From 3ede122f7f6a5f2ecc03b19f37a1c6799b034f16 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 19 Jan 2016 14:17:11 +0100 Subject: [PATCH] (legacy) non functional changes to certs.inc, spacing, curly braces, etc. --- src/etc/inc/certs.inc | 974 ++++++++++++++++++++++-------------------- 1 file changed, 512 insertions(+), 462 deletions(-) diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc index 4f3c60ae2..c9daf6479 100644 --- a/src/etc/inc/certs.inc +++ b/src/etc/inc/certs.inc @@ -1,30 +1,30 @@ - All rights reserved. + Copyright (C) 2008 Shrew Soft Inc + Copyright (C) 2010 Jim Pingle + All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ global $openssl_digest_algs; @@ -32,594 +32,644 @@ $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512"); global $openssl_crl_status; $openssl_crl_status = array( - OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)", - OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified", - OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise", - OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise", - OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed", - OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded", - OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation", - OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold" + OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)", + OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified", + OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise", + OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise", + OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed", + OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded", + OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation", + OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold" ); function & lookup_ca($refid) { - global $config; - $false = false; + global $config; + $false = false; - if (is_array($config['ca'])) - foreach ($config['ca'] as & $ca) - if ($ca['refid'] == $refid) - return $ca; - return $false; + if (is_array($config['ca'])) { + foreach ($config['ca'] as & $ca) { + if ($ca['refid'] == $refid) { + return $ca; + } + } + } + return $false; } function & lookup_ca_by_subject($subject) { - global $config; - $false = false; + global $config; + $false = false; - if (is_array($config['ca'])) - foreach ($config['ca'] as & $ca) - { - $ca_subject = cert_get_subject($ca['crt']); - if ($ca_subject == $subject) - return $ca; - } - - return $false; + if (is_array($config['ca'])) { + foreach ($config['ca'] as & $ca) { + $ca_subject = cert_get_subject($ca['crt']); + if ($ca_subject == $subject) { + return $ca; + } + } + } + return $false; } function & lookup_cert($refid) { - global $config; - $false = false; + global $config; + $false = false; - if (is_array($config['cert'])) - foreach ($config['cert'] as & $cert) - if ($cert['refid'] == $refid) - return $cert; + if (is_array($config['cert'])) { + foreach ($config['cert'] as & $cert) { + if ($cert['refid'] == $refid) { + return $cert; + } + } + } - return $false; + return $false; } function & lookup_crl($refid) { - global $config; - $false = false; - - if (is_array($config['crl'])) - foreach ($config['crl'] as & $crl) - if ($crl['refid'] == $refid) - return $crl; - - return $false; + global $config; + $false = false; + if (is_array($config['crl'])) { + foreach ($config['crl'] as & $crl) { + if ($crl['refid'] == $refid) { + return $crl; + } + } + } + return $false; } function ca_chain_array(& $cert) { - if($cert['caref']) { - $chain = array(); - $crt = lookup_ca($cert['caref']); - $chain[] = $crt; - while ($crt) { - $caref = $crt['caref']; - if($caref) - $crt = lookup_ca($caref); - else - $crt = false; - if($crt) - $chain[] = $crt; - } - return $chain; - } - return false; + if($cert['caref']) { + $chain = array(); + $crt = lookup_ca($cert['caref']); + $chain[] = $crt; + while ($crt) { + $caref = $crt['caref']; + if($caref) { + $crt = lookup_ca($caref); + } else { + $crt = false; + } + if($crt) { + $chain[] = $crt; + } + } + return $chain; + } + return false; } function ca_chain(&$cert) { - $ca = ''; + $ca = ''; + if (!isset($cert['caref'])) { + return $ca; + } - if (!isset($cert['caref'])) { - return $ca; - } + $cas = ca_chain_array($cert); + if (!is_array($cas)) { + return $ca; + } - $cas = ca_chain_array($cert); - if (!is_array($cas)) { - return $ca; - } + foreach ($cas as &$ca_cert) { + $ca .= base64_decode($ca_cert['crt']); + $ca .= "\n"; + } - foreach ($cas as &$ca_cert) { - $ca .= base64_decode($ca_cert['crt']); - $ca .= "\n"; - } - - /* sanitise output to make sure we generate clean files */ - return str_replace("\n\n", "\n", str_replace("\r", "", $ca)); + /* sanitise output to make sure we generate clean files */ + return str_replace("\n\n", "\n", str_replace("\r", "", $ca)); } function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256') { - $args = array( - 'config' => '/usr/local/etc/ssl/opnsense.cnf', - 'private_key_type' => OPENSSL_KEYTYPE_RSA, - 'private_key_bits' => (int)$keylen, - 'x509_extensions' => 'v3_ca', - 'digest_alg' => $digest_alg, - 'encrypt_key' => false - ); + $args = array( + 'config' => '/usr/local/etc/ssl/opnsense.cnf', + 'private_key_type' => OPENSSL_KEYTYPE_RSA, + 'private_key_bits' => (int)$keylen, + 'x509_extensions' => 'v3_ca', + 'digest_alg' => $digest_alg, + 'encrypt_key' => false + ); - // generate a new key pair - $res_key = openssl_pkey_new($args); - if (!$res_key) return false; + // generate a new key pair + $res_key = openssl_pkey_new($args); + if (!$res_key) { + return false; + } - // generate a certificate signing request - $res_csr = openssl_csr_new($dn, $res_key, $args); - if (!$res_csr) return false; + // generate a certificate signing request + $res_csr = openssl_csr_new($dn, $res_key, $args); + if (!$res_csr) { + return false; + } - // self sign the certificate - $res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); - if (!$res_crt) return false; + // self sign the certificate + $res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); + if (!$res_crt) { + return false; + } - // export our certificate data - if (!openssl_pkey_export($res_key, $str_key) || - !openssl_x509_export($res_crt, $str_crt)) - return false; + // export our certificate data + if (!openssl_pkey_export($res_key, $str_key) || !openssl_x509_export($res_crt, $str_crt)) { + return false; + } - // return our ca information - $ca['crt'] = base64_encode($str_crt); - $ca['prv'] = base64_encode($str_key); - $ca['serial'] = 0; + // return our ca information + $ca['crt'] = base64_encode($str_crt); + $ca['prv'] = base64_encode($str_key); + $ca['serial'] = 0; - return true; + return true; } -function cert_import(& $cert, $crt_str, $key_str) { +function cert_import(& $cert, $crt_str, $key_str) +{ + $cert['crt'] = base64_encode($crt_str); + $cert['prv'] = base64_encode($key_str); - $cert['crt'] = base64_encode($crt_str); - $cert['prv'] = base64_encode($key_str); + $subject = cert_get_subject($crt_str, false); + $issuer = cert_get_issuer($crt_str, false); - $subject = cert_get_subject($crt_str, false); - $issuer = cert_get_issuer($crt_str, false); - - // Find my issuer unless self-signed - if($issuer <> $subject) { - $issuer_crt =& lookup_ca_by_subject($issuer); - if($issuer_crt) - $cert['caref'] = $issuer_crt['refid']; - } - return true; + // Find my issuer unless self-signed + if($issuer <> $subject) { + $issuer_crt =& lookup_ca_by_subject($issuer); + if($issuer_crt) { + $cert['caref'] = $issuer_crt['refid']; + } + } + return true; } function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha256', $x509_extensions = 'usr_cert') { - $ca = &lookup_ca($caref); - if (!$ca) { - return false; - } - // define temp filename to use for openssl.cnf - $config_filename = tempnam(sys_get_temp_dir(), 'ssl'); + $ca = &lookup_ca($caref); + if (!$ca) { + return false; + } + // define temp filename to use for openssl.cnf + $config_filename = tempnam(sys_get_temp_dir(), 'ssl'); - $ca_str_crt = base64_decode($ca['crt']); - $ca_str_key = base64_decode($ca['prv']); - $ca_res_crt = openssl_x509_read($ca_str_crt); - $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); - if (!$ca_res_key) { - return false; - } - $ca_serial = ++$ca['serial']; + $ca_str_crt = base64_decode($ca['crt']); + $ca_str_key = base64_decode($ca['prv']); + $ca_res_crt = openssl_x509_read($ca_str_crt); + $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); + if (!$ca_res_key) { + return false; + } + $ca_serial = ++$ca['serial']; - $template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf'); - // handle parameters which can only be set via the configuration file - $template_dn = ""; - foreach (array("subjectAltName") as $dnTag) { - if (isset($dn[$dnTag])) { - $template_dn .= $dnTag . "=" . $dn[$dnTag] . "\n"; - unset($dn[$dnTag]); - } - } - $template = str_replace("###OPNsense:".$x509_extensions."###", $template_dn, $template); - file_put_contents($config_filename, $template); + $template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf'); + // handle parameters which can only be set via the configuration file + $template_dn = ""; + foreach (array("subjectAltName") as $dnTag) { + if (isset($dn[$dnTag])) { + $template_dn .= $dnTag . "=" . $dn[$dnTag] . "\n"; + unset($dn[$dnTag]); + } + } + $template = str_replace("###OPNsense:".$x509_extensions."###", $template_dn, $template); + file_put_contents($config_filename, $template); - $args = array( - 'config' => $config_filename, - 'private_key_type' => OPENSSL_KEYTYPE_RSA, - 'private_key_bits' => (int)$keylen, - 'x509_extensions' => $x509_extensions, - 'digest_alg' => $digest_alg, - 'encrypt_key' => false - ); + $args = array( + 'config' => $config_filename, + 'private_key_type' => OPENSSL_KEYTYPE_RSA, + 'private_key_bits' => (int)$keylen, + 'x509_extensions' => $x509_extensions, + 'digest_alg' => $digest_alg, + 'encrypt_key' => false + ); - // generate a new key pair - $res_key = openssl_pkey_new($args); - if(!$res_key) { - return false; - } + // generate a new key pair + $res_key = openssl_pkey_new($args); + if(!$res_key) { + return false; + } - // generate a certificate signing request - $res_csr = openssl_csr_new($dn, $res_key, $args); - if(!$res_csr) { - return false; - } + // generate a certificate signing request + $res_csr = openssl_csr_new($dn, $res_key, $args); + if(!$res_csr) { + return false; + } - // self sign the certificate - $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, - $args, $ca_serial); - if(!$res_crt) { - return false; - } + // self sign the certificate + $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, + $args, $ca_serial); + if(!$res_crt) { + return false; + } - // export our certificate data - if (!openssl_pkey_export($res_key, $str_key) || - !openssl_x509_export($res_crt, $str_crt)) { - return false; - } + // export our certificate data + if (!openssl_pkey_export($res_key, $str_key) || + !openssl_x509_export($res_crt, $str_crt)) { + return false; + } - // return our certificate information - $cert['caref'] = $caref; - $cert['crt'] = base64_encode($str_crt); - $cert['prv'] = base64_encode($str_key); + // return our certificate information + $cert['caref'] = $caref; + $cert['crt'] = base64_encode($str_crt); + $cert['prv'] = base64_encode($str_key); - // remove tempfile (template) - unlink($config_filename); + // remove tempfile (template) + unlink($config_filename); - return true; + return true; } -function csr_get_subject($str_crt, $decode = true) { +function csr_get_subject($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } - if ($decode) - $str_crt = base64_decode($str_crt); + $components = openssl_csr_get_subject($str_crt); + if (empty($components) || !is_array($components)) { + return "unknown"; + } - $components = openssl_csr_get_subject($str_crt); + ksort($components); + foreach ($components as $a => $v) { + if (!strlen($subject)) { + $subject = "{$a}={$v}"; + } else { + $subject = "{$a}={$v}, {$subject}"; + } + } - if (empty($components) || !is_array($components)) - return "unknown"; - - ksort($components); - foreach ($components as $a => $v) { - if (!strlen($subject)) - $subject = "{$a}={$v}"; - else - $subject = "{$a}={$v}, {$subject}"; - } - - return $subject; + return $subject; } -function cert_get_subject($str_crt, $decode = true) { +function cert_get_subject($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } - if ($decode) - $str_crt = base64_decode($str_crt); + $inf_crt = openssl_x509_parse($str_crt); + $components = $inf_crt['subject']; - $inf_crt = openssl_x509_parse($str_crt); - $components = $inf_crt['subject']; + if (empty($components) || !is_array($components)) { + return "unknown"; + } - if (empty($components) || !is_array($components)) - return "unknown"; + ksort($components); + foreach ($components as $a => $v) { + if (is_array($v)) { + ksort($v); + foreach ($v as $w) { + $asubject = "{$a}={$w}"; + $subject = (isset($subject)) ? "{$asubject}, {$subject}" : $asubject; + } + } else { + $asubject = "{$a}={$v}"; + $subject = (isset($subject)) ? "{$asubject}, {$subject}" : $asubject; + } + } - ksort($components); - foreach ($components as $a => $v) { - if (is_array($v)) { - ksort($v); - foreach ($v as $w) { - $asubject = "{$a}={$w}"; - $subject = (isset($subject)) ? "{$asubject}, {$subject}" : $asubject; - } - } else { - $asubject = "{$a}={$v}"; - $subject = (isset($subject)) ? "{$asubject}, {$subject}" : $asubject; - } - } - - return $subject; + return $subject; } -function cert_get_subject_array($crt) { - $str_crt = base64_decode($crt); - $inf_crt = openssl_x509_parse($str_crt); - $components = $inf_crt['subject']; +function cert_get_subject_array($crt) +{ + $str_crt = base64_decode($crt); + $inf_crt = openssl_x509_parse($str_crt); + $components = $inf_crt['subject']; - if (!is_array($components)) - return; + if (!is_array($components)) { + return; + } - $subject_array = array(); + $subject_array = array(); - foreach($components as $a => $v) - $subject_array[] = array('a' => $a, 'v' => $v); + foreach($components as $a => $v) { + $subject_array[] = array('a' => $a, 'v' => $v); + } - return $subject_array; + return $subject_array; } -function cert_get_issuer($str_crt, $decode = true) { +function cert_get_issuer($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } + $inf_crt = openssl_x509_parse($str_crt); + $components = $inf_crt['issuer']; - if ($decode) - $str_crt = base64_decode($str_crt); + if (empty($components) || !is_array($components)) { + return "unknown"; + } + ksort($components); + foreach ($components as $a => $v) { + if (is_array($v)) { + ksort($v); + foreach ($v as $w) { + $aissuer = "{$a}={$w}"; + $issuer = (isset($issuer)) ? "{$aissuer}, {$issuer}" : $aissuer; + } + } else { + $aissuer = "{$a}={$v}"; + $issuer = (isset($issuer)) ? "{$aissuer}, {$issuer}" : $aissuer; + } + } - $inf_crt = openssl_x509_parse($str_crt); - $components = $inf_crt['issuer']; - - if (empty($components) || !is_array($components)) - return "unknown"; - - ksort($components); - foreach ($components as $a => $v) { - if (is_array($v)) { - ksort($v); - foreach ($v as $w) { - $aissuer = "{$a}={$w}"; - $issuer = (isset($issuer)) ? "{$aissuer}, {$issuer}" : $aissuer; - } - } else { - $aissuer = "{$a}={$v}"; - $issuer = (isset($issuer)) ? "{$aissuer}, {$issuer}" : $aissuer; - } - } - - return $issuer; -} + return $issuer; + } /* this function works on x509 (crt), rsa key (prv), and req(csr) */ function cert_get_modulus($str_crt, $decode = true, $type = 'crt') { - $type_list = array('crt', 'prv', 'csr'); - $type_cmd = array('x509', 'rsa', 'req'); - $modulus = ''; + $type_list = array('crt', 'prv', 'csr'); + $type_cmd = array('x509', 'rsa', 'req'); + $modulus = ''; - if ($decode) { - $str_crt = base64_decode($str_crt); - } + if ($decode) { + $str_crt = base64_decode($str_crt); + } - if (in_array($type, $type_list)) { - $type = str_replace($type_list, $type_cmd, $type); - $modulus = exec(sprintf( - 'echo %s | /usr/local/bin/openssl %s -noout -modulus', - escapeshellarg($str_crt), - escapeshellarg($type) - )); - } + if (in_array($type, $type_list)) { + $type = str_replace($type_list, $type_cmd, $type); + $modulus = exec(sprintf( + 'echo %s | /usr/local/bin/openssl %s -noout -modulus', + escapeshellarg($str_crt), + escapeshellarg($type) + )); + } - return $modulus; + return $modulus; } -function cert_get_purpose($str_crt, $decode = true) { - if ($decode) - $str_crt = base64_decode($str_crt); - $crt_details = openssl_x509_parse($str_crt); - $purpose = array(); - $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes'; - if (isset($crt_details['extensions']['nsCertType']) && $crt_details['extensions']['nsCertType'] == "SSL Server") { - $purpose['server'] = 'Yes'; - } else { - $purpose['server'] = 'No'; - } - return $purpose; +function cert_get_purpose($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } + + $crt_details = openssl_x509_parse($str_crt); + $purpose = array(); + $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes'; + if (isset($crt_details['extensions']['nsCertType']) && $crt_details['extensions']['nsCertType'] == "SSL Server") { + $purpose['server'] = 'Yes'; + } else { + $purpose['server'] = 'No'; + } + return $purpose; } -function cert_get_dates($str_crt, $decode = true) { - if ($decode) - $str_crt = base64_decode($str_crt); - $crt_details = openssl_x509_parse($str_crt); - if ($crt_details['validFrom_time_t'] > 0) - $start = date('r', $crt_details['validFrom_time_t']); - if ($crt_details['validTo_time_t'] > 0) - $end = date('r', $crt_details['validTo_time_t']); - return array($start, $end); +function cert_get_dates($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } + $crt_details = openssl_x509_parse($str_crt); + if ($crt_details['validFrom_time_t'] > 0) { + $start = date('r', $crt_details['validFrom_time_t']); + } + if ($crt_details['validTo_time_t'] > 0) { + $end = date('r', $crt_details['validTo_time_t']); + } + return array($start, $end); } -function cert_get_serial($str_crt, $decode = true) { - if ($decode) - $str_crt = base64_decode($str_crt); - $crt_details = openssl_x509_parse($str_crt); - if (isset($crt_details['serialNumber']) && !empty($crt_details['serialNumber'])) - return $crt_details['serialNumber']; - else - return NULL; +function cert_get_serial($str_crt, $decode = true) +{ + if ($decode) { + $str_crt = base64_decode($str_crt); + } + $crt_details = openssl_x509_parse($str_crt); + if (isset($crt_details['serialNumber']) && !empty($crt_details['serialNumber'])) { + return $crt_details['serialNumber']; + } else { + return NULL; + } } function is_user_cert($certref) { - global $config; + global $config; + if (!isset($config['system']['user'])) { + return; + } - if (!isset($config['system']['user'])) { - return; - } + foreach ($config['system']['user'] as $user) { + if (!isset($user['cert']) || !is_array($user['cert'])) { + continue; + } + foreach ($user['cert'] as $cert) { + if ($certref == $cert) { + return true; + } + } + } - foreach ($config['system']['user'] as $user) { - if (!isset($user['cert']) || !is_array($user['cert'])) { - continue; - } - foreach ($user['cert'] as $cert) { - if ($certref == $cert) { - return true; - } - } - } - - return false; + return false; } function is_openvpn_server_cert($certref) { - global $config; + global $config; - if (!isset($config['openvpn']['openvpn-server'])) { - return; - } + if (!isset($config['openvpn']['openvpn-server'])) { + return; + } - foreach ($config['openvpn']['openvpn-server'] as $ovpns) { - if (isset($ovpns['certref']) && $ovpns['certref'] == $certref) { - return true; - } - } + foreach ($config['openvpn']['openvpn-server'] as $ovpns) { + if (isset($ovpns['certref']) && $ovpns['certref'] == $certref) { + return true; + } + } - return false; + return false; } function is_openvpn_client_cert($certref) { - global $config; + global $config; - if (!isset($config['openvpn']['openvpn-client'])) { - return; - } + if (!isset($config['openvpn']['openvpn-client'])) { + return; + } - foreach ($config['openvpn']['openvpn-client'] as $ovpnc) { - if (isset($ovpnc['certref']) && $ovpnc['certref'] == $certref) { - return true; - } - } + foreach ($config['openvpn']['openvpn-client'] as $ovpnc) { + if (isset($ovpnc['certref']) && $ovpnc['certref'] == $certref) { + return true; + } + } - return false; + return false; } function is_ipsec_cert($certref) { - global $config; + global $config; - if (!isset($config['ipsec']['phase1'])) { - return; - } + if (!isset($config['ipsec']['phase1'])) { + return; + } - foreach ($config['ipsec']['phase1'] as $ipsec) { - if ($ipsec['certref'] == $certref) { - return true; - } - } + foreach ($config['ipsec']['phase1'] as $ipsec) { + if ($ipsec['certref'] == $certref) { + return true; + } + } - return false; + return false; } function is_webgui_cert($certref) { - global $config; - - return $config['system']['webgui']['ssl-certref'] == $certref && - $config['system']['webgui']['protocol'] != 'http'; + global $config; + return $config['system']['webgui']['ssl-certref'] == $certref && $config['system']['webgui']['protocol'] != 'http'; } function cert_in_use($certref) { - return (is_webgui_cert($certref) || - is_user_cert($certref) || - is_openvpn_server_cert($certref) || - is_openvpn_client_cert($certref) || - is_ipsec_cert($certref)); + return (is_webgui_cert($certref) || + is_user_cert($certref) || + is_openvpn_server_cert($certref) || + is_openvpn_client_cert($certref) || + is_ipsec_cert($certref)); } -function crl_update(& $crl) { - global $config; - $ca =& lookup_ca($crl['caref']); - if (!$ca) - return false; - // If we have text but no certs, it was imported and cannot be updated. - if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert']))) - return false; - $crl['serial']++; - $ca_str_crt = base64_decode($ca['crt']); - $ca_str_key = base64_decode($ca['prv']); - $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']); - if (is_array($crl['cert']) && (count($crl['cert']) > 0)) { - foreach ($crl['cert'] as $cert) { - openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); - } - } - openssl_crl_export($crl_res, $crl_text, $ca_str_key); - $crl['text'] = base64_encode($crl_text); - return $crl_res; +function crl_update(& $crl) +{ + global $config; + $ca =& lookup_ca($crl['caref']); + if (!$ca) { + return false; + } + // If we have text but no certs, it was imported and cannot be updated. + if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert']))) { + return false; + } + $crl['serial']++; + $ca_str_crt = base64_decode($ca['crt']); + $ca_str_key = base64_decode($ca['prv']); + $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']); + if (is_array($crl['cert']) && (count($crl['cert']) > 0)) { + foreach ($crl['cert'] as $cert) { + openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); + } + } + openssl_crl_export($crl_res, $crl_text, $ca_str_key); + $crl['text'] = base64_encode($crl_text); + return $crl_res; } -function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) { - global $config; - if (is_cert_revoked($cert, $crl['refid'])) - return true; - // If we have text but no certs, it was imported and cannot be updated. - if (!is_crl_internal($crl)) - return false; - $cert["reason"] = $reason; - $cert["revoke_time"] = time(); - $crl["cert"][] = $cert; - crl_update($crl); - return true; +function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) +{ + global $config; + if (is_cert_revoked($cert, $crl['refid'])) { + return true; + } + // If we have text but no certs, it was imported and cannot be updated. + if (!is_crl_internal($crl)) { + return false; + } + $cert["reason"] = $reason; + $cert["revoke_time"] = time(); + $crl["cert"][] = $cert; + crl_update($crl); + return true; } /* Compare two certificates to see if they match. */ function cert_compare($cert1, $cert2) { - /* Ensure two certs are identical by first checking that their issuers match, then - subjects, then serial numbers, and finally the moduli. Anything less strict - could accidentally count two similar, but different, certificates as - being identical. */ - $c1 = base64_decode($cert1['crt']); - $c2 = base64_decode($cert2['crt']); - if ((cert_get_issuer($c1, false) == cert_get_issuer($c2, false)) - && (cert_get_subject($c1, false) == cert_get_subject($c2, false)) - && (cert_get_serial($c1, false) == cert_get_serial($c2, false)) - && (cert_get_modulus($c1, false) == cert_get_modulus($c2, false))) - return true; - return false; + /* Ensure two certs are identical by first checking that their issuers match, then + subjects, then serial numbers, and finally the moduli. Anything less strict + could accidentally count two similar, but different, certificates as + being identical. */ + $c1 = base64_decode($cert1['crt']); + $c2 = base64_decode($cert2['crt']); + if ((cert_get_issuer($c1, false) == cert_get_issuer($c2, false)) + && (cert_get_subject($c1, false) == cert_get_subject($c2, false)) + && (cert_get_serial($c1, false) == cert_get_serial($c2, false)) + && (cert_get_modulus($c1, false) == cert_get_modulus($c2, false))) { + return true; + } else { + return false; + } } -function is_cert_revoked($cert, $crlref = "") { - global $config; - if (!isset($config['crl']) || !is_array($config['crl'])) - return false; +function is_cert_revoked($cert, $crlref = "") +{ + global $config; + if (!isset($config['crl']) || !is_array($config['crl'])) { + return false; + } - if (!empty($crlref)) { - $crl = lookup_crl($crlref); - if (!isset($crl['cert']) || !is_array($crl['cert'])) - return false; - foreach ($crl['cert'] as $rcert) { - if (cert_compare($rcert, $cert)) - return true; - } - } else { - foreach ($config['crl'] as $crl) { - if (!is_array($crl['cert'])) - continue; - foreach ($crl['cert'] as $rcert) { - if (cert_compare($rcert, $cert)) - return true; - } - } - } - return false; + if (!empty($crlref)) { + $crl = lookup_crl($crlref); + if (!isset($crl['cert']) || !is_array($crl['cert'])) { + return false; + } + foreach ($crl['cert'] as $rcert) { + if (cert_compare($rcert, $cert)) { + return true; + } + } + } else { + foreach ($config['crl'] as $crl) { + if (!is_array($crl['cert'])) { + continue; + } + foreach ($crl['cert'] as $rcert) { + if (cert_compare($rcert, $cert)) { + return true; + } + } + } + } + return false; } -function is_openvpn_server_crl($crlref) { - global $config; - if (!isset($config['openvpn']['openvpn-server']) || !is_array($config['openvpn']['openvpn-server'])) - return; - foreach ($config['openvpn']['openvpn-server'] as $ovpns) { - if (!empty($ovpns['crlref']) && ($ovpns['crlref'] == $crlref)) - return true; - } - return false; +function is_openvpn_server_crl($crlref) +{ + global $config; + if (!isset($config['openvpn']['openvpn-server']) || !is_array($config['openvpn']['openvpn-server'])) { + return; + } + foreach ($config['openvpn']['openvpn-server'] as $ovpns) { + if (!empty($ovpns['crlref']) && ($ovpns['crlref'] == $crlref)) { + return true; + } + } + return false; } -function is_crl_internal($crl) { - return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal")); +function is_crl_internal($crl) +{ + return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal")); } -function cert_get_cn($crt, $isref = false) { - /* If this is a certref, not an actual cert, look up the cert first */ - if ($isref) { - $cert = lookup_cert($crt); - /* If it's not a valid cert, bail. */ - if (!(is_array($cert) && !empty($cert['crt']))) - return ""; - $cert = $cert['crt']; - } else { - $cert = $crt; - } - $sub = cert_get_subject_array($cert); - if (is_array($sub)) { - foreach ($sub as $s) { - if (strtoupper($s['a']) == "CN") - return $s['v']; - } - } - return ""; +function cert_get_cn($crt, $isref = false) +{ + /* If this is a certref, not an actual cert, look up the cert first */ + if ($isref) { + $cert = lookup_cert($crt); + /* If it's not a valid cert, bail. */ + if (!(is_array($cert) && !empty($cert['crt']))) { + return ""; + } + $cert = $cert['crt']; + } else { + $cert = $crt; + } + $sub = cert_get_subject_array($cert); + if (is_array($sub)) { + foreach ($sub as $s) { + if (strtoupper($s['a']) == "CN") { + return $s['v']; + } + } + } + return ""; } ?>