Revision f0b38e39
Added by Jim Pingle over 5 years ago
| src/usr/local/www/system_certmanager.php | ||
|---|---|---|
| 52 | 52 |
$max_lifetime = cert_get_max_lifetime(); |
| 53 | 53 |
$default_lifetime = min(3650, $max_lifetime); |
| 54 | 54 |
$openssl_ecnames = openssl_get_curve_names(); |
| 55 |
$class = "success"; |
|
| 55 | 56 |
|
| 56 | 57 |
if (isset($_REQUEST['userid']) && is_numericint($_REQUEST['userid'])) {
|
| 57 | 58 |
$userid = $_REQUEST['userid']; |
| ... | ... | |
| 63 | 64 |
$a_user =& $config['system']['user']; |
| 64 | 65 |
} |
| 65 | 66 |
|
| 66 |
if (isset($_REQUEST['id']) && is_numericint($_REQUEST['id'])) {
|
|
| 67 |
$id = $_REQUEST['id']; |
|
| 68 |
} |
|
| 69 |
|
|
| 70 | 67 |
init_config_arr(array('ca'));
|
| 71 | 68 |
$a_ca = &$config['ca']; |
| 72 | 69 |
|
| ... | ... | |
| 82 | 79 |
|
| 83 | 80 |
$act = $_REQUEST['act']; |
| 84 | 81 |
|
| 82 |
if (isset($_REQUEST['id']) && ctype_alnum($_REQUEST['id'])) {
|
|
| 83 |
$id = $_REQUEST['id']; |
|
| 84 |
} |
|
| 85 |
if (!empty($id)) {
|
|
| 86 |
$thiscert =& lookup_cert($id); |
|
| 87 |
} |
|
| 88 |
|
|
| 85 | 89 |
/* Actions other than 'new' require an ID. |
| 86 | 90 |
* 'del' action must be submitted via POST. */ |
| 87 | 91 |
if ((!empty($act) && |
| 88 | 92 |
($act != 'new') && |
| 89 |
!$a_cert[$id]) ||
|
|
| 93 |
!$thiscert) ||
|
|
| 90 | 94 |
(($act == 'del') && empty($_POST))) {
|
| 91 | 95 |
pfSenseHeader("system_certmanager.php");
|
| 92 | 96 |
exit; |
| ... | ... | |
| 94 | 98 |
|
| 95 | 99 |
switch ($act) {
|
| 96 | 100 |
case 'del': |
| 97 |
unset($a_cert[$id]); |
|
| 98 |
write_config(); |
|
| 99 |
$savemsg = sprintf(gettext("Certificate %s successfully deleted."), htmlspecialchars($a_cert[$id]['descr']));
|
|
| 100 |
pfSenseHeader("system_certmanager.php");
|
|
| 101 |
exit; |
|
| 101 |
$name = htmlspecialchars($thiscert['descr']); |
|
| 102 |
if (cert_in_use($id)) {
|
|
| 103 |
$savemsg = sprintf(gettext("Certificate %s is in use and cannot be deleted"), $name);
|
|
| 104 |
$class = "danger"; |
|
| 105 |
} else {
|
|
| 106 |
foreach ($a_cert as $cid => $acrt) {
|
|
| 107 |
if ($acrt['refid'] == $thiscert['refid']) {
|
|
| 108 |
unset($a_cert[$cid]); |
|
| 109 |
} |
|
| 110 |
} |
|
| 111 |
$savemsg = sprintf(gettext("Deleted certificate %s"), $name);
|
|
| 112 |
write_config($savemsg); |
|
| 113 |
} |
|
| 114 |
unset($act); |
|
| 115 |
break; |
|
| 102 | 116 |
case 'new': |
| 103 | 117 |
/* New certificate, so set default values */ |
| 104 | 118 |
$pconfig['method'] = $_POST['method']; |
| ... | ... | |
| 116 | 130 |
break; |
| 117 | 131 |
case 'csr': |
| 118 | 132 |
/* Editing a CSR, so populate values */ |
| 119 |
$pconfig['descr'] = $a_cert[$id]['descr'];
|
|
| 120 |
$pconfig['csr'] = base64_decode($a_cert[$id]['csr']);
|
|
| 133 |
$pconfig['descr'] = $thiscert['descr'];
|
|
| 134 |
$pconfig['csr'] = base64_decode($thiscert['csr']);
|
|
| 121 | 135 |
break; |
| 122 | 136 |
case 'exp': |
| 123 | 137 |
/* Exporting a certificate */ |
| 124 |
send_user_download('data', base64_decode($a_cert[$id]['crt']), "{$a_cert[$id]['descr']}.crt");
|
|
| 138 |
send_user_download('data', base64_decode($thiscert['crt']), "{$thiscert['descr']}.crt");
|
|
| 125 | 139 |
break; |
| 126 | 140 |
case 'req': |
| 127 | 141 |
/* Exporting a certificate signing request */ |
| 128 |
send_user_download('data', base64_decode($a_cert[$id]['csr']), "{$a_cert[$id]['descr']}.req");
|
|
| 142 |
send_user_download('data', base64_decode($thiscert['csr']), "{$thiscert['descr']}.req");
|
|
| 129 | 143 |
break; |
| 130 | 144 |
case 'key': |
| 131 | 145 |
/* Exporting a private key */ |
| 132 |
send_user_download('data', base64_decode($a_cert[$id]['prv']), "{$a_cert[$id]['descr']}.key");
|
|
| 146 |
send_user_download('data', base64_decode($thiscert['prv']), "{$thiscert['descr']}.key");
|
|
| 133 | 147 |
break; |
| 134 | 148 |
case 'p12': |
| 135 | 149 |
/* Exporting a PKCS#12 file containing the certificate, key, and (if present) CA */ |
| 136 | 150 |
$args = array(); |
| 137 |
$args['friendly_name'] = $a_cert[$id]['descr'];
|
|
| 138 |
$ca = lookup_ca($a_cert[$id]['caref']);
|
|
| 151 |
$args['friendly_name'] = $thiscert['descr'];
|
|
| 152 |
$ca = lookup_ca($thiscert['caref']);
|
|
| 139 | 153 |
if ($ca) {
|
| 140 | 154 |
/* If the CA can be found, then add the CA to the container */ |
| 141 | 155 |
$args['extracerts'] = openssl_x509_read(base64_decode($ca['crt'])); |
| 142 | 156 |
} |
| 143 |
$res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt']));
|
|
| 144 |
$res_key = openssl_pkey_get_private(base64_decode($a_cert[$id]['prv']));
|
|
| 157 |
$res_crt = openssl_x509_read(base64_decode($thiscert['crt']));
|
|
| 158 |
$res_key = openssl_pkey_get_private(base64_decode($thiscert['prv']));
|
|
| 145 | 159 |
$exp_data = ""; |
| 146 | 160 |
openssl_pkcs12_export($res_crt, $exp_data, $res_key, null, $args); |
| 147 |
send_user_download('data', $exp_data, "{$a_cert[$id]['descr']}.p12");
|
|
| 161 |
send_user_download('data', $exp_data, "{$thiscert['descr']}.p12");
|
|
| 148 | 162 |
break; |
| 149 | 163 |
default: |
| 150 | 164 |
break; |
| ... | ... | |
| 342 | 356 |
$cert = lookup_cert($pconfig['certref']); |
| 343 | 357 |
if ($cert && $a_user) {
|
| 344 | 358 |
$a_user[$userid]['cert'][] = $cert['refid']; |
| 359 |
$savemsg = sprintf(gettext("Added certificate %s to user %s"), $cert['descr'], $a_user[$userid]['name']);
|
|
| 345 | 360 |
} |
| 346 | 361 |
} elseif ($pconfig['method'] == "sign") { // Sign a CSR
|
| 347 | 362 |
$csrid = lookup_cert($pconfig['csrtosign']); |
| ... | ... | |
| 379 | 394 |
|
| 380 | 395 |
// Add it to the config file |
| 381 | 396 |
$config['cert'][] = $newcert; |
| 397 |
$savemsg = sprintf(gettext("Signed certificate %s"), $newcert['descr']);
|
|
| 382 | 398 |
} |
| 383 | 399 |
|
| 384 | 400 |
} else {
|
| 385 | 401 |
$cert = array(); |
| 386 | 402 |
$cert['refid'] = uniqid(); |
| 387 |
if (isset($id) && $a_cert[$id]) {
|
|
| 388 |
$cert = $a_cert[$id];
|
|
| 403 |
if (isset($id) && $thiscert) {
|
|
| 404 |
$cert = $thiscert;
|
|
| 389 | 405 |
} |
| 390 | 406 |
|
| 391 | 407 |
$cert['descr'] = $pconfig['descr']; |
| ... | ... | |
| 394 | 410 |
|
| 395 | 411 |
if ($pconfig['method'] == "import") {
|
| 396 | 412 |
cert_import($cert, $pconfig['cert'], $pconfig['key']); |
| 413 |
$savemsg = sprintf(gettext("Imported certificate %s"), $cert['descr']);
|
|
| 397 | 414 |
} |
| 398 | 415 |
|
| 399 | 416 |
if ($pconfig['method'] == "internal") {
|
| ... | ... | |
| 439 | 456 |
} |
| 440 | 457 |
} |
| 441 | 458 |
} |
| 459 |
$savemsg = sprintf(gettext("Created internal certificate %s"), $cert['descr']);
|
|
| 442 | 460 |
} |
| 443 | 461 |
|
| 444 | 462 |
if ($pconfig['method'] == "external") {
|
| ... | ... | |
| 484 | 502 |
} |
| 485 | 503 |
} |
| 486 | 504 |
} |
| 505 |
$savemsg = sprintf(gettext("Created certificate signing request %s"), $cert['descr']);
|
|
| 487 | 506 |
} |
| 488 | 507 |
|
| 489 | 508 |
error_reporting($old_err_level); |
| 490 | 509 |
|
| 491 |
if (isset($id) && $a_cert[$id]) {
|
|
| 492 |
$a_cert[$id] = $cert;
|
|
| 510 |
if (isset($id) && $thiscert) {
|
|
| 511 |
$thiscert = $cert;
|
|
| 493 | 512 |
} else {
|
| 494 | 513 |
$a_cert[] = $cert; |
| 495 | 514 |
} |
| ... | ... | |
| 500 | 519 |
} |
| 501 | 520 |
|
| 502 | 521 |
if (!$input_errors) {
|
| 503 |
write_config(); |
|
| 522 |
write_config($savemsg);
|
|
| 504 | 523 |
} |
| 505 | 524 |
|
| 506 | 525 |
if ((isset($userid) && is_numeric($userid)) && !$input_errors) {
|
| ... | ... | |
| 536 | 555 |
|
| 537 | 556 |
/* save modifications */ |
| 538 | 557 |
if (!$input_errors) {
|
| 539 |
$cert = $a_cert[$id];
|
|
| 558 |
$cert = $thiscert;
|
|
| 540 | 559 |
$cert['descr'] = $pconfig['descr']; |
| 541 | 560 |
csr_complete($cert, $pconfig['cert']); |
| 542 |
$a_cert[$id] = $cert; |
|
| 543 |
write_config(); |
|
| 561 |
$thiscert = $cert; |
|
| 562 |
$savemsg = sprintf(gettext("Updated certificate signing request %s"), $pconfig['descr']);
|
|
| 563 |
write_config($savemsg); |
|
| 544 | 564 |
pfSenseHeader("system_certmanager.php");
|
| 545 | 565 |
} |
| 546 | 566 |
} |
| ... | ... | |
| 560 | 580 |
} |
| 561 | 581 |
|
| 562 | 582 |
if ($savemsg) {
|
| 563 |
print_info_box($savemsg, 'success');
|
|
| 583 |
print_info_box($savemsg, $class);
|
|
| 564 | 584 |
} |
| 565 | 585 |
|
| 566 | 586 |
$tab_array = array(); |
| ... | ... | |
| 571 | 591 |
|
| 572 | 592 |
if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
|
| 573 | 593 |
$form = new Form(); |
| 574 |
$form->setAction('system_certmanager.php?act=edit');
|
|
| 594 |
$form->setAction('system_certmanager.php');
|
|
| 575 | 595 |
|
| 576 | 596 |
if (isset($userid) && $a_user) {
|
| 577 | 597 |
$form->addGlobal(new Form_Input( |
| ... | ... | |
| 582 | 602 |
)); |
| 583 | 603 |
} |
| 584 | 604 |
|
| 585 |
if (isset($id) && $a_cert[$id]) {
|
|
| 605 |
if (isset($id) && $thiscert) {
|
|
| 586 | 606 |
$form->addGlobal(new Form_Input( |
| 587 | 607 |
'id', |
| 588 | 608 |
null, |
| ... | ... | |
| 607 | 627 |
'*Descriptive name', |
| 608 | 628 |
'text', |
| 609 | 629 |
($a_user && empty($pconfig['descr'])) ? $a_user[$userid]['name'] : $pconfig['descr'] |
| 610 |
))->addClass('toggle-internal toggle-import toggle-external toggle-sign collapse');
|
|
| 630 |
))->addClass('toggle-internal toggle-import toggle-external toggle-sign toggle-existing collapse');
|
|
| 611 | 631 |
|
| 612 | 632 |
$form->add($section); |
| 613 | 633 |
|
| ... | ... | |
| 1080 | 1100 |
))->setWidth(7) |
| 1081 | 1101 |
->setHelp('Paste the certificate received from the certificate authority here.');
|
| 1082 | 1102 |
|
| 1083 |
if (isset($id) && $a_cert[$id]) {
|
|
| 1103 |
if (isset($id) && $thiscert) {
|
|
| 1084 | 1104 |
$form->addGlobal(new Form_Input( |
| 1085 | 1105 |
'id', |
| 1086 | 1106 |
null, |
| ... | ... | |
| 1164 | 1184 |
$pluginparams['type'] = 'certificates'; |
| 1165 | 1185 |
$pluginparams['event'] = 'used_certificates'; |
| 1166 | 1186 |
$certificates_used_by_packages = pkg_call_plugins('plugin_certificates', $pluginparams);
|
| 1167 |
$i = 0; |
|
| 1168 |
foreach ($a_cert as $i => $cert): |
|
| 1187 |
foreach ($a_cert as $cert): |
|
| 1169 | 1188 |
if (!is_array($cert) || empty($cert)) {
|
| 1170 | 1189 |
continue; |
| 1171 | 1190 |
} |
| ... | ... | |
| 1244 | 1263 |
</td> |
| 1245 | 1264 |
<td> |
| 1246 | 1265 |
<?php if (!$cert['csr']): ?> |
| 1247 |
<a href="system_certmanager.php?act=exp&id=<?=$i?>" class="fa fa-certificate" title="<?=gettext("Export Certificate")?>"></a>
|
|
| 1266 |
<a href="system_certmanager.php?act=exp&id=<?=$cert['refid']?>" class="fa fa-certificate" title="<?=gettext("Export Certificate")?>"></a>
|
|
| 1248 | 1267 |
<?php if ($cert['prv']): ?> |
| 1249 |
<a href="system_certmanager.php?act=key&id=<?=$i?>" class="fa fa-key" title="<?=gettext("Export Key")?>"></a>
|
|
| 1268 |
<a href="system_certmanager.php?act=key&id=<?=$cert['refid']?>" class="fa fa-key" title="<?=gettext("Export Key")?>"></a>
|
|
| 1250 | 1269 |
<?php endif?> |
| 1251 | 1270 |
<?php if (is_cert_locally_renewable($cert)): ?> |
| 1252 | 1271 |
<a href="system_certmanager_renew.php?type=cert&refid=<?=$cert['refid']?>" class="fa fa-repeat" title="<?=gettext("Reissue/Renew")?>"></a>
|
| 1253 | 1272 |
<?php endif ?> |
| 1254 |
<a href="system_certmanager.php?act=p12&id=<?=$i?>" class="fa fa-archive" title="<?=gettext("Export P12")?>"></a>
|
|
| 1273 |
<a href="system_certmanager.php?act=p12&id=<?=$cert['refid']?>" class="fa fa-archive" title="<?=gettext("Export P12")?>"></a>
|
|
| 1255 | 1274 |
<?php else: ?> |
| 1256 |
<a href="system_certmanager.php?act=csr&id=<?=$i?>" class="fa fa-pencil" title="<?=gettext("Update CSR")?>"></a>
|
|
| 1257 |
<a href="system_certmanager.php?act=req&id=<?=$i?>" class="fa fa-sign-in" title="<?=gettext("Export Request")?>"></a>
|
|
| 1258 |
<a href="system_certmanager.php?act=key&id=<?=$i?>" class="fa fa-key" title="<?=gettext("Export Key")?>"></a>
|
|
| 1275 |
<a href="system_certmanager.php?act=csr&id=<?=$cert['refid']?>" class="fa fa-pencil" title="<?=gettext("Update CSR")?>"></a>
|
|
| 1276 |
<a href="system_certmanager.php?act=req&id=<?=$cert['refid']?>" class="fa fa-sign-in" title="<?=gettext("Export Request")?>"></a>
|
|
| 1277 |
<a href="system_certmanager.php?act=key&id=<?=$cert['refid']?>" class="fa fa-key" title="<?=gettext("Export Key")?>"></a>
|
|
| 1259 | 1278 |
<?php endif?> |
| 1260 | 1279 |
<?php if (!cert_in_use($cert['refid'])): ?> |
| 1261 |
<a href="system_certmanager.php?act=del&id=<?=$i?>" class="fa fa-trash" title="<?=gettext("Delete Certificate")?>" usepost></a>
|
|
| 1280 |
<a href="system_certmanager.php?act=del&id=<?=$cert['refid']?>" class="fa fa-trash" title="<?=gettext("Delete Certificate")?>" usepost></a>
|
|
| 1262 | 1281 |
<?php endif?> |
| 1263 | 1282 |
</td> |
| 1264 | 1283 |
</tr> |
| 1265 | 1284 |
<?php |
| 1266 |
$i++; |
|
| 1267 | 1285 |
endforeach; ?> |
| 1268 | 1286 |
</tbody> |
| 1269 | 1287 |
</table> |
Also available in: Unified diff
CA/Cert optimizations
accurate and not as prone to being affected by parallel changes.