Commit 33b25087 authored by Franco Fichtner's avatar Franco Fichtner

certificates: second half of openssl_pkey_new() fixes

parent 1b59c113
......@@ -66,40 +66,53 @@ function ca_import(& $ca, $str, $key="", $serial=0) {
return true;
}
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
function ca_inter_create(&$ca, $keylen, $lifetime, $dn, $caref, $digest_alg = 'sha256')
{
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
$signing_ca = &lookup_ca($caref);
if (!$signing_ca) {
return false;
}
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
if (!$signing_ca_res_crt || !$signing_ca_res_key) {
return false;
}
$signing_ca_serial = ++$signing_ca['serial'];
$args = array(
"x509_extensions" => "v3_ca",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
'config' => '/usr/local/etc/ssl/opnsense.cnf',
'private_key_type' => OPENSSL_KEYTYPE_RSA,
'private_key_bits' => (int)$keylen,
'x509_extensions' => 'v3_ca',
'digest_alg' => $digest_alg,
'encrypt_key' => false
);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) return false;
if (!$res_key) {
return false;
}
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false;
if (!$res_csr) {
return false;
}
// Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false;
if (!$res_crt) {
return false;
}
// export our certificate data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt))
!openssl_x509_export($res_crt, $str_crt)) {
return false;
}
// return our ca information
$ca['crt'] = base64_encode($str_crt);
......@@ -109,7 +122,6 @@ function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "
return true;
}
$ca_methods = array(
"existing" => gettext("Import an existing Certificate Authority"),
"internal" => gettext("Create an internal Certificate Authority"),
......
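Review bot: The `'config' => '/usr/local/etc/ssl/opnsense.cnf'` entry added to `$args` is passed unchanged to openssl_csr_new() and openssl_csr_sign() as well, so the `v3_ca` section named by `x509_extensions` must now be defined in that file instead of the system default config, and nothing in the hunk records that dependency; a comment above the array such as `// every OpenSSL call below reads opnsense.cnf, which must define the v3_ca extension section` would make it visible, and the same applies to `v3_req` in csr_generate in the second file. Each failing call still returns a bare `false`, so a missing, unreadable or mis-sectioned config file is indistinguishable from any other generation failure; capturing `openssl_error_string()` through the project's logging helper before each `return false` would surface the actual cause. The `openssl_pkey_get_private(array(0 => ...))` line keeps the long array syntax and double quotes that the rest of the hunk converted to the short forms. `$signing_ca_serial = ++$signing_ca['serial'];` still bumps the referenced CA's serial before any of the generation steps have succeeded, so a failed run leaves a gap in the serial sequence; moving the increment after the export block would avoid that. ca_inter_create's body continues past this hunk.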
......@@ -30,27 +30,34 @@
require_once('guiconfig.inc');
require_once("system.inc");
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
function csr_generate(&$cert, $keylen, $dn, $digest_alg = 'sha256')
{
$args = array(
"x509_extensions" => "v3_req",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
'config' => '/usr/local/etc/ssl/opnsense.cnf',
'private_key_type' => OPENSSL_KEYTYPE_RSA,
'private_key_bits' => (int)$keylen,
'x509_extensions' => 'v3_req',
'digest_alg' => $digest_alg,
'encrypt_key' => false
);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;
if (!$res_key) {
return false;
}
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;
if (!$res_csr) {
return false;
}
// export our request data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr))
!openssl_csr_export($res_csr, $str_csr)) {
return false;
}
// return our request information
$cert['csr'] = base64_encode($str_csr);
......@@ -59,8 +66,8 @@ function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
return true;
}
function csr_complete(& $cert, $str_crt) {
function csr_complete(& $cert, $str_crt)
{
// return our request information
$cert['crt'] = base64_encode($str_crt);
unset($cert['csr']);
......@@ -73,7 +80,6 @@ function csr_get_modulus($str_crt, $decode = true)
return cert_get_modulus($str_crt, $decode, 'csr');
}
$cert_methods = array(
"import" => gettext("Import an existing Certificate"),
"internal" => gettext("Create an internal Certificate"),
......
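Review bot: The `function csr_complete(& $cert, $str_crt)` signature keeps the spaced `& $cert` reference syntax while csr_generate directly above was changed to `&$cert` in the same commit; one spelling should be used throughout the file, e.g. `function csr_complete(&$cert, $str_crt)`. In csr_generate's `$args` the final `'encrypt_key' => false` entry lacks the trailing comma that the new multi-line array layout otherwise calls for, so the next key added will produce a two-line diff. csr_generate's body continues past the first hunk.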