From 46bc6e545a17e77202aaf01ec0cd8d5a46567525 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 25 Aug 2015 08:08:24 -0300 Subject: Move main pfSense content to src/ --- usr/local/www/system_certmanager.php | 1349 ---------------------------------- 1 file changed, 1349 deletions(-) delete mode 100644 usr/local/www/system_certmanager.php (limited to 'usr/local/www/system_certmanager.php') diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php deleted file mode 100644 index cd553e6..0000000 --- a/usr/local/www/system_certmanager.php +++ /dev/null @@ -1,1349 +0,0 @@ - gettext("Import an existing Certificate"), - "internal" => gettext("Create an internal Certificate"), - "external" => gettext("Create a Certificate Signing Request"), -); - -$cert_keylens = array("512", "1024", "2048", "4096"); -$cert_types = array( - "ca" => "Certificate Authority", - "server" => "Server Certificate", - "user" => "User Certificate"); - -$altname_types = array("DNS", "IP", "email", "URI"); -$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512"); - -$pgtitle = array(gettext("System"), gettext("Certificate Manager")); - -if (is_numericint($_GET['userid'])) { - $userid = $_GET['userid']; -} -if (isset($_POST['userid']) && is_numericint($_POST['userid'])) { - $userid = $_POST['userid']; -} - -if (isset($userid)) { - $cert_methods["existing"] = gettext("Choose an existing certificate"); - if (!is_array($config['system']['user'])) { - $config['system']['user'] = array(); - } - $a_user =& $config['system']['user']; -} - -if (is_numericint($_GET['id'])) { - $id = $_GET['id']; -} -if (isset($_POST['id']) && is_numericint($_POST['id'])) { - $id = $_POST['id']; -} - -if (!is_array($config['ca'])) { - $config['ca'] = array(); -} - -$a_ca =& $config['ca']; - -if (!is_array($config['cert'])) { - $config['cert'] = array(); -} - -$a_cert =& $config['cert']; - -$internal_ca_count = 0; -foreach ($a_ca as $ca) { - if ($ca['prv']) { - $internal_ca_count++; - } -} - -$act = $_GET['act']; -if ($_POST['act']) { - $act = $_POST['act']; -} - -if ($act == "del") { - - if (!isset($a_cert[$id])) { - pfSenseHeader("system_certmanager.php"); - exit; - } - - unset($a_cert[$id]); - write_config(); - $savemsg = sprintf(gettext("Certificate %s successfully deleted"), htmlspecialchars($a_cert[$id]['descr'])) . "
"; - pfSenseHeader("system_certmanager.php"); - exit; -} - -if ($act == "new") { - $pconfig['method'] = $_GET['method']; - $pconfig['keylen'] = "2048"; - $pconfig['digest_alg'] = "sha256"; - $pconfig['csr_keylen'] = "2048"; - $pconfig['csr_digest_alg'] = "sha256"; - $pconfig['type'] = "user"; - $pconfig['lifetime'] = "3650"; -} - -if ($act == "exp") { - - if (!$a_cert[$id]) { - pfSenseHeader("system_certmanager.php"); - exit; - } - - $exp_name = urlencode("{$a_cert[$id]['descr']}.crt"); - $exp_data = base64_decode($a_cert[$id]['crt']); - $exp_size = strlen($exp_data); - - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; - exit; -} - -if ($act == "key") { - - if (!$a_cert[$id]) { - pfSenseHeader("system_certmanager.php"); - exit; - } - - $exp_name = urlencode("{$a_cert[$id]['descr']}.key"); - $exp_data = base64_decode($a_cert[$id]['prv']); - $exp_size = strlen($exp_data); - - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; - exit; -} - -if ($act == "p12") { - if (!$a_cert[$id]) { - pfSenseHeader("system_certmanager.php"); - exit; - } - - $exp_name = urlencode("{$a_cert[$id]['descr']}.p12"); - $args = array(); - $args['friendly_name'] = $a_cert[$id]['descr']; - - $ca = lookup_ca($a_cert[$id]['caref']); - if ($ca) { - $args['extracerts'] = openssl_x509_read(base64_decode($ca['crt'])); - } - - $res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt'])); - $res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']) , 1 => "")); - - $exp_data = ""; - openssl_pkcs12_export($res_crt, $exp_data, $res_key, null, $args); - $exp_size = strlen($exp_data); - - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; - exit; -} - -if ($act == "csr") { - - if (!$a_cert[$id]) { - pfSenseHeader("system_certmanager.php"); - exit; - } - - $pconfig['descr'] = $a_cert[$id]['descr']; - $pconfig['csr'] = base64_decode($a_cert[$id]['csr']); -} - -if ($_POST) { - if ($_POST['save'] == gettext("Save")) { - $input_errors = array(); - $pconfig = $_POST; - - /* input validation */ - if ($pconfig['method'] == "import") { - $reqdfields = explode(" ", - "descr cert key"); - $reqdfieldsn = array( - gettext("Descriptive name"), - gettext("Certificate data"), - gettext("Key data")); - if ($_POST['cert'] && (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))) { - $input_errors[] = gettext("This certificate does not appear to be valid."); - } - } - - if ($pconfig['method'] == "internal") { - $reqdfields = explode(" ", - "descr caref keylen type lifetime dn_country dn_state dn_city ". - "dn_organization dn_email dn_commonname"); - $reqdfieldsn = array( - gettext("Descriptive name"), - gettext("Certificate authority"), - gettext("Key length"), - gettext("Certificate Type"), - gettext("Lifetime"), - gettext("Distinguished name Country Code"), - gettext("Distinguished name State or Province"), - gettext("Distinguished name City"), - gettext("Distinguished name Organization"), - gettext("Distinguished name Email Address"), - gettext("Distinguished name Common Name")); - } - - if ($pconfig['method'] == "external") { - $reqdfields = explode(" ", - "descr csr_keylen csr_dn_country csr_dn_state csr_dn_city ". - "csr_dn_organization csr_dn_email csr_dn_commonname"); - $reqdfieldsn = array( - gettext("Descriptive name"), - gettext("Key length"), - gettext("Distinguished name Country Code"), - gettext("Distinguished name State or Province"), - gettext("Distinguished name City"), - gettext("Distinguished name Organization"), - gettext("Distinguished name Email Address"), - gettext("Distinguished name Common Name")); - } - - if ($pconfig['method'] == "existing") { - $reqdfields = array("certref"); - $reqdfieldsn = array(gettext("Existing Certificate Choice")); - } - - $altnames = array(); - do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - if ($pconfig['method'] != "import" && $pconfig['method'] != "existing") { - /* subjectAltNames */ - foreach ($_POST as $key => $value) { - $entry = ''; - if (!substr_compare('altname_type', $key, 0, 12)) { - $entry = substr($key, 12); - $field = 'type'; - } - elseif (!substr_compare('altname_value', $key, 0, 13)) { - $entry = substr($key, 13); - $field = 'value'; - } - if (ctype_digit($entry)) { - $altnames[$entry][$field] = $value; - } - } - $pconfig['altnames']['item'] = $altnames; - - /* Input validation for subjectAltNames */ - foreach ($altnames as $idx => $altname) { - switch ($altname['type']) { - case "DNS": - if (!is_hostname($altname['value'])) { - array_push($input_errors, "DNS subjectAltName values must be valid hostnames or FQDNs"); - } - break; - case "IP": - if (!is_ipaddr($altname['value'])) { - array_push($input_errors, "IP subjectAltName values must be valid IP Addresses"); - } - break; - case "email": - if (empty($altname['value'])) { - array_push($input_errors, "You must provide an e-mail address for this type of subjectAltName"); - } - if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $altname['value'])) { - array_push($input_errors, "The e-mail provided in a subjectAltName contains invalid characters."); - } - break; - case "URI": - /* Close enough? */ - if (!is_URL($altname['value'])) { - $input_errors[] = "URI subjectAltName types must be a valid URI"; - } - break; - default: - $input_errors[] = "Unrecognized subjectAltName type."; - } - } - - /* Make sure we do not have invalid characters in the fields for the certificate */ - - if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { - array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); - } - - for ($i = 0; $i < count($reqdfields); $i++) { - if (preg_match('/email/', $reqdfields[$i])) { /* dn_email or csr_dn_name */ - if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) { - array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters."); - } - } else if (preg_match('/commonname/', $reqdfields[$i])) { /* dn_commonname or csr_dn_commonname */ - if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) { - array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters."); - } - } else if (($reqdfields[$i] != "descr") && preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST[$reqdfields[$i]])) { - array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters."); - } - } - - if (($pconfig['method'] != "external") && isset($_POST["keylen"]) && !in_array($_POST["keylen"], $cert_keylens)) { - array_push($input_errors, gettext("Please select a valid Key Length.")); - } - if (($pconfig['method'] != "external") && !in_array($_POST["digest_alg"], $openssl_digest_algs)) { - array_push($input_errors, gettext("Please select a valid Digest Algorithm.")); - } - - if (($pconfig['method'] == "external") && isset($_POST["csr_keylen"]) && !in_array($_POST["csr_keylen"], $cert_keylens)) { - array_push($input_errors, gettext("Please select a valid Key Length.")); - } - if (($pconfig['method'] == "external") && !in_array($_POST["csr_digest_alg"], $openssl_digest_algs)) { - array_push($input_errors, gettext("Please select a valid Digest Algorithm.")); - } - } - - /* if this is an AJAX caller then handle via JSON */ - if (isAjax() && is_array($input_errors)) { - input_errors2Ajax($input_errors); - exit; - } - - /* save modifications */ - if (!$input_errors) { - - if ($pconfig['method'] == "existing") { - $cert = lookup_cert($pconfig['certref']); - if ($cert && $a_user) { - $a_user[$userid]['cert'][] = $cert['refid']; - } - } else { - $cert = array(); - $cert['refid'] = uniqid(); - if (isset($id) && $a_cert[$id]) { - $cert = $a_cert[$id]; - } - - $cert['descr'] = $pconfig['descr']; - - $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */ - - if ($pconfig['method'] == "import") { - cert_import($cert, $pconfig['cert'], $pconfig['key']); - } - - if ($pconfig['method'] == "internal") { - $dn = array( - 'countryName' => $pconfig['dn_country'], - 'stateOrProvinceName' => $pconfig['dn_state'], - 'localityName' => $pconfig['dn_city'], - 'organizationName' => $pconfig['dn_organization'], - 'emailAddress' => $pconfig['dn_email'], - 'commonName' => $pconfig['dn_commonname']); - if (count($altnames)) { - $altnames_tmp = ""; - foreach ($altnames as $altname) { - $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; - } - $dn['subjectAltName'] = implode(",", $altnames_tmp); - } - if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'], - $pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])) { - while ($ssl_err = openssl_error_string()) { - $input_errors = array(); - array_push($input_errors, "openssl library returns: " . $ssl_err); - } - } - } - - if ($pconfig['method'] == "external") { - $dn = array( - 'countryName' => $pconfig['csr_dn_country'], - 'stateOrProvinceName' => $pconfig['csr_dn_state'], - 'localityName' => $pconfig['csr_dn_city'], - 'organizationName' => $pconfig['csr_dn_organization'], - 'emailAddress' => $pconfig['csr_dn_email'], - 'commonName' => $pconfig['csr_dn_commonname']); - if (count($altnames)) { - $altnames_tmp = ""; - foreach ($altnames as $altname) { - $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; - } - $dn['subjectAltName'] = implode(",", $altnames_tmp); - } - if (!csr_generate($cert, $pconfig['csr_keylen'], $dn, $pconfig['csr_digest_alg'])) { - while ($ssl_err = openssl_error_string()) { - $input_errors = array(); - array_push($input_errors, "openssl library returns: " . $ssl_err); - } - } - } - error_reporting($old_err_level); - - if (isset($id) && $a_cert[$id]) { - $a_cert[$id] = $cert; - } else { - $a_cert[] = $cert; - } - if (isset($a_user) && isset($userid)) { - $a_user[$userid]['cert'][] = $cert['refid']; - } - } - - if (!$input_errors) { - write_config(); - } - - if ($userid) { - post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid)); - exit; - } - } - } - - if ($_POST['save'] == gettext("Update")) { - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "descr cert"); - $reqdfieldsn = array( - gettext("Descriptive name"), - gettext("Final Certificate data")); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - - if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { - array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); - } - -// old way - /* make sure this csr and certificate subjects match */ -// $subj_csr = csr_get_subject($pconfig['csr'], false); -// $subj_cert = cert_get_subject($pconfig['cert'], false); -// -// if (!isset($_POST['ignoresubjectmismatch']) && !($_POST['ignoresubjectmismatch'] == "yes")) { -// if (strcmp($subj_csr, $subj_cert)) { -// $input_errors[] = sprintf(gettext("The certificate subject '%s' does not match the signing request subject."), $subj_cert); -// $subject_mismatch = true; -// } -// } - $mod_csr = csr_get_modulus($pconfig['csr'], false); - $mod_cert = cert_get_modulus($pconfig['cert'], false); - - if (strcmp($mod_csr, $mod_cert)) { - // simply: if the moduli don't match, then the private key and public key won't match - $input_errors[] = sprintf(gettext("The certificate modulus does not match the signing request modulus."), $subj_cert); - $subject_mismatch = true; - } - - /* if this is an AJAX caller then handle via JSON */ - if (isAjax() && is_array($input_errors)) { - input_errors2Ajax($input_errors); - exit; - } - - /* save modifications */ - if (!$input_errors) { - - $cert = $a_cert[$id]; - - $cert['descr'] = $pconfig['descr']; - - csr_complete($cert, $pconfig['cert']); - - $a_cert[$id] = $cert; - - write_config(); - - pfSenseHeader("system_certmanager.php"); - } - } -} - -include("head.inc"); -?> - -"> - - - - - - - - - - - - - - -
- -
-
- - - -
- - - - - - - - - - - - -
- -
- -
- - - - - - - - - - - - - - - - - -
- -
- -
- -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -
- -
- - -
- -
-
- -
- -
- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
:   - -
:   - -
:   - -
:   - -
:   - -   - ex: -   - -
:   - - -   - ex: -   - -
:   - - - - - - - - - - - - - - - - - -
- - - - - " /> -
 
- - " /> - - -
NOTE: Type must be one of DNS (FQDN or Hostname), IP (IP address), URI, or email. -
-
- - - - - - - - - - - - - - - - - - - - -
- - bits -
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
:   - -
:   - -   - ex: -   - -
:   - -   - ex: -   - -
:   - -   - ex: -   - -
:   - -   - ex: -   - -
:   - -   - ex: -   - -
-
- - - - - - - - - - - - -
- - - - -
- - - - - - -
  - " /> - - - -
-
- - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
- -
-
- -
-
  - - -
- " . - "response subject verification. "); - ?>
- - " /> - - - - -
-
- - - - - - - - - - - - " . gettext("self-signed") . ""; - } else { - $caname = "" . gettext("external"). ""; - } - $subj = htmlspecialchars($subj); - } - - if ($cert['csr']) { - $subj = htmlspecialchars(csr_get_subject($cert['csr'])); - $caname = "" . gettext("external - signature pending") . ""; - } - - $ca = lookup_ca($cert['caref']); - if ($ca) { - $caname = htmlspecialchars($ca['descr']); - } - - if ($cert['prv']) { - $certimg = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png"; - } else { - $certimg = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png"; - } - ?> - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - -
- CA - - -
 
- CA: , - Server: -
- 		  
- - - - - - - - - - - -
 :
 :
- 		- - Revoked
- - - webConfigurator
- - - User Cert
- - - OpenVPN Server
- - - OpenVPN Client
- - - IPsec Tunnel
- - - Captive Portal
- - $package) { - if (isset($package['certificatelist'][$refid])) { - $hint = "" ; - if (is_array($package['certificatelist'][$refid])) { - foreach ($package['certificatelist'][$refid] as $cert_used) { - $hint = $hint . $cert_used['usedby']."\n"; - } - } - $count = count($package['certificatelist'][$refid]); - echo "
"; - echo htmlspecialchars($package['pkgname'])." ($count)
"; - echo "
"; - } - } - } - ?> - 		- - " alt="" width="17" height="17" border="0" /> - - - " alt="" width="17" height="17" border="0" /> - - - " alt="" width="17" height="17" border="0" /> - - - ')"> - " alt="" width="17" height="17" border="0" /> - - - -   - - " alt="" width="17" height="17" border="0" /> - - -
- - " alt="" width="17" height="17" border="0" /> - -
 
- - - -
-
- - - - - -- cgit v1.1