authoryakatz <yehuda@ymkatz.net>2011-04-21 14:29:54 -0400
committeryakatz <yehuda@ymkatz.net>2011-04-21 14:29:54 -0400
commita828210b746c074c1e701a44f5f2ec3a69ba368a (patch)
tree6bc76319d1b423c686e72e6377ef69041fda4327
parente2e934e0c976bae835b58de7c2595666ad59d2a0 (diff)
downloadpfsense-a828210b746c074c1e701a44f5f2ec3a69ba368a.zip
pfsense-a828210b746c074c1e701a44f5f2ec3a69ba368a.tar.gz
checking moduli of ssl csr request and response
-rw-r--r--etc/inc/certs.inc19
-rw-r--r--usr/local/www/system_certmanager.php37
2 files changed, 42 insertions, 14 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 2b192c1..2e9718c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -369,6 +369,25 @@ function cert_get_issuer($str_crt, $decode = true) {
return $issuer;
}
+/* this function works on x509 (crt), rsa key (prv), and req(csr) */
+function cert_get_modulus($str_crt, $decode = true, $type = "crt"){
+ if ($decode)
+ $str_crt = base64_decode($str_crt);
+
+ $modulus = "";
+ if ( in_array($type, array("crt", "prv", "csr")) ) {
+ $type = str_replace( array("crt","prv","csr"), array("x509","rsa","req"), $type);
+ $modulus = exec("echo \"{$str_crt}\" | openssl {$type} -noout -modulus");
+ }
+ return $modulus;
+}
+function csr_get_modulus($str_crt, $decode = true){
+ return cert_get_modulus($str_crt, $decode, "csr");
+}
+function prv_get_modulus($str_crt, $decode = true){
+ return cert_get_modulus($str_crt, $decode, "prv");
+}
+
function is_user_cert($certref) {
global $config;
if (!is_array($config['system']['user']))
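Review bot: In cert_get_modulus the PEM text is spliced into a double-quoted shell string, `exec("echo \"{$str_crt}\" | openssl {$type} -noout -modulus")`, so a `"`, backtick or `$(` inside the submitted certificate or CSR is interpreted by the shell; the callers added in system_certmanager.php pass form input, which makes this a command-injection path. Piping through `echo` also puts the whole input on the command line, so for the `prv` type the private key is readable by anyone who can list processes. Hand the material to openssl over stdin with proc_open (or use the openssl extension, e.g. openssl_pkey_get_details, which needs no shell), and treat a non-zero exit as "no modulus" so a failed parse does not come back as an empty string that compares equal to another failure. `$type` is safe as written because in_array whitelists it, though the check is not strict.
```php
function cert_get_modulus($str_crt, $decode = true, $type = "crt"){
	// … unchanged: optional base64 decode …
	$modulus = "";
	if ( in_array($type, array("crt", "prv", "csr"), true) ) {
		$type = str_replace( array("crt","prv","csr"), array("x509","rsa","req"), $type);
		// feed the PEM over stdin: it is never shell-parsed and never appears in the process list
		$pipes = array();
		$proc = proc_open("openssl {$type} -noout -modulus",
			array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")), $pipes);
		if (is_resource($proc)) {
			fwrite($pipes[0], $str_crt);
			fclose($pipes[0]);
			$out = trim(stream_get_contents($pipes[1]));
			fclose($pipes[1]);
			fclose($pipes[2]);
			// a failed parse must not yield "" that later compares equal to another failure
			if (proc_close($proc) === 0)
				$modulus = $out;
		}
	}
	return $modulus;
}
```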
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 7ab59fd..c986d76 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -280,16 +280,25 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+// old way
/* make sure this csr and certificate subjects match */
- $subj_csr = csr_get_subject($pconfig['csr'], false);
- $subj_cert = cert_get_subject($pconfig['cert'], false);
-
- if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) {
- if (strcmp($subj_csr,$subj_cert)) {
- $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert);
- $subject_mismatch = true;
- }
- }
+// $subj_csr = csr_get_subject($pconfig['csr'], false);
+// $subj_cert = cert_get_subject($pconfig['cert'], false);
+//
+// if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) {
+// if (strcmp($subj_csr,$subj_cert)) {
+// $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert);
+// $subject_mismatch = true;
+// }
+// }
+ $mod_csr = csr_get_modulus($pconfig['csr']);
+ $mod_cert = cert_get_modulus($pconfig['cert']);
+
+ if (strcmp($mod_csr,$mod_cert)) {
+ // simply: if the moduli don't match, then the private key and public key won't match
+ $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."),$subj_cert);
+ $subject_mismatch = true;
+ }
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
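Review bot: The new check at `if (strcmp($mod_csr,$mod_cert))` treats two failed lookups as a match: cert_get_modulus returns "" whenever openssl rejects its input, and `strcmp("", "")` is 0, so a malformed or unrelated CSR/certificate pair passes validation. That failure mode looks likely here, because the removed csr_get_subject/cert_get_subject calls passed `false` for `$decode` while the new calls rely on the default `true`, so the same `$pconfig` values are now base64-decoded before reaching openssl — confirm which form they hold at this point. The error line also still hands `$subj_cert`, which is no longer assigned anywhere, to a sprintf whose format string has no placeholder; plain gettext is enough. The old subject check left here as `//` lines, and the ignoresubjectmismatch form block wrapped in `/* */` in the later hunk of this file (around line 789), should be deleted rather than kept as commented-out code, and `$subject_mismatch` then has no remaining reader.
```php
/* make sure the csr and the certificate carry the same public key */
// decode flag matches what the removed subject check passed for these values
$mod_csr = csr_get_modulus($pconfig['csr'], false);
$mod_cert = cert_get_modulus($pconfig['cert'], false);

// an empty modulus means openssl could not parse the input; two failures must not compare equal
if ($mod_csr === "" || $mod_cert === "" || strcmp($mod_csr, $mod_cert) !== 0) {
	$input_errors[] = gettext("The certificate modulus does not match the signing request modulus.");
}
/* … unchanged: AJAX error handling … */
```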
@@ -318,7 +327,7 @@ if ($_POST) {
include("head.inc");
?>
-<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>">
+<body link="#000000" vlink="#000000" alink="#000000" onLoad="<?= $jsevents["body"]["onload"] ?>">
<?php include("fbegin.inc"); ?>
<script type="text/javascript">
<!--
@@ -780,14 +789,14 @@ function internalca_change() {
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
- <?php if ( isset($subject_mismatch) && $subject_mismatch === true): ?>
+ <?php /* if ( isset($subject_mismatch) && $subject_mismatch === true): ?>
<input id="ignoresubjectmismatch" name="ignoresubjectmismatch" type="checkbox" class="formbtn" value="yes" />
<label for="ignoresubjectmismatch"><strong><?=gettext("Ignore certificate subject mismatch"); ?></strong></label><br />
<?php echo gettext("Warning: Using this option may create an " .
"invalid certificate. Check this box to disable the request -> " .
"response subject verification. ");
?><br/>
- <?php endif;?>
+ <?php endif; */ ?>
<input id="submit" name="save" type="submit" class="formbtn" value="<?=gettext("Update");?>" />
<?php if (isset($id) && $a_cert[$id]): ?>
<input name="id" type="hidden" value="<?=$id;?>" />
@@ -812,7 +821,7 @@ function internalca_change() {
$i = 0;
foreach($a_cert as $cert):
$name = htmlspecialchars($cert['descr']);
-
+
if ($cert['crt']) {
$subj = cert_get_subject($cert['crt']);
$issuer = cert_get_issuer($cert['crt']);
@@ -880,7 +889,7 @@ function internalca_change() {
<img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="<?=gettext("export key");?>" alt="<?=gettext("export ca");?>" width="17" height="17" border="0" />
</a>
<?php if (!cert_in_use($cert['refid'])): ?>
- <a href="system_certmanager.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this Certificate?");?>')">
+ <a href="system_certmanager.php?act=del&id=<?=$i;?>" onClick="return confirm('<?=gettext("Do you really want to delete this Certificate?");?>')">
<img src="/themes/<?= $g['theme'];?>/images/icons/icon_x.gif" title="<?=gettext("delete cert");?>" alt="<?=gettext("delete cert");?>" width="17" height="17" border="0" />
</a>
<?php endif; ?>