hostap/hs20/server/www/est.php

<?php

require('config.php');

$params = explode("/", $_SERVER["PATH_INFO"], 3);
$realm = $params[1];
$cmd = $params[2];
$method = $_SERVER["REQUEST_METHOD"];

unset($user);
unset($rowid);

$db = new PDO($osu_db);
if (!$db) {
  error_log("EST: Could not access database");
  die("Could not access database");
}

if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {
  $needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,
		  'uri'=>1, 'response'=>1);
  $data = array();
  $keys = implode('|', array_keys($needed));
  preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
		 $_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);
  foreach ($matches as $m) {
    $data[$m[1]] = $m[3] ? $m[3] : $m[4];
    unset($needed[$m[1]]);
  }
  if ($needed) {
    error_log("EST: Missing auth parameter");
    die('Authentication failed');
  }
  $user = $data['username'];
  if (strlen($user) < 1) {
    error_log("EST: Empty username");
    die('Authentication failed');
  }

  $sql = "SELECT rowid,password,operation FROM sessions " .
    "WHERE user='$user' AND realm='$realm'";
  $q = $db->query($sql);
  if (!$q) {
    error_log("EST: Session not found for user=$user realm=$realm");
    die("Session not found");
  }
  $row = $q->fetch();
  if (!$row) {
    error_log("EST: Session fetch failed for user=$user realm=$realm");
    die('Session not found');
  }
  $rowid = $row['rowid'];

  $oper = $row['operation'];
  if ($oper != '5') {
    error_log("EST: Unexpected operation $oper for user=$user realm=$realm");
    die("Session not found");
  }
  $pw = $row['password'];
  if (strlen($pw) < 1) {
    error_log("EST: Empty password for user=$user realm=$realm");
    die('Authentication failed');
  }

  $A1 = md5($user . ':' . $realm . ':' . $pw);
  $A2 = md5($method . ':' . $data['uri']);
  $resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
	      $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
  if ($data['response'] != $resp) {
    error_log("EST: Incorrect authentication response for user=$user realm=$realm");
    die('Authentication failed');
  }
} else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) &&
	   $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" &&
	   isset($_SERVER["SSL_CLIENT_M_SERIAL"])) {
  $user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"];
  $sql = "SELECT rowid,password,operation FROM sessions " .
    "WHERE user='$user' AND realm='$realm'";
  $q = $db->query($sql);
  if (!$q) {
    error_log("EST: Session not found for user=$user realm=$realm");
    die("Session not found");
  }
  $row = $q->fetch();
  if (!$row) {
    error_log("EST: Session fetch failed for user=$user realm=$realm");
    die('Session not found');
  }
  $rowid = $row['rowid'];

  $oper = $row['operation'];
  if ($oper != '10') {
    error_log("EST: Unexpected operation $oper for user=$user realm=$realm");
    die("Session not found");
  }
}


if ($method == "GET" && $cmd == "cacerts") {
  $fname = "$osu_root/est/$realm-cacerts.pkcs7";
  if (!file_exists($fname)) {
    error_log("EST: cacerts - unknown realm $realm");
    die("Unknown realm");
  }

  header("Content-Transfer-Encoding: base64");
  header("Content-Type: application/pkcs7-mime");

  $data = file_get_contents($fname);
  echo wordwrap(base64_encode($data), 72, "\n", true);
  echo "\n";
  error_log("EST: cacerts");
} else if ($method == "GET" && $cmd == "csrattrs") {
  header("Content-Transfer-Encoding: base64");
  header("Content-Type: application/csrattrs");
  readfile("$osu_root/est/est-attrs.b64");
  error_log("EST: csrattrs");
} else if ($method == "POST" &&
           ($cmd == "simpleenroll" || $cmd == "simplereenroll")) {
  $reenroll = $cmd == "simplereenroll";
  if (!$reenroll && (!isset($user) || strlen($user) == 0)) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
	   '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    error_log("EST: simpleenroll - require authentication");
    die('Authentication required');
  }
  if ($reenroll &&
      (!isset($user) ||
       !isset($_SERVER["SSL_CLIENT_VERIFY"]) ||
       $_SERVER["SSL_CLIENT_VERIFY"] != "SUCCESS")) {
    header('HTTP/1.1 403 Forbidden');
    error_log("EST: simplereenroll - require certificate authentication");
    die('Authentication required');
  }
  if (!isset($_SERVER["CONTENT_TYPE"])) {
    error_log("EST: simpleenroll without Content-Type");
    die("Missing Content-Type");
  }
  if (!stristr($_SERVER["CONTENT_TYPE"], "application/pkcs10")) {
    error_log("EST: simpleenroll - unexpected Content-Type: " .
	      $_SERVER["CONTENT_TYPE"]);
    die("Unexpected Content-Type");
  }

  $data = file_get_contents("php://input");
  error_log("EST: simpleenroll - POST data from php://input: " . $data);
  $req = base64_decode($data);
  if ($req == FALSE) {
    error_log("EST: simpleenroll - Invalid base64-encoded PKCS#10 data");
    die("Invalid base64-encoded PKCS#10 data");
  }
  $cadir = "$osu_root/est";
  $reqfile = "$cadir/tmp/cert-req.pkcs10";
  $f = fopen($reqfile, "wb");
  fwrite($f, $req);
  fclose($f);

  $req_pem = "$reqfile.pem";
  if (file_exists($req_pem))
    unlink($req_pem);
  exec("openssl req -in $reqfile -inform DER -out $req_pem -outform PEM");
  if (!file_exists($req_pem)) {
    error_log("EST: simpleenroll - Failed to parse certificate request");
    die("Failed to parse certificate request");
  }

  /* FIX: validate request and add HS 2.0 extensions to cert */
  $cert_pem = "$cadir/tmp/req-signed.pem";
  if (file_exists($cert_pem))
    unlink($cert_pem);
  exec("openssl x509 -req -in $req_pem -CAkey $cadir/cakey.pem -out $cert_pem -CA $cadir/cacert.pem -CAserial $cadir/serial -days 365 -text");
  if (!file_exists($cert_pem)) {
    error_log("EST: simpleenroll - Failed to sign certificate");
    die("Failed to sign certificate");
  }

  $cert = file_get_contents($cert_pem);
  $handle = popen("openssl x509 -in $cert_pem -serial -noout", "r");
  $serial = fread($handle, 200);
  pclose($handle);
  $pattern = "/serial=(?P<snhex>[0-9a-fA-F:]*)/m";
  preg_match($pattern, $serial, $matches);
  if (!isset($matches['snhex']) || strlen($matches['snhex']) < 1) {
    error_log("EST: simpleenroll - Could not get serial number");
    die("Could not get serial number");
  }
  $sn = str_replace(":", "", strtoupper($matches['snhex']));

  $user = "cert-$sn";
  error_log("EST: user = $user");

  $cert_der = "$cadir/tmp/req-signed.der";
  if (file_exists($cert_der))
    unlink($cert_der);
  exec("openssl x509 -in $cert_pem -inform PEM -out $cert_der -outform DER");
  if (!file_exists($cert_der)) {
    error_log("EST: simpleenroll - Failed to convert certificate");
    die("Failed to convert certificate");
  }
  $der = file_get_contents($cert_der);
  $fingerprint = hash("sha256", $der);
  error_log("EST: sha256(DER cert): $fingerprint");

  $pkcs7 = "$cadir/tmp/est-client.pkcs7";
  if (file_exists($pkcs7))
    unlink($pkcs7);
  exec("openssl crl2pkcs7 -nocrl -certfile $cert_pem -out $pkcs7 -outform DER");
  if (!file_exists($pkcs7)) {
    error_log("EST: simpleenroll - Failed to prepare PKCS#7 file");
    die("Failed to prepare PKCS#7 file");
  }

  if (!$db->exec("UPDATE sessions SET user='$user', cert='$fingerprint', cert_pem='$cert' WHERE rowid=$rowid")) {
    error_log("EST: simpleenroll - Failed to update session database");
    die("Failed to update session database");
  }

  header("Content-Transfer-Encoding: base64");
  header("Content-Type: application/pkcs7-mime");

  $data = file_get_contents($pkcs7);
  $resp = wordwrap(base64_encode($data), 72, "\n", true);
  echo $resp . "\n";
  error_log("EST: simpleenroll - PKCS#7 response: " . $resp);
} else {
  header("HTTP/1.0 404 Not Found");
  error_log("EST: Unexpected method or path");
  die("Unexpected method or path");
}

?>
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`<?php`

			`require('config.php');`

HS 2.0 server: Replace deprecated PHP function split() Use explode() instead of split() because split() has been removed from PHP 7.0.0 and there is no need for using full regular expression here. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-09-10 22:41:35 +02:00			`$params = explode("/", $_SERVER["PATH_INFO"], 3);`
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`$realm = $params[1];`
			`$cmd = $params[2];`
			`$method = $_SERVER["REQUEST_METHOD"];`

			`unset($user);`
			`unset($rowid);`

HS 2.0 server: Client certificate reenrollment This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-12-04 13:11:39 +01:00			`$db = new PDO($osu_db);`
			`if (!$db) {`
			`error_log("EST: Could not access database");`
			`die("Could not access database");`
			`}`

HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {`
			`$needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,`
			`'uri'=>1, 'response'=>1);`
			`$data = array();`
			`$keys = implode('\|', array_keys($needed));`
			`preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2\|([^\s,]+))@',`
			`$_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);`
			`foreach ($matches as $m) {`
			`$data[$m[1]] = $m[3] ? $m[3] : $m[4];`
			`unset($needed[$m[1]]);`
			`}`
			`if ($needed) {`
			`error_log("EST: Missing auth parameter");`
			`die('Authentication failed');`
			`}`
			`$user = $data['username'];`
			`if (strlen($user) < 1) {`
			`error_log("EST: Empty username");`
			`die('Authentication failed');`
			`}`

			`$sql = "SELECT rowid,password,operation FROM sessions " .`
			`"WHERE user='$user' AND realm='$realm'";`
			`$q = $db->query($sql);`
			`if (!$q) {`
			`error_log("EST: Session not found for user=$user realm=$realm");`
			`die("Session not found");`
			`}`
			`$row = $q->fetch();`
			`if (!$row) {`
			`error_log("EST: Session fetch failed for user=$user realm=$realm");`
			`die('Session not found');`
			`}`
			`$rowid = $row['rowid'];`

			`$oper = $row['operation'];`
			`if ($oper != '5') {`
			`error_log("EST: Unexpected operation $oper for user=$user realm=$realm");`
			`die("Session not found");`
			`}`
			`$pw = $row['password'];`
			`if (strlen($pw) < 1) {`
			`error_log("EST: Empty password for user=$user realm=$realm");`
			`die('Authentication failed');`
			`}`

			`$A1 = md5($user . ':' . $realm . ':' . $pw);`
			`$A2 = md5($method . ':' . $data['uri']);`
			`$resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .`
			`$data['cnonce'] . ':' . $data['qop'] . ':' . $A2);`
			`if ($data['response'] != $resp) {`
			`error_log("EST: Incorrect authentication response for user=$user realm=$realm");`
			`die('Authentication failed');`
			`}`
HS 2.0 server: Client certificate reenrollment This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-12-04 13:11:39 +01:00			`} else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) &&`
			`$_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" &&`
			`isset($_SERVER["SSL_CLIENT_M_SERIAL"])) {`
			`$user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"];`
			`$sql = "SELECT rowid,password,operation FROM sessions " .`
			`"WHERE user='$user' AND realm='$realm'";`
			`$q = $db->query($sql);`
			`if (!$q) {`
			`error_log("EST: Session not found for user=$user realm=$realm");`
			`die("Session not found");`
			`}`
			`$row = $q->fetch();`
			`if (!$row) {`
			`error_log("EST: Session fetch failed for user=$user realm=$realm");`
			`die('Session not found');`
			`}`
			`$rowid = $row['rowid'];`

			`$oper = $row['operation'];`
			`if ($oper != '10') {`
			`error_log("EST: Unexpected operation $oper for user=$user realm=$realm");`
			`die("Session not found");`
			`}`
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`}`


			`if ($method == "GET" && $cmd == "cacerts") {`
			`$fname = "$osu_root/est/$realm-cacerts.pkcs7";`
			`if (!file_exists($fname)) {`
			`error_log("EST: cacerts - unknown realm $realm");`
			`die("Unknown realm");`
			`}`

			`header("Content-Transfer-Encoding: base64");`
			`header("Content-Type: application/pkcs7-mime");`

			`$data = file_get_contents($fname);`
			`echo wordwrap(base64_encode($data), 72, "\n", true);`
			`echo "\n";`
			`error_log("EST: cacerts");`
			`} else if ($method == "GET" && $cmd == "csrattrs") {`
			`header("Content-Transfer-Encoding: base64");`
			`header("Content-Type: application/csrattrs");`
			`readfile("$osu_root/est/est-attrs.b64");`
			`error_log("EST: csrattrs");`
HS 2.0 server: Client certificate reenrollment This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-12-04 13:11:39 +01:00			`} else if ($method == "POST" &&`
			`($cmd == "simpleenroll" \|\| $cmd == "simplereenroll")) {`
			`$reenroll = $cmd == "simplereenroll";`
			`if (!$reenroll && (!isset($user) \|\| strlen($user) == 0)) {`
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`header('HTTP/1.1 401 Unauthorized');`
			`header('WWW-Authenticate: Digest realm="'.$realm.`
			`'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');`
			`error_log("EST: simpleenroll - require authentication");`
			`die('Authentication required');`
			`}`
HS 2.0 server: Client certificate reenrollment This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-12-04 13:11:39 +01:00			`if ($reenroll &&`
			`(!isset($user) \|\|`
			`!isset($_SERVER["SSL_CLIENT_VERIFY"]) \|\|`
			`$_SERVER["SSL_CLIENT_VERIFY"] != "SUCCESS")) {`
			`header('HTTP/1.1 403 Forbidden');`
			`error_log("EST: simplereenroll - require certificate authentication");`
			`die('Authentication required');`
			`}`
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00			`if (!isset($_SERVER["CONTENT_TYPE"])) {`
			`error_log("EST: simpleenroll without Content-Type");`
			`die("Missing Content-Type");`
			`}`
			`if (!stristr($_SERVER["CONTENT_TYPE"], "application/pkcs10")) {`
			`error_log("EST: simpleenroll - unexpected Content-Type: " .`
			`$_SERVER["CONTENT_TYPE"]);`
			`die("Unexpected Content-Type");`
			`}`

			`$data = file_get_contents("php://input");`
			`error_log("EST: simpleenroll - POST data from php://input: " . $data);`
			`$req = base64_decode($data);`
			`if ($req == FALSE) {`
			`error_log("EST: simpleenroll - Invalid base64-encoded PKCS#10 data");`
			`die("Invalid base64-encoded PKCS#10 data");`
			`}`
			`$cadir = "$osu_root/est";`
			`$reqfile = "$cadir/tmp/cert-req.pkcs10";`
			`$f = fopen($reqfile, "wb");`
			`fwrite($f, $req);`
			`fclose($f);`

			`$req_pem = "$reqfile.pem";`
			`if (file_exists($req_pem))`
			`unlink($req_pem);`
			`exec("openssl req -in $reqfile -inform DER -out $req_pem -outform PEM");`
			`if (!file_exists($req_pem)) {`
			`error_log("EST: simpleenroll - Failed to parse certificate request");`
			`die("Failed to parse certificate request");`
			`}`

			`/* FIX: validate request and add HS 2.0 extensions to cert */`
			`$cert_pem = "$cadir/tmp/req-signed.pem";`
			`if (file_exists($cert_pem))`
			`unlink($cert_pem);`
			`exec("openssl x509 -req -in $req_pem -CAkey $cadir/cakey.pem -out $cert_pem -CA $cadir/cacert.pem -CAserial $cadir/serial -days 365 -text");`
			`if (!file_exists($cert_pem)) {`
			`error_log("EST: simpleenroll - Failed to sign certificate");`
			`die("Failed to sign certificate");`
			`}`

			`$cert = file_get_contents($cert_pem);`
			`$handle = popen("openssl x509 -in $cert_pem -serial -noout", "r");`
			`$serial = fread($handle, 200);`
			`pclose($handle);`
			`$pattern = "/serial=(?P<snhex>[0-9a-fA-F:]*)/m";`
			`preg_match($pattern, $serial, $matches);`
			`if (!isset($matches['snhex']) \|\| strlen($matches['snhex']) < 1) {`
			`error_log("EST: simpleenroll - Could not get serial number");`
			`die("Could not get serial number");`
			`}`
			`$sn = str_replace(":", "", strtoupper($matches['snhex']));`

			`$user = "cert-$sn";`
			`error_log("EST: user = $user");`

			`$cert_der = "$cadir/tmp/req-signed.der";`
			`if (file_exists($cert_der))`
			`unlink($cert_der);`
			`exec("openssl x509 -in $cert_pem -inform PEM -out $cert_der -outform DER");`
			`if (!file_exists($cert_der)) {`
			`error_log("EST: simpleenroll - Failed to convert certificate");`
			`die("Failed to convert certificate");`
			`}`
			`$der = file_get_contents($cert_der);`
			`$fingerprint = hash("sha256", $der);`
HS 2.0 server: Client certificate reenrollment This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version. Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2018-12-04 13:11:39 +01:00			`error_log("EST: sha256(DER cert): $fingerprint");`
HS 2.0R2: Add example OSU SPP server implementation This is meant mainly for testing purposes and as a reference implementation showing how OSU SPP server could be implemented. This is not suitable for any real production use in its current form. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-03-28 09:27:27 +01:00
			`$pkcs7 = "$cadir/tmp/est-client.pkcs7";`
			`if (file_exists($pkcs7))`
			`unlink($pkcs7);`
			`exec("openssl crl2pkcs7 -nocrl -certfile $cert_pem -out $pkcs7 -outform DER");`
			`if (!file_exists($pkcs7)) {`
			`error_log("EST: simpleenroll - Failed to prepare PKCS#7 file");`
			`die("Failed to prepare PKCS#7 file");`
			`}`

			`if (!$db->exec("UPDATE sessions SET user='$user', cert='$fingerprint', cert_pem='$cert' WHERE rowid=$rowid")) {`
			`error_log("EST: simpleenroll - Failed to update session database");`
			`die("Failed to update session database");`
			`}`

			`header("Content-Transfer-Encoding: base64");`
			`header("Content-Type: application/pkcs7-mime");`

			`$data = file_get_contents($pkcs7);`
			`$resp = wordwrap(base64_encode($data), 72, "\n", true);`
			`echo $resp . "\n";`
			`error_log("EST: simpleenroll - PKCS#7 response: " . $resp);`
			`} else {`
			`header("HTTP/1.0 404 Not Found");`
			`error_log("EST: Unexpected method or path");`
			`die("Unexpected method or path");`
			`}`

			`?>`