From 2f65de893d1eea2522947a8097bfa641b1ec1e59 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 9 May 2012 16:55:43 -0400
Subject: Add initial support for subjectAltName - still needs some select love for the "type" field, freetext for now for testing (it does work, cert gets the specified subjectAltName).
---
 usr/local/www/system_certmanager.php | 123 ++++++++++++++++++++++++++++++++++-
 1 file changed, 121 insertions(+), 2 deletions(-)
(limited to 'usr')
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 2b49e35..aa01209 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -51,6 +51,8 @@ $cert_types = array( "ca" => "Certificate Authority", "server" => "Server Certificate", "user" => "User Certificate"); +$altname_types = array("DNS", "IP", "email", "URI"); + $pgtitle = array(gettext("System"), gettext("Certificate Manager")); $userid = $_GET['userid'];
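Review bot: `$altname_types` is introduced here, but the validation added in the `@@ -234` hunk re-spells the same four strings as `case` labels, so the two lists can drift apart without any error. Checking `in_array($altname['type'], $altname_types, true)` before the `switch`, or deriving the `case` list from this array, keeps a single source of truth, which also matters once the free-text type field becomes a select driven by this array.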
@@ -234,6 +236,51 @@ if ($_POST) {
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
 if ($pconfig['method'] != "import")
+ /* subjectAltNames */
+ $altnames = array();
+ foreach ($_POST as $key => $value) {
+ $entry = '';
+ if (!substr_compare('altname_type', $key, 0, 12)) {
+ $entry = substr($key, 12);
+ $field = 'type';
+ }
+ elseif (!substr_compare('altname_value', $key, 0, 13)) {
+ $entry = substr($key, 13);
+ $field = 'value';
+ }
+ if (ctype_digit($entry)) {
+ $altnames[$entry][$field] = $value;
+ }
+ }
+ $pconfig['aliases']['item'] = $aliases;
+
+ /* Input validation for subjectAltNames */
+ foreach ($altnames as $idx => $altname) {
+ switch ($altname['type']) {
+ case "DNS":
+ if (!is_hostname($altname['value']))
+ array_push($input_errors, "DNS subjectAltName values must be valid hostnames or FQDNs");
+ break;
+ case "IP":
+ if (!is_ipaddr($altname['value']))
+ array_push($input_errors, "IP subjectAltName values must be valid IP Addresses");
+ break;
+ case "email":
+ if (empty($altname['value']))
+ array_push($input_errors, "You must provide an e-mail address for this type of subjectAltName");
+ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $altname['value']))
+ array_push($input_errors, "The e-mail provided in a subjectAltName contains invalid characters.");
+ break;
+ case "URI":
+ /* Close enough? */
+ if (!is_URL($altname['value']))
+ $input_errors[] = "URI subjectAltName types must be a valid URI";
+ break;
+ default:
+ $input_errors[] = "Unrecognized subjectAltName type.";
+ }
+ }
+
 /* Make sure we do not have invalid characters in the fields for the certificate */
 for ($i = 0; $i < count($reqdfields); $i++) {
 if (preg_match('/email/', $reqdfields[$i])){ /* dn_email or csr_dn_name */
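Review bot: The context line `if ($pconfig['method'] != "import")` directly above the inserted block has no brace and no visible body, so the first new statement `$altnames = array();` becomes its body and whatever that `if` previously guarded (presumably the `/* Make sure we do not have invalid characters */` loop that now follows the block) runs unconditionally, including for imports; wrap the originally guarded code in braces or insert the subjectAltName block before the `if`. `$pconfig['aliases']['item'] = $aliases;` assigns a variable that is never set in this hunk and reads like copy-paste residue, so drop it or store `$altnames` if the form needs it to re-populate after an error. The e-mail check is a deny-list regex; `filter_var($altname['value'], FILTER_VALIDATE_EMAIL) === false` is a positive check in the spirit of the `is_hostname`/`is_ipaddr` branches. The later hunks join entries with `implode(",", ...)`, and the URI branch is the only one whose validator (`is_URL`, not visible here) may accept a `,`, so rejecting `if (strpos($altname['value'], ',') !== false)` before the `switch` keeps one field from yielding several SAN entries. Unlike the `gettext()` calls elsewhere in the file (e.g. `$pgtitle`), none of these messages are translatable, and `$idx` in the validation `foreach` is unused.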
@@ -280,7 +327,13 @@ if ($_POST) {
 'organizationName' => $pconfig['dn_organization'],
 'emailAddress' => $pconfig['dn_email'],
 'commonName' => $pconfig['dn_commonname']);
-
+ if (count($altnames)) {
+ $altnames_tmp = "";
+ foreach ($altnames as $altname) {
+ $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ }
+ $dn['subjectAltName'] = implode(",", $altnames_tmp);
+ }
 if (!cert_create($cert, $pconfig['caref'], $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['type'])){
 while($ssl_err = openssl_error_string()){
@@ -298,7 +351,13 @@ if ($_POST) {
 'organizationName' => $pconfig['csr_dn_organization'],
 'emailAddress' => $pconfig['csr_dn_email'],
 'commonName' => $pconfig['csr_dn_commonname']);
-
+ if (count($altnames)) {
+ $altnames_tmp = "";
+ foreach ($altnames as $altname) {
+ $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ }
+ $dn['subjectAltName'] = implode(",", $altnames_tmp);
+ }
 if(!csr_generate($cert, $pconfig['csr_keylen'], $dn)){
 while($ssl_err = openssl_error_string()){
 $input_errors = array();
@@ -462,6 +521,18 @@ function internalca_change() { //--> + + + + + + :   + + + + + + + + + + + + + + + + + +
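Review bot: `$altnames_tmp = "";` initialises the collector as a string and then appends with `[]`, which relies on PHP silently converting an empty string into an array (a fatal error from PHP 7.1 on); initialise it as `$altnames_tmp = array();` here and in the identical block in the `@@ -298` hunk. The two blocks are byte-for-byte the same, so a small helper such as `altnames_to_san($altnames)` returning the `implode(",", ...)` result would remove the duplication and give one place to document the `TYPE:value` entry format being built. Whether `cert_create()` and `csr_generate()` actually honour a `subjectAltName` key in `$dn` is outside this diff and should be confirmed against those functions.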
+ + + + + " /> +
+ + " /> + + +
NOTE: Type must be one of DNS (FQDN or Hostname), IP (IP address), URI, or email. + + -- cgit v1.1