<?php

/* CONFIG VARS */
$CRLURINEW_PATH = "/var/lib/3gates/crlurinew";
$CRLURI_PATH  = "/var/lib/3gates/crluri";
$CRL_PATH     = "/var/lib/3gates/crl";
$OPENSSL_PATH = "/usr/bin/openssl";

/* function crgt_certgate() return values */
define("CRGT_TRUE",  0);
define("CRGT_FALSE", 1);
define("CRGT_RETRY", 2);


/*
 * NAME
 *   string crgt_ret2str(er)
 * 
 * DESCRIPTION
 *   convert the return value of crgt_certgate() to a string   
 *
 *   er - value returned by crgt_certgate()
 *
 * RETURN
 *   Return a string description of the returned value of crgt_certgate() function, "value unknown" 
 *   elseXXX.
 *
 */
function crgt_ret2str($er)
{
  switch ($er) {
  case CRGT_TRUE:
    $ret = "CRGT_TRUE";
    break;
  case CRGT_FALSE:
    $ret = "CRGT_FALSE";
    break;
  case CRGT_RETRY:
    $ret = "CRGT_RETRY";
    break;
  default:
    $ret = "value unknown";
    break;
  }
  
  return ($ret);
}

/*
 * NAME
 *   lock_handle crgt_lock(mode)
 * 
 * DESCRIPTION
 *   lock the shared dir where cooperate with certgate python script
 *
 *   mode - LOCK_SH or LOCK_EX - to share as a reader or a writer
 *
 * RETURN
 *   Return a handle to lock the locked file, FALSE elseXXX.
 *
 */

class crgt_lock {
    var $fp;
    var $lck;

    function crgt_lock () {        
        $fp  = FALSE;
        $lck = FALSE;
    }

    function lock($mode)
    {
        GLOBAL $CRLURINEW_PATH;
        
        $umask_old = umask(002);
        if (($this->fp = fopen($CRLURINEW_PATH."/certgate.lck", "w+")) == FALSE) {
            echo "LOCK FALSE";
            return (FALSE);
        }
        umask($umask_old);
        $lck = flock($this->fp, $mode);
        return ($lck);
    }

    function unlock()
    {
        if ($this->lck) {
            flock($this->lck, LOCK_UN);
            $this->lck = FALSE;
        }
        if ($this->fp) {
            fclose($this->fp);
            $this->fp = FALSE;
        }
    }

}


/*
 * NAME
 *   lock_handle crgt_lock(mode)
 * 
 * DESCRIPTION
 *   lock the shared dir where cooperate with certgate python script
 *
 *   mode - LOCK_SH or LOCK_EX - to share as a reader or a writer
 *
 * RETURN
 *   Return a handle to lock the locked file, FALSE elseXXX.
 *
 */
function crgt_lock($mode)
{
  GLOBAL $CRLURINEW_PATH;
  
  $umask_old = umask(002);
  if (($fp = fopen($CRLURINEW_PATH."/certgate.lck", "w+")) == FALSE) {
    umask($umask_old);
    return (FALSE);
  }
  umask($umask_old);
  return (flock($fp, $mode));
}

/*
 * NAME
 *   void crgt_lock(lock_handle)
 * 
 * DESCRIPTION
 *   unlock a previews locked session
 *
 *   lock_handle - the handle of the lock
 *
 */
function crgt_unlock($lck)
{
  flock($lck, LOCK_UN);
  fclose($lck);
}

/*
 * NAME
 *   array &crgt_getcrluri($cert)
 * 
 * DESCRIPTION
 *   get crl URIS from a client certificate
 *
 * RETURN
 *   return an array of URIS (string) or FALSE if an error is occurred
 *
 */
function &crgt_getcrluri($cert)
{
  GLOBAL $OPENSSL_PATH;

  $retarr = array();
  $retarr_n = 0;
  $st = -1;
  $pipes = array();
  
  $descriptorspec = array(
                          0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
                          1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
                          2 => array("pipe", "w")   // stderr is a file to write to
                          );

  
  $process = proc_open($OPENSSL_PATH.' x509 -text -noout', $descriptorspec, $pipes);
  if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt
    
    fwrite($pipes[0], $cert);
    $st = 0;
    while (!feof($pipes[1])) {
      $buffer = fgets($pipes[1], 4096);
      if ($st == 0) {
        if (stristr($buffer, 'CRL Distribution Points')) {
          $st = 1;
        }
      }
      else if ($st == 1) {
        // if (strstr($buffer, 'URI:')) {
        if (eregi('^ *URI:', $buffer)) {
          $retarr[$retarr_n++] = eregi_replace('^ *URI:', '', rtrim($buffer, "\r\n"));
        }
        else if ($buffer != "\n")
          $st = 2;
      }
    }

    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);
  }

  if ($st != 2 || $return_value != 0) 
    return (false);
  else
    return ($retarr);
}

/*
 * NAME
 *   string crgt_crluri2str(crluri)
 * 
 * DESCRIPTION
 *   convert the crluri array to a string
 *
 *   crluri - array of crluri (strings)
 *
 * RETURN
 *   return a string that is the sum of all crluri array entries ('\n' separated)
 *
 */
function crgt_crluri2str($crluri)
{
   $crluri_str = "";

   for ($i = 0 ; $i < count($crluri) ; $i++) 
     $crluri_str .= $crluri[$i]."\n";
   
   return ($crluri_str);
}


/*
 * NAME
 *   string crgt_str2hash(str)
 * 
 * DESCRIPTION
 *   compute the hash of a string
 *
 *   str - string to be hashed
 *
 * RETURN
 *   return the computed hash
 *
 */
function crgt_str2hash($str)
{
   $hash = mhash(MHASH_CRC32, $str);

   return ($hash);
}
    
function crgt_certgate($cert, $onlycheck)
{
  GLOBAL $CRLURI_PATH, $CRLURINEW_PATH, $CRL_PATH;

  $ret = CRGT_FALSE;
  $fp = FALSE;
  $umask_old = -1;

  $crluri = FALSE;
  $lock = new crgt_lock();
  do {
    if (($lock->lock(LOCK_SH)) == FALSE)
      break;
    if (($crluri = crgt_getcrluri($cert)) == FALSE)
      break;

    if (!is_array($crluri))
      break;

    $crluri_str = crgt_crluri2str($crluri);

    $crluri_hash = crgt_str2hash($crluri_str);

    $crluri_file = sprintf("%s/%s.cont", $CRLURI_PATH, bin2hex($crluri_hash));
    $crlurinew_file = sprintf("%s/%s.cont", $CRLURINEW_PATH, bin2hex($crluri_hash));
    $crluri_exists = file_exists($crluri_file);
    $crlurinew_exists = file_exists($crlurinew_file);


    // if crluri file don't exists: 
    if (!$crluri_exists && !$crlurinew_exists) {

      // if onlycheck return false
      if ($onlycheck) 
        break;
      
      // else add it in the list of crluri list
      $lock->unlock();
      
      // lock the dir as writer
      if (($lock->lock(LOCK_EX)) == FALSE)
        break;
      
      $umask_old = umask(002);
      if (($fp = fopen($crlurinew_file, "w")) == FALSE)
        break;
      if (fwrite($fp, $crluri_str) < strlen($crluri_str))
        break;
      $ret = CRGT_RETRY;
      break;
    }

    $crl_file = sprintf("%s/%s.crl", $CRL_PATH, bin2hex($crluri_hash));
    if (($crl_exists = file_exists($crl_file)) == FALSE) {
      $ret = CRGT_RETRY;
      break;
    }

    $ret = CRGT_TRUE;
  } while (0);


  if ($umask_old != -1)
    umask($umask_old);

  if ($fp != FALSE)
    fclose($fp);

  $lock->unlock();

  return ($ret);
}

?>