From ca6219025cabd3edbe53e522b345a167381a0171 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Mon, 21 Jan 2013 14:30:30 -0500
Subject: Allow selecting the digest algorithm when creating a CA or Cert.
 Implements #2765

---
 usr/local/www/system_camanager.php       | 28 +++++++++++++++++++++++++---
 usr/local/www/system_certmanager.php     | 25 +++++++++++++++++++++++--
 usr/local/www/wizards/openvpn_wizard.inc |  4 ++--
 3 files changed, 50 insertions(+), 7 deletions(-)

(limited to 'usr/local')

diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 4d0c961..814c4c5 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -46,6 +46,7 @@ $ca_methods = array(
 	"intermediate" => gettext("Create an intermediate Certificate Authority"));
 
 $ca_keylens = array( "512", "1024", "2048", "4096");
+global $openssl_digest_algs;
 
 $pgtitle = array(gettext("System"), gettext("Certificate Authority Manager"));
 
@@ -202,7 +203,7 @@ if ($_POST) {
 	}
 
 	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-	if ($pconfig['method'] != "existing")
+	if ($pconfig['method'] != "existing") {
 		/* Make sure we do not have invalid characters in the fields for the certificate */
 		for ($i = 0; $i < count($reqdfields); $i++) {
 			if ($reqdfields[$i] == 'dn_email'){
@@ -214,6 +215,11 @@ if ($_POST) {
 			}else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
 				array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
 		}
+		if (!in_array($_POST["keylen"], $ca_keylens))
+			array_push($input_errors, gettext("Please select a valid Key Length."));
+		if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+			array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
+	}
 
 	/* if this is an AJAX caller then handle via JSON */
 	if (isAjax() && is_array($input_errors)) {
@@ -255,7 +261,7 @@ if ($_POST) {
 					'organizationName' => $pconfig['dn_organization'],
 					'emailAddress' => $pconfig['dn_email'],
 					'commonName' => $pconfig['dn_commonname']);
-				if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn)){
+				if (!ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['digest_alg'])){
 					while($ssl_err = openssl_error_string()){
 						$input_errors = array();
 						array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -270,7 +276,7 @@ if ($_POST) {
 					'organizationName' => $pconfig['dn_organization'],
 					'emailAddress' => $pconfig['dn_email'],
 					'commonName' => $pconfig['dn_commonname']);
-				if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'])){
+				if (!ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref'], $pconfig['digest_alg'])){
 					while($ssl_err = openssl_error_string()){
 						$input_errors = array();
 						array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -467,6 +473,22 @@ function method_change() {
 							</td>
 						</tr>
 						<tr>
+							<td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+							<td width="78%" class="vtable">
+								<select name='digest_alg' id='digest_alg' class="formselect">
+								<?php
+									foreach( $openssl_digest_algs as $digest_alg):
+									$selected = "";
+									if ($pconfig['digest_alg'] == $digest_alg)
+										$selected = "selected";
+								?>
+									<option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+								<?php endforeach; ?>
+								</select>
+								<br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+							</td>
+						</tr>
+						<tr>
 							<td width="22%" valign="top" class="vncellreq"><?=gettext("Lifetime");?></td>
 							<td width="78%" class="vtable">
 								<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="5" value="<?=htmlspecialchars($pconfig['lifetime']);?>"/>
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index c9e9826..d8ca0b6 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -52,6 +52,7 @@ $cert_types = array(	"ca" => "Certificate Authority",
 			"user" => "User Certificate");
 
 $altname_types = array("DNS", "IP", "email", "URI");
+global $openssl_digest_algs;
 
 $pgtitle = array(gettext("System"), gettext("Certificate Manager"));
 
@@ -292,6 +293,10 @@ if ($_POST) {
 				}else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
 					array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
 			}
+			if (!in_array($_POST["keylen"], $cert_keylens))
+				array_push($input_errors, gettext("Please select a valid Key Length."));
+			if (!in_array($_POST["digest_alg"], $openssl_digest_algs))
+				array_push($input_errors, gettext("Please select a valid Digest Algorithm."));
 		}
 
 		/* if this is an AJAX caller then handle via JSON */
@@ -336,7 +341,7 @@ if ($_POST) {
 						$dn['subjectAltName'] = implode(",", $altnames_tmp);
 					}
 					if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'],
-						$pconfig['lifetime'], $dn, $pconfig['type'])){
+						$pconfig['lifetime'], $dn, $pconfig['type'], $pconfig['digest_alg'])){
 						while($ssl_err = openssl_error_string()){
 							$input_errors = array();
 							array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -359,7 +364,7 @@ if ($_POST) {
 						}
 						$dn['subjectAltName'] = implode(",", $altnames_tmp);
 					}
-					if(!csr_generate($cert, $pconfig['csr_keylen'], $dn)){
+					if(!csr_generate($cert, $pconfig['csr_keylen'], $dn, $pconfig['digest_alg'])){
 						while($ssl_err = openssl_error_string()){
 							$input_errors = array();
 							array_push($input_errors, "openssl library returns: " . $ssl_err);
@@ -678,6 +683,22 @@ function internalca_change() {
 							</td>
 						</tr>
 						<tr>
+							<td width="22%" valign="top" class="vncellreq"><?=gettext("Digest Algorithm");?></td>
+							<td width="78%" class="vtable">
+								<select name='digest_alg' id='digest_alg' class="formselect">
+								<?php
+									foreach( $openssl_digest_algs as $digest_alg):
+									$selected = "";
+									if ($pconfig['digest_alg'] == $digest_alg)
+										$selected = "selected";
+								?>
+									<option value="<?=$digest_alg;?>"<?=$selected;?>><?=strtoupper($digest_alg);?></option>
+								<?php endforeach; ?>
+								</select>
+								<br/><?= gettext("NOTE: It is recommended to use an algorithm stronger than SHA1 when possible.") ?>
+							</td>
+						</tr>
+						<tr>
 							<td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Type");?></td>
 							<td width="78%" class="vtable">
 								<select name='type' class="formselect">
diff --git a/usr/local/www/wizards/openvpn_wizard.inc b/usr/local/www/wizards/openvpn_wizard.inc
index 8f6fbc9..f6b4af9 100644
--- a/usr/local/www/wizards/openvpn_wizard.inc
+++ b/usr/local/www/wizards/openvpn_wizard.inc
@@ -475,7 +475,7 @@ function step12_submitphpaction() {
 			'emailAddress' => $pconfig['step6']['email'],
 			'commonName' => $pconfig['step6']['certca']);
 
-		ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn);
+		ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn, "sha256");
 		if (!is_array($config['ca']))
 			$config['ca'] = array();
 
@@ -502,7 +502,7 @@ function step12_submitphpaction() {
 			'emailAddress' => $pconfig['step9']['email'],
 			'commonName' => $pconfig['step9']['certname']);
 
-		cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server');
+		cert_create($cert, $ca['refid'], $pconfig['step9']['keylength'], $pconfig['step9']['lifetime'], $dn, 'server', "sha256");
 		if (!is_array($config['cert']))
 			$config['cert'] = array();
 
-- 
cgit v1.1