author | jim-p <jimp@pfsense.org> | 2017-09-11 13:44:40 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-09-11 13:44:40 -0400 |
commit | aec3a259271be5dae63b148a48b7778c0cd0660e (patch) | |
tree | fab7eb6bbd5621590053c71ee2dd42a8a5aad92d /src/etc | |
parent | d071acf5296f4f5a2d606c67ea94b1b5bd6e1dcb (diff) | |
Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853
While here, add the cert serial number and sig digest type to the info block for each cert.
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/certs.inc | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 1ed1b6e..53bebeb 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -435,7 +435,7 @@ function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha2
 return true;
 }
-function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
+function csr_sign($csr, & $ca, $duration, $type = "user", $altnames, $digest_alg = "sha256") {
 global $config;
 $old_err_level = error_reporting(0);
@@ -460,6 +460,7 @@ function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
 $args = array(
 "x509_extensions" => $cert_type,
+ "digest_alg" => $digest_alg,
 "req_extensions" => "req_{$cert_type}"
 );
@@ -682,6 +683,26 @@ function cert_get_serial($str_crt, $decode = true) {
 }
 }
+function cert_get_sigtype($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $crt_details = openssl_x509_parse($str_crt);
+
+ $signature = array();
+ if (isset($crt_details['signatureTypeSN']) && !empty($crt_details['signatureTypeSN'])) {
+ $signature['shortname'] = $crt_details['signatureTypeSN'];
+ }
+ if (isset($crt_details['signatureTypeLN']) && !empty($crt_details['signatureTypeLN'])) {
+ $signature['longname'] = $crt_details['signatureTypeLN'];
+ }
+ if (isset($crt_details['signatureTypeNID']) && !empty($crt_details['signatureTypeNID'])) {
+ $signature['nid'] = $crt_details['signatureTypeNID'];
+ }
+
+ return $signature;
+}
+
 function is_openvpn_server_ca($caref) {
 global $config;
 if (!is_array($config['openvpn']['openvpn-server'])) { |
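Review bot: The new `$digest_alg` parameter is placed into the OpenSSL config array in the second hunk (`"digest_alg" => $digest_alg,`) without any check, so a name OpenSSL does not support makes `openssl_csr_sign()` fail, and with `error_reporting(0)` already set at the top of `csr_sign()` that failure surfaces only as whatever the later error path returns, with nothing pointing at the digest name as the cause. A guard before the array is built makes the failure explicit: `if (!in_array($digest_alg, openssl_get_md_methods(), true)) { return false; }` — the return value should follow the function's existing failure convention, which lies outside the hunk. It is also worth confirming that `csr_generate()`, whose signature in the first hunk header carries the same `$digest_alg` parameter, validates it the same way so the two entry points behave consistently. The body of `csr_sign()` continues past both hunks.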
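Review bot: In `cert_get_sigtype()` the result of `openssl_x509_parse()` is never checked, so a certificate that fails to parse (the function returns `false`) and a valid one that simply lacks signature fields both come back as `array()`, which the caller cannot tell apart. An explicit early return after the parse, `if ($crt_details === false) { return $signature; }` with a comment noting that unparseable input yields an empty result, makes the contract visible (returning `false` instead would let callers distinguish the two cases, but changes the return shape). The three `isset(...) && !empty(...)` pairs are redundant, since `!empty()` already returns false for an unset key; `if (!empty($crt_details['signatureTypeSN'])) {` is equivalent and matches the shape of `cert_get_serial()` named in the hunk header. A short docblock stating that the returned array may hold `shortname`, `longname` and `nid` keys, each present only when OpenSSL reports it, would help the info-block callers the commit message refers to.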