From aec3a259271be5dae63b148a48b7778c0cd0660e Mon Sep 17 00:00:00 2001
From: jim-p
Date: Mon, 11 Sep 2017 13:44:40 -0400
Subject: Add a field to pick a digest algo when signing a CSR, otherwise it ends up with SHA1. Fixes #7853

While here, add the cert serial number and sig digest type to the info block for each cert.
---
 src/etc/inc/certs.inc | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

(limited to 'src/etc')

diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 1ed1b6e..53bebeb 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -435,7 +435,7 @@ function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha2
 return true;
 }
 
-function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
+function csr_sign($csr, & $ca, $duration, $type = "user", $altnames, $digest_alg = "sha256") {
 global $config;
 
 $old_err_level = error_reporting(0);
@@ -460,6 +460,7 @@ function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) {
 
 $args = array(
 "x509_extensions" => $cert_type,
+ "digest_alg" => $digest_alg,
 "req_extensions" => "req_{$cert_type}"
 );
 
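Review bot: The new `$digest_alg` parameter on `csr_sign()` has no documentation, and nothing states which values are acceptable or that the default is meant to mirror the `$digest_alg` default on `csr_generate()`; since a wrong name changes which algorithm signs the certificate, a docblock above the signature is warranted. I would add: `/** Sign $csr with CA $ca; $digest_alg is the OpenSSL message-digest name used for the certificate signature (default "sha256", which appears to match csr_generate()'s default). */`. The non-defaulted `$altnames` following the defaulted `$type` is pre-existing, but it means a caller must spell out every earlier argument to reach `$digest_alg`. The body of `csr_sign()` continues beyond this hunk.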
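Review bot: `$digest_alg` is copied into `$args["digest_alg"]` without any validation, although the commit message says it will be chosen from a form field. As far as I recall, PHP's openssl extension does not reject an unrecognised `digest_alg` name but silently falls back to its built-in default, which in the PHP releases of this era was SHA-1 — the very outcome this change is meant to prevent — and the `error_reporting(0)` at the top of the function (visible in the previous hunk) would hide any warning, while a recognised-but-weak name such as `md5` would be accepted outright. Before building `$args` I would reject anything outside the supported set, `if (!in_array($digest_alg, openssl_get_md_methods(), true)) { return false; }`, or better still check against the same allow-list the UI offers if the project keeps one. The call that consumes `$args` (presumably `openssl_csr_sign()`) and `csr_sign()`'s error-return convention lie outside the hunk, so the `false` return needs confirming against them.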
@@ -682,6 +683,26 @@ function cert_get_serial($str_crt, $decode = true) {
 }
 }
 
+function cert_get_sigtype($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $crt_details = openssl_x509_parse($str_crt);
+
+ $signature = array();
+ if (isset($crt_details['signatureTypeSN']) && !empty($crt_details['signatureTypeSN'])) {
+ $signature['shortname'] = $crt_details['signatureTypeSN'];
+ }
+ if (isset($crt_details['signatureTypeLN']) && !empty($crt_details['signatureTypeLN'])) {
+ $signature['longname'] = $crt_details['signatureTypeLN'];
+ }
+ if (isset($crt_details['signatureTypeNID']) && !empty($crt_details['signatureTypeNID'])) {
+ $signature['nid'] = $crt_details['signatureTypeNID'];
+ }
+
+ return $signature;
+}
+
 function is_openvpn_server_ca($caref) {
 global $config;
 if (!is_array($config['openvpn']['openvpn-server'])) {
-- 
cgit v1.1
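Review bot: `cert_get_sigtype()` never checks the result of `openssl_x509_parse()`, so an undecodable or malformed certificate yields an empty array that is indistinguishable from a parsed certificate whose signature fields are simply absent; an explicit `if (!is_array($crt_details)) { return array(); }` right after the parse makes that failure path visible (the current code only avoids a warning because `isset()` on a `false` value returns false). The three `isset(...) && !empty(...)` conditions are redundant, since `!empty()` already implies `isset()`; `if (!empty($crt_details['signatureTypeSN']))` is sufficient for each. A docblock would also help, along the lines of `/** Return the signature algorithm of a certificate as array('shortname' => ..., 'longname' => ..., 'nid' => ...), omitting any key OpenSSL does not report; $str_crt is base64-encoded unless $decode is false. */`. The two `}` context lines at the top of the hunk close `cert_get_serial()`, whose body starts outside the hunk, and `is_openvpn_server_ca()` continues past it.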