Commit 25c0f1a6 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(legacy) add x509_extensions selection to cert_created, related to...

(legacy) add x509_extensions selection to cert_created, related to https://github.com/opnsense/core/issues/81

(cherry picked from commit 9d6473f5)
parent 8f5efde3
...@@ -180,7 +180,7 @@ function cert_import(& $cert, $crt_str, $key_str) { ...@@ -180,7 +180,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
return true; return true;
} }
function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha256') function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha256', $x509_extensions = 'usr_cert')
{ {
$ca = &lookup_ca($caref); $ca = &lookup_ca($caref);
if (!$ca) { if (!$ca) {
...@@ -207,35 +207,42 @@ function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha ...@@ -207,35 +207,42 @@ function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha
unset($dn[$dnTag]); unset($dn[$dnTag]);
} }
} }
$template = str_replace("###OPNsense:usr_cert###", $template_dn, $template); $template = str_replace("###OPNsense:".$x509_extensions."###", $template_dn, $template);
file_put_contents($config_filename, $template); file_put_contents($config_filename, $template);
$args = array( $args = array(
'config' => $config_filename, 'config' => $config_filename,
'private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_type' => OPENSSL_KEYTYPE_RSA,
'private_key_bits' => (int)$keylen, 'private_key_bits' => (int)$keylen,
'x509_extensions' => 'usr_cert', 'x509_extensions' => $x509_extensions,
'digest_alg' => $digest_alg, 'digest_alg' => $digest_alg,
'encrypt_key' => false 'encrypt_key' => false
); );
// generate a new key pair // generate a new key pair
$res_key = openssl_pkey_new($args); $res_key = openssl_pkey_new($args);
if(!$res_key) return false; if(!$res_key) {
return false;
}
// generate a certificate signing request // generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args); $res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false; if(!$res_csr) {
return false;
}
// self sign the certificate // self sign the certificate
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
$args, $ca_serial); $args, $ca_serial);
if(!$res_crt) return false; if(!$res_crt) {
return false;
}
// export our certificate data // export our certificate data
if (!openssl_pkey_export($res_key, $str_key) || if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt)) !openssl_x509_export($res_crt, $str_crt)) {
return false; return false;
}
// return our certificate information // return our certificate information
$cert['caref'] = $caref; $cert['caref'] = $caref;
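Review bot: The new `$x509_extensions` argument is never checked against the markers the template actually defines, so a value with no matching `###OpnSense:<name>###`-style placeholder leaves the DN template unapplied at the `str_replace` line and still reaches OpenSSL as `'x509_extensions' => $x509_extensions`, where a missing section seems to surface only as a bare `false` from openssl_csr_sign (or, if OpenSSL tolerates it, as a certificate signed without the intended extensions). Because this section name decides which extensions end up in the signed certificate, it should be treated as an allow-list value rather than a free string; a minimal guard before the substitution would be `if (strpos($template, "###OPNsense:".$x509_extensions."###") === false) { return false; }`, or an explicit `in_array($x509_extensions, array(...), true)` check against the section names the template supports. cert_create's body starts before this hunk and continues past it, so the `$template` assignment and the remaining return paths are not visible here.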