Revision 27fc5a30
Added by Jim Pingle about 1 year ago
src/etc/inc/certs.inc | ||
2365 | 2365 |
|
2366 | 2366 |
function ca_setup_trust_store() { |
2367 | 2367 |
/* This directory is trusted by OpenSSL on FreeBSD by default */ |
2368 |
$trust_store_directory = '/etc/ssl/certs'; |
|
2368 |
$trust_store_directory = '/usr/local/etc/ssl/certs';
|
|
2369 | 2369 |
|
2370 | 2370 |
/* Create the directory if it does not already exist, and clean it up if it does. */ |
2371 | 2371 |
safe_mkdir($trust_store_directory); |
2372 |
unlink_if_exists("{$trust_store_directory}/*.0"); |
|
2372 |
unlink_if_exists("{$trust_store_directory}/*.crt"); |
|
2373 |
unlink_if_exists("{$trust_store_directory}/*.crl"); |
|
2373 | 2374 |
|
2374 | 2375 |
foreach (config_get_path('ca', []) as $ca) { |
2375 | 2376 |
/* If the entry is invalid or is not trusted, skip it. */ |
... | ... | |
2380 | 2381 |
continue; |
2381 | 2382 |
} |
2382 | 2383 |
|
2383 |
ca_setup_capath($ca, $trust_store_directory); |
|
2384 |
ca_setup_capath($ca, $trust_store_directory, '', false, 'crt', 'crl');
|
|
2384 | 2385 |
} |
2386 |
|
|
2385 | 2387 |
mwexec_bg('/usr/sbin/certctl rehash'); |
2386 | 2388 |
} |
2387 | 2389 |
|
... | ... | |
2395 | 2397 |
* $basedir: The directory which will contain the CA structure. |
2396 | 2398 |
* $crl : A CRL (not a refid) associated with the CA to write. |
2397 | 2399 |
* $refresh: Refresh CRLs -- When true, perform no cleanup and increment suffix |
2400 |
* $crtext : Certificate file extension |
|
2401 |
* $crlext : CRL file extension |
|
2398 | 2402 |
* RESULT |
2399 | 2403 |
* $basedir is populated with CA and CRL files in a format usable by OpenSSL |
2400 | 2404 |
* CApath. This has the filenames as the CA hash with the CA named <hash>.0 |
2401 | 2405 |
* and CRLs named <hash>.r0 |
2402 | 2406 |
******/ |
2403 | 2407 |
|
2404 |
function ca_setup_capath($ca, $basedir, $crl = "", $refresh = false) { |
|
2408 |
function ca_setup_capath($ca, $basedir, $crl = "", $refresh = false, $crtext = '0', $crlext = 'r') {
|
|
2405 | 2409 |
/* Check for an invalid CA */ |
2406 | 2410 |
if (!$ca || !is_array($ca)) { |
2407 | 2411 |
return false; |
... | ... | |
2432 | 2436 |
$fprefix = "{$basedir}/{$cert_details['hash']}"; |
2433 | 2437 |
|
2434 | 2438 |
|
2435 |
$ca_filename = "{$fprefix}.0";
|
|
2439 |
$ca_filename = "{$fprefix}.{$crtext}";
|
|
2436 | 2440 |
/* Cleanup old CA/CRL files for this hash */ |
2437 | 2441 |
@unlink_if_exists($ca_filename); |
2438 | 2442 |
/* Write CA to base dir and ensure it has correct permissions. */ |
... | ... | |
2443 | 2447 |
|
2444 | 2448 |
/* If there is a CRL, process it. */ |
2445 | 2449 |
if ($crl) { |
2446 |
$crl_filename = "{$fprefix}.r";
|
|
2450 |
$crl_filename = "{$fprefix}.{$crlext}";
|
|
2447 | 2451 |
if (!$refresh) { |
2448 | 2452 |
/* Cleanup old CA/CRL files for this hash */ |
2449 | 2453 |
@unlink_if_exists("{$crl_filename}*"); |
2450 | 2454 |
} |
2451 |
/* Find next suffix based on how many existing files there are (start=0) */ |
|
2452 |
$crl_filename .= count(glob("{$crl_filename}*")); |
|
2455 |
|
|
2456 |
if ($crlext == 'r') { |
|
2457 |
/* Find next suffix based on how many existing files there are (start=0) */ |
|
2458 |
$crl_filename .= count(glob("{$crl_filename}*")); |
|
2459 |
} |
|
2460 |
|
|
2453 | 2461 |
/* Write CRL to base dir and ensure it has correct permissions. */ |
2454 | 2462 |
file_put_contents($crl_filename, base64_decode($crl['text'])); |
2455 | 2463 |
chmod($crl_filename, 0644); |
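Review bot: The cleanup in ca_setup_trust_store now removes every `*.crt` and `*.crl` under `/usr/local/etc/ssl/certs`, not just the `<hash>.0` files this function itself wrote, so if that directory also holds certificates placed there by an administrator they would be deleted on each rebuild; if that is intentional it deserves a comment such as `/* This directory is fully managed by this function; any other .crt/.crl file placed here is removed on rebuild. */`, otherwise the glob should be narrowed to the files written by ca_setup_capath. In ca_setup_capath, `if ($crlext == 'r')` should use a strict comparison, `if ($crlext === 'r') {`, to match the rest of the file's handling of string flags. The header comment still states that CRLs are always named `<hash>.r0`, which is only true for the default extensions; a sentence noting that with a non-'r' `$crlext` a single `<hash>.<crlext>` file is written and overwritten on refresh would keep it accurate. ca_setup_capath's body continues past the end of this hunk.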
Fix CA trust store custom entries. Fixes #15440
certctl rehash behavior changed, so we need to write the CA files out
differently now so it picks them up.