ if (openssl_x509_parse($chain[$i])['issuer']['CN'] && openssl_x509_parse($chain[$i])['subject']['CN']) {
+ echo "Name...........: <i>";
+ echo htmlspecialchars(openssl_x509_parse($chain[$i])['subject']['CN']);
+ echo " </i><br>Issued by......:<i> ";
+ echo htmlspecialchars(openssl_x509_parse($chain[$i])['issuer']['CN']);
+ echo "</i><br>";
+
+ $export_pem = "";
+ openssl_x509_export($chain[$i], $export_pem);
+ array_push($certificate_chain, $export_pem);
+
+ if (openssl_x509_parse($chain[$i])['issuer']['CN'] == openssl_x509_parse($chain[$i + 1])['subject']['CN']){
+ continue;
+ } else {
+ if ($i != $chain_length - 1) {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.</span><br><br>";
+ }
}
}
}
+ echo "<br>";
+ } else {
+ echo "<span class='text-danger'>Error: Certificate chain to large.</span><br>";
}
- echo "<br>";
- } else {
- echo "<span class='text-danger'>Error: Certificate chain to large.</span><br>";
- }
- file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND);
+ file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND);
- $verify_output = 0;
- $verify_exit_code = 0;
- $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code);
+ $verify_output = 0;
+ $verify_exit_code = 0;
+ $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code);
- if ($verify_exit_code != 1) {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Validating certificate chain failed:</span><br>";
- echo "<pre>";
- echo str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output));
- echo "</pre>";
- } else {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Sucessfully validated certificate chain.</span><br>";
- }
+ if ($verify_exit_code != 1) {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Validating certificate chain failed:</span><br>";
+ echo "<pre>";
+ echo str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output));
+ echo "</pre>";
+ } else {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Sucessfully validated certificate chain.</span><br>";
+ }
+
+ unlink('/tmp/verify_cert.' . $random_blurp . '.pem');
- unlink('/tmp/verify_cert.' . $random_blurp . '.pem');
+ ?>
+ </td>
+ </tr>
- ?>
+ <?php
+ }
+ if ( fixed_gethostbyname($host) ) {
+ ?>
+ <tr>
+ <td>IP / Hostname / Port</td>
+ <td>
+ <?php
+ echo htmlspecialchars(fixed_gethostbyname($host));
+ echo " - ";
+ echo htmlspecialchars(gethostbyaddr(fixed_gethostbyname($host)));
+ echo " - ";
+ echo htmlspecialchars($port);
+ ?>
</td>
</tr>
-
- <?php
- }
- if ( fixed_gethostbyname($host) ) {
- ?>
- <tr>
- <td>IP / Hostname / Port</td>
- <td>
- <?php
- echo htmlspecialchars(fixed_gethostbyname($host));
- echo " - ";
- echo htmlspecialchars(gethostbyaddr(fixed_gethostbyname($host)));
- echo " - ";
- echo htmlspecialchars($port);
- ?>
- </td>
- </tr>
- <?php
- }
- ?>
- <tr>
- <td>Protocol</td>
- <td>
- <?php
- $protocols = ssl_conn_protocols($host, $port);
- foreach (array_reverse($protocols) as $key => $value) {
- if ( $value == true ) {
- if ( $key == "tlsv1.2") {
- echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>';
- } else if ( $key == "tlsv1.1") {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>';
- } else if ( $key == "tlsv1.0") {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>';
- } else if ( $key == "sslv3") {
- echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported)</span></p>';
- } else {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>';
- }
- } else {
- if ( $key == "tlsv1.2") {
- echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span></p>';
- } else if ( $key == "tlsv1.1") {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>';
- } else if ( $key == "tlsv1.0") {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>';
- } else if ( $key == "sslv3") {
- echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>';
+ <?php
+ }
+ ?>
+ <tr>
+ <td>Protocol</td>
+ <td>
+ <?php
+ $protocols = ssl_conn_protocols($host, $port);
+ foreach (array_reverse($protocols) as $key => $value) {
+ if ( $value == true ) {
+ if ( $key == "tlsv1.2") {
+ echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>';
+ } else if ( $key == "tlsv1.1") {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>';
+ } else if ( $key == "tlsv1.0") {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>';
+ } else if ( $key == "sslv3") {
+ echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported)</span></p>';
+ } else {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>';
+ }
} else {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>';
+ if ( $key == "tlsv1.2") {
+ echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span></p>';
+ } else if ( $key == "tlsv1.1") {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>';
+ } else if ( $key == "tlsv1.0") {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>';
+ } else if ( $key == "sslv3") {
+ echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>';
+ } else {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>';
+ }
}
}
- }
- ?>
+ ?>
- </td>
- </tr>
- <?php
- if ($_GET['ciphersuites'] == 1) {
- ?>
- <tr>
- <td>Ciphersuites supported by server</td>
- <td>
- <?php
- $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- 'ECDHE-RSA-AES256-SHA384',
- 'ECDHE-ECDSA-AES256-SHA384',
- 'ECDHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES256-SHA',
- 'SRP-DSS-AES-256-CBC-SHA',
- 'SRP-RSA-AES-256-CBC-SHA',
- 'SRP-AES-256-CBC-SHA',
- 'DH-DSS-AES256-GCM-SHA384',
- 'DHE-DSS-AES256-GCM-SHA384',
- 'DH-RSA-AES256-GCM-SHA384',
- 'DHE-RSA-AES256-GCM-SHA384',
- 'DHE-RSA-AES256-SHA256',
- 'DHE-DSS-AES256-SHA256',
- 'DH-RSA-AES256-SHA256',
- 'DH-DSS-AES256-SHA256',
- 'DHE-RSA-AES256-SHA',
- 'DHE-DSS-AES256-SHA',
- 'DH-RSA-AES256-SHA',
- 'DH-DSS-AES256-SHA',
- 'DHE-RSA-CAMELLIA256-SHA',
- 'DHE-DSS-CAMELLIA256-SHA',
- 'DH-RSA-CAMELLIA256-SHA',
- 'DH-DSS-CAMELLIA256-SHA',
- 'ECDH-RSA-AES256-GCM-SHA384',
- 'ECDH-ECDSA-AES256-GCM-SHA384',
- 'ECDH-RSA-AES256-SHA384',
- 'ECDH-ECDSA-AES256-SHA384',
- 'ECDH-RSA-AES256-SHA',
- 'ECDH-ECDSA-AES256-SHA',
- 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- 'AES256-SHA',
- 'CAMELLIA256-SHA',
- 'PSK-AES256-CBC-SHA',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-SHA256',
- 'ECDHE-ECDSA-AES128-SHA256',
- 'ECDHE-RSA-AES128-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'SRP-DSS-AES-128-CBC-SHA',
- 'SRP-RSA-AES-128-CBC-SHA',
- 'SRP-AES-128-CBC-SHA',
- 'DH-DSS-AES128-GCM-SHA256',
- 'DHE-DSS-AES128-GCM-SHA256',
- 'DH-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-SHA256',
- 'DHE-DSS-AES128-SHA256',
- 'DH-RSA-AES128-SHA256',
- 'DH-DSS-AES128-SHA256',
- 'DHE-RSA-AES128-SHA',
- 'DHE-DSS-AES128-SHA',
- 'DH-RSA-AES128-SHA',
- 'DH-DSS-AES128-SHA',
- 'DHE-RSA-SEED-SHA',
- 'DHE-DSS-SEED-SHA',
- 'DH-RSA-SEED-SHA',
- 'DH-DSS-SEED-SHA',
- 'DHE-RSA-CAMELLIA128-SHA',
- 'DHE-DSS-CAMELLIA128-SHA',
- 'DH-RSA-CAMELLIA128-SHA',
- 'DH-DSS-CAMELLIA128-SHA',
- 'ECDH-RSA-AES128-GCM-SHA256',
- 'ECDH-ECDSA-AES128-GCM-SHA256',
- 'ECDH-RSA-AES128-SHA256',
- 'ECDH-ECDSA-AES128-SHA256',
- 'ECDH-RSA-AES128-SHA',
- 'ECDH-ECDSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES128-SHA256',
- 'AES128-SHA',
- 'SEED-SHA',
- 'CAMELLIA128-SHA',
- 'IDEA-CBC-SHA',
- 'PSK-AES128-CBC-SHA',
- 'ECDHE-RSA-RC4-SHA',
- 'ECDHE-ECDSA-RC4-SHA',
- 'ECDH-RSA-RC4-SHA',
- 'ECDH-ECDSA-RC4-SHA',
- 'RC4-SHA',
- 'RC4-MD5',
- 'PSK-RC4-SHA',
- 'ECDHE-RSA-DES-CBC3-SHA',
- 'ECDHE-ECDSA-DES-CBC3-SHA',
- 'SRP-DSS-3DES-EDE-CBC-SHA',
- 'SRP-RSA-3DES-EDE-CBC-SHA',
- 'SRP-3DES-EDE-CBC-SHA',
- 'EDH-RSA-DES-CBC3-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
- 'DH-RSA-DES-CBC3-SHA',
- 'DH-DSS-DES-CBC3-SHA',
- 'ECDH-RSA-DES-CBC3-SHA',
- 'ECDH-ECDSA-DES-CBC3-SHA',
- 'DES-CBC3-SHA',
- 'PSK-3DES-EDE-CBC-SHA',
- 'EDH-RSA-DES-CBC-SHA',
- 'EDH-DSS-DES-CBC-SHA',
- 'DH-RSA-DES-CBC-SHA',
- 'DH-DSS-DES-CBC-SHA',
- 'DES-CBC-SHA',
- 'EXP-EDH-RSA-DES-CBC-SHA',
- 'EXP-EDH-DSS-DES-CBC-SHA',
- 'EXP-DH-RSA-DES-CBC-SHA',
- 'EXP-DH-DSS-DES-CBC-SHA',
- 'EXP-DES-CBC-SHA',
- 'EXP-RC2-CBC-MD5',
- 'EXP-RC4-MD5',
- 'ECDHE-RSA-NULL-SHA',
- 'ECDHE-ECDSA-NULL-SHA',
- 'AECDH-NULL-SHA',
- 'ECDH-RSA-NULL-SHA',
- 'ECDH-ECDSA-NULL-SHA',
- 'NULL-SHA256',
- 'NULL-SHA',
- 'NULL-MD5');
-
- $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA',
- 'ECDHE-ECDSA-DES-CBC3-SHA',
- 'EDH-RSA-DES-CBC3-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
- 'DH-RSA-DES-CBC3-SHA',
- 'DH-DSS-DES-CBC3-SHA',
- 'ECDH-RSA-DES-CBC3-SHA',
- 'ECDH-ECDSA-DES-CBC3-SHA',
- 'DES-CBC3-SHA',
- 'EDH-RSA-DES-CBC-SHA',
- 'EDH-DSS-DES-CBC-SHA',
- 'DH-RSA-DES-CBC-SHA',
- 'DH-DSS-DES-CBC-SHA',
- 'DES-CBC-SHA',
- 'EXP-EDH-RSA-DES-CBC-SHA',
- 'EXP-EDH-DSS-DES-CBC-SHA',
- 'EXP-DH-RSA-DES-CBC-SHA',
- 'EXP-DH-DSS-DES-CBC-SHA',
- 'EXP-DES-CBC-SHA',
- 'EXP-EDH-RSA-DES-CBC-SHA',
- 'EXP-EDH-DSS-DES-CBC-SHA',
- 'EXP-DH-RSA-DES-CBC-SHA',
- 'EXP-DH-DSS-DES-CBC-SHA',
- 'EXP-DES-CBC-SHA',
- 'EXP-RC2-CBC-MD5',
- 'EXP-RC4-MD5',
- 'RC4-MD5',
- 'EXP-RC2-CBC-MD5',
- 'EXP-RC4-MD5',
- 'ECDHE-RSA-RC4-SHA',
- 'ECDHE-ECDSA-RC4-SHA',
- 'ECDH-RSA-RC4-SHA',
- 'ECDH-ECDSA-RC4-SHA',
- 'RC4-SHA',
- 'RC4-MD5',
- 'PSK-RC4-SHA',
- 'EXP-RC4-MD5',
- 'ECDHE-RSA-NULL-SHA',
- 'ECDHE-ECDSA-NULL-SHA',
- 'AECDH-NULL-SHA',
- 'RC4-SHA',
- 'RC4-MD5',
- 'ECDH-RSA-NULL-SHA',
- 'ECDH-ECDSA-NULL-SHA',
- 'NULL-SHA256',
- 'NULL-SHA',
- 'NULL-MD5');
- $supported_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test);
-
- foreach ($supported_ciphersuites as $key => $value) {
- if($value == true){
- if (in_array($key, $bad_ciphersuites)) {
- $bad_ciphersuite = 1;
- echo "";
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> ";
+ </td>
+ </tr>
+ <?php
+ if ($_GET['ciphersuites'] == 1) {
+ ?>
+ <tr>
+ <td>Ciphersuites supported by server</td>
+ <td>
+ <?php
+ $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-SHA384',
+ 'ECDHE-ECDSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA',
+ 'ECDHE-ECDSA-AES256-SHA',
+ 'SRP-DSS-AES-256-CBC-SHA',
+ 'SRP-RSA-AES-256-CBC-SHA',
+ 'SRP-AES-256-CBC-SHA',
+ 'DH-DSS-AES256-GCM-SHA384',
+ 'DHE-DSS-AES256-GCM-SHA384',
+ 'DH-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-SHA256',
+ 'DHE-DSS-AES256-SHA256',
+ 'DH-RSA-AES256-SHA256',
+ 'DH-DSS-AES256-SHA256',
+ 'DHE-RSA-AES256-SHA',
+ 'DHE-DSS-AES256-SHA',
+ 'DH-RSA-AES256-SHA',
+ 'DH-DSS-AES256-SHA',
+ 'DHE-RSA-CAMELLIA256-SHA',
+ 'DHE-DSS-CAMELLIA256-SHA',
+ 'DH-RSA-CAMELLIA256-SHA',
+ 'DH-DSS-CAMELLIA256-SHA',
+ 'ECDH-RSA-AES256-GCM-SHA384',
+ 'ECDH-ECDSA-AES256-GCM-SHA384',
+ 'ECDH-RSA-AES256-SHA384',
+ 'ECDH-ECDSA-AES256-SHA384',
+ 'ECDH-RSA-AES256-SHA',
+ 'ECDH-ECDSA-AES256-SHA',
+ 'AES256-GCM-SHA384',
+ 'AES256-SHA256',
+ 'AES256-SHA',
+ 'CAMELLIA256-SHA',
+ 'PSK-AES256-CBC-SHA',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'ECDHE-ECDSA-AES128-SHA256',
+ 'ECDHE-RSA-AES128-SHA',
+ 'ECDHE-ECDSA-AES128-SHA',
+ 'SRP-DSS-AES-128-CBC-SHA',
+ 'SRP-RSA-AES-128-CBC-SHA',
+ 'SRP-AES-128-CBC-SHA',
+ 'DH-DSS-AES128-GCM-SHA256',
+ 'DHE-DSS-AES128-GCM-SHA256',
+ 'DH-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-SHA256',
+ 'DHE-DSS-AES128-SHA256',
+ 'DH-RSA-AES128-SHA256',
+ 'DH-DSS-AES128-SHA256',
+ 'DHE-RSA-AES128-SHA',
+ 'DHE-DSS-AES128-SHA',
+ 'DH-RSA-AES128-SHA',
+ 'DH-DSS-AES128-SHA',
+ 'DHE-RSA-SEED-SHA',
+ 'DHE-DSS-SEED-SHA',
+ 'DH-RSA-SEED-SHA',
+ 'DH-DSS-SEED-SHA',
+ 'DHE-RSA-CAMELLIA128-SHA',
+ 'DHE-DSS-CAMELLIA128-SHA',
+ 'DH-RSA-CAMELLIA128-SHA',
+ 'DH-DSS-CAMELLIA128-SHA',
+ 'ECDH-RSA-AES128-GCM-SHA256',
+ 'ECDH-ECDSA-AES128-GCM-SHA256',
+ 'ECDH-RSA-AES128-SHA256',
+ 'ECDH-ECDSA-AES128-SHA256',
+ 'ECDH-RSA-AES128-SHA',
+ 'ECDH-ECDSA-AES128-SHA',
+ 'AES128-GCM-SHA256',
+ 'AES128-SHA256',
+ 'AES128-SHA',
+ 'SEED-SHA',
+ 'CAMELLIA128-SHA',
+ 'IDEA-CBC-SHA',
+ 'PSK-AES128-CBC-SHA',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'SRP-DSS-3DES-EDE-CBC-SHA',
+ 'SRP-RSA-3DES-EDE-CBC-SHA',
+ 'SRP-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'PSK-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
+
+ $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'RC4-MD5',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
+ $supported_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test);
+
+ foreach ($supported_ciphersuites as $key => $value) {
+ if($value == true){
+ if (in_array($key, $bad_ciphersuites)) {
+ $bad_ciphersuite = 1;
+ echo "";
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> ";
+ } else {
+ echo "<span class='glyphicon glyphicon-minus'></span> ";
+ }
+ echo htmlspecialchars($key);
+ echo "<br>";
} else {
- echo "<span class='glyphicon glyphicon-minus'></span> ";
+ echo "<!-- ";
+ echo "<span class='glyphicon glyphicon-remove'></span> - ";
+ echo htmlspecialchars($key);
+ echo " <br -->";
}
- echo htmlspecialchars($key);
- echo "<br>";
- } else {
- echo "<!-- ";
- echo "<span class='glyphicon glyphicon-remove'></span> - ";
- echo htmlspecialchars($key);
- echo " <br -->";
}
- }
- if ($bad_ciphersuite) {
- ?>
- <p><br>Ciphersuites containing <a href="https://en.wikipedia.org/wiki/Null_cipher">NULL</a>, <a href="https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States">EXP(ort)</a>, <a href="https://en.wikipedia.org/wiki/Weak_key">DES and RC4</a> are marked RED because they are suboptimal.</p>
- <?php
- }
-
- ?>
- </td>
- </tr>
- <?php
- } else {
- ?>
- <tr>
- <td>Ciphersuite</td>
- <td>
- <?php
- echo htmlspecialchars($context_meta['cipher_name']);
- echo " (".htmlspecialchars($context_meta['cipher_bits'])." bits)";
- ?>
- </td>
- </tr>
- <?php
- }
- ?>
- <tr>
- <td>
- <a href="http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html">TLS_FALLBACK_SCSV</a>
+ if ($bad_ciphersuite) {
+ ?>
+ <p><br>Ciphersuites containing <a href="https://en.wikipedia.org/wiki/Null_cipher">NULL</a>, <a href="https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States">EXP(ort)</a>, <a href="https://en.wikipedia.org/wiki/Weak_key">DES and RC4</a> are marked RED because they are suboptimal.</p>
+ <?php
+ }
+
+ ?>
</td>
- <td>
+ </tr>
<?php
- $fallback = tls_fallback_scsv($host, $port);
- // echo "<pre>";
- // var_dump($fallback);
- // echo "</pre>";
- if ($fallback['protocol_count'] == 1) {
- echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required.";
} else {
- if ($fallback['tls_fallback_scsv_support'] == 1) {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>";
- } else {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>";
- }
+ ?>
+ <tr>
+ <td>Ciphersuite</td>
+ <td>
+ <?php
+ echo htmlspecialchars($context_meta['cipher_name']);
+ echo " (".htmlspecialchars($context_meta['cipher_bits'])." bits)";
+ ?>
+ </td>
+ </tr>
+ <?php
}
?>
- </td>
- </tr>
- <?php
- $headers = server_http_headers($host, $port);
- ?>
- <tr>
- <td><a href="https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html">Strict Transport Security</a></td>
- <td>
- <?php
- if ( $headers["strict-transport-security"] ) {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
- if ( is_array($headers["strict-transport-security"])) {
- echo htmlspecialchars(substr($headers["strict-transport-security"][0], 0, 50));
- echo "<br > <i>HSTS header was found multiple times. Only showing the first one.</i>";
+ <tr>
+ <td>
+ <a href="http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html">TLS_FALLBACK_SCSV</a>
+ </td>
+ <td>
+ <?php
+ $fallback = tls_fallback_scsv($host, $port);
+ // echo "<pre>";
+ // var_dump($fallback);
+ // echo "</pre>";
+ if ($fallback['protocol_count'] == 1) {
+ echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required.";
} else {
- echo htmlspecialchars(substr($headers["strict-transport-security"], 0, 50));
+ if ($fallback['tls_fallback_scsv_support'] == 1) {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>";
+ } else {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>";
+ }
}
- echo "</span>";
- } else {
- echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>';
- }
?>
- </td>
- </tr>
- <tr>
- <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">HTTP Public Key Pinning Extension (HPKP)</a></td>
- <td>
- <?php
- if ( $headers["public-key-pins"] ) {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
- if ( is_array($headers["public-key-pins"])) {
- echo htmlspecialchars(substr($headers["public-key-pins"][0], 0, 255));
- echo "<br > <i>HPKP header was found multiple times. Only showing the first one.</i>";
- echo "</span>";
+ </td>
+ </tr>
+ <?php
+ $headers = server_http_headers($host, $port);
+ ?>
+ <tr>
+ <td><a href="https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html">Strict Transport Security</a></td>
+ <td>
+ <?php
+ if ( $headers["strict-transport-security"] ) {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
+ if ( is_array($headers["strict-transport-security"])) {
+ echo htmlspecialchars(substr($headers["strict-transport-security"][0], 0, 50));
+ echo "<br > <i>HSTS header was found multiple times. Only showing the first one.</i>";
+ } else {
+ echo htmlspecialchars(substr($headers["strict-transport-security"], 0, 50));
+ }
+ echo "</span>";
} else {
- echo htmlspecialchars(substr($headers["public-key-pins"], 0, 255));
+ echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>';
}
- } else {
- echo '<span>Not Set</span>';
- }
- ?>
- <?php
- if ( $headers["public-key-pins-report-only"] ) {
- echo "<b>Report Only</b>: ";
- if ( is_array($headers["public-key-pins-report-only"])) {
- echo htmlspecialchars(substr($headers["public-key-pins-report-only"][0], 0, 255));
- echo "<br > <i>HPKP Report Only header was found multiple times. Only showing the first one.</i>";
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">HTTP Public Key Pinning Extension (HPKP)</a></td>
+ <td>
+ <?php
+ if ( $headers["public-key-pins"] ) {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
+ if ( is_array($headers["public-key-pins"])) {
+ echo htmlspecialchars(substr($headers["public-key-pins"][0], 0, 255));
+ echo "<br > <i>HPKP header was found multiple times. Only showing the first one.</i>";
+ echo "</span>";
+ } else {
+ echo htmlspecialchars(substr($headers["public-key-pins"], 0, 255));
+ }
} else {
- echo htmlspecialchars(substr($headers["public-key-pins-report-only"], 0, 255));
+ echo '<span>Not Set</span>';
}
- }
- ?>
- </td>
- </tr>
- <tr>
- <td>OCSP Stapling</td>
- <td>
- <?php
- $stapling = ocsp_stapling($host,$port);
- if($stapling["working"] == 1) {
- echo "<table class='table'>";
- foreach ($stapling as $key => $value) {
- if ($key != "working") {
- echo "<tr><td>" . $key . "</td><td>" . $value . "</td></tr>";
+ ?>
+ <?php
+ if ( $headers["public-key-pins-report-only"] ) {
+ echo "<b>Report Only</b>: ";
+ if ( is_array($headers["public-key-pins-report-only"])) {
+ echo htmlspecialchars(substr($headers["public-key-pins-report-only"][0], 0, 255));
+ echo "<br > <i>HPKP Report Only header was found multiple times. Only showing the first one.</i>";
+ } else {
+ echo htmlspecialchars(substr($headers["public-key-pins-report-only"], 0, 255));
}
}
- echo "</table>";
- } else {
- echo "No response received.";
- }
- ?>
- </td>
- </tr>
- <tr>
- <td>This Server' OpenSSL Version</td>
- <td>
- <?php
- echo htmlspecialchars(shell_exec("openssl version"));
- ?>
- </td>
- </tr>
- <tr>
- <td>This Server' Date (RFC 2822)</td>
- <td>
- <?php
- echo htmlspecialchars(shell_exec("date --rfc-2822"));
- ?>
- </td>
- </tr>
- </tbody>
- </table>
- </section>
- <?php
- } else {
- return false;
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>OCSP Stapling</td>
+ <td>
+ <?php
+ $stapling = ocsp_stapling($host,$port);
+ if($stapling["working"] == 1) {
+ echo "<table class='table'>";
+ foreach ($stapling as $key => $value) {
+ if ($key != "working") {
+ echo "<tr><td>" . $key . "</td><td>" . $value . "</td></tr>";
+ }
+ }
+ echo "</table>";
+ } else {
+ echo "No response received.";
+ }
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>This Server' OpenSSL Version</td>
+ <td>
+ <?php
+ echo htmlspecialchars(shell_exec("openssl version"));
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>This Server' Date (RFC 2822)</td>
+ <td>
+ <?php
+ echo htmlspecialchars(shell_exec("date --rfc-2822"));
+ ?>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </section>
+ <?php
+ } else {
+ return false;
+ }
}
}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) {
+ $result = array();
+ global $random_blurp;
+ global $current_folder;
+ $context = stream_context_get_params($read_stream);
+ $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta'];
+ $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0];
+ //chain
+ if (isset($context_meta)) {
+ if (isset($chain_data)) {
+
+ $chain_length = count($chain_data);
+ $certificate_chain = array();
+ if ($chain_length <= 10) {
+ for ($i = 0; $i < $chain_length; $i++) {
+ if (openssl_x509_parse($chain_data[$i])['issuer']['CN'] && openssl_x509_parse($chain_data[$i])['subject']['CN']) {
+ $result["chain"][$i]["name"] = openssl_x509_parse($chain_data[$i])['subject']['CN'];
+ $result["chain"][$i]["issuer"] = openssl_x509_parse($chain_data[$i])['issuer']['CN'];
+ $export_pem = "";
+ openssl_x509_export($chain_data[$i], $export_pem);
+ array_push($certificate_chain, $export_pem);
+ if (openssl_x509_parse($chain_data[$i])['issuer']['CN'] == openssl_x509_parse($chain_data[$i + 1])['subject']['CN']){
+ continue;
+ } else {
+ if ($i != $chain_length - 1) {
+ $result["chain"][$i]["error"] = "Issuer does not match the next certificate CN. Chain order is probaby wrong.";
+ }
+ }
+ }
+ }
+ }
+ // chain validation
+ file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND);
+ $verify_output = 0;
+ $verify_exit_code = 0;
+ $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code);
+
+ if ($verify_exit_code != 1) {
+ $result["chain"]["validation"]["status"] = "failed";
+ $result["chain"]["validation"]["error"] = "Error: Validating certificate chain failed: " . str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output));
+ } else {
+ $result["chain"]["validation"]["status"] = "success";
+ }
+ unlink('/tmp/verify_cert.' . $random_blurp . '.pem');
+ }
+ // hostname ip port
+ if (fixed_gethostbyname($host)) {
+ $result["ip"] = fixed_gethostbyname($host);
+ $result["hostname"] = gethostbyaddr(fixed_gethostbyname($host));
+ $result["port"] = $port;
+ }
+
+ // protocols
+ $result["protocols"] = array_reverse(ssl_conn_protocols($host, $port));
+
+ // ciphersuites
+ if ($_GET['ciphersuites'] == 1) {
+ $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-SHA384',
+ 'ECDHE-ECDSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA',
+ 'ECDHE-ECDSA-AES256-SHA',
+ 'SRP-DSS-AES-256-CBC-SHA',
+ 'SRP-RSA-AES-256-CBC-SHA',
+ 'SRP-AES-256-CBC-SHA',
+ 'DH-DSS-AES256-GCM-SHA384',
+ 'DHE-DSS-AES256-GCM-SHA384',
+ 'DH-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-SHA256',
+ 'DHE-DSS-AES256-SHA256',
+ 'DH-RSA-AES256-SHA256',
+ 'DH-DSS-AES256-SHA256',
+ 'DHE-RSA-AES256-SHA',
+ 'DHE-DSS-AES256-SHA',
+ 'DH-RSA-AES256-SHA',
+ 'DH-DSS-AES256-SHA',
+ 'DHE-RSA-CAMELLIA256-SHA',
+ 'DHE-DSS-CAMELLIA256-SHA',
+ 'DH-RSA-CAMELLIA256-SHA',
+ 'DH-DSS-CAMELLIA256-SHA',
+ 'ECDH-RSA-AES256-GCM-SHA384',
+ 'ECDH-ECDSA-AES256-GCM-SHA384',
+ 'ECDH-RSA-AES256-SHA384',
+ 'ECDH-ECDSA-AES256-SHA384',
+ 'ECDH-RSA-AES256-SHA',
+ 'ECDH-ECDSA-AES256-SHA',
+ 'AES256-GCM-SHA384',
+ 'AES256-SHA256',
+ 'AES256-SHA',
+ 'CAMELLIA256-SHA',
+ 'PSK-AES256-CBC-SHA',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'ECDHE-ECDSA-AES128-SHA256',
+ 'ECDHE-RSA-AES128-SHA',
+ 'ECDHE-ECDSA-AES128-SHA',
+ 'SRP-DSS-AES-128-CBC-SHA',
+ 'SRP-RSA-AES-128-CBC-SHA',
+ 'SRP-AES-128-CBC-SHA',
+ 'DH-DSS-AES128-GCM-SHA256',
+ 'DHE-DSS-AES128-GCM-SHA256',
+ 'DH-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-SHA256',
+ 'DHE-DSS-AES128-SHA256',
+ 'DH-RSA-AES128-SHA256',
+ 'DH-DSS-AES128-SHA256',
+ 'DHE-RSA-AES128-SHA',
+ 'DHE-DSS-AES128-SHA',
+ 'DH-RSA-AES128-SHA',
+ 'DH-DSS-AES128-SHA',
+ 'DHE-RSA-SEED-SHA',
+ 'DHE-DSS-SEED-SHA',
+ 'DH-RSA-SEED-SHA',
+ 'DH-DSS-SEED-SHA',
+ 'DHE-RSA-CAMELLIA128-SHA',
+ 'DHE-DSS-CAMELLIA128-SHA',
+ 'DH-RSA-CAMELLIA128-SHA',
+ 'DH-DSS-CAMELLIA128-SHA',
+ 'ECDH-RSA-AES128-GCM-SHA256',
+ 'ECDH-ECDSA-AES128-GCM-SHA256',
+ 'ECDH-RSA-AES128-SHA256',
+ 'ECDH-ECDSA-AES128-SHA256',
+ 'ECDH-RSA-AES128-SHA',
+ 'ECDH-ECDSA-AES128-SHA',
+ 'AES128-GCM-SHA256',
+ 'AES128-SHA256',
+ 'AES128-SHA',
+ 'SEED-SHA',
+ 'CAMELLIA128-SHA',
+ 'IDEA-CBC-SHA',
+ 'PSK-AES128-CBC-SHA',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'SRP-DSS-3DES-EDE-CBC-SHA',
+ 'SRP-RSA-3DES-EDE-CBC-SHA',
+ 'SRP-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'PSK-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
+
+ $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'RC4-MD5',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
+
+ $tested_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test);
+ $result["supported_ciphersuites"] = array();
+ foreach ($tested_ciphersuites as $key => $value) {
+ if ($value == true) {
+ $result["supported_ciphersuites"][] = $key;
+ }
+ }
+
+ } else {
+ $result["used_ciphersuite"]["name"] = $context_meta['cipher_name'];
+ $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits'];
+ }
+ // tls_fallback_scsv
+ $fallback = tls_fallback_scsv($host, $port);
+ if ($fallback['protocol_count'] == 1) {
+ $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required.";
+ } else {
+ if ($fallback['tls_fallback_scsv_support'] == 1) {
+ $result["tls_fallback_scsv"] = "supported";
+ } else {
+ $result["tls_fallback_scsv"] = "unsupported";
+ }
+ }
+ //hsts
+ $headers = server_http_headers($host, $port);
+ if ($headers["strict-transport-security"]) {
+ if ( is_array($headers["strict-transport-security"])) {
+ $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50);
+ } else {
+ $result["strict_transport_security"] = substr($headers["strict-transport-security"], 0, 50);
+ }
+ } else {
+ $result["strict_transport_security"] = 'not set';
+ }
+ //hpkp
+ if ( $headers["public-key-pins"] ) {
+ if ( is_array($headers["public-key-pins"])) {
+ $result["public_key_pins"] = substr($headers["public-key-pins"][0], 0, 255);
+ } else {
+ $result["public_key_pins"] = substr($headers["public-key-pins"], 0, 255);
+ }
+ } else {
+ $result["public_key_pins"] = 'not set';
+ }
+ if ( $headers["public-key-pins-report-only"] ) {
+ if ( is_array($headers["public-key-pins-report-only"])) {
+ $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"][0], 0, 255);
+ } else {
+ $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"], 0, 255);
+ }
+ }
+ // ocsp stapling
+ $stapling = ocsp_stapling($host,$port);
+ if($stapling["working"] == 1) {
+ $result["ocsp_stapling"] = $stapling;
+ } else {
+ $result["ocsp_stapling"] = "not set";
+ }
+
+ $result["openssl_version"] = shell_exec("openssl version");
+ $result["datetime_rfc2822"] = shell_exec("date --rfc-2822");
+ }
+ return $result;
}
+
+
+
+
?>
diff --git a/functions/crl.php b/functions/crl.php
index 3491a95..9c062c5 100644
--- a/functions/crl.php
+++ b/functions/crl.php
@@ -98,4 +98,83 @@ function crl_verify($raw_cert_data, $verbose=true) {
}
}
+
+function crl_verify_json($raw_cert_data) {
+ global $random_blurp;
+ $result = [];
+ $cert_data = openssl_x509_parse($raw_cert_data);
+ $cert_serial_nm = strtoupper(bcdechex($cert_data['serialNumber']));
+ $crl_uris = [];
+ $crl_uri = explode("\nFull Name:\n ", $cert_data['extensions']['crlDistributionPoints']);
+ foreach ($crl_uri as $key => $uri) {
+ if (isset($uri) ) {
+ $uri = explode("URI:", $uri);
+ $uri = $uri[1];
+ if (isset($uri) ) {
+ $crl_uris[] = preg_replace('/\s+/', '', $uri);
+ }
+ }
+ }
+ foreach ($crl_uris as $key => $uri) {
+ $crl_no = $key+1;
+ if (0 === strpos($uri, 'http')) {
+ $result[$crl_no]["crl_uri"] = $uri;
+ $fp = fopen ("/tmp/" . $random_blurp . "." . $key . ".crl", 'w+');
+ $ch = curl_init(($uri));
+ curl_setopt($ch, CURLOPT_TIMEOUT, 2);
+ curl_setopt($ch, CURLOPT_FILE, $fp);
+ curl_setopt($ch, CURLOPT_FAILONERROR, true);
+ curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+ if(curl_exec($ch) === false) {
+ $result[$crl_no]["error"] = 'Curl error: ' . htmlspecialchars(curl_error($ch));
+ return $result;
+ }
+ curl_close($ch);
+ if(stat("/tmp/" . $random_blurp . "." . escapeshellcmd($key) . ".crl")['size'] < 10 ) {
+ $result[$crl_no]["error"] = "crl could not be retreived";
+ }
+ $crl_text = shell_exec("openssl crl -noout -text -inform der -in /tmp/" . $random_blurp . "." . escapeshellcmd($key) . ".crl 2>&1");
+
+ $crl_last_update = shell_exec("openssl crl -noout -lastupdate -inform der -in /tmp/" . $random_blurp . "." . escapeshellcmd($key) . ".crl");
+ $crl_last_update = explode("=", $crl_last_update)[1];
+
+ $crl_next_update = shell_exec("openssl crl -noout -nextupdate -inform der -in /tmp/" . $random_blurp . "." . escapeshellcmd($key) . ".crl");
+ $crl_next_update = explode("=", $crl_next_update)[1];
+
+ unlink("/tmp/" . $random_blurp . "." . escapeshellcmd($key) . ".crl");
+
+ if ( strpos($crl_text, "unable to load CRL") === 0 ) {
+ $result[$crl_no]["status"] = "invalid";
+ }
+
+ $crl_info = explode("Revoked Certificates:", $crl_text)[0];
+ $crl_certificates = explode("Revoked Certificates:", $crl_text)[1];
+ $crl_certificates = explode("Serial Number:", $crl_certificates);
+ $revcert = array();
+ foreach ($crl_certificates as $key => $revoked_certificate) {
+ if (!empty($revoked_certificate)) {
+ $revcert[str_replace(" ", "", explode("\n", $revoked_certificate)[0])] = str_replace(" Revocation Date: ", "", explode("\n", $revoked_certificate)[1]);
+ }
+ }
+ if( array_key_exists($cert_serial_nm, $revcert) ) {
+ $result[$crl_no]["status"] = "revoked";
+ $result[$crl_no]["revoked_on"] = $revcert[$cert_serial_nm];
+ $result[$crl_no]["crl_last_update"] = $crl_last_update;
+ $result[$crl_no]["crl_next_update"] = $crl_next_update;
+ } else {
+ $result[$crl_no]["status"] = "ok";
+ $result[$crl_no]["crl_last_update"] = $crl_last_update;
+ $result[$crl_no]["crl_next_update"] = $crl_next_update;
+ }
+ }
+ }
+ return $result;
+}
+
+
+
+
?> \ No newline at end of file
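Review bot: An unloadable CRL is still reported as `ok`: the `invalid` status set at the `unable to load CRL` check is overwritten a few lines later, because an empty `$revcert` makes `array_key_exists` false and the else branch assigns `ok`. Add `continue;` directly after `$result[$crl_no]["status"] = "invalid";` (the temp file is already unlinked at that point) so the revocation-list parsing is skipped; the `< 10` size check has the same shape, recording an error but still running openssl on the file. Note also that the CRL's signature is never verified (`openssl crl` is run without `-CAfile`) while the download sets `CURLOPT_SSL_VERIFYPEER` to false, so the `ok`/`revoked` answer is derived from an unauthenticated document; passing the issuer certificate via `-CAfile` and checking the verify result would close that gap. The early `return $result` on a curl failure also leaves `$fp` open and the partially written temp file behind, and aborts the remaining CRL URIs — `fclose($fp)` and `unlink` the file, then `continue` rather than return.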
diff --git a/functions/ocsp.php b/functions/ocsp.php
index 299a1fd..c9d43eb 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
@@ -15,92 +15,153 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
function ocsp_stapling($host, $port){
- $result = "";
- $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
- if (strpos($output, "no response sent") !== false) {
- $result = array("working" => 0,
- "cert_status" => "No response sent");
- return;
- }
- if (strpos($output, "OCSP Response Data:") !== false) {
- $lines = array();
- $output = preg_replace("/[[:blank:]]+/"," ", $output);
- $stapling_status_lines = explode("\n", $output);
- $stapling_status_lines = array_map('trim', $stapling_status_lines);
- foreach($stapling_status_lines as $line) {
- if(endsWith($line, ":") == false) {
- list($k, $v) = explode(":", $line);
- $lines[trim($k)] = trim($v);
- }
- }
- $result = array("working" => 1,
- "Cert Status" => $lines["Cert Status"],
- "This Update" => $lines["This Update"],
- "Next Update" => $lines["Next Update"],
- "Responder ID" => $lines["Responder Id"],
- "Hash Algorithm" => $lines["Hash Algorithm"],
- "Signature Algorithm" => $lines["Signature Algorithm"],
- "Issuer Name Hash" => $lines["Issuer Name Hash"]);
+ $result = "";
+ $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+ if (strpos($output, "no response sent") !== false) {
+ $result = array("working" => 0,
+ "cert_status" => "No response sent");
+ return;
+ }
+ if (strpos($output, "OCSP Response Data:") !== false) {
+ $lines = array();
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $stapling_status_lines = explode("\n", $output);
+ $stapling_status_lines = array_map('trim', $stapling_status_lines);
+ foreach($stapling_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line);
+ $lines[trim($k)] = trim($v);
+ }
}
- return $result;
+ $result = array("working" => 1,
+ "Cert Status" => $lines["Cert Status"],
+ "This Update" => $lines["This Update"],
+ "Next Update" => $lines["Next Update"],
+ "Responder ID" => $lines["Responder Id"],
+ "Hash Algorithm" => $lines["Hash Algorithm"],
+ "Signature Algorithm" => $lines["Signature Algorithm"],
+ "Issuer Name Hash" => $lines["Issuer Name Hash"]);
+ }
+ return $result;
}
function ocsp_verify($raw_cert_data, $raw_next_cert_data) {
- global $random_blurp;
- $cert_data = openssl_x509_parse($raw_cert_data);
- $tmp_dir = '/tmp/';
- $root_ca = getcwd() . '/cacert.pem';
-
- $pem_issuer = "";
- $pem_client = "";
- $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
- $ocsp_uri = explode("\n", $ocsp_uri)[0];
- $ocsp_uri = explode(" ", $ocsp_uri)[0];
- if (empty($ocsp_uri) ) {
- $result = array('unknown' => "Could not find OCSP URI", );
- return $result;
+ global $random_blurp;
+ $cert_data = openssl_x509_parse($raw_cert_data);
+ $tmp_dir = '/tmp/';
+ $root_ca = getcwd() . '/cacert.pem';
+
+ $pem_issuer = "";
+ $pem_client = "";
+ $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
+ $ocsp_uri = explode("\n", $ocsp_uri)[0];
+ $ocsp_uri = explode(" ", $ocsp_uri)[0];
+ if (empty($ocsp_uri) ) {
+ $result = array('unknown' => "Could not find OCSP URI", );
+ return $result;
+ }
+ openssl_x509_export($raw_cert_data, $pem_client);
+ openssl_x509_export($raw_next_cert_data, $pem_issuer);
+ openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
+ openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+
+ // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
+ $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+
+ //echo '<pre>' . htmlspecialchars('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1') . '</pre>';
+
+ $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+ $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+
+
+
+ $lines = array();
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $ocsp_status_lines = explode("\n", $output);
+ $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
+ foreach($ocsp_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line, 2);
+ $lines[trim($k)] = trim($v);
}
- openssl_x509_export($raw_cert_data, $pem_client);
- openssl_x509_export($raw_next_cert_data, $pem_issuer);
- openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
- openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+ }
- // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
- $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+ $result = array("This Update" => $lines["This Update"],
+ "Next Update" => $lines["Next Update"],
+ "Reason" => $lines["Reason"],
+ "Revocation Time" => $lines["Revocation Time"],
+ "ocsp_verify_status" => $lines[$tmp_dir . $random_blurp . ".cert_client.pem"]);
+ if ($result["ocsp_verify_status"] == "good") {
+ $result["good"] = $filter_output;
+ } else if ($result["ocsp_verify_status"] == "revoked") {
+ $result["revoked"] = $filter_output;
+ } else {
+ $result["unknown"] = $filter_output;
+ }
+ unlink($tmp_dir.$random_blurp.'.cert_client.pem');
+ unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
+ return $result;
+}
- //echo '<pre>' . htmlspecialchars('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1') . '</pre>';
- $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
- $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
+ global $random_blurp;
+ $result = array();
+ $tmp_dir = '/tmp/';
+ $root_ca = getcwd() . '/cacert.pem';
+ $pem_issuer = "";
+ $pem_client = "";
+ openssl_x509_export($raw_cert_data, $pem_client);
+ openssl_x509_export($raw_next_cert_data, $pem_issuer);
+ openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
+ openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+ // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
+ $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+ $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+
+ $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
- $lines = array();
- $output = preg_replace("/[[:blank:]]+/"," ", $output);
- $ocsp_status_lines = explode("\n", $output);
- $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
- foreach($ocsp_status_lines as $line) {
- if(endsWith($line, ":") == false) {
- list($k, $v) = explode(":", $line, 2);
- $lines[trim($k)] = trim($v);
- }
- }
-
- $result = array("This Update" => $lines["This Update"],
- "Next Update" => $lines["Next Update"],
- "Reason" => $lines["Reason"],
- "Revocation Time" => $lines["Revocation Time"],
- "ocsp_verify_status" => $lines[$tmp_dir . $random_blurp . ".cert_client.pem"]);
- if ($result["ocsp_verify_status"] == "good") {
- $result["good"] = $filter_output;
- } else if ($result["ocsp_verify_status"] == "revoked") {
- $result["revoked"] = $filter_output;
- } else {
- $result["unknown"] = $filter_output;
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $ocsp_status_lines = explode("\n", $output);
+ $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
+ foreach($ocsp_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line, 2);
+ if (trim($k)) {
+ $lines[trim($k)] = trim($v);
+ }
}
- unlink($tmp_dir.$random_blurp.'.cert_client.pem');
- unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
- return $result;
+ }
+
+ if ($lines[$tmp_dir . $random_blurp . ".cert_client.pem"] == "good") {
+ $result["status"] = "good";
+ } else if ($lines[$tmp_dir . $random_blurp . ".cert_client.pem"] == "revoked") {
+ $result["status"] = "revoked";
+ } else {
+ $result["error"] = $filter_output;
+ $result["status"] = "unknown";
+ }
+
+ if (isset($lines["This Update"])) {
+ $result["this_update"] = $lines["This Update"];
+ }
+ if (isset($lines["Next Update"])) {
+ $result["next_update"] = $lines["Next Update"];
+ }
+ if (isset($lines["Reason"])) {
+ $result["reason"] = $lines["Reason"];
+ }
+ if (isset($lines["Revocation Time"])) {
+ $result["revocation_time"] = $lines["Revocation Time"];
+ }
+ $result["ocsp_uri"] = $ocsp_uri;
+
+ unlink($tmp_dir.$random_blurp.'.cert_client.pem');
+ unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
+
+ return $result;
}
?> \ No newline at end of file
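Review bot: `ocsp_verify_json` builds the `openssl ocsp` command with `escapeshellcmd($ocsp_uri)` and `escapeshellcmd($ocsp_host)` wrapped in double quotes; escapeshellcmd is meant for a whole command line and leaves paired quotes untouched, so it is not a reliable way to quote a single argument. Since `$ocsp_uri` presumably originates from the peer certificate's authorityInfoAccess extension (as `ocsp_verify` above extracts it), use `'-url ' . escapeshellarg($ocsp_uri) . ' -header HOST ' . escapeshellarg($ocsp_host)` instead; the identical commands in `ocsp_verify` need the same change. The responder is also queried twice (`$output` and `$filter_output` run the same command, the second piped through grep), which doubles the network round-trips and can produce two different answers for one check — run it once and filter the lines in PHP. Minor: `$lines` is never initialised before the `foreach` (unlike `$lines = array();` in `ocsp_verify`), and `$pem_issuer`/`$pem_client` are exported but never used.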
diff --git a/functions/parse_certificate.php b/functions/parse_certificate.php
index 069b047..1c7c959 100644
--- a/functions/parse_certificate.php
+++ b/functions/parse_certificate.php
@@ -21,645 +21,807 @@ function get_cert_cn($raw_cert_data){
}
}
- function cert_parse($raw_cert_data, $raw_next_cert_data=null, $csr=false, $host=null, $port=null, $is_issuer=false) {
- global $random_blurp;
- global $ev_oids;
+function cert_parse($raw_cert_data, $raw_next_cert_data=null, $csr=false, $host=null, $port=null, $is_issuer=false) {
+ global $random_blurp;
+ global $ev_oids;
- if ($csr == true && strpos($raw_cert_data, "BEGIN CERTIFICATE REQUEST") !== false) {
- ?>
- <table class="table table-striped table-bordered">
- <tr>
- <td colspan="2"><strong>Certificate Data</strong></td>
- </tr>
- <?php
- $cert_data = openssl_csr_get_public_key($raw_cert_data);
-
- $cert_details = openssl_pkey_get_details($cert_data);
- $cert_key = $cert_details['key'];
- $cert_subject = openssl_csr_get_subject($raw_cert_data);
-
- foreach ($cert_subject as $key => $value) {
- echo "<tr><td>";
- switch ($key) {
- case 'C':
- echo "Country";
- break;
- case 'ST':
- echo "State";
- break;
- case 'L':
- echo "City";
- break;
- case 'O':
- echo "Organization";
- break;
- case 'OU':
- echo "Organizational Unit";
- break;
- case 'CN':
- echo "Common Name";
- break;
- case 'mail':
- echo "Email Address";
- break;
- default:
- echo htmlspecialchars($key);
- break;
- }
+ if ($csr == true && strpos($raw_cert_data, "BEGIN CERTIFICATE REQUEST") !== false) {
+ ?>
+ <table class="table table-striped table-bordered">
+ <tr>
+ <td colspan="2"><strong>Certificate Data</strong></td>
+ </tr>
+ <?php
+ $cert_data = openssl_csr_get_public_key($raw_cert_data);
- echo "</td><td>";
- switch ($key) {
- case 'C':
- echo htmlspecialchars($value);
- echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
- echo strtolower(htmlspecialchars($value));
- echo '" alt="" />';
- break;
- case 'DC':
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . ".";
- }
- break;
- default:
- if (is_array($value)) {
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . " ";
- }
- } else {
- echo htmlspecialchars($value);
- }
- break;
- }
+ $cert_details = openssl_pkey_get_details($cert_data);
+ $cert_key = $cert_details['key'];
+ $cert_subject = openssl_csr_get_subject($raw_cert_data);
- echo "</td></tr>\n";
+ foreach ($cert_subject as $key => $value) {
+ echo "<tr><td>";
+ switch ($key) {
+ case 'C':
+ echo "Country";
+ break;
+ case 'ST':
+ echo "State";
+ break;
+ case 'L':
+ echo "City";
+ break;
+ case 'O':
+ echo "Organization";
+ break;
+ case 'OU':
+ echo "Organizational Unit";
+ break;
+ case 'CN':
+ echo "Common Name";
+ break;
+ case 'mail':
+ echo "Email Address";
+ break;
+ default:
+ echo htmlspecialchars($key);
+ break;
+ }
+
+ echo "</td><td>";
+ switch ($key) {
+ case 'C':
+ echo htmlspecialchars($value);
+ echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
+ echo strtolower(htmlspecialchars($value));
+ echo '" alt="" />';
+ break;
+ case 'DC':
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . ".";
+ }
+ break;
+ default:
+ if (is_array($value)) {
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . " ";
}
- echo "</table>";
- return;
} else {
- $cert_data = openssl_x509_parse($raw_cert_data);
- }
- if (empty($cert_data)) {
- echo "Data not valid.";
- continue;
+ echo htmlspecialchars($value);
}
- ?>
- <table class="table table-striped table-bordered">
- <tr>
- <td colspan="2"><strong>Certificate Data</strong></td>
- </tr>
- <?php
- $next_cert_data = openssl_x509_parse($raw_next_cert_data);
- $today = date("Y-m-d");
- echo "<tr><td colspan='2'>\n";
- echo "<table class='table'>\n";
- echo "<thead><tr>\n";
- echo "<th>Hostname</th>\n";
- echo "<th>Not Expired</th>\n";
- echo "<th>Issuer</th>\n";
- echo "<th>CRL</th>\n";
- echo "<th>OCSP</th>\n";
- echo "<th>Signing Type</th>\n";
- echo "</tr>\n</thead>\n<tbody>\n<tr>";
- // hostname
- if ($is_issuer == false) {
- if ($csr == false) {
- if ($cert_data['subject']['CN']) {
- if ( verify_certificate_hostname($raw_cert_data, $host, $port) ) {
- echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1></td>';
- } else {
- echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1></td>';
- }
- }
- } else {
- echo "<td></td>";
- }
- } else {
- echo "<td></td>";
- }
- // expired
- if ( $today > date(DATE_RFC2822,$cert_data['validFrom_time_t']) || strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) {
+ break;
+ }
+
+ echo "</td></tr>\n";
+ }
+ echo "</table>";
+ return;
+ } else {
+ $cert_data = openssl_x509_parse($raw_cert_data);
+ }
+ if (empty($cert_data)) {
+ echo "Data not valid.";
+ continue;
+ }
+ ?>
+ <table class="table table-striped table-bordered">
+ <tr>
+ <td colspan="2"><strong>Certificate Data</strong></td>
+ </tr>
+ <?php
+ $next_cert_data = openssl_x509_parse($raw_next_cert_data);
+ $today = date("Y-m-d");
+ echo "<tr><td colspan='2'>\n";
+ echo "<table class='table'>\n";
+ echo "<thead><tr>\n";
+ echo "<th>Hostname</th>\n";
+ echo "<th>Not Expired</th>\n";
+ echo "<th>Issuer</th>\n";
+ echo "<th>CRL</th>\n";
+ echo "<th>OCSP</th>\n";
+ echo "<th>Signing Type</th>\n";
+ echo "</tr>\n</thead>\n<tbody>\n<tr>";
+ // hostname
+ if ($is_issuer == false) {
+ if ($csr == false) {
+ if ($cert_data['subject']['CN']) {
+ if ( verify_certificate_hostname($raw_cert_data, $host) ) {
echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1></td>';
} else {
echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1></td>';
}
+ }
+ } else {
+ echo "<td></td>";
+ }
+ } else {
+ echo "<td></td>";
+ }
+// expired
+ if ( $today > date(DATE_RFC2822,$cert_data['validFrom_time_t']) || strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) {
+ echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1></td>';
+ } else {
+ echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1></td>';
+ }
// issuer
- if ($raw_next_cert_data) {
- if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data) ) {
- echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1></td>';
- } else {
- echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1></td>';
+ if ($raw_next_cert_data) {
+ if (verify_cert_issuer_by_subject_hash($raw_cert_data, $raw_next_cert_data) ) {
+ echo '<td><h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1></td>';
+ } else {
+ echo '<td><h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1></td>';
+ }
+ } else {
+ echo '<td> </td>';
+ }
+// crl
+ if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) {
+ echo "<td><h1>" . crl_verify($raw_cert_data, false) . " &nbsp; </h1></td>";
+ } else {
+ echo '<td> </td>';
+ }
+// ocsp
+ if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) {
+ echo "<td>";
+ $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
+ $ocsp_uri = explode("\n", $ocsp_uri)[0];
+ $ocsp_uri = explode(" ", $ocsp_uri)[0];
+ if (!empty($ocsp_uri)) {
+ $ocsp_result = ocsp_verify($raw_cert_data, $raw_next_cert_data);
+ if ($ocsp_result["ocsp_verify_status"] == "good") {
+ echo '<h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1>';
+ } else if ($ocsp_result["ocsp_verify_status"] == "revoked") {
+ echo '<h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1>';
+ } else {
+ echo '<h1><span class="text-danger glyphicon glyphicon-question-sign"></span>&nbsp;</h1>';
+ }
+ } else {
+ echo "<td></td>";
+ }
+ echo "</td>";
+ } else {
+ echo "<td> </td>";
+ }
+ // self signed/ca/ca root
+ if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false && $cert_data['issuer']['CN'] == $cert_data['subject']['CN'] ) {
+ echo '<td><span class="text-success">CA Root Certificate</span></td>';
+ } else if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false) {
+ echo '<td><span class="text-success">CA Certificate</span></td>';
+ } else if ($cert_data['issuer']['CN'] == $cert_data['subject']['CN']) {
+ echo '<td><span class="text-danger">Self Signed</span></td>';
+ } else {
+ echo "<td>Signed by CA</td>";
+ }
+ echo "</tr>";
+ echo "</tbody></table>";
+ echo "</td></tr>";
+
+
+ if (!empty($cert_data['subject']) ) {
+ foreach ($cert_data['subject'] as $key => $value) {
+ echo "<tr><td>";
+ switch ($key) {
+ case 'C':
+ echo "Country";
+ break;
+ case 'ST':
+ echo "State";
+ break;
+ case 'L':
+ echo "City";
+ break;
+ case 'O':
+ echo "Organization";
+ break;
+ case 'OU':
+ echo "Organizational Unit";
+ break;
+ case 'CN':
+ echo "Common Name";
+ break;
+ case 'mail':
+ echo "Email Address";
+ break;
+ case 'businessCategory':
+ echo "Business Type";
+ break;
+ default:
+ echo htmlspecialchars($key);
+ break;
+ }
+ echo "</td><td>";
+ switch ($key) {
+ case 'C':
+ echo htmlspecialchars($value);
+ echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
+ echo strtolower(htmlspecialchars($value));
+ echo '" alt="" />';
+ break;
+ case 'DC':
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . ".";
+ }
+ break;
+ default:
+ if (is_array($value)) {
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . " ";
}
} else {
- echo '<td> </td>';
+ echo htmlspecialchars($value);
}
-// crl
- if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) {
- echo "<td><h1>" . crl_verify($raw_cert_data, false) . " &nbsp; </h1></td>";
- } else {
- echo '<td> </td>';
+ break;
+ }
+ echo "</td></tr>\n";
+ }
+
+
+ }
+ if (!empty($cert_data['extensions']['subjectAltName'])) {
+ ?>
+ <tr>
+ <td>Subject Alternative Names</td>
+ <td>
+ <?php
+ foreach ( explode("DNS:", $cert_data['extensions']['subjectAltName']) as $altName ) {
+ if ( !empty(str_replace(',', " ", "$altName"))) {
+ echo htmlspecialchars(str_replace(',', " ", "$altName"));
+ echo "<br>";
+ }
+ }
+ ?>
+ </td>
+ </tr>
+ <?php
+ }
+ ?>
+ <tr>
+ <td>Type</td>
+ <td>
+ <?php
+ if ( array_search(explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0])[1], $ev_oids) ) {
+ echo '<span class="text-success">Extended Validation</span>';
+ } else if ( isset($cert_data['subject']['O'] ) ) {
+ echo "Organisation Validation";
+ } else if ( isset($cert_data['subject']['CN'] ) ) {
+ echo "Domain Validation";
+ }
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>Full Subject</td>
+ <td><?php echo htmlspecialchars($cert_data['name']); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2"><strong>Issuer</strong></td>
+ </tr>
+ <?php
+ if (!empty($cert_data['issuer']) ) {
+ foreach ($cert_data['issuer'] as $key => $value) {
+ echo "<tr><td>";
+ switch ($key) {
+ case 'C':
+ echo "Country";
+ break;
+ case 'ST':
+ echo "State";
+ break;
+ case 'L':
+ echo "City";
+ break;
+ case 'O':
+ echo "Organization";
+ break;
+ case 'OU':
+ echo "Organizational Unit";
+ break;
+ case 'CN':
+ echo "Common Name";
+ break;
+ case 'mail':
+ echo "Email Address";
+ break;
+ case 'emailAddress':
+ echo "Email Address";
+ break;
+ default:
+ echo htmlspecialchars($key);
+ break;
+ }
+ echo "</td><td>";
+ switch ($key) {
+ case 'C':
+ echo htmlspecialchars($value);
+ echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
+ echo strtolower(htmlspecialchars($value));
+ echo '" alt="" />';
+ break;
+ case 'DC':
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . ".";
}
-// ocsp
- if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) {
- echo "<td>";
- $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
- $ocsp_uri = explode("\n", $ocsp_uri)[0];
- $ocsp_uri = explode(" ", $ocsp_uri)[0];
- if (!empty($ocsp_uri)) {
- $ocsp_result = ocsp_verify($raw_cert_data, $raw_next_cert_data);
- if ($ocsp_result["ocsp_verify_status"] == "good") {
- echo '<h1><span class="text-success glyphicon glyphicon-ok"></span>&nbsp;</h1>';
- } else if ($ocsp_result["ocsp_verify_status"] == "revoked") {
- echo '<h1><span class="text-danger glyphicon glyphicon-remove"></span>&nbsp;</h1>';
- } else {
- echo '<h1><span class="text-danger glyphicon glyphicon-question-sign"></span>&nbsp;</h1>';
- }
- } else {
- echo "<td></td>";
+ break;
+ default:
+ if (is_array($value)) {
+ foreach ($value as $key => $value) {
+ echo htmlspecialchars($value) . " ";
}
- echo "</td>";
} else {
- echo "<td> </td>";
+ echo htmlspecialchars($value);
}
- // self signed/ca/ca root
- if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false && $cert_data['issuer']['CN'] == $cert_data['subject']['CN'] ) {
- echo '<td><span class="text-success">CA Root Certificate</span></td>';
- } else if (strpos($cert_data['extensions']['basicConstraints'], "CA:TRUE") !== false) {
- echo '<td><span class="text-success">CA Certificate</span></td>';
- } else if ($cert_data['issuer']['CN'] == $cert_data['subject']['CN']) {
- echo '<td><span class="text-danger">Self Signed</span></td>';
+ break;
+ }
+ echo "</td></tr>\n";
+ }
+ }
+ ?>
+ <tr>
+ <td colspan="2"><strong>Validity</strong></td>
+ </tr>
+ <?php
+ if ( !empty($cert_data['validFrom_time_t']) ) {
+ ?>
+ <tr>
+ <td>Valid From</td>
+ <td>
+ <?php
+ if ( $today < date(DATE_RFC2822,$cert_data['validFrom_time_t']) ) {
+ echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>';
+ echo '<span class="text-success"> - ';
} else {
- echo "<td>Signed by CA</td>";
+ echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>';
+ echo '<span class="text-danger"> - ';
+
}
- echo "</tr>";
- echo "</tbody></table>";
- echo "</td></tr>";
-
-
- if (!empty($cert_data['subject']) ) {
- foreach ($cert_data['subject'] as $key => $value) {
- echo "<tr><td>";
- switch ($key) {
- case 'C':
- echo "Country";
- break;
- case 'ST':
- echo "State";
- break;
- case 'L':
- echo "City";
- break;
- case 'O':
- echo "Organization";
- break;
- case 'OU':
- echo "Organizational Unit";
- break;
- case 'CN':
- echo "Common Name";
- break;
- case 'mail':
- echo "Email Address";
- break;
- case 'businessCategory':
- echo "Business Type";
- break;
- default:
- echo htmlspecialchars($key);
- break;
- }
- echo "</td><td>";
- switch ($key) {
- case 'C':
- echo htmlspecialchars($value);
- echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
- echo strtolower(htmlspecialchars($value));
- echo '" alt="" />';
- break;
- case 'DC':
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . ".";
- }
- break;
- default:
- if (is_array($value)) {
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . " ";
- }
- } else {
- echo htmlspecialchars($value);
- }
- break;
- }
- echo "</td></tr>\n";
- }
+ echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validFrom_time_t']));
+ echo "</span>";
+ ?>
+ </td>
+ </tr>
+ <?php
+ };
+ if ( !empty($cert_data['validTo_time_t']) ) {
+ ?>
+ <tr>
+ <td>Valid Until</td>
+ <td>
+ <?php
+ if ( strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) {
+ echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>';
+ echo '<span class="text-success"> - ';
+ } else {
+ echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>';
+ echo '<span class="text-danger"> - ';
+ }
+ echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validTo_time_t']));
+ echo "</span>";
+ ?>
+ </td>
+ </tr>
+ <?php
+ };
+ if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) {
+ ?>
+ <tr>
+ <td>CRL</td>
+ <td>
+ <?php
+ echo crl_verify($raw_cert_data);
+ ?>
+ </td>
+ </tr>
+ <?php
+ } else {
+ echo "<tr><td>CRL</td><td>No CRL URI found in certificate</td></tr>";
+ }
+ if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) {
+ ?>
+ <tr>
+ <td>OCSP</td>
+ <td>
+ <?php
+ $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
+ $ocsp_uri = explode("\n", $ocsp_uri)[0];
+ $ocsp_uri = explode(" ", $ocsp_uri)[0];
+ if ( isset($raw_next_cert_data) && !empty($ocsp_uri) ) {
+ if ($ocsp_result["ocsp_verify_status"] == "good") {
+ echo '<span class="text-success glyphicon glyphicon-ok-sign"></span> ';
+ echo '<span class="text-success"> - OK: ';
+ echo htmlspecialchars($ocsp_uri);
+ echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]) . " - ";
+ echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]) . "</pre>";
+ } else if ( $ocsp_result["ocsp_verify_status"] == "revoked") {
+ echo '<span class="text-danger glyphicon glyphicon-remove-sign"></span>';
+ echo '<span class="text-danger"> - REVOKED: ';
+ echo htmlspecialchars($ocsp_uri);
+ echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]);
+ echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]);
+ echo "<br>Revocation Time: " . htmlspecialchars($ocsp_result["Revocation Time"]);
+ echo "<br>Revocation Reason: " . htmlspecialchars($ocsp_result["Reason"]). "</pre>";
+ } else {
+ echo '<span class="text-danger glyphicon glyphicon-question-sign"></span>';
+ echo '<span class="text-danger"> - UNKNOWN: ';
+
+ echo " - " . htmlspecialchars($ocsp_uri) . "</span><br>";
+ echo "<pre>" . htmlspecialchars($ocsp_result["unknown"]) . "</pre>";
+ }
+ } else {
+ echo "No OCSP URI found in certificate";
+ }
+ ?>
+ </td>
+ </tr>
+ <?php
+ } else {
+ echo "<tr><td>OCSP</td><td>No OCSP URI found in certificate</td></tr>";
+ }
+ if ($is_issuer == false && $csr == false) {
+ if ($cert_data['subject']['CN']) {
+ echo '<tr><td>Hostname</td>';
+ if ( verify_certificate_hostname($raw_cert_data, $host, $port) ) {
+ echo "<td><span class='text-success glyphicon glyphicon-ok'></span>\n<span class='text-success'> - ";
+ echo htmlspecialchars($host);
+ echo " found in CN or SAN.</span></td></tr>";
+ } else {
+
+ echo '<td><span class="text-danger glyphicon glyphicon-remove"></span><span class="text-danger"> - ';
+ echo htmlspecialchars($host);
+ echo ' NOT found in CN or SAN.</span></td></tr>';
+ }
+ }
+ } else {
+ if ($csr == false) {
+ echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CA signing certificate.</td></tr>";
+ } else {
+ echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CSR.</td></tr>";
+ }
+ }
+ ?>
+ <tr>
+ <td colspan="2"><strong>Details</strong></td>
+ </tr>
+ <?php
+ if ( !empty($cert_data['purposes']) ) {
+ ?>
+ <tr>
+ <td>Purposes</td>
+ <td>
+ <?php
+ $purposes_len = count($cert_data['purposes']);
+ foreach ($cert_data['purposes'] as $key => $purpose) {
+ echo htmlspecialchars($purpose[2]);
+ if ( $key != $purposes_len - 1) {
+ echo ", ";
+ }
}
- if (!empty($cert_data['extensions']['subjectAltName'])) {
?>
- <tr>
- <td>Subject Alternative Names</td>
- <td>
- <?php
- foreach ( explode("DNS:", $cert_data['extensions']['subjectAltName']) as $altName ) {
- if ( !empty(str_replace(',', " ", "$altName"))) {
- echo htmlspecialchars(str_replace(',', " ", "$altName"));
- echo "<br>";
- }
- }
- ?>
- </td>
- </tr>
+ </td>
+ </tr>
+ <?php
+ };
+ if ( !empty($cert_data['serialNumber']) ) {
+ ?>
+ <tr>
+ <td>Serial</td>
+ <td><code>
<?php
+ $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
+ $sn_len = count($sn);
+ foreach ($sn as $key => $s) {
+ echo htmlspecialchars($s);
+ if ( $key != $sn_len - 1) {
+ echo ":";
+ }
}
?>
- <tr>
- <td>Type</td>
- <td>
- <?php
- if ( array_search(explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0])[1], $ev_oids) ) {
- echo '<span class="text-success">Extended Validation</span>';
- } else if ( isset($cert_data['subject']['O'] ) ) {
- echo "Organisation Validation";
- } else if ( isset($cert_data['subject']['CN'] ) ) {
- echo "Domain Validation";
- }
- ?>
+ </code></td>
+ </tr>
+ <?php
+ }
+ ?>
+ <tr>
+ <td>Key Size / Type</td>
+ <td>
+ <?php
+
+
+ $key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data));
+ $export_pem = "";
+ openssl_x509_export($raw_cert_data, $export_pem);
+
+ if ( $key_details['rsa'] ) {
+ echo htmlspecialchars($key_details['bits']);
+ echo " bits RSA";
+ } else if ( $key_details['dsa'] ) {
+ echo htmlspecialchars($key_details['bits']);
+ echo " bits DSA";
+ } else if ( $key_details['dh'] ) {
+ echo htmlspecialchars($key_details['bits']);
+ echo " bits DH";
+ } else {
+ echo htmlspecialchars(var_dump($key_details['bits']));
+ echo " bits";
+ }
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>Signature Algorithm</td>
+ <td>
+ <?php
+ $signature_algorithm = cert_signature_algorithm($raw_cert_data);
+ echo htmlspecialchars($signature_algorithm);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>Extensions</td>
+ <td>
+ <div class="panel-group" id="accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
+ <div class="panel panel-default">
+ <div class="panel-heading" role="tab" id="heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <h4 class="panel-title">
+ <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ Click to Open/Close
+ </a>
+ </h4>
+ </div>
+ <div id="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <div class="panel-body">
+ <?php
+ foreach ( $cert_data['extensions'] as $name=>$extension ) {
+ if ( !empty(str_replace(',', " ", "$extension"))) {
+ echo "<strong>" . htmlspecialchars("$name") . "</strong>";
+ echo "<pre>";
+ echo htmlspecialchars($extension);
+ echo "</pre>";
+ }
+ }
+ ?>
+ </div>
+ </div>
+ </div>
+ </div>
</td>
</tr>
+ <?php
+ if(!empty($export_pem)) {
+ ?>
<tr>
- <td>Full Subject</td>
- <td><?php echo htmlspecialchars($cert_data['name']); ?></td>
- </tr>
- <tr>
- <td colspan="2"><strong>Issuer</strong></td>
+ <td>Certificate PEM </td>
+ <td>
+ <div class="panel-group" id="pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
+ <div class="panel panel-default">
+ <div class="panel-heading" role="tab" id="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <h4 class="panel-title">
+ <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ Click to Open/Close
+ </a>
+ </h4>
+ </div>
+ <div id="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <div class="panel-body">
+ <?php
+ echo "<pre>";
+ echo htmlspecialchars($export_pem);
+ ?>
+ </pre>
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
</tr>
- <?php
- if (!empty($cert_data['issuer']) ) {
- foreach ($cert_data['issuer'] as $key => $value) {
- echo "<tr><td>";
- switch ($key) {
- case 'C':
- echo "Country";
- break;
- case 'ST':
- echo "State";
- break;
- case 'L':
- echo "City";
- break;
- case 'O':
- echo "Organization";
- break;
- case 'OU':
- echo "Organizational Unit";
- break;
- case 'CN':
- echo "Common Name";
- break;
- case 'mail':
- echo "Email Address";
- break;
- case 'emailAddress':
- echo "Email Address";
- break;
- default:
- echo htmlspecialchars($key);
- break;
- }
- echo "</td><td>";
- switch ($key) {
- case 'C':
- echo htmlspecialchars($value);
- echo ' <img src="'.htmlspecialchars($current_folder) . 'img/blank.gif" class="flag flag-';
- echo strtolower(htmlspecialchars($value));
- echo '" alt="" />';
- break;
- case 'DC':
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . ".";
- }
- break;
- default:
- if (is_array($value)) {
- foreach ($value as $key => $value) {
- echo htmlspecialchars($value) . " ";
- }
- } else {
- echo htmlspecialchars($value);
- }
- break;
- }
- echo "</td></tr>\n";
- }
+ <?php
}
?>
+ <?php
+ if(!empty($key_details['key'])) {
+ ?>
<tr>
- <td colspan="2"><strong>Validity</strong></td>
+ <td>Public Key PEM </td>
+ <td>
+ <div class="panel-group" id="pub-pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
+ <div class="panel panel-default">
+ <div class="panel-heading" role="tab" id="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <h4 class="panel-title">
+ <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ Click to Open/Close
+ </a>
+ </h4>
+ </div>
+ <div id="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
+ <div class="panel-body">
+
+ <?php
+ echo "<pre>";
+ echo htmlspecialchars($key_details['key']);
+ ?>
+ </pre>
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
</tr>
- <?php
- if ( !empty($cert_data['validFrom_time_t']) ) {
- ?>
- <tr>
- <td>Valid From</td>
- <td>
- <?php
- if ( $today < date(DATE_RFC2822,$cert_data['validFrom_time_t']) ) {
- echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>';
- echo '<span class="text-success"> - ';
- } else {
- echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>';
- echo '<span class="text-danger"> - ';
-
- }
- echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validFrom_time_t']));
- echo "</span>";
- ?>
- </td>
- </tr>
-
- <?php
- };
- if ( !empty($cert_data['validTo_time_t']) ) {
- ?>
- <tr>
- <td>Valid Until</td>
- <td>
+ <tr>
+ <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">SPKI Hash</a></td>
+ <td>
<?php
- if ( strtotime($today) < strtotime(date(DATE_RFC2822,$cert_data['validTo_time_t'])) ) {
- echo '<span class="text-success glyphicon glyphicon-ok-sign"></span>';
- echo '<span class="text-success"> - ';
- } else {
- echo '<span class="text-danger glyphicon glyphicon-exclamation-sign"></span>';
- echo '<span class="text-danger"> - ';
- }
- echo htmlspecialchars(date(DATE_RFC2822,$cert_data['validTo_time_t']));
- echo "</span>";
- ?>
- </td>
- </tr>
- <?php
- };
- if ( !empty($cert_data['extensions']['crlDistributionPoints']) ) {
- ?>
- <tr>
- <td>CRL</td>
- <td>
- <?php
- echo crl_verify($raw_cert_data);
+ $spki_hash = spki_hash($export_pem);
+ print(htmlspecialchars($spki_hash));
?>
- </td>
- </tr>
- <?php
- } else {
- echo "<tr><td>CRL</td><td>No CRL URI found in certificate</td></tr>";
- }
- if ( !empty($cert_data['extensions']['authorityInfoAccess']) && !empty($next_cert_data) ) {
- ?>
- <tr>
- <td>OCSP</td>
- <td>
- <?php
- $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
- $ocsp_uri = explode("\n", $ocsp_uri)[0];
- $ocsp_uri = explode(" ", $ocsp_uri)[0];
-
- if ( isset($raw_next_cert_data) && !empty($ocsp_uri) ) {
- if ($ocsp_result["ocsp_verify_status"] == "good") {
- echo '<span class="text-success glyphicon glyphicon-ok-sign"></span> ';
- echo '<span class="text-success"> - OK: ';
- echo htmlspecialchars($ocsp_uri);
- echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]) . " - ";
- echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]) . "</pre>";
- } else if ( $ocsp_result["ocsp_verify_status"] == "revoked") {
- echo '<span class="text-danger glyphicon glyphicon-remove-sign"></span>';
- echo '<span class="text-danger"> - REVOKED: ';
- echo htmlspecialchars($ocsp_uri);
- echo "</span><br><pre>This update: " . htmlspecialchars($ocsp_result["This Update"]);
- echo "<br>Next update: " . htmlspecialchars($ocsp_result["Next Update"]);
- echo "<br>Revocation Time: " . htmlspecialchars($ocsp_result["Revocation Time"]);
- echo "<br>Revocation Reason: " . htmlspecialchars($ocsp_result["Reason"]). "</pre>";
- } else {
- echo '<span class="text-danger glyphicon glyphicon-question-sign"></span>';
- echo '<span class="text-danger"> - UNKNOWN: ';
-
- echo " - " . htmlspecialchars($ocsp_uri) . "</span><br>";
- echo "<pre>" . htmlspecialchars($ocsp_result["unknown"]) . "</pre>";
- }
- } else {
- echo "No OCSP URI found in certificate";
- }
- ?>
- </td>
- </tr>
- <?php
- } else {
- echo "<tr><td>OCSP</td><td>No OCSP URI found in certificate</td></tr>";
- }
- if ($is_issuer == false && $csr == false) {
- if ($cert_data['subject']['CN']) {
- echo '<tr><td>Hostname</td>';
- if ( verify_certificate_hostname($raw_cert_data, $host, $port) ) {
- echo "<td><span class='text-success glyphicon glyphicon-ok'></span>\n<span class='text-success'> - ";
- echo htmlspecialchars($host);
- echo " found in CN or SAN.</span></td></tr>";
- } else {
-
- echo '<td><span class="text-danger glyphicon glyphicon-remove"></span><span class="text-danger"> - ';
- echo htmlspecialchars($host);
- echo ' NOT found in CN or SAN.</span></td></tr>';
- }
- }
- } else {
- if ($csr == false) {
- echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CA signing certificate.</td></tr>";
- } else {
- echo "<tr><td>Hostname</td><td>Not applicable, this seems to be a CSR.</td></tr>";
- }
+ </td>
+ </tr>
+ <?php
}
?>
- <tr>
- <td colspan="2"><strong>Details</strong></td>
- </tr>
- <?php
- if ( !empty($cert_data['purposes']) ) {
- ?>
- <tr>
- <td>Purposes</td>
- <td>
- <?php
- $purposes_len = count($cert_data['purposes']);
- foreach ($cert_data['purposes'] as $key => $purpose) {
- echo htmlspecialchars($purpose[2]);
- if ( $key != $purposes_len - 1) {
- echo ", ";
- }
- }
- ?>
- </td>
- </tr>
- <?php
- };
- if ( !empty($cert_data['serialNumber']) ) {
- ?>
- <tr>
- <td>Serial</td>
- <td><code>
- <?php
- $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
- $sn_len = count($sn);
- foreach ($sn as $key => $s) {
- echo htmlspecialchars($s);
- if ( $key != $sn_len - 1) {
- echo ":";
- }
- }
- ?>
- </code></td>
- </tr>
- <?php
- }
- ?>
- <tr>
- <td>Key Size / Type</td>
- <td>
- <?php
-
+ </tbody>
+ </table>
+ <?php
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+function csr_parse_json($csr) {
+ $result = array();
+ if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
+ $cert_data = openssl_csr_get_public_key($csr);
+ $cert_details = openssl_pkey_get_details($cert_data);
+ $cert_key = $cert_details['key'];
+ $cert_subject = openssl_csr_get_subject($csr);
+ $result["subject"] = $cert_subject;
+ $result["key"] = $cert_key;
+ $result["details"] = $cert_details;
+ } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
+ $result = cert_parse_json($csr);
+ } else {
+ $result = array("error" => "data not valid csr");
+ }
+ return $result;
+}
+
+function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $validate_hostname=false) {
+ global $random_blurp;
+ global $ev_oids;
+ $result = array();
+ $cert_data = openssl_x509_parse($raw_cert_data);
+ if (isset($raw_next_cert_data)) {
+ $next_cert_data = openssl_x509_parse($raw_next_cert_data);
+ }
+ $today = date("Y-m-d");
+ //cert
+ if (isset($cert_data) ) {
+ // purposes
+ $purposes = array();
+ foreach ($cert_data['purposes'] as $key => $purpose) {
+ $purposes[$purpose[2]]["ca"] = $purpose[1];
+ $purposes[$purpose[2]]["general"] = $purpose[0];
+ }
+ unset($cert_data['purposes']);
+ $cert_data['purposes'] = $purposes;
+ $result["cert_data"] = $cert_data;
+ }
+ if ( array_search(explode("Policy: ", explode("\n", $cert_data['extensions']['certificatePolicies'])[0])[1], $ev_oids) ) {
+ $result["validation_type"] = "extended";
+ } else if ( isset($cert_data['subject']['O'] ) ) {
+ $result["validation_type"] = "organisation";
+ } else if ( isset($cert_data['subject']['CN'] ) ) {
+ $result["validation_type"] = "domain";
+ }
+ // crl
+ if (isset($cert_data['extensions']['crlDistributionPoints']) ) {
+ $result["crl"] = crl_verify_json($raw_cert_data);
+ } else {
+ $result["crl"] = "No CRL URI found in certificate";
+ }
+ // ocsp
+ if (isset($cert_data['extensions']['authorityInfoAccess']) && isset($next_cert_data) ) {
+ $ocsp_uris = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess']);
+ unset($ocsp_uris[0]);
+ if ( isset($raw_next_cert_data) && isset($ocsp_uris) ) {
+ foreach ($ocsp_uris as $key => $ocsp_uri) {
+ $ocsp_uri = explode("\n", $ocsp_uri)[0];
+ $ocsp_uri = explode(" ", $ocsp_uri)[0];
+ $result["ocsp"]["$key"] = ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri);
+ }
+
+ } else {
+ $result["ocsp"] = "No OCSP URI found in certificate";
+ }
+ } else {
+ $result["ocsp"] = "No OCSP URI found in certificate";
+ }
+ // hostname validation
+ if ($validate_hostname == true) {
+ if (isset($cert_data['subject']['CN'])) {
+ if ( verify_certificate_hostname($raw_cert_data, $host) ) {
+ $result["hostname_in_san_or_cn"] = "true";
+ } else {
+ $result["hostname_in_san_or_cn"] = "false";
+ }
+ }
+ } else {
+ $result["hostname_in_san_or_cn"] = "n/a; ca signing certificate";
+ }
+ //serial
+ if ( isset($cert_data['serialNumber']) ) {
+ $serial = "";
+ $sn = str_split(strtoupper(bcdechex($cert_data['serialNumber'])), 2);
+ $sn_len = count($sn);
+ foreach ($sn as $key => $s) {
+ $serial += htmlspecialchars($s);
+ if ( $key != $sn_len - 1) {
+ $serial += ":";
+ }
+ }
+ $result["serial"] = $serial;
+ }
+
+ // key details
+ $key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data));
+ $export_pem = "";
+ openssl_x509_export($raw_cert_data, $export_pem);
+ if (isset($key_details['rsa'])) {
+ $result["key"]["type"] = "rsa";
+ $result["key"]["bits"] = $key_details['bits'];
+ } else if (isset($key_details['dsa'])) {
+ $result["key"]["type"] = "dsa";
+ $result["key"]["bits"] = $key_details['bits'];
+ } else if (isset($key_details['dh'])) {
+ $result["key"]["type"] = "dh";
+ $result["key"]["bits"] = $key_details['bits'];
+ } else if (isset($key_details['ec'])) {
+ $result["key"]["type"] = "ecdsa";
+ $result["key"]["bits"] = $key_details['bits'];
+ } else {
+ $result["key"]["type"] = "unknown";
+ $result["key"]["bits"] = $key_details['bits'];
+ }
+ // signature algorithm
+ $result["key"]["signature_algorithm"] = cert_signature_algorithm($raw_cert_data);
+ if(isset($export_pem)) {
+ $result["key"]["certificate_pem"] = $export_pem;
+ }
+ if(isset($key_details['key'])) {
+ $result["key"]["public_key_pem"] = $key_details['key'];
+ $result["key"]["spki_hash"] = spki_hash($export_pem);
+ }
+ return $result;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
- $key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data));
- $export_pem = "";
- openssl_x509_export($raw_cert_data, $export_pem);
-
- if ( $key_details['rsa'] ) {
- echo htmlspecialchars($key_details['bits']);
- echo " bits RSA";
- } else if ( $key_details['dsa'] ) {
- echo htmlspecialchars($key_details['bits']);
- echo " bits DSA";
- } else if ( $key_details['dh'] ) {
- echo htmlspecialchars($key_details['bits']);
- echo " bits DH";
- } else {
- echo htmlspecialchars(var_dump($key_details['bits']));
- echo " bits";
- }
- ?>
- </td>
- </tr>
- <tr>
- <td>Signature Algorithm</td>
- <td>
- <?php
- $signature_algorithm = cert_signature_algorithm($raw_cert_data);
- echo htmlspecialchars($signature_algorithm);
- ?>
- </td>
- </tr>
- <tr>
- <td>Extensions</td>
- <td>
- <div class="panel-group" id="accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
- <div class="panel panel-default">
- <div class="panel-heading" role="tab" id="heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <h4 class="panel-title">
- <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
- Click to Open/Close
- </a>
- </h4>
- </div>
- <div id="collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <div class="panel-body">
- <?php
- foreach ( $cert_data['extensions'] as $name=>$extension ) {
- if ( !empty(str_replace(',', " ", "$extension"))) {
- echo "<strong>" . htmlspecialchars("$name") . "</strong>";
- echo "<pre>";
- echo htmlspecialchars($extension);
- echo "</pre>";
- }
- }
- ?>
- </div>
- </div>
- </div>
- </div>
- </td>
- </tr>
- <?php
- if(!empty($export_pem)) {
- ?>
- <tr>
- <td>Certificate PEM </td>
- <td>
- <div class="panel-group" id="pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
- <div class="panel panel-default">
- <div class="panel-heading" role="tab" id="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <h4 class="panel-title">
- <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
- Click to Open/Close
- </a>
- </h4>
- </div>
- <div id="pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <div class="panel-body">
- <?php
- echo "<pre>";
- echo htmlspecialchars($export_pem);
- ?>
- </pre>
- </div>
- </div>
- </div>
- </div>
- </td>
- </tr>
- <?php
- }
- ?>
- <?php
- if(!empty($key_details['key'])) {
- ?>
- <tr>
- <td>Public Key PEM </td>
- <td>
- <div class="panel-group" id="pub-pem-accordion<?php echo bcdechex($cert_data['serialNumber']); ?>" role="tablist" aria-multiselectable="true">
- <div class="panel panel-default">
- <div class="panel-heading" role="tab" id="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <h4 class="panel-title">
- <a class="collapsed" data-toggle="collapse" data-parent="#accordion" href="#pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" aria-expanded="false" aria-controls="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>">
- Click to Open/Close
- </a>
- </h4>
- </div>
- <div id="pub-pem-collapse<?php echo bcdechex($cert_data['serialNumber']); ?>" class="panel-collapse collapse" role="tabpanel" aria-labelledby="pub-pem-heading<?php echo bcdechex($cert_data['serialNumber']); ?>">
- <div class="panel-body">
-
- <?php
- echo "<pre>";
- echo htmlspecialchars($key_details['key']);
- ?>
- </pre>
- </div>
- </div>
- </div>
- </div>
- </td>
- </tr>
- <tr>
- <td><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">SPKI Hash</a></td>
- <td>
- <?php
- $spki_hash = spki_hash($export_pem);
- print(htmlspecialchars($spki_hash));
- ?>
- </td>
- </tr>
- <?php
- }
- ?>
- </tbody>
- </table>
- <?php
- }
?> \ No newline at end of file
diff --git a/functions/textual.php b/functions/textual.php
index b28a764..93a5838 100644
--- a/functions/textual.php
+++ b/functions/textual.php
@@ -14,6 +14,12 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
+function pre_dump($var) {
+ echo "<pre>";
+ var_dump($var);
+ echo "<pre>";
+}
+
function startsWith($haystack, $needle) {
// search backwards starting from haystack length characters from the end
return $needle === "" || strrpos($haystack, $needle, -strlen($haystack)) !== FALSE;
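Review bot: The last echo in pre_dump writes `<pre>` again instead of `</pre>`, so each call opens a second preformatted block that is never closed and everything rendered after it stays inside that block; the second `echo "<pre>";` should read `echo "</pre>";`. The var_dump output is also written into the page unescaped, while the rendering code elsewhere in this commit passes certificate-derived values through htmlspecialchars; capturing and escaping the dump, `ob_start(); var_dump($var); echo '<pre>' . htmlspecialchars(ob_get_clean()) . '</pre>';`, keeps a debugging helper from becoming a place where attacker-controlled certificate fields reach the HTML unescaped if it is ever called on parsed certificate data.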
diff --git a/functions/verify_certifitcate.php b/functions/verify_certifitcate.php
index 4e80ea4..86312a1 100644
--- a/functions/verify_certifitcate.php
+++ b/functions/verify_certifitcate.php
@@ -14,7 +14,7 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
-function verify_certificate_hostname($raw_cert, $host, $port) {
+function verify_certificate_hostname($raw_cert, $host) {
$cert_data = openssl_x509_parse($raw_cert);
if ($cert_data['subject']['CN']) {
$cert_host_names = [];