summaryrefslogtreecommitdiffstats
path: root/etc
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2010-09-16 16:57:34 -0400
committerjim-p <jimp@pfsense.org>2010-09-16 16:57:34 -0400
commitc5f010aa1904120294da1b4d97cbff87ba061960 (patch)
tree138828c41b53b384d0f48c32c614208bfb14360e /etc
parent999111cb73957679debbe5831e1b7d01c3985b1f (diff)
downloadpfsense-c5f010aa1904120294da1b4d97cbff87ba061960.zip
pfsense-c5f010aa1904120294da1b4d97cbff87ba061960.tar.gz
Add some CRL support functions, not active or used in the GUI yet.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/certs.inc121
1 files changed, 119 insertions, 2 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 9ac7120..22831a1 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -1,8 +1,9 @@
<?php
/* $Id$ */
/*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -67,6 +68,25 @@ function & lookup_cert($refid) {
return false;
}
+function & lookup_cert_by_name($name) {
+ global $config;
+ if (is_array($config['cert']))
+ foreach ($config['cert'] as & $cert)
+ if ($cert['name'] == $name)
+ return $cert;
+}
+
+function & lookup_crl($refid) {
+ global $config;
+
+ if (is_array($config['crl']))
+ foreach ($config['crl'] as & $crl)
+ if ($crl['refid'] == $refid)
+ return $crl;
+
+ return false;
+}
+
function ca_chain_array(& $cert) {
if($cert['caref']) {
$chain = array();
@@ -397,4 +417,101 @@ function cert_in_use($certref) {
is_ipsec_cert($certref));
}
+/*
+CRL code is a *WORK IN PROGRESS* do not try to use these functions yet.
+
+OpenSSL CRL status code constants.
+OCSP_REVOKED_STATUS_NOSTATUS
+OCSP_REVOKED_STATUS_UNSPECIFIED
+OCSP_REVOKED_STATUS_KEYCOMPROMISE
+OCSP_REVOKED_STATUS_CACOMPROMISE
+OCSP_REVOKED_STATUS_AFFILIATIONCHANGED
+OCSP_REVOKED_STATUS_SUPERSEDED
+OCSP_REVOKED_STATUS_CESSATIONOFOPERATION
+OCSP_REVOKED_STATUS_CERTIFICATEHOLD
+OCSP_REVOKED_STATUS_REMOVEFROMCRL
+*/
+
+$openssl_crl_status = array(
+ OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)",
+ OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified",
+ OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise",
+ OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise",
+ OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed",
+ OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded",
+ OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation",
+ OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold",
+ OCSP_REVOKED_STATUS_REMOVEFROMCRL => "Remove from CRL"
+);
+
+function crl_create(& $crl, $caref, $name, $serial=0, $lifetime=9999) {
+ global $config;
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+ $crl['name'] = $name;
+ $crl['caref'] = $caref;
+ $crl['serial'] = $serial;
+ $crl['lifetime'] = $lifetime;
+ $crl['cert'] = array();
+ $crl_res = crl_update($crl);
+ $config['crl'][] = $crl;
+ return $crl_res;
+}
+
+function crl_update(& $crl) {
+ global $config;
+ $ca =& lookup_ca($crl['caref']);
+ if (!$ca)
+ return false;
+ $crl['serial']++;
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
+ foreach ($crl['cert'] as $cert) {
+ openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ }
+ openssl_crl_export($crl_res, $crl_text, $ca_str_key);
+ $crl['text'] = base64_encode($crl_text);
+ return $crl_res;
+}
+
+function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
+ global $config;
+ if (is_cert_revoked($cert))
+ return true;
+ $cert["reason"] = $reason;
+ $cert["revoke_time"] = time();
+ $crl["cert"][] = $cert;
+ crl_update($crl);
+}
+
+function cert_unrevoke($cert, & $crl) {
+ global $config;
+ foreach ($crl['cert'] as $id => $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name'])) {
+ unset($crl['cert'][$id]);
+ crl_update($crl);
+ return true;
+ }
+ }
+ return false;
+}
+
+function is_cert_revoked($cert) {
+ global $config;
+ if (!is_array($config['crl']) || is_array($config['crl']['cert']))
+ return false;
+
+ foreach ($config['crl'] as $crl) {
+ if (!is_array($config['crl']['cert']))
+ continue;
+ foreach ($config['crl']['cert'] as $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name']))
+ return true;
+ }
+ }
+ return false;
+}
+
?>
OpenPOWER on IntegriCloud