From a828210b746c074c1e701a44f5f2ec3a69ba368a Mon Sep 17 00:00:00 2001 From: yakatz Date: Thu, 21 Apr 2011 14:29:54 -0400 Subject: checking moduli of ssl csr request and response --- etc/inc/certs.inc | 19 ++++++++++++++++++ usr/local/www/system_certmanager.php | 37 ++++++++++++++++++++++-------------- 2 files changed, 42 insertions(+), 14 deletions(-) diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 2b192c1..2e9718c 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -369,6 +369,25 @@ function cert_get_issuer($str_crt, $decode = true) { return $issuer; } +/* this function works on x509 (crt), rsa key (prv), and req(csr) */ +function cert_get_modulus($str_crt, $decode = true, $type = "crt"){ + if ($decode) + $str_crt = base64_decode($str_crt); + + $modulus = ""; + if ( in_array($type, array("crt", "prv", "csr")) ) { + $type = str_replace( array("crt","prv","csr"), array("x509","rsa","req"), $type); + $modulus = exec("echo \"{$str_crt}\" | openssl {$type} -noout -modulus"); + } + return $modulus; +} +function csr_get_modulus($str_crt, $decode = true){ + return cert_get_modulus($str_crt, $decode, "csr"); +} +function prv_get_modulus($str_crt, $decode = true){ + return cert_get_modulus($str_crt, $decode, "prv"); +} + function is_user_cert($certref) { global $config; if (!is_array($config['system']['user'])) diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index 7ab59fd..c986d76 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -280,16 +280,25 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); +// old way /* make sure this csr and certificate subjects match */ - $subj_csr = csr_get_subject($pconfig['csr'], false); - $subj_cert = cert_get_subject($pconfig['cert'], false); - - if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) { - if (strcmp($subj_csr,$subj_cert)) { - $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert); - $subject_mismatch = true; - } - } +// $subj_csr = csr_get_subject($pconfig['csr'], false); +// $subj_cert = cert_get_subject($pconfig['cert'], false); +// +// if ( !isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes") ) { +// if (strcmp($subj_csr,$subj_cert)) { +// $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."),$subj_cert); +// $subject_mismatch = true; +// } +// } + $mod_csr = csr_get_modulus($pconfig['csr']); + $mod_cert = cert_get_modulus($pconfig['cert']); + + if (strcmp($mod_csr,$mod_cert)) { + // simply: if the moduli don't match, then the private key and public key won't match + $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."),$subj_cert); + $subject_mismatch = true; + } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { @@ -318,7 +327,7 @@ if ($_POST) { include("head.inc"); ?> -"> +">