Commit 207b3f70 authored by Ad Schellevis's avatar Ad Schellevis

(legacy) fix uninitialized issues, move single used, remove unused in certs.inc

parent 0a8bb42f
...@@ -84,16 +84,6 @@ function & lookup_cert($refid) { ...@@ -84,16 +84,6 @@ function & lookup_cert($refid) {
return $false; return $false;
} }
function & lookup_cert_by_name($name) {
global $config;
$null = null;
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
if ($cert['descr'] == $name)
return $cert;
return $null;
}
function & lookup_crl($refid) { function & lookup_crl($refid) {
global $config; global $config;
$false = false; $false = false;
...@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) { ...@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) {
} }
function ca_chain(& $cert) { function ca_chain(& $cert) {
if($cert['caref']) { if(isset($cert['caref'])) {
$ca = ""; $ca = "";
$cas = ca_chain_array($cert); $cas = ca_chain_array($cert);
if (is_array($cas)) if (is_array($cas))
...@@ -140,41 +130,6 @@ function ca_chain(& $cert) { ...@@ -140,41 +130,6 @@ function ca_chain(& $cert) {
return ""; return "";
} }
function ca_import(& $ca, $str, $key="", $serial=0) {
global $config;
$ca['crt'] = base64_encode($str);
if (!empty($key))
$ca['prv'] = base64_encode($key);
if (!empty($serial))
$ca['serial'] = $serial;
$subject = cert_get_subject($str, false);
$issuer = cert_get_issuer($str, false);
// Find my issuer unless self-signed
if($issuer <> $subject) {
$issuer_crt =& lookup_ca_by_subject($issuer);
if($issuer_crt)
$ca['caref'] = $issuer_crt['refid'];
}
/* Correct if child certificate was loaded first */
if (is_array($config['ca']))
foreach ($config['ca'] as & $oca)
{
$issuer = cert_get_issuer($oca['crt']);
if($ca['refid']<>$oca['refid'] && $issuer==$subject)
$oca['caref'] = $ca['refid'];
}
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
{
$issuer = cert_get_issuer($cert['crt']);
if($issuer==$subject)
$cert['caref'] = $ca['refid'];
}
return true;
}
function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") { function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
...@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") { ...@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
return true; return true;
} }
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
return false;
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
$signing_ca_serial = ++$signing_ca['serial'];
$args = array(
"x509_extensions" => "v3_ca",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false;
// Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false;
// export our certificate data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt))
return false;
// return our ca information
$ca['crt'] = base64_encode($str_crt);
$ca['prv'] = base64_encode($str_key);
$ca['serial'] = 0;
return true;
}
function cert_import(& $cert, $crt_str, $key_str) { function cert_import(& $cert, $crt_str, $key_str) {
...@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh ...@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh
return true; return true;
} }
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_req",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;
// export our request data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr))
return false;
// return our request information
$cert['csr'] = base64_encode($str_csr);
$cert['prv'] = base64_encode($str_key);
return true;
}
function csr_complete(& $cert, $str_crt) {
// return our request information
$cert['crt'] = base64_encode($str_crt);
unset($cert['csr']);
return true;
}
function csr_get_subject($str_crt, $decode = true) { function csr_get_subject($str_crt, $decode = true) {
...@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) { ...@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) {
return $subject_array; return $subject_array;
} }
function cert_get_subject_hash($crt) {
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
return $inf_crt['subject'];
}
function cert_get_issuer($str_crt, $decode = true) { function cert_get_issuer($str_crt, $decode = true) {
...@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt') ...@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt')
return $modulus; return $modulus;
} }
function csr_get_modulus($str_crt, $decode = true)
{
return cert_get_modulus($str_crt, $decode, 'csr');
}
function cert_get_purpose($str_crt, $decode = true) { function cert_get_purpose($str_crt, $decode = true) {
if ($decode) if ($decode)
...@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) { ...@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
return true; return true;
} }
function cert_unrevoke($cert, & $crl) {
global $config;
if (!is_crl_internal($crl))
return false;
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
if (count($crl['cert']) == 0) {
// Protect against accidentally switching the type to imported, for older CRLs
if (!isset($crl['method']))
$crl['method'] = "internal";
crl_update($crl);
} else
crl_update($crl);
return true;
}
}
return false;
}
/* Compare two certificates to see if they match. */ /* Compare two certificates to see if they match. */
function cert_compare($cert1, $cert2) { function cert_compare($cert1, $cert2) {
...@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) { ...@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) {
return false; return false;
} }
// Keep this general to allow for future expansion. See cert_in_use() above.
function crl_in_use($crlref) {
return (is_openvpn_server_crl($crlref));
}
function is_crl_internal($crl) { function is_crl_internal($crl) {
return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal")); return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
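Review bot: In `ca_chain()`, `isset($cert['caref'])` is not equivalent to the truthiness test it replaces: it silences the undefined-index notice but is also true for an empty string, so a certificate stored with `caref` set to `''` now enters the chain-building branch where it was skipped before. `if (!empty($cert['caref'])) {` keeps the old semantics and still avoids the notice. How `ca_chain_array()` treats an empty reference is outside this hunk, so the practical effect needs confirming there.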
......
...@@ -30,6 +30,86 @@ ...@@ -30,6 +30,86 @@
require_once('guiconfig.inc'); require_once('guiconfig.inc');
require_once('certs.inc'); require_once('certs.inc');
function ca_import(& $ca, $str, $key="", $serial=0) {
global $config;
$ca['crt'] = base64_encode($str);
if (!empty($key))
$ca['prv'] = base64_encode($key);
if (!empty($serial))
$ca['serial'] = $serial;
$subject = cert_get_subject($str, false);
$issuer = cert_get_issuer($str, false);
// Find my issuer unless self-signed
if($issuer <> $subject) {
$issuer_crt =& lookup_ca_by_subject($issuer);
if($issuer_crt)
$ca['caref'] = $issuer_crt['refid'];
}
/* Correct if child certificate was loaded first */
if (is_array($config['ca']))
foreach ($config['ca'] as & $oca)
{
$issuer = cert_get_issuer($oca['crt']);
if($ca['refid']<>$oca['refid'] && $issuer==$subject)
$oca['caref'] = $ca['refid'];
}
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
{
$issuer = cert_get_issuer($cert['crt']);
if($issuer==$subject)
$cert['caref'] = $ca['refid'];
}
return true;
}
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
return false;
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
$signing_ca_serial = ++$signing_ca['serial'];
$args = array(
"x509_extensions" => "v3_ca",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false;
// Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false;
// export our certificate data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt))
return false;
// return our ca information
$ca['crt'] = base64_encode($str_crt);
$ca['prv'] = base64_encode($str_key);
$ca['serial'] = 0;
return true;
}
$ca_methods = array( $ca_methods = array(
"existing" => gettext("Import an existing Certificate Authority"), "existing" => gettext("Import an existing Certificate Authority"),
"internal" => gettext("Create an internal Certificate Authority"), "internal" => gettext("Create an internal Certificate Authority"),
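Review bot: `ca_import()` links entries to the imported CA on a name match alone: both correction loops assign `caref` whenever `$issuer==$subject`, and the issuer lookup through `lookup_ca_by_subject($issuer)` is likewise name-based, so nothing in this function checks that a signature verifies under the CA's key. Two CAs that share a subject (for example after a re-key) are indistinguishable here, and the loops overwrite `caref` on existing entries with the refid of whichever CA was imported last. At minimum I would add a comment above the loops, `/* caref is assigned by subject/issuer name match only; signatures are not verified here */`, and consider verifying the signature or comparing key identifiers before rewriting `caref`. Separately, `is_array($config['ca'])` and `is_array($config['cert'])` still read keys that may be unset, which is the kind of notice this commit sets out to fix; `isset($config['ca']) && is_array($config['ca'])` would cover it.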
......
...@@ -30,6 +30,50 @@ ...@@ -30,6 +30,50 @@
require_once('guiconfig.inc'); require_once('guiconfig.inc');
require_once('certs.inc'); require_once('certs.inc');
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_req",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;
// export our request data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr))
return false;
// return our request information
$cert['csr'] = base64_encode($str_csr);
$cert['prv'] = base64_encode($str_key);
return true;
}
function csr_complete(& $cert, $str_crt) {
// return our request information
$cert['crt'] = base64_encode($str_crt);
unset($cert['csr']);
return true;
}
function csr_get_modulus($str_crt, $decode = true)
{
return cert_get_modulus($str_crt, $decode, 'csr');
}
$cert_methods = array( $cert_methods = array(
"import" => gettext("Import an existing Certificate"), "import" => gettext("Import an existing Certificate"),
"internal" => gettext("Create an internal Certificate"), "internal" => gettext("Create an internal Certificate"),
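Review bot: `csr_complete()` stores whatever is passed as `$str_crt` and always returns `true`; it does not check that the certificate's public key matches the `prv` kept from `csr_generate()`. `csr_get_modulus()` moves into this file alongside it, which suggests the caller compares moduli first, but that call is not visible in this section. I would document the precondition on the function, e.g. `// caller must have verified that $str_crt matches the stored CSR key (modulus comparison) before calling`, so the check is not lost now that these helpers are page-local. `csr_generate()` also passes `$keylen` and `$digest_alg` to OpenSSL with only an `(int)` cast, so the page's own input validation is the only guard against weak values.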
......
...@@ -30,6 +30,32 @@ require_once("guiconfig.inc"); ...@@ -30,6 +30,32 @@ require_once("guiconfig.inc");
require_once("certs.inc"); require_once("certs.inc");
require_once('openvpn.inc'); require_once('openvpn.inc');
function cert_unrevoke($cert, & $crl) {
global $config;
if (!is_crl_internal($crl))
return false;
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
if (count($crl['cert']) == 0) {
// Protect against accidentally switching the type to imported, for older CRLs
if (!isset($crl['method']))
$crl['method'] = "internal";
crl_update($crl);
} else
crl_update($crl);
return true;
}
}
return false;
}
// Keep this general to allow for future expansion. See cert_in_use() above.
function crl_in_use($crlref) {
return (is_openvpn_server_crl($crlref));
}
global $openssl_crl_status; global $openssl_crl_status;
$pgtitle = array(gettext("System"), gettext("Certificate Revocation List Manager")); $pgtitle = array(gettext("System"), gettext("Certificate Revocation List Manager"));
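Review bot: The match in `cert_unrevoke()` accepts `$rcert['descr'] == $cert['descr']` as an alternative to the refid, so a revoked entry that merely shares a description with the target is removed from the CRL, and with loose `==` two entries that both lack the key compare equal as well. Since removing a CRL entry restores trust in a certificate, I would match on the identifier only: `if (isset($rcert['refid'], $cert['refid']) && $rcert['refid'] === $cert['refid']) {`. If the description fallback exists for older CRLs without refids, that should be stated in a comment and limited to entries that have no refid. `$crl['cert']` is also iterated without an `is_array()` check, `global $config` is unused in the function, and the `See cert_in_use() above` comment on `crl_in_use()` appears stale after the move.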
......
...@@ -27,6 +27,12 @@ ...@@ -27,6 +27,12 @@
*/ */
require_once("openvpn.inc"); require_once("openvpn.inc");
function cert_get_subject_hash($crt) {
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
return $inf_crt['subject'];
}
function has_special_chars($text) { function has_special_chars($text) {
return preg_match('/[^A-Za-z0-9 _-]/', $text); return preg_match('/[^A-Za-z0-9 _-]/', $text);
} }
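Review bot: `cert_get_subject_hash()` indexes the result of `openssl_x509_parse()` without checking it; on malformed input that call returns `false`, so the function yields `null`, and two unparseable inputs would compare equal if callers use the result for matching. I would return explicitly, `return is_array($inf_crt) ? $inf_crt['subject'] : null;`, and have callers treat `null` as "no match"; how the value is consumed is not visible in this section. The name says hash while the function returns the parsed subject, which deserves a one-line comment such as `// returns the parsed subject fields, not a digest`.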
......