authorEvgeny Yurchenko <ey@tm-k.com>2011-06-23 19:02:34 -0400
committerEvgeny Yurchenko <ey@tm-k.com>2011-06-23 19:02:34 -0400
commit95c8cf48f9bd72da5371aa01a03a070885411dbf (patch)
treef2e31bd16778856299f6101028949e712b53198a /etc
parentca4acbcdd84195c9917363fceabcd4b5294bf1d0 (diff)
downloadpfsense-95c8cf48f9bd72da5371aa01a03a070885411dbf.zip
pfsense-95c8cf48f9bd72da5371aa01a03a070885411dbf.tar.gz
Intermediate CAs and openssl_xxx() error checking in CA management.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/certs.inc42
1 files changed, 42 insertions, 0 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 3595f45..67a3540 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -186,6 +186,48 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
return true;
}
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
+ // Create Intermediate Certificate Authority
+ $signing_ca =& lookup_ca($caref);
+ if (!$signing_ca)
+ return false;
+
+ $signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
+ $signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
+ if (!$signing_ca_res_crt || !$signing_ca_res_key) return false;
+ $signing_ca_serial = ++$signing_ca['serial'];
+
+ $args = array(
+ "digest_alg" => "sha1",
+ "private_key_bits" => (int)$keylen,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => false);
+
+ // generate a new key pair
+ $res_key = openssl_pkey_new($args);
+ if (!$res_key) return false;
+
+ // generate a certificate signing request
+ $res_csr = openssl_csr_new($dn, $res_key, $args);
+ if (!$res_csr) return false;
+
+ // Sign the certificate
+ $res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
+ if (!$res_crt) return false;
+
+ // export our certificate data
+ if (!openssl_pkey_export($res_key, $str_key) ||
+ !openssl_x509_export($res_crt, $str_crt))
+ return false;
+
+ // return our ca information
+ $ca['crt'] = base64_encode($str_crt);
+ $ca['prv'] = base64_encode($str_key);
+ $ca['serial'] = 0;
+
+ return true;
+}
+
function cert_import(& $cert, $crt_str, $key_str) {
$cert['crt'] = base64_encode($crt_str);
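Review bot: The intermediate CA certificate is signed with `"digest_alg" => "sha1"` in `$args`, and `openssl_csr_sign` is called with no explicit extensions section, so whether the new certificate gets `basicConstraints = CA:TRUE` is decided by the `x509_extensions` setting of the system openssl.cnf rather than by this code. SHA-1 is deprecated for new signatures, and an intermediate that is not marked `CA:TRUE` will be rejected by verifiers once it is used to sign leaf certificates, so I would make both explicit in `$args`: `"digest_alg" => "sha256",` and `"x509_extensions" => "v3_ca",` (or whichever section the bundled config defines for CA certificates); `ca_create` above the hunk presumably needs the same treatment, but its body is not visible here. The `++$signing_ca['serial']` bump appears to reach the stored CA only because `lookup_ca` is taken by reference on the `$signing_ca =& lookup_ca($caref)` line, and nothing in this function persists it; a short comment such as `// increments the parent CA's serial in place; the caller must write the config back` would make that contract visible to the next maintainer.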