Revision a6bd9e78
Added by Jim Pingle over 5 years ago
| src/etc/inc/certs.inc | ||
|---|---|---|
| 1126 | 1126 |
/* Entry is an array with certificate text which can be used to |
| 1127 | 1127 |
* determine the serial */ |
| 1128 | 1128 |
return cert_get_serial($entry['crt'], true); |
| 1129 |
} elseif (cert_validate_serial($entry) != null) {
|
|
| 1129 |
} elseif (cert_validate_serial($entry, false, true) != null) {
|
|
| 1130 | 1130 |
/* Entry is a valid serial string */ |
| 1131 | 1131 |
return $entry; |
| 1132 | 1132 |
} |
| ... | ... | |
| 1148 | 1148 |
* is valid. |
| 1149 | 1149 |
******/ |
| 1150 | 1150 |
|
| 1151 |
function cert_validate_serial($serial, $returnvalue = false) {
|
|
| 1151 |
function cert_validate_serial($serial, $returnvalue = false, $allowlarge = false) {
|
|
| 1152 | 1152 |
require_once('ASN1.php');
|
| 1153 | 1153 |
require_once('ASN1_INT.php');
|
| 1154 | 1154 |
/* The ASN.1 parsing function will throw an exception if the value is |
| ... | ... | |
| 1169 | 1169 |
/* Convert to decimal */ |
| 1170 | 1170 |
$serial = base_convert($serial, 16, 10); |
| 1171 | 1171 |
} |
| 1172 |
|
|
| 1173 |
/* Unfortunately, PHP openssl_csr_sign() limits serial numbers to a |
|
| 1174 |
* PHP integer, so we cannot generate large numbers up to the maximum |
|
| 1175 |
* allowed ASN.1 size (2^159). We are limited to PHP_INT_MAX -- |
|
| 1176 |
* As such, numbers larger than that limit should be rejected */ |
|
| 1177 |
if ($serial > PHP_INT_MAX) {
|
|
| 1178 |
throw new Exception('Serial too large for PHP OpenSSL');
|
|
| 1179 |
} |
|
| 1180 |
|
|
| 1172 | 1181 |
/* Attempt to create an ASN.1 integer, if it fails, an exception will be thrown */ |
| 1173 | 1182 |
$asn1serial = new \Ukrbublik\openssl_x509_crl\ASN1_INT( $serial ); |
| 1174 | 1183 |
return ($returnvalue) ? $asn1serial->content : true; |
| src/usr/local/www/system_camanager.php | ||
|---|---|---|
| 236 | 236 |
} |
| 237 | 237 |
} |
| 238 | 238 |
|
| 239 |
if (!empty($_POST['serial']) && !cert_validate_serial($_POST['serial'])) {
|
|
| 240 |
$input_errors[] = gettext("Please enter a valid integer serial number.");
|
|
| 241 |
} |
|
| 242 |
|
|
| 239 | 243 |
/* save modifications */ |
| 240 | 244 |
if (!$input_errors) {
|
| 241 | 245 |
$ca = array(); |
| src/usr/local/www/system_crlmanager.php | ||
|---|---|---|
| 156 | 156 |
if (empty($serial)) {
|
| 157 | 157 |
continue; |
| 158 | 158 |
} |
| 159 |
$vserial = cert_validate_serial($serial, true); |
|
| 159 |
$vserial = cert_validate_serial($serial, true, true);
|
|
| 160 | 160 |
if ($vserial != null) {
|
| 161 | 161 |
$revoke_list[] = $vserial; |
| 162 | 162 |
} else {
|
| ... | ... | |
| 241 | 241 |
$input_errors[] = gettext("Lifetime is longer than the maximum allowed value. Use a shorter lifetime.");
|
| 242 | 242 |
} |
| 243 | 243 |
|
| 244 |
if (!empty($pconfig['serial']) && !cert_validate_serial($pconfig['serial'])) {
|
|
| 245 |
$input_errors[] = gettext("Please enter a valid integer serial number.");
|
|
| 246 |
} |
|
| 247 |
|
|
| 244 | 248 |
/* save modifications */ |
| 245 | 249 |
if (!$input_errors) {
|
| 246 | 250 |
$result = false; |
Also available in: Unified diff
Validate CA/CRL serial input. Issue #9883 Issue #9869