diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 65a973a7f..b6cd87c1e 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -209,7 +209,7 @@ function cert_import(&$cert, $crt_str, $key_str)
     return true;
 }
 
-function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg, $x509_extensions = 'usr_cert')
+function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg, $x509_extensions = 'usr_cert', $extns)
 {
     $ca = &lookup_ca($caref);
     if (!$ca) {
@@ -226,7 +226,7 @@ function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg,
     $ca_serial = ++$ca['serial'];
 
     // handle parameters which can only be set via the configuration file
-    $config_filename = create_temp_openssl_config($dn);
+    $config_filename = create_temp_openssl_config($extns);
 
     $args = array(
         'config' => $config_filename,
@@ -286,7 +286,7 @@ function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg,
     return true;
 }
 
-function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $dn)
+function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $extns)
 {
     $ca = &lookup_ca($caref);
     if (!$ca) {
@@ -303,7 +303,7 @@ function sign_cert_csr(&$cert, $caref, $csr, $lifetime, $digest_alg, $dn)
     $ca_serial = ++$ca['serial'];
 
     // handle parameters which can only be set via the configuration file
-    $config_filename = create_temp_openssl_config($dn);
+    $config_filename = create_temp_openssl_config($extns);
 
     $args = array(
         'config' => $config_filename,
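Review bot: The new `$extns` parameter on cert_create is required but is declared after the optional `$x509_extensions = 'usr_cert'`; PHP 8 deprecates an optional parameter placed before a required one and the default becomes unusable, so any caller that used to omit the last argument now fails with an ArgumentCountError instead of getting `'usr_cert'`. Giving the new parameter a default keeps the old call shape working, `$x509_extensions = 'usr_cert', $extns = array())`, and the `isset($extns[...])` lookups in create_temp_openssl_config already cope with an empty array. The same consideration applies to the required `$extns` appended to csr_generate in system_certmanager.php (second file of this diff), where a default would likewise avoid breaking external callers that are not updated here. The bodies of cert_create and sign_cert_csr continue outside these hunks.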
@@ -715,18 +715,18 @@ function cert_get_cn($crt, $isref = false)
  * @param $dn
  * @return bool|string The name of the temporary config file.
  */
-function create_temp_openssl_config(&$dn)
+function create_temp_openssl_config(&$extns)
 {
-    // define temp filename to use for openssl.cnf
+    // define temp filename to use for openssl.cnf and add extensions values to it
     $configFilename = tempnam(sys_get_temp_dir(), 'ssl');
     $template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf');
-    foreach (['subjectAltName', 'keyUsage', 'extendedKeyUsage', 'basicConstraints'] as $dnTag) {
-        if (isset($dn[$dnTag])) {
-            $template_dn = $dnTag . ' = ' . str_replace(array("\r", "\n"), '', $dn[$dnTag]);
+    foreach (['subjectAltName', 'keyUsage', 'extendedKeyUsage', 'basicConstraints'] as $extnTag) {
+        if (isset($extns[$extnTag])) {
+            $template_extn = $extnTag . ' = ' . str_replace(array("\r", "\n"), '', $extns[$extnTag]);
             // Overwrite the placeholders for this property
-            $template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template);
+            $template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template);
         }
     }
     file_put_contents($configFilename, $template);
diff --git a/src/www/system_certmanager.php b/src/www/system_certmanager.php
index 0b73758d1..d133ec0c9 100644
--- a/src/www/system_certmanager.php
+++ b/src/www/system_certmanager.php
@@ -36,9 +36,9 @@ require_once('phpseclib/File/ASN1/Element.php');
 require_once('phpseclib/Crypt/RSA.php');
 require_once('phpseclib/Crypt/Hash.php');
 
-function csr_generate(&$cert, $keylen_curve, $dn, $digest_alg)
+function csr_generate(&$cert, $keylen_curve, $dn, $digest_alg, $extns)
 {
-    $configFilename = create_temp_openssl_config($dn);
+    $configFilename = create_temp_openssl_config($extns);
 
     $args = array(
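Review bot: The docblock line at the top of the hunk still reads `* @param $dn` while the parameter below it was renamed to `&$extns`, so the documentation no longer matches the signature; change it to `* @param array $extns X.509 extension values (subjectAltName, keyUsage, extendedKeyUsage, basicConstraints) spliced into the openssl.cnf template; other keys are ignored`. It would also be worth recording there that values are written into the generated config verbatim apart from the CR/LF stripping on the `$template_extn` line, since that is the only control between the form input assembled in system_certmanager.php and the config file openssl reads. The visible body only reads `$extns` (`isset` and index lookups), so the by-reference `&` looks unnecessary and could be dropped along with the rename, though it is inherited from the old `&$dn`. The start of the docblock and the function's return are outside the hunk.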
@@ -617,7 +617,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         // validation and at the same time create $dn for sign_cert_csr
         if ($pconfig['certmethod'] === 'sign_cert_csr') {
             // XXX: we should separate validation and data gathering
-            $dn = array();
+            $extns = array();
             if (isset($pconfig['key_usage_sign_csr'])) {
                 $san_str = '';
                 if (!empty($pconfig['altname_type_sign_csr'])) {
@@ -638,7 +638,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 }
             }
             if ($san_str !== '') {
-                $dn['subjectAltName'] = $san_str;
+                $extns['subjectAltName'] = $san_str;
             }
             if (is_array($pconfig['key_usage_sign_csr']) && count($pconfig['key_usage_sign_csr']) > 0) {
                 $resstr = '';
@@ -653,7 +653,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                         break;
                 }
             }
-            $dn['keyUsage'] = $resstr;
+            $extns['keyUsage'] = $resstr;
         }
         if (is_array($pconfig['extended_key_usage_sign_csr']) && count($pconfig['extended_key_usage_sign_csr']) > 0) {
             $resstr = '';
@@ -668,12 +668,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                         break;
                 }
             }
-            $dn['extendedKeyUsage'] = $resstr;
+            $extns['extendedKeyUsage'] = $resstr;
         }
         if ($pconfig['basic_constraints_is_ca_sign_csr'] === 'true') {
-            $dn['basicConstraints'] = 'CA:' . ((isset($pconfig['basic_constraints_is_ca_sign_csr']) && $pconfig['basic_constraints_is_ca_sign_csr'] === 'true') ? 'TRUE' : 'false');
+            $extns['basicConstraints'] = 'CA:' . ((isset($pconfig['basic_constraints_is_ca_sign_csr']) && $pconfig['basic_constraints_is_ca_sign_csr'] === 'true') ? 'TRUE' : 'false');
             if (isset($pconfig['basic_constraints_path_len_sign_csr']) && $pconfig['basic_constraints_path_len_sign_csr'] != '') {
-                $dn['basicConstraints'] .= ', pathlen:' . ((int) $pconfig['basic_constraints_path_len_sign_csr']);
+                $extns['basicConstraints'] .= ', pathlen:' . ((int) $pconfig['basic_constraints_path_len_sign_csr']);
             }
         }
     }
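Review bot: The context comment at the top of the hunk, `// validation and at the same time create $dn for sign_cert_csr`, is now stale because the array initialised two lines below it is `$extns`, and `$dn` is no longer what sign_cert_csr receives; change it to `// validation and at the same time create $extns for sign_cert_csr`. The enclosing request-handling block starts and ends outside the hunk.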
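Review bot: The rewritten `$extns['basicConstraints']` line in the last hunk re-tests `$pconfig['basic_constraints_is_ca_sign_csr'] === 'true'` inside a ternary even though the `if` on the preceding line has already established exactly that, so the expression can only ever produce `'CA:TRUE'` and the `'false'` branch is dead; `$extns['basicConstraints'] = 'CA:TRUE';` states the same thing without the misleading conditional. The pathlen guard on the next line uses the loose `!= ''`; since this is form input, `!== ''` makes the intended string comparison explicit and matches the `!== ''` check already used for `$san_str` earlier in the file. Both are inherited from the old `$dn` lines, so this is a style point on lines the commit already rewrites.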
@@ -716,12 +716,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 'organizationName' => $pconfig['dn_organization'],
                 'emailAddress' => $pconfig['dn_email'],
                 'commonName' => $pconfig['dn_commonname']);
+            $extns = array();
             if (count($altnames)) {
                 $altnames_tmp = array();
                 foreach ($altnames as $altname) {
                     $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
                 }
-                $dn['subjectAltName'] = implode(",", $altnames_tmp);
+                $extns['subjectAltName'] = implode(",", $altnames_tmp);
             }
 
             if (!cert_create(
@@ -731,7 +732,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 $pconfig['lifetime'],
                 $dn,
                 $pconfig['digest_alg'],
-                $pconfig['cert_type']
+                $pconfig['cert_type'],
+                $extns
             )) {
                 $input_errors = array();
                 while ($ssl_err = openssl_error_string()) {
@@ -746,7 +748,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             }
         } elseif ($pconfig['certmethod'] === 'sign_cert_csr') {
             if (!sign_cert_csr($cert, $pconfig['caref_sign_csr'], $pconfig['csr'], (int) $pconfig['lifetime_sign_csr'],
-                $pconfig['digest_alg_sign_csr'], $dn)) {
+                $pconfig['digest_alg_sign_csr'], $extns)) {
                 $input_errors = array();
                 while ($ssl_err = openssl_error_string()) {
                     $input_errors[] = gettext("openssl library returns:") . " " . $ssl_err;
@@ -760,6 +762,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 'organizationName' => $pconfig['csr_dn_organization'],
                 'emailAddress' => $pconfig['csr_dn_email'],
                 'commonName' => $pconfig['csr_dn_commonname']);
+            $extns = array();
             if (!empty($pconfig['csr_dn_organizationalunit'])) {
                 $dn['organizationalUnitName'] = $pconfig['csr_dn_organizationalunit'];
             }
@@ -768,9 +771,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 foreach ($altnames as $altname) {
                     $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
                 }
-                $dn['subjectAltName'] = implode(",", $altnames_tmp);
+                $extns['subjectAltName'] = implode(",", $altnames_tmp);
             }
-            if (!csr_generate($cert, $pconfig['csr_keylen_curve'], $dn, $pconfig['csr_digest_alg'])) {
+            if (!csr_generate($cert, $pconfig['csr_keylen_curve'], $dn, $pconfig['csr_digest_alg'], $extns)) {
                 $input_errors = array();
                 while ($ssl_err = openssl_error_string()) {
                     $input_errors[] = gettext("openssl library returns:") . " " . $ssl_err;