Trust / Authorities - prevent expired certificates from being flushed to disk to avoid non valid paths being trusted. (ref https://github.com/opnsense/core/issues/5257)

ca-root-nss should be valid at all times, we shouldn't (ever) try to cleanse whats being shipped as part of the system, but user input can be unsafe leading to dangerous situations. Eventually we could also consider preventing bundles being imported in the authorities section, but that wouldn't fix issues with already deployed certificates and user input can still lead to broken chains easily.
2026-03-20 11:26:13 +00:00 · 2021-10-05 11:40:54 +02:00 · 2021-10-05 11:40:54 +02:00 · d8ddef45e8
commit d8ddef45e8
parent f129c4682b
1 changed files with 28 additions and 1 deletions
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@ -825,7 +825,34 @@ function system_trust_configure($verbose = false)
        $ca = file_get_contents($ca_root_nss);
        foreach (config_read_array('ca') as $entry) {
            if (!empty($entry['crt'])) {
-                $ca .= "\n# {$entry['descr']}\n" . str_replace("\r", '', base64_decode($entry['crt']));
+                // Split and cleans ca certificates, one entry could contain multiple certs if a user imported a bundle
+                // avoid expired ca's from being considered as valid alternatives.
+                $certlist = str_replace("\r", '', base64_decode($entry['crt']));
+                $user_cas = [""];
+                foreach (explode("\n", $certlist) as $row) {
+                    $user_cas[count($user_cas)-1] .= $row ."\n";
+                    if (strpos($row, '---END') > 0) {
+                        $user_cas[] = "";
+                    }
+                }
+                $ca .= "\n# {$entry['descr']}\n";
+                foreach ($user_cas as $user_ca) {
+                    if (!empty(trim($user_ca))) {
+                        $certinfo = @openssl_x509_parse($user_ca);
+                        if (!empty($certinfo['validTo']) && $certinfo['validTo_time_t'] < time()) {
+                            $error_line = sprintf(
+                                "refusing to import %s from %s (expired @ %s)",
+                                $certinfo['name'],
+                                $entry['descr'],
+                                date('r', $certinfo['validFrom_time_t'])
+                            );
+                            log_error($error_line);
+                            $ca .= "#" .  str_replace("\n", "", $error_line);
+                            continue;
+                        }
+                        $ca .= $user_ca;
+                    }
+                }
            }
        }