You are here

SelfSigned.php in Aegir HTTPS 7.3

File

submodules/self_signed/drush/Provision/Service/Certificate/SelfSigned.php
View source
<?php

/**
 *   A SelfSigned implementation of the Certificate service type.
 */
class Provision_Service_Certificate_SelfSigned extends Provision_Service_Certificate {
  public $service = 'SelfSigned';
  public $can_generate_default = TRUE;

  /**
   * Initialize this class, including option handling.
   */
  function init_server() {
    parent::init_server();

    /**
     * Register configuration classes for the create_config / delete_config methods.
     */
    $this->configs['server'][] = 'Provision_Config_SelfSigned';

    /**
     * Configurable values.
     */
    $this->server
      ->setProperty('self_signed_field', 'default');

    /**
     * Non configurable values.
     */
    $this->server->self_signed_config_path = $this->server->aegir_root . '/config/self_signed.d';
  }

  /**
   * Pass additional values to the config file templates.
   *
   * Even though the $server variable will be available in your template files,
   * you may wish to pass additional calculated values to your template files.
   *
   * Consider this something like the hook_preprocess stuff in drupal.
   */
  function config_data($config = null, $class = null) {

    // This format of calling the parent is very important!
    $data = parent::config_data($config, $class);

    /**
     * This value will become available as $self_signed_current_time
     * in all the config files generated by this service.
     *
     * You could also choose to only conditionally pass values based on
     * the parameters.
     */
    $data['self_signed_current_time'] = date(DATE_COOKIE, time());
    return $data;
  }

  /**
   * Return the path where we'll generate our certificates.
   */
  function get_source_path($https_key) {
    return "{$this->server->self_signed_config_path}/{$https_key}";
  }

  /**
   * Retrieve an array containing the actual files for this https_key.
   */
  function get_certificates($https_key) {
    $certs = parent::get_certificates($https_key);

    // This method is not strictly required, since it's just calling the parent
    // implementation. However, for illustrative purposes, this is where we'd
    // alter certificate paths, if we wanted to.
    return $certs;
  }

  /**
   * Retrieve an array containing source and target paths for this https_key.
   */
  function get_certificate_paths($https_key) {
    $source_path = $this
      ->get_source_path($https_key);
    $target_path = "{$this->server->http_ssld_path}/{$https_key}";
    $certs = array();
    $certs['https_cert_key_source'] = "{$source_path}/openssl.key";
    $certs['https_cert_key'] = "{$target_path}/openssl.key";
    $certs['https_cert_source'] = "{$source_path}/openssl.crt";
    $certs['https_cert'] = "{$target_path}/openssl.crt";
    return $certs;
  }

  /**
   * Generate a self-signed certificate for the provided key.
   *
   * Because we only generate certificates for sites we make some assumptions
   * based on the uri, but this cert may be replaced by the admin if they
   * already have an existing certificate.
   */
  function generate_certificates($https_key) {
    $path = $this
      ->get_source_path($https_key);
    provision_file()
      ->create_dir($path, dt("HTTPS certificate directory for %https_key", array(
      '%https_key' => $https_key,
    )), 0700);
    if (provision_file()
      ->exists($path)
      ->status()) {
      drush_log(dt('generating 2048 bit RSA key in %path/', array(
        '%path' => $path,
      )));

      /*
       * according to RSA security and most sites I could read, 1024
       * was recommended until 2010-2015 and 2048 is now the
       * recommended length for more sensitive data. we are therefore
       * taking the safest route.
       *
       * http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
       * http://www.vocal.com/cryptography/rsa-key-size-selection/
       * https://en.wikipedia.org/wiki/Key_size#Key_size_and_encryption_system
       * http://www.redkestrel.co.uk/Articles/CSR.html
       */
      drush_shell_exec('openssl genrsa -out %s/openssl.key 2048', $path) || drush_set_error('HTTPS_KEY_GEN_FAIL', dt('failed to generate HTTPS key in %path', array(
        '%path' => $path . '/openssl.key',
      )));

      // Generate the CSR to make the key certifiable by third parties
      $domain = $https_key == 'default' ? 'default.invalid' : d()->uri;
      $ident = "/CN={$domain}/emailAddress=abuse@{$domain}";
      drush_shell_exec("openssl req -new -subj '%s' -key %s/openssl.key -out %s/openssl.csr -batch", $ident, $path, $path) || drush_log(dt('failed to generate signing request for certificate in %path', array(
        '%path' => $path . '/openssl.csr',
      )));

      // sign the certificate with itself, generating a self-signed
      // certificate. this will make a SHA1 certificate by default in
      // current OpenSSL.
      drush_shell_exec("openssl x509 -req -days 365 -in %s/openssl.csr -signkey %s/openssl.key  -out %s/openssl.crt", $path, $path, $path) || drush_set_error('HTTPS_CERT_GEN_FAIL', dt('failed to generate self-signed certificate in %path', array(
        '%path' => $path . '/openssl.crt',
      )));
    }
  }

}

Classes

Namesort descending Description
Provision_Service_Certificate_SelfSigned A SelfSigned implementation of the Certificate service type.