(legacy) fix uninitialized issues, move single used, remove unused in certs.inc

207b3f70 · Ad Schellevis · 0a8bb42f · 207b3f70 · 207b3f70 · 207b3f70
Commit 207b3f70 authored Jul 09, 2015 by Ad Schellevis
5 changed files
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -84,16 +84,6 @@ function & lookup_cert($refid) {
 	return $false;
 }

-function & lookup_cert_by_name($name) {
-	global $config;
-	$null = null;
-	if (is_array($config['cert']))
-		foreach ($config['cert'] as & $cert)
-			if ($cert['descr'] == $name)
-				return $cert;
-	return $null;
-}
-
 function & lookup_crl($refid) {
 	global $config;
 	$false = false;
@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) {
 }

 function ca_chain(& $cert) {
-	if($cert['caref']) {
+	if(isset($cert['caref'])) {
 		$ca = "";
 		$cas = ca_chain_array($cert);
 		if (is_array($cas))
@@ -140,41 +130,6 @@ function ca_chain(& $cert) {
 	return "";
 }

-function ca_import(& $ca, $str, $key="", $serial=0) {
-	global $config;
-
-	$ca['crt'] = base64_encode($str);
-	if (!empty($key))
-		$ca['prv'] = base64_encode($key);
-	if (!empty($serial))
-		$ca['serial'] = $serial;
-	$subject = cert_get_subject($str, false);
-	$issuer = cert_get_issuer($str, false);
-
-	// Find my issuer unless self-signed
-	if($issuer <> $subject) {
-		$issuer_crt =& lookup_ca_by_subject($issuer);
-		if($issuer_crt)
-			$ca['caref'] = $issuer_crt['refid'];
-	}
-
-	/* Correct if child certificate was loaded first */
-	if (is_array($config['ca']))
-		foreach ($config['ca'] as & $oca)
-		{
-			$issuer = cert_get_issuer($oca['crt']);
-			if($ca['refid']<>$oca['refid'] && $issuer==$subject)
-				$oca['caref'] = $ca['refid'];
-		}
-	if (is_array($config['cert']))
-		foreach ($config['cert'] as & $cert)
-		{
-			$issuer = cert_get_issuer($cert['crt']);
-			if($issuer==$subject)
-				$cert['caref'] = $ca['refid'];
-		}
-	return true;
-}

 function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {

@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
 	return true;
 }

-function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
-	// Create Intermediate Certificate Authority
-	$signing_ca =& lookup_ca($caref);
-	if (!$signing_ca)
-		return false;
-
-	$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
-	$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
-	if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
-	$signing_ca_serial = ++$signing_ca['serial'];
-
-	$args = array(
-		"x509_extensions" => "v3_ca",
-		"digest_alg" => $digest_alg,
-		"private_key_bits" => (int)$keylen,
-		"private_key_type" => OPENSSL_KEYTYPE_RSA,
-		"encrypt_key" => false);
-
-	// generate a new key pair
-	$res_key = openssl_pkey_new($args);
-	if (!$res_key) return false;
-
-	// generate a certificate signing request
-	$res_csr = openssl_csr_new($dn, $res_key, $args);
-	if (!$res_csr) return false;
-
-	// Sign the certificate
-	$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
-	if (!$res_crt) return false;
-
-	// export our certificate data
-	if (!openssl_pkey_export($res_key, $str_key) ||
-	    !openssl_x509_export($res_crt, $str_crt))
-		return false;
-
-	// return our ca information
-	$ca['crt'] = base64_encode($str_crt);
-	$ca['prv'] = base64_encode($str_key);
-	$ca['serial'] = 0;
-
-	return true;
-}

 function cert_import(& $cert, $crt_str, $key_str) {

@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh
 	return true;
 }

-function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {

-	$args = array(
-		"x509_extensions" => "v3_req",
-		"digest_alg" => $digest_alg,
-		"private_key_bits" => (int)$keylen,
-		"private_key_type" => OPENSSL_KEYTYPE_RSA,
-		"encrypt_key" => false);
-
-	// generate a new key pair
-	$res_key = openssl_pkey_new($args);
-	if(!$res_key) return false;
-
-	// generate a certificate signing request
-	$res_csr = openssl_csr_new($dn, $res_key, $args);
-	if(!$res_csr) return false;
-
-	// export our request data
-	if (!openssl_pkey_export($res_key, $str_key) ||
-	    !openssl_csr_export($res_csr, $str_csr))
-		return false;
-
-	// return our request information
-	$cert['csr'] = base64_encode($str_csr);
-	$cert['prv'] = base64_encode($str_key);
-
-	return true;
-}
-
-function csr_complete(& $cert, $str_crt) {
-
-	// return our request information
-	$cert['crt'] = base64_encode($str_crt);
-	unset($cert['csr']);
-
-	return true;
-}

 function csr_get_subject($str_crt, $decode = true) {

@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) {
 	return $subject_array;
 }

-function cert_get_subject_hash($crt) {
-	$str_crt = base64_decode($crt);
-	$inf_crt = openssl_x509_parse($str_crt);
-	return $inf_crt['subject'];
-}

 function cert_get_issuer($str_crt, $decode = true) {

@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt')
 	return $modulus;
 }

-function csr_get_modulus($str_crt, $decode = true)
-{
-	return cert_get_modulus($str_crt, $decode, 'csr');
-}

 function cert_get_purpose($str_crt, $decode = true) {
 	if ($decode)
@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
 	return true;
 }

-function cert_unrevoke($cert, & $crl) {
-	global $config;
-	if (!is_crl_internal($crl))
-		return false;
-	foreach ($crl['cert'] as $id => $rcert) {
-		if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
-			unset($crl['cert'][$id]);
-			if (count($crl['cert']) == 0) {
-				// Protect against accidentally switching the type to imported, for older CRLs
-				if (!isset($crl['method']))
-					$crl['method'] = "internal";
-				crl_update($crl);
-			} else
-				crl_update($crl);
-			return true;
-		}
-	}
-	return false;
-}

 /* Compare two certificates to see if they match. */
 function cert_compare($cert1, $cert2) {
@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) {
 	return false;
 }

-// Keep this general to allow for future expansion. See cert_in_use() above.
-function crl_in_use($crlref) {
-	return (is_openvpn_server_crl($crlref));
-}

 function is_crl_internal($crl) {
 	return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));

--- a/src/www/system_camanager.php
+++ b/src/www/system_camanager.php
@@ -30,6 +30,86 @@
 require_once('guiconfig.inc');
 require_once('certs.inc');

+function ca_import(& $ca, $str, $key="", $serial=0) {
+	global $config;
+
+	$ca['crt'] = base64_encode($str);
+	if (!empty($key))
+		$ca['prv'] = base64_encode($key);
+	if (!empty($serial))
+		$ca['serial'] = $serial;
+	$subject = cert_get_subject($str, false);
+	$issuer = cert_get_issuer($str, false);
+
+	// Find my issuer unless self-signed
+	if($issuer <> $subject) {
+		$issuer_crt =& lookup_ca_by_subject($issuer);
+		if($issuer_crt)
+			$ca['caref'] = $issuer_crt['refid'];
+	}
+
+	/* Correct if child certificate was loaded first */
+	if (is_array($config['ca']))
+		foreach ($config['ca'] as & $oca)
+		{
+			$issuer = cert_get_issuer($oca['crt']);
+			if($ca['refid']<>$oca['refid'] && $issuer==$subject)
+				$oca['caref'] = $ca['refid'];
+		}
+	if (is_array($config['cert']))
+		foreach ($config['cert'] as & $cert)
+		{
+			$issuer = cert_get_issuer($cert['crt']);
+			if($issuer==$subject)
+				$cert['caref'] = $ca['refid'];
+		}
+	return true;
+}
+
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
+	// Create Intermediate Certificate Authority
+	$signing_ca =& lookup_ca($caref);
+	if (!$signing_ca)
+		return false;
+
+	$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
+	$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
+	if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
+	$signing_ca_serial = ++$signing_ca['serial'];
+
+	$args = array(
+		"x509_extensions" => "v3_ca",
+		"digest_alg" => $digest_alg,
+		"private_key_bits" => (int)$keylen,
+		"private_key_type" => OPENSSL_KEYTYPE_RSA,
+		"encrypt_key" => false);
+
+	// generate a new key pair
+	$res_key = openssl_pkey_new($args);
+	if (!$res_key) return false;
+
+	// generate a certificate signing request
+	$res_csr = openssl_csr_new($dn, $res_key, $args);
+	if (!$res_csr) return false;
+
+	// Sign the certificate
+	$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
+	if (!$res_crt) return false;
+
+	// export our certificate data
+	if (!openssl_pkey_export($res_key, $str_key) ||
+	    !openssl_x509_export($res_crt, $str_crt))
+		return false;
+
+	// return our ca information
+	$ca['crt'] = base64_encode($str_crt);
+	$ca['prv'] = base64_encode($str_key);
+	$ca['serial'] = 0;
+
+	return true;
+}
+
+
 $ca_methods = array(
    "existing" => gettext("Import an existing Certificate Authority"),
    "internal" => gettext("Create an internal Certificate Authority"),

--- a/src/www/system_certmanager.php
+++ b/src/www/system_certmanager.php
@@ -30,6 +30,50 @@
 require_once('guiconfig.inc');
 require_once('certs.inc');

+function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
+
+	$args = array(
+		"x509_extensions" => "v3_req",
+		"digest_alg" => $digest_alg,
+		"private_key_bits" => (int)$keylen,
+		"private_key_type" => OPENSSL_KEYTYPE_RSA,
+		"encrypt_key" => false);
+
+	// generate a new key pair
+	$res_key = openssl_pkey_new($args);
+	if(!$res_key) return false;
+
+	// generate a certificate signing request
+	$res_csr = openssl_csr_new($dn, $res_key, $args);
+	if(!$res_csr) return false;
+
+	// export our request data
+	if (!openssl_pkey_export($res_key, $str_key) ||
+	    !openssl_csr_export($res_csr, $str_csr))
+		return false;
+
+	// return our request information
+	$cert['csr'] = base64_encode($str_csr);
+	$cert['prv'] = base64_encode($str_key);
+
+	return true;
+}
+
+function csr_complete(& $cert, $str_crt) {
+
+	// return our request information
+	$cert['crt'] = base64_encode($str_crt);
+	unset($cert['csr']);
+
+	return true;
+}
+
+function csr_get_modulus($str_crt, $decode = true)
+{
+	return cert_get_modulus($str_crt, $decode, 'csr');
+}
+
+
 $cert_methods = array(
    "import" => gettext("Import an existing Certificate"),
    "internal" => gettext("Create an internal Certificate"),

--- a/src/www/system_crlmanager.php
+++ b/src/www/system_crlmanager.php
@@ -30,6 +30,32 @@ require_once("guiconfig.inc");
 require_once("certs.inc");
 require_once('openvpn.inc');

+function cert_unrevoke($cert, & $crl) {
+	global $config;
+	if (!is_crl_internal($crl))
+		return false;
+	foreach ($crl['cert'] as $id => $rcert) {
+		if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
+			unset($crl['cert'][$id]);
+			if (count($crl['cert']) == 0) {
+				// Protect against accidentally switching the type to imported, for older CRLs
+				if (!isset($crl['method']))
+					$crl['method'] = "internal";
+				crl_update($crl);
+			} else
+				crl_update($crl);
+			return true;
+		}
+	}
+	return false;
+}
+
+// Keep this general to allow for future expansion. See cert_in_use() above.
+function crl_in_use($crlref) {
+	return (is_openvpn_server_crl($crlref));
+}
+
+
 global $openssl_crl_status;

 $pgtitle = array(gettext("System"), gettext("Certificate Revocation List Manager"));

--- a/src/www/wizards/openvpn_wizard.inc
+++ b/src/www/wizards/openvpn_wizard.inc
@@ -27,6 +27,12 @@
 */
 require_once("openvpn.inc");

+function cert_get_subject_hash($crt) {
+	$str_crt = base64_decode($crt);
+	$inf_crt = openssl_x509_parse($str_crt);
+	return $inf_crt['subject'];
+}
+
 function has_special_chars($text) {
 	return preg_match('/[^A-Za-z0-9 _-]/', $text);
 }