Project

General

Profile

Download (16.8 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
 * system_crlmanager.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2013 BSD Perimeter
7
 * Copyright (c) 2013-2016 Electric Sheep Fencing
8
 * Copyright (c) 2014-2019 Rubicon Communications, LLC (Netgate)
9
 * All rights reserved.
10
 *
11
 * Licensed under the Apache License, Version 2.0 (the "License");
12
 * you may not use this file except in compliance with the License.
13
 * You may obtain a copy of the License at
14
 *
15
 * http://www.apache.org/licenses/LICENSE-2.0
16
 *
17
 * Unless required by applicable law or agreed to in writing, software
18
 * distributed under the License is distributed on an "AS IS" BASIS,
19
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20
 * See the License for the specific language governing permissions and
21
 * limitations under the License.
22
 */
23

    
24
##|+PRIV
25
##|*IDENT=page-system-crlmanager
26
##|*NAME=System: CRL Manager
27
##|*DESCR=Allow access to the 'System: CRL Manager' page.
28
##|*MATCH=system_crlmanager.php*
29
##|-PRIV
30

    
31
require_once("guiconfig.inc");
32
require_once("certs.inc");
33
require_once("openvpn.inc");
34
require_once("pfsense-utils.inc");
35
require_once("vpn.inc");
36

    
37
$max_lifetime = crl_get_max_lifetime();
38
$default_lifetime = 3650;
39
if ($max_lifetime < $default_lifetime) {
40
	$default_lifetime = $max_lifetime;
41
}
42

    
43
global $openssl_crl_status;
44

    
45
$crl_methods = array(
46
	"internal" => gettext("Create an internal Certificate Revocation List"),
47
	"existing" => gettext("Import an existing Certificate Revocation List"));
48

    
49
if (isset($_REQUEST['id']) && ctype_alnum($_REQUEST['id'])) {
50
	$id = $_REQUEST['id'];
51
}
52

    
53
init_config_arr(array('ca'));
54
$a_ca = &$config['ca'];
55

    
56
init_config_arr(array('cert'));
57
$a_cert = &$config['cert'];
58

    
59
init_config_arr(array('crl'));
60
$a_crl = &$config['crl'];
61

    
62
foreach ($a_crl as $cid => $acrl) {
63
	if (!isset($acrl['refid'])) {
64
		unset ($a_crl[$cid]);
65
	}
66
}
67

    
68
$act = $_REQUEST['act'];
69

    
70

    
71
if (!empty($id)) {
72
	$thiscrl =& lookup_crl($id);
73
}
74

    
75
// If we were given an invalid crlref in the id, no sense in continuing as it would only cause errors.
76
if (!$thiscrl && (($act != "") && ($act != "new"))) {
77
	pfSenseHeader("system_crlmanager.php");
78
	$act="";
79
	$savemsg = gettext("Invalid CRL reference.");
80
	$class = "danger";
81
}
82

    
83
if ($_POST['act'] == "del") {
84
	$name = htmlspecialchars($thiscrl['descr']);
85
	if (crl_in_use($id)) {
86
		$savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted."), $name);
87
		$class = "danger";
88
	} else {
89
		foreach ($a_crl as $cid => $acrl) {
90
			if ($acrl['refid'] == $thiscrl['refid']) {
91
				unset($a_crl[$cid]);
92
			}
93
		}
94
		write_config("Deleted CRL {$name}.");
95
		$savemsg = sprintf(gettext("Certificate Revocation List %s successfully deleted."), $name);
96
		$class = "success";
97
	}
98
}
99

    
100
if ($act == "new") {
101
	$pconfig['method'] = $_REQUEST['method'];
102
	$pconfig['caref'] = $_REQUEST['caref'];
103
	$pconfig['lifetime'] = $default_lifetime;
104
	$pconfig['serial'] = "0";
105
}
106

    
107
if ($act == "exp") {
108
	crl_update($thiscrl);
109
	$exp_name = urlencode("{$thiscrl['descr']}.crl");
110
	$exp_data = base64_decode($thiscrl['text']);
111
	$exp_size = strlen($exp_data);
112

    
113
	header("Content-Type: application/octet-stream");
114
	header("Content-Disposition: attachment; filename={$exp_name}");
115
	header("Content-Length: $exp_size");
116
	echo $exp_data;
117
	exit;
118
}
119

    
120
if ($act == "addcert") {
121
	unset($input_errors);
122
	$pconfig = $_REQUEST;
123

    
124
	if (!$pconfig['crlref'] || !$pconfig['certref']) {
125
		pfSenseHeader("system_crlmanager.php");
126
		exit;
127
	}
128

    
129
	// certref, crlref
130
	$crl =& lookup_crl($pconfig['crlref']);
131
	$cert = lookup_cert($pconfig['certref']);
132

    
133
	if (!$crl['caref'] || !$cert['caref']) {
134
		$input_errors[] = gettext("Both the Certificate and CRL must be specified.");
135
	}
136

    
137
	if ($crl['caref'] != $cert['caref']) {
138
		$input_errors[] = gettext("CA mismatch between the Certificate and CRL. Unable to Revoke.");
139
	}
140
	if (!is_crl_internal($crl)) {
141
		$input_errors[] = gettext("Cannot revoke certificates for an imported/external CRL.");
142
	}
143

    
144
	if (!$input_errors) {
145
		$reason = (empty($pconfig['crlreason'])) ? 0 : $pconfig['crlreason'];
146
		cert_revoke($cert, $crl, $reason);
147
		// refresh IPsec and OpenVPN CRLs
148
		openvpn_refresh_crls();
149
		vpn_ipsec_configure();
150
		write_config("Revoked cert {$cert['descr']} in CRL {$crl['descr']}.");
151
		pfSenseHeader("system_crlmanager.php");
152
		exit;
153
	}
154
}
155

    
156
if ($act == "delcert") {
157
	if (!is_array($thiscrl['cert'])) {
158
		pfSenseHeader("system_crlmanager.php");
159
		exit;
160
	}
161
	$found = false;
162
	foreach ($thiscrl['cert'] as $acert) {
163
		if ($acert['refid'] == $_REQUEST['certref']) {
164
			$found = true;
165
			$thiscert = $acert;
166
		}
167
	}
168
	if (!$found) {
169
		pfSenseHeader("system_crlmanager.php");
170
		exit;
171
	}
172
	$certname = htmlspecialchars($thiscert['descr']);
173
	$crlname = htmlspecialchars($thiscrl['descr']);
174
	if (cert_unrevoke($thiscert, $thiscrl)) {
175
		$savemsg = sprintf(gettext('Deleted Certificate %1$s from CRL %2$s.'), $certname, $crlname);
176
		$class = "success";
177
		// refresh IPsec and OpenVPN CRLs
178
		openvpn_refresh_crls();
179
		vpn_ipsec_configure();
180
		write_config($savemsg);
181
	} else {
182
		$savemsg = sprintf(gettext('Failed to delete Certificate %1$s from CRL %2$s.'), $certname, $crlname);
183
		$class = "danger";
184
	}
185
	$act="edit";
186
}
187

    
188
if ($_POST['save']) {
189
	$input_errors = array();
190
	$pconfig = $_POST;
191

    
192
	/* input validation */
193
	if (($pconfig['method'] == "existing") || ($act == "editimported")) {
194
		$reqdfields = explode(" ", "descr crltext");
195
		$reqdfieldsn = array(
196
			gettext("Descriptive name"),
197
			gettext("Certificate Revocation List data"));
198
	}
199
	if ($pconfig['method'] == "internal") {
200
		$reqdfields = explode(" ", "descr caref");
201
		$reqdfieldsn = array(
202
			gettext("Descriptive name"),
203
			gettext("Certificate Authority"));
204
	}
205

    
206
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
207

    
208
	if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
209
		array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
210
	}
211
	if ($pconfig['lifetime'] > $max_lifetime) {
212
		$input_errors[] = gettext("Lifetime is longer than the maximum allowed value. Use a shorter lifetime.");
213
	}
214

    
215
	/* save modifications */
216
	if (!$input_errors) {
217
		$result = false;
218

    
219
		if ($thiscrl) {
220
			$crl =& $thiscrl;
221
		} else {
222
			$crl = array();
223
			$crl['refid'] = uniqid();
224
		}
225

    
226
		$crl['descr'] = $pconfig['descr'];
227
		if ($act != "editimported") {
228
			$crl['caref'] = $pconfig['caref'];
229
			$crl['method'] = $pconfig['method'];
230
		}
231

    
232
		if (($pconfig['method'] == "existing") || ($act == "editimported")) {
233
			$crl['text'] = base64_encode($pconfig['crltext']);
234
		}
235

    
236
		if ($pconfig['method'] == "internal") {
237
			$crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial'];
238
			$crl['lifetime'] = empty($pconfig['lifetime']) ? $default_lifetime : $pconfig['lifetime'];
239
			$crl['cert'] = array();
240
		}
241

    
242
		if (!$thiscrl) {
243
			$a_crl[] = $crl;
244
		}
245

    
246
		write_config("Saved CRL {$crl['descr']}");
247
		// refresh IPsec and OpenVPN CRLs
248
		openvpn_refresh_crls();
249
		vpn_ipsec_configure();
250
		pfSenseHeader("system_crlmanager.php");
251
	}
252
}
253

    
254
$pgtitle = array(gettext("System"), gettext("Certificate Manager"), gettext("Certificate Revocation"));
255
$pglinks = array("", "system_camanager.php", "system_crlmanager.php");
256

    
257
if ($act == "new" || $act == gettext("Save") || $input_errors || $act == "edit") {
258
	$pgtitle[] = gettext('Edit');
259
	$pglinks[] = "@self";
260
}
261
include("head.inc");
262
?>
263

    
264
<script type="text/javascript">
265
//<![CDATA[
266

    
267
function method_change() {
268

    
269
	method = document.iform.method.value;
270

    
271
	switch (method) {
272
		case "internal":
273
			document.getElementById("existing").style.display="none";
274
			document.getElementById("internal").style.display="";
275
			break;
276
		case "existing":
277
			document.getElementById("existing").style.display="";
278
			document.getElementById("internal").style.display="none";
279
			break;
280
	}
281
}
282

    
283
//]]>
284
</script>
285

    
286
<?php
287

    
288
function build_method_list() {
289
	global $_POST, $crl_methods;
290

    
291
	$list = array();
292

    
293
	foreach ($crl_methods as $method => $desc) {
294
		if (($_POST['importonly'] == "yes") && ($method != "existing")) {
295
			continue;
296
		}
297

    
298
		$list[$method] = $desc;
299
	}
300

    
301
	return($list);
302
}
303

    
304
function build_ca_list() {
305
	global $a_ca;
306

    
307
	$list = array();
308

    
309
	foreach ($a_ca as $ca) {
310
		$list[$ca['refid']] = $ca['descr'];
311
	}
312

    
313
	return($list);
314
}
315

    
316
function build_cacert_list() {
317
	global $ca_certs;
318

    
319
	$list = array();
320

    
321
	foreach ($ca_certs as $cert) {
322
		$list[$cert['refid']] = $cert['descr'];
323
	}
324

    
325
	return($list);
326
}
327

    
328
if ($input_errors) {
329
	print_input_errors($input_errors);
330
}
331

    
332
if ($savemsg) {
333
	print_info_box($savemsg, $class);
334
}
335

    
336
$tab_array = array();
337
$tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
338
$tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
339
$tab_array[] = array(gettext("Certificate Revocation"), true, "system_crlmanager.php");
340
display_top_tabs($tab_array);
341

    
342
if ($act == "new" || $act == gettext("Save") || $input_errors) {
343
	$form = new Form();
344

    
345
	$section = new Form_Section('Create new Revocation List');
346

    
347
	if (!isset($id)) {
348
		$section->addInput(new Form_Select(
349
			'method',
350
			'*Method',
351
			$pconfig['method'],
352
			build_method_list()
353
		));
354
	}
355

    
356
	$section->addInput(new Form_Input(
357
		'descr',
358
		'*Descriptive name',
359
		'text',
360
		$pconfig['descr']
361
	));
362

    
363
	$section->addInput(new Form_Select(
364
		'caref',
365
		'*Certificate Authority',
366
		$pconfig['caref'],
367
		build_ca_list()
368
	));
369

    
370
	$form->add($section);
371

    
372
	$section = new Form_Section('Existing Certificate Revocation List');
373
	$section->addClass('existing');
374

    
375
	$section->addInput(new Form_Textarea(
376
		'crltext',
377
		'*CRL data',
378
		$pconfig['crltext']
379
		))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
380

    
381
	$form->add($section);
382

    
383
	$section = new Form_Section('Internal Certificate Revocation List');
384
	$section->addClass('internal');
385

    
386
	$section->addInput(new Form_Input(
387
		'lifetime',
388
		'Lifetime (Days)',
389
		'number',
390
		$pconfig['lifetime'],
391
		['max' => $max_lifetime]
392
	));
393

    
394
	$section->addInput(new Form_Input(
395
		'serial',
396
		'Serial',
397
		'number',
398
		$pconfig['serial'],
399
		['min' => '0', 'max' => '9999']
400
	));
401

    
402
	$form->add($section);
403

    
404
	if (isset($id) && $thiscrl) {
405
		$form->addGlobal(new Form_Input(
406
			'id',
407
			null,
408
			'hidden',
409
			$id
410
		));
411
	}
412

    
413
	print($form);
414

    
415
} elseif ($act == "editimported") {
416

    
417
	$form = new Form();
418

    
419
	$section = new Form_Section('Edit Imported Certificate Revocation List');
420

    
421
	$section->addInput(new Form_Input(
422
		'descr',
423
		'*Descriptive name',
424
		'text',
425
		$pconfig['descr']
426
	));
427

    
428
	$section->addInput(new Form_Textarea(
429
		'crltext',
430
		'*CRL data',
431
		$pconfig['crltext']
432
	))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
433

    
434
	$form->addGlobal(new Form_Input(
435
		'id',
436
		null,
437
		'hidden',
438
		$id
439
	));
440

    
441
	$form->addGlobal(new Form_Input(
442
		'act',
443
		null,
444
		'hidden',
445
		'editimported'
446
	));
447

    
448
	$form->add($section);
449

    
450
	print($form);
451

    
452
} elseif ($act == "edit") {
453
	$crl = $thiscrl;
454

    
455
	$form = new Form(false);
456
?>
457

    
458
	<div class="panel panel-default">
459
		<div class="panel-heading"><h2 class="panel-title"><?=gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']?></h2></div>
460
		<div class="panel-body table-responsive">
461
<?php
462
	if (!is_array($crl['cert']) || (count($crl['cert']) == 0)) {
463
		print_info_box(gettext("No certificates found for this CRL."), 'danger');
464
	} else {
465
?>
466
			<table class="table table-striped table-hover table-condensed">
467
				<thead>
468
					<tr>
469
						<th><?=gettext("Certificate Name")?></th>
470
						<th><?=gettext("Revocation Reason")?></th>
471
						<th><?=gettext("Revoked At")?></th>
472
						<th></th>
473
					</tr>
474
				</thead>
475
				<tbody>
476
<?php
477
		foreach ($crl['cert'] as $i => $cert):
478
			$name = htmlspecialchars($cert['descr']);
479
?>
480
					<tr>
481
						<td class="listlr">
482
							<?=$name; ?>
483
						</td>
484
						<td class="listlr">
485
							<?=$openssl_crl_status[$cert["reason"]]; ?>
486
						</td>
487
						<td class="listlr">
488
							<?=date("D M j G:i:s T Y", $cert["revoke_time"]); ?>
489
						</td>
490
						<td class="list">
491
							<a href="system_crlmanager.php?act=delcert&amp;id=<?=$crl['refid']; ?>&amp;certref=<?=$cert['refid']; ?>" usepost>
492
								<i class="fa fa-trash" title="<?=gettext("Delete this certificate from the CRL")?>" alt="<?=gettext("Delete this certificate from the CRL")?>"></i>
493
							</a>
494
						</td>
495
					</tr>
496
<?php
497
		endforeach;
498
?>
499
				</tbody>
500
			</table>
501
<?php
502
	}
503
?>
504
		</div>
505
	</div>
506
<?php
507

    
508
	$ca_certs = array();
509
	foreach ($a_cert as $cert) {
510
		if ($cert['caref'] == $crl['caref'] && !is_cert_revoked($cert, $id)) {
511
			$ca_certs[] = $cert;
512
		}
513
	}
514

    
515
	if (count($ca_certs) == 0) {
516
		print_info_box(gettext("No certificates found for this CA."), 'danger');
517
	} else {
518
		$section = new Form_Section('Choose a Certificate to Revoke');
519
		$group = new Form_Group(null);
520

    
521
		$group->add(new Form_Select(
522
			'certref',
523
			null,
524
			$pconfig['certref'],
525
			build_cacert_list()
526
			))->setWidth(4)->setHelp('Certificate');
527

    
528
		$group->add(new Form_Select(
529
			'crlreason',
530
			null,
531
			-1,
532
			$openssl_crl_status
533
			))->setHelp('Reason');
534

    
535
		$group->add(new Form_Button(
536
			'submit',
537
			'Add',
538
			null,
539
			'fa-plus'
540
			))->addClass('btn-success btn-sm');
541

    
542
		$section->add($group);
543

    
544
		$form->addGlobal(new Form_Input(
545
			'id',
546
			null,
547
			'hidden',
548
			$crl['refid']
549
		));
550

    
551
		$form->addGlobal(new Form_Input(
552
			'act',
553
			null,
554
			'hidden',
555
			'addcert'
556
		));
557

    
558
		$form->addGlobal(new Form_Input(
559
			'crlref',
560
			null,
561
			'hidden',
562
			$crl['refid']
563
		));
564

    
565
		$form->add($section);
566
	}
567

    
568
	print($form);
569
} else {
570
?>
571

    
572
	<div class="panel panel-default">
573
		<div class="panel-heading"><h2 class="panel-title"><?=gettext("Additional Certificate Revocation Lists")?></h2></div>
574
		<div class="panel-body table-responsive">
575
			<table class="table table-striped table-hover table-condensed table-rowdblclickedit">
576
				<thead>
577
					<tr>
578
						<th><?=gettext("Name")?></th>
579
						<th><?=gettext("Internal")?></th>
580
						<th><?=gettext("Certificates")?></th>
581
						<th><?=gettext("In Use")?></th>
582
						<th><?=gettext("Actions")?></th>
583
					</tr>
584
				</thead>
585
				<tbody>
586
<?php
587
	$pluginparams = array();
588
	$pluginparams['type'] = 'certificates';
589
	$pluginparams['event'] = 'used_crl';
590
	$certificates_used_by_packages = pkg_call_plugins('plugin_certificates', $pluginparams);
591
	// Map CRLs to CAs in one pass
592
	$ca_crl_map = array();
593
	foreach ($a_crl as $crl) {
594
		$ca_crl_map[$crl['caref']][] = $crl['refid'];
595
	}
596

    
597
	$i = 0;
598
	foreach ($a_ca as $ca):
599
		$name = htmlspecialchars($ca['descr']);
600

    
601
		if ($ca['prv']) {
602
			$cainternal = "YES";
603
		} else {
604
			$cainternal = "NO";
605
		}
606
?>
607
					<tr>
608
						<td colspan="4">
609
							<?=$name?>
610
						</td>
611
						<td>
612
<?php
613
		if ($cainternal == "YES"):
614
?>
615
							<a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>" class="btn btn-xs btn-success">
616
								<i class="fa fa-plus icon-embed-btn"></i>
617
								<?=gettext("Add or Import CRL")?>
618
							</a>
619
<?php
620
		else:
621
?>
622
							<a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;importonly=yes" class="btn btn-xs btn-success">
623
								<i class="fa fa-plus icon-embed-btn"></i>
624
								<?=gettext("Add or Import CRL")?>
625
							</a>
626
<?php
627
		endif;
628
?>
629
						</td>
630
					</tr>
631
<?php
632
		if (is_array($ca_crl_map[$ca['refid']])):
633
			foreach ($ca_crl_map[$ca['refid']] as $crl):
634
				$tmpcrl = lookup_crl($crl);
635
				$internal = is_crl_internal($tmpcrl);
636
				if ($internal && (!isset($tmpcrl['cert']) || empty($tmpcrl['cert'])) ) {
637
					$tmpcrl['cert'] = array();
638
				}
639
				$inuse = crl_in_use($tmpcrl['refid']);
640
?>
641
					<tr>
642
						<td><?=$tmpcrl['descr']; ?></td>
643
						<td><i class="fa fa-<?=($internal) ? "check" : "times"; ?>"></i></td>
644
						<td><?=($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td>
645
						<td><i class="fa fa-<?=($inuse) ? "check" : "times"; ?>"></i>
646
						<?php echo cert_usedby_description($tmpcrl['refid'], $certificates_used_by_packages); ?>
647
						</td>
648
						<td>
649
							<a href="system_crlmanager.php?act=exp&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-download" title="<?=gettext("Export CRL")?>" ></a>
650
<?php
651
				if ($internal): ?>
652
							<a href="system_crlmanager.php?act=edit&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-pencil" title="<?=gettext("Edit CRL")?>"></a>
653
<?php
654
				else:
655
?>
656
							<a href="system_crlmanager.php?act=editimported&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-pencil" title="<?=gettext("Edit CRL")?>"></a>
657
<?php			endif;
658
				if (!$inuse):
659
?>
660
							<a href="system_crlmanager.php?act=del&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-trash" title="<?=gettext("Delete CRL")?>" usepost></a>
661
<?php
662
				endif;
663
?>
664
						</td>
665
					</tr>
666
<?php
667
				$i++;
668
				endforeach;
669
			endif;
670
			$i++;
671
		endforeach;
672
?>
673
				</tbody>
674
			</table>
675
		</div>
676
	</div>
677

    
678

    
679
<?php
680
}
681
?>
682

    
683
<script type="text/javascript">
684
//<![CDATA[
685
events.push(function() {
686

    
687
	// Hides all elements of the specified class. This will usually be a section or group
688
	function hideClass(s_class, hide) {
689
		if (hide) {
690
			$('.' + s_class).hide();
691
		} else {
692
			$('.' + s_class).show();
693
		}
694
	}
695

    
696
	// When the 'method" selector is changed, we show/hide certain sections
697
	$('#method').on('change', function() {
698
		hideClass('internal', ($('#method').val() == 'existing'));
699
		hideClass('existing', ($('#method').val() == 'internal'));
700
	});
701

    
702
	hideClass('internal', ($('#method').val() == 'existing'));
703
	hideClass('existing', ($('#method').val() == 'internal'));
704
});
705
//]]>
706
</script>
707

    
708
<?php include("foot.inc");
(194-194/226)