From 64cc39d3dd0c79701087f99978ad8134ab7db2dc Mon Sep 17 00:00:00 2001
From: Matthew Grooms
Date: Sat, 9 Aug 2008 00:06:08 +0000
Subject: Implement a certificate authority and certificate webui that can be used to centrally manage this data. There are no consumers at this time. This interface allow for the following ...

Certificate Authority Manager:
- List certificates authorities
- Import existing certificate authority
- Create internal certificate authority

Certificate Manager:
- List certificates
- Import existing certificate
- Create internal certificate using an internal CA
- Generate certificate signing request for external CAs
- Process certificate signing response from external CAs

Certificate revocation is not currently implemented. The user system will also be extended to allow for user specific certificate management in a follow-up commit.
---
etc/inc/certs.inc | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++
etc/inc/functions.inc | 1 +
etc/inc/xmlparse.inc | 16 ++--
3 files changed, 236 insertions(+), 5 deletions(-)
create mode 100644 etc/inc/certs.inc
(limited to 'etc/inc')
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
new file mode 100644
index 0000000..f004abf
--- /dev/null
+++ b/etc/inc/certs.inc
@@ -0,0 +1,224 @@
+ "sha1",
+ "private_key_bits" => $keylen,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => false);
+
+ // generate a new key pair
+ $res_key = openssl_pkey_new();
+
+ // generate a certificate signing request
+ $res_csr = openssl_csr_new($dn, $res_key, $args);
+
+ // self sign the certificate
+ $res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args);
+
+ // export our certificate data
+ openssl_pkey_export($res_key, $str_key);
+ openssl_x509_export($res_crt, $str_crt);
+
+ // return our ca information
+ $ca['crt'] = base64_encode($str_crt);
+ $ca['prv'] = base64_encode($str_key);
+ $ca['serial'] = 0;
+
+ return true;
+}
+
+function cert_import(& $cert, $crt_str, $key_str) {
+
+ $cert['crt'] = base64_encode($crt_str);
+ $cert['prv'] = base64_encode($key_str);
+
+ return true;
+}
+
+function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
+
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $ca_res_crt = openssl_x509_read($ca_str_crt);
+ $ca_res_key = openssl_pkey_get_private($ca_str_key);
+ $ca_serial = $ca['serial']++;
+
+ $args = array(
+ "digest_alg" => "sha1",
+ "private_key_bits" => $keylen,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => false);
+
+ // generate a new key pair
+ $res_key = openssl_pkey_new();
+
+ // generate a certificate signing request
+ $res_csr = openssl_csr_new($dn, $res_key, $args);
+
+ // self sign the certificate
+ $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
+ $args, $ca_serial);
+
+ // export our certificate data
+ openssl_pkey_export($res_key, $str_key);
+ openssl_x509_export($res_crt, $str_crt);
+
+ // return our certificate information
+ $cert['caref'] = $caref;
+ $cert['crt'] = base64_encode($str_crt);
+ $cert['prv'] = base64_encode($str_key);
+
+ return true;
+}
+
+function csr_generate(& $cert, $keylen, $dn) {
+
+ $args = array(
+ "digest_alg" => "sha1",
+ "private_key_bits" => $keylen,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => false);
+
+ // generate a new key pair
+ $res_key = openssl_pkey_new();
+
+ // generate a certificate signing request
+ $res_csr = openssl_csr_new($dn, $res_key, $args);
+
+ // export our request data
+ openssl_pkey_export($res_key, $str_key);
+ openssl_csr_export($res_csr, $str_csr);
+
+ // return our request information
+ $cert['csr'] = base64_encode($str_csr);
+ $cert['prv'] = base64_encode($str_key);
+
+ return true;
+}
+
+function csr_complete(& $cert, $str_crt) {
+
+ // return our request information
+ $cert['crt'] = base64_encode($str_crt);
+ unset($cert['csr']);
+
+ return true;
+}
+
+function csr_get_subject($str_crt, $decode = true) {
+
+ if ($decode)
+ $str_crt = base64_decode($str_crt);
+
+ $components = openssl_csr_get_subject($str_crt);
+
+ if (!is_array($components))
+ return "unknown";
+
+ foreach ($components as $a => $v) {
+ if (!strlen($subject))
+ $subject = "{$a}={$v}";
+ else
+ $subject = "{$a}={$v}, {$subject}";
+ }
+
+ return $subject;
+}
+
+function cert_get_subject($str_crt, $decode = true) {
+
+ if ($decode)
+ $str_crt = base64_decode($str_crt);
+
+ $inf_crt = openssl_x509_parse($str_crt);
+ $components = $inf_crt['subject'];
+
+ if (!is_array($components))
+ return "unknown";
+
+ foreach ($components as $a => $v) {
+ if (!strlen($subject))
+ $subject = "{$a}={$v}";
+ else
+ $subject = "{$a}={$v}, {$subject}";
+ }
+
+ return $subject;
+}
+
+function cert_get_subject_array($crt) {
+ $str_crt = base64_decode($crt);
+ $inf_crt = openssl_x509_parse($str_crt);
+ $components = $inf_crt['subject'];
+ $subject_array = array();
+
+ foreach($components as $a => $v)
+ $subject_array[] = array('a' => $a, 'v' => $v);
+
+ return $subject_array;
+}
+
+?>
diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc
index 0fd4811..c5c7cca 100644
--- a/etc/inc/functions.inc
+++ b/etc/inc/functions.inc
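Review bot: In `cert_create` the key pair comes from `openssl_pkey_new()` called with no arguments, so the `"private_key_bits" => $keylen` entry built into `$args` a few lines earlier is never applied — only `openssl_pkey_new` honours that option, and `openssl_csr_new` simply uses the resource it is handed — which means the key length the caller asked for is silently replaced by the OpenSSL default; the same pattern appears in `csr_generate` and in the function that opens this hunk (its signature is cut off in this view). None of the `openssl_*` return values are checked either: a failed `openssl_csr_sign` leaves `$str_crt` unset, an empty `crt` is base64-encoded into the config, and the function still returns true. The generation steps should pass `$args` to `openssl_pkey_new` and bail out on `false` before anything is exported, as sketched below. `cert_import` and `csr_complete` likewise store whatever PEM they are given without an `openssl_x509_read` / `openssl_x509_check_private_key` sanity check, so a malformed or mismatched pair is only discovered when a consumer tries to use it. Separately, `"digest_alg" => "sha1"` was defensible in 2008 but is rejected by modern verifiers, and `$ca['serial']++` hands the first issued certificate serial 0, which RFC 5280 does not allow — both worth a follow-up.
```php
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
	// … unchanged: CA lookup, key/cert decode, serial, $args …

	// generate a new key pair; $args is what actually carries private_key_bits
	$res_key = openssl_pkey_new($args);
	if ($res_key === false)
		return false;

	// generate a certificate signing request
	$res_csr = openssl_csr_new($dn, $res_key, $args);
	if ($res_csr === false)
		return false;

	// sign with the CA; stop here rather than export an empty certificate
	$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
		$args, $ca_serial);
	if ($res_crt === false)
		return false;

	// … unchanged: export and base64 into $cert …
```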
@@ -72,6 +72,7 @@ if(!function_exists("pfSenseHeader")) {
 /* include all configuration functions */
 require_once("auth.inc");
 require_once("priv.inc");
+require_once("certs.inc");
 require_once("captiveportal.inc");
 require_once("filter.inc");
 require_once("interfaces.inc");
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
index fc74f3c..a7b3192 100644
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
@@ -32,11 +32,17 @@
 /* The following items will be treated as arrays in config.xml */
 function listtags() {
- $ret = explode(" ", "element alias aliasurl allowedip cacert config columnitem disk dnsserver domainoverrides " .
- "earlyshellcmd encryption-algorithm-option field fieldname hash-algorithm-option " .
- "hosts group member interface_array item key lbpool menu mobilekey monitor_type mount onetoone option ppp package passthrumac phase1 phase2 priv proxyarpnet " .
- "queue pages pipe route row rule schedule service servernat servers serversdisabled earlyshellcmd shellcmd staticmap subqueue " .
- "timerange tunnel user authserver vip virtual_server vlan winsserver ntpserver wolentry widget depends_on_package gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg");
+ $ret = explode(" ",
+ "element alias aliasurl allowedip cacert config columnitem disk ".
+ "dnsserver domainoverrides earlyshellcmd encryption-algorithm-option ".
+ "field fieldname hash-algorithm-option hosts group member ca cert ".
+ "interface_array item key lbpool menu mobilekey monitor_type ".
+ "mount onetoone option ppp package passthrumac phase1 phase2 priv ".
+ "proxyarpnet queue pages pipe route row rule schedule service ".
+ "servernat servers serversdisabled earlyshellcmd shellcmd staticmap ".
+ "subqueue timerange tunnel user authserver vip virtual_server vlan ".
+ "winsserver ntpserver wolentry widget depends_on_package ".
+ "gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg");
 return $ret;
 }
-- cgit v1.1
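Review bot: The reflowed `listtags()` string still carries `earlyshellcmd` twice (in the second and seventh fragments), a duplicate inherited from the old list that this rewrite was the natural moment to drop; `explode` tolerates it, but it is noise for anyone auditing which config.xml tags are forced to array form, which is exactly what the new `ca cert` entries depend on. Changing the seventh fragment to `"servernat servers serversdisabled shellcmd staticmap ".` removes the repeat without altering the set of tags.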