certs: refactor ca_chain for #664

src/etc/inc/certs.inc

@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
 	return false;
 }
 
-function ca_chain(& $cert) {
-	if(isset($cert['caref'])) {
-		$ca = "";
+function ca_chain(&$cert)
+{
+	$ca = '';
+
+	if (!isset($cert['caref'])) {
+		return $ca;
+	}
+
 	$cas = ca_chain_array($cert);
-		if (is_array($cas))
-			foreach ($cas as & $ca_cert)
-			{
+	if (!is_array($cas)) {
+		return $ca;
+	}
+
+	foreach ($cas as &$ca_cert) {
 		$ca .= base64_decode($ca_cert['crt']);
 		$ca .= "\n";
 	}
-		return $ca;
-	}
-	return "";
+
+	/* sanitise output to make sure we generate clean files */
+	return str_replace("\n\n", "\n", str_replace("\r", "", $ca));
 }
 
 function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256')

src/etc/inc/openvpn-client-export.inc

@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
 	$port = $settings['local_port'];
 
 	$filename_addition = "";
-	if ($usrid && is_numeric($usrid))
+	if ($usrid && is_numeric($usrid)) {
 		$filename_addition = "-".$config['system']['user'][$usrid]['name'];
-	elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn"))
+	} elseif ($crtid && is_numeric($crtid)) {
 		$filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt']));
+	}
 
 	return "{$host}-{$prot}-{$port}{$filename_addition}";
 }
@@ -95,14 +96,12 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 	{
 		$input_errors[] = gettext("Could not locate server certificate.");
 	} else {
-		$server_ca = isset($server_cert['caref']) ? str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($server_cert))) : null;
-		if (!$server_ca) {
+		$server_ca = ca_chain($server_cert);
+		if (empty($server_ca)) {
 			$input_errors[] = gettext("Could not locate the CA reference for the server certificate.");
 		}
-		if (function_exists("cert_get_cn")) {
 		$servercn = cert_get_cn($server_cert['crt']);
 	}
-	}
 
 	// lookup user info
 	if (is_numeric($usrid)) {
@@ -277,11 +276,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
 	// - Disable for now, it requires the server cert to include special options
 	//$conf .= "remote-cert-tls server{$nl}";
 
-	// Extra protection for the server cert, if it's supported
-	if (function_exists("cert_get_purpose")) {
 	if (is_array($server_cert) && ($server_cert['crt'])) {
 		$purpose = cert_get_purpose($server_cert['crt'], true);
-			if ($purpose['server'] == 'Yes')
+		if ($purpose['server'] == 'Yes') {
 			$conf .= "ns-cert-type server{$nl}";
 		}
 	}
@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
 	}
 
 }
-?>

src/etc/inc/system.inc

@@ -970,16 +970,16 @@ function system_webgui_start()
 			$a_cert[] = $cert;
 			$config['system']['webgui']['ssl-certref'] = $cert['refid'];
 			write_config(gettext("Importing HTTPS certificate"));
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
 		} else {
 			$crt = base64_decode($cert['crt']);
 			$key = base64_decode($cert['prv']);
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
 		}
+
+		if (!$config['system']['webgui']['port']) {
+			$portarg = '443';
+		}
+
+		$ca = ca_chain($cert);
 	}
 
 	/* generate lighttpd configuration */

src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php

 #!/usr/local/bin/php
 <?php
+
 /**
  *    Copyright (C) 2015 Deciso B.V.
  *
@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
                     // generate ca pem file
                     if (!empty($cert->caref)) {
                         $output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ;
-                        $ca = str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($cert)));
+                        $ca = ca_chain($cert);
                         file_put_contents($output_pem_filename, $pem_content);
                         chmod($output_pem_filename, 0600);
                         echo "certificate generated " .$output_pem_filename  ."\n";