author | jim-p <jimp@pfsense.org> | 2013-01-21 14:30:30 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-01-21 14:33:19 -0500 |
commit | ca6219025cabd3edbe53e522b345a167381a0171 (patch) | |
tree | 2e076b0a5f92fbb9393009477528416d1be9690c | |
parent | bc2b0144e83bed57262c44175acba00277988101 (diff) | |
Allow selecting the digest algorithm when creating a CA or Cert. Implements #2765
-rw-r--r-- | etc/inc/certs.inc | 18 | ||||
-rw-r--r-- | usr/local/www/system_camanager.php | 28 | ||||
-rw-r--r-- | usr/local/www/system_certmanager.php | 25 | ||||
-rw-r--r-- | usr/local/www/wizards/openvpn_wizard.inc | 4 |
4 files changed, 60 insertions, 15 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index ed1f25c..84c028a 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -34,6 +34,8 @@ define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");
 require_once("functions.inc");
+$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
+
 function & lookup_ca($refid) {
 global $config;
@@ -159,11 +161,11 @@ function ca_import(& $ca, $str, $key="", $serial=0) {
 return true;
 }
-function ca_create(& $ca, $keylen, $lifetime, $dn) {
+function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
 $args = array(
 "x509_extensions" => "v3_ca",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
 "encrypt_key" => false);
@@ -193,7 +195,7 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
 return true;
 }
-function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref, $digest_alg = "sha256") {
 // Create Intermediate Certificate Authority
 $signing_ca =& lookup_ca($caref);
 if (!$signing_ca)
@@ -206,7 +208,7 @@ function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
 $args = array(
 "x509_extensions" => "v3_ca",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
 "encrypt_key" => false);
@@ -253,7 +255,7 @@ function cert_import(& $cert, $crt_str, $key_str) {
 return true;
 }
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
 $ca =& lookup_ca($caref);
 if (!$ca)
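Review bot: ca_create now writes `$digest_alg` into the OpenSSL `$args` without checking it against the `$openssl_digest_algs` whitelist that the first hunk of this file introduces, so the only validation lives in the two form pages and every other caller (the openvpn wizard, anything added later) can hand an arbitrary string straight to the OpenSSL extension. A guard at the top of the function, `global $openssl_digest_algs; if (!in_array($digest_alg, $openssl_digest_algs, true)) return false;`, would enforce the list in one place; since the callers shown in this commit report failures only through `openssl_error_string()`, a value rejected by such a guard would also need a message of its own. The same applies to the ca_inter_create, cert_create and csr_generate hunks. ca_create's body continues past this hunk.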
@@ -280,7 +282,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
 $args = array(
 "x509_extensions" => $cert_type,
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
 "encrypt_key" => false);
@@ -312,11 +314,11 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user") {
 return true;
 }
-function csr_generate(& $cert, $keylen, $dn) {
+function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") {
 $args = array(
 "x509_extensions" => "v3_req",
- "digest_alg" => "sha1",
+ "digest_alg" => $digest_alg,
 "private_key_bits" => (int)$keylen,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
 "encrypt_key" => false);
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 4d0c961..814c4c5 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -46,6 +46,7 @@ $ca_methods = array(
 "intermediate" => gettext("Create an intermediate Certificate Authority"));
 $ca_keylens = array( "512", "1024", "2048", "4096");
+global $openssl_digest_algs;
 $pgtitle = array(gettext("System"), gettext("Certificate Authority Manager"));
@@ -202,7 +203,7 @@ if ($_POST) {
 }
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- if ($pconfig['method'] != "existing")
+ if ($pconfig['method'] != "existing") {
 /* Make sure we do not have invalid characters in the fields for the certificate */
 for ($i = 0; $i < count($reqdfields); $i++) {
 if ($reqdfields[$i] == 'dn_email'){
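Review bot: `global $openssl_digest_algs;` at the top level of system_camanager.php (and likewise in the system_certmanager.php hunk at @@ -52) has no effect when the page runs as a top-level script, because file-scope variables are already global; it only matters if the file is ever included from inside a function, and it tells a reader nothing about where the array comes from. A comment next to the statement such as `/* $openssl_digest_algs is the digest whitelist defined in etc/inc/certs.inc */`, or dropping the statement if the page is never included inside a function, would make the intent clear.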
@@ -214,6 +215,11 @@ if ($_POST) {
 }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
 array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
 }
+ if (!in_array($_POST["keylen"], $ca_keylens))
+ array_push($input_errors, gettext("Please select a valid Key Length."));
+ if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+ }
 /* if this is an AJAX caller then handle via JSON */
 if (isAjax() && is_array($input_errors)) {
@@ -255,7 +261,7 @@ if ($_POST) {
 'organizationName' => $pconfig['dn_organization'],
 'emailAddress' => $pconfig['dn_email'],
 'commonName' => $pconfig['dn_commonname']);
- if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn)){
+ if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -270,7 +276,7 @@ if ($_POST) {
 'organizationName' => $pconfig['dn_organization'],
 'emailAddress' => $pconfig['dn_email'],
 'commonName' => $pconfig['dn_commonname']);
- if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'])){
+ if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'], $pconfig['digest_alg'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
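Review bot: Both new `in_array()` checks compare loosely, so the key-length test is not the exact whitelist it reads as: `$ca_keylens` holds numeric strings and PHP compares two numeric strings numerically, so a submitted `"0512"` or `"512.0"` passes and reaches the `(int)$keylen` cast in certs.inc (harmless today, but the check no longer pins the form's values). Add the strict flag on both lines: `if (!in_array($_POST["keylen"], $ca_keylens, true))` and `if (!in_array($_POST["digest_alg"], $openssl_digest_algs, true))`. Reading `$_POST["keylen"]` and `$_POST["digest_alg"]` directly also raises a notice when a field is absent from the request, so wrapping each in `isset()` and treating a missing field as invalid would keep the check quiet. The same applies to the system_certmanager.php hunk at @@ -292.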
@@ -467,6 +473,22 @@ function method_change() {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+ <td width="78%" class="vtable">
+ <select name='digest_alg' id='digest_alg' class="formselect">
+ <?php
+ foreach( $openssl_digest_algs as $digest_alg):
+ $selected = "";
+ if ($pconfig['digest_alg'] == $digest_alg)
+ $selected = "selected";
+ ?>
+ <option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
 <td width="78%" class="vtable">
 <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="5" value="<?=htmlspecialchars($pconfig['lifetime']);?>"/>
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index c9e9826..d8ca0b6 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -52,6 +52,7 @@ $cert_types = array(
 "ca" => "Certificate Authority",
 "user" => "User Certificate");
 $altname_types = array("DNS", "IP", "email", "URI");
+global $openssl_digest_algs;
 $pgtitle = array(gettext("System"), gettext("Certificate Manager"));
@@ -292,6 +293,10 @@ if ($_POST) {
 }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
 array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
 }
+ if (!in_array($_POST["keylen"], $cert_keylens))
+ array_push($input_errors, gettext("Please select a valid Key Length."));
+ if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
 }
 /* if this is an AJAX caller then handle via JSON */
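Review bot: The `<option>` line renders `value="sha256"selected` with no whitespace between the two attributes, because `$selected` is set to `"selected"` and emitted directly after the closing quote; browsers recover from it, but it is invalid markup and should be `$selected = " selected";`. Also, unless `$pconfig['digest_alg']` is initialised somewhere outside this hunk, a freshly opened form has no selected option and the browser falls back to the first entry of `$openssl_digest_algs`, which is SHA1 — the very algorithm the NOTE under the select advises against, and a different default from the `"sha256"` that ca_create in certs.inc uses when no value is passed. Initialising `$pconfig['digest_alg'] = "sha256";` where the page sets its form defaults would make the UI default match the library default. The same two points apply to the system_certmanager.php hunk at @@ -678.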
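Review bot: The new key-length check reads `$_POST["keylen"]`, but the CSR path of this page submits its length as `csr_keylen` (the csr_generate call in the @@ -359 hunk reads `$pconfig['csr_keylen']`); if this validation block also runs for the CSR method — its enclosing condition starts outside the hunk — every CSR request would be rejected with "Please select a valid Key Length.", and the `digest_alg` check would fail the same way if the CSR form section has no `digest_alg` select (the @@ -678 hunk adds one only beside the Certificate Type row of the internal form). Either validate the field the current method actually submits, or confirm the block is reached only by the internal method and say so in a comment, e.g. `/* keylen/digest_alg are only present on the internal-CA form */`.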
@@ -336,7 +341,7 @@ if ($_POST) {
 $dn['subjectAltName'] = implode(",", $altnames_tmp);
 }
 if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
- $pconfig['lifetime'], $dn, $pconfig['type'])){
+ $pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -359,7 +364,7 @@ if ($_POST) {
 }
 $dn['subjectAltName'] = implode(",", $altnames_tmp);
 }
- if(!csr_generate($cert, $pconfig['csr_keylen'], $dn)){
+ if(!csr_generate($cert, $pconfig['csr_keylen'], $dn, $pconfig['digest_alg'])){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
 array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -678,6 +683,22 @@ function internalca_change() {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+ <td width="78%" class="vtable">
+ <select name='digest_alg' id='digest_alg' class="formselect">
+ <?php
+ foreach( $openssl_digest_algs as $digest_alg):
+ $selected = "";
+ if ($pconfig['digest_alg'] == $digest_alg)
+ $selected = "selected";
+ ?>
+ <option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
 <td width="78%" class="vtable">
 <select name='type' class="formselect">
diff --git a/usr/local/www/wizards/openvpn_wizard.inc b/usr/local/www/wizards/openvpn_wizard.inc
index 8f6fbc9..f6b4af9 100644
--- a/usr/local/www/wizards/openvpn_wizard.inc
+++ b/usr/local/www/wizards/openvpn_wizard.inc
@@ -475,7 +475,7 @@ function step12_submitphpaction() {
 'emailAddress' => $pconfig['step6']['email'],
 'commonName' => $pconfig['step6']['certca']);
- ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn);
+ ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn, "sha256");
 if (!is_array($config['ca']))
 $config['ca'] = array();
@@ -502,7 +502,7 @@ function step12_submitphpaction() {
 'emailAddress' => $pconfig['step9']['email'],
 'commonName' => $pconfig['step9']['certname']);
- cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server');
+ cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server', "sha256");
 if (!is_array($config['cert']))
 $config['cert'] = array();
|