Project

General

Profile

Download (15.9 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
 * system_crlmanager.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2016 Electric Sheep Fencing, LLC
7
 * All rights reserved.
8
 *
9
 * Licensed under the Apache License, Version 2.0 (the "License");
10
 * you may not use this file except in compliance with the License.
11
 * You may obtain a copy of the License at
12
 *
13
 * http://www.apache.org/licenses/LICENSE-2.0
14
 *
15
 * Unless required by applicable law or agreed to in writing, software
16
 * distributed under the License is distributed on an "AS IS" BASIS,
17
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18
 * See the License for the specific language governing permissions and
19
 * limitations under the License.
20
 */
21

    
22
##|+PRIV
23
##|*IDENT=page-system-crlmanager
24
##|*NAME=System: CRL Manager
25
##|*DESCR=Allow access to the 'System: CRL Manager' page.
26
##|*MATCH=system_crlmanager.php*
27
##|-PRIV
28

    
29
require_once("guiconfig.inc");
30
require_once("certs.inc");
31
require_once("openvpn.inc");
32
require_once("vpn.inc");
33

    
34
global $openssl_crl_status;
35

    
36
$crl_methods = array(
37
	"internal" => gettext("Create an internal Certificate Revocation List"),
38
	"existing" => gettext("Import an existing Certificate Revocation List"));
39

    
40
if (ctype_alnum($_GET['id'])) {
41
	$id = $_GET['id'];
42
}
43
if (isset($_POST['id']) && ctype_alnum($_POST['id'])) {
44
	$id = $_POST['id'];
45
}
46

    
47
if (!is_array($config['ca'])) {
48
	$config['ca'] = array();
49
}
50

    
51
$a_ca =& $config['ca'];
52

    
53
if (!is_array($config['cert'])) {
54
	$config['cert'] = array();
55
}
56

    
57
$a_cert =& $config['cert'];
58

    
59
if (!is_array($config['crl'])) {
60
	$config['crl'] = array();
61
}
62

    
63
$a_crl =& $config['crl'];
64

    
65
foreach ($a_crl as $cid => $acrl) {
66
	if (!isset($acrl['refid'])) {
67
		unset ($a_crl[$cid]);
68
	}
69
}
70

    
71
$act = $_GET['act'];
72
if ($_POST['act']) {
73
	$act = $_POST['act'];
74
}
75

    
76
if (!empty($id)) {
77
	$thiscrl =& lookup_crl($id);
78
}
79

    
80
// If we were given an invalid crlref in the id, no sense in continuing as it would only cause errors.
81
if (!$thiscrl && (($act != "") && ($act != "new"))) {
82
	pfSenseHeader("system_crlmanager.php");
83
	$act="";
84
	$savemsg = gettext("Invalid CRL reference.");
85
}
86

    
87
if ($act == "del") {
88
	$name = htmlspecialchars($thiscrl['descr']);
89
	if (crl_in_use($id)) {
90
		$savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted."), $name);
91
	} else {
92
		foreach ($a_crl as $cid => $acrl) {
93
			if ($acrl['refid'] == $thiscrl['refid']) {
94
				unset($a_crl[$cid]);
95
			}
96
		}
97
		write_config("Deleted CRL {$name}.");
98
		$savemsg = sprintf(gettext("Certificate Revocation List %s successfully deleted."), $name);
99
	}
100
}
101

    
102
if ($act == "new") {
103
	$pconfig['method'] = $_GET['method'];
104
	$pconfig['caref'] = $_GET['caref'];
105
	$pconfig['lifetime'] = "9999";
106
	$pconfig['serial'] = "0";
107
}
108

    
109
if ($act == "exp") {
110
	crl_update($thiscrl);
111
	$exp_name = urlencode("{$thiscrl['descr']}.crl");
112
	$exp_data = base64_decode($thiscrl['text']);
113
	$exp_size = strlen($exp_data);
114

    
115
	header("Content-Type: application/octet-stream");
116
	header("Content-Disposition: attachment; filename={$exp_name}");
117
	header("Content-Length: $exp_size");
118
	echo $exp_data;
119
	exit;
120
}
121

    
122
if ($act == "addcert") {
123
	if ($_POST) {
124
		unset($input_errors);
125
		$pconfig = $_POST;
126

    
127
		if (!$pconfig['crlref'] || !$pconfig['certref']) {
128
			pfSenseHeader("system_crlmanager.php");
129
			exit;
130
		}
131

    
132
		// certref, crlref
133
		$crl =& lookup_crl($pconfig['crlref']);
134
		$cert = lookup_cert($pconfig['certref']);
135

    
136
		if (!$crl['caref'] || !$cert['caref']) {
137
			$input_errors[] = gettext("Both the Certificate and CRL must be specified.");
138
		}
139

    
140
		if ($crl['caref'] != $cert['caref']) {
141
			$input_errors[] = gettext("CA mismatch between the Certificate and CRL. Unable to Revoke.");
142
		}
143
		if (!is_crl_internal($crl)) {
144
			$input_errors[] = gettext("Cannot revoke certificates for an imported/external CRL.");
145
		}
146

    
147
		if (!$input_errors) {
148
			$reason = (empty($pconfig['crlreason'])) ? OCSP_REVOKED_STATUS_UNSPECIFIED : $pconfig['crlreason'];
149
			cert_revoke($cert, $crl, $reason);
150
			// refresh IPsec and OpenVPN CRLs
151
			openvpn_refresh_crls();
152
			vpn_ipsec_configure();
153
			write_config("Revoked cert {$cert['descr']} in CRL {$crl['descr']}.");
154
			pfSenseHeader("system_crlmanager.php");
155
			exit;
156
		}
157
	}
158
}
159

    
160
if ($act == "delcert") {
161
	if (!is_array($thiscrl['cert'])) {
162
		pfSenseHeader("system_crlmanager.php");
163
		exit;
164
	}
165
	$found = false;
166
	foreach ($thiscrl['cert'] as $acert) {
167
		if ($acert['refid'] == $_GET['certref']) {
168
			$found = true;
169
			$thiscert = $acert;
170
		}
171
	}
172
	if (!$found) {
173
		pfSenseHeader("system_crlmanager.php");
174
		exit;
175
	}
176
	$certname = htmlspecialchars($thiscert['descr']);
177
	$crlname = htmlspecialchars($thiscrl['descr']);
178
	if (cert_unrevoke($thiscert, $thiscrl)) {
179
		$savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s."), $certname, $crlname);
180
		// refresh IPsec and OpenVPN CRLs
181
		openvpn_refresh_crls();
182
		vpn_ipsec_configure();
183
		write_config($savemsg);
184
	} else {
185
		$savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s."), $certname, $crlname);
186
	}
187
	$act="edit";
188
}
189

    
190
if ($_POST) {
191
	$input_errors = array();
192
	$pconfig = $_POST;
193

    
194
	/* input validation */
195
	if (($pconfig['method'] == "existing") || ($act == "editimported")) {
196
		$reqdfields = explode(" ", "descr crltext");
197
		$reqdfieldsn = array(
198
			gettext("Descriptive name"),
199
			gettext("Certificate Revocation List data"));
200
	}
201
	if ($pconfig['method'] == "internal") {
202
		$reqdfields = explode(" ", "descr caref");
203
		$reqdfieldsn = array(
204
			gettext("Descriptive name"),
205
			gettext("Certificate Authority"));
206
	}
207

    
208
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
209

    
210
	if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
211
		array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
212
	}
213

    
214
	/* save modifications */
215
	if (!$input_errors) {
216
		$result = false;
217

    
218
		if ($thiscrl) {
219
			$crl =& $thiscrl;
220
		} else {
221
			$crl = array();
222
			$crl['refid'] = uniqid();
223
		}
224

    
225
		$crl['descr'] = $pconfig['descr'];
226
		if ($act != "editimported") {
227
			$crl['caref'] = $pconfig['caref'];
228
			$crl['method'] = $pconfig['method'];
229
		}
230

    
231
		if (($pconfig['method'] == "existing") || ($act == "editimported")) {
232
			$crl['text'] = base64_encode($pconfig['crltext']);
233
		}
234

    
235
		if ($pconfig['method'] == "internal") {
236
			$crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial'];
237
			$crl['lifetime'] = empty($pconfig['lifetime']) ? 9999 : $pconfig['lifetime'];
238
			$crl['cert'] = array();
239
		}
240

    
241
		if (!$thiscrl) {
242
			$a_crl[] = $crl;
243
		}
244

    
245
		write_config("Saved CRL {$crl['descr']}");
246
		// refresh IPsec and OpenVPN CRLs
247
		openvpn_refresh_crls();
248
		vpn_ipsec_configure();
249
		pfSenseHeader("system_crlmanager.php");
250
	}
251
}
252

    
253
$pgtitle = array(gettext("System"), gettext("Certificate Manager"), gettext("Certificate Revocation"));
254

    
255
if ($act == "new" || $act == gettext("Save") || $input_errors || $act == "edit") {
256
	$pgtitle[] = gettext('Edit');
257
}
258
include("head.inc");
259
?>
260

    
261
<script type="text/javascript">
262
//<![CDATA[
263

    
264
function method_change() {
265

    
266
	method = document.iform.method.value;
267

    
268
	switch (method) {
269
		case "internal":
270
			document.getElementById("existing").style.display="none";
271
			document.getElementById("internal").style.display="";
272
			break;
273
		case "existing":
274
			document.getElementById("existing").style.display="";
275
			document.getElementById("internal").style.display="none";
276
			break;
277
	}
278
}
279

    
280
//]]>
281
</script>
282

    
283
<?php
284

    
285
function build_method_list() {
286
	global $_GET, $crl_methods;
287

    
288
	$list = array();
289

    
290
	foreach ($crl_methods as $method => $desc) {
291
		if (($_GET['importonly'] == "yes") && ($method != "existing")) {
292
			continue;
293
		}
294

    
295
		$list[$method] = $desc;
296
	}
297

    
298
	return($list);
299
}
300

    
301
function build_ca_list() {
302
	global $a_ca;
303

    
304
	$list = array();
305

    
306
	foreach ($a_ca as $ca) {
307
		$list[$ca['refid']] = $ca['descr'];
308
	}
309

    
310
	return($list);
311
}
312

    
313
function build_cacert_list() {
314
	global $ca_certs;
315

    
316
	$list = array();
317

    
318
	foreach ($ca_certs as $cert) {
319
		$list[$cert['refid']] = $cert['descr'];
320
	}
321

    
322
	return($list);
323
}
324

    
325
if ($input_errors) {
326
	print_input_errors($input_errors);
327
}
328

    
329
if ($savemsg) {
330
	print_info_box($savemsg, 'success');
331
}
332

    
333
$tab_array = array();
334
$tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
335
$tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
336
$tab_array[] = array(gettext("Certificate Revocation"), true, "system_crlmanager.php");
337
display_top_tabs($tab_array);
338

    
339
if ($act == "new" || $act == gettext("Save") || $input_errors) {
340
	if (!isset($id)) {
341
		$form = new Form();
342

    
343
		$section = new Form_Section('Create new Revocation List');
344

    
345
		$section->addInput(new Form_Select(
346
			'method',
347
			'Method',
348
			$pconfig['method'],
349
			build_method_list()
350
		));
351

    
352
	}
353

    
354
	$section->addInput(new Form_Input(
355
		'descr',
356
		'Descriptive name',
357
		'text',
358
		$pconfig['descr']
359
	));
360

    
361
	$section->addInput(new Form_Select(
362
		'caref',
363
		'Certificate Authority',
364
		$pconfig['caref'],
365
		build_ca_list()
366
	));
367

    
368
	$form->add($section);
369

    
370
	$section = new Form_Section('Existing Certificate Revocation List');
371
	$section->addClass('existing');
372

    
373
	$section->addInput(new Form_Textarea(
374
		'crltext',
375
		'CRL data',
376
		$pconfig['crltext']
377
		))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
378

    
379
	$form->add($section);
380

    
381
	$section = new Form_Section('Internal Certificate Revocation List');
382
	$section->addClass('internal');
383

    
384
	$section->addInput(new Form_Input(
385
		'lifetime',
386
		'Lifetime (Days)',
387
		'number',
388
		$pconfig['lifetime'],
389
		[max => '9999']
390
	));
391

    
392
	$section->addInput(new Form_Input(
393
		'serial',
394
		'Serial',
395
		'number',
396
		$pconfig['serial'],
397
		['min' => '0', 'max' => '9999']
398
	));
399

    
400
	$form->add($section);
401

    
402
	if (isset($id) && $thiscrl) {
403
		$section->addInput(new Form_Input(
404
			'id',
405
			null,
406
			'hidden',
407
			$id
408
		));
409
	}
410

    
411
	print($form);
412

    
413
} elseif ($act == "editimported") {
414

    
415
	$form = new Form();
416

    
417
	$section = new Form_Section('Edit Imported Certificate Revocation List');
418

    
419
	$section->addInput(new Form_Input(
420
		'descr',
421
		'Descriptive name',
422
		'text',
423
		$pconfig['descr']
424
	));
425

    
426
	$section->addInput(new Form_Textarea(
427
		'crltext',
428
		'CRL data',
429
		$pconfig['crltext']
430
	))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
431

    
432
	$section->addInput(new Form_Input(
433
		'id',
434
		null,
435
		'hidden',
436
		$id
437
	));
438

    
439
	$section->addInput(new Form_Input(
440
		'act',
441
		null,
442
		'hidden',
443
		'editimported'
444
	));
445

    
446
	$form->add($section);
447

    
448
	print($form);
449

    
450
} elseif ($act == "edit") {
451
	$crl = $thiscrl;
452

    
453
	$form = new Form(false);
454
?>
455

    
456
	<div class="panel panel-default">
457
		<div class="panel-heading"><h2 class="panel-title"><?=gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']?></h2></div>
458
		<div class="panel-body table-responsive">
459
<?php
460
	if (!is_array($crl['cert']) || (count($crl['cert']) == 0)) {
461
		print_info_box(gettext("No certificates found for this CRL."), 'danger');
462
	} else {
463
?>
464
			<table class="table table-striped table-hover table-condensed">
465
				<thead>
466
					<tr>
467
						<th><?=gettext("Certificate Name")?></th>
468
						<th><?=gettext("Revocation Reason")?></th>
469
						<th><?=gettext("Revoked At")?></th>
470
						<th></th>
471
					</tr>
472
				</thead>
473
				<tbody>
474
<?php
475
		foreach ($crl['cert'] as $i => $cert):
476
			$name = htmlspecialchars($cert['descr']);
477
?>
478
					<tr>
479
						<td class="listlr">
480
							<?=$name; ?>
481
						</td>
482
						<td class="listlr">
483
							<?=$openssl_crl_status[$cert["reason"]]; ?>
484
						</td>
485
						<td class="listlr">
486
							<?=date("D M j G:i:s T Y", $cert["revoke_time"]); ?>
487
						</td>
488
						<td class="list">
489
							<a href="system_crlmanager.php?act=delcert&amp;id=<?=$crl['refid']; ?>&amp;certref=<?=$cert['refid']; ?>">
490
								<i class="fa fa-trash" title="<?=gettext("Delete this certificate from the CRL")?>" alt="<?=gettext("Delete this certificate from the CRL")?>"></i>
491
							</a>
492
						</td>
493
					</tr>
494
<?php
495
		endforeach;
496
?>
497
				</tbody>
498
			</table>
499
<?php
500
	}
501
?>
502
		</div>
503
	</div>
504
<?php
505

    
506
	$ca_certs = array();
507
	foreach ($a_cert as $cert) {
508
		if ($cert['caref'] == $crl['caref']) {
509
			$ca_certs[] = $cert;
510
		}
511
	}
512

    
513
	if (count($ca_certs) == 0) {
514
		print_info_box(gettext("No certificates found for this CA."), 'danger');
515
	} else {
516
		$section = new Form_Section('Choose a Certificate to Revoke');
517
		$group = new Form_Group(null);
518

    
519
		$group->add(new Form_Select(
520
			'certref',
521
			null,
522
			$pconfig['certref'],
523
			build_cacert_list()
524
			))->setWidth(4)->setHelp('Certificate');
525

    
526
		$group->add(new Form_Select(
527
			'crlreason',
528
			null,
529
			-1,
530
			$openssl_crl_status
531
			))->setHelp('Reason');
532

    
533
		$group->add(new Form_Button(
534
			'submit',
535
			'Add',
536
			null,
537
			'fa-plus'
538
			))->addClass('btn-success btn-sm');
539

    
540
		$section->add($group);
541

    
542
		$section->addInput(new Form_Input(
543
			'id',
544
			null,
545
			'hidden',
546
			$crl['refid']
547
		));
548

    
549
		$section->addInput(new Form_Input(
550
			'act',
551
			null,
552
			'hidden',
553
			'addcert'
554
		));
555

    
556
		$section->addInput(new Form_Input(
557
			'crlref',
558
			null,
559
			'hidden',
560
			$crl['refid']
561
		));
562

    
563
		$form->add($section);
564
	}
565

    
566
	print($form);
567
} else {
568
?>
569

    
570
	<div class="panel panel-default">
571
		<div class="panel-heading"><h2 class="panel-title"><?=gettext("Additional Certificate Revocation Lists")?></h2></div>
572
		<div class="panel-body table-responsive">
573
			<table class="table table-striped table-hover table-condensed table-rowdblclickedit">
574
				<thead>
575
					<tr>
576
						<th><?=gettext("Name")?></th>
577
						<th><?=gettext("Internal")?></th>
578
						<th><?=gettext("Certificates")?></th>
579
						<th><?=gettext("In Use")?></th>
580
						<th><?=gettext("Actions")?></th>
581
					</tr>
582
				</thead>
583
				<tbody>
584
<?php
585
	// Map CRLs to CAs in one pass
586
	$ca_crl_map = array();
587
	foreach ($a_crl as $crl) {
588
		$ca_crl_map[$crl['caref']][] = $crl['refid'];
589
	}
590

    
591
	$i = 0;
592
	foreach ($a_ca as $ca):
593
		$name = htmlspecialchars($ca['descr']);
594

    
595
		if ($ca['prv']) {
596
			$cainternal = "YES";
597
		} else {
598
			$cainternal = "NO";
599
		}
600
?>
601
					<tr>
602
						<td colspan="4">
603
							<?=$name?>
604
						</td>
605
						<td>
606
<?php
607
		if ($cainternal == "YES"):
608
?>
609
							<a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>" class="btn btn-xs btn-success">
610
								<i class="fa fa-plus icon-embed-btn"></i>
611
								<?=gettext("Add or Import CRL")?>
612
							</a>
613
<?php
614
		else:
615
?>
616
							<a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;importonly=yes" class="btn btn-xs btn-success">
617
								<i class="fa fa-plus icon-embed-btn"></i>
618
								<?=gettext("Add or Import CRL")?>
619
							</a>
620
<?php
621
		endif;
622
?>
623
						</td>
624
					</tr>
625
<?php
626
		if (is_array($ca_crl_map[$ca['refid']])):
627
			foreach ($ca_crl_map[$ca['refid']] as $crl):
628
				$tmpcrl = lookup_crl($crl);
629
				$internal = is_crl_internal($tmpcrl);
630
				$inuse = crl_in_use($tmpcrl['refid']);
631
?>
632
					<tr>
633
						<td><?=$tmpcrl['descr']; ?></td>
634
						<td><i class="fa fa-<?=($internal) ? "check" : "times"; ?>"></i></td>
635
						<td><?=($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td>
636
						<td><i class="fa fa-<?=($inuse) ? "check" : "times"; ?>"></i></td>
637
						<td>
638
							<a href="system_crlmanager.php?act=exp&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-download" title="<?=gettext("Export CRL")?>"></a>
639
<?php
640
				if ($internal): ?>
641
							<a href="system_crlmanager.php?act=edit&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-pencil" title="<?=gettext("Edit CRL")?>"></a>
642
<?php
643
				else:
644
?>
645
							<a href="system_crlmanager.php?act=editimported&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-pencil" title="<?=gettext("Edit CRL")?>"></a>
646
<?php			endif;
647
				if (!$inuse):
648
?>
649
							<a href="system_crlmanager.php?act=del&amp;id=<?=$tmpcrl['refid']?>" class="fa fa-trash" title="<?=gettext("Delete CRL")?>"></a>
650
<?php
651
				endif;
652
?>
653
						</td>
654
					</tr>
655
<?php
656
				$i++;
657
				endforeach;
658
			endif;
659
			$i++;
660
		endforeach;
661
?>
662
				</tbody>
663
			</table>
664
		</div>
665
	</div>
666

    
667

    
668
<?php
669
}
670
?>
671

    
672
<script>
673
//<![CDATA[
674
events.push(function() {
675

    
676
	// Hides all elements of the specified class. This will usually be a section or group
677
	function hideClass(s_class, hide) {
678
		if (hide) {
679
			$('.' + s_class).hide();
680
		} else {
681
			$('.' + s_class).show();
682
		}
683
	}
684

    
685
	// When the 'method" selector is changed, we show/hide certain sections
686
	$('#method').on('change', function() {
687
		hideClass('internal', ($('#method').val() == 'existing'));
688
		hideClass('existing', ($('#method').val() == 'internal'));
689
	});
690

    
691
	hideClass('internal', ($('#method').val() == 'existing'));
692
	hideClass('existing', ($('#method').val() == 'internal'));
693
});
694
//]]>
695
</script>
696

    
697
<?php include("foot.inc");
698

    
(196-196/227)