etc: remove ssl config and revert weird type changes

Also update the certificate generation process and put in our info. :)

etc: remove ssl config and revert weird type changes
Also update the certificate generation process and put in our info. :)
15482489 · Franco Fichtner · 17c0885c · 17c0885c · 15482489 · 15482489
Commit 15482489 authored Dec 09, 2014 by Franco Fichtner
Showing with 17 additions and 360 deletions

openssl.cnf etc/ssl/openssl.cnf +0 -309

certs.inc usr/local/etc/inc/certs.inc +3 -16

system.inc usr/local/etc/inc/system.inc +11 -6

system_certmanager.php usr/local/www/system_certmanager.php +3 -29

No files found.
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
-# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-#
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME                    = .
-RANDFILE                = $ENV::HOME/.rnd
-# default SAN value if $ENV::SAN is not defined
-#
-SAN                     =
-# Extra OBJECT IDENTIFIER info:
-#oid_file               = $ENV::HOME/.oid
-oid_section             = new_oids
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions            =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-[ new_oids ]
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-####################################################################
-[ CA_default ]
-dir             = ./demoCA              # Where everything is kept
-certs           = $dir/certs            # Where the issued certs are kept
-crl_dir         = $dir/crl              # Where the issued crl are kept
-database        = $dir/index.txt        # database index file.
-#unique_subject = no                    # Set to 'no' to allow creation of
-                                        # several ctificates with same subject.
-new_certs_dir   = $dir/newcerts         # default place for new certs.
-certificate     = $dir/cacert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-#crlnumber      = $dir/crlnumber        # the current crl number
-                                        # must be commented out to leave a V1 CRL
-crl             = $dir/crl.pem          # The current CRL
-private_key     = $dir/private/cakey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-x509_extensions = usr_cert              # The extentions to add to the cert
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt        = ca_default            # Subject Name options
-cert_opt        = ca_default            # Certificate field options
-# Extension copying option: use with caution.
-# copy_extensions = copy
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions        = crl_ext
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
-default_md      = md5                   # which md to use.
-preserve        = no                    # keep passed DN ordering
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy          = policy_match
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-####################################################################
-[ req ]
-distinguished_name=req_distinguished_name
-req_extensions = v3_req
-prompt=no
-default_bits            = 2048
-default_keyfile         = privkey.pem
-distinguished_name      = req_distinguished_name
-attributes              = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-# Passwords for private keys if not present they will be prompted for
-#input_password=""
-#output_password=""
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix   : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-# req_extensions = v3_req # The extensions to add to a certificate request
-[ req_distinguished_name ]
-countryName                     = US
-#countryName_default            = AU
-#countryName_min                        = 2
-#countryName_max                        = 2
-stateOrProvinceName             = Somewhere
-#stateOrProvinceName_default    = Somestate
-localityName                    = Somecity
-0.organizationName              = CompanyName
-#0.organizationName_default     = SampleNameDefault
-# we can do this but it is not needed normally :-)
-#1.organizationName             = Second Organization Name (eg, company)
-#1.organizationName_default     = World Wide Web Pty Ltd
-organizationalUnitName          = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-commonName                      = Common Name (eg, YOUR name)
-#commonName_max                 = 64
-emailAddress                    = Email Address
-#emailAddress_max               = 64
-# SET-ex3                       = SET extension number 3
-[ req_attributes ]
-challengePassword               = A challenge password
-#challengePassword_min          = 4
-#challengePassword_max          = 20
-unstructuredName                = An optional company name
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType                    = server
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-# For normal client use this is typical
-# nsCertType = client, email
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated User Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-# Copy subject details
-# issuerAltName=issuer:copy
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-[ usr_cert_san ]
-# copy of [ usr_cert ] plus nonempty Subject Alternative Names
-basicConstraints=CA:FALSE
-nsComment                       = "OpenSSL Generated User Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-subjectAltName=$ENV::SAN
-[ server ]
-# Make a cert with nsCertType=server
-basicConstraints=CA:FALSE
-nsCertType			= server
-nsComment			= "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
-keyUsage = digitalSignature, keyEncipherment
-[ server_san ]
-# copy of [ server ] plus nonempty Subject Alternative Names
-basicConstraints=CA:FALSE
-nsCertType			= server
-nsComment			= "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName=$ENV::SAN
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-[ v3_ca ]
-# Extensions for a typical CA
-# PKIX recommendation.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-# Some might want this also
-# nsCertType = sslCA, emailCA
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-[ v3_ca_san ]
-# copy of [ v3_ca ] plus nonempty Subject Alternative Names
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
-subjectAltName=$ENV::SAN
-[ crl_ext ]
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
--- a/usr/local/etc/inc/certs.inc
+++ b/usr/local/etc/inc/certs.inc
 <?php
-/* $Id$ */
 /*
 	Copyright (C) 2008 Shrew Soft Inc
 	Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
@@ -268,7 +268,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
 	return true;
 }
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
 	$ca =& lookup_ca($caref);
 	if (!$ca)
@@ -281,18 +281,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 	if(!$ca_res_key) return false;
 	$ca_serial = ++$ca['serial'];
-	switch ($type) {
-		case "ca":
-			$cert_type = "v3_ca";
-			break;
-		case "server":
-			$cert_type = "server";
-			break;
-		default:
-			$cert_type = "usr_cert";
-			break;
-	}
 	// in case of using Subject Alternative Names use other sections (with postfix '_san')
 	// pass subjectAltName over environment variable 'SAN'
 	if ($dn['subjectAltName']) {
@@ -302,7 +290,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 	}
 	$args = array(
-		"x509_extensions" => $cert_type,
+		"x509_extensions" => "usr_cert",
 		"digest_alg" => $digest_alg,
 		"private_key_bits" => (int)$keylen,
 		"private_key_type" => OPENSSL_KEYTYPE_RSA,
@@ -330,7 +318,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 	$cert['caref'] = $caref;
 	$cert['crt'] = base64_encode($str_crt);
 	$cert['prv'] = base64_encode($str_key);
-	$cert['type'] = $type;
 	return true;
 }

--- a/usr/local/etc/inc/system.inc
+++ b/usr/local/etc/inc/system.inc
@@ -862,12 +862,17 @@ function system_webgui_start() {
 			$cert = array();
 			$cert['refid'] = uniqid();
 			$cert['descr'] = gettext("webConfigurator default");
-			mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
+			/* mind the gap ->.<- */
-			mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
+			$openssl_args  = ' req -new -newkey rsa:4096 -sha256';
-			$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
+			$openssl_args .= ' -days 365 -nodes -x509';
-			$key = file_get_contents("{$g['tmp_path']}/ssl.key");
+			$openssl_args .= ' -subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense"';
-			unlink("{$g['tmp_path']}/ssl.key");
+			$openssl_args .= ' -keyout /tmp/ssl.key';
-			unlink("{$g['tmp_path']}/ssl.crt");
+			$openssl_args .= ' -out /tmp/ssl.crt';
+			mwexec('/usr/bin/openssl' . $openssl_args);
+			$crt = file_get_contents('/tmp/ssl.crt');
+			$key = file_get_contents('/tmp/ssl.key');
+			unlink('/tmp/ssl.key');
+			unlink('/tmp/ssl.crt');
 			cert_import($cert, $crt, $key);
 			$a_cert[] = $cert;
 			$config['system']['webgui']['ssl-certref'] = $cert['refid'];

--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
 <?php
-/*
-    system_certmanager.php
+/*
    Copyright (C) 2008 Shrew Soft Inc.
    All rights reserved.
@@ -47,9 +46,6 @@ $cert_methods = array(
 );
 $cert_keylens = array( "512", "1024", "2048", "4096");
-$cert_types = array(	"ca" => "Certificate Authority",
-			"server" => "Server Certificate",
-			"user" => "User Certificate");
 $altname_types = array("DNS", "IP", "email", "URI");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
@@ -113,7 +109,6 @@ if ($act == "new") {
 	$pconfig['digest_alg'] = "sha256";
 	$pconfig['csr_keylen'] = "2048";
 	$pconfig['csr_digest_alg'] = "sha256";
-	$pconfig['type'] = "user";
 	$pconfig['lifetime'] = "3650";
 }
@@ -211,13 +206,12 @@ if ($_POST) {
 		if ($pconfig['method'] == "internal") {
 			$reqdfields = explode(" ",
-					"descr caref keylen type lifetime dn_country dn_state dn_city ".
+					"descr caref keylen lifetime dn_country dn_state dn_city ".
 					"dn_organization dn_email dn_commonname");
 			$reqdfieldsn = array(
 					gettext("Descriptive name"),
 					gettext("Certificate authority"),
 					gettext("Key length"),
-					gettext("Certificate Type"),
 					gettext("Lifetime"),
 					gettext("Distinguished name Country Code"),
 					gettext("Distinguished name State or Province"),
@@ -359,7 +353,7 @@ if ($_POST) {
 						$dn['subjectAltName'] = implode(",", $altnames_tmp);
 					}
 					if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
-						$pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
+						$pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
 						while($ssl_err = openssl_error_string()){
 							$input_errors = array();
 							array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -722,23 +716,6 @@ function internalca_change() {
 								<br /><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
 							</td>
 						</tr>
-						<tr>
-							<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
-							<td width="78%" class="vtable">
-								<select name='type' class="formselect">
-								<?php
-									foreach( $cert_types as $ct => $ctdesc ):
-									$selected = "";
-									if ($pconfig['type'] == $ct)
-										$selected = " selected=\"selected\"";
-								?>
-									<option value="<?=$ct;?>"<?=$selected;?>><?=$ctdesc;?></option>
-								<?php endforeach; ?>
-								</select>
-								<br />
-								<?=gettext("Type of certificate to generate. Used for placing restrictions on the usage of the generated certificate.");?>
-							</td>
-						</tr>
 						<tr>
 							<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
 							<td width="78%" class="vtable">
@@ -1134,9 +1111,6 @@ function internalca_change() {
 									</td>
 								</tr>
 								<tr><td>&nbsp;</td></tr>
-								<?php if ($cert['type']): ?>
-								<tr><td colspan="2"><em><?php echo $cert_types[$cert['type']]; ?></em></td></tr>
-								<?php endif; ?>
 								<?php if (is_array($purpose)): ?>
 								<tr><td colspan="2">
 									CA: <?php echo $purpose['ca']; ?>,