/ - Diff - pfSense - pfSense bugtracker

« Previous | Next »

Revision 27127b4a

Added by Jim Pingle almost 8 years ago

ID 27127b4a41e6c95ed0bc6dd9c615bdcf9fc7963c
Parent f0b23d73
Child b71adf8c

Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853
While here, add the cert serial number and sig digest type to the info block for each cert.

(cherry picked from commit aec3a259271be5dae63b148a48b7778c0cd0660e)

     	return true;
+    }
     function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
     function csr_sign($csr, & $ca, $duration, $type = "user", $altnames, $digest_alg = "sha256") {
     	global $config;
     	$old_err_level = error_reporting(0);
-...
     	$args = array(
     		"x509_extensions" => $cert_type,
     		"digest_alg" => $digest_alg,
     		"req_extensions" => "req_{$cert_type}"
     	);
-...
+    	}
+    }
     function cert_get_sigtype($str_crt, $decode = true) {
     	if ($decode) {
     		$str_crt = base64_decode($str_crt);
+    	}
     	$crt_details = openssl_x509_parse($str_crt);
     	$signature = array();
     	if (isset($crt_details['signatureTypeSN']) && !empty($crt_details['signatureTypeSN'])) {
     		$signature['shortname'] = $crt_details['signatureTypeSN'];
+    	}
     	if (isset($crt_details['signatureTypeLN']) && !empty($crt_details['signatureTypeLN'])) {
     		$signature['longname'] = $crt_details['signatureTypeLN'];
+    	}
     	if (isset($crt_details['signatureTypeNID']) && !empty($crt_details['signatureTypeNID'])) {
     		$signature['nid'] = $crt_details['signatureTypeNID'];
+    	}
     	return $signature;
+    }
     function is_openvpn_server_ca($caref) {
     	global $config;
     	if (!is_array($config['openvpn']['openvpn-server'])) {

     	$pconfig['digest_alg'] = "sha256";
     	$pconfig['csr_keylen'] = "2048";
     	$pconfig['csr_digest_alg'] = "sha256";
     	$pconfig['csrsign_digest_alg'] = "sha256";
     	$pconfig['type'] = "user";
     	$pconfig['lifetime'] = "3650";
+    }
-...
     			if (($pconfig['method'] == "external") && !in_array($_POST["csr_digest_alg"], $openssl_digest_algs)) {
     				array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+    			}
     			if (($pconfig['method'] == "sign") && !in_array($_POST["csrsign_digest_alg"], $openssl_digest_algs)) {
     				array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+    			}
+    		}
     		/* save modifications */
-...
     					$altname_str = implode(",", $altnames_tmp);
+    				}
     				$n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str);
     				$n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str, $pconfig['csrsign_digest_alg']);
     				if ($n509) {
     					// Gather the details required to save the new cert
-...
     		'csrsign_lifetime',
     		'*Certificate Lifetime (days)',
     		'number',
     		$pconfig['duration'] ? $pconfig['duration']:'3650'
     		$pconfig['csrsign_lifetime'] ? $pconfig['csrsign_lifetime']:'3650'
     	));
     	$section->addInput(new Form_Select(
     		'csrsign_digest_alg',
     		'*Digest Algorithm',
     		$pconfig['csrsign_digest_alg'],
     		array_combine($openssl_digest_algs, $openssl_digest_algs)
     	))->setHelp('NOTE: It is recommended to use an algorithm stronger than '.
     		'SHA1 when possible');
     	$form->add($section);
-...
     						<?=$subj?>
     						<?php
     						$certextinfo = "";
     						$certserial = cert_get_serial($cert['crt']);
     						if (!empty($certserial)) {
     							$certextinfo .= '<b>' . gettext("Serial: ") . '</b> ';
     							$certextinfo .= htmlspecialchars(cert_escape_x509_chars($certserial, true));
     							$certextinfo .= '<br/>';
+    						}
     						$certsig = cert_get_sigtype($cert['crt']);
     						if (is_array($certsig) && !empty($certsig) && !empty($certsig['shortname'])) {
     							$certextinfo .= '<b>' . gettext("Signature Digest: ") . '</b> ';
     							$certextinfo .= htmlspecialchars(cert_escape_x509_chars($certsig['shortname'], true));
     							$certextinfo .= '<br/>';
+    						}
     						if (is_array($sans) && !empty($sans)) {
     							$certextinfo .= '<b>' . gettext("SAN: ") . '</b> ';
     							$certextinfo .= htmlspecialchars(implode(', ', cert_escape_x509_chars($sans, true)));

Also available in: Unified diff

Project

General

Profile

pfSense

Revision 27127b4a

Added by Jim Pingle almost 8 years ago

Project

General

Profile

pfSense

Revision 27127b4a

Added by Jim Pingle almost 8 years ago

Related issues