author | jim-p <jimp@pfsense.org> | 2017-09-11 13:44:40 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-09-11 13:44:40 -0400 |
commit | aec3a259271be5dae63b148a48b7778c0cd0660e (patch) | |
tree | fab7eb6bbd5621590053c71ee2dd42a8a5aad92d /src | |
parent | d071acf5296f4f5a2d606c67ea94b1b5bd6e1dcb (diff) | |
Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853
While here, add the cert serial number and sig digest type to the info block for each cert.
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/certs.inc | 23 | ||||
-rw-r--r-- | src/usr/local/www/system_certmanager.php | 27 |
2 files changed, 47 insertions, 3 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 1ed1b6e..53bebeb 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -435,7 +435,7 @@ function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha2
 return true;
 }
-function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
+function csr_sign($csr, & $ca, $duration, $type = "user", $altnames, $digest_alg = "sha256") {
 global $config;
 $old_err_level = error_reporting(0);
@@ -460,6 +460,7 @@ function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
 $args = array(
 "x509_extensions" => $cert_type,
+ "digest_alg" => $digest_alg,
 "req_extensions" => "req_{$cert_type}"
 );
@@ -682,6 +683,26 @@ function cert_get_serial($str_crt, $decode = true) {
 }
 }
+function cert_get_sigtype($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $crt_details = openssl_x509_parse($str_crt);
+ $signature = array();
+ if (isset($crt_details['signatureTypeSN']) && !empty($crt_details['signatureTypeSN'])) {
+ $signature['shortname'] = $crt_details['signatureTypeSN'];
+ }
+ if (isset($crt_details['signatureTypeLN']) && !empty($crt_details['signatureTypeLN'])) {
+ $signature['longname'] = $crt_details['signatureTypeLN'];
+ }
+ if (isset($crt_details['signatureTypeNID']) && !empty($crt_details['signatureTypeNID'])) {
+ $signature['nid'] = $crt_details['signatureTypeNID'];
+ }
+ return $signature;
+}
 function is_openvpn_server_ca($caref) {
 global $config;
 if (!is_array($config['openvpn']['openvpn-server'])) {
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 0278b5e..0cc0dd0 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
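Review bot: The new `$digest_alg` parameter of csr_sign is copied straight into the `digest_alg` entry of `$args` in the second hunk without being checked against the permitted list, so any caller that does not go through the page-level validation in system_certmanager.php can hand an arbitrary string to openssl_csr_sign, and because `error_reporting(0)` is in force at the top of the function the failure surfaces only as a false return with nothing in the logs saying why. Assuming `$openssl_digest_algs` is reachable from certs.inc as it is on the manager page, a guard right after the `global` line, `if (!in_array($digest_alg, $openssl_digest_algs, true)) { return false; }`, would keep the library function self-validating and fail the same way its other error paths appear to. The body of csr_sign continues outside both hunks.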
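Review bot: In cert_get_sigtype the three `isset(...) && !empty(...)` pairs are redundant, since `!empty()` already yields false for a missing key; each condition can simply read `if (!empty($crt_details['signatureTypeSN'])) {` and so on. The function also never checks the result of `openssl_x509_parse`, which returns false for input it cannot parse; the offset reads on a false value happen to stay silent, but an explicit `if (!is_array($crt_details)) { return array(); }` directly after the parse call makes the empty result for an unparseable certificate deliberate rather than incidental, and spares callers from reasoning about it. A short docblock stating that the return is an array with optional `shortname`, `longname` and `nid` keys, empty when the certificate cannot be parsed, would help the new caller in system_certmanager.php.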
@@ -103,6 +103,7 @@ if ($act == "new") {
 $pconfig['digest_alg'] = "sha256";
 $pconfig['csr_keylen'] = "2048";
 $pconfig['csr_digest_alg'] = "sha256";
+ $pconfig['csrsign_digest_alg'] = "sha256";
 $pconfig['type'] = "user";
 $pconfig['lifetime'] = "3650";
 }
@@ -371,6 +372,9 @@ if ($_POST['save']) {
 if (($pconfig['method'] == "external") && !in_array($_POST["csr_digest_alg"], $openssl_digest_algs)) {
 array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
 }
+ if (($pconfig['method'] == "sign") && !in_array($_POST["csrsign_digest_alg"], $openssl_digest_algs)) {
+ array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+ }
 }
 /* save modifications */
@@ -398,7 +402,7 @@ if ($_POST['save']) {
 $altname_str = implode(",", $altnames_tmp);
 }
- $n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str);
+ $n509 = csr_sign($csr, $ca, $pconfig['csrsign_lifetime'], $pconfig['type'], $altname_str, $pconfig['csrsign_digest_alg']);
 if ($n509) {
 // Gather the details required to save the new cert
@@ -718,8 +722,15 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
 'csrsign_lifetime',
 '*Certificate Lifetime (days)',
 'number',
- $pconfig['duration'] ? $pconfig['duration']:'3650'
+ $pconfig['csrsign_lifetime'] ? $pconfig['csrsign_lifetime']:'3650'
 ));
+ $section->addInput(new Form_Select(
+ 'csrsign_digest_alg',
+ '*Digest Algorithm',
+ $pconfig['csrsign_digest_alg'],
+ array_combine($openssl_digest_algs, $openssl_digest_algs)
+ ))->setHelp('NOTE: It is recommended to use an algorithm stronger than '.
+ 'SHA1 when possible');
 $form->add($section);
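Review bot: The validation added in the `-371` hunk checks `$_POST["csrsign_digest_alg"]`, while the call in the `-398` hunk passes `$pconfig['csrsign_digest_alg']` to csr_sign; these are presumably the same value, as `$pconfig` appears to be filled from the POST data somewhere outside these hunks, but validating the variable that is actually consumed removes the dependency on that assumption, and `in_array` without its strict flag relies on loose comparison. The condition would read `!in_array($pconfig['csrsign_digest_alg'], $openssl_digest_algs, true)`; the adjacent `csr_digest_alg` line has the same shape, so the new line is at least consistent with it, and both could be tightened together. The enclosing `if ($_POST['save'])` block starts and ends outside the hunk.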
@@ -1173,6 +1184,18 @@ foreach ($a_cert as $i => $cert):
 <?=$subj?>
 <?php
 $certextinfo = "";
+ $certserial = cert_get_serial($cert['crt']);
+ if (!empty($certserial)) {
+ $certextinfo .= '<b>' . gettext("Serial: ") . '</b> ';
+ $certextinfo .= htmlspecialchars(cert_escape_x509_chars($certserial, true));
+ $certextinfo .= '<br/>';
+ }
+ $certsig = cert_get_sigtype($cert['crt']);
+ if (is_array($certsig) && !empty($certsig) && !empty($certsig['shortname'])) {
+ $certextinfo .= '<b>' . gettext("Signature Digest: ") . '</b> ';
+ $certextinfo .= htmlspecialchars(cert_escape_x509_chars($certsig['shortname'], true));
+ $certextinfo .= '<br/>';
+ }
 if (is_array($sans) && !empty($sans)) {
 $certextinfo .= '<b>' . gettext("SAN: ") . '</b> ';
 $certextinfo .= htmlspecialchars(implode(', ', cert_escape_x509_chars($sans, true)));
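Review bot: `if (!empty($certserial))` silently drops the Serial line for a certificate whose serial is "0", because `empty("0")` is true in PHP; cert_get_serial's body is not in this diff, but if it returns a string (or false on failure) then `if (is_string($certserial) && $certserial !== '') {` keeps a zero serial visible, which matters for an info block meant to help operators identify a certificate. In the signature block, `is_array($certsig) && !empty($certsig) && !empty($certsig['shortname'])` reduces to `!empty($certsig['shortname'])`, since `empty()` on a missing offset is false without a notice, and cert_get_sigtype always returns an array. The enclosing `foreach` starts and ends outside the hunk.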