author | jim-p <jimp@pfsense.org> | 2010-09-16 16:57:34 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-09-16 16:57:34 -0400 |
commit | c5f010aa1904120294da1b4d97cbff87ba061960 (patch) | |
tree | 138828c41b53b384d0f48c32c614208bfb14360e /etc | |
parent | 999111cb73957679debbe5831e1b7d01c3985b1f (diff) | |
Add some CRL support functions, not active or used in the GUI yet.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/certs.inc | 121 |
1 files changed, 119 insertions, 2 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 9ac7120..22831a1 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -1,8 +1,9 @@
 <?php
 /* $Id$ */
 /*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
@@ -67,6 +68,25 @@ function & lookup_cert($refid) {
 return false;
 }
 
+function & lookup_cert_by_name($name) {
+ global $config;
+ if (is_array($config['cert']))
+ foreach ($config['cert'] as & $cert)
+ if ($cert['name'] == $name)
+ return $cert;
+}
+
+function & lookup_crl($refid) {
+ global $config;
+
+ if (is_array($config['crl']))
+ foreach ($config['crl'] as & $crl)
+ if ($crl['refid'] == $refid)
+ return $crl;
+
+ return false;
+}
+
 function ca_chain_array(& $cert) {
 if($cert['caref']) {
 $chain = array();
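Review bot: lookup_cert_by_name in the second hunk falls off the end without a return when nothing matches, unlike lookup_cert and lookup_crl which `return false;`; a by-reference function that reaches its end yields null, so loose callers still work, but add `return false;` after the loop so the three lookups share one contract. The match `if ($cert['name'] == $name)` is a loose comparison on a string that may come from a form, so `===` is safer against numeric-looking names comparing equal. Nothing in this hunk enforces that certificate names are unique while refids are the key used elsewhere, so anything security-relevant should resolve by refid via lookup_cert rather than by name; a one-line comment on lookup_cert_by_name saying `// name is not guaranteed unique; first match wins` would make that explicit.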
@@ -397,4 +417,101 @@ function cert_in_use($certref) {
 is_ipsec_cert($certref));
 }
 
+/*
+CRL code is a *WORK IN PROGRESS* do not try to use these functions yet.
+
+OpenSSL CRL status code constants.
+OCSP_REVOKED_STATUS_NOSTATUS
+OCSP_REVOKED_STATUS_UNSPECIFIED
+OCSP_REVOKED_STATUS_KEYCOMPROMISE
+OCSP_REVOKED_STATUS_CACOMPROMISE
+OCSP_REVOKED_STATUS_AFFILIATIONCHANGED
+OCSP_REVOKED_STATUS_SUPERSEDED
+OCSP_REVOKED_STATUS_CESSATIONOFOPERATION
+OCSP_REVOKED_STATUS_CERTIFICATEHOLD
+OCSP_REVOKED_STATUS_REMOVEFROMCRL
+*/
+
+$openssl_crl_status = array(
+ OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)",
+ OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified",
+ OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise",
+ OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise",
+ OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed",
+ OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded",
+ OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation",
+ OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold",
+ OCSP_REVOKED_STATUS_REMOVEFROMCRL => "Remove from CRL"
+);
+
+function crl_create(& $crl, $caref, $name, $serial=0, $lifetime=9999) {
+ global $config;
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+ $crl['name'] = $name;
+ $crl['caref'] = $caref;
+ $crl['serial'] = $serial;
+ $crl['lifetime'] = $lifetime;
+ $crl['cert'] = array();
+ $crl_res = crl_update($crl);
+ $config['crl'][] = $crl;
+ return $crl_res;
+}
+
+function crl_update(& $crl) {
+ global $config;
+ $ca =& lookup_ca($crl['caref']);
+ if (!$ca)
+ return false;
+ $crl['serial']++;
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
+ foreach ($crl['cert'] as $cert) {
+ openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ }
+ openssl_crl_export($crl_res, $crl_text, $ca_str_key);
+ $crl['text'] = base64_encode($crl_text);
+ return $crl_res;
+}
+
+function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
+ global $config;
+ if (is_cert_revoked($cert))
+ return true;
+ $cert["reason"] = $reason;
+ $cert["revoke_time"] = time();
+ $crl["cert"][] = $cert;
+ crl_update($crl);
+}
+
+function cert_unrevoke($cert, & $crl) {
+ global $config;
+ foreach ($crl['cert'] as $id => $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name'])) {
+ unset($crl['cert'][$id]);
+ crl_update($crl);
+ return true;
+ }
+ }
+ return false;
+}
+
+function is_cert_revoked($cert) {
+ global $config;
+ if (!is_array($config['crl']) || is_array($config['crl']['cert']))
+ return false;
+
+ foreach ($config['crl'] as $crl) {
+ if (!is_array($config['crl']['cert']))
+ continue;
+ foreach ($config['crl']['cert'] as $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name']))
+ return true;
+ }
+ }
+ return false;
+}
+
 ?> |
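Review bot: is_cert_revoked can never return true, because inside the loop it tests `$config['crl']['cert']` instead of the per-entry `$crl['cert']`, so `continue` fires on every iteration (the `|| is_array($config['crl']['cert'])` term in the early return is looking at the wrong level too). Since cert_revoke relies on that check, the same certificate can be appended to a CRL repeatedly, and any caller that later uses this as a revocation gate fails open. Change the three lines to `if (!is_array($config['crl'])) return false;`, `if (!is_array($crl['cert'])) continue;` and `foreach ($crl['cert'] as $rcert) {`. crl_update also signs with `$ca['prv']` without checking it is present; if a CA entry can exist without its private key (an imported CA certificate, for instance), an empty key is passed to openssl_crl_export, so `if (empty($ca['prv'])) return false;` before the base64_decode is worth adding. cert_revoke returns nothing on its success path, so callers cannot tell a signed CRL from a failed crl_update — `return crl_update($crl);` closes that gap.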