Alternc (latest)
Alternc, free software for hosting
SSL certificates management class.
Public Member Functions
m_ssl () - Constructor.
get_fqdn_specials () - Return the list of special FQDNs for which we'd like to obtain a certificate too.
expire_certificates () - Set expired certificates as such.
cron_new_certs () - Crontab launched every minute to search for new certificates and launch web_action="UPDATE".
fqdnmatch ($cert, $fqdn)
update_specials_match ($id, $fqdn) - Update the special system certificate that matches the cert FQDN.
searchSubDomain ($fqdn) - Search for a FQDN, as an exact FQDN or as a wildcard, in all subdomains currently hosted; return a list of subdomain IDs.
delete_old_certificates () - Delete old certificates (expired for more than a year).
get_list (&$filter=null) - Return all the SSL certificates for an account (or the searched one).
new_csr ($fqdn, $provider="manual") - Generate a new CSR and a new private RSA key for a FQDN.
get_certificate ($id, $anyuser=false) - Return all information on a given certificate for the current user.
get_certificate_path ($id) - Return the paths to the certificate, key and chain of a certificate given its ID.
get_valid_certs ($fqdn, $provider="") - Return all the valid certificates that can be used for a specific FQDN, ordered by preference (the last two will be the default FQDN and the snakeoil if necessary); keys: id, provider, crt, chain, key, validstart, validend.
import_cert ($key, $crt, $chain="", $provider="") - Import an existing SSL key, certificate and (maybe) a chain certificate.
finalize ($certid, $crt, $chain) - Import an SSL certificate into an existing certificate entry in the DB.
alternc_del_member () - Function called by a hook when an AlternC member is deleted.
updateDomain ($action, $type, $fqdn, $mail=0, $value="") - Launched by hosting_functions.sh, itself launched by update_domaines.sh. Action may be create/postinst/delete/enable/disable. Changes the template for this domain name so that it has the proper CERTIFICATE; an algorithm determines the best possible certificate, which may be a BAD one (like a generic self-signed one for localhost as a last chance).
hook_updatedomains_web_before ($subdomid) - Launched by hosting_functions.sh, itself launched by update_domaines.sh. Action may be create/postinst/delete/enable/disable. Changes the template for this domain name so that it has the proper CERTIFICATE; an algorithm determines the best possible certificate, which may be a BAD one (like a generic self-signed one for localhost as a last chance).
searchBestCert ($subdom, $fqdn) - Search for the best certificate for a user and a FQDN; return a hash with crt, key and maybe chain.
write_cert_file ($cert) - Write certificate files into KEY_REPOSITORY.
alternc_export_conf () - Export every piece of information of an AlternC account (@access private, EXPERIMENTAL 'sid' function ;)).
parseAltNames ($str) - Return the list of alternate names of an X.509 SSL certificate from the attribute list.
check_cert ($crt, $chain, $key="", $certid=null) - Check that a crt is a proper certificate.

Public Attributes
const STATUS_PENDING = 0
const STATUS_OK = 1
const STATUS_EXPIRED = 99
$error = ""
const FILTER_PENDING = 1
const FILTER_OK = 2
const FILTER_EXPIRED = 4
const KEY_REPOSITORY = "/var/lib/alternc/ssl/private"
const SPECIAL_CERTIFICATE_ID_PATH = "/var/lib/alternc/ssl/special_id.json"

Private Member Functions
copycert ($target, $id) - Copy a certificate (by its ID) to the system files, set the correct permissions, and try to minimize the zero-file-size risk or timing attack.
m_ssl::alternc_del_member ()
Function called by a hook when an AlternC member is deleted.
@access private. TODO: delete unused SSL certificates?? > do this in the crontab.
m_ssl::alternc_export_conf ()
m_ssl::check_cert ($crt, $chain, $key = "", $certid = null)
Check that a crt is a proper certificate.
$crt (string): an SSL certificate
$chain (string): a list of certificates
$key (string): the RSA key associated with the certificate
$certid: if no key is specified, use the key of this certificate ID in the table
Definition at line 794 of file m_ssl.php.
Referenced by finalize(), and import_cert().
m_ssl::copycert ($target, $id) [private]
Copy a certificate (by its ID) to the system files, set the correct permissions, and try to minimize the zero-file-size risk or timing attack.
Definition at line 181 of file m_ssl.php.
Referenced by update_specials_match().
m_ssl::cron_new_certs ()
Crontab launched every minute to search for new certificates and launch web_action="UPDATE".
Definition at line 95 of file m_ssl.php.
References searchSubDomain(), and update_specials_match().
m_ssl::delete_old_certificates ()
Delete old certificates (expired for more than a year).
Definition at line 233 of file m_ssl.php.
References $c.
m_ssl::expire_certificates ()
Set expired certificates as such.
Definition at line 84 of file m_ssl.php.
Referenced by get_list(), and get_valid_certs().
m_ssl::finalize ($certid, $crt, $chain)
Import an SSL certificate into an existing certificate entry in the DB (finalize an enrollment process).
$certid (integer): the ID in the database of the SSL certificate
$crt (string): the X.509 PEM-encoded certificate, which must be the one matching the private RSA key of certificate $certid
$chain (string): the X.509 PEM-encoded list of the SSL certificate chain, if there are intermediate authorities
Definition at line 538 of file m_ssl.php.
References check_cert(), and parseAltNames().
m_ssl::fqdnmatch ($cert, $fqdn)
m_ssl::get_certificate ($id, $anyuser = false)
Return all information on a given certificate for the current user.
$id (integer): the ID of the certificate
$anyuser (integer): set this to true if you want to search the certificate for any user
m_ssl::get_certificate_path ($id)
m_ssl::get_fqdn_specials ()
Return the list of special FQDNs for which we'd like to obtain a certificate too (apart from sub+domain entries of the sub_domaines table).
Used by providers to get the certs they should generate; also used by update_domaines to choose which cert to use for a specific FQDN.
Definition at line 66 of file m_ssl.php.
m_ssl::get_list (&$filter = null)
Return all the SSL certificates for an account (or the searched one).
$filter: an integer telling which certificates we want to see (see the FILTER_* constants above); by default all certificates are shown, but only Pending and OK certificates (not expired ones) when there are more than 10.
Definition at line 268 of file m_ssl.php.
References expire_certificates(), FILTER_EXPIRED, FILTER_OK, STATUS_EXPIRED, STATUS_OK, and STATUS_PENDING.
m_ssl::get_valid_certs ($fqdn, $provider = "")
Return all the valid certificates that can be used for a specific FQDN. The list is ordered by preference (the last two will be the default FQDN and the snakeoil if necessary); keys: id, provider, crt, chain, key, validstart, validend.
Definition at line 409 of file m_ssl.php.
References expire_certificates().
Referenced by hook_updatedomains_web_before(), and searchBestCert().
m_ssl::hook_updatedomains_web_before ($subdomid)
Launched by hosting_functions.sh, itself launched by update_domaines.sh. Action may be create/postinst/delete/enable/disable. Changes the template for this domain name so that it has the proper CERTIFICATE; an algorithm determines the best possible certificate, which may be a BAD one (like a generic self-signed one for localhost as a last chance).
Definition at line 660 of file m_ssl.php.
References get_valid_certs(), and write_cert_file().
m_ssl::import_cert ($key, $crt, $chain = "", $provider = "")
Import an existing SSL key, certificate and (maybe) a chain certificate.
$key (string): the X.509 PEM-encoded RSA key
$crt (string): the X.509 PEM-encoded certificate, which must be the one matching the private RSA key in $key (we will check that anyway...)
$chain (string): the X.509 PEM-encoded list of the SSL certificate chain, if there are intermediate authorities. TODO: check that the chain is effectively a chain to the CRT...
$provider (string): the SSL cert provider
Definition at line 490 of file m_ssl.php.
References check_cert(), and parseAltNames().
m_ssl::m_ssl ()
Constructor.
Definition at line 52 of file m_ssl.php.
m_ssl::new_csr ($fqdn, $provider = "manual")
Generate a new CSR and a new private RSA key for a FQDN.
$fqdn (string): the FQDN of the domain name for which we want a CSR; a wildcard certificate must start with *.
$provider (string): a provider, if necessary
Definition at line 315 of file m_ssl.php.
m_ssl::parseAltNames ($str)
Returns the list of alternate names of an X.509 SSL certificate from the attribute list.
$str (string): the $crtdata["extensions"]["subjectAltName"] string from openssl
Definition at line 776 of file m_ssl.php.
Referenced by finalize(), and import_cert().
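The checks that check_cert() and parseAltNames() describe, as an added example that is not AlternC's code: it uses PHP's openssl extension, and the function names, the sample subjectAltName string and the chain-signature check (which goes beyond the page's check_cert() and covers the TODO noted in import_cert()) are assumptions.

```php
<?php
// Added example, not AlternC's own code: the checks that check_cert() and
// parseAltNames() describe, done with PHP's openssl extension.

/**
 * Parse openssl_x509_parse()'s $crtdata["extensions"]["subjectAltName"],
 * e.g. "DNS:example.org, DNS:*.example.org, IP Address:192.0.2.1",
 * into the DNS names it contains (lowercased, deduplicated).
 */
function parse_alt_names_example(string $str): array
{
    $names = [];
    foreach (explode(',', $str) as $entry) {
        $entry = trim($entry);
        // Only DNS: entries are hostnames; IP, email and URI entries are skipped
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(trim(substr($entry, 4)));
        }
    }
    return array_values(array_unique($names));
}

/**
 * Check that $crt parses and is not expired, that $key is the private key
 * matching it, and that the first certificate in $chain actually signed $crt
 * (that last check is the TODO noted in import_cert()).
 * Returns null when all checks pass, otherwise an error message.
 */
function check_cert_example(string $crt, string $chain, string $key): ?string
{
    $data = openssl_x509_parse($crt);
    if ($data === false) {
        return 'crt is not a parsable X.509 certificate';
    }
    if ($data['validTo_time_t'] < time()) {
        return 'certificate has expired';
    }
    if (!openssl_x509_check_private_key($crt, $key)) {
        return 'private key does not match the certificate';
    }
    if ($chain !== '') {
        // Split the chain into PEM blocks; the first one must be the issuer of $crt
        preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $chain, $m);
        if (!$m[0] || openssl_x509_verify($crt, $m[0][0]) !== 1) {
            return 'chain does not sign the certificate';
        }
    }
    return null;
}
```

Feeding the subjectAltName string of a parsed certificate to parse_alt_names_example() gives the hostnames a certificate can serve; a non-null result from check_cert_example() is the reason the import should be refused.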
m_ssl::searchBestCert ($subdom, $fqdn)
Search for the best certificate for a user and a FQDN. Return a hash with crt, key and maybe chain: they are the full paths to the best certificate for this FQDN. If necessary, use "default_certificate_fqdn" or a "snakeoil".
$subdom (array): the subdomain entry from the sub_domaines table
$fqdn (string): the fully qualified domain name to search for
Definition at line 690 of file m_ssl.php.
References get_valid_certs(), and write_cert_file().
Referenced by updateDomain().
m_ssl::searchSubDomain ($fqdn)
Search for a FQDN, as an exact FQDN or as a wildcard, in all subdomains currently hosted; return a list of subdomain IDs.
Definition at line 213 of file m_ssl.php.
Referenced by cron_new_certs().
m_ssl::update_specials_match ($id, $fqdn)
Update the special system certificate that matches the cert FQDN.
Definition at line 154 of file m_ssl.php.
References copycert(), and fqdnmatch().
Referenced by cron_new_certs().
m_ssl::updateDomain ($action, $type, $fqdn, $mail = 0, $value = "")
Launched by hosting_functions.sh, itself launched by update_domaines.sh. Action may be create/postinst/delete/enable/disable. Changes the template for this domain name so that it has the proper CERTIFICATE; an algorithm determines the best possible certificate, which may be a BAD one (like a generic self-signed one for localhost as a last chance).
Definition at line 590 of file m_ssl.php.
References searchBestCert().
m_ssl::write_cert_file ($cert)
Write certificate files into KEY_REPOSITORY.
$cert (array): an array with ID, sslcrt, sslkey, sslchain
Definition at line 713 of file m_ssl.php.
Referenced by hook_updatedomains_web_before(), and searchBestCert().
const m_ssl::FILTER_EXPIRED = 4
Definition at line 43 of file m_ssl.php.
Referenced by get_list().
const m_ssl::FILTER_OK = 2
Definition at line 42 of file m_ssl.php.
Referenced by get_list().
const m_ssl::KEY_REPOSITORY = "/var/lib/alternc/ssl/private"
const m_ssl::SPECIAL_CERTIFICATE_ID_PATH = "/var/lib/alternc/ssl/special_id.json"
const m_ssl::STATUS_EXPIRED = 99
Definition at line 35 of file m_ssl.php.
Referenced by get_list().
const m_ssl::STATUS_OK = 1
Definition at line 34 of file m_ssl.php.
Referenced by get_list().
const m_ssl::STATUS_PENDING = 0
Definition at line 33 of file m_ssl.php.
Referenced by get_list().