authorjim-p <jimp@pfsense.org>2017-09-11 13:44:40 -0400
committerjim-p <jimp@pfsense.org>2017-09-11 13:44:40 -0400
commitaec3a259271be5dae63b148a48b7778c0cd0660e (patch)
treefab7eb6bbd5621590053c71ee2dd42a8a5aad92d /src
parentd071acf5296f4f5a2d606c67ea94b1b5bd6e1dcb (diff)
Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853
While here, add the cert serial number and sig digest type to the info block for each cert.
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/certs.inc23
-rw-r--r--src/usr/local/www/system_certmanager.php27
2 files changed, 47 insertions, 3 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 1ed1b6e..53bebeb 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -435,7 +435,7 @@ function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha2
return true;
}
-function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
+function csr_sign($csr, & $ca, $duration, $type = "user", $altnames, $digest_alg = "sha256") {
global $config;
$old_err_level = error_reporting(0);
@@ -460,6 +460,7 @@ function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
$args = array(
"x509_extensions" => $cert_type,
+ "digest_alg" => $digest_alg,
"req_extensions" => "req_{$cert_type}"
);
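Review bot: The new `"digest_alg" => $digest_alg` entry is passed to OpenSSL without csr_sign() checking the value itself, so the only guard against an unsupported or malformed digest name is the form-level in_array() in system_certmanager.php; if csr_sign() has other callers (not visible here), they get no check at all. The caller at the later hunk treats a falsy return as failure (`if ($n509)`), so a library-side check could reject early in the same convention, e.g. `if (!in_array($digest_alg, openssl_get_md_methods(), true)) { return false; }` placed before `$args` is built. At minimum a comment above the signature stating that `$digest_alg` must be a digest name accepted by openssl_get_md_methods() would document the contract. The body of csr_sign() starts and continues outside this hunk.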
@@ -682,6 +683,26 @@ function cert_get_serial($str_crt, $decode = true) {
}
}
+function cert_get_sigtype($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $crt_details = openssl_x509_parse($str_crt);
+
+ $signature = array();
+ if (isset($crt_details['signatureTypeSN']) && !empty($crt_details['signatureTypeSN'])) {
+ $signature['shortname'] = $crt_details['signatureTypeSN'];
+ }
+ if (isset($crt_details['signatureTypeLN']) && !empty($crt_details['signatureTypeLN'])) {
+ $signature['longname'] = $crt_details['signatureTypeLN'];
+ }
+ if (isset($crt_details['signatureTypeNID']) && !empty($crt_details['signatureTypeNID'])) {
+ $signature['nid'] = $crt_details['signatureTypeNID'];
+ }
+
+ return $signature;
+}
+
function is_openvpn_server_ca($caref) {
global $config;
if (!is_array($config['openvpn']['openvpn-server'])) {
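Review bot: Each guard in the new cert_get_sigtype() is written `isset($x) && !empty($x)`, but `!empty()` already yields false for an unset key, so the `isset()` half is redundant on all three checks; `if (!empty($crt_details['signatureTypeSN']))` reads the same and shorter. The function also has no docblock: a short one stating that it returns an array with optional `shortname`, `longname` and `nid` keys, and an empty array when openssl_x509_parse() cannot parse the input (it returns false, which the empty() checks silently absorb), would tell callers which key to test — the caller in system_certmanager.php relies on `shortname`. Note that base64_decode() is called without its strict flag, so a corrupted `$str_crt` is decoded leniently before the parse attempt; passing `true` would surface that earlier, if that matches how cert_get_serial() handles it (its body is outside the hunk).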
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 0278b5e..0cc0dd0 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -103,6 +103,7 @@ if ($act == "new") {
$pconfig['digest_alg'] = "sha256";
$pconfig['csr_keylen'] = "2048";
$pconfig['csr_digest_alg'] = "sha256";
+ $pconfig['csrsign_digest_alg'] = "sha256";
$pconfig['type'] = "user";
$pconfig['lifetime'] = "3650";
}
@@ -371,6 +372,9 @@ if ($_POST['save']) {
if (($pconfig['method'] == "external") && !in_array($_POST["csr_digest_alg"], $openssl_digest_algs)) {
array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
}
+ if (($pconfig['method'] == "sign") && !in_array($_POST["csrsign_digest_alg"], $openssl_digest_algs)) {
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+ }
}
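Review bot: The added in_array() check on `$_POST["csrsign_digest_alg"]` omits the strict flag, so the membership test is a loose comparison; `in_array($_POST["csrsign_digest_alg"], $openssl_digest_algs, true)` pins it to an exact string match (the sibling csr_digest_alg check on the line above has the same omission, but it is pre-existing). Also worth noting that the value validated here is read from `$_POST`, while the value handed to csr_sign() in the next hunk of this file is `$pconfig['csrsign_digest_alg']`; that is only safe if `$pconfig` is a straight copy of `$_POST` at that point, which is not visible in this diff. Validating and using the same variable removes the question.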
/* save modifications */
@@ -398,7 +402,7 @@ if ($_POST['save']) {
$altname_str = implode(",", $altnames_tmp);
}
- $n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str);
+ $n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str, $pconfig['csrsign_digest_alg']);
if ($n509) {
// Gather the details required to save the new cert
@@ -718,8 +722,15 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
'csrsign_lifetime',
'*Certificate Lifetime (days)',
'number',
- $pconfig['duration'] ? $pconfig['duration']:'3650'
+ $pconfig['csrsign_lifetime'] ? $pconfig['csrsign_lifetime']:'3650'
));
+ $section->addInput(new Form_Select(
+ 'csrsign_digest_alg',
+ '*Digest Algorithm',
+ $pconfig['csrsign_digest_alg'],
+ array_combine($openssl_digest_algs, $openssl_digest_algs)
+ ))->setHelp('NOTE: It is recommended to use an algorithm stronger than '.
+ 'SHA1 when possible');
$form->add($section);
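Review bot: The rewritten default expression `$pconfig['csrsign_lifetime'] ? $pconfig['csrsign_lifetime']:'3650'` reads the key before checking it exists; on the "new" path the earlier hunk initialises `$pconfig['lifetime']`, not `csrsign_lifetime`, so rendering the form there raises an undefined-index notice. `!empty($pconfig['csrsign_lifetime']) ? $pconfig['csrsign_lifetime'] : '3650'` keeps the same fallback semantics (empty string and "0" still fall back) without the notice. The same pattern may apply to `$pconfig['csrsign_digest_alg']` passed to Form_Select two lines below, unless the new-path default added in the first hunk of this file always runs first.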
@@ -1173,6 +1184,18 @@ foreach ($a_cert as $i => $cert):
<?=$subj?>
<?php
$certextinfo = "";
+ $certserial = cert_get_serial($cert['crt']);
+ if (!empty($certserial)) {
+ $certextinfo .= '<b>' . gettext("Serial: ") . '</b> ';
+ $certextinfo .= htmlspecialchars(cert_escape_x509_chars($certserial, true));
+ $certextinfo .= '<br/>';
+ }
+ $certsig = cert_get_sigtype($cert['crt']);
+ if (is_array($certsig) && !empty($certsig) && !empty($certsig['shortname'])) {
+ $certextinfo .= '<b>' . gettext("Signature Digest: ") . '</b> ';
+ $certextinfo .= htmlspecialchars(cert_escape_x509_chars($certsig['shortname'], true));
+ $certextinfo .= '<br/>';
+ }
if (is_array($sans) && !empty($sans)) {
$certextinfo .= '<b>' . gettext("SAN: ") . '</b> ';
$certextinfo .= htmlspecialchars(implode(', ', cert_escape_x509_chars($sans, true)));
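Review bot: The guard `is_array($certsig) && !empty($certsig) && !empty($certsig['shortname'])` is redundant — cert_get_sigtype() always returns an array, and `!empty($certsig['shortname'])` alone already covers an empty or missing key. More importantly, cert_get_serial() and cert_get_sigtype() each base64-decode and re-parse the certificate, so every row of the list now parses the same certificate at least twice (more if `$sans` is obtained the same way, which is outside the hunk); for a long certificate list that is avoidable work. Both calls also assume `$cert['crt']` is set; if entries that hold only a pending CSR are listed on this page (inferred, not visible here), wrapping the two new blocks in `if (!empty($cert['crt']))` avoids parsing an empty string.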