authorEvgeny Yurchenko <ey@tm-k.com>2011-06-23 20:28:31 -0400
committerEvgeny Yurchenko <ey@tm-k.com>2011-06-23 20:28:31 -0400
commit22b380aa6f4b7401b887945262a2e595d03dac26 (patch)
tree95287ab9963d0ae90c21d01935ac554dc40218b0
parent1b6d9fa59cdc3a284497abb0bfa415741c258d10 (diff)
downloadpfsense-22b380aa6f4b7401b887945262a2e595d03dac26.zip
pfsense-22b380aa6f4b7401b887945262a2e595d03dac26.tar.gz
Internal cert and CSR creation error handling added.
-rw-r--r--etc/inc/certs.inc16
-rw-r--r--usr/local/www/system_certmanager.php23
2 files changed, 31 insertions, 8 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index b1203cf..6ab448b 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -259,6 +259,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
$ca_str_key = base64_decode($ca['prv']);
$ca_res_crt = openssl_x509_read($ca_str_crt);
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
+ if(!$ca_res_key) return false;
$ca_serial = ++$ca['serial'];
$args = array(
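Review bot: The new guard covers only the CA key; `$ca_res_crt` from `openssl_x509_read()` two lines above is still unchecked, although it also returns false on a malformed certificate, so a bad CA cert would reach `openssl_csr_sign()` in the next hunk and fail there with a less specific error. Extending the check to `if (!$ca_res_crt || !$ca_res_key) return false;` covers both inputs at the same place. Callers now depend on the boolean result, so a docblock line above cert_create such as `@return bool false when any OpenSSL step fails; $cert appears to be left unmodified on failure` would record the new contract; the function's header and the rest of its body lie outside the hunk.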
@@ -269,17 +270,21 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
// generate a new key pair
$res_key = openssl_pkey_new($args);
+ if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
+ if(!$res_csr) return false;
// self sign the certificate
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
$args, $ca_serial);
+ if(!$res_crt) return false;
// export our certificate data
- openssl_pkey_export($res_key, $str_key);
- openssl_x509_export($res_crt, $str_crt);
+ if (!openssl_pkey_export($res_key, $str_key) ||
+ !openssl_x509_export($res_crt, $str_crt))
+ return false;
// return our certificate information
$cert['caref'] = $caref;
@@ -299,13 +304,16 @@ function csr_generate(& $cert, $keylen, $dn) {
// generate a new key pair
$res_key = openssl_pkey_new($args);
+ if(!$res_key) return false;
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
+ if(!$res_csr) return false;
// export our request data
- openssl_pkey_export($res_key, $str_key);
- openssl_csr_export($res_csr, $str_csr);
+ if (!openssl_pkey_export($res_key, $str_key) ||
+ !openssl_csr_export($res_csr, $str_csr))
+ return false;
// return our request information
$cert['csr'] = base64_encode($str_csr);
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 87b8d91..355621b 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -240,6 +240,8 @@ if ($_POST) {
$cert['descr'] = $pconfig['descr'];
+ $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */
+
if ($pconfig['method'] == "import")
cert_import($cert, $pconfig['cert'], $pconfig['key']);
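Review bot: `error_reporting(0)` at the top of this hunk silences every warning from here until the restore in a later hunk, including cert_import() and whatever else runs in between, not just the openssl_* calls it is meant to cover, and the comment has a typo ("warings"). A comment stating the actual scope would help the next reader: `/* silence openssl_* warnings, which would otherwise be printed into the page and break the menu tab; level is restored after the create/generate calls below */`. Narrowing the suppression to the cert_create()/csr_generate() calls themselves would keep unrelated warnings visible.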
@@ -252,8 +254,13 @@ if ($_POST) {
'emailAddress' => $pconfig['dn_email'],
'commonName' => $pconfig['dn_commonname']);
- cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
- $pconfig['lifetime'], $dn);
+ if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
+ $pconfig['lifetime'], $dn)){
+ while($ssl_err = openssl_error_string()){
+ $input_errors = array();
+ array_push($input_errors, "openssl library returns: " . $ssl_err);
+ }
+ }
}
if ($pconfig['method'] == "external") {
@@ -265,8 +272,15 @@ if ($_POST) {
'emailAddress' => $pconfig['csr_dn_email'],
'commonName' => $pconfig['csr_dn_commonname']);
- csr_generate($cert, $pconfig['csr_keylen'], $dn);
+ if(!csr_generate($cert, $pconfig['csr_keylen'], $dn)){
+ while($ssl_err = openssl_error_string()){
+ $input_errors = array();
+ array_push($input_errors, "openssl library returns: " . $ssl_err);
+ }
+ }
}
+ error_reporting($old_err_level);
+
if (isset($id) && $a_cert[$id])
$a_cert[$id] = $cert;
else
@@ -275,7 +289,8 @@ if ($_POST) {
$a_user[$userid]['cert'][] = $cert['refid'];
}
- write_config();
+ if (!$input_errors)
+ write_config();
if ($userid)
pfSenseHeader("system_usermanager.php?act=edit&id={$userid}");
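Review bot: Guarding only write_config() on `$input_errors` does not stop the failed result from being used: `$a_cert[$id] = $cert` / `$a_cert[] = $cert` in the previous hunk has already placed the incomplete entry in the in-memory config, and the pfSenseHeader() redirect on the last line still fires, sending the user away from the page where `$input_errors` would presumably be rendered (the display code and the else branch of the redirect are outside the hunk). Wrapping the whole store-and-redirect tail in the same check, e.g. `if (!$input_errors) { /* store, write_config(), redirect */ }`, keeps the error visible and the config untouched on failure.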