Commit 69a81ab1 authored by Franco Fichtner's avatar Franco Fichtner

certs: refactor ca_chain for #664

parent f2d200cd
...@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) { ...@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
return false; return false;
} }
function ca_chain(& $cert) { function ca_chain(&$cert)
if(isset($cert['caref'])) { {
$ca = ""; $ca = '';
if (!isset($cert['caref'])) {
return $ca;
}
$cas = ca_chain_array($cert); $cas = ca_chain_array($cert);
if (is_array($cas)) if (!is_array($cas)) {
foreach ($cas as & $ca_cert) return $ca;
{ }
foreach ($cas as &$ca_cert) {
$ca .= base64_decode($ca_cert['crt']); $ca .= base64_decode($ca_cert['crt']);
$ca .= "\n"; $ca .= "\n";
} }
return $ca;
} /* sanitise output to make sure we generate clean files */
return ""; return str_replace("\n\n", "\n", str_replace("\r", "", $ca));
} }
function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256') function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256')
......
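Review bot: The rewritten loop `foreach ($cas as &$ca_cert) {` iterates by reference although the body only reads `$ca_cert['crt']`, so after the loop `$ca_cert` is left as a dangling reference to the last chain element; iterate by value, `foreach ($cas as $ca_cert) {`. The `base64_decode($ca_cert['crt'])` call is non-strict, so a corrupted stored certificate silently decodes into garbage that then ends up in the generated PEM file; `base64_decode($ca_cert['crt'], true)` returns false for invalid input and would let the loop skip or report such an entry instead, at the cost of a changed result for malformed config. The sanitise step `str_replace("\n\n", "\n", …)` collapses only one blank line per occurrence, so three consecutive newlines still leave one blank line — adequate for the single `"\n"` appended per certificate, but a comment stating that assumption next to it would help. ca_chain_array's body begins before the hunk.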
...@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) { ...@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
$port = $settings['local_port']; $port = $settings['local_port'];
$filename_addition = ""; $filename_addition = "";
if ($usrid && is_numeric($usrid)) if ($usrid && is_numeric($usrid)) {
$filename_addition = "-".$config['system']['user'][$usrid]['name']; $filename_addition = "-".$config['system']['user'][$usrid]['name'];
elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn")) } elseif ($crtid && is_numeric($crtid)) {
$filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt'])); $filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt']));
}
return "{$host}-{$prot}-{$port}{$filename_addition}"; return "{$host}-{$prot}-{$port}{$filename_addition}";
} }
...@@ -95,14 +96,12 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { ...@@ -95,14 +96,12 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
{ {
$input_errors[] = gettext("Could not locate server certificate."); $input_errors[] = gettext("Could not locate server certificate.");
} else { } else {
$server_ca = isset($server_cert['caref']) ? str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($server_cert))) : null; $server_ca = ca_chain($server_cert);
if (!$server_ca) { if (empty($server_ca)) {
$input_errors[] = gettext("Could not locate the CA reference for the server certificate."); $input_errors[] = gettext("Could not locate the CA reference for the server certificate.");
} }
if (function_exists("cert_get_cn")) {
$servercn = cert_get_cn($server_cert['crt']); $servercn = cert_get_cn($server_cert['crt']);
} }
}
// lookup user info // lookup user info
if (is_numeric($usrid)) { if (is_numeric($usrid)) {
...@@ -277,11 +276,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys ...@@ -277,11 +276,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
// - Disable for now, it requires the server cert to include special options // - Disable for now, it requires the server cert to include special options
//$conf .= "remote-cert-tls server{$nl}"; //$conf .= "remote-cert-tls server{$nl}";
// Extra protection for the server cert, if it's supported
if (function_exists("cert_get_purpose")) {
if (is_array($server_cert) && ($server_cert['crt'])) { if (is_array($server_cert) && ($server_cert['crt'])) {
$purpose = cert_get_purpose($server_cert['crt'], true); $purpose = cert_get_purpose($server_cert['crt'], true);
if ($purpose['server'] == 'Yes') if ($purpose['server'] == 'Yes') {
$conf .= "ns-cert-type server{$nl}"; $conf .= "ns-cert-type server{$nl}";
} }
} }
...@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) { ...@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
} }
} }
?>
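Review bot: In the cert_get_purpose hunk the check `if ($purpose['server'] == 'Yes') {` is a loose comparison and has no else branch, so a server certificate whose purpose lookup yields anything else produces a client config with no server-certificate restriction at all, silently; `if (isset($purpose['server']) && $purpose['server'] === 'Yes') {` makes the comparison strict and avoids a notice when the key is absent, and a comment such as `// no ns-cert-type emitted: server cert purpose unknown` on the fall-through path would document the weaker export. The `function_exists("cert_get_cn")` guards dropped in the first two hunks and the `function_exists("cert_get_purpose")` guard dropped here turn certs.inc into a hard dependency of this file, which is presumably intended but should be backed by an include at the top of the file, outside the hunk. The `?>` removal in the last hunk is fine.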
...@@ -970,16 +970,16 @@ function system_webgui_start() ...@@ -970,16 +970,16 @@ function system_webgui_start()
$a_cert[] = $cert; $a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid']; $config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config(gettext("Importing HTTPS certificate")); write_config(gettext("Importing HTTPS certificate"));
if(!$config['system']['webgui']['port'])
$portarg = "443";
$ca = ca_chain($cert);
} else { } else {
$crt = base64_decode($cert['crt']); $crt = base64_decode($cert['crt']);
$key = base64_decode($cert['prv']); $key = base64_decode($cert['prv']);
if(!$config['system']['webgui']['port'])
$portarg = "443";
$ca = ca_chain($cert);
} }
if (!$config['system']['webgui']['port']) {
$portarg = '443';
}
$ca = ca_chain($cert);
} }
/* generate lighttpd configuration */ /* generate lighttpd configuration */
......
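Review bot: The hoisted `if (!$config['system']['webgui']['port']) {` tests the truthiness of an array key that may not exist, which raises an undefined-index notice when no port was ever configured; `if (empty($config['system']['webgui']['port'])) {` keeps the same `'443'` default without the notice. Moving `$ca = ca_chain($cert);` below the if/else is correct only because both branches leave `$cert` assigned; a comment above it, `/* $cert is the freshly imported or the configured webgui certificate */`, would make that dependency explicit. system_webgui_start begins and ends outside the hunk.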
#!/usr/local/bin/php #!/usr/local/bin/php
<?php <?php
/** /**
* Copyright (C) 2015 Deciso B.V. * Copyright (C) 2015 Deciso B.V.
* *
...@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) { ...@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
// generate ca pem file // generate ca pem file
if (!empty($cert->caref)) { if (!empty($cert->caref)) {
$output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ; $output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ;
$ca = str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($cert))); $ca = ca_chain($cert);
file_put_contents($output_pem_filename, $pem_content); file_put_contents($output_pem_filename, $pem_content);
chmod($output_pem_filename, 0600); chmod($output_pem_filename, 0600);
echo "certificate generated " .$output_pem_filename ."\n"; echo "certificate generated " .$output_pem_filename ."\n";
......
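Review bot: `$ca = ca_chain($cert);` is assigned but the very next line writes `$pem_content` to `$output_pem_filename`, so unless `$pem_content` is built from `$ca` somewhere not visible here, the CA pem file does not contain the chain just computed and `$ca` is dead — check how `$pem_content` is built above the hunk. Also, `$cert->caref` suggests `$cert` is an object (SimpleXML, judging by `$configObj->OPNsense->captiveportal->zones`), while ca_chain tests `isset($cert['caref'])`, which on a SimpleXMLElement reads an XML attribute rather than the child element and would yield an empty chain; confirm `$cert` is converted to an array before the call. Writing the file and only then calling `chmod($output_pem_filename, 0600)` leaves a brief window with default-umask permissions; the chain is public material, so that is cosmetic here.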