author | jim-p <jimp@pfsense.org> | 2017-05-02 15:12:10 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-05-02 15:13:57 -0400 |
commit | 4906f4ee6622c66a46d179cee6a2da963d962ca1 (patch) | |
tree | f115562371b20e4a9d13eba2986b10fdc34e7e0a /src | |
parent | 744978948014b1e068685be5f3270d08f671c480 (diff) | |
Show SAN, KU, and EKU info in the certificate list. Implements #7505
While here, also fix "server" cert detection to key off of the EKU for "TLS Web Server Authentication", since nsCertType has been deprecated.
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/certs.inc | 40 | ||||
-rw-r--r-- | src/usr/local/www/system_certmanager.php | 38 |
2 files changed, 75 insertions, 3 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index ef12843..cb3d1b1 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -511,6 +511,18 @@ function cert_get_subject_hash($crt) {
return $inf_crt['subject'];
}
+function cert_get_sans($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $sans = array();
+ $crt_details = openssl_x509_parse($str_crt);
+ if (!empty($crt_details['extensions']['subjectAltName'])) {
+ $sans = explode(',', $crt_details['extensions']['subjectAltName']);
+ }
+ return $sans;
+}
+
function cert_get_issuer($str_crt, $decode = true) {
if ($decode) {
@@ -564,13 +576,39 @@ function cert_get_publickey($str_crt, $decode = true, $type = "crt") {
}
function cert_get_purpose($str_crt, $decode = true) {
+ $extended_oids = array(
+ "1.3.6.1.5.5.8.2.2" => "IP Security IKE Intermediate",
+ );
if ($decode) {
$str_crt = base64_decode($str_crt);
}
$crt_details = openssl_x509_parse($str_crt);
$purpose = array();
+ if (!empty($crt_details['extensions']['keyUsage'])) {
+ $purpose['ku'] = explode(',', $crt_details['extensions']['keyUsage']);
+ foreach ($purpose['ku'] as & $ku) {
+ $ku = trim($ku);
+ if (array_key_exists($ku, $extended_oids)) {
+ $ku = $extended_oids[$ku];
+ }
+ }
+ } else {
+ $purpose['ku'] = array();
+ }
+ if (!empty($crt_details['extensions']['extendedKeyUsage'])) {
+ $purpose['eku'] = explode(',', $crt_details['extensions']['extendedKeyUsage']);
+ foreach ($purpose['eku'] as & $eku) {
+ $eku = trim($eku);
+ if (array_key_exists($eku, $extended_oids)) {
+ $eku = $extended_oids[$eku];
+ }
+ }
+ } else {
+ $purpose['eku'] = array();
+ }
$purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
- $purpose['server'] = (strpos($crt_details['extensions']['nsCertType'], 'SSL Server') !== FALSE) ? 'Yes': 'No';
+ $purpose['server'] = (in_array('TLS Web Server Authentication', $purpose['eku'])) ? 'Yes': 'No';
+
return $purpose;
}
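Review bot: `cert_get_sans()` splits the subjectAltName text on `,` but, unlike the KU/EKU handling in the following hunk, never trims the pieces, so every entry after the first keeps a leading space; and SAN types such as `dirName:` carry commas inside a single value, so this split is only a display rendering of OpenSSL's text and must not be used for matching. `openssl_x509_parse()` also returns `false` on undecodable input, which `!empty()` silently turns into an empty list here — acceptable for display, but worth stating. Suggest `$sans = array_map('trim', explode(',', $crt_details['extensions']['subjectAltName']));` plus a docblock saying the result is OpenSSL's textual SAN rendering for display only, and that an unparsable certificate yields an empty array.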
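Review bot: The new server test at the end of `cert_get_purpose()` reports `Server: No` for any certificate that carries no EKU extension at all, although RFC 5280 treats absence of EKU as unrestricted and such certificates remain usable for TLS server authentication; the old nsCertType check did not produce that false negative for EKU-less certificates. If the flag is only a GUI hint that is defensible, but document it at the assignment, e.g. `// Derived from EKU only: a cert with no EKU extension is reported as No even though RFC 5280 permits any use`. The two `foreach (... as & $ku)` / `as & $eku` loops leave dangling references, so add `unset($ku);` and `unset($eku);` after each loop, and pass `true` as the third argument to `in_array()` since the values are strings. The `$extended_oids` lookup inside the keyUsage loop appears to be dead code, as keyUsage is a fixed bit string whose OpenSSL rendering contains no OIDs.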
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 04c41ab..229a471 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -1110,6 +1110,7 @@ foreach ($a_cert as $i => $cert):
$subj = cert_get_subject($cert['crt']);
$issuer = cert_get_issuer($cert['crt']);
$purpose = cert_get_purpose($cert['crt']);
+ $sans = cert_get_sans($cert['crt']);
list($startdate, $enddate) = cert_get_dates($cert['crt']);
if ($subj == $issuer) {
@@ -1130,6 +1131,7 @@ foreach ($a_cert as $i => $cert):
if ($cert['csr']) {
$subj = htmlspecialchars(csr_get_subject($cert['csr']));
+ $sans = cert_get_sans($cert['crt']);
$caname = "<em>" . gettext("external - signature pending") . "</em>";
}
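Review bot: In the `if ($cert['csr'])` branch the added line reads SANs from `$cert['crt']`, but this is the "external - signature pending" case where the entry holds a CSR and, judging by the sibling `csr_get_subject($cert['csr'])` call, normally no certificate yet; `cert_get_sans()` is therefore handed an empty or undefined value (an undefined-index notice under strict error reporting) and always returns an empty array, while the SANs actually requested in the CSR are never shown. Either parse them from the CSR — a `csr_get_subject()` helper exists but no SAN counterpart is visible here — or make the intent explicit with `$sans = array(); // SANs of a pending CSR are not displayed; no csr_get_sans() helper yet`. The enclosing `foreach ($a_cert as $i => $cert)` loop begins before this hunk and continues after it.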
@@ -1145,14 +1147,46 @@ foreach ($a_cert as $i => $cert): <i><?=$cert_types[$cert['type']]?></i><br /> <?php endif?> <?php if (is_array($purpose)): ?> - CA: <b><?=$purpose['ca']?></b>, <?=gettext("Server")?>: <b><?=$purpose['server']?></b> + CA: <b><?=$purpose['ca']?></b><br/> + <?=gettext("Server")?>: <b><?=$purpose['server']?></b><br/> <?php endif?> </td> <td><?=$caname?></td> <td> <?=$subj?> - <?php if (!empty($startdate) || !empty($enddate)): ?> <br /> + + <?php + $certextinfo = ""; + if (is_array($sans) && !empty($sans)) { + $certextinfo .= '<b>' . gettext("SAN: ") . '</b> '; + $certextinfo .= htmlspecialchars(implode(', ', $sans)); + $certextinfo .= '<br/>'; + } + if (is_array($purpose) && !empty($purpose['ku'])) { + $certextinfo .= '<b>' . gettext("KU: ") . '</b> '; + $certextinfo .= htmlspecialchars(implode(', ', $purpose['ku'])); + $certextinfo .= '<br/>'; + } + if (is_array($purpose) && !empty($purpose['eku'])) { + $certextinfo .= '<b>' . gettext("EKU: ") . '</b> '; + $certextinfo .= htmlspecialchars(implode(', ', $purpose['eku'])); + $certextinfo .= '<br/>'; + } + ?> + <?php if (!empty($certextinfo)): ?> + <br /> + <?= $certextinfo ?> + <?php endif?> + <!-- FIXME: Infoblock does not currently work inside a table + <?php if (!empty($certextinfo)): ?> + <div class="infoblock"> + <? print_info_box($certextinfo, 'info', false); ?> + </div> + <?php endif?> + --> + + <?php if (!empty($startdate) || !empty($enddate)): ?> <small> <?=gettext("Valid From")?>: <b><?=$startdate ?></b><br /><?=gettext("Valid Until")?>: <b><?=$enddate ?></b> </small> |
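Review bot: The block wrapped in `<!-- FIXME ... -->` is not actually disabled: PHP ignores HTML comments, so `<?php if (!empty($certextinfo)): ?>` … `<?php endif?>` still execute on every row, and `<? print_info_box($certextinfo, 'info', false); ?>` either runs (with `short_open_tag` on) and emits a second rendering of the extension info inside an HTML comment, or (with it off) ships that PHP source verbatim to the browser. Replace the HTML comment with a PHP comment, e.g. `<?php /* FIXME: Infoblock does not currently work inside a table */ ?>`, or remove the block and keep the reminder in the issue tracker. The `htmlspecialchars()` applied to the joined SAN, KU and EKU strings before they are concatenated into `$certextinfo` is the right place to escape, and the default flags suffice because the value is emitted as element text rather than inside an attribute. The enclosing `foreach ($a_cert as $i => $cert)` loop continues outside this hunk.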