authorRenato Botelho <renato@netgate.com>2017-04-20 15:49:40 -0300
committerRenato Botelho <renato@netgate.com>2017-04-20 15:49:40 -0300
commit89cce183cedda765ab3ede33ad455ad171db9fc9 (patch)
tree8abb3fb5105199659b2a6448a89b16907a027bf2
parent338a2121136a38c8649bc5e71edb880530f6e187 (diff)
parent6d6ba6601997908dcea91b26feb07b760ad7105d (diff)
downloadpfsense-89cce183cedda765ab3ede33ad455ad171db9fc9.zip
pfsense-89cce183cedda765ab3ede33ad455ad171db9fc9.tar.gz
Merge pull request #3693 from PiBa-NL/20170416-certmanager-import-ecc-certs
-rw-r--r--src/etc/inc/certs.inc41
-rw-r--r--src/usr/local/www/system_camanager.php2
-rw-r--r--src/usr/local/www/system_certmanager.php8
3 files changed, 22 insertions, 29 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index bb114c8..0eb70cf 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -541,29 +541,26 @@ function cert_get_issuer($str_crt, $decode = true) {
return $issuer;
}
-/* this function works on x509 (crt), rsa key (prv), and req(csr) */
-function cert_get_modulus($str_crt, $decode = true, $type = "crt") {
+/* Works for both RSA and ECC (crt) and key (prv) */
+function cert_get_publickey($str_crt, $decode = true, $type = "crt") {
if ($decode) {
$str_crt = base64_decode($str_crt);
}
-
- $modulus = "";
- if (in_array($type, array("crt", "prv", "csr"))) {
- $type = str_replace(array("crt", "prv", "csr"), array("x509", "rsa", "req"), $type);
- $modulus = exec("echo \"{$str_crt}\" | openssl {$type} -noout -modulus");
+ switch ($type) {
+ case 'prv':
+ exec("echo \"{$str_crt}\" | openssl pkey -pubout", $out);
+ break;
+ case 'crt':
+ exec("echo \"{$str_crt}\" | openssl x509 -inform pem -noout -pubkey", $out);
+ break;
+ case 'csr':
+ exec("echo \"{$str_crt}\" | openssl req -inform pem -noout -pubkey", $out);
+ break;
+ default:
+ $out = array();
+ break;
}
- return $modulus;
-}
-
-/* Same but returns modulus keysize not modulus itself */
-function cert_get_modulus_keysize($str_crt, $decode = true, $type = "crt") {
- // modulus usually returned as "modulus=.....". Remove anything before an "=" and return 4 x (hex string length)
- $raw_modulus = explode('=', cert_get_modulus($str_crt, $decode, $type));
- return strlen(array_pop($raw_modulus))*4;
-}
-
-function csr_get_modulus($str_crt, $decode = true) {
- return cert_get_modulus($str_crt, $decode, "csr");
+ return implode("\n", $out);
}
function cert_get_purpose($str_crt, $decode = true) {
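Review bot: The three exec() calls in the new cert_get_publickey() still splice the PEM text straight into a double-quoted shell command, and in the callers that text is $_POST['cert'] / $_POST['key'] (the system_camanager.php and system_certmanager.php hunks below), so shell metacharacters in pasted input reach the shell; the old cert_get_modulus() had the same construction, and this rewrite is the moment to fix it rather than carry it over. Quote the value with escapeshellarg() (or feed it on stdin via proc_open) in each case. The function also returns "" when openssl fails or $type is unknown, and because cert_compare() and both manager checks compare two results with ==/!=, two unparseable inputs compare as a match; pass exec()'s return-code argument, return false on failure, and have the callers reject a false result explicitly instead of relying on inequality alone. The rewritten switch is below.

```php
function cert_get_publickey($str_crt, $decode = true, $type = "crt") {
	// … unchanged: base64 decode when $decode is set …
	/* The PEM text comes from POST data in the callers; quote it for the
	 * shell instead of interpolating it into the command string. */
	$pem = escapeshellarg($str_crt);
	$out = array();
	$rc = 1;
	switch ($type) {
		case 'prv':
			exec("echo {$pem} | openssl pkey -pubout", $out, $rc);
			break;
		case 'crt':
			exec("echo {$pem} | openssl x509 -inform pem -noout -pubkey", $out, $rc);
			break;
		case 'csr':
			exec("echo {$pem} | openssl req -inform pem -noout -pubkey", $out, $rc);
			break;
	}
	/* An empty result must never compare equal to another empty result in
	 * cert_compare() or the key/certificate match checks; callers test for false. */
	if ($rc !== 0 || empty($out)) {
		return false;
	}
	return implode("\n", $out);
}
```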
@@ -603,10 +600,6 @@ function cert_get_serial($str_crt, $decode = true) {
}
}
-function prv_get_modulus($str_crt, $decode = true) {
- return cert_get_modulus($str_crt, $decode, "prv");
-}
-
function is_openvpn_server_ca($caref) {
global $config;
if (!is_array($config['openvpn']['openvpn-server'])) {
@@ -861,7 +854,7 @@ function cert_compare($cert1, $cert2) {
if ((cert_get_issuer($c1, false) == cert_get_issuer($c2, false)) &&
(cert_get_subject($c1, false) == cert_get_subject($c2, false)) &&
(cert_get_serial($c1, false) == cert_get_serial($c2, false)) &&
- (cert_get_modulus($c1, false) == cert_get_modulus($c2, false))) {
+ (cert_get_publickey($c1, false) == cert_get_publickey($c2, false))) {
return true;
}
return false;
diff --git a/src/usr/local/www/system_camanager.php b/src/usr/local/www/system_camanager.php
index 997ca8e..7505473 100644
--- a/src/usr/local/www/system_camanager.php
+++ b/src/usr/local/www/system_camanager.php
@@ -171,7 +171,7 @@ if ($_POST['save']) {
if ($_POST['key'] && strstr($_POST['key'], "ENCRYPTED")) {
$input_errors[] = gettext("Encrypted private keys are not yet supported.");
}
- if (!$input_errors && !empty($_POST['key']) && cert_get_modulus($_POST['cert'], false) != prv_get_modulus($_POST['key'], false)) {
+ if (!$input_errors && !empty($_POST['key']) && cert_get_publickey($_POST['cert'], false) != cert_get_publickey($_POST['key'], false, 'prv')) {
$input_errors[] = gettext("The submitted private key does not match the submitted certificate data.");
}
}
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 7b5ea66..735b8ef 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -241,7 +241,7 @@ if ($_POST['save']) {
$input_errors[] = gettext("This certificate does not appear to be valid.");
}
- if (cert_get_modulus($_POST['cert'], false) != prv_get_modulus($_POST['key'], false)) {
+ if (cert_get_publickey($_POST['cert'], false) != cert_get_publickey($_POST['key'], false, 'prv')) {
$input_errors[] = gettext("The submitted private key does not match the submitted certificate data.");
}
}
@@ -549,12 +549,12 @@ if ($_POST['save']) {
// $subject_mismatch = true;
// }
// }
- $mod_csr = csr_get_modulus($pconfig['csr'], false);
- $mod_cert = cert_get_modulus($pconfig['cert'], false);
+ $mod_csr = cert_get_publickey($pconfig['csr'], false, 'csr');
+ $mod_cert = cert_get_publickey($pconfig['cert'], false);
if (strcmp($mod_csr, $mod_cert)) {
// simply: if the moduli don't match, then the private key and public key won't match
- $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."), $subj_cert);
+ $input_errors[] = sprintf(gettext("The certificate public key does not match the signing request public key."), $subj_cert);
$subject_mismatch = true;
}
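Review bot: The sprintf() on the changed error line still receives $subj_cert, but the new message has no format placeholder, so the argument is silently dropped; either drop the wrapper, `$input_errors[] = gettext("The certificate public key does not match the signing request public key.");`, or put the subject into the message with a `%s`. The comment two lines above and the $mod_csr/$mod_cert names still speak of moduli, which this commit replaced with full public keys; renaming them to `$pubkey_csr`/`$pubkey_cert` and rewriting the comment as `// if the public keys differ, the CSR and certificate cannot share a private key` keeps the block consistent with the function it now calls. The enclosing block starts before this hunk.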