Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
207b3f70
Commit
207b3f70
authored
Jul 09, 2015
by
Ad Schellevis
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(legacy) fix uninitialized issues, move single used, remove unused in certs.inc
parent
0a8bb42f
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
157 additions
and
156 deletions
+157
-156
certs.inc
src/etc/inc/certs.inc
+1
-156
system_camanager.php
src/www/system_camanager.php
+80
-0
system_certmanager.php
src/www/system_certmanager.php
+44
-0
system_crlmanager.php
src/www/system_crlmanager.php
+26
-0
openvpn_wizard.inc
src/www/wizards/openvpn_wizard.inc
+6
-0
No files found.
src/etc/inc/certs.inc
View file @
207b3f70
...
@@ -84,16 +84,6 @@ function & lookup_cert($refid) {
...
@@ -84,16 +84,6 @@ function & lookup_cert($refid) {
return
$false
;
return
$false
;
}
}
function
&
lookup_cert_by_name
(
$name
)
{
global
$config
;
$null
=
null
;
if
(
is_array
(
$config
[
'cert'
]))
foreach
(
$config
[
'cert'
]
as
&
$cert
)
if
(
$cert
[
'descr'
]
==
$name
)
return
$cert
;
return
$null
;
}
function
&
lookup_crl
(
$refid
)
{
function
&
lookup_crl
(
$refid
)
{
global
$config
;
global
$config
;
$false
=
false
;
$false
=
false
;
...
@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) {
...
@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) {
}
}
function
ca_chain
(
&
$cert
)
{
function
ca_chain
(
&
$cert
)
{
if
(
$cert
[
'caref'
]
)
{
if
(
isset
(
$cert
[
'caref'
])
)
{
$ca
=
""
;
$ca
=
""
;
$cas
=
ca_chain_array
(
$cert
);
$cas
=
ca_chain_array
(
$cert
);
if
(
is_array
(
$cas
))
if
(
is_array
(
$cas
))
...
@@ -140,41 +130,6 @@ function ca_chain(& $cert) {
...
@@ -140,41 +130,6 @@ function ca_chain(& $cert) {
return
""
;
return
""
;
}
}
function
ca_import
(
&
$ca
,
$str
,
$key
=
""
,
$serial
=
0
)
{
global
$config
;
$ca
[
'crt'
]
=
base64_encode
(
$str
);
if
(
!
empty
(
$key
))
$ca
[
'prv'
]
=
base64_encode
(
$key
);
if
(
!
empty
(
$serial
))
$ca
[
'serial'
]
=
$serial
;
$subject
=
cert_get_subject
(
$str
,
false
);
$issuer
=
cert_get_issuer
(
$str
,
false
);
// Find my issuer unless self-signed
if
(
$issuer
<>
$subject
)
{
$issuer_crt
=&
lookup_ca_by_subject
(
$issuer
);
if
(
$issuer_crt
)
$ca
[
'caref'
]
=
$issuer_crt
[
'refid'
];
}
/* Correct if child certificate was loaded first */
if
(
is_array
(
$config
[
'ca'
]))
foreach
(
$config
[
'ca'
]
as
&
$oca
)
{
$issuer
=
cert_get_issuer
(
$oca
[
'crt'
]);
if
(
$ca
[
'refid'
]
<>
$oca
[
'refid'
]
&&
$issuer
==
$subject
)
$oca
[
'caref'
]
=
$ca
[
'refid'
];
}
if
(
is_array
(
$config
[
'cert'
]))
foreach
(
$config
[
'cert'
]
as
&
$cert
)
{
$issuer
=
cert_get_issuer
(
$cert
[
'crt'
]);
if
(
$issuer
==
$subject
)
$cert
[
'caref'
]
=
$ca
[
'refid'
];
}
return
true
;
}
function
ca_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$digest_alg
=
"sha256"
)
{
function
ca_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$digest_alg
=
"sha256"
)
{
...
@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
...
@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
return
true
;
return
true
;
}
}
function
ca_inter_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$caref
,
$digest_alg
=
"sha256"
)
{
// Create Intermediate Certificate Authority
$signing_ca
=&
lookup_ca
(
$caref
);
if
(
!
$signing_ca
)
return
false
;
$signing_ca_res_crt
=
openssl_x509_read
(
base64_decode
(
$signing_ca
[
'crt'
]));
$signing_ca_res_key
=
openssl_pkey_get_private
(
array
(
0
=>
base64_decode
(
$signing_ca
[
'prv'
])
,
1
=>
""
));
if
(
!
$signing_ca_res_crt
||
!
$signing_ca_res_key
)
return
false
;
$signing_ca_serial
=
++
$signing_ca
[
'serial'
];
$args
=
array
(
"x509_extensions"
=>
"v3_ca"
,
"digest_alg"
=>
$digest_alg
,
"private_key_bits"
=>
(
int
)
$keylen
,
"private_key_type"
=>
OPENSSL_KEYTYPE_RSA
,
"encrypt_key"
=>
false
);
// generate a new key pair
$res_key
=
openssl_pkey_new
(
$args
);
if
(
!
$res_key
)
return
false
;
// generate a certificate signing request
$res_csr
=
openssl_csr_new
(
$dn
,
$res_key
,
$args
);
if
(
!
$res_csr
)
return
false
;
// Sign the certificate
$res_crt
=
openssl_csr_sign
(
$res_csr
,
$signing_ca_res_crt
,
$signing_ca_res_key
,
$lifetime
,
$args
,
$signing_ca_serial
);
if
(
!
$res_crt
)
return
false
;
// export our certificate data
if
(
!
openssl_pkey_export
(
$res_key
,
$str_key
)
||
!
openssl_x509_export
(
$res_crt
,
$str_crt
))
return
false
;
// return our ca information
$ca
[
'crt'
]
=
base64_encode
(
$str_crt
);
$ca
[
'prv'
]
=
base64_encode
(
$str_key
);
$ca
[
'serial'
]
=
0
;
return
true
;
}
function
cert_import
(
&
$cert
,
$crt_str
,
$key_str
)
{
function
cert_import
(
&
$cert
,
$crt_str
,
$key_str
)
{
...
@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh
...
@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh
return
true
;
return
true
;
}
}
function
csr_generate
(
&
$cert
,
$keylen
,
$dn
,
$digest_alg
=
"sha256"
)
{
$args
=
array
(
"x509_extensions"
=>
"v3_req"
,
"digest_alg"
=>
$digest_alg
,
"private_key_bits"
=>
(
int
)
$keylen
,
"private_key_type"
=>
OPENSSL_KEYTYPE_RSA
,
"encrypt_key"
=>
false
);
// generate a new key pair
$res_key
=
openssl_pkey_new
(
$args
);
if
(
!
$res_key
)
return
false
;
// generate a certificate signing request
$res_csr
=
openssl_csr_new
(
$dn
,
$res_key
,
$args
);
if
(
!
$res_csr
)
return
false
;
// export our request data
if
(
!
openssl_pkey_export
(
$res_key
,
$str_key
)
||
!
openssl_csr_export
(
$res_csr
,
$str_csr
))
return
false
;
// return our request information
$cert
[
'csr'
]
=
base64_encode
(
$str_csr
);
$cert
[
'prv'
]
=
base64_encode
(
$str_key
);
return
true
;
}
function
csr_complete
(
&
$cert
,
$str_crt
)
{
// return our request information
$cert
[
'crt'
]
=
base64_encode
(
$str_crt
);
unset
(
$cert
[
'csr'
]);
return
true
;
}
function
csr_get_subject
(
$str_crt
,
$decode
=
true
)
{
function
csr_get_subject
(
$str_crt
,
$decode
=
true
)
{
...
@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) {
...
@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) {
return
$subject_array
;
return
$subject_array
;
}
}
function
cert_get_subject_hash
(
$crt
)
{
$str_crt
=
base64_decode
(
$crt
);
$inf_crt
=
openssl_x509_parse
(
$str_crt
);
return
$inf_crt
[
'subject'
];
}
function
cert_get_issuer
(
$str_crt
,
$decode
=
true
)
{
function
cert_get_issuer
(
$str_crt
,
$decode
=
true
)
{
...
@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt')
...
@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt')
return
$modulus
;
return
$modulus
;
}
}
function
csr_get_modulus
(
$str_crt
,
$decode
=
true
)
{
return
cert_get_modulus
(
$str_crt
,
$decode
,
'csr'
);
}
function
cert_get_purpose
(
$str_crt
,
$decode
=
true
)
{
function
cert_get_purpose
(
$str_crt
,
$decode
=
true
)
{
if
(
$decode
)
if
(
$decode
)
...
@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
...
@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
return
true
;
return
true
;
}
}
function
cert_unrevoke
(
$cert
,
&
$crl
)
{
global
$config
;
if
(
!
is_crl_internal
(
$crl
))
return
false
;
foreach
(
$crl
[
'cert'
]
as
$id
=>
$rcert
)
{
if
((
$rcert
[
'refid'
]
==
$cert
[
'refid'
])
||
(
$rcert
[
'descr'
]
==
$cert
[
'descr'
]))
{
unset
(
$crl
[
'cert'
][
$id
]);
if
(
count
(
$crl
[
'cert'
])
==
0
)
{
// Protect against accidentally switching the type to imported, for older CRLs
if
(
!
isset
(
$crl
[
'method'
]))
$crl
[
'method'
]
=
"internal"
;
crl_update
(
$crl
);
}
else
crl_update
(
$crl
);
return
true
;
}
}
return
false
;
}
/* Compare two certificates to see if they match. */
/* Compare two certificates to see if they match. */
function
cert_compare
(
$cert1
,
$cert2
)
{
function
cert_compare
(
$cert1
,
$cert2
)
{
...
@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) {
...
@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) {
return
false
;
return
false
;
}
}
// Keep this general to allow for future expansion. See cert_in_use() above.
function
crl_in_use
(
$crlref
)
{
return
(
is_openvpn_server_crl
(
$crlref
));
}
function
is_crl_internal
(
$crl
)
{
function
is_crl_internal
(
$crl
)
{
return
(
!
(
!
empty
(
$crl
[
'text'
])
&&
empty
(
$crl
[
'cert'
]))
||
(
$crl
[
"method"
]
==
"internal"
));
return
(
!
(
!
empty
(
$crl
[
'text'
])
&&
empty
(
$crl
[
'cert'
]))
||
(
$crl
[
"method"
]
==
"internal"
));
...
...
src/www/system_camanager.php
View file @
207b3f70
...
@@ -30,6 +30,86 @@
...
@@ -30,6 +30,86 @@
require_once
(
'guiconfig.inc'
);
require_once
(
'guiconfig.inc'
);
require_once
(
'certs.inc'
);
require_once
(
'certs.inc'
);
function
ca_import
(
&
$ca
,
$str
,
$key
=
""
,
$serial
=
0
)
{
global
$config
;
$ca
[
'crt'
]
=
base64_encode
(
$str
);
if
(
!
empty
(
$key
))
$ca
[
'prv'
]
=
base64_encode
(
$key
);
if
(
!
empty
(
$serial
))
$ca
[
'serial'
]
=
$serial
;
$subject
=
cert_get_subject
(
$str
,
false
);
$issuer
=
cert_get_issuer
(
$str
,
false
);
// Find my issuer unless self-signed
if
(
$issuer
<>
$subject
)
{
$issuer_crt
=&
lookup_ca_by_subject
(
$issuer
);
if
(
$issuer_crt
)
$ca
[
'caref'
]
=
$issuer_crt
[
'refid'
];
}
/* Correct if child certificate was loaded first */
if
(
is_array
(
$config
[
'ca'
]))
foreach
(
$config
[
'ca'
]
as
&
$oca
)
{
$issuer
=
cert_get_issuer
(
$oca
[
'crt'
]);
if
(
$ca
[
'refid'
]
<>
$oca
[
'refid'
]
&&
$issuer
==
$subject
)
$oca
[
'caref'
]
=
$ca
[
'refid'
];
}
if
(
is_array
(
$config
[
'cert'
]))
foreach
(
$config
[
'cert'
]
as
&
$cert
)
{
$issuer
=
cert_get_issuer
(
$cert
[
'crt'
]);
if
(
$issuer
==
$subject
)
$cert
[
'caref'
]
=
$ca
[
'refid'
];
}
return
true
;
}
function
ca_inter_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$caref
,
$digest_alg
=
"sha256"
)
{
// Create Intermediate Certificate Authority
$signing_ca
=&
lookup_ca
(
$caref
);
if
(
!
$signing_ca
)
return
false
;
$signing_ca_res_crt
=
openssl_x509_read
(
base64_decode
(
$signing_ca
[
'crt'
]));
$signing_ca_res_key
=
openssl_pkey_get_private
(
array
(
0
=>
base64_decode
(
$signing_ca
[
'prv'
])
,
1
=>
""
));
if
(
!
$signing_ca_res_crt
||
!
$signing_ca_res_key
)
return
false
;
$signing_ca_serial
=
++
$signing_ca
[
'serial'
];
$args
=
array
(
"x509_extensions"
=>
"v3_ca"
,
"digest_alg"
=>
$digest_alg
,
"private_key_bits"
=>
(
int
)
$keylen
,
"private_key_type"
=>
OPENSSL_KEYTYPE_RSA
,
"encrypt_key"
=>
false
);
// generate a new key pair
$res_key
=
openssl_pkey_new
(
$args
);
if
(
!
$res_key
)
return
false
;
// generate a certificate signing request
$res_csr
=
openssl_csr_new
(
$dn
,
$res_key
,
$args
);
if
(
!
$res_csr
)
return
false
;
// Sign the certificate
$res_crt
=
openssl_csr_sign
(
$res_csr
,
$signing_ca_res_crt
,
$signing_ca_res_key
,
$lifetime
,
$args
,
$signing_ca_serial
);
if
(
!
$res_crt
)
return
false
;
// export our certificate data
if
(
!
openssl_pkey_export
(
$res_key
,
$str_key
)
||
!
openssl_x509_export
(
$res_crt
,
$str_crt
))
return
false
;
// return our ca information
$ca
[
'crt'
]
=
base64_encode
(
$str_crt
);
$ca
[
'prv'
]
=
base64_encode
(
$str_key
);
$ca
[
'serial'
]
=
0
;
return
true
;
}
$ca_methods
=
array
(
$ca_methods
=
array
(
"existing"
=>
gettext
(
"Import an existing Certificate Authority"
),
"existing"
=>
gettext
(
"Import an existing Certificate Authority"
),
"internal"
=>
gettext
(
"Create an internal Certificate Authority"
),
"internal"
=>
gettext
(
"Create an internal Certificate Authority"
),
...
...
src/www/system_certmanager.php
View file @
207b3f70
...
@@ -30,6 +30,50 @@
...
@@ -30,6 +30,50 @@
require_once
(
'guiconfig.inc'
);
require_once
(
'guiconfig.inc'
);
require_once
(
'certs.inc'
);
require_once
(
'certs.inc'
);
function
csr_generate
(
&
$cert
,
$keylen
,
$dn
,
$digest_alg
=
"sha256"
)
{
$args
=
array
(
"x509_extensions"
=>
"v3_req"
,
"digest_alg"
=>
$digest_alg
,
"private_key_bits"
=>
(
int
)
$keylen
,
"private_key_type"
=>
OPENSSL_KEYTYPE_RSA
,
"encrypt_key"
=>
false
);
// generate a new key pair
$res_key
=
openssl_pkey_new
(
$args
);
if
(
!
$res_key
)
return
false
;
// generate a certificate signing request
$res_csr
=
openssl_csr_new
(
$dn
,
$res_key
,
$args
);
if
(
!
$res_csr
)
return
false
;
// export our request data
if
(
!
openssl_pkey_export
(
$res_key
,
$str_key
)
||
!
openssl_csr_export
(
$res_csr
,
$str_csr
))
return
false
;
// return our request information
$cert
[
'csr'
]
=
base64_encode
(
$str_csr
);
$cert
[
'prv'
]
=
base64_encode
(
$str_key
);
return
true
;
}
function
csr_complete
(
&
$cert
,
$str_crt
)
{
// return our request information
$cert
[
'crt'
]
=
base64_encode
(
$str_crt
);
unset
(
$cert
[
'csr'
]);
return
true
;
}
function
csr_get_modulus
(
$str_crt
,
$decode
=
true
)
{
return
cert_get_modulus
(
$str_crt
,
$decode
,
'csr'
);
}
$cert_methods
=
array
(
$cert_methods
=
array
(
"import"
=>
gettext
(
"Import an existing Certificate"
),
"import"
=>
gettext
(
"Import an existing Certificate"
),
"internal"
=>
gettext
(
"Create an internal Certificate"
),
"internal"
=>
gettext
(
"Create an internal Certificate"
),
...
...
src/www/system_crlmanager.php
View file @
207b3f70
...
@@ -30,6 +30,32 @@ require_once("guiconfig.inc");
...
@@ -30,6 +30,32 @@ require_once("guiconfig.inc");
require_once
(
"certs.inc"
);
require_once
(
"certs.inc"
);
require_once
(
'openvpn.inc'
);
require_once
(
'openvpn.inc'
);
function
cert_unrevoke
(
$cert
,
&
$crl
)
{
global
$config
;
if
(
!
is_crl_internal
(
$crl
))
return
false
;
foreach
(
$crl
[
'cert'
]
as
$id
=>
$rcert
)
{
if
((
$rcert
[
'refid'
]
==
$cert
[
'refid'
])
||
(
$rcert
[
'descr'
]
==
$cert
[
'descr'
]))
{
unset
(
$crl
[
'cert'
][
$id
]);
if
(
count
(
$crl
[
'cert'
])
==
0
)
{
// Protect against accidentally switching the type to imported, for older CRLs
if
(
!
isset
(
$crl
[
'method'
]))
$crl
[
'method'
]
=
"internal"
;
crl_update
(
$crl
);
}
else
crl_update
(
$crl
);
return
true
;
}
}
return
false
;
}
// Keep this general to allow for future expansion. See cert_in_use() above.
function
crl_in_use
(
$crlref
)
{
return
(
is_openvpn_server_crl
(
$crlref
));
}
global
$openssl_crl_status
;
global
$openssl_crl_status
;
$pgtitle
=
array
(
gettext
(
"System"
),
gettext
(
"Certificate Revocation List Manager"
));
$pgtitle
=
array
(
gettext
(
"System"
),
gettext
(
"Certificate Revocation List Manager"
));
...
...
src/www/wizards/openvpn_wizard.inc
View file @
207b3f70
...
@@ -27,6 +27,12 @@
...
@@ -27,6 +27,12 @@
*/
*/
require_once
(
"openvpn.inc"
);
require_once
(
"openvpn.inc"
);
function
cert_get_subject_hash
(
$crt
)
{
$str_crt
=
base64_decode
(
$crt
);
$inf_crt
=
openssl_x509_parse
(
$str_crt
);
return
$inf_crt
[
'subject'
];
}
function
has_special_chars
(
$text
)
{
function
has_special_chars
(
$text
)
{
return
preg_match
(
'/[^A-Za-z0-9 _-]/'
,
$text
);
return
preg_match
(
'/[^A-Za-z0-9 _-]/'
,
$text
);
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment