From 4906f4ee6622c66a46d179cee6a2da963d962ca1 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Tue, 2 May 2017 15:12:10 -0400
Subject: Show SAN, KU, and EKU info in the certificate list. Implements #7505

While here, also fix "server" cert detection to key off of the EKU For "TLS Web Server Authentication" since nsCertType has been deprecated.
---
 src/etc/inc/certs.inc | 40 +++++++++++++++++++++++++++++++-
 src/usr/local/www/system_certmanager.php | 38 ++++++++++++++++++++++++++++--
 2 files changed, 75 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index ef12843..cb3d1b1 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -511,6 +511,18 @@ function cert_get_subject_hash($crt) {
 	return $inf_crt['subject'];
 }
 
+function cert_get_sans($str_crt, $decode = true) {
+	if ($decode) {
+		$str_crt = base64_decode($str_crt);
+	}
+	$sans = array();
+	$crt_details = openssl_x509_parse($str_crt);
+	if (!empty($crt_details['extensions']['subjectAltName'])) {
+		$sans = explode(',', $crt_details['extensions']['subjectAltName']);
+	}
+	return $sans;
+}
+
 function cert_get_issuer($str_crt, $decode = true) {
 	if ($decode) {
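Review bot: The entries returned by cert_get_sans are not trimmed, so with OpenSSL's `DNS:a.example, DNS:b.example` formatting every element after the first keeps its leading space, whereas the KU/EKU lists built by cert_get_purpose in the next hunk trim each element. `$sans = array_map('trim', explode(',', $crt_details['extensions']['subjectAltName']));` keeps the two helpers consistent and avoids double spaces when the list is joined again for display. The subjectAltName text comes straight from the parsed certificate, so any caller rendering it still has to escape it for its output context, as the certificate-manager hunk does with htmlspecialchars.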
@@ -564,13 +576,39 @@ function cert_get_publickey($str_crt, $decode = true, $type = "crt") {
 }
 
 function cert_get_purpose($str_crt, $decode = true) {
+	$extended_oids = array(
+		"1.3.6.1.5.5.8.2.2" => "IP Security IKE Intermediate",
+	);
 	if ($decode) {
 		$str_crt = base64_decode($str_crt);
 	}
 	$crt_details = openssl_x509_parse($str_crt);
 	$purpose = array();
+	if (!empty($crt_details['extensions']['keyUsage'])) {
+		$purpose['ku'] = explode(',', $crt_details['extensions']['keyUsage']);
+		foreach ($purpose['ku'] as & $ku) {
+			$ku = trim($ku);
+			if (array_key_exists($ku, $extended_oids)) {
+				$ku = $extended_oids[$ku];
+			}
+		}
+	} else {
+		$purpose['ku'] = array();
+	}
+	if (!empty($crt_details['extensions']['extendedKeyUsage'])) {
+		$purpose['eku'] = explode(',', $crt_details['extensions']['extendedKeyUsage']);
+		foreach ($purpose['eku'] as & $eku) {
+			$eku = trim($eku);
+			if (array_key_exists($eku, $extended_oids)) {
+				$eku = $extended_oids[$eku];
+			}
+		}
+	} else {
+		$purpose['eku'] = array();
+	}
 	$purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
-	$purpose['server'] = (strpos($crt_details['extensions']['nsCertType'], 'SSL Server') !== FALSE) ? 'Yes': 'No';
+	$purpose['server'] = (in_array('TLS Web Server Authentication', $purpose['eku'])) ? 'Yes': 'No';
+
 	return $purpose;
 }
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 04c41ab..229a471 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -1110,6 +1110,7 @@ foreach ($a_cert as $i => $cert):
 	$subj = cert_get_subject($cert['crt']);
 	$issuer = cert_get_issuer($cert['crt']);
 	$purpose = cert_get_purpose($cert['crt']);
+	$sans = cert_get_sans($cert['crt']);
 	list($startdate, $enddate) = cert_get_dates($cert['crt']);
 
 	if ($subj == $issuer) {
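Review bot: Both `foreach ($purpose['ku'] as & $ku)` and `foreach ($purpose['eku'] as & $eku)` leave `$ku` and `$eku` bound by reference to the last list element after the loop; nothing in this function reuses those names so the result is currently correct, but an `unset($ku);` and `unset($eku);` directly after each loop is the usual guard against the dangling-reference bug should the function grow. The new server check should use strict comparison, `in_array('TLS Web Server Authentication', $purpose['eku'], true)`, since the list holds plain strings and a loose match is never wanted when deciding whether a certificate may be offered as a TLS server certificate. `$extended_oids` contains only an EKU OID yet is applied to the KU list as well; that is harmless, but a one-line comment saying the map is intentionally shared would save the next reader a question.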
@@ -1130,6 +1131,7 @@ foreach ($a_cert as $i => $cert):
 	if ($cert['csr']) {
 		$subj = htmlspecialchars(csr_get_subject($cert['csr']));
+		$sans = cert_get_sans($cert['crt']);
 		$caname = "" . gettext("external - signature pending") . "";
 	}
@@ -1145,14 +1147,46 @@ foreach ($a_cert as $i => $cert):
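Review bot: The `$sans = cert_get_sans($cert['crt']);` added inside the `if ($cert['csr'])` branch looks redundant: the previous hunk already assigns `$sans` from the same `$cert['crt']` for every entry of this foreach, and nothing visible reassigns it in between (lines 1114 to 1130 fall outside the hunks, so that part is inferred). If the intent was to show the names requested in the pending CSR, this call cannot do that, because cert_get_sans parses an X.509 certificate rather than a CSR; for a signature-pending entry there is normally no certificate yet, in which case the branch should simply reset the list with `$sans = array();`. The enclosing foreach begins before this hunk.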
- CA: , : + CA:
+ :
-
+ + ' . gettext("SAN: ") . ' '; + $certextinfo .= htmlspecialchars(implode(', ', $sans)); + $certextinfo .= '
'; + } + if (is_array($purpose) && !empty($purpose['ku'])) { + $certextinfo .= '' . gettext("KU: ") . ' '; + $certextinfo .= htmlspecialchars(implode(', ', $purpose['ku'])); + $certextinfo .= '
'; + } + if (is_array($purpose) && !empty($purpose['eku'])) { + $certextinfo .= '' . gettext("EKU: ") . ' '; + $certextinfo .= htmlspecialchars(implode(', ', $purpose['eku'])); + $certextinfo .= '
'; + } + ?> + +
+ + + + + :
: