Commit 7aacc7c6 authored by Franco Fichtner's avatar Franco Fichtner

certificates: second half of openssl_pkey_new() fixes

parent 60c8f88f
...@@ -66,40 +66,53 @@ function ca_import(& $ca, $str, $key="", $serial=0) { ...@@ -66,40 +66,53 @@ function ca_import(& $ca, $str, $key="", $serial=0) {
return true; return true;
} }
function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") { function ca_inter_create(&$ca, $keylen, $lifetime, $dn, $caref, $digest_alg = 'sha256')
{
// Create Intermediate Certificate Authority // Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref); $signing_ca = &lookup_ca($caref);
if (!$signing_ca) if (!$signing_ca) {
return false; return false;
}
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt'])); $signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => "")); $signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) return false; if (!$signing_ca_res_crt || !$signing_ca_res_key) {
return false;
}
$signing_ca_serial = ++$signing_ca['serial']; $signing_ca_serial = ++$signing_ca['serial'];
$args = array( $args = array(
"x509_extensions" => "v3_ca", 'config' => '/usr/local/etc/ssl/opnsense.cnf',
"digest_alg" => $digest_alg, 'private_key_type' => OPENSSL_KEYTYPE_RSA,
"private_key_bits" => (int)$keylen, 'private_key_bits' => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA, 'x509_extensions' => 'v3_ca',
"encrypt_key" => false); 'digest_alg' => $digest_alg,
'encrypt_key' => false
);
// generate a new key pair // generate a new key pair
$res_key = openssl_pkey_new($args); $res_key = openssl_pkey_new($args);
if (!$res_key) return false; if (!$res_key) {
return false;
}
// generate a certificate signing request // generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args); $res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) return false; if (!$res_csr) {
return false;
}
// Sign the certificate // Sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial); $res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) return false; if (!$res_crt) {
return false;
}
// export our certificate data // export our certificate data
if (!openssl_pkey_export($res_key, $str_key) || if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt)) !openssl_x509_export($res_crt, $str_crt)) {
return false; return false;
}
// return our ca information // return our ca information
$ca['crt'] = base64_encode($str_crt); $ca['crt'] = base64_encode($str_crt);
...@@ -109,7 +122,6 @@ function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = " ...@@ -109,7 +122,6 @@ function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "
return true; return true;
} }
$ca_methods = array( $ca_methods = array(
"existing" => gettext("Import an existing Certificate Authority"), "existing" => gettext("Import an existing Certificate Authority"),
"internal" => gettext("Create an internal Certificate Authority"), "internal" => gettext("Create an internal Certificate Authority"),
......
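Review bot: A failed openssl_pkey_new() is still reported to the caller as a bare `return false` right after `$res_key = openssl_pkey_new($args);`, and the new `'config' => '/usr/local/etc/ssl/opnsense.cnf'` entry adds a fresh way for that to happen (missing or unreadable config file) that leaves no trace in the logs. Consider recording the OpenSSL error before bailing out, e.g. `if (!$res_key) { error_log('openssl_pkey_new() failed: ' . openssl_error_string()); return false; }`, and doing the same at the `openssl_csr_new` and `openssl_csr_sign` checks below it; csr_generate in the second file has the same silent-failure shape. ca_inter_create's body continues past this hunk (its `return true` is in the next one).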
...@@ -30,27 +30,34 @@ ...@@ -30,27 +30,34 @@
require_once('guiconfig.inc'); require_once('guiconfig.inc');
require_once("system.inc"); require_once("system.inc");
function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") { function csr_generate(&$cert, $keylen, $dn, $digest_alg = 'sha256')
{
$args = array( $args = array(
"x509_extensions" => "v3_req", 'config' => '/usr/local/etc/ssl/opnsense.cnf',
"digest_alg" => $digest_alg, 'private_key_type' => OPENSSL_KEYTYPE_RSA,
"private_key_bits" => (int)$keylen, 'private_key_bits' => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA, 'x509_extensions' => 'v3_req',
"encrypt_key" => false); 'digest_alg' => $digest_alg,
'encrypt_key' => false
);
// generate a new key pair // generate a new key pair
$res_key = openssl_pkey_new($args); $res_key = openssl_pkey_new($args);
if(!$res_key) return false; if (!$res_key) {
return false;
}
// generate a certificate signing request // generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args); $res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false; if (!$res_csr) {
return false;
}
// export our request data // export our request data
if (!openssl_pkey_export($res_key, $str_key) || if (!openssl_pkey_export($res_key, $str_key) ||
!openssl_csr_export($res_csr, $str_csr)) !openssl_csr_export($res_csr, $str_csr)) {
return false; return false;
}
// return our request information // return our request information
$cert['csr'] = base64_encode($str_csr); $cert['csr'] = base64_encode($str_csr);
...@@ -59,8 +66,8 @@ function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") { ...@@ -59,8 +66,8 @@ function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
return true; return true;
} }
function csr_complete(& $cert, $str_crt) { function csr_complete(& $cert, $str_crt)
{
// return our request information // return our request information
$cert['crt'] = base64_encode($str_crt); $cert['crt'] = base64_encode($str_crt);
unset($cert['csr']); unset($cert['csr']);
...@@ -73,7 +80,6 @@ function csr_get_modulus($str_crt, $decode = true) ...@@ -73,7 +80,6 @@ function csr_get_modulus($str_crt, $decode = true)
return cert_get_modulus($str_crt, $decode, 'csr'); return cert_get_modulus($str_crt, $decode, 'csr');
} }
$cert_methods = array( $cert_methods = array(
"import" => gettext("Import an existing Certificate"), "import" => gettext("Import an existing Certificate"),
"internal" => gettext("Create an internal Certificate"), "internal" => gettext("Create an internal Certificate"),
......
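Review bot: The config path `/usr/local/etc/ssl/opnsense.cnf` is now spelled out literally in csr_generate and again in ca_inter_create, so the two copies can drift apart unnoticed; a single shared constant (for instance a `define()` alongside the `require_once` lines) or a small helper that builds the common `$args` scaffold would keep key-generation parameters identical at both call sites. Separately, `(int)$keylen` flows straight into `'private_key_bits'` with no lower bound, so if a caller can influence that value an undersized RSA key would be generated without complaint; a minimum-size check ahead of `openssl_pkey_new($args)` would close that, though whether the form layer already enforces it is not visible here. csr_generate's body continues past this hunk.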