system_certmanager: take extensions out of a DN (#4761)

kulikov-a 2021-02-27 15:49:20 +03:00 committed by GitHub
parent 8953d038e5
commit 71d6d0adeb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 23 deletions


@ -209,7 +209,7 @@ function cert_import(&$cert, $crt_str, $key_str)
return true;
}
function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg, $x509_extensions = 'usr_cert')
function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg, $x509_extensions = 'usr_cert', $extns)
{
$ca = &lookup_ca($caref);
if (!$ca) {
@ -226,7 +226,7 @@ function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg,
$ca_serial = ++$ca['serial'];
// handle parameters which can only be set via the configuration file
$config_filename = create_temp_openssl_config($dn);
$config_filename = create_temp_openssl_config($extns);
$args = array(
'config' => $config_filename,
@ -286,7 +286,7 @@ function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg,
return true;
}
function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $dn)
function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $extns)
{
$ca = &lookup_ca($caref);
if (!$ca) {
@ -303,7 +303,7 @@ function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $dn)
$ca_serial = ++$ca['serial'];
// handle parameters which can only be set via the configuration file
$config_filename = create_temp_openssl_config($dn);
$config_filename = create_temp_openssl_config($extns);
$args = array(
'config' => $config_filename,
@ -715,18 +715,18 @@ function cert_get_cn($crt, $isref = false)
* @param $dn
* @return bool|string The name of the temporary config file.
*/
function create_temp_openssl_config(&$dn)
function create_temp_openssl_config(&$extns)
{
// define temp filename to use for openssl.cnf
// define temp filename to use for openssl.cnf and add extensions values to it
$configFilename = tempnam(sys_get_temp_dir(), 'ssl');
$template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf');
foreach (['subjectAltName', 'keyUsage', 'extendedKeyUsage', 'basicConstraints'] as $dnTag) {
if (isset($dn[$dnTag])) {
$template_dn = $dnTag . ' = ' . str_replace(array("\r", "\n"), '', $dn[$dnTag]);
foreach (['subjectAltName', 'keyUsage', 'extendedKeyUsage', 'basicConstraints'] as $extnTag) {
if (isset($extns[$extnTag])) {
$template_extn = $extnTag . ' = ' . str_replace(array("\r", "\n"), '', $extns[$extnTag]);
// Overwrite the placeholders for this property
$template = str_replace('###OPNsense:' . $dnTag . '###', $template_dn, $template);
$template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template);
}
}
file_put_contents($configFilename, $template);
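Review bot: The new cert_create signature in the first hunk declares the required parameter `$extns` after the optional `$x509_extensions = 'usr_cert'`, which PHP 8.0+ reports as a deprecation and which in practice makes `$x509_extensions` mandatory at every call site; giving it a default, `$x509_extensions = 'usr_cert', $extns = array()`, keeps existing calls working and matches the `isset($extns[$extnTag])` guard in create_temp_openssl_config, which already tolerates an empty array. The docblock above create_temp_openssl_config still reads `* @param $dn` although the parameter is now `$extns`; suggest `* @param array $extns x509 extension values (subjectAltName, keyUsage, extendedKeyUsage, basicConstraints) written into the temporary openssl config`. Since `$x509_extensions` names a config section while `$extns` carries the extension values, a one-line comment next to the cert_create signature distinguishing the two would avoid confusion for later readers. The bodies of cert_create, sign_cert_csr and create_temp_openssl_config continue outside these hunks.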


@ -36,9 +36,9 @@ require_once('phpseclib/File/ASN1/Element.php');
require_once('phpseclib/Crypt/RSA.php');
require_once('phpseclib/Crypt/Hash.php');
function csr_generate(&$cert, $keylen_curve, $dn, $digest_alg)
function csr_generate(&$cert, $keylen_curve, $dn, $digest_alg, $extns)
{
$configFilename = create_temp_openssl_config($dn);
$configFilename = create_temp_openssl_config($extns);
$args = array(
@ -617,7 +617,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// validation and at the same time create $dn for sign_cert_csr
if ($pconfig['certmethod'] === 'sign_cert_csr') {
// XXX: we should separate validation and data gathering
$dn = array();
$extns = array();
if (isset($pconfig['key_usage_sign_csr'])) {
$san_str = '';
if (!empty($pconfig['altname_type_sign_csr'])) {
@ -638,7 +638,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
}
if ($san_str !== '') {
$dn['subjectAltName'] = $san_str;
$extns['subjectAltName'] = $san_str;
}
if (is_array($pconfig['key_usage_sign_csr']) && count($pconfig['key_usage_sign_csr']) > 0) {
$resstr = '';
@ -653,7 +653,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
break;
}
}
$dn['keyUsage'] = $resstr;
$extns['keyUsage'] = $resstr;
}
if (is_array($pconfig['extended_key_usage_sign_csr']) && count($pconfig['extended_key_usage_sign_csr']) > 0) {
$resstr = '';
@ -668,12 +668,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
break;
}
}
$dn['extendedKeyUsage'] = $resstr;
$extns['extendedKeyUsage'] = $resstr;
}
if ($pconfig['basic_constraints_is_ca_sign_csr'] === 'true') {
$dn['basicConstraints'] = 'CA:' . ((isset($pconfig['basic_constraints_is_ca_sign_csr']) && $pconfig['basic_constraints_is_ca_sign_csr'] === 'true') ? 'TRUE' : 'false');
$extns['basicConstraints'] = 'CA:' . ((isset($pconfig['basic_constraints_is_ca_sign_csr']) && $pconfig['basic_constraints_is_ca_sign_csr'] === 'true') ? 'TRUE' : 'false');
if (isset($pconfig['basic_constraints_path_len_sign_csr']) && $pconfig['basic_constraints_path_len_sign_csr'] != '') {
$dn['basicConstraints'] .= ', pathlen:' . ((int) $pconfig['basic_constraints_path_len_sign_csr']);
$extns['basicConstraints'] .= ', pathlen:' . ((int) $pconfig['basic_constraints_path_len_sign_csr']);
}
}
}
@ -716,12 +716,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
'organizationName' => $pconfig['dn_organization'],
'emailAddress' => $pconfig['dn_email'],
'commonName' => $pconfig['dn_commonname']);
$extns = array();
if (count($altnames)) {
$altnames_tmp = array();
foreach ($altnames as $altname) {
$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
}
$dn['subjectAltName'] = implode(",", $altnames_tmp);
$extns['subjectAltName'] = implode(",", $altnames_tmp);
}
if (!cert_create(
@ -731,7 +732,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['lifetime'],
$dn,
$pconfig['digest_alg'],
$pconfig['cert_type']
$pconfig['cert_type'],
$extns
)) {
$input_errors = array();
while ($ssl_err = openssl_error_string()) {
@ -746,7 +748,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
} elseif ($pconfig['certmethod'] === 'sign_cert_csr') {
if (!sign_cert_csr($cert, $pconfig['caref_sign_csr'], $pconfig['csr'], (int) $pconfig['lifetime_sign_csr'],
$pconfig['digest_alg_sign_csr'], $dn)) {
$pconfig['digest_alg_sign_csr'], $extns)) {
$input_errors = array();
while ($ssl_err = openssl_error_string()) {
$input_errors[] = gettext("openssl library returns:") . " " . $ssl_err;
@ -760,6 +762,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
'organizationName' => $pconfig['csr_dn_organization'],
'emailAddress' => $pconfig['csr_dn_email'],
'commonName' => $pconfig['csr_dn_commonname']);
$extns = array();
if (!empty($pconfig['csr_dn_organizationalunit'])) {
$dn['organizationalUnitName'] = $pconfig['csr_dn_organizationalunit'];
}
@ -768,9 +771,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
foreach ($altnames as $altname) {
$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
}
$dn['subjectAltName'] = implode(",", $altnames_tmp);
$extns['subjectAltName'] = implode(",", $altnames_tmp);
}
if (!csr_generate($cert, $pconfig['csr_keylen_curve'], $dn, $pconfig['csr_digest_alg'])) {
if (!csr_generate($cert, $pconfig['csr_keylen_curve'], $dn, $pconfig['csr_digest_alg'], $extns)) {
$input_errors = array();
while ($ssl_err = openssl_error_string()) {
$input_errors[] = gettext("openssl library returns:") . " " . $ssl_err;
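Review bot: The comment at the head of the sign_cert_csr validation block still says it creates `$dn` for sign_cert_csr, but after this change that block fills `$extns` and no longer touches `$dn`; suggest `// validation and at the same time create $extns for sign_cert_csr`. On the renamed basicConstraints line the inner `isset(...) && ... === 'true'` ternary is redundant under the enclosing `=== 'true'` guard, so `$extns['basicConstraints'] = 'CA:TRUE';` states the same thing more plainly. csr_generate and sign_cert_csr now take `$extns` as a required trailing argument, so any caller outside these hunks that was not updated would fail with an argument-count error at call time; worth checking before merge. The enclosing request-handling block starts before these hunks.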