import org.cacert.gigi.pages.account.domain.DomainOverview;
import org.cacert.gigi.pages.account.mail.MailOverview;
import org.cacert.gigi.pages.admin.TTPAdminPage;
+import org.cacert.gigi.pages.admin.support.FindCertPage;
import org.cacert.gigi.pages.admin.support.FindUserByDomainPage;
import org.cacert.gigi.pages.admin.support.FindUserByEmailPage;
import org.cacert.gigi.pages.admin.support.SupportEnterTicketPage;
putPage("/secure", new TestSecure(), null);
putPage(Verify.PATH, new Verify(), null);
- putPage(Certificates.PATH + "/*", new Certificates(), "Certificates");
+ putPage(Certificates.PATH + "/*", new Certificates(false), "Certificates");
putPage(RegisterPage.PATH, new RegisterPage(), "SomeCA.org");
putPage(CertificateAdd.PATH, new CertificateAdd(), "Certificates");
putPage(MailOverview.DEFAULT_PATH, new MailOverview(), "Certificates");
putPage(SupportEnterTicketPage.PATH, new SupportEnterTicketPage(), "Support Console");
putPage(FindUserByEmailPage.PATH, new FindUserByEmailPage(), "Support Console");
putPage(FindUserByDomainPage.PATH, new FindUserByDomainPage(), "Support Console");
+ putPage(FindCertPage.PATH, new FindCertPage(), "Support Console");
putPage(SupportUserDetailsPage.PATH + "*", new SupportUserDetailsPage(), null);
putPage(ChangePasswordPage.PATH, new ChangePasswordPage(), "My Account");
putPage(MyDetails.PATH, new MyDetails(), "My Account");
putPage(UserTrainings.SUPPORT_PATH, new UserTrainings(true), null);
putPage(Points.SUPPORT_PATH, new Points(true), null);
+ putPage(Certificates.SUPPORT_PATH + "/*", new Certificates(true), null);
putPage(PasswordResetPage.PATH, new PasswordResetPage(), null);
putPage(LogoutPage.PATH, new LogoutPage(), null);
return res.next();
}
}
+
+ public static Certificate[] findBySerialPattern(String serial) {
+ try (GigiPreparedStatement prep = new GigiPreparedStatement("SELECT `id` FROM `certs` WHERE `serial` LIKE ? GROUP BY `id` LIMIT 100", true)) {
+ prep.setString(1, serial);
+ return fetchCertsToArray(prep);
+ }
+ }
+
+ public static Certificate[] findBySANPattern(String request, SANType type) {
+ try (GigiPreparedStatement prep = new GigiPreparedStatement("SELECT `certId` FROM `subjectAlternativeNames` WHERE `contents` LIKE ? and `type`=?::`SANType` GROUP BY `certId` LIMIT 100", true)) {
+ prep.setString(1, request);
+ prep.setString(2, type.getOpensslName());
+ return fetchCertsToArray(prep);
+ }
+ }
+
+ private static Certificate[] fetchCertsToArray(GigiPreparedStatement prep) {
+ GigiResultSet res = prep.executeQuery();
+ res.last();
+ Certificate[] certs = new Certificate[res.getRow()];
+ res.beforeFirst();
+ for (int i = 0; res.next(); i++) {
+ certs[i] = Certificate.getById(res.getInt(1));
+ }
+ return certs;
+ }
}
}
}
+ public void revokeCertificate(Certificate cert) throws GigiApiException {
+
+ // TODO Check for open jobs!
+ if (cert.getStatus() == CertificateStatus.ISSUED) {
+ writeSELog("SE Revoke certificate");
+ cert.revoke().waitFor(60000);
+ }
+ }
+
private void writeSELog(String type) throws GigiApiException {
if (ticket == null) {
throw new GigiApiException("No ticket set!");
--- /dev/null
+package org.cacert.gigi.output;
+
+import java.util.Map;
+
+import org.cacert.gigi.dbObjects.CACertificate;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.IterableDataset;
+
+public class TrustchainIterable implements IterableDataset {
+
+ CACertificate cert;
+
+ public TrustchainIterable(CACertificate cert) {
+ this.cert = cert;
+ }
+
+ @Override
+ public boolean next(Language l, Map<String, Object> vars) {
+ if (cert == null) {
+ return false;
+ }
+ vars.put("name", cert.getKeyname());
+ vars.put("link", cert.getLink());
+ if (cert.isSelfsigned()) {
+ cert = null;
+ return true;
+ }
+ cert = cert.getParent();
+ return true;
+ }
+}
-<a href='<?=$serial?>.crt'><?=_PEM encoded Certificate?></a>
-<? foreach($trustchain) { ?>
- <?=_issued by?> <a href='<?=$link?>'><?=$name?></a>
-<? } ?><br/>
-<a href='<?=$serial?>.crt?chain'><?=_PEM encoded Certificate Cain?></a><br/>
-<a href='<?=$serial?>.crt?chain&noAnchor'><?=_PEM encoded Certificate Cain (Excluding Anchor)?></a><br/>
-<a href='<?=$serial?>.cer'><?=_DER encoded Certificate?></a><br/>
-<a href='<?=$serial?>.cer?install&chain'><?=_Install into browser.?></a><br/>
-<a href='<?=$serial?>.cer?install'><?=_Install into browser. (Chrome)?></a>. <?=_Please ensure that the intermediate certificates listed above are installed prior to installing the certificate.?><br/>
-<pre>
-<?=$cert?>
-</pre>
+<table>
+<? if($support) {?>
+
+ <tr>
+ <th colspan="2"><?=_Support Info?>:</th>
+ </tr>
+
+ <tr>
+ <td><?=$type?>:</td>
+ <td><a href="<?=$link?>"><?=$name?></a></td>
+ </tr>
+<? } ?>
+
+
+ <tr>
+ <th colspan="2"><?=_X.509 Info?>:</th>
+ </tr>
+
+ <tr>
+ <td><?=_Profile?>:</td>
+ <td><?=$profile?></td>
+ </tr
+
+ <tr>
+ <td><?=_Serial Number?>:</td>
+ <td><?=$serial?></td>
+ </tr
+
+<? if($support) {?>
+ <tr>
+ <td><?=_Trustchain?>:</td>
+ <td>
+ <? foreach($trustchain) { ?>
+ <?=_issued by?> <code><?=$name?></code>
+ <? } ?>
+ </td>
+ </tr>
+<? } else { ?>
+ <tr>
+ <td valign="top"><?=_Certificate and Chain?>:</td>
+ <td>
+ <a href='<?=$serial?>.crt'><?=_PEM encoded Certificate?></a>
+ <? foreach($trustchain) { ?>
+ <?=_issued by?> <a href='<?=$link?>'><?=$name?></a>
+ <? } ?><br/>
+ <a href='<?=$serial?>.crt?chain'><?=_PEM encoded Certificate Chain?></a><br/>
+ <a href='<?=$serial?>.crt?chain&noAnchor'><?=_PEM encoded Certificate Chain (Excluding Anchor)?></a><br/>
+ <a href='<?=$serial?>.cer'><?=_DER encoded Certificate?></a><br/>
+ <a href='<?=$serial?>.cer?install&chain'><?=_Install into browser.?></a><br/>
+ <a href='<?=$serial?>.cer?install'><?=_Install into browser. (Chrome)?></a>. <?=_Please ensure that the intermediate certificates listed above are installed prior to installing the certificate.?><br/>
+ </td>
+ </tr>
+<? } ?>
+
+ <tr>
+ <th colspan="2"><?=_Validity?>:</th>
+ </tr>
+
+ <tr>
+ <td><?=_Status?>:</td>
+ <td><?=$status?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Issue Date?>:</td>
+ <td><?=$issued?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Expire Date?>:</td>
+ <td><?=$expire?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Revocation Date?>:</td>
+ <td><?=$revoked?></td>
+ </tr>
+
+ <tr>
+ <th colspan="2"><?=_Certificate Info?>:</th>
+ </tr>
+
+ <tr>
+ <td><?=_Fingerprint?>:</td>
+ <td><?=$fingerprint?></td>
+ </tr>
+
+ <tr>
+ <td valign="top"><?=_Certificate (PEM)?>:</td>
+ <td><pre><?=$cert?></pre></td>
+ </tr>
+
+ <tr>
+ <th colspan="2"><?=_Certificate Details?>:</th>
+ </tr>
+
+ <tr>
+ <td><?=_Login enabled?>:</td>
+ <td><?=$login?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Digest?>:</td>
+ <td><?=$digest?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Distinguished Name (DN)?>:</td>
+ <td><?=$DN?></td>
+ </tr>
+
+ <tr>
+ <td><?=_Subject Alternative Names (SAN)?>:</td>
+ <td>
+ <? foreach($san) { ?>
+ <?=$entry?>
+ <? } ?>
+ </td>
+ </tr>
+
+</table>
+<? if($revokeForm) {?>
+<?=$revokeForm?>
+<? } ?>
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.cacert.gigi.dbObjects.CACertificate;
import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.dbObjects.SupportedUser;
+import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.TrustchainIterable;
import org.cacert.gigi.output.template.Form;
import org.cacert.gigi.output.template.IterableDataset;
import org.cacert.gigi.output.template.Template;
import org.cacert.gigi.pages.HandlesMixedRequest;
import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.AuthorizationContext;
import org.cacert.gigi.util.CertExporter;
import org.cacert.gigi.util.PEM;
public static final String PATH = "/account/certs";
- static class TrustchainIterable implements IterableDataset {
+ public static final String SUPPORT_PATH = "/support/certs";
- CACertificate cert;
+ private final boolean support;
- public TrustchainIterable(CACertificate cert) {
- this.cert = cert;
- }
-
- @Override
- public boolean next(Language l, Map<String, Object> vars) {
- if (cert == null) {
- return false;
- }
- vars.put("name", cert.getKeyname());
- vars.put("link", cert.getLink());
- if (cert.isSelfsigned()) {
- cert = null;
- return true;
- }
- cert = cert.getParent();
- return true;
- }
-
- }
-
- public Certificates() {
- super("Certificates");
+ public Certificates(boolean support) {
+ super(support ? "Support Certificates" : "Certificates");
+ this.support = support;
}
@Override
if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
return;// Block actions by get parameters.
}
+ if (support && "revoke".equals(req.getParameter("action"))) {
+ if (Form.getForm(req, RevokeSingleCertForm.class).submitProtected(resp.getWriter(), req)) {
+ resp.sendRedirect(req.getPathInfo());
+ return;
+ }
+ }
if ( !req.getPathInfo().equals(PATH)) {
resp.sendError(500);
return;
}
Form.getForm(req, CertificateModificationForm.class).submit(resp.getWriter(), req);
+
doGet(req, resp);
}
String serial = pi;
Certificate c = Certificate.getBySerial(serial);
- if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
+ Language l = LoginPage.getLanguage(req);
+
+ if ( !support && (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
resp.sendError(404);
return;
}
HashMap<String, Object> vars = new HashMap<>();
vars.put("serial", URLEncoder.encode(serial, "UTF-8"));
- vars.put("trustchain", new TrustchainIterable(c.getParent()));
+
+ CertificateStatus st = c.getStatus();
+
+ if (support) {
+ vars.put("support", "support");
+ CertificateOwner user = c.getOwner();
+ if (st == CertificateStatus.ISSUED) {
+ if (user instanceof User) {
+ vars.put("revokeForm", new RevokeSingleCertForm(req, c, new SupportedUser((User) user, getUser(req), LoginPage.getAuthorizationContext(req).getSupporterTicketId())));
+ }
+ }
+ }
+
+ CertificateOwner co = c.getOwner();
+ int ownerId = co.getId();
+ vars.put("certid", c.getStatus());
+ if (co instanceof Organisation) {
+ vars.put("type", l.getTranslation("Organisation Acount"));
+ vars.put("name", Organisation.getById(ownerId).getName());
+ vars.put("link", ""); // TODO
+ } else {
+ vars.put("type", l.getTranslation("Personal Account"));
+ vars.put("name", User.getById(ownerId).getPreferredName());
+ vars.put("link", "/support/user/" + ownerId + "/");
+ }
+ vars.put("status", c.getStatus());
+ vars.put("DN", c.getDistinguishedName());
+ vars.put("digest", c.getMessageDigest());
+ vars.put("profile", c.getProfile().getVisibleName());
+ vars.put("fingerprint", "TBD"); // TODO function needs to be
+ // implemented in Certificate.java
try {
- vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
+
+ if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
+ X509Certificate certx = c.cert();
+ vars.put("issued", certx.getNotBefore());
+ vars.put("expire", certx.getNotAfter());
+ vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
+ } else {
+ vars.put("issued", l.getTranslation("N/A"));
+ vars.put("expire", l.getTranslation("N/A"));
+ vars.put("cert", l.getTranslation("N/A"));
+ }
+ if (st == CertificateStatus.REVOKED) {
+ vars.put("revoked", c.getRevocationDate());
+ } else {
+ vars.put("revoked", l.getTranslation("N/A"));
+ }
+ if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
+ vars.put("trustchain", new TrustchainIterable(c.getParent()));
+ try {
+ vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
+ } catch (GeneralSecurityException e) {
+ e.printStackTrace();
+ }
+ } else {
+ vars.put("trustchain", l.getTranslation("N/A"));
+ vars.put("cert", l.getTranslation("N/A"));
+ }
+ final List<SubjectAlternateName> san = c.getSANs();
+ vars.put("san", new IterableDataset() {
+
+ int j = 0;
+
+ @Override
+ public boolean next(Language l, Map<String, Object> vars) {
+ if (j == san.size()) {
+ return false;
+ }
+ vars.put("entry", san.get(j).getName() + (j < san.size() - 1 ? ", " : ""));
+ j++;
+ return true;
+ }
+ });
+ if (c.isLoginEnabled()) {
+ vars.put("login", l.getTranslation("Yes"));
+ } else {
+ vars.put("login", l.getTranslation("No"));
+ }
} catch (GeneralSecurityException e) {
e.printStackTrace();
}
new CertificateModificationForm(req, req.getParameter("withRevoked") != null).output(out, getLanguage(req), vars);
}
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ if (ac == null) {
+ return false;
+ }
+ if (support) {
+ return ac.canSupport();
+ } else {
+ return true;
+ }
+ }
}
--- /dev/null
+package org.cacert.gigi.pages.account.certs;
+
+import java.io.PrintWriter;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.SupportedUser;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.Template;
+
+public class RevokeSingleCertForm extends Form {
+
+ private static final Template t = new Template(RevokeSingleCertForm.class.getResource("RevokeSingleCertForm.templ"));
+
+ private Certificate c;
+
+ private SupportedUser target;
+
+ public RevokeSingleCertForm(HttpServletRequest hsr, Certificate c, SupportedUser target) {
+ super(hsr);
+ this.c = c;
+ this.target = target;
+ }
+
+ @Override
+ public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+ if (target != null) {
+ target.revokeCertificate(c);
+ } else {
+ c.revoke().waitFor(60000);
+ }
+ return true;
+ }
+
+ @Override
+ protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
+ t.output(out, l, vars);
+ }
+
+}
--- /dev/null
+<button class="btn btn-danger" type="submit" name="action" value="revoke"><?=_Revoke Certificate?></button>
--- /dev/null
+package org.cacert.gigi.pages.admin.support;
+
+import java.io.PrintWriter;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.SANType;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.SprintfCommand;
+import org.cacert.gigi.output.template.Template;
+
+public class FindCertForm extends Form {
+
+ private static final Template t = new Template(FindCertForm.class.getResource("FindCertForm.templ"));
+
+ private final String SERIAL = "serial";
+
+ private String certType = SERIAL;
+
+ public Certificate certs[];
+
+ public FindCertForm(HttpServletRequest hsr) {
+ super(hsr);
+ }
+
+ @Override
+ public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+ this.certType = req.getParameter("certType");
+ String request = req.getParameter("cert").trim();
+
+ if ( !SERIAL.equals(certType) && !SANType.EMAIL.getOpensslName().equals(certType) && !SANType.DNS.getOpensslName().equals(certType)) {
+ throw new GigiApiException("Invalid search type.");
+ }
+
+ if (SERIAL.equals(certType)) {
+ certs = Certificate.findBySerialPattern(request);
+ if (certs.length <= 0) {
+ throw new GigiApiException(SprintfCommand.createSimple("No certificate found matching serial number {0}", request));
+ }
+ }
+
+ if (SANType.EMAIL.getOpensslName().equals(certType) || SANType.DNS.getOpensslName().equals(certType)) {
+ SANType stype = SANType.valueOf(certType.toUpperCase());
+ certs = Certificate.findBySANPattern(request, stype);
+ if (certs.length <= 0) {
+ throw new GigiApiException(SprintfCommand.createSimple("No certificate found matching {0}", request));
+ }
+ }
+ return true;
+ }
+
+ @Override
+ protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
+ vars.put("serial", !SERIAL.equals(certType) ? "" : "checked");
+ vars.put("email", !SANType.EMAIL.getOpensslName().equals(certType) ? "" : "checked");
+ vars.put("dns", !SANType.DNS.getOpensslName().equals(certType) ? "" : "checked");
+
+ t.output(out, l, vars);
+ }
+
+ public Certificate[] getCerts() {
+ return certs;
+ }
+
+}
--- /dev/null
+<table class="table">
+ <tbody><tr>
+ <th colspan="2"><?=_Find Certificate?></th>
+ </tr>
+
+ <tr>
+ <td><?=_Search for?>:</td>
+ <td>
+ <input type="radio" name="certType" value="serial" <?=$serial?>> <?=_Serial Number?></input>
+ <input type="radio" name="certType" value="email" <?=$email?>> <?=_Email Address?></input>
+ <input type="radio" name="certType" value="DNS" <?=$dns?>> <?=_Domain?></input>
+ </td>
+ </tr>
+
+ <tr>
+ <td><?=_Data?>:</td>
+ <td><input class="form-control" name="cert" value="" size="30" title="<?=_use % as wildcard?>" placeholder="<?=_use % as wildcard?>" type="text" required/></td>
+ </tr>
+
+ <tr>
+ <td colspan="2"><input class="btn btn-primary" name="process" value="<?=_Next?>" type="submit"/></td>
+ </tr>
+</tbody></table>
\ No newline at end of file
--- /dev/null
+package org.cacert.gigi.pages.admin.support;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.ArrayIterable;
+import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.IterableDataset;
+import org.cacert.gigi.output.template.SprintfCommand;
+import org.cacert.gigi.pages.LoginPage;
+import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.pages.account.certs.Certificates;
+import org.cacert.gigi.util.AuthorizationContext;
+
+public class FindCertPage extends Page {
+
+ public static final String PATH = "/support/find/certs";
+
+ public FindCertPage() {
+ super("Find Certificate");
+ }
+
+ @Override
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ new FindCertForm(req).output(resp.getWriter(), Page.getLanguage(req), new HashMap<String, Object>());
+ }
+
+ @Override
+ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ FindCertForm form = Form.getForm(req, FindCertForm.class);
+ if (form.submitProtected(resp.getWriter(), req)) {
+ final Certificate[] certs = form.getCerts();
+ if (certs.length == 1) {
+ resp.sendRedirect(Certificates.SUPPORT_PATH + certs[0].getSerial() + "/");
+ } else {
+ HashMap<String, Object> vars = new HashMap<String, Object>();
+ Language l = LoginPage.getLanguage(req);
+ if (certs.length >= 100) {
+ vars.put("limit", l.getTranslation("100 or more entries available, only the first 100 are displayed."));
+ } else {
+ vars.put("limit", SprintfCommand.createSimple("{0} entries found", certs.length));
+ }
+ vars.put("certtable", new ArrayIterable<Certificate>(certs) {
+
+ @Override
+ public void apply(Certificate t, Language l, Map<String, Object> vars) {
+ vars.put("id", t.getId());
+ vars.put("serial", t.getSerial());
+
+ final List<SubjectAlternateName> san = t.getSANs();
+ vars.put("san", new IterableDataset() {
+
+ int j = 0;
+
+ @Override
+ public boolean next(Language l, Map<String, Object> vars) {
+ if (j == san.size()) {
+ return false;
+ }
+ vars.put("entry", san.get(j).getName() + (j < san.size() - 1 ? ", " : ""));
+ j++;
+ return true;
+ }
+
+ });
+ }
+ });
+ getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
+ }
+ }
+ }
+
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ return ac != null && ac.canSupport();
+ }
+}
--- /dev/null
+<p><?=_Multiple certificates?>: <?=$limit?></p>
+<table class="table">
+<tr>
+<th>Id</th><th><?=_Serial number?></th><th><?=_SAN?></th></tr>
+<? foreach($certtable) {?>
+ <tr>
+ <td><a href="/support/certs/<?=$serial?>"><?=$id?></a></td>
+ <td><a href="/support/certs/<?=$serial?>"><?=$serial?></a></td>
+ <td>
+ <? foreach($san) {?>
+ <?=$entry?>
+ <? } ?>
+ </td>
+ </tr>
+<? } ?>
+</table>