authorjim-p <jimp@pfsense.org>2013-01-21 14:30:30 -0500
committerjim-p <jimp@pfsense.org>2013-01-21 14:33:19 -0500
commitca6219025cabd3edbe53e522b345a167381a0171 (patch)
tree2e076b0a5f92fbb9393009477528416d1be9690c
parentbc2b0144e83bed57262c44175acba00277988101 (diff)
Allow selecting the digest algorithm when creating a CA or Cert. Implements #2765
-rw-r--r--etc/inc/certs.inc18
-rw-r--r--usr/local/www/system_camanager.php28
-rw-r--r--usr/local/www/system_certmanager.php25
-rw-r--r--usr/local/www/wizards/openvpn_wizard.inc4
4 files changed, 60 insertions, 15 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index ed1f25c..84c028a 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -34,6 +34,8 @@ define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");
require_once("functions.inc");
+$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
+
function & lookup_ca($refid) {
global $config;
@@ -159,11 +161,11 @@ function ca_import(& $ca, $str, $key="", $serial=0) {
return true;
}
-function ca_create(& $ca, $keylen, $lifetime, $dn) {
+function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_ca",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
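Review bot: `ca_create` forwards `$digest_alg` straight into the openssl argument array at L37 without checking it against the `$openssl_digest_algs` list this same file defines at L25; the only validation is in the two web pages, so any other caller (the wizard at L221/L228 today, or a future one) can hand in any string and get an opaque openssl failure instead of a clear rejection. A guard at the top of the function, after `global $openssl_digest_algs;`, such as `if (!in_array($digest_alg, $openssl_digest_algs, true)) return false;` keeps the library self-consistent with its own list. The same applies to `ca_inter_create` (L45), `cert_create` (L61) and `csr_generate` (L76). The function body continues outside the hunk.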
@@ -193,7 +195,7 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
return true;
}
-function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
// Create Intermediate Certificate Authority
$signing_ca =& lookup_ca($caref);
if (!$signing_ca)
@@ -206,7 +208,7 @@ function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
$args = array(
"x509_extensions" => "v3_ca",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
@@ -253,7 +255,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
return true;
}
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
$ca =& lookup_ca($caref);
if (!$ca)
@@ -280,7 +282,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
$args = array(
"x509_extensions" => $cert_type,
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
@@ -312,11 +314,11 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
return true;
}
-function csr_generate(& $cert, $keylen, $dn) {
+function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
$args = array(
"x509_extensions" => "v3_req",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
"private_key_bits" => (int)$keylen,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => false);
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 4d0c961..814c4c5 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -46,6 +46,7 @@ $ca_methods = array(
"intermediate" => gettext("Create an intermediate Certificate Authority"));
$ca_keylens = array( "512", "1024", "2048", "4096");
+global $openssl_digest_algs;
$pgtitle = array(gettext("System"), gettext("Certificate Authority Manager"));
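Review bot: `global $openssl_digest_algs;` at L91 is a no-op: the hunk header context (`$ca_methods = array(`, `$ca_keylens = ...`) indicates file-scope code, where `global` binds a variable to the scope it already lives in. If the intent is to record where the list comes from, a comment such as `/* $openssl_digest_algs is defined in certs.inc */` says so without a misleading statement; the same line is added at L160 in system_certmanager.php. This is inferred from the header context; if the line is inside a function the keyword is needed.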
@@ -202,7 +203,7 @@ if ($_POST) {
}
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- if ($pconfig['method'] != "existing")
+ if ($pconfig['method'] != "existing") {
/* Make sure we do not have invalid characters in the fields for the certificate */
for ($i = 0; $i < count($reqdfields); $i++) {
if ($reqdfields[$i] == 'dn_email'){
@@ -214,6 +215,11 @@ if ($_POST) {
}else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
}
+ if (!in_array($_POST["keylen"], $ca_keylens))
+ array_push($input_errors, gettext("Please select a valid Key Length."));
+ if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+ }
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
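Review bot: `$_POST["keylen"]` and `$_POST["digest_alg"]` at L105/L107 are read without an `isset()` check, so a POST that omits either key raises an undefined-index notice before `in_array` runs, and both `in_array` calls lack the third `true` argument, so loose comparison lets numeric-looking strings such as `"0512"` or `"2048.0"` pass the key-length check (harmless here only because certs.inc casts with `(int)`). Suggest `if (!isset($_POST["keylen"]) || !in_array($_POST["keylen"], $ca_keylens, true))` and `if (!isset($_POST["digest_alg"]) || !in_array($_POST["digest_alg"], $openssl_digest_algs, true))`. The check reads `$_POST` while the later `ca_create` call at L117 uses `$pconfig['digest_alg']`; presumably `$pconfig` mirrors `$_POST` (not visible here), otherwise the validated and the used value differ. The same applies to L166–L169 in system_certmanager.php.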
@@ -255,7 +261,7 @@ if ($_POST) {
'organizationName' => $pconfig['dn_organization'],
'emailAddress' => $pconfig['dn_email'],
'commonName' => $pconfig['dn_commonname']);
- if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn)){
+ if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -270,7 +276,7 @@ if ($_POST) {
'organizationName' => $pconfig['dn_organization'],
'emailAddress' => $pconfig['dn_email'],
'commonName' => $pconfig['dn_commonname']);
- if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'])){
+ if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'], $pconfig['digest_alg'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -467,6 +473,22 @@ function method_change() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+ <td width="78%" class="vtable">
+ <select name='digest_alg' id='digest_alg' class="formselect">
+ <?php
+ foreach( $openssl_digest_algs as $digest_alg):
+ $selected = "";
+ if ($pconfig['digest_alg'] == $digest_alg)
+ $selected = "selected";
+ ?>
+ <option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
<td width="78%" class="vtable">
<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="5" value="<?=htmlspecialchars($pconfig['lifetime']);?>"/>
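Review bot: Nothing is preselected when `$pconfig['digest_alg']` is unset, so on a fresh Create form the browser falls back to the first `<option>`, `sha1` — the algorithm the note at L146 advises against and weaker than the `sha256` default the certs.inc functions use. Unless `$pconfig['digest_alg']` is initialised elsewhere in the file (not visible in this hunk), seed it before the form, e.g. `if (empty($pconfig['digest_alg'])) $pconfig['digest_alg'] = "sha256";`, so the default shown matches the default applied. Separately, `<option value="<?=$digest_alg;?>"<?=$selected;?>>` at L143 emits `value="sha1"selected` with no whitespace before the attribute, a recoverable HTML parse error; set `$selected = " selected";` at L141. The same block appears at L194–L208 in system_certmanager.php.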
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index c9e9826..d8ca0b6 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -52,6 +52,7 @@ $cert_types = array( "ca" => "Certificate Authority",
"user" => "User Certificate");
$altname_types = array("DNS", "IP", "email", "URI");
+global $openssl_digest_algs;
$pgtitle = array(gettext("System"), gettext("Certificate Manager"));
@@ -292,6 +293,10 @@ if ($_POST) {
}else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
}
+ if (!in_array($_POST["keylen"], $cert_keylens))
+ array_push($input_errors, gettext("Please select a valid Key Length."));
+ if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
}
/* if this is an AJAX caller then handle via JSON */
@@ -336,7 +341,7 @@ if ($_POST) {
$dn['subjectAltName'] = implode(",", $altnames_tmp);
}
if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
- $pconfig['lifetime'], $dn, $pconfig['type'])){
+ $pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -359,7 +364,7 @@ if ($_POST) {
}
$dn['subjectAltName'] = implode(",", $altnames_tmp);
}
- if(!csr_generate($cert, $pconfig['csr_keylen'], $dn)){
+ if(!csr_generate($cert, $pconfig['csr_keylen'], $dn, $pconfig['digest_alg'])){
while($ssl_err = openssl_error_string()){
$input_errors = array();
array_push($input_errors, "openssl library returns: " . $ssl_err);
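Review bot: `csr_generate` at L186 now receives `$pconfig['digest_alg']`, but the only digest selector this commit adds to the page (L194–L208) sits beside the Certificate Type row of the internal-certificate form; if the external/CSR form section has no `digest_alg` field, this passes an empty value and discards the `sha256` default that `csr_generate` would otherwise apply. I cannot see the CSR form section from this hunk; if it lacks a selector, either add the same `<select>` there or pass the default when the value is empty, e.g. `empty($pconfig['digest_alg']) ? "sha256" : $pconfig['digest_alg']`. The enclosing `if ($_POST)` block starts and ends outside the hunk.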
@@ -678,6 +683,22 @@ function internalca_change() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+ <td width="78%" class="vtable">
+ <select name='digest_alg' id='digest_alg' class="formselect">
+ <?php
+ foreach( $openssl_digest_algs as $digest_alg):
+ $selected = "";
+ if ($pconfig['digest_alg'] == $digest_alg)
+ $selected = "selected";
+ ?>
+ <option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
<td width="78%" class="vtable">
<select name='type' class="formselect">
diff --git a/usr/local/www/wizards/openvpn_wizard.inc b/usr/local/www/wizards/openvpn_wizard.inc
index 8f6fbc9..f6b4af9 100644
--- a/usr/local/www/wizards/openvpn_wizard.inc
+++ b/usr/local/www/wizards/openvpn_wizard.inc
@@ -475,7 +475,7 @@ function step12_submitphpaction() {
'emailAddress' => $pconfig['step6']['email'],
'commonName' => $pconfig['step6']['certca']);
- ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn);
+ ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn, "sha256");
if (!is_array($config['ca']))
$config['ca'] = array();
@@ -502,7 +502,7 @@ function step12_submitphpaction() {
'emailAddress' => $pconfig['step9']['email'],
'commonName' => $pconfig['step9']['certname']);
- cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server');
+ cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server', "sha256");
if (!is_array($config['cert']))
$config['cert'] = array();