author | Evgeny Yurchenko <ey@tm-k.com> | 2011-06-23 19:02:34 -0400 |
---|---|---|
committer | Evgeny Yurchenko <ey@tm-k.com> | 2011-06-23 19:02:34 -0400 |
commit | 95c8cf48f9bd72da5371aa01a03a070885411dbf (patch) | |
tree | f2e31bd16778856299f6101028949e712b53198a /etc/inc/certs.inc | |
parent | ca4acbcdd84195c9917363fceabcd4b5294bf1d0 (diff) | |
Intermediate CAs and openssl_xxx() error checking in CA management.
Diffstat (limited to 'etc/inc/certs.inc')
-rw-r--r-- | etc/inc/certs.inc | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 3595f45..67a3540 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -186,6 +186,48 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
 	return true;
 }
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
+	// Create Intermediate Certificate Authority
+	$signing_ca =& lookup_ca($caref);
+	if (!$signing_ca)
+		return false;
+
+	$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
+	$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
+	if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
+	$signing_ca_serial = ++$signing_ca['serial'];
+
+	$args = array(
+		"digest_alg" => "sha1",
+		"private_key_bits" => (int)$keylen,
+		"private_key_type" => OPENSSL_KEYTYPE_RSA,
+		"encrypt_key" => false);
+
+	// generate a new key pair
+	$res_key = openssl_pkey_new($args);
+	if (!$res_key) return false;
+
+	// generate a certificate signing request
+	$res_csr = openssl_csr_new($dn, $res_key, $args);
+	if (!$res_csr) return false;
+
+	// Sign the certificate
+	$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
+	if (!$res_crt) return false;
+
+	// export our certificate data
+	if (!openssl_pkey_export($res_key, $str_key) ||
+		!openssl_x509_export($res_crt, $str_crt))
+		return false;
+
+	// return our ca information
+	$ca['crt'] = base64_encode($str_crt);
+	$ca['prv'] = base64_encode($str_key);
+	$ca['serial'] = 0;
+
+	return true;
+}
+
 function cert_import(& $cert, $crt_str, $key_str) {
+
 	$cert['crt'] = base64_encode($crt_str); |
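Review bot: The new intermediate CA is signed with `"digest_alg" => "sha1"` in the `$args` array of ca_inter_create; SHA-1 signatures on issuer certificates are no longer accepted as strong, and a weak digest on a CA certificate affects every certificate that CA later signs, so this should be `"digest_alg" => "sha256",`. The same `$args` is passed to openssl_csr_new and openssl_csr_sign without an `x509_extensions` entry, so whether the issued certificate actually carries basicConstraints CA:TRUE depends on PHP's default of `v3_ca` and on that section being present in the system openssl.cnf — an explicit `"x509_extensions" => "v3_ca",` would make the intent visible and checkable. Note also that `++$signing_ca['serial']` consumes a serial of the signing CA through the reference returned by lookup_ca before any openssl call can fail; that is harmless for uniqueness, but whether the incremented value is persisted is decided by the caller outside this hunk. When the function returns false, none of the openssl_error_string() output is captured, so the caller can only report a generic failure rather than which step failed.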