Project

General

Profile

« Previous | Next » 

Revision a7e50981

Added by Jim Pingle almost 3 years ago

Allow user to select PKCS#12 encryption. Fixes #13257

View differences:

src/etc/inc/certs.inc
51 51 
	'email' => gettext('email address'),
52 52 
);
53 53 

  		




  
  54
  
    
global $p12_encryption_levels;


  		




  
  55
  
    
$p12_encryption_levels = array(


  		




  
  56
  
    
	'high'   => gettext('High: AES-256 + SHA256 (pfSense Software, FreeBSD, Linux, Windows 10)'),


  		




  
  57
  
    
	'low'    => gettext('Low: 3DES + SHA1 (macOS, older Windows versions)'),


  		




  
  58
  
    
	'legacy' => gettext('Legacy: RC2-40 + SHA1 (legacy OS versions)'),


  		




  
  59
  
    
);


  		




  
  60
  
    

  		




  54
  61
  
    
global $cert_max_lifetime;


  		




  55
  62
  
    
$cert_max_lifetime = 12000;


  		




  56
  63
  
    

  		




  ......




  2612
  2619
  
    
 *                        and optional CA and passphrase.


  		




  2613
  2620
  
    
 * INPUTS


  		




  2614
  2621
  
    
 *   $cert      : Certificate entry array.


  		




  
  2622
  
    
 *   $encryption: Strength of encryption to use:


  		




  
  2623
  
    
 *                "high" (AES-256 + SHA256)


  		




  
  2624
  
    
 *                "low" (3DES + SHA1)


  		




  
  2625
  
    
 *                "legacy" (RC2-40 + SHA1)


  		




  2615
  2626
  
    
 *   $passphrase: Optional passphrase used to encrypt the archive contents and


  		




  2616
  2627
  
    
 *                private key.


  		




  2617
  2628
  
    
 *   $add_ca    : Boolean flag which determines whether or not the certificate


  		




  ......




  2633
  2644
  
    
 *   also not contain a key.


  		




  2634
  2645
  
    
 ******/


  		




  2635
  2646
  
    

  		




  2636
  
  
    
function cert_pkcs12_export($cert, $passphrase = '', $add_ca = true, $delivery = 'download') {


  		




  
  2647
  
    
function cert_pkcs12_export($cert, $encryption = 'high', $passphrase = '', $add_ca = true, $delivery = 'download') {


  		




  2637
  2648
  
    
	global $g;


  		




  2638
  2649
  
    

  		




  2639
  2650
  
    
	/* Unusable certificate entry, bail early. */


  		




  ......




  2642
  2653
  
    
	}


  		




  2643
  2654
  
    

  		




  2644
  2655
  
    
	/* Encryption and Digest */


  		




  2645
  
  
    
	$algo = '-aes256 -certpbe AES-256-CBC -keypbe AES-256-CBC';


  		




  2646
  
  
    
	$hash = '-macalg sha256';


  		




  
  2656
  
    
	switch ($encryption) {


  		




  
  2657
  
    
		case 'legacy':


  		




  
  2658
  
    
			$algo = '-certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';


  		




  
  2659
  
    
			$hash = '';


  		




  
  2660
  
    
			break;


  		




  
  2661
  
    
		case 'low':


  		




  
  2662
  
    
			$algo = '-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES';


  		




  
  2663
  
    
			$hash = '-macalg SHA1';


  		




  
  2664
  
    
			break;


  		




  
  2665
  
    
		case 'high':


  		




  
  2666
  
    
		default:


  		




  
  2667
  
    
			$algo = '-aes256 -certpbe AES-256-CBC -keypbe AES-256-CBC';


  		




  
  2668
  
    
			$hash = '-macalg sha256';


  		




  
  2669
  
    
	}


  		




  2647
  2670
  
    

  		




  2648
  2671
  
    
	/* Make a secure temporary directory */


  		




  2649
  2672
  
    
	$workdir = tempnam("{$g['tmp_path']}/", "p12export");


  		












Also available in:  Unified diff