gettext("Create an internal Certificate Revocation List"),
"existing" => gettext("Import an existing Certificate Revocation List"));
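// Accept the CRL reference from the request only when it is purely
// alphanumeric; anything else leaves $id unset so no lookup is attempted.
if (isset($_REQUEST['id']) && ctype_alnum($_REQUEST['id'])) {
    $id = $_REQUEST['id'];
}

// Make sure the CA, certificate and CRL sections of the config exist (and are
// arrays) so the references below never point at a missing key.
if (!isset($config['ca']) || !is_array($config['ca'])) {
    $config['ca'] = array();
}
$a_ca =& $config['ca'];
if (!isset($config['cert']) || !is_array($config['cert'])) {
    $config['cert'] = array();
}
$a_cert =& $config['cert'];
if (!isset($config['crl']) || !is_array($config['crl'])) {
    $config['crl'] = array();
}
$a_crl =& $config['crl'];

// Drop CRL entries without a refid: they cannot be addressed by id and would
// break the by-refid comparisons used by the actions further down.
foreach ($a_crl as $cid => $acrl) {
    if (!isset($acrl['refid'])) {
        unset($a_crl[$cid]);
    }
}

// Default to "" when no action was requested so the comparisons below do not
// read an undefined index.
$act = isset($_REQUEST['act']) ? $_REQUEST['act'] : "";

// $thiscrl is only resolved for a syntactically valid id; start from null so
// the guard below can test it even when no id was supplied at all.
$thiscrl = null;
if (!empty($id)) {
    $thiscrl =& lookup_crl($id);
}

// If we were given an invalid crlref in the id, no sense in continuing as it
// would only cause errors: every action except "new" needs an existing CRL.
if (!$thiscrl && (($act != "") && ($act != "new"))) {
    pfSenseHeader("system_crlmanager.php");
    $act = "";
    $savemsg = gettext("Invalid CRL reference.");
    $class = "danger";
}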
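// Deletion is only honoured for a POST, and only once $thiscrl resolved to a
// real CRL. The invalid-reference guard above clears $act but not $_POST, so
// without this check an unknown id would still fall through to write_config()
// and report a "successful" deletion of nothing.
if (isset($_POST['act']) && ($_POST['act'] == "del") && !empty($thiscrl)) {
    $name = htmlspecialchars($thiscrl['descr']);
    if (crl_in_use($id)) {
        $savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted."), $name);
        $class = "danger";
    } else {
        // Remove every config entry that shares this CRL's refid, then persist.
        foreach ($a_crl as $cid => $acrl) {
            if ($acrl['refid'] == $thiscrl['refid']) {
                unset($a_crl[$cid]);
            }
        }
        write_config("Deleted CRL {$name}.");
        $savemsg = sprintf(gettext("Certificate Revocation List %s successfully deleted."), $name);
        $class = "success";
    }
}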
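if ($act == "new") {
    // Pre-fill the "create" form from the request; use null for a field that
    // was not supplied instead of reading an undefined index.
    $pconfig['method'] = isset($_REQUEST['method']) ? $_REQUEST['method'] : null;
    $pconfig['caref'] = isset($_REQUEST['caref']) ? $_REQUEST['caref'] : null;
    // Defaults for an internal CRL; 9999 matches the form fields' max value.
    $pconfig['lifetime'] = "9999";
    $pconfig['serial'] = "0";
}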
if ($act == "exp") {
    // crl_update() runs first (presumably bringing the stored CRL text up to
    // date) so the download reflects the current state of $thiscrl.
    crl_update($thiscrl);
    $downloadName = urlencode("{$thiscrl['descr']}.crl");
    $downloadBody = base64_decode($thiscrl['text']);
    // urlencode() keeps CR/LF and quote characters from descr out of the
    // Content-Disposition header.
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename={$downloadName}");
    header("Content-Length: " . strlen($downloadBody));
    echo $downloadBody;
    exit;
}
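if ($act == "addcert") {
    $input_errors = array();
    $pconfig = $_REQUEST;

    // Both references are required; bounce back to the list otherwise.
    if (empty($pconfig['crlref']) || empty($pconfig['certref'])) {
        pfSenseHeader("system_crlmanager.php");
        exit;
    }

    $crl =& lookup_crl($pconfig['crlref']);
    $cert = lookup_cert($pconfig['certref']);

    // A failed lookup leaves caref unset; only compare the CAs once both exist.
    if (empty($crl['caref']) || empty($cert['caref'])) {
        $input_errors[] = gettext("Both the Certificate and CRL must be specified.");
    } elseif ($crl['caref'] != $cert['caref']) {
        $input_errors[] = gettext("CA mismatch between the Certificate and CRL. Unable to Revoke.");
    }
    if (!is_crl_internal($crl)) {
        $input_errors[] = gettext("Cannot revoke certificates for an imported/external CRL.");
    }

    // The reason code comes straight from the request. Accept only a scalar
    // that is one of the known reason codes (the keys of $openssl_crl_status,
    // which is also what the edit form offers) before passing it on.
    $reason = empty($pconfig['crlreason']) ? OCSP_REVOKED_STATUS_UNSPECIFIED : $pconfig['crlreason'];
    if (!is_scalar($reason) ||
        (isset($openssl_crl_status) && is_array($openssl_crl_status) && !array_key_exists($reason, $openssl_crl_status))) {
        $input_errors[] = gettext("Invalid revocation reason.");
    }

    if (!$input_errors) {
        cert_revoke($cert, $crl, $reason);
        // refresh IPsec and OpenVPN CRLs
        openvpn_refresh_crls();
        vpn_ipsec_configure();
        write_config("Revoked cert {$cert['descr']} in CRL {$crl['descr']}.");
        pfSenseHeader("system_crlmanager.php");
        exit;
    }
}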
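if ($act == "delcert") {
    // Nothing to remove from a CRL that carries no certificate list.
    if (!isset($thiscrl['cert']) || !is_array($thiscrl['cert'])) {
        pfSenseHeader("system_crlmanager.php");
        exit;
    }

    $certref = isset($_REQUEST['certref']) ? $_REQUEST['certref'] : null;

    // Locate the revoked entry by refid (last match wins, as before); bail
    // out if it is not part of this CRL.
    $thiscert = null;
    foreach ($thiscrl['cert'] as $acert) {
        if ($acert['refid'] == $certref) {
            $thiscert = $acert;
        }
    }
    if ($thiscert === null) {
        pfSenseHeader("system_crlmanager.php");
        exit;
    }

    // Names are escaped once here because they end up in the info box.
    $certname = htmlspecialchars($thiscert['descr']);
    $crlname = htmlspecialchars($thiscrl['descr']);
    if (cert_unrevoke($thiscert, $thiscrl)) {
        $savemsg = sprintf(gettext('Deleted Certificate %1$s from CRL %2$s.'), $certname, $crlname);
        $class = "success";
        // refresh IPsec and OpenVPN CRLs
        openvpn_refresh_crls();
        vpn_ipsec_configure();
        write_config($savemsg);
    } else {
        $savemsg = sprintf(gettext('Failed to delete Certificate %1$s from CRL %2$s.'), $certname, $crlname);
        $class = "danger";
    }
    // Fall through to the edit view of the same CRL.
    $act = "edit";
}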
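if (!empty($_POST['save'])) {
    $input_errors = array();
    $pconfig = $_POST;
    // The imported-CRL edit form does not post a method field.
    $method = isset($pconfig['method']) ? $pconfig['method'] : null;

    /* input validation */
    // Start from empty lists so an unexpected method still reaches
    // do_input_validation() with defined arrays.
    $reqdfields = array();
    $reqdfieldsn = array();
    if (($method == "existing") || ($act == "editimported")) {
        $reqdfields = explode(" ", "descr crltext");
        $reqdfieldsn = array(
            gettext("Descriptive name"),
            gettext("Certificate Revocation List data"));
    }
    if ($method == "internal") {
        $reqdfields = explode(" ", "descr caref");
        $reqdfieldsn = array(
            gettext("Descriptive name"),
            gettext("Certificate Authority"));
    }
    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

    // The name is later used as the download file name and echoed into the
    // page, so reject the characters listed in the pattern up front.
    if (isset($pconfig['descr']) && preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
        array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
    }

    if ($method == "internal") {
        // serial and lifetime are written to the config as submitted; only
        // accept unsigned integers (an empty value takes the default below).
        foreach (array('serial', 'lifetime') as $numfield) {
            if (!empty($pconfig[$numfield]) &&
                (!is_scalar($pconfig[$numfield]) || !ctype_digit((string) $pconfig[$numfield]))) {
                $input_errors[] = sprintf(gettext("The field '%s' must be a non-negative integer."), $numfield);
            }
        }
    }

    /* save modifications */
    if (!$input_errors) {
        // Edit in place when the id resolved to a CRL, otherwise create one.
        if ($thiscrl) {
            $crl =& $thiscrl;
        } else {
            $crl = array();
            $crl['refid'] = uniqid();
        }
        $crl['descr'] = $pconfig['descr'];
        // An imported CRL keeps its CA and method; only name and text change.
        if ($act != "editimported") {
            $crl['caref'] = isset($pconfig['caref']) ? $pconfig['caref'] : null;
            $crl['method'] = $method;
        }
        if (($method == "existing") || ($act == "editimported")) {
            $crl['text'] = base64_encode($pconfig['crltext']);
        }
        if ($method == "internal") {
            // NOTE(review): empty() treats "0" as empty, so a serial of 0 is
            // stored as 9999, and the revoked-certificate list is reset even
            // when an existing internal CRL is re-saved — both kept as-is,
            // confirm they are intended.
            $crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial'];
            $crl['lifetime'] = empty($pconfig['lifetime']) ? 9999 : $pconfig['lifetime'];
            $crl['cert'] = array();
        }
        if (!$thiscrl) {
            $a_crl[] = $crl;
        }
        write_config("Saved CRL {$crl['descr']}");
        // refresh IPsec and OpenVPN CRLs
        openvpn_refresh_crls();
        vpn_ipsec_configure();
        pfSenseHeader("system_crlmanager.php");
    }
}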
$pgtitle = array(gettext("System"), gettext("Certificate Manager"), gettext("Certificate Revocation"));
$pglinks = array("", "system_camanager.php", "system_crlmanager.php");
// The edit-style views (new, post-save, validation failure, edit) get an
// extra breadcrumb pointing back at this page.
if (in_array($act, array("new", gettext("Save"), "edit"), true) || $input_errors) {
    $pgtitle[] = gettext('Edit');
    $pglinks[] = "@self";
}
include("head.inc");
$desc) {
if (($_POST['importonly'] == "yes") && ($method != "existing")) {
continue;
}
$list[$method] = $desc;
}
return($list);
}
function build_ca_list() {
    global $a_ca;

    // Select options keyed by CA refid, labelled with the CA's descriptive name.
    $options = array();
    foreach ($a_ca as $caEntry) {
        $options[$caEntry['refid']] = $caEntry['descr'];
    }
    return $options;
}
function build_cacert_list() {
    global $ca_certs;

    // Select options keyed by certificate refid, labelled with its descriptive name.
    $options = array();
    foreach ($ca_certs as $certEntry) {
        $options[$certEntry['refid']] = $certEntry['descr'];
    }
    return $options;
}
if ($input_errors) {
    print_input_errors($input_errors);
}
if ($savemsg) {
    print_info_box($savemsg, $class);
}
// Tab strip for the certificate manager; this page is the active tab.
$tab_array = array(
    array(gettext("CAs"), false, "system_camanager.php"),
    array(gettext("Certificates"), false, "system_certmanager.php"),
    array(gettext("Certificate Revocation"), true, "system_crlmanager.php"),
);
display_top_tabs($tab_array);
if ($act == "new" || $act == gettext("Save") || $input_errors) {
if (!isset($id)) {
$form = new Form();
$section = new Form_Section('Create new Revocation List');
$section->addInput(new Form_Select(
'method',
'*Method',
$pconfig['method'],
build_method_list()
));
}
$section->addInput(new Form_Input(
'descr',
'*Descriptive name',
'text',
$pconfig['descr']
));
$section->addInput(new Form_Select(
'caref',
'*Certificate Authority',
$pconfig['caref'],
build_ca_list()
));
$form->add($section);
$section = new Form_Section('Existing Certificate Revocation List');
$section->addClass('existing');
$section->addInput(new Form_Textarea(
'crltext',
'*CRL data',
$pconfig['crltext']
))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
$form->add($section);
$section = new Form_Section('Internal Certificate Revocation List');
$section->addClass('internal');
$section->addInput(new Form_Input(
'lifetime',
'Lifetime (Days)',
'number',
$pconfig['lifetime'],
[max => '9999']
));
$section->addInput(new Form_Input(
'serial',
'Serial',
'number',
$pconfig['serial'],
['min' => '0', 'max' => '9999']
));
$form->add($section);
if (isset($id) && $thiscrl) {
$section->addInput(new Form_Input(
'id',
null,
'hidden',
$id
));
}
print($form);
} elseif ($act == "editimported") {
$form = new Form();
$section = new Form_Section('Edit Imported Certificate Revocation List');
$section->addInput(new Form_Input(
'descr',
'*Descriptive name',
'text',
$pconfig['descr']
));
$section->addInput(new Form_Textarea(
'crltext',
'*CRL data',
$pconfig['crltext']
))->setHelp('Paste a Certificate Revocation List in X.509 CRL format here.');
$section->addInput(new Form_Input(
'id',
null,
'hidden',
$id
));
$section->addInput(new Form_Input(
'act',
null,
'hidden',
'editimported'
));
$form->add($section);
print($form);
} elseif ($act == "edit") {
$crl = $thiscrl;
$form = new Form(false);
?>
=gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']?>
=gettext("Certificate Name")?> |
=gettext("Revocation Reason")?> |
=gettext("Revoked At")?> |
|
$cert):
$name = htmlspecialchars($cert['descr']);
?>
=$name; ?>
|
=$openssl_crl_status[$cert["reason"]]; ?>
|
=date("D M j G:i:s T Y", $cert["revoke_time"]); ?>
|
" alt="=gettext("Delete this certificate from the CRL")?>">
|
add(new Form_Select(
'certref',
null,
$pconfig['certref'],
build_cacert_list()
))->setWidth(4)->setHelp('Certificate');
$group->add(new Form_Select(
'crlreason',
null,
-1,
$openssl_crl_status
))->setHelp('Reason');
$group->add(new Form_Button(
'submit',
'Add',
null,
'fa-plus'
))->addClass('btn-success btn-sm');
$section->add($group);
$section->addInput(new Form_Input(
'id',
null,
'hidden',
$crl['refid']
));
$section->addInput(new Form_Input(
'act',
null,
'hidden',
'addcert'
));
$section->addInput(new Form_Input(
'crlref',
null,
'hidden',
$crl['refid']
));
$form->add($section);
}
print($form);
} else {
?>
=gettext("Additional Certificate Revocation Lists")?>