* SAML: generate a self-signed certificate (not just the public key)

This commit is contained in:
ralf 2022-07-11 20:27:26 +02:00
parent 0ca7508cd3
commit 733770ea36


@ -650,37 +650,40 @@ class Saml implements BackendSSO
} }
} }
// create a default configuration // create a key-pair, if not existing
if (!file_exists($config_dir.'/config.php') || filesize($config_dir.'/config.php') < 1000)
{
// create a key-pair
$cert_dir = $config_dir.'/cert'; $cert_dir = $config_dir.'/cert';
$private_key_path = $cert_dir.'/saml.pem'; $private_key_path = $cert_dir.'/saml.pem';
$public_key_path = $cert_dir.'/saml.crt'; $public_key_path = $cert_dir.'/saml.crt';
if (!file_exists($private_key_path) || !file_exists($public_key_path)) if (!file_exists($private_key_path) || !file_exists($public_key_path) ||
!preg_match('/^-----BEGIN CERTIFICATE-----$/m', file_get_contents($public_key_path)))
{ {
// Create the private and public key $config = [
$res = openssl_pkey_new([
"digest_alg" => "sha512", "digest_alg" => "sha512",
"private_key_bits" => 2048, "private_key_bits" => 2048,
"private_key_type" => OPENSSL_KEYTYPE_RSA, "private_key_type" => OPENSSL_KEYTYPE_RSA,
]); ];
// Read or generate the private key
if ($res === false) if ((!file_exists($private_key_path) ||
($pkey = openssl_pkey_get_private(file_get_contents($private_key_path))) === false) &&
($pkey = openssl_pkey_new($config)) === false)
{ {
throw new Exception('Error generating key-pair!'); throw new Exception('Error generating key-pair!');
} }
// generate CSR and self-sign it
if (($csr = openssl_csr_new([
'commonName' => Api\Header\Http::host(),
], $pkey, $config)) === false ||
($cert = openssl_csr_sign($csr, null, $pkey, 3650, $config)) === false)
{
throw new Exception('Error self-signing cert!');
}
// Extract the public key from $res to $pubKey // Extract the public key from $res to $pubKey
$details = openssl_pkey_get_details($res); if (openssl_x509_export_to_file($cert, $public_key_path) === false ||
// Extract the private key
// Extract the private key from $res openssl_pkey_export_to_file($pkey, $private_key_path) === false) // ToDo: db-password as passphrase
$public_key = null;
openssl_pkey_export($res, $public_key); // ToDo: db-password as passphrase
if (!file_put_contents($public_key_path, $details["key"]) ||
!file_put_contents($private_key_path, $public_key.$details["key"]))
{ {
throw new Exception('Error storing key-pair!'); throw new Exception('Error storing key-pair!');
} }
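Review bot: `openssl_pkey_export_to_file($pkey, $private_key_path)` creates the key file with the process umask, and only the `chmod($private_key_path, 0600)` visible as context in the following hunk tightens it afterwards, so the unencrypted private key can briefly be readable by other local users; creating the file with restrictive permissions before the export (`touch($private_key_path); chmod($private_key_path, 0600);`), or exporting to a temporary file and renaming it into place, closes that window, and the carried-over `// ToDo: db-password as passphrase` still stands. The certificate's `commonName` is taken from `Api\Header\Http::host()`; if that value is derived from the request's Host header, the subject of the long-lived (3650 days) self-signed certificate is decided by whichever request happens to trigger generation, so using the configured server URL or validating the host against an allow-list would be safer. The comment `// Extract the public key from $res to $pubKey` no longer describes the code, which now writes the certificate and the private key; replace it with `// write the self-signed certificate and the private key to the cert directory`. Both exception branches discard the OpenSSL error detail; appending `openssl_error_string()` to the messages, e.g. `throw new Exception('Error self-signing cert! '.openssl_error_string());`, would make failed generation diagnosable.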
@ -690,6 +693,9 @@ class Saml implements BackendSSO
chmod($private_key_path, 0600); chmod($private_key_path, 0600);
} }
// create a default configuration
if (!file_exists($config_dir.'/config.php') || filesize($config_dir.'/config.php') < 1000)
{
$simplesaml_dir = EGW_SERVER_ROOT.'/vendor/simplesamlphp/simplesamlphp'; $simplesaml_dir = EGW_SERVER_ROOT.'/vendor/simplesamlphp/simplesamlphp';
foreach(glob($simplesaml_dir.'/config-templates/*.php') as $path) foreach(glob($simplesaml_dir.'/config-templates/*.php') as $path)