From 359954ddbbfe9b49aab64f6a07826f18c4cbebea Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 27 Feb 2024 18:41:03 +0100
Subject: [PATCH] System: Trust: Certificates - work in progress for https://github.com/opnsense/core/issues/7248

---
 .../OPNsense/Trust/Api/CertController.php | 9 ++++-
 .../OPNsense/Trust/forms/dialogCert.xml | 15 ++++++++
 .../mvc/app/library/OPNsense/Trust/Store.php | 24 +++++++++++-
 .../mvc/app/models/OPNsense/Trust/Cert.xml | 37 +++++++++++++++++++
 .../Trust/FieldTypes/CertificatesField.php | 3 +-
 .../mvc/app/views/OPNsense/Trust/cert.volt | 1 +
 6 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
index f71450059..4c373eb03 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
@@ -29,6 +29,7 @@
 namespace OPNsense\Trust\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\UserException;
 
 /**
  * Class CertController
@@ -39,9 +40,15 @@ class CertController extends ApiMutableModelControllerBase
 protected static $internalModelName = 'cert';
 protected static $internalModelClass = 'OPNsense\Trust\Cert';
 
+
+ protected function setBaseHook($node)
+ {
+ throw new UserException("Not allowed to save yet", (string)$node->action);
+ }
+
 public function searchAction()
 {
- return $this->searchBase('cert', ['descr', 'caref', 'valid_from', 'valid_to']);
+ return $this->searchBase('cert', ['descr', 'caref', 'name', 'valid_from', 'valid_to']);
 }
 public function getAction($uuid = null)
 {
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Trust/forms/dialogCert.xml b/src/opnsense/mvc/app/controllers/OPNsense/Trust/forms/dialogCert.xml
index 5438b17bd..419d20a98 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Trust/forms/dialogCert.xml
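Review bot: setBaseHook rejects every save, so while it is in place the pre-existing import flow of this controller is blocked as well; if that is the intended work-in-progress guard, a comment such as `// TODO: temporary guard until the create/csr/sign actions are implemented` would keep it from being read as a permanent check. The second constructor argument of UserException appears to be the dialog title in this code base, so passing `(string)$node->action` there looks like a debugging leftover. `throw new UserException(gettext("Not allowed to save yet"), gettext("Certificate"));` would give the usual message/title pair and make the text translatable. The added 'name' search column relies on CertificatesField populating it, which the CertificatesField.php hunk of this commit does.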
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Trust/forms/dialogCert.xml
@@ -1,4 +1,9 @@
+ + cert.action + + dropdown + header @@ -8,6 +13,16 @@ text + + cert.key + + dropdown + + + cert.digest + + dropdown + cert.caref diff --git a/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php b/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php index 4a86b8ec2..67028549a 100644 --- a/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php +++ b/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php @@ -31,7 +31,7 @@ namespace OPNsense\Trust; use OPNsense\Core\Config; /** - * Wrapper around legacy trust store + * Wrapper around [legacy] trust store * @package OPNsense\Trust */ class Store @@ -125,4 +125,26 @@ class Store } return implode("\n", $chain); } + + /** + * Create a temporary config file, to help with calls that require properties that can only be set via the config file. + * + * @param $dn + * @return string The name of the temporary config file. + */ + public static function createTempOpenSSLconfig($extns = []) + { + // define temp filename to use for openssl.cnf and add extensions values to it + $configFilename = tempnam(sys_get_temp_dir(), 'ssl'); + + $template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf'); + + foreach (array_keys($extns) as $extnTag) { + $template_extn = $extnTag . ' = ' . str_replace(array("\r", "\n"), '', $extns[$extnTag]); + // Overwrite the placeholders for this property + $template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template); + } + file_put_contents($configFilename, $template); + return $configFilename; + } } diff --git a/src/opnsense/mvc/app/models/OPNsense/Trust/Cert.xml b/src/opnsense/mvc/app/models/OPNsense/Trust/Cert.xml index de0f55fbb..2992a1742 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Trust/Cert.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Trust/Cert.xml 
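Review bot: The docblock of createTempOpenSSLconfig documents `@param $dn`, but the only parameter is `$extns`; it should read `@param array $extns extension tag => value pairs substituted into the ###OPNsense:<tag>### placeholders of the template`, and it is worth stating that the caller must unlink the returned file, since nothing in Store removes it. The two I/O calls are unchecked: `tempnam()` returns false when no file can be created and `file_get_contents()` returns false when the template is absent, after which an empty config is written and a bogus filename returned. Stripping CR/LF from each value is what keeps a value from introducing additional config directives, which deserves a one-line comment. The body below checks the two return values, iterates the pairs directly and uses short array syntax; if throwing is not the convention in this class, returning null and documenting it is the alternative.

```php
    public static function createTempOpenSSLconfig($extns = [])
    {
        $configFilename = tempnam(sys_get_temp_dir(), 'ssl');
        if ($configFilename === false) {
            throw new \RuntimeException('unable to create temporary openssl config file');
        }
        $template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf');
        if ($template === false) {
            throw new \RuntimeException('unable to read openssl config template');
        }
        foreach ($extns as $extnTag => $value) {
            // strip line breaks so a value cannot introduce additional config directives
            $template_extn = $extnTag . ' = ' . str_replace(["\r", "\n"], '', $value);
            $template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template);
        }
        file_put_contents($configFilename, $template);
        return $configFilename;
    }
```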
@@ -13,6 +13,42 @@ + + internal + Y + + Create an internal Certificate + Create a Certificate Signing Request + Import an existing Certificate + Sign a Certificate Signing Request + + + + Y + RSA-2048 + + RSA-512 + RSA-1024 + RSA-2048 + RSA-3072 + RSA-4096 + RSA-8192 + Elliptic Curve prime256v1 + Elliptic Curve secp384r1 + Elliptic Curve secp521r1 + + + + Y + sha256 + + SHA1 + SHA224 + SHA256 + SHA384 + SHA512 + + /^[^\x00-\x08\x0b\x0c\x0e-\x1f\n]*$/ @@ -43,6 +79,7 @@ /^[^\x00-\x08\x0b\x0c\x0e-\x1f]*$/ + diff --git a/src/opnsense/mvc/app/models/OPNsense/Trust/FieldTypes/CertificatesField.php b/src/opnsense/mvc/app/models/OPNsense/Trust/FieldTypes/CertificatesField.php index ed403565a..d9f4f0f61 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Trust/FieldTypes/CertificatesField.php +++ b/src/opnsense/mvc/app/models/OPNsense/Trust/FieldTypes/CertificatesField.php @@ -54,9 +54,10 @@ class CertificatesField extends ArrayField if (!empty($cert_data)) { $crt = @openssl_x509_parse($cert_data); if ($crt !== null) { - // valid from/to + // valid from/to and name of this cert $node->valid_from = $crt['validFrom_time_t']; $node->valid_to = $crt['validTo_time_t']; + $node->name = $crt['name']; foreach ($issue_map as $key => $target) { if (!empty($crt['issuer'][$key])) { $node->$target = $crt['issuer'][$key]; diff --git a/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt b/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt index e98fd2626..46ca9602b 100644 --- a/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt +++ b/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt @@ -57,6 +57,7 @@ {{ lang._('ID') }} {{ lang._('Description') }} {{ lang._('Issuer') }} + {{ lang._('Name') }} {{ lang._('Valid from') }} {{ lang._('Valid to') }} {{ lang._('Commands') }}
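Review bot: The key-type list added to Cert.xml offers RSA-512 and RSA-1024, and the digest list offers SHA1, as selectable choices for certificates created through this model, while the defaults are RSA-2048 and sha256. Keys below 2048 bits and SHA1 signatures are refused by current TLS clients and browsers, so if these entries are only carried over from the legacy page, consider dropping them or marking them as legacy/insecure in the option label so the secure default is not downgraded unintentionally. The option values themselves are not visible in this rendering of the hunk, so this is based on the labels.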
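Review bot: The new `$node->name = $crt['name'];` also runs when the certificate failed to parse, because the context guard `if ($crt !== null)` never triggers: openssl_x509_parse() returns false, not null, for an unparsable certificate, and the `@` only hides the warning. That guard predates this commit, but the new assignment extends what executes under it; `if ($crt !== false) {` (or `if (is_array($crt)) {`) would confine valid_from, valid_to and name to successfully parsed certificates. The enclosing method starts before the hunk.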