Merge pull request #683 from opnsense/ca_chain_refactor
certs: refactor ca_chain for #664
This commit is contained in:
commit
1699d3182a
@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
|
||||
return false;
|
||||
}
|
||||
|
||||
function ca_chain(& $cert) {
|
||||
if(isset($cert['caref'])) {
|
||||
$ca = "";
|
||||
$cas = ca_chain_array($cert);
|
||||
if (is_array($cas))
|
||||
foreach ($cas as & $ca_cert)
|
||||
{
|
||||
$ca .= base64_decode($ca_cert['crt']);
|
||||
$ca .= "\n";
|
||||
}
|
||||
function ca_chain(&$cert)
|
||||
{
|
||||
$ca = '';
|
||||
|
||||
if (!isset($cert['caref'])) {
|
||||
return $ca;
|
||||
}
|
||||
return "";
|
||||
|
||||
$cas = ca_chain_array($cert);
|
||||
if (!is_array($cas)) {
|
||||
return $ca;
|
||||
}
|
||||
|
||||
foreach ($cas as &$ca_cert) {
|
||||
$ca .= base64_decode($ca_cert['crt']);
|
||||
$ca .= "\n";
|
||||
}
|
||||
|
||||
/* sanitise output to make sure we generate clean files */
|
||||
return str_replace("\n\n", "\n", str_replace("\r", "", $ca));
|
||||
}
|
||||
|
||||
function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256')
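Review bot: The new `foreach ($cas as &$ca_cert)` takes each chain entry by reference although the loop body only reads it, which leaves `$ca_cert` as a dangling reference into `$cas` after the loop; `foreach ($cas as $ca_cert) {` is sufficient. `base64_decode($ca_cert['crt'])` is also called in non-strict mode, so an entry with a malformed `crt` silently contributes garbage (or an empty string) to a chain that callers write to disk; use `$pem = base64_decode($ca_cert['crt'], true);` and skip the entry when it returns false. The closing `str_replace("\n\n", "\n", ...)` collapses only one level of doubled newlines, so a decoded blob that itself ends in `\n\n` still yields a blank line — a comment stating this is "good enough" or a loop/regex would make the sanitise intent explicit. ca_chain_array() above the hunk and ca_create() below it are cut off and were not reviewed.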
|
||||
|
||||
@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
|
||||
$port = $settings['local_port'];
|
||||
|
||||
$filename_addition = "";
|
||||
if ($usrid && is_numeric($usrid))
|
||||
if ($usrid && is_numeric($usrid)) {
|
||||
$filename_addition = "-".$config['system']['user'][$usrid]['name'];
|
||||
elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn"))
|
||||
} elseif ($crtid && is_numeric($crtid)) {
|
||||
$filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt']));
|
||||
}
|
||||
|
||||
return "{$host}-{$prot}-{$port}{$filename_addition}";
|
||||
}
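Review bot: `$filename_addition` is built from a configured username and from the certificate CN with only spaces replaced, so characters such as `/`, `..`, quotes or control characters end up in the returned export filename unchanged; if that value becomes a filesystem path or a Content-Disposition header (not visible here), restrict it to a safe set, e.g. `$filename_addition = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename_addition);` before the return. Dropping the `function_exists("cert_get_cn")` guard is fine only if certs.inc is unconditionally loaded by this file — a one-line comment on the `elseif` saying so would save the next reader a search. `$host`, `$prot`, `$settings` and `$config` are set above the hunk, so the function's start is outside the reviewed lines.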
|
||||
@ -95,13 +96,11 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
|
||||
{
|
||||
$input_errors[] = gettext("Could not locate server certificate.");
|
||||
} else {
|
||||
$server_ca = isset($server_cert['caref']) ? str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($server_cert))) : null;
|
||||
if (!$server_ca) {
|
||||
$server_ca = ca_chain($server_cert);
|
||||
if (empty($server_ca)) {
|
||||
$input_errors[] = gettext("Could not locate the CA reference for the server certificate.");
|
||||
}
|
||||
if (function_exists("cert_get_cn")) {
|
||||
$servercn = cert_get_cn($server_cert['crt']);
|
||||
}
|
||||
$servercn = cert_get_cn($server_cert['crt']);
|
||||
}
|
||||
|
||||
// lookup user info
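Review bot: The refactored `ca_chain()` returns an empty string both when `caref` is unset and when the referenced CA cannot be resolved (non-array from `ca_chain_array()`), so the `empty($server_ca)` branch now reports "Could not locate the CA reference for the server certificate." for a broken chain as well; consider `gettext("Could not locate the CA reference or chain for the server certificate.")` so the operator is pointed at the right fix. `$servercn = cert_get_cn($server_cert['crt']);` is now evaluated unconditionally, including after that error has been recorded, which is harmless only if the validation continues on purpose — a short comment such as `// keep collecting errors; the caller aborts on $input_errors` would make that intent clear. The enclosing function continues beyond the hunk.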
|
||||
@ -277,12 +276,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
|
||||
// - Disable for now, it requires the server cert to include special options
|
||||
//$conf .= "remote-cert-tls server{$nl}";
|
||||
|
||||
// Extra protection for the server cert, if it's supported
|
||||
if (function_exists("cert_get_purpose")) {
|
||||
if (is_array($server_cert) && ($server_cert['crt'])) {
|
||||
$purpose = cert_get_purpose($server_cert['crt'], true);
|
||||
if ($purpose['server'] == 'Yes')
|
||||
$conf .= "ns-cert-type server{$nl}";
|
||||
if (is_array($server_cert) && ($server_cert['crt'])) {
|
||||
$purpose = cert_get_purpose($server_cert['crt'], true);
|
||||
if ($purpose['server'] == 'Yes') {
|
||||
$conf .= "ns-cert-type server{$nl}";
|
||||
}
|
||||
}
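Review bot: The reshaped block still emits `ns-cert-type server` only when `cert_get_purpose()` reports `'Yes'`, and the stronger `remote-cert-tls server` is left commented out just above it, so a server certificate without that purpose flag produces a client config with no server-identity check at all — any certificate signed by the same CA would be accepted as the server. At minimum add a comment on the `if` stating that silently omitting the directive is intended, or record a warning when the purpose check fails so the export is not assumed to be pinned. `$purpose['server'] == 'Yes'` should be `=== 'Yes'` to avoid loose-comparison surprises. As far as I recall `ns-cert-type` is deprecated in newer OpenVPN releases in favour of `remote-cert-tls`, which argues for revisiting the disabled line rather than carrying the weaker check forward. openvpn_client_export_config() starts and ends outside the hunk.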
|
||||
|
||||
@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
|
||||
}
|
||||
|
||||
}
|
||||
?>
|
||||
|
||||
@ -970,16 +970,16 @@ function system_webgui_start()
|
||||
$a_cert[] = $cert;
|
||||
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
|
||||
write_config(gettext("Importing HTTPS certificate"));
|
||||
if(!$config['system']['webgui']['port'])
|
||||
$portarg = "443";
|
||||
$ca = ca_chain($cert);
|
||||
} else {
|
||||
$crt = base64_decode($cert['crt']);
|
||||
$key = base64_decode($cert['prv']);
|
||||
if(!$config['system']['webgui']['port'])
|
||||
$portarg = "443";
|
||||
$ca = ca_chain($cert);
|
||||
}
|
||||
|
||||
if (!$config['system']['webgui']['port']) {
|
||||
$portarg = '443';
|
||||
}
|
||||
|
||||
$ca = ca_chain($cert);
|
||||
}
|
||||
|
||||
/* generate lighttpd configuration */
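Review bot: The hoisted `if (!$config['system']['webgui']['port'])` reads the `port` key with `!`, which raises an undefined-index notice in exactly the case the branch handles (no port configured); `if (empty($config['system']['webgui']['port'])) {` avoids that, assuming the key can be absent from the config (not visible here). The shared `$ca = ca_chain($cert);` is correct for both branches, but since `ca_chain()` now returns `''` when the chain is missing or unresolvable, the lighttpd configuration generated below should tolerate an empty `$ca` rather than point at an empty chain file — a comment at the assignment noting that `$ca` may be empty would help. system_webgui_start() starts and ends outside the hunk.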
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
#!/usr/local/bin/php
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Copyright (C) 2015 Deciso B.V.
|
||||
*
|
||||
@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
|
||||
// generate ca pem file
|
||||
if (!empty($cert->caref)) {
|
||||
$output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ;
|
||||
$ca = str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($cert)));
|
||||
$ca = ca_chain($cert);
|
||||
file_put_contents($output_pem_filename, $pem_content);
|
||||
chmod($output_pem_filename, 0600);
|
||||
echo "certificate generated " .$output_pem_filename ."\n";
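Review bot: `$ca = ca_chain($cert);` on the new side is immediately followed by `file_put_contents($output_pem_filename, $pem_content);`, so within this hunk the computed CA chain is never written and `$pem_content` (set above the hunk) is what lands in the ca-cp-zone PEM; unless `$ca` is consumed below, this line should read `file_put_contents($output_pem_filename, $ca);`. The guard checks `$cert->caref` as an object property, whereas `ca_chain()` (first hunk) tests `isset($cert['caref'])` as an array key; if `$cert` is still the config object here, `ca_chain()` returns `''` — confirm that `$cert` is converted to an array before this call. The file is also written before `chmod($output_pem_filename, 0600)`, leaving a brief window where it exists with the process umask; setting `umask(077)` at the top of this script, or creating the file with `touch()` and `chmod()` before writing, closes that. The enclosing `foreach` over zones starts before the hunk.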
|
||||
|
||||