Project

General

Profile

« Previous | Next » 

Revision a7e50981

Added by Jim Pingle almost 3 years ago

Allow user to select PKCS#12 encryption. Fixes #13257

View differences:

src/etc/inc/certs.inc
51 51 
	'email' => gettext('email address'),
52 52 
);
53 53 

  		




  
  54
  
    
global $p12_encryption_levels;


  		




  
  55
  
    
$p12_encryption_levels = array(


  		




  
  56
  
    
	'high'   => gettext('High: AES-256 + SHA256 (pfSense Software, FreeBSD, Linux, Windows 10)'),


  		




  
  57
  
    
	'low'    => gettext('Low: 3DES + SHA1 (macOS, older Windows versions)'),


  		




  
  58
  
    
	'legacy' => gettext('Legacy: RC2-40 + SHA1 (legacy OS versions)'),


  		




  
  59
  
    
);


  		




  
  60
  
    

  		




  54
  61
  
    
global $cert_max_lifetime;


  		




  55
  62
  
    
$cert_max_lifetime = 12000;


  		




  56
  63
  
    

  		




  ......




  2612
  2619
  
    
 *                        and optional CA and passphrase.


  		




  2613
  2620
  
    
 * INPUTS


  		




  2614
  2621
  
    
 *   $cert      : Certificate entry array.


  		




  
  2622
  
    
 *   $encryption: Strength of encryption to use:


  		




  
  2623
  
    
 *                "high" (AES-256 + SHA256)


  		




  
  2624
  
    
 *                "low" (3DES + SHA1)


  		




  
  2625
  
    
 *                "legacy" (RC2-40 + SHA1)


  		




  2615
  2626
  
    
 *   $passphrase: Optional passphrase used to encrypt the archive contents and


  		




  2616
  2627
  
    
 *                private key.


  		




  2617
  2628
  
    
 *   $add_ca    : Boolean flag which determines whether or not the certificate


  		




  ......




  2633
  2644
  
    
 *   also not contain a key.


  		




  2634
  2645
  
    
 ******/


  		




  2635
  2646
  
    

  		




  2636
  
  
    
function cert_pkcs12_export($cert, $passphrase = '', $add_ca = true, $delivery = 'download') {


  		




  
  2647
  
    
function cert_pkcs12_export($cert, $encryption = 'high', $passphrase = '', $add_ca = true, $delivery = 'download') {


  		




  2637
  2648
  
    
	global $g;


  		




  2638
  2649
  
    

  		




  2639
  2650
  
    
	/* Unusable certificate entry, bail early. */


  		




  ......




  2642
  2653
  
    
	}


  		




  2643
  2654
  
    

  		




  2644
  2655
  
    
	/* Encryption and Digest */


  		




  2645
  
  
    
	$algo = '-aes256 -certpbe AES-256-CBC -keypbe AES-256-CBC';


  		




  2646
  
  
    
	$hash = '-macalg sha256';


  		




  
  2656
  
    
	switch ($encryption) {


  		




  
  2657
  
    
		case 'legacy':


  		




  
  2658
  
    
			$algo = '-certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';


  		




  
  2659
  
    
			$hash = '';


  		




  
  2660
  
    
			break;


  		




  
  2661
  
    
		case 'low':


  		




  
  2662
  
    
			$algo = '-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES';


  		




  
  2663
  
    
			$hash = '-macalg SHA1';


  		




  
  2664
  
    
			break;


  		




  
  2665
  
    
		case 'high':


  		




  
  2666
  
    
		default:


  		




  
  2667
  
    
			$algo = '-aes256 -certpbe AES-256-CBC -keypbe AES-256-CBC';


  		




  
  2668
  
    
			$hash = '-macalg sha256';


  		




  
  2669
  
    
	}


  		




  2647
  2670
  
    

  		




  2648
  2671
  
    
	/* Make a secure temporary directory */


  		




  2649
  2672
  
    
	$workdir = tempnam("{$g['tmp_path']}/", "p12export");


  		












  

    
      src/usr/local/www/system_certmanager.php
    
  





  49
  49
  
    
global $cert_altname_types;


  		




  50
  50
  
    
global $openssl_digest_algs;


  		




  51
  51
  
    
global $cert_strict_values;


  		




  
  52
  
    
global $p12_encryption_levels;


  		




  
  53
  
    

  		




  52
  54
  
    
$max_lifetime = cert_get_max_lifetime();


  		




  53
  55
  
    
$default_lifetime = min(3650, $max_lifetime);


  		




  54
  56
  
    
$openssl_ecnames = cert_build_curve_list();


  		




  ......




  195
  197
  
    
		} else {


  		




  196
  198
  
    
			$password = null;


  		




  197
  199
  
    
		}


  		




  198
  
  
    
		cert_pkcs12_export($thiscert, $password, true, 'download');


  		




  
  200
  
    
		if (isset($_POST['p12encryption']) &&


  		




  
  201
  
    
		    array_key_exists($_POST['p12encryption'], $p12_encryption_levels)) {


  		




  
  202
  
    
			$encryption = $_POST['p12encryption'];


  		




  
  203
  
    
		} else {


  		




  
  204
  
    
			$encryption = 'high';


  		




  
  205
  
    
		}


  		




  
  206
  
    
		cert_pkcs12_export($thiscert, $encryption, $password, true, 'download');


  		




  199
  207
  
    
		break;


  		




  200
  208
  
    
	default:


  		




  201
  209
  
    
		break;


  		




  ......




  898
  906
  
    
			null,


  		




  899
  907
  
    
			['placeholder' => gettext('Export Password'), 'autocomplete' => 'new-password']


  		




  900
  908
  
    
		))->setHelp('Enter the password to use when using the export buttons below (not stored)')->addClass('toggle-edit collapse');


  		




  
  909
  
    
		$section->addInput(new Form_Select(


  		




  
  910
  
    
		'p12encryption',


  		




  
  911
  
    
		'PKCS#12 Encryption',


  		




  
  912
  
    
		'high',


  		




  
  913
  
    
		$p12_encryption_levels


  		




  
  914
  
    
		))->setHelp('Select the level of encryption to use when exporting a PKCS#12 archive. ' .


  		




  
  915
  
    
				'Encryption support varies by Operating System and program');


  		




  901
  916
  
    
	}


  		




  902
  917
  
    

  		




  903
  918
  
    
	$form->add($section);


  		












Also available in:  Unified diff