crl management small adjustments (#5943)

add some debug info dont add cert to crl if cert_revoke() / crl_update() failed check if CA can sign anything before CRL create set "method" param to set Method select value
2026-03-17 01:54:49 +00:00 · 2022-08-17 12:32:15 +03:00 · 2022-08-17 12:32:15 +03:00 · 3c53058805
commit 3c53058805
parent fc7d892c3c
2 changed files with 46 additions and 11 deletions
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@ -612,6 +612,10 @@ function crl_update(&$crl)
    $crl['serial']++;
    $ca_str_crt = base64_decode($ca['crt']);
    $ca_str_key = base64_decode($ca['prv']);
+    if (!openssl_x509_check_private_key($ca_str_crt, $ca_str_key)) {
+        syslog(LOG_ERR, "Cert revocation error: CA keys mismatch");
+        return false;
+    }

    /* Load in the CA's cert */
    $ca_cert = new \phpseclib\File\X509();
@ -632,10 +636,18 @@ function crl_update(&$crl)
     * CRL container must load the same CA using loadCA() with a direct reference
     * to the CA's public cert.
     */
+
    $x509_crl->loadCRL($x509_crl->saveCRL($x509_crl->signCRL($ca_cert, $x509_crl)));

    /* Now validate the CRL to see if everything went well */
    if (!$x509_crl->validateSignature(false)) {
+        /* phpseclib2 not throws exceptions on validation fail. let's try to guess */
+        if (openssl_pkey_get_details(openssl_pkey_get_private($ca_str_key))['type'] === 0) {
+            syslog(LOG_ERR, "Cert revocation error: CRL validation failed at first step.");
+        } else {
+            /* phpseclib2 Crypt not supporting ECDSA / ECDH algorithms. May be the reason of sign/validateion fail */
+            syslog(LOG_ERR, "Cert revocation error: Only RSA key type currently supported for CRL signing.");
+        }
        return false;
    }

@ -646,6 +658,7 @@ function crl_update(&$crl)
            $x509_cert->loadCA($ca_str_crt);
            $raw_cert = $x509_cert->loadX509(base64_decode($cert['crt']));
            if (!$x509_cert->validateSignature(false)) {
+                syslog(LOG_ERR, "Cert revocation error: CA validation failed.");
                return false;
            }
            /* Get serial number of cert */
@ -672,10 +685,14 @@ function cert_revoke($cert, &$crl, $reason = CERT_CRL_STATUS_UNSPECIFIED)
    if (!is_crl_internal($crl)) {
        return false;
    }
+    $crl_before = $crl;
    $cert["reason"] = $reason;
    $cert["revoke_time"] = time();
    $crl["cert"][] = $cert;
-    crl_update($crl);
+    if (!crl_update($crl)) {
+        $crl = $crl_before;
+        return false;
+    }
    return true;
 }

--- a/src/www/system_crlmanager.php
+++ b/src/www/system_crlmanager.php
@ -169,11 +169,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {

        if (!count($input_errors)) {
            $reason = (empty($pconfig['crlreason'])) ? CERT_CRL_STATUS_UNSPECIFIED : $pconfig['crlreason'];
-            cert_revoke($cert, $crl, $reason);
-            plugins_configure('crl');
-            write_config(sprintf('Revoked certificate %s in CRL %s', $cert['descr'], $crl['descr']));
-            header(url_safe('Location: /system_crlmanager.php'));
-            exit;
+            if (cert_revoke($cert, $crl, $reason)) {
+                plugins_configure('crl');
+                write_config(sprintf('Revoked certificate %s in CRL %s', $cert['descr'], $crl['descr']));
+                header(url_safe('Location: /system_crlmanager.php'));
+                exit;
+            } else {
+                $savemsg = gettext("Cannot revoke certificate. See general log for details.") . "<br />";
+                $act="edit";
+            }
        }
    } else {
        $input_errors = array();
@ -217,6 +221,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            }

            if ($pconfig['crlmethod'] == "internal") {
+                 /* check if new CRL CA have private key and it match public key so this CA can sign anything */
+                if (isset($pconfig['caref']) && !isset($id)) {
+                    $cacert = lookup_ca($pconfig['caref']);
+                    $ca_str_crt = base64_decode($cacert['crt']);
+                    $ca_str_key = base64_decode($cacert['prv']);
+                    if (!openssl_x509_check_private_key($ca_str_crt, $ca_str_key)) {
+                        syslog(LOG_ERR, "CRL error: CA keys mismatch");
+                        $savemsg = gettext("Cannot create CRL for this CA. CA keys mismatch or key missing.") . "<br />";
+                        $act="edit";
+                    }
+                }
+
                $crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial'];
                $crl['lifetime'] = empty($pconfig['lifetime']) ? 9999 : $pconfig['lifetime'];
                $crl['cert'] = array();
@ -226,10 +242,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                $a_crl[] = $crl;
            }

-            write_config(sprintf('Saved CRL %s', $crl['descr']));
-            plugins_configure('crl');
-            header(url_safe('Location: /system_crlmanager.php'));
-            exit;
+            if (!isset($savemsg)) {
+                write_config(sprintf('Saved CRL %s', $crl['descr']));
+                plugins_configure('crl');
+                header(url_safe('Location: /system_crlmanager.php'));
+                exit;
+            }
        }
    }

@ -596,7 +614,7 @@ include("head.inc");
                    </a>
 <?php
                  else :?>
-                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;importonly=yes" data-toggle="tooltip" title="<?= html_safe(sprintf(gettext('Import CRL for %s'), $ca['descr'])) ?>" class="btn btn-default btn-xs">
+                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;method=existing" data-toggle="tooltip" title="<?= html_safe(sprintf(gettext('Import CRL for %s'), $ca['descr'])) ?>" class="btn btn-default btn-xs">
                      <i class="fa fa-plus fa-fw"></i>
                    </a>
 <?php