MISP/app/Lib/Tools/SyncTool.php

<?php

class SyncTool
{
    /**
     * Take a server as parameter and return a HttpSocket object using the ssl options defined in the server settings
     * @param array|null $server
     * @param false $timeout
     * @param string $model
     * @return HttpSocketExtended
     * @throws Exception
     */
    public function setupHttpSocket($server = null, $timeout = false, $model = 'Server')
    {
        $params = ['compress' => true];
        if (!empty($server)) {
            if (!empty($server[$model]['cert_file'])) {
                $params['ssl_cafile'] = APP . "files" . DS . "certs" . DS . $server[$model]['id'] . '.pem';
            }
            if (!empty($server[$model]['client_cert_file'])) {
                $params['ssl_local_cert'] = APP . "files" . DS . "certs" . DS . $server[$model]['id'] . '_client.pem';
            }
            if (!empty($server[$model]['self_signed'])) {
                $params['ssl_allow_self_signed'] = true;
                $params['ssl_verify_peer_name'] = false;
                if (!isset($server[$model]['cert_file'])) {
                    $params['ssl_verify_peer'] = false;
                }
            }
            if (!empty($server[$model]['skip_proxy'])) {
                $params['skip_proxy'] = 1;
            }
            if (!empty($timeout)) {
                $params['timeout'] = $timeout;
            }
        }

        return $this->createHttpSocket($params);
    }

    public function setupHttpSocketFeed($feed = null)
    {
        return $this->createHttpSocket(['compress' => true]);
    }

    /**
     * @param array $params
     * @return HttpSocketExtended
     * @throws Exception
     */
    public function createHttpSocket($params = array())
    {
        // Use own CA PEM file
        $caPath = Configure::read('MISP.ca_path');
        if (!isset($params['ssl_cafile']) && $caPath) {
            if (!file_exists($caPath)) {
                throw new Exception("CA file '$caPath' doesn't exists.");
            }
            $params['ssl_cafile'] = $caPath;
        }

        App::uses('HttpSocketExtended', 'Tools');
        $HttpSocket = new HttpSocketExtended($params);
        $proxy = Configure::read('Proxy');
        if (empty($params['skip_proxy']) && isset($proxy['host']) && !empty($proxy['host'])) {
            $HttpSocket->configProxy($proxy['host'], $proxy['port'], $proxy['method'], $proxy['user'], $proxy['password']);
        }
        return $HttpSocket;
    }

    /**
     * @param array $server
     * @return array|void
     * @throws Exception
     */
    public static function getServerClientCertificateInfo(array $server)
    {
        if (!$server['Server']['client_cert_file']) {
            return;
        }

        $clientCertificate = new File(APP . "files" . DS . "certs" . DS . $server['Server']['id'] . '_client.pem');
        if (!$clientCertificate->exists()) {
            throw new Exception("Certificate file '{$clientCertificate->pwd()}' doesn't exists.");
        }

        $certificateContent = $clientCertificate->read();
        if ($certificateContent === false) {
            throw new Exception("Could not read '{$clientCertificate->pwd()}' file with client certificate.");
        }

        return self::getClientCertificateInfo($certificateContent);
    }

    /**
     * @param array $server
     * @return array|void
     * @throws Exception
     */
    public static function getServerCaCertificateInfo(array $server)
    {
        if (!$server['Server']['cert_file']) {
            return;
        }

        $caCertificate = new File(APP . "files" . DS . "certs" . DS . $server['Server']['id'] . '.pem');
        if (!$caCertificate->exists()) {
            throw new Exception("Certificate file '{$caCertificate->pwd()}' doesn't exists.");
        }

        $certificateContent = $caCertificate->read();
        if ($certificateContent === false) {
            throw new Exception("Could not read '{$caCertificate->pwd()}' file with certificate.");
        }

        $certificate = openssl_x509_read($certificateContent);
        if (!$certificate) {
            throw new Exception("Couldn't read certificate: " . openssl_error_string());
        }

        return self::parseCertificate($certificate);
    }

    /**
     * @param string $certificateContent PEM encoded certificate and private key.
     * @return array
     * @throws Exception
     */
    private static function getClientCertificateInfo($certificateContent)
    {
        $certificate = openssl_x509_read($certificateContent);
        if (!$certificate) {
            throw new Exception("Couldn't read certificate: " . openssl_error_string());
        }
        $privateKey = openssl_pkey_get_private($certificateContent);
        if (!$privateKey) {
            throw new Exception("Couldn't get private key from certificate: " . openssl_error_string());
        }
        $verify = openssl_x509_check_private_key($certificate, $privateKey);
        if (!$verify) {
            throw new Exception('Public and private key do not match.');
        }
        return self::parseCertificate($certificate);
    }

    /**
     * @param mixed $certificate
     * @return array
     * @throws Exception
     */
    private static function parseCertificate($certificate)
    {
        $parsed = openssl_x509_parse($certificate);
        if (!$parsed) {
            throw new Exception("Couldn't get parse X.509 certificate: " . openssl_error_string());
        }
        $currentTime = new DateTime();
        $output = [
            'serial_number' => $parsed['serialNumberHex'],
            'signature_type' => $parsed['signatureTypeSN'],
            'valid_from' => isset($parsed['validFrom_time_t']) ? new DateTime("@{$parsed['validFrom_time_t']}") : null,
            'valid_to' => isset($parsed['validTo_time_t']) ? new DateTime("@{$parsed['validTo_time_t']}") : null,
            'public_key_size' => null,
            'public_key_type' => null,
            'public_key_size_ok' => null,
        ];

        $output['valid_from_ok'] = $output['valid_from'] ? ($output['valid_from'] <= $currentTime) : null;
        $output['valid_to_ok'] = $output['valid_to'] ? ($output['valid_to'] >= $currentTime) : null;

        $subject = [];
        foreach ($parsed['subject'] as $type => $value) {
            $subject[] = "$type=$value";
        }
        $output['subject'] = implode(', ', $subject);

        $issuer = [];
        foreach ($parsed['issuer'] as $type => $value) {
            $issuer[] = "$type=$value";
        }
        $output['issuer'] = implode(', ', $issuer);

        $publicKey = openssl_pkey_get_public($certificate);
        if ($publicKey) {
            $publicKeyDetails = openssl_pkey_get_details($publicKey);
            if ($publicKeyDetails) {
                $output['public_key_size'] = $publicKeyDetails['bits'];
                switch ($publicKeyDetails['type']) {
                    case OPENSSL_KEYTYPE_RSA:
                        $output['public_key_type'] = 'RSA';
                        $output['public_key_size_ok'] = $output['public_key_size'] >= 2048;
                        break;
                    case OPENSSL_KEYTYPE_DSA:
                        $output['public_key_type'] = 'DSA';
                        $output['public_key_size_ok'] = $output['public_key_size'] >= 2048;
                        break;
                    case OPENSSL_KEYTYPE_DH:
                        $output['public_key_type'] = 'DH';
                        break;
                    case OPENSSL_KEYTYPE_EC:
                        $output['public_key_type'] = "EC ({$publicKeyDetails['ec']['curve_name']})";
                        $output['public_key_size_ok'] = $output['public_key_size'] >= 224;
                        break;
                }
            }
        }

        return $output;
    }
}
SSL certificate changes - you can now upload a certificate file and allow a server link to use a provided self signed certificate. This should solve the issues that some organisations are having when trying to connect their instances 2014-01-16 08:47:25 +01:00			`<?php`

chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`class SyncTool`
			`{`
new: [feed] Support brotli compression 2021-01-05 16:45:25 +01:00			`/**`
			`* Take a server as parameter and return a HttpSocket object using the ssl options defined in the server settings`
			`* @param array\|null $server`
			`* @param false $timeout`
			`* @param string $model`
			`* @return HttpSocketExtended`
			`* @throws Exception`
			`*/`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`public function setupHttpSocket($server = null, $timeout = false, $model = 'Server')`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`{`
new: [sync] Enable compression for server sync 2021-01-06 10:23:00 +01:00			`$params = ['compress' => true];`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`if (!empty($server)) {`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`if (!empty($server[$model]['cert_file'])) {`
			`$params['ssl_cafile'] = APP . "files" . DS . "certs" . DS . $server[$model]['id'] . '.pem';`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`}`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`if (!empty($server[$model]['client_cert_file'])) {`
			`$params['ssl_local_cert'] = APP . "files" . DS . "certs" . DS . $server[$model]['id'] . '_client.pem';`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`}`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`if (!empty($server[$model]['self_signed'])) {`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`$params['ssl_allow_self_signed'] = true;`
			`$params['ssl_verify_peer_name'] = false;`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`if (!isset($server[$model]['cert_file'])) {`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`$params['ssl_verify_peer'] = false;`
			`}`
			`}`
chg: [synctool] added custom model support for the setuphttpsocket() function 2020-11-30 23:37:59 +01:00			`if (!empty($server[$model]['skip_proxy'])) {`
fix: [proxy] Skip_proxy was broken up until now, fixes #5324 - was simply ignored, added the hook for it for the sync tool 2019-11-08 10:06:44 +01:00			`$params['skip_proxy'] = 1;`
			`}`
fix: [synctool] tests improved 2020-03-02 23:09:47 +01:00			`if (!empty($timeout)) {`
			`$params['timeout'] = $timeout;`
			`}`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`}`
new: [internal] Allow to use custom CA 2019-09-26 14:26:58 +02:00
			`return $this->createHttpSocket($params);`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`}`
remove whitespace (space/tab) from empty lines 2016-06-04 01:08:16 +02:00
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`public function setupHttpSocketFeed($feed = null)`
			`{`
new: [feed] Support brotli compression 2021-01-05 16:45:25 +01:00			`return $this->createHttpSocket(['compress' => true]);`
new: [internal] Allow to use custom CA 2019-09-26 14:26:58 +02:00			`}`

			`/**`
			`* @param array $params`
new: [feed] Support brotli compression 2021-01-05 16:45:25 +01:00			`* @return HttpSocketExtended`
new: [internal] Allow to use custom CA 2019-09-26 14:26:58 +02:00			`* @throws Exception`
			`*/`
new: [SightingDB] Added integration with SightingDB - Added configuration tool - Added lookups from the event view - Added includeSightingdb flag for the restSearch searches - Added SightingDB search tool - Added SightingDB connection test tool 2019-11-06 21:20:04 +01:00			`public function createHttpSocket($params = array())`
new: [internal] Allow to use custom CA 2019-09-26 14:26:58 +02:00			`{`
			`// Use own CA PEM file`
			`$caPath = Configure::read('MISP.ca_path');`
			`if (!isset($params['ssl_cafile']) && $caPath) {`
			`if (!file_exists($caPath)) {`
			`throw new Exception("CA file '$caPath' doesn't exists.");`
			`}`
			`$params['ssl_cafile'] = $caPath;`
			`}`

new: [feed] Support brotli compression 2021-01-05 16:45:25 +01:00			`App::uses('HttpSocketExtended', 'Tools');`
			`$HttpSocket = new HttpSocketExtended($params);`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`$proxy = Configure::read('Proxy');`
fix: [proxy] Skip_proxy was broken up until now, fixes #5324 - was simply ignored, added the hook for it for the sync tool 2019-11-08 10:06:44 +01:00			`if (empty($params['skip_proxy']) && isset($proxy['host']) && !empty($proxy['host'])) {`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`$HttpSocket->configProxy($proxy['host'], $proxy['port'], $proxy['method'], $proxy['user'], $proxy['password']);`
			`}`
			`return $HttpSocket;`
			`}`
new: [sync] Show client certificate info in connection test 2020-10-16 17:34:55 +02:00
			`/**`
			`* @param array $server`
			`* @return array\|void`
			`* @throws Exception`
			`*/`
			`public static function getServerClientCertificateInfo(array $server)`
			`{`
			`if (!$server['Server']['client_cert_file']) {`
			`return;`
			`}`

			`$clientCertificate = new File(APP . "files" . DS . "certs" . DS . $server['Server']['id'] . '_client.pem');`
			`if (!$clientCertificate->exists()) {`
			`throw new Exception("Certificate file '{$clientCertificate->pwd()}' doesn't exists.");`
			`}`

			`$certificateContent = $clientCertificate->read();`
			`if ($certificateContent === false) {`
			`throw new Exception("Could not read '{$clientCertificate->pwd()}' file with client certificate.");`
			`}`

			`return self::getClientCertificateInfo($certificateContent);`
			`}`

new: [security] Security audit 2020-12-11 08:54:40 +01:00			`/**`
			`* @param array $server`
			`* @return array\|void`
			`* @throws Exception`
			`*/`
			`public static function getServerCaCertificateInfo(array $server)`
			`{`
			`if (!$server['Server']['cert_file']) {`
			`return;`
			`}`

			`$caCertificate = new File(APP . "files" . DS . "certs" . DS . $server['Server']['id'] . '.pem');`
			`if (!$caCertificate->exists()) {`
			`throw new Exception("Certificate file '{$caCertificate->pwd()}' doesn't exists.");`
			`}`

			`$certificateContent = $caCertificate->read();`
			`if ($certificateContent === false) {`
			`throw new Exception("Could not read '{$caCertificate->pwd()}' file with certificate.");`
			`}`

			`$certificate = openssl_x509_read($certificateContent);`
			`if (!$certificate) {`
			`throw new Exception("Couldn't read certificate: " . openssl_error_string());`
			`}`

			`return self::parseCertificate($certificate);`
			`}`

new: [sync] Show client certificate info in connection test 2020-10-16 17:34:55 +02:00			`/**`
			`* @param string $certificateContent PEM encoded certificate and private key.`
			`* @return array`
			`* @throws Exception`
			`*/`
			`private static function getClientCertificateInfo($certificateContent)`
			`{`
			`$certificate = openssl_x509_read($certificateContent);`
			`if (!$certificate) {`
new: [security] Security audit 2020-12-11 08:54:40 +01:00			`throw new Exception("Couldn't read certificate: " . openssl_error_string());`
new: [sync] Show client certificate info in connection test 2020-10-16 17:34:55 +02:00			`}`
			`$privateKey = openssl_pkey_get_private($certificateContent);`
			`if (!$privateKey) {`
new: [security] Security audit 2020-12-11 08:54:40 +01:00			`throw new Exception("Couldn't get private key from certificate: " . openssl_error_string());`
new: [sync] Show client certificate info in connection test 2020-10-16 17:34:55 +02:00			`}`
			`$verify = openssl_x509_check_private_key($certificate, $privateKey);`
			`if (!$verify) {`
			`throw new Exception('Public and private key do not match.');`
			`}`
			`return self::parseCertificate($certificate);`
			`}`

			`/**`
			`* @param mixed $certificate`
			`* @return array`
			`* @throws Exception`
			`*/`
			`private static function parseCertificate($certificate)`
			`{`
			`$parsed = openssl_x509_parse($certificate);`
			`if (!$parsed) {`
new: [security] Security audit 2020-12-11 08:54:40 +01:00			`throw new Exception("Couldn't get parse X.509 certificate: " . openssl_error_string());`
new: [sync] Show client certificate info in connection test 2020-10-16 17:34:55 +02:00			`}`
			`$currentTime = new DateTime();`
			`$output = [`
			`'serial_number' => $parsed['serialNumberHex'],`
			`'signature_type' => $parsed['signatureTypeSN'],`
			`'valid_from' => isset($parsed['validFrom_time_t']) ? new DateTime("@{$parsed['validFrom_time_t']}") : null,`
			`'valid_to' => isset($parsed['validTo_time_t']) ? new DateTime("@{$parsed['validTo_time_t']}") : null,`
			`'public_key_size' => null,`
			`'public_key_type' => null,`
			`'public_key_size_ok' => null,`
			`];`

			`$output['valid_from_ok'] = $output['valid_from'] ? ($output['valid_from'] <= $currentTime) : null;`
			`$output['valid_to_ok'] = $output['valid_to'] ? ($output['valid_to'] >= $currentTime) : null;`

			`$subject = [];`
			`foreach ($parsed['subject'] as $type => $value) {`
			`$subject[] = "$type=$value";`
			`}`
			`$output['subject'] = implode(', ', $subject);`

			`$issuer = [];`
			`foreach ($parsed['issuer'] as $type => $value) {`
			`$issuer[] = "$type=$value";`
			`}`
			`$output['issuer'] = implode(', ', $issuer);`

			`$publicKey = openssl_pkey_get_public($certificate);`
			`if ($publicKey) {`
			`$publicKeyDetails = openssl_pkey_get_details($publicKey);`
			`if ($publicKeyDetails) {`
			`$output['public_key_size'] = $publicKeyDetails['bits'];`
			`switch ($publicKeyDetails['type']) {`
			`case OPENSSL_KEYTYPE_RSA:`
			`$output['public_key_type'] = 'RSA';`
			`$output['public_key_size_ok'] = $output['public_key_size'] >= 2048;`
			`break;`
			`case OPENSSL_KEYTYPE_DSA:`
			`$output['public_key_type'] = 'DSA';`
			`$output['public_key_size_ok'] = $output['public_key_size'] >= 2048;`
			`break;`
			`case OPENSSL_KEYTYPE_DH:`
			`$output['public_key_type'] = 'DH';`
			`break;`
			`case OPENSSL_KEYTYPE_EC:`
			`$output['public_key_type'] = "EC ({$publicKeyDetails['ec']['curve_name']})";`
			`$output['public_key_size_ok'] = $output['public_key_size'] >= 224;`
			`break;`
			`}`
			`}`
			`}`

			`return $output;`
			`}`
SSL certificate changes - you can now upload a certificate file and allow a server link to use a provided self signed certificate. This should solve the issues that some organisations are having when trying to connect their instances 2014-01-16 08:47:25 +01:00			`}`