lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-16 01:24:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

etc: remove ssl config and revert weird type changes

Browse Source 
Also update the certificate generation process and put in our info.  :)
This commit is contained in:
Franco Fichtner 2014-12-09 16:41:24 +01:00
parent 17c0885cd5
commit 15482489e6
4 changed files with 17 additions and 360 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

309
etc/ssl/openssl.cnf
View File

@ -1,309 +0,0 @@
# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# default SAN value if $ENV::SAN is not defined
#
SAN =
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
distinguished_name=req_distinguished_name
req_extensions = v3_req
prompt=no
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
#input_password=""
#output_password=""
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = US
#countryName_default = AU
#countryName_min = 2
#countryName_max = 2
stateOrProvinceName = Somewhere
#stateOrProvinceName_default = Somestate
localityName = Somecity
0.organizationName = CompanyName
#0.organizationName_default = SampleNameDefault
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
#commonName_max = 64
emailAddress = Email Address
#emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated User Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ usr_cert_san ]
# copy of [ usr_cert ] plus nonempty Subject Alternative Names
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated User Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=$ENV::SAN
[ server ]
# Make a cert with nsCertType=server
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ server_san ]
# copy of [ server ] plus nonempty Subject Alternative Names
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::SAN
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ v3_ca_san ]
# copy of [ v3_ca ] plus nonempty Subject Alternative Names
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
subjectAltName=$ENV::SAN
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

19
usr/local/etc/inc/certs.inc
View File

@ -1,5 +1,5 @@
<?php
/* $Id$ */
/*
Copyright (C) 2008 Shrew Soft Inc
Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
@ -268,7 +268,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
return true;
}
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
$ca =& lookup_ca($caref);
if (!$ca)
@ -281,18 +281,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
if(!$ca_res_key) return false;
$ca_serial = ++$ca['serial'];
switch ($type) {
case "ca":
$cert_type = "v3_ca";
break;
case "server":
$cert_type = "server";
break;
default:
$cert_type = "usr_cert";
break;
}
// in case of using Subject Alternative Names use other sections (with postfix '_san')
// pass subjectAltName over environment variable 'SAN'
if ($dn['subjectAltName']) {
@ -302,7 +290,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
}
$args = array(
"x509_extensions" => $cert_type,
"x509_extensions" => "usr_cert",
"digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
@ -330,7 +318,6 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
$cert['caref'] = $caref;
$cert['crt'] = base64_encode($str_crt);
$cert['prv'] = base64_encode($str_key);
$cert['type'] = $type;
return true;
}

17
usr/local/etc/inc/system.inc
View File

@ -862,12 +862,17 @@ function system_webgui_start() {
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = gettext("webConfigurator default");
mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
$key = file_get_contents("{$g['tmp_path']}/ssl.key");
unlink("{$g['tmp_path']}/ssl.key");
unlink("{$g['tmp_path']}/ssl.crt");
/* mind the gap ->.<- */
$openssl_args = ' req -new -newkey rsa:4096 -sha256';
$openssl_args .= ' -days 365 -nodes -x509';
$openssl_args .= ' -subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense"';
$openssl_args .= ' -keyout /tmp/ssl.key';
$openssl_args .= ' -out /tmp/ssl.crt';
mwexec('/usr/bin/openssl' . $openssl_args);
$crt = file_get_contents('/tmp/ssl.crt');
$key = file_get_contents('/tmp/ssl.key');
unlink('/tmp/ssl.key');
unlink('/tmp/ssl.crt');
cert_import($cert, $crt, $key);
$a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid'];

32
usr/local/www/system_certmanager.php
View File

@ -1,7 +1,6 @@
<?php
/*
system_certmanager.php
/*
Copyright (C) 2008 Shrew Soft Inc.
All rights reserved.
@ -47,9 +46,6 @@ $cert_methods = array(
);
$cert_keylens = array( "512", "1024", "2048", "4096");
$cert_types = array( "ca" => "Certificate Authority",
"server" => "Server Certificate",
"user" => "User Certificate");
$altname_types = array("DNS", "IP", "email", "URI");
$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
@ -113,7 +109,6 @@ if ($act == "new") {
$pconfig['digest_alg'] = "sha256";
$pconfig['csr_keylen'] = "2048";
$pconfig['csr_digest_alg'] = "sha256";
$pconfig['type'] = "user";
$pconfig['lifetime'] = "3650";
}
@ -211,13 +206,12 @@ if ($_POST) {
if ($pconfig['method'] == "internal") {
$reqdfields = explode(" ",
"descr caref keylen type lifetime dn_country dn_state dn_city ".
"descr caref keylen lifetime dn_country dn_state dn_city ".
"dn_organization dn_email dn_commonname");
$reqdfieldsn = array(
gettext("Descriptive name"),
gettext("Certificate authority"),
gettext("Key length"),
gettext("Certificate Type"),
gettext("Lifetime"),
gettext("Distinguished name Country Code"),
gettext("Distinguished name State or Province"),
@ -359,7 +353,7 @@ if ($_POST) {
$dn['subjectAltName'] = implode(",", $altnames_tmp);
}
if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
$pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
$pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
@ -722,23 +716,6 @@ function internalca_change() {
<br /><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
<td width="78%" class="vtable">
<select name='type' class="formselect">
<?php
foreach( $cert_types as $ct => $ctdesc ):
$selected = "";
if ($pconfig['type'] == $ct)
$selected = " selected=\"selected\"";
?>
<option value="<?=$ct;?>"<?=$selected;?>><?=$ctdesc;?></option>
<?php endforeach; ?>
</select>
<br />
<?=gettext("Type of certificate to generate. Used for placing restrictions on the usage of the generated certificate.");?>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
<td width="78%" class="vtable">
@ -1134,9 +1111,6 @@ function internalca_change() {
</td>
</tr>
<tr><td>&nbsp;</td></tr>
<?php if ($cert['type']): ?>
<tr><td colspan="2"><em><?php echo $cert_types[$cert['type']]; ?></em></td></tr>
<?php endif; ?>
<?php if (is_array($purpose)): ?>
<tr><td colspan="2">
CA: <?php echo $purpose['ca']; ?>,