certs: refactor ca_chain for #664

69a81ab1 · Franco Fichtner · f2d200cd · 69a81ab1 · 69a81ab1 · 69a81ab1
Commit 69a81ab1 authored Jan 17, 2016 by Franco Fichtner
4 changed files
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
 	return false;
 }

-function ca_chain(& $cert) {
-	if(isset($cert['caref'])) {
-		$ca = "";
-		$cas = ca_chain_array($cert);
-		if (is_array($cas))
-			foreach ($cas as & $ca_cert)
-			{
-				$ca .= base64_decode($ca_cert['crt']);
-				$ca .= "\n";
-			}
+function ca_chain(&$cert)
+{
+	$ca = '';
+
+	if (!isset($cert['caref'])) {
 		return $ca;
 	}
-	return "";
+
+	$cas = ca_chain_array($cert);
+	if (!is_array($cas)) {
+		return $ca;
+	}
+
+	foreach ($cas as &$ca_cert) {
+		$ca .= base64_decode($ca_cert['crt']);
+		$ca .= "\n";
+	}
+
+	/* sanitise output to make sure we generate clean files */
+	return str_replace("\n\n", "\n", str_replace("\r", "", $ca));
 }

 function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256')

--- a/src/etc/inc/openvpn-client-export.inc
+++ b/src/etc/inc/openvpn-client-export.inc
@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
 	$port = $settings['local_port'];

 	$filename_addition = "";
-	if ($usrid && is_numeric($usrid))
+	if ($usrid && is_numeric($usrid)) {
 		$filename_addition = "-".$config['system']['user'][$usrid]['name'];
-	elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn"))
+	} elseif ($crtid && is_numeric($crtid)) {
 		$filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt']));
+	}

 	return "{$host}-{$prot}-{$port}{$filename_addition}";
 }
@@ -95,13 +96,11 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 	{
 		$input_errors[] = gettext("Could not locate server certificate.");
 	} else {
-		$server_ca = isset($server_cert['caref']) ? str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($server_cert))) : null;
-		if (!$server_ca) {
+		$server_ca = ca_chain($server_cert);
+		if (empty($server_ca)) {
 			$input_errors[] = gettext("Could not locate the CA reference for the server certificate.");
 		}
-		if (function_exists("cert_get_cn")) {
-			$servercn = cert_get_cn($server_cert['crt']);
-		}
+		$servercn = cert_get_cn($server_cert['crt']);
 	}

 	// lookup user info
@@ -277,12 +276,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
 	// - Disable for now, it requires the server cert to include special options
 	//$conf .= "remote-cert-tls server{$nl}";

-	// Extra protection for the server cert, if it's supported
-	if (function_exists("cert_get_purpose")) {
-		if (is_array($server_cert) && ($server_cert['crt'])) {
-			$purpose = cert_get_purpose($server_cert['crt'], true);
-			if ($purpose['server'] == 'Yes')
-				$conf .= "ns-cert-type server{$nl}";
+	if (is_array($server_cert) && ($server_cert['crt'])) {
+		$purpose = cert_get_purpose($server_cert['crt'], true);
+		if ($purpose['server'] == 'Yes') {
+			$conf .= "ns-cert-type server{$nl}";
 		}
 	}

@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
 	}

 }
-?>
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -970,16 +970,16 @@ function system_webgui_start()
 			$a_cert[] = $cert;
 			$config['system']['webgui']['ssl-certref'] = $cert['refid'];
 			write_config(gettext("Importing HTTPS certificate"));
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
 		} else {
 			$crt = base64_decode($cert['crt']);
 			$key = base64_decode($cert['prv']);
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
 		}
+
+		if (!$config['system']['webgui']['port']) {
+			$portarg = '443';
+		}
+
+		$ca = ca_chain($cert);
 	}

 	/* generate lighttpd configuration */

--- a/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
+++ b/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
 #!/usr/local/bin/php
 <?php
+
 /**
 *    Copyright (C) 2015 Deciso B.V.
 *
@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
                    // generate ca pem file
                    if (!empty($cert->caref)) {
                        $output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ;
-                        $ca = str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($cert)));
+                        $ca = ca_chain($cert);
                        file_put_contents($output_pem_filename, $pem_content);
                        chmod($output_pem_filename, 0600);
                        echo "certificate generated " .$output_pem_filename  ."\n";