path: root/etc/inc/certs.inc
authorjim-p <jimp@pfsense.org>2010-09-16 16:57:34 -0400
committerjim-p <jimp@pfsense.org>2010-09-16 16:57:34 -0400
commitc5f010aa1904120294da1b4d97cbff87ba061960 (patch)
tree138828c41b53b384d0f48c32c614208bfb14360e /etc/inc/certs.inc
parent999111cb73957679debbe5831e1b7d01c3985b1f (diff)
downloadpfsense-c5f010aa1904120294da1b4d97cbff87ba061960.zip
pfsense-c5f010aa1904120294da1b4d97cbff87ba061960.tar.gz
Add some CRL support functions, not active or used in the GUI yet.
Diffstat (limited to 'etc/inc/certs.inc')
-rw-r--r--etc/inc/certs.inc121
1 files changed, 119 insertions, 2 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 9ac7120..22831a1 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -1,8 +1,9 @@
<?php
/* $Id$ */
/*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -67,6 +68,25 @@ function & lookup_cert($refid) {
return false;
}
+function & lookup_cert_by_name($name) {
+ global $config;
+ if (is_array($config['cert']))
+ foreach ($config['cert'] as & $cert)
+ if ($cert['name'] == $name)
+ return $cert;
+}
+
+function & lookup_crl($refid) {
+ global $config;
+
+ if (is_array($config['crl']))
+ foreach ($config['crl'] as & $crl)
+ if ($crl['refid'] == $refid)
+ return $crl;
+
+ return false;
+}
+
function ca_chain_array(& $cert) {
if($cert['caref']) {
$chain = array();
@@ -397,4 +417,101 @@ function cert_in_use($certref) {
is_ipsec_cert($certref));
}
+/*
+CRL code is a *WORK IN PROGRESS* do not try to use these functions yet.
+
+OpenSSL CRL status code constants.
+OCSP_REVOKED_STATUS_NOSTATUS
+OCSP_REVOKED_STATUS_UNSPECIFIED
+OCSP_REVOKED_STATUS_KEYCOMPROMISE
+OCSP_REVOKED_STATUS_CACOMPROMISE
+OCSP_REVOKED_STATUS_AFFILIATIONCHANGED
+OCSP_REVOKED_STATUS_SUPERSEDED
+OCSP_REVOKED_STATUS_CESSATIONOFOPERATION
+OCSP_REVOKED_STATUS_CERTIFICATEHOLD
+OCSP_REVOKED_STATUS_REMOVEFROMCRL
+*/
+
+$openssl_crl_status = array(
+ OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)",
+ OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified",
+ OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise",
+ OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise",
+ OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed",
+ OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded",
+ OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation",
+ OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold",
+ OCSP_REVOKED_STATUS_REMOVEFROMCRL => "Remove from CRL"
+);
+
+function crl_create(& $crl, $caref, $name, $serial=0, $lifetime=9999) {
+ global $config;
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+ $crl['name'] = $name;
+ $crl['caref'] = $caref;
+ $crl['serial'] = $serial;
+ $crl['lifetime'] = $lifetime;
+ $crl['cert'] = array();
+ $crl_res = crl_update($crl);
+ $config['crl'][] = $crl;
+ return $crl_res;
+}
+
+function crl_update(& $crl) {
+ global $config;
+ $ca =& lookup_ca($crl['caref']);
+ if (!$ca)
+ return false;
+ $crl['serial']++;
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
+ foreach ($crl['cert'] as $cert) {
+ openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ }
+ openssl_crl_export($crl_res, $crl_text, $ca_str_key);
+ $crl['text'] = base64_encode($crl_text);
+ return $crl_res;
+}
+
+function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
+ global $config;
+ if (is_cert_revoked($cert))
+ return true;
+ $cert["reason"] = $reason;
+ $cert["revoke_time"] = time();
+ $crl["cert"][] = $cert;
+ crl_update($crl);
+}
+
+function cert_unrevoke($cert, & $crl) {
+ global $config;
+ foreach ($crl['cert'] as $id => $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name'])) {
+ unset($crl['cert'][$id]);
+ crl_update($crl);
+ return true;
+ }
+ }
+ return false;
+}
+
+function is_cert_revoked($cert) {
+ global $config;
+ if (!is_array($config['crl']) || is_array($config['crl']['cert']))
+ return false;
+
+ foreach ($config['crl'] as $crl) {
+ if (!is_array($config['crl']['cert']))
+ continue;
+ foreach ($config['crl']['cert'] as $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name']))
+ return true;
+ }
+ }
+ return false;
+}
+
?>
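Review bot: is_cert_revoked always returns false as written: the loop variable `$crl` is never read, and the early return, the `continue` guard and the inner foreach all test `$config['crl']['cert']`, which does not exist when `$config['crl']` is the list of CRL entries that crl_create appends to. The three lines should be `if (!is_array($config['crl']))`, `if (!is_array($crl['cert']))` and `foreach ($crl['cert'] as $rcert)`. Since cert_revoke relies on this check to avoid double-revoking, the bug also means repeated cert_revoke calls for one certificate append duplicate entries to the CRL. Separately, cert_revoke returns `true` on the already-revoked path but falls off the end with no return value after actually revoking; a `return true;` after its crl_update call (or returning crl_update's result) would give callers a consistent answer. The refid/name matches use loose `==` here and in lookup_cert_by_name; `===` would avoid type-juggling surprises, although the existing lookup functions in this file use `==` as well.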