diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | etc/inc/certs.inc | 19 | ||||
| -rw-r--r-- | usr/local/www/system_certmanager.php | 37 |
3 files changed, 49 insertions, 8 deletions
@@ -1 +1,2 @@ .DS_Store +_notes/ diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 357ac05..3595f45 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -369,6 +369,25 @@ function cert_get_issuer($str_crt, $decode = true) { return $issuer; } +/* this function works on x509 (crt), rsa key (prv), and req(csr) */ +function cert_get_modulus($str_crt, $decode = true, $type = "crt"){ + if ($decode) + $str_crt = base64_decode($str_crt); + + $modulus = ""; + if ( in_array($type, array("crt", "prv", "csr")) ) { + $type = str_replace( array("crt","prv","csr"), array("x509","rsa","req"), $type); + $modulus = exec("echo \"{$str_crt}\" | openssl {$type} -noout -modulus"); + } + return $modulus; +} +function csr_get_modulus($str_crt, $decode = true){ + return cert_get_modulus($str_crt, $decode, "csr"); +} +function prv_get_modulus($str_crt, $decode = true){ + return cert_get_modulus($str_crt, $decode, "prv"); +} + function is_user_cert($certref) { global $config; if (!is_array($config['system']['user'])) diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index 9ef6d64..cc1c65a 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -280,12 +280,25 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); +// old way /* make sure this csr and certificate subjects match */ - $subj_csr = csr_get_subject($pconfig['csr'], false); - $subj_cert = cert_get_subject($pconfig['cert'], false); - - if (strcmp($subj_csr,$subj_cert)) - $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert); +// $subj_csr = csr_get_subject($pconfig['csr'], false); +// $subj_cert = cert_get_subject($pconfig['cert'], false); +// +// if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) { +// if (strcmp($subj_csr,$subj_cert)) { +// $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert); +// $subject_mismatch = true; +// } +// } + $mod_csr = csr_get_modulus($pconfig['csr'], false); + $mod_cert = cert_get_modulus($pconfig['cert'], false); + + if (strcmp($mod_csr,$mod_cert)) { + // simply: if the moduli don't match, then the private key and public key won't match + $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."),$subj_cert); + $subject_mismatch = true; + } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { @@ -314,7 +327,7 @@ if ($_POST) { include("head.inc"); ?> -<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> +<body link="#000000" vlink="#000000" alink="#000000" onLoad="<?= $jsevents["body"]["onload"] ?>"> <?php include("fbegin.inc"); ?> <script type="text/javascript"> <!-- @@ -776,6 +789,14 @@ function internalca_change() { <tr> <td width="22%" valign="top"> </td> <td width="78%"> + <?php /* if ( isset($subject_mismatch) && $subject_mismatch === true): ?> + <input id="ignoresubjectmismatch" name="ignoresubjectmismatch" type="checkbox" class="formbtn" value="yes" /> + <label for="ignoresubjectmismatch"><strong><?=gettext("Ignore certificate subject mismatch"); ?></strong></label><br /> + <?php echo gettext("Warning: Using this option may create an " . + "invalid certificate. Check this box to disable the request -> " . + "response subject verification. "); + ?><br/> + <?php endif; */ ?> <input id="submit" name="save" type="submit" class="formbtn" value="<?=gettext("Update");?>" /> <?php if (isset($id) && $a_cert[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>" /> @@ -800,7 +821,7 @@ function internalca_change() { $i = 0; foreach($a_cert as $cert): $name = htmlspecialchars($cert['descr']); - + if ($cert['crt']) { $subj = cert_get_subject($cert['crt']); $issuer = cert_get_issuer($cert['crt']); @@ -868,7 +889,7 @@ function internalca_change() { <img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="<?=gettext("export key");?>" alt="<?=gettext("export ca");?>" width="17" height="17" border="0" /> </a> <?php if (!cert_in_use($cert['refid'])): ?> - <a href="system_certmanager.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this Certificate?");?>')"> + <a href="system_certmanager.php?act=del&id=<?=$i;?>" onClick="return confirm('<?=gettext("Do you really want to delete this Certificate?");?>')"> <img src="/themes/<?= $g['theme'];?>/images/icons/icon_x.gif" title="<?=gettext("delete cert");?>" alt="<?=gettext("delete cert");?>" width="17" height="17" border="0" /> </a> <?php endif; ?> |
