Initial commit
Change-Id: I6a4444e3c193dae437cd7929f4c39aba7b749efa
diff --git a/contrib/PKI/phpki-0.82.patch b/contrib/PKI/phpki-0.82.patch
new file mode 100644
index 0000000..e954d88
--- /dev/null
+++ b/contrib/PKI/phpki-0.82.patch
@@ -0,0 +1,284 @@
+diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php
+--- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900
++++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900
+@@ -36,7 +36,7 @@
+ else {
+ ?>
+ <font color=#ff0000>
+- <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
++ <h2>There was an error updating the Certificate Revocation List.</h2></font><br />
+ <blockquote>
+ <h3>Debug Info:</h3>
+ <pre><?=$errtxt?></pre>
+@@ -53,8 +53,11 @@
+ default:
+ printHeader('ca');
+ ?>
+- <br>
+- <br>
++ <br />
++ <br />
++
++ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br />
++
+ <center>
+ <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
+
+@@ -89,7 +92,57 @@
+
+ </table>
+ </center>
+- <br><br>
++ <br /><br />
++ <center>
++ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th>
++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
++ Create a new certificate</td>
++
++ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow:
++ <ul>
++ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li>
++ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li>
++ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li>
++ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br />
++ The password must be >= 8 chars.</li>
++ <li>The other fields can be filled at your taste.</li>
++ </ul>
++ Once you have validated, you can check the values, and then proceed to download the new certificate and private key.
++ You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>.
++ It contains:
++ <ul>
++ <li>Your password-protected RSA private key.</li>
++ <li>Your certificate in PEM format.</li>
++ <li>The CA certificate.</li>
++ </ul></td></tr>
++
++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
++ Split the file</td>
++
++ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow:
++ <ul>
++ <li><strong>Decode the private key</strong>: <br />
++ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br />
++ OpenSSL will ask for the password you entered when creating the certificate.</li>
++ <li><strong>Extract your certificate</strong>: <br />
++ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li>
++ <li><strong>Get the CA certificate</strong>: <br />
++ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li>
++ </ul>
++ Note: for the last step, you could also extract it directly from the PEM file you received.<br />
++ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr>
++
++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
++ Configure freeDiameter</td>
++
++ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file:
++ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br />
++TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr>
++
++
++ </table>
++ </center>
++ <br /><br />
+ <?
+ printFooter();
+ }
+diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php
+--- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900
++++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900
+@@ -197,6 +197,7 @@
+
+ switch($cert_type) {
+ case 'server':
++ case 'freediameter':
+ upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
+ break;
+ case 'email':
+@@ -225,7 +226,7 @@
+ if (! $email) $email = "";
+ if (! $expiry) $expiry = 1;
+ if (! $keysize) $keysize = 1024;
+- if (! $cert_type) $cert_type = 'email';
++ if (! $cert_type) $cert_type = 'freediameter';
+
+ printHeader();
+ ?>
+@@ -302,13 +303,14 @@
+ <td>Certificate Use: </td>
+ <td><select name=cert_type>
+ <?
+- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
+- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
+- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
+- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
+- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
+- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
+- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
++ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
++ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
++ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
++ print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>';
++ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
++ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
++ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
++ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
+ ?>
+ </select></td>
+ </tr>
+diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php
+--- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900
++++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900
+@@ -69,6 +69,13 @@
+ default_days = 365
+ policy = policy_supplied
+
++[ freediameter_cert ]
++x509_extensions = freediameter_ext
++default_days = 730
++policy = policy_supplied
++
++
++
+ [ vpn_cert ]
+ x509_extensions = vpn_client_server_ext
+ default_days = 365
+@@ -152,6 +159,24 @@
+ nsRevocationUrl = ns_revoke_query.php?
+ nsCaPolicyUrl = $config[base_url]policy.html
+
++[ freediameter_ext ]
++basicConstraints = CA:false
++keyUsage = critical, digitalSignature, keyEncipherment
++extendedKeyUsage = critical, serverAuth, clientAuth
++nsCertType = critical, server, client
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer:always
++subjectAltName = DNS:$common_name,email:copy
++issuerAltName = issuer:copy
++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
++nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\"
++nsBaseUrl = $config[base_url]
++nsRevocationUrl = ns_revoke_query.php?
++nsCaPolicyUrl = $config[base_url]policy.html
++
++
++
++
+ [ time_stamping_ext ]
+ basicConstraints = CA:false
+ keyUsage = critical, nonRepudiation, digitalSignature
+diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf
+--- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900
++++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900
+@@ -39,6 +39,11 @@
+ default_days = 365
+ policy = policy_supplied
+
++[ freediameter_cert ]
++x509_extensions = freediameter_ext
++default_days = 730
++policy = policy_supplied
++
+ [ vpn_cert ]
+ x509_extensions = vpn_client_server_ext
+ default_days = 365
+@@ -115,6 +120,23 @@
+ nsRevocationUrl = ns_revoke_query.php?
+ nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
+
++[ freediameter_ext ]
++basicConstraints = CA:false
++keyUsage = critical, digitalSignature, keyEncipherment
++extendedKeyUsage = critical, serverAuth, clientAuth
++nsCertType = critical, server, client
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer:always
++subjectAltName = DNS:$common_name,email:copy
++issuerAltName = issuer:copy
++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
++nsBaseUrl = $config[base_url]
++nsRevocationUrl = ns_revoke_query.php?
++nsCaPolicyUrl = $config[base_url]policy.html
++
++
++
+ [ vpn_client_ext ]
+ basicConstraints = critical, CA:false
+ keyUsage = critical, digitalSignature
+diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php
+--- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900
++++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900
+@@ -339,6 +339,11 @@
+ default_days = 365
+ policy = policy_supplied
+
++[ freediameter_cert ]
++x509_extensions = freediameter_ext
++default_days = 730
++policy = policy_supplied
++
+ [ vpn_cert ]
+ x509_extensions = vpn_client_server_ext
+ default_days = 365
+@@ -418,6 +423,22 @@
+ nsRevocationUrl = ns_revoke_query.php?
+ nsCaPolicyUrl = $config[base_url]policy.html
+
++[ freediameter_ext ]
++basicConstraints = CA:false
++keyUsage = critical, digitalSignature, keyEncipherment
++extendedKeyUsage = critical, serverAuth, clientAuth
++nsCertType = critical, server, client
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer:always
++subjectAltName = DNS:$common_name,email:copy
++issuerAltName = issuer:copy
++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
++nsBaseUrl = $config[base_url]
++nsRevocationUrl = ns_revoke_query.php?
++nsCaPolicyUrl = $config[base_url]policy.html
++
++
+ [ time_stamping_ext ]
+ basicConstraints = CA:false
+ keyUsage = critical, nonRepudiation, digitalSignature
+diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup
+--- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900
++++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900
+@@ -339,6 +339,11 @@
+ default_days = 365
+ policy = policy_supplied
+
++[ freediameter_cert ]
++x509_extensions = freediameter_ext
++default_days = 730
++policy = policy_supplied
++
+ [ vpn_cert ]
+ x509_extensions = vpn_client_server_ext
+ default_days = 365
+@@ -418,6 +423,22 @@
+ nsRevocationUrl = ns_revoke_query.php?
+ nsCaPolicyUrl = $config[base_url]policy.html
+
++[ freediameter_ext ]
++basicConstraints = CA:false
++keyUsage = critical, digitalSignature, keyEncipherment
++extendedKeyUsage = critical, serverAuth, clientAuth
++nsCertType = critical, server, client
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer:always
++subjectAltName = DNS:$common_name,email:copy
++issuerAltName = issuer:copy
++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
++nsBaseUrl = $config[base_url]
++nsRevocationUrl = ns_revoke_query.php?
++nsCaPolicyUrl = $config[base_url]policy.html
++
++
+ [ time_stamping_ext ]
+ basicConstraints = CA:false
+ keyUsage = critical, nonRepudiation, digitalSignature