OpenVPN export, support cryptoapicert to load certificates from the windows certificate system store, for https://github.com/opnsense/core/issues/3500

This commit is contained in:
Ad Schellevis 2019-05-26 14:47:45 +02:00
parent e8dbda338f
commit 8bb3f1f38c
5 changed files with 55 additions and 21 deletions


@ -45,6 +45,15 @@
<type>checkbox</type>
<help>Verify the server certificate name when the client connects</help>
</field>
<field>
<id>openvpn_export.cryptoapi</id>
<label>Windows Certificate System Store</label>
<type>checkbox</type>
<style>export_option</style>
<help>
Load the certificate and private key from the Windows Certificate System Store (Windows/OpenSSL Only).
</help>
</field>
<field>
<id>openvpn_export.auth_nocache</id>
<label>Disable password save</label>
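Review bot: The help text on the new cryptoapi field does not tell the administrator what the option changes in the export: the pkcs12 bundle and the inline certificate are no longer written to the profile, so a matching client certificate with its private key must already be installed in the Windows certificate store or the profile will not connect. Suggest extending the help to `Load the certificate and private key from the Windows Certificate System Store instead of exporting them; the client certificate must already be installed in the store (Windows/OpenSSL only).` The field's `<style>export_option</style>` also differs from the neighbouring validate_server_cn field shown above it, which has no style; worth confirming that is intended.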


@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
*/
public function supportedOptions()
{
return array("plain_config", "p12_password", "random_local_port", "auth_nocache");
return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
}
/**
@ -74,15 +74,25 @@ class ArchiveOpenVPN extends PlainOpenVPN
}
mkdir($content_dir, 0700, true);
$p12 = $this->export_pkcs12(
$this->config['client_crt'],
$this->config['client_prv'],
!empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
!empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
);
if (empty($this->config['cryptoapi'])) {
// export keypair
$p12 = $this->export_pkcs12(
$this->config['client_crt'],
$this->config['client_prv'],
!empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
!empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
);
file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
$conf[] = "pkcs12 {$base_filename}.p12";
file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
$conf[] = "pkcs12 {$base_filename}.p12";
} else {
// use internal Windows store, only flush ca (when available)
if (!empty($this->config['server_ca_chain'])) {
$cafilename = "{$base_filename}.crt";
file_put_contents("{$content_dir}/$cafilename", implode("\n", $this->config['server_ca_chain']));
$conf[] = "ca {$cafilename}";
}
}
if (!empty($this->config['tls'])) {
$conf[] = "tls-auth {$base_filename}-tls.key 1";
file_put_contents("{$content_dir}/{$base_filename}-tls.key", trim(base64_decode($this->config['tls'])));
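Review bot: In the `@ -74,15 +74,25 @@` hunk the cryptoapi branch emits neither `pkcs12` nor `ca` when `server_ca_chain` is empty, so the exported profile carries no trust anchor and OpenVPN will refuse to start unless the rest of this method (which begins and ends outside the hunk) adds an inline `<ca>`; the non-cryptoapi branch at least embeds the chain in the p12. Either fail the export in that case or state the precondition next to the branch, e.g. `// cryptoapi: the private key never leaves this host, so the CA chain is the only trust material exported and must be present`. The same keypair/CA branch is repeated verbatim in the ViscosityVisz `@ -108,15 +108,24 @@` hunk; a protected helper on PlainOpenVPN that writes the files and returns the `$conf` lines would keep the two exporters from drifting apart. Minor: `"{$content_dir}/$cafilename"` mixes interpolation styles with the surrounding `{$...}` lines.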


@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
*/
public function supportedOptions()
{
return array("plain_config", "random_local_port", "auth_nocache");
return array("plain_config", "random_local_port", "auth_nocache", "cryptoapi");
}
/**
@ -130,6 +130,9 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
$conf[] = "remote-cert-tls server";
}
}
if (!empty($this->config['cryptoapi'])) {
$conf[] = "cryptoapicert \"SUBJ:{$this->config['client_cn']}\"";
}
if (in_array($this->config['mode'], array('server_user', 'server_tls_user'))) {
$conf[] = "auth-user-pass";
if (!empty($this->config['auth_nocache'])) {
@ -148,7 +151,6 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
}
}
}
return $conf;
}
@ -166,7 +168,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
}
$conf[] = "</ca>";
}
if ($this->config['mode'] !== "server_user") {
if ($this->config['mode'] !== "server_user" && empty($this->config['cryptoapi'])) {
$conf[] = "<cert>";
$conf = array_merge($conf, explode("\n", trim($this->config['client_crt'])));
$conf[] = "</cert>";
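Review bot: The `cryptoapicert` line added in the `@ -130,6 +130,9 @@` hunk interpolates `client_cn` straight into a double-quoted OpenVPN argument, so a CN containing `"` or `\` produces a config line OpenVPN cannot parse, and `SUBJ:` is a substring search of the store (it maps to CERT_FIND_SUBJECT_STR), so a CN that occurs inside another certificate's subject can pick the wrong certificate and key. Selecting by thumbprint is exact and needs no escaping: `$conf[] = "cryptoapicert \"THUMB:" . openssl_x509_fingerprint($this->config['client_crt']) . "\"";` — `client_crt` is already read by this class in the `@ -166,7 +168,7 @@` hunk, and OpenVPN's thumbprint parser should accept the bare hex digest (check the `false` return of `openssl_x509_fingerprint` before use). If the subject match is kept, reject or escape `"` and `\` in the CN before interpolation. The `@ -166` hunk skips only the `<cert>` block under cryptoapi; if the method also writes a `<key>` block after `</cert>` (outside the hunk), it must be skipped under the same condition, otherwise the private key still ends up in the exported profile.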


@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
*/
public function supportedOptions()
{
return array("plain_config", "p12_password", "random_local_port", "auth_nocache");
return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
}
/**
@ -108,15 +108,24 @@ class ViscosityVisz extends PlainOpenVPN
}
mkdir($content_dir, 0700, true);
$p12 = $this->export_pkcs12(
$this->config['client_crt'],
$this->config['client_prv'],
!empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
!empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
);
if (empty($this->config['cryptoapi'])) {
// export keypair
$p12 = $this->export_pkcs12(
$this->config['client_crt'],
$this->config['client_prv'],
!empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
!empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
);
file_put_contents("{$content_dir}/pkcs.p12", $p12);
$conf[] = "pkcs12 pkcs.p12";
file_put_contents("{$content_dir}/pkcs.p12", $p12);
$conf[] = "pkcs12 pkcs.p12";
} else {
// use internal Windows store, only flush ca (when available)
if (!empty($this->config['server_ca_chain'])) {
file_put_contents("{$content_dir}/ca.crt", implode("\n", $this->config['server_ca_chain']));
$conf[] = "ca ca.crt";
}
}
if (!empty($this->config['tls'])) {
$conf[] = "tls-auth ta.key 1";
file_put_contents("{$content_dir}/ta.key", trim(base64_decode($this->config['tls'])));


@ -27,6 +27,10 @@
<default>1</default>
<Required>Y</Required>
</validate_server_cn>
<cryptoapi type="BooleanField">
<default>0</default>
<Required>N</Required>
</cryptoapi>
<auth_nocache type="BooleanField">
<default>0</default>
<Required>N</Required>