Commit 589a4a6a authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(legacy) fix uninitialized issues, move single used, remove unused in certs.inc

parent 4ad7a3b6
......@@ -84,16 +84,6 @@ function & lookup_cert($refid) {
return $false;
}
function & lookup_cert_by_name($name) {
global $config;
$null = null;
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
if ($cert['descr'] == $name)
return $cert;
return $null;
}
function & lookup_crl($refid) {
global $config;
$false = false;
......@@ -126,7 +116,7 @@ function ca_chain_array(& $cert) {
}
function ca_chain(& $cert) {
if($cert['caref']) {
if(isset($cert['caref'])) {
$ca = "";
$cas = ca_chain_array($cert);
if (is_array($cas))
......@@ -140,41 +130,6 @@ function ca_chain(& $cert) {
return "";
}
function ca_import(& $ca, $str, $key="", $serial=0) {
global $config;
$ca['crt'] = base64_encode($str);
if (!empty($key))
$ca['prv'] = base64_encode($key);
if (!empty($serial))
$ca['serial'] = $serial;
$subject = cert_get_subject($str, false);
$issuer = cert_get_issuer($str, false);
// Find my issuer unless self-signed
if($issuer <> $subject) {
$issuer_crt =& lookup_ca_by_subject($issuer);
if($issuer_crt)
$ca['caref'] = $issuer_crt['refid'];
}
/* Correct if child certificate was loaded first */
if (is_array($config['ca']))
foreach ($config['ca'] as & $oca)
{
$issuer = cert_get_issuer($oca['crt']);
if($ca['refid']<>$oca['refid'] && $issuer==$subject)
$oca['caref'] = $ca['refid'];
}
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
{
$issuer = cert_get_issuer($cert['crt']);
if($issuer==$subject)
$cert['caref'] = $ca['refid'];
}
return true;
}
function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
......@@ -210,48 +165,6 @@ function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
return true;
}
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
return false;
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
$signing_ca_serial = ++$signing_ca['serial'];
$args = array(
"x509_extensions" => "v3_ca",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false;
// Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false;
// export our certificate data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt))
return false;
// return our ca information
$ca['crt'] = base64_encode($str_crt);
$ca['prv'] = base64_encode($str_key);
$ca['serial'] = 0;
return true;
}
function cert_import(& $cert, $crt_str, $key_str) {
......@@ -324,43 +237,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sh
return true;
}
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_req",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;
// export our request data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr))
return false;
// return our request information
$cert['csr'] = base64_encode($str_csr);
$cert['prv'] = base64_encode($str_key);
return true;
}
function csr_complete(& $cert, $str_crt) {
// return our request information
$cert['crt'] = base64_encode($str_crt);
unset($cert['csr']);
return true;
}
function csr_get_subject($str_crt, $decode = true) {
......@@ -427,11 +304,6 @@ function cert_get_subject_array($crt) {
return $subject_array;
}
function cert_get_subject_hash($crt) {
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
return $inf_crt['subject'];
}
function cert_get_issuer($str_crt, $decode = true) {
......@@ -484,10 +356,6 @@ function cert_get_modulus($str_crt, $decode = true, $type = 'crt')
return $modulus;
}
function csr_get_modulus($str_crt, $decode = true)
{
return cert_get_modulus($str_crt, $decode, 'csr');
}
function cert_get_purpose($str_crt, $decode = true) {
if ($decode)
......@@ -667,25 +535,6 @@ function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
return true;
}
function cert_unrevoke($cert, & $crl) {
global $config;
if (!is_crl_internal($crl))
return false;
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
if (count($crl['cert']) == 0) {
// Protect against accidentally switching the type to imported, for older CRLs
if (!isset($crl['method']))
$crl['method'] = "internal";
crl_update($crl);
} else
crl_update($crl);
return true;
}
}
return false;
}
/* Compare two certificates to see if they match. */
function cert_compare($cert1, $cert2) {
......@@ -740,10 +589,6 @@ function is_openvpn_server_crl($crlref) {
return false;
}
// Keep this general to allow for future expansion. See cert_in_use() above.
function crl_in_use($crlref) {
return (is_openvpn_server_crl($crlref));
}
function is_crl_internal($crl) {
return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
......
......@@ -30,6 +30,86 @@
require_once('guiconfig.inc');
require_once('certs.inc');
function ca_import(& $ca, $str, $key="", $serial=0) {
global $config;
$ca['crt'] = base64_encode($str);
if (!empty($key))
$ca['prv'] = base64_encode($key);
if (!empty($serial))
$ca['serial'] = $serial;
$subject = cert_get_subject($str, false);
$issuer = cert_get_issuer($str, false);
// Find my issuer unless self-signed
if($issuer <> $subject) {
$issuer_crt =& lookup_ca_by_subject($issuer);
if($issuer_crt)
$ca['caref'] = $issuer_crt['refid'];
}
/* Correct if child certificate was loaded first */
if (is_array($config['ca']))
foreach ($config['ca'] as & $oca)
{
$issuer = cert_get_issuer($oca['crt']);
if($ca['refid']<>$oca['refid'] && $issuer==$subject)
$oca['caref'] = $ca['refid'];
}
if (is_array($config['cert']))
foreach ($config['cert'] as & $cert)
{
$issuer = cert_get_issuer($cert['crt']);
if($issuer==$subject)
$cert['caref'] = $ca['refid'];
}
return true;
}
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
return false;
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
$signing_ca_serial = ++$signing_ca['serial'];
$args = array(
"x509_extensions" => "v3_ca",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false;
// Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false;
// export our certificate data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt))
return false;
// return our ca information
$ca['crt'] = base64_encode($str_crt);
$ca['prv'] = base64_encode($str_key);
$ca['serial'] = 0;
return true;
}
$ca_methods = array(
"existing" => gettext("Import an existing Certificate Authority"),
"internal" => gettext("Create an internal Certificate Authority"),
......
......@@ -30,6 +30,50 @@
require_once('guiconfig.inc');
require_once('certs.inc');
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_req",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
// generate a new key pair
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;
// export our request data
if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr))
return false;
// return our request information
$cert['csr'] = base64_encode($str_csr);
$cert['prv'] = base64_encode($str_key);
return true;
}
function csr_complete(& $cert, $str_crt) {
// return our request information
$cert['crt'] = base64_encode($str_crt);
unset($cert['csr']);
return true;
}
function csr_get_modulus($str_crt, $decode = true)
{
return cert_get_modulus($str_crt, $decode, 'csr');
}
$cert_methods = array(
"import" => gettext("Import an existing Certificate"),
"internal" => gettext("Create an internal Certificate"),
......
......@@ -30,6 +30,32 @@ require_once("guiconfig.inc");
require_once("certs.inc");
require_once('openvpn.inc');
function cert_unrevoke($cert, & $crl) {
global $config;
if (!is_crl_internal($crl))
return false;
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
if (count($crl['cert']) == 0) {
// Protect against accidentally switching the type to imported, for older CRLs
if (!isset($crl['method']))
$crl['method'] = "internal";
crl_update($crl);
} else
crl_update($crl);
return true;
}
}
return false;
}
// Keep this general to allow for future expansion. See cert_in_use() above.
function crl_in_use($crlref) {
return (is_openvpn_server_crl($crlref));
}
global $openssl_crl_status;
$pgtitle = array(gettext("System"), gettext("Certificate Revocation List Manager"));
......
......@@ -27,6 +27,12 @@
*/
require_once("openvpn.inc");
function cert_get_subject_hash($crt) {
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
return $inf_crt['subject'];
}
function has_special_chars($text) {
return preg_match('/[^A-Za-z0-9 _-]/', $text);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment