
  1: <?php
  2: //============================================================+
  3: // File name   : tce_functions_authorization.php
  4: // Begin       : 2001-09-26
  5: // Last Update : 2013-07-02
  6: //
  7: // Description : Functions for Authorization / LOGIN
  8: //
  9: // Author: Nicola Asuni
 10: //
 11: // (c) Copyright:
 12: //               Nicola Asuni
 13: //               Tecnick.com LTD
 14: //               www.tecnick.com
 15: //               info@tecnick.com
 16: //
 17: // License:
 18: //    Copyright (C) 2004-2013 Nicola Asuni - Tecnick.com LTD
 19: //    See LICENSE.TXT file for more information.
 20: //============================================================+
 21: 
 22: /**
 23:  * @file
 24:  * Functions for Authorization / LOGIN
 25:  * @package com.tecnick.tcexam.shared
 26:  * @author Nicola Asuni
 27:  * @since 2001-09-26
 28:  */
 29: 
 30: /**
 31:  * Returns XHTML / CSS formatted string for login form.<br>
 32:  * The CSS classes used are:
 33:  * <ul>
 34:  * <li>div.login_form : container for login box</li>
 35:  * <li>div.login_form div.login_row : container for label + input field or button</li>
 36:  * <li>div.login_form div.login_row span.label : container for input label</li>
 37:  * <li>div.login_form div.login_row span.formw : container for input form</li>
 38:  * </ul>
 39:  * @param faction String action attribute
 40:  * @param fid String form ID attribute
 41:  * @param fmethod String method attribute (get/post)
 42:  * @param fenctype String enctype attribute
 43:  * @param username String user name
 44:  * @return XHTML string for login form
 45:  */
 46: function F_loginForm($faction, $fid, $fmethod, $fenctype, $username)
 47: {
 48:     global $l;
 49:     require_once('../config/tce_config.php');
 50:     require_once('../../shared/config/tce_user_registration.php');
 51:     $str = '';
 52:     $str .= '<div class="container">'.K_NEWLINE;
 53:     if (K_USRREG_ENABLED) {
 54:         $str .= '<small><a href="../../public/code/tce_user_registration.php" title="'.$l['t_user_registration'].'">'.$l['w_user_registration_link'].'</a></small>'.K_NEWLINE;
 55:     }
 56:     $str .= '<div class="tceformbox">'.K_NEWLINE;
 57:     $str .= '<form action="'.$faction.'" method="'.$fmethod.'" id="'.$fid.'" enctype="'.$fenctype.'">'.K_NEWLINE;
 58:     // user name
 59:     $str .= getFormRowTextInput('xuser_name', $l['w_username'], $l['h_login_name'], '', $username, '', 255, false, false, false, '');
 60:     // password
 61:     $str .= getFormRowTextInput('xuser_password', $l['w_password'], $l['h_password'], '', '', '', 255, false, false, true, '');
 62:     // One Time Password code (OTP)
 63:     if (K_OTP_LOGIN) {
 64:         $str .= getFormRowTextInput('xuser_otpcode', $l['w_otpcode'], $l['h_otpcode'], '', '', '', 255, false, false, true, '');
 65:     }
 66:     if (defined('K_PASSWORD_RESET') and K_PASSWORD_RESET) {
 67:         // print a link to password reset page
 68:         $str .= '<div class="row">'.K_NEWLINE;
 69:         $str .= '<span class="formw"><a href="../../public/code/tce_password_reset.php" title="'.$l['h_reset_password'].'" style="font-size:90%;">'.$l['w_forgot_password'].'</a></span>'.K_NEWLINE;
 70:         $str .= '</div>'.K_NEWLINE;
 71:     }
 72:     // buttons
 73:     $str .= '<div class="row">'.K_NEWLINE;
 74:     $str .= '<input type="submit" name="login" id="login" value="'.$l['w_login'].'" title="'.$l['h_login_button'].'" />'.K_NEWLINE;
 75:     // the following field is used to check if the form has been submitted
 76:     $str .= '<input type="hidden" name="logaction" id="logaction" value="login" />'.K_NEWLINE;
 77:     $str .= '</div>'.K_NEWLINE;
 78:     $str .= '</form>'.K_NEWLINE;
 79:     $str .= '</div>'.K_NEWLINE;
 80:     $str .= '<div class="pagehelp">'.$l['hp_login'].'</div>'.K_NEWLINE;
 81:     $str .= '</div>'.K_NEWLINE;
 82:     return $str;
 83: }
 84: 
 85: /**
 86:  * Display login page.
 87:  * NOTE: This function calls exit() after execution.
 88:  */
 89: function F_login_form()
 90: {
 91:     global $l, $thispage_title;
 92:     global $xuser_name, $xuser_password;
 93:     require_once('../config/tce_config.php');
 94:     // HTTP-Basic authentication
 95:     require_once('../../shared/config/tce_httpbasic.php');
 96:     if (K_HTTPBASIC_ENABLED and (!isset($_SESSION['logout']) or !$_SESSION['logout'])) {
 97:         // force HTTP Basic Authentication
 98:         header('WWW-Authenticate: Basic realm="TCExam"');
 99:         header('HTTP/1.0 401 Unauthorized');
100:         require_once('../code/tce_page_header.php');
101:         F_print_error('WARNING', $l['m_authorization_denied']);
102:         require_once('../code/tce_page_footer.php');
103:         exit(); //break page here
104:     }
105:     // Shibboleth authentication
106:     require_once('../../shared/config/tce_shibboleth.php');
107:     if (K_SHIBBOLETH_ENABLED and (!isset($_SESSION['logout']) or !$_SESSION['logout'])) {
108:         // redirect to Shibboleth Login Page
109:         header('Location: '.K_SHIBBOLETH_LOGIN);
110:         // html redirect
111:         echo '<'.'?xml version="1.0" encoding="'.$l['a_meta_charset'].'"?'.'>'.K_NEWLINE;
112:         echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'.K_NEWLINE;
113:         echo '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="'.$l['a_meta_language'].'" lang="'.$l['a_meta_language'].'" dir="'.$l['a_meta_dir'].'">'.K_NEWLINE;
114:         echo '<head>'.K_NEWLINE;
115:         echo '<title>LOGIN</title>'.K_NEWLINE;
116:         echo '<meta http-equiv="refresh" content="0" />'.K_NEWLINE; //reload page
117:         echo '</head>'.K_NEWLINE;
118:         echo '<body>'.K_NEWLINE;
119:         echo '<a href="'.K_SHIBBOLETH_LOGIN.'">LOGIN</a>'.K_NEWLINE;
120:         echo '</body>'.K_NEWLINE;
121:         echo '</html>'.K_NEWLINE;
122:         exit(); //break page here
123:     }
124:     require_once('../../shared/code/tce_functions_form.php');
125:     $thispage_title = $l['t_login_form']; //set page title
126:     require_once('../code/tce_page_header.php');
127:     echo F_loginForm($_SERVER['SCRIPT_NAME'], 'form_login', 'post', 'multipart/form-data', $xuser_name);
128:     require_once('../code/tce_page_footer.php');
129:     exit(); //break page here
130: }
131: 
132: 
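/**
 * Display logout form.
 * The form posts to tce_logout.php and carries the path of the calling
 * script in the hidden 'current_page' field; how that value is used is
 * decided by tce_logout.php (not visible here).
 * @return XHTML string for logout form.
 */
function F_logout_form()
{
    global $l;
    require_once('../config/tce_config.php');
    require_once('../../shared/code/tce_functions_form.php');
    // Escape the script path before placing it in an attribute: depending on
    // the web server configuration SCRIPT_NAME may be derived from the request
    // URI. The browser decodes the entities again on submit, so tce_logout.php
    // still receives the original path.
    $current_page = htmlspecialchars((string) $_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    $str = K_NEWLINE;
    $str .= '<div class="container">'.K_NEWLINE;
    $str .= '<div class="tceformbox">'.K_NEWLINE;
    $str .= '<form action="../code/tce_logout.php" method="post" id="form_logout" enctype="multipart/form-data">'.K_NEWLINE;
    // description
    $str .= '<div class="row">'.K_NEWLINE;
    $str .= $l['d_logout_desc'].K_NEWLINE;
    $str .= '</div>'.K_NEWLINE;
    // buttons
    $str .= '<div class="row">'.K_NEWLINE;
    // the following field is used to check if form has been submitted
    $str .= '<input type="hidden" name="current_page" id="current_page" value="'.$current_page.'" />'.K_NEWLINE;
    $str .= '<input type="hidden" name="logaction" id="logaction" value="" />'.K_NEWLINE;
    $str .= '<input type="submit" name="login" id="login" value="'.$l['w_logout'].'" />'.K_NEWLINE;
    $str .= '</div>'.K_NEWLINE;
    $str .= '</form>'.K_NEWLINE;
    $str .= '</div>'.K_NEWLINE;
    return $str;
}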
161: 
/**
 * Display logout page: page header, logout form (F_logout_form()) and
 * page footer.
 * NOTE: This function calls exit() after execution.
 */
function F_logout_page()
{
    global $l;
    global $thispage_title;
    require_once('../config/tce_config.php');
    // page title read by the header template
    $thispage_title = $l['t_logout_form'];
    require_once('../code/tce_page_header.php');
    print F_logout_form();
    require_once('../code/tce_page_footer.php');
    exit(); // break page here
}
176: 
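/**
 * Returns true if the current user is authorized to update and delete the selected database record.
 * The user is authorized when at least one of the following holds:
 * <ul>
 * <li>the session user level is at least K_AUTH_ADMINISTRATOR;</li>
 * <li>the session user is the author of the record ($field_user_id column);</li>
 * <li>the session user shares at least one group with the record author (author ID greater than 1).</li>
 * </ul>
 * NOTE: $table, $field_id_name and $field_user_id are used as SQL identifiers.
 * F_escape_sql() escapes string content but does not quote identifiers, so these
 * arguments must be fixed names coming from the code, never from the request.
 * @author Nicola Asuni
 * @since 2006-03-11
 * @param $table (string) table to be modified
 * @param $field_id_name (string) name of the main ID field of the table
 * @param $value_id (int) value of the ID field of the table
 * @param $field_user_id (string) name of the foreign key to to user_id
 * @return boolean true if the user is authorized, false otherwise
 */
function F_isAuthorizedUser($table, $field_id_name, $value_id, $field_user_id)
{
    global $l,$db;
    require_once('../config/tce_config.php');
    $table = F_escape_sql($db, $table);
    $field_id_name = F_escape_sql($db, $field_id_name);
    $value_id = intval($value_id);
    $field_user_id = F_escape_sql($db, $field_user_id);
    $user_id = intval($_SESSION['session_user_id']);
    // administrators are always authorized
    if (defined('K_AUTH_ADMINISTRATOR') and ($_SESSION['session_user_level'] >= K_AUTH_ADMINISTRATOR)) {
        return true;
    }
    // the original author of the record is authorized
    if (F_count_rows($table.' WHERE '.$field_id_name.'='.$value_id.' AND '.$field_user_id.'='.$user_id.' LIMIT 1') > 0) {
        return true;
    }
    // otherwise the user is authorized if he/she shares a group with the author:
    // get the author ID
    $author_id = 0;
    $sql = 'SELECT '.$field_user_id.' FROM '.$table.' WHERE '.$field_id_name.'='.$value_id.' LIMIT 1';
    if ($r = F_db_query($sql, $db)) {
        if ($m = F_db_fetch_array($r)) {
            // cast the value read from the database before it is concatenated
            // into the next query (the column is expected to be an integer ID)
            $author_id = intval($m[0]);
        }
    } else {
        F_display_db_error();
    }
    // author IDs 0 and 1 never match through group membership
    // (presumably the missing / system accounts - confirm against the users table)
    if (($author_id > 1)
        and (F_count_rows(K_TABLE_USERGROUP.' AS ta, '.K_TABLE_USERGROUP.' AS tb
        WHERE ta.usrgrp_group_id=tb.usrgrp_group_id
            AND ta.usrgrp_user_id='.$author_id.'
            AND tb.usrgrp_user_id='.$user_id.'
            LIMIT 1') > 0)) {
        return true;
    }
    return false;
}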
225: 
/**
 * Returns a comma separated string of ID of the users that belong to the same groups.
 * The string is built from a self-join on the user/group table (one entry per
 * matching row, so an ID may appear more than once) and always ends with
 * $user_id itself.
 * @author Nicola Asuni
 * @since 2006-03-11
 * @param $user_id (int) user ID
 * @return string
 */
function F_getAuthorizedUsers($user_id)
{
    global $l,$db;
    require_once('../config/tce_config.php');
    $user_id = intval($user_id);
    $ids = array(); // user IDs collected from the query
    // every user that shares at least one group with $user_id
    $sql = 'SELECT tb.usrgrp_user_id
        FROM '.K_TABLE_USERGROUP.' AS ta, '.K_TABLE_USERGROUP.' AS tb
        WHERE ta.usrgrp_group_id=tb.usrgrp_group_id
            AND ta.usrgrp_user_id='.$user_id.'';
    $r = F_db_query($sql, $db);
    if (!$r) {
        F_display_db_error();
    } else {
        while ($m = F_db_fetch_array($r)) {
            $ids[] = $m[0];
        }
    }
    // the user is always the last element of the list
    $ids[] = $user_id;
    return implode(',', $ids);
}
254: 
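/**
 * Sync user groups with the ones specified on the configuration file for alternate authentication.
 * Only missing memberships are added; existing memberships are never removed.
 * @param $usrid (int) ID of the user to update.
 * @param $grpids (mixed) Group ID or comma separated list of group IDs (0=all available groups).
 * @author Nicola Asuni
 * @since 2012-09-11
 */
function F_syncUserGroups($usrid, $grpids)
{
    global $l,$db;
    require_once('../config/tce_config.php');
    $usrid = intval($usrid);
    // select new group IDs
    $newgrps = array();
    if (is_string($grpids)) {
        // comma separated list of group IDs.
        // array_map() replaces array_walk($newgrps, 'intval'): array_walk passes
        // the element by value, so the intval() result was discarded and the
        // list stayed a list of strings.
        $newgrps = array_map('intval', explode(',', $grpids));
        $newgrps = array_unique($newgrps, SORT_NUMERIC);
    } elseif ($grpids == 0) {
        // all available groups
        $sqlg = 'SELECT group_id FROM '.K_TABLE_GROUPS.'';
        if ($rg = F_db_query($sqlg, $db)) {
            while ($mg = F_db_fetch_array($rg)) {
                $newgrps[] = intval($mg['group_id']);
            }
        } else {
            F_display_db_error();
        }
    } elseif ($grpids > 0) {
        // single default group
        $newgrps[] = intval($grpids);
    }
    if (empty($newgrps)) {
        return;
    }
    // select existing group IDs
    $usrgrps = array();
    $sqlu = 'SELECT usrgrp_group_id FROM '.K_TABLE_USERGROUP.' WHERE usrgrp_user_id='.$usrid.'';
    if ($ru = F_db_query($sqlu, $db)) {
        while ($mu = F_db_fetch_array($ru)) {
            $usrgrps[] = intval($mu['usrgrp_group_id']);
        }
    } else {
        F_display_db_error();
    }
    // extract missing groups (both lists now hold integers, so the
    // string comparison made by array_diff() is exact)
    $diffgrps = array_values(array_diff($newgrps, $usrgrps));
    // add missing groups
    foreach ($diffgrps as $grpid) {
        // defensive cast: only integer IDs are ever concatenated into the query
        $grpid = intval($grpid);
        if ($grpid > 0) {
            // add user to default user groups
            $sql = 'INSERT INTO '.K_TABLE_USERGROUP.' (
                usrgrp_user_id,
                usrgrp_group_id
                ) VALUES (
                \''.$usrid.'\',
                \''.$grpid.'\'
                )';
            if (!$r = F_db_query($sql, $db)) {
                F_display_db_error();
            }
        }
    }
}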
320: 
/**
 * Check if the client has a valid SSL certificate.
 * The check relies entirely on the variables exported by the web server
 * (mod_ssl style SSL_CLIENT_* entries in $_SERVER): the certificate must have
 * been verified by the server (SSL_CLIENT_VERIFY = SUCCESS) and must not
 * have expired (SSL_CLIENT_V_REMAIN greater than 0).
 * @return true if the client has a valid SSL certificate, false otherwise.
 * @author Nicola Asuni
 * @since 2013-03-26
 */
function F_isSslCertificateValid()
{
    // every one of these variables must be present
    $required = array(
        'SSL_CLIENT_M_SERIAL', // serial of the client certificate
        'SSL_CLIENT_I_DN',     // issuer DN of the client certificate
        'SSL_CLIENT_V_END',    // end of the client certificate validity period
        'SSL_CLIENT_VERIFY',   // NONE, SUCCESS, GENEROUS or FAILED:reason
        'SSL_CLIENT_V_REMAIN', // number of days until the client certificate expires
    );
    foreach ($required as $key) {
        if (!isset($_SERVER[$key])) {
            return false;
        }
    }
    // the server must have verified the certificate chain ...
    if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return false;
    }
    // ... and the certificate must still be within its validity period
    if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
        return false;
    }
    return true;
}
342: 
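/**
 * Get the hash code of the specified SSL certificate.
 * The hash is computed over the serial number, the issuer and subject DN
 * fields (C, ST, O, OU, CN, emailAddress, in this order) and the validity end
 * time, concatenated without separators; F_getSSLClientHash() builds the same
 * string from the SSL_CLIENT_* server variables so that the two values can be
 * compared. The hash does not cover the public key or the signature of the
 * certificate, so on its own it only identifies a certificate; the chain
 * verification performed by the web server is checked separately by
 * F_isSslCertificateValid().
 * @param string $cert String containing the certificate data (PKCS#12 container when $pkcs12 is true).
 * @param boolean $pkcs12 Set this variable to true if the certificate is in PKCS12 format.
 * @return array containing the hash code and the validity end date formatted with K_TIMESTAMP_FORMAT.
 *         If the certificate cannot be parsed, the hash covers the current time only and the date is now.
 * @author Nicola Asuni
 * @since 2013-07-01
 */
function F_getSSLCertificateHash($cert, $pkcs12 = false)
{
    if ($pkcs12) {
        $certs = array();
        // the PKCS#12 container is expected to be unprotected (empty password)
        if (openssl_pkcs12_read($cert, $certs, '') and isset($certs['cert'])) {
            $cert = $certs['cert'];
        } else {
            // unreadable container: continue with an empty certificate so that
            // openssl_x509_parse() fails cleanly instead of raising a notice on
            // the missing 'cert' entry
            $cert = '';
        }
    }
    $ssldata = openssl_x509_parse($cert);
    if (!is_array($ssldata)) {
        // openssl_x509_parse() returns false on an invalid certificate
        $ssldata = array();
    }
    $sslhash = '';
    if (isset($ssldata['serialNumber'])) {
        // serial number converted to hexadecimal (bcdechex() is defined elsewhere in the project)
        $sslhash .= bcdechex($ssldata['serialNumber']);
    }
    // issuer and subject DN fields, in the same order used by F_getSSLClientHash()
    $dnfields = array('C', 'ST', 'O', 'OU', 'CN', 'emailAddress');
    foreach (array('issuer', 'subject') as $dn) {
        foreach ($dnfields as $field) {
            if (isset($ssldata[$dn][$field])) {
                $sslhash .= $ssldata[$dn][$field];
            }
        }
    }
    if (isset($ssldata['validTo_time_t'])) {
        $endtime = $ssldata['validTo_time_t'];
    } else {
        $endtime = time();
    }
    $sslhash .= $endtime;
    // md5 is used here as a fingerprint / lookup key, not to protect a secret;
    // changing the algorithm would invalidate every hash already stored.
    return array(md5($sslhash), date(K_TIMESTAMP_FORMAT, $endtime));
}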
381: 
/**
 * Get the hash code for the client certificate.
 * The hash is built from the SSL_CLIENT_* variables exported by the web
 * server (serial, issuer DN fields, subject DN fields, validity end), in the
 * same order used by F_getSSLCertificateHash() on a parsed certificate, so
 * that the two hashes can be compared. Missing variables contribute nothing.
 * @return string containing the hash code.
 * @author Nicola Asuni
 * @since 2013-07-01
 */
function F_getSSLClientHash()
{
    $parts = array();
    // certificate serial, normalized to upper case
    $parts[] = isset($_SERVER['SSL_CLIENT_M_SERIAL']) ? strtoupper($_SERVER['SSL_CLIENT_M_SERIAL']) : '';
    // issuer (I) and subject (S) DN fields
    foreach (array('I', 'S') as $dn) {
        foreach (array('C', 'ST', 'O', 'OU', 'CN', 'Email') as $field) {
            $key = 'SSL_CLIENT_'.$dn.'_DN_'.$field;
            if (isset($_SERVER[$key])) {
                $parts[] = $_SERVER[$key];
            }
        }
    }
    // validity end converted to a unix timestamp (strtotime() returns false,
    // which is joined as an empty string, when the date cannot be parsed)
    $parts[] = isset($_SERVER['SSL_CLIENT_V_END']) ? strtotime($_SERVER['SSL_CLIENT_V_END']) : '';
    return md5(implode('', $parts));
}
407: 
408: //============================================================+
409: // END OF FILE
410: //============================================================+
411: 
 
