authorjim-p <jimp@pfsense.org>2017-07-05 12:06:42 -0400
committerjim-p <jimp@pfsense.org>2017-07-05 13:30:23 -0400
commit2e1809ddc3a50f11b88ba12e196b0f62bcb222a7 (patch)
tree5bdb17377f581b31a8cb420416595aaa6c039297
parent7fbb45be082e3ef6a427ed68aa63fa81e46c9883 (diff)
downloadpfsense-2e1809ddc3a50f11b88ba12e196b0f62bcb222a7.zip
pfsense-2e1809ddc3a50f11b88ba12e196b0f62bcb222a7.tar.gz
Fix some additional cases for CN->SAN handling, and move some code to a function to avoid duplication for other pending uses. Ticket #7666
-rw-r--r--src/etc/inc/certs.inc27
-rw-r--r--src/usr/local/www/system_certmanager.php19
2 files changed, 32 insertions, 14 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index b30a607..9e85177 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -39,6 +39,15 @@ $openssl_crl_status = array(
OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold"
);
+global $cert_altname_types;
+$cert_altname_types = array(
+ 'DNS' => gettext('FQDN or Hostname'),
+ 'IP' => gettext('IP address'),
+ 'URI' => gettext('URI'),
+ 'email' => gettext('email address'),
+);
+
+
function & lookup_ca($refid) {
global $config;
@@ -1011,4 +1020,22 @@ function cert_escape_x509_chars($str, $reverse = false) {
}
}
+function cert_add_altname_type($str) {
+ $type = "";
+ if (is_ipaddr($str)) {
+ $type = "IP";
+ } elseif (is_hostname($str)) {
+ $type = "DNS";
+ } elseif (is_URL($str)) {
+ $type = "URI";
+ } elseif (filter_var($str, FILTER_VALIDATE_EMAIL)) {
+ $type = "email";
+ }
+ if (!empty($type)) {
+ return "{$type}:" . cert_escape_x509_chars($str);
+ } else {
+ return "";
+ }
+}
+
?>
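Review bot: cert_add_altname_type() has no doc comment, and its contract matters to callers because an unrecognised value yields "" rather than an error or a fallback type. I would add a docblock stating that the input is classified in the fixed order IP address, hostname, URL, email; that the first match wins; that the result is the `TYPE:` prefix followed by the value passed through cert_escape_x509_chars(); and that the empty string is returned when none of the four tests match, so callers must not append the result blindly. The order is also worth a why-comment, since `is_hostname()` runs before `is_URL()` and a value accepted by both will always be typed `DNS`.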
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 34fc326..97fdc14 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -43,7 +43,7 @@ $cert_types = array(
"server" => "Server Certificate",
"user" => "User Certificate");
-$altname_types = array("DNS", "IP", "email", "URI");
+global $cert_altname_types;
global $openssl_digest_algs;
if (isset($_REQUEST['userid']) && is_numericint($_REQUEST['userid'])) {
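Review bot: `$altname_types` (the list of permitted SAN type tokens) is removed at the third line of this hunk, but nothing in the hunk shows its consumers being updated. If any code outside this hunk still reads `$altname_types` to validate the POSTed `altname_type*` fields, that check now runs against an undefined variable and fails silently, and the unvalidated type is later interpolated into `"{$altname['type']}:..."` in the save hunk below. The keys of the new global are the natural replacement, e.g. `if (!in_array($altname['type'], array_keys($cert_altname_types), true)) {`; please confirm the validation path was updated.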
@@ -445,16 +445,12 @@ if ($_POST['save']) {
if (!empty($pconfig['dn_organizationalunit'])) {
$dn['organizationalUnitName'] = cert_escape_x509_chars($pconfig['dn_organizationalunit']);
}
- if (is_ipaddr($pconfig['dn_commonname'])) {
- $altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
- } else {
- $altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
- }
+ $altnames_tmp = array(cert_add_altname_type($pconfig['dn_commonname']));
if (count($altnames)) {
foreach ($altnames as $altname) {
// The CN is added as a SAN automatically, do not add it again.
if ($altname['value'] != $pconfig['dn_commonname']) {
- $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ $altnames_tmp[] = "{$altname['type']}:" . cert_escape_x509_chars($altname['value']);
}
}
}
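Review bot: The empty-string return of cert_add_altname_type() is stored unfiltered at `$altnames_tmp = array(cert_add_altname_type($pconfig['dn_commonname']));`. For a CN that is neither an IP address, hostname, URL nor email (a CN containing spaces, for instance) `$altnames_tmp[0]` is "", and whatever joins the list into the subjectAltName string after this hunk would emit an empty SAN entry or a dangling separator. Dropping the empty entry is a one-line change, `$altnames_tmp = array_filter(array(cert_add_altname_type($pconfig['dn_commonname'])));`, but note that before this commit the list always held at least the CN entry, so the code after the hunk presumably needs to tolerate an empty list when no other altnames were given. The enclosing `if ($_POST['save'])` block starts and ends outside this hunk.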
@@ -867,12 +863,7 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
'altname_type' . $counter,
'Type',
$item['type'],
- array(
- 'DNS' => gettext('FQDN or Hostname'),
- 'IP' => gettext('IP address'),
- 'URI' => gettext('URI'),
- 'email' => gettext('email address'),
- )
+ $cert_altname_types
))->setHelp(($counter == $numrows) ? 'Type':null);
$group->add(new Form_Input(
@@ -1152,7 +1143,7 @@ foreach ($a_cert as $i => $cert):
$certextinfo = "";
if (is_array($sans) && !empty($sans)) {
$certextinfo .= '<b>' . gettext("SAN: ") . '</b> ';
- $certextinfo .= htmlspecialchars(implode(', ', $sans));
+ $certextinfo .= htmlspecialchars(implode(', ', cert_escape_x509_chars($sans, true)));
$certextinfo .= '<br/>';
}
if (is_array($purpose) && !empty($purpose['ku'])) {
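Review bot: `cert_escape_x509_chars($sans, true)` passes an array, while the function's parameter is named `$str` in the hunk header of the certs.inc diff above and the new helper calls it with a single string. If the implementation is a plain str_replace() it will accept an array subject, but if it does anything string-specific every SAN row in the certificate list renders incorrectly or raises an error; please confirm. A per-element form avoids the dependency on that detail: `$certextinfo .= htmlspecialchars(implode(', ', array_map(function ($san) { return cert_escape_x509_chars($san, true); }, $sans)));`. Unescaping the X.509 characters before htmlspecialchars() is the correct order for this output context.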