Révision 7c4c77ee
Ajouté par jim-p il y a plus de 9 ans
etc/inc/certs.inc | ||
---|---|---|
270 | 270 |
|
271 | 271 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") { |
272 | 272 |
|
273 |
$ca =& lookup_ca($caref); |
|
274 |
if (!$ca) |
|
275 |
return false; |
|
273 |
$cert['type'] = $type; |
|
276 | 274 |
|
277 |
$ca_str_crt = base64_decode($ca['crt']); |
|
278 |
$ca_str_key = base64_decode($ca['prv']); |
|
279 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
280 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
281 |
if(!$ca_res_key) return false; |
|
282 |
$ca_serial = ++$ca['serial']; |
|
275 |
if ($type != "self-signed") { |
|
276 |
$cert['caref'] = $caref; |
|
277 |
$ca =& lookup_ca($caref); |
|
278 |
if (!$ca) |
|
279 |
return false; |
|
280 |
|
|
281 |
$ca_str_crt = base64_decode($ca['crt']); |
|
282 |
$ca_str_key = base64_decode($ca['prv']); |
|
283 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
284 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
285 |
if(!$ca_res_key) return false; |
|
286 |
$ca_serial = ++$ca['serial']; |
|
287 |
} |
|
283 | 288 |
|
284 | 289 |
switch ($type) { |
285 | 290 |
case "ca": |
286 | 291 |
$cert_type = "v3_ca"; |
287 | 292 |
break; |
288 | 293 |
case "server": |
294 |
case "self-signed": |
|
289 | 295 |
$cert_type = "server"; |
290 | 296 |
break; |
291 | 297 |
default: |
... | ... | |
312 | 318 |
$res_key = openssl_pkey_new($args); |
313 | 319 |
if(!$res_key) return false; |
314 | 320 |
|
321 |
// If this is a self-signed cert, blank out the CA and sign with the cert's key |
|
322 |
if ($type == "self-signed") { |
|
323 |
$ca = null; |
|
324 |
$ca_res_crt = null; |
|
325 |
$ca_res_key = $res_key; |
|
326 |
$ca_serial = 0; |
|
327 |
$cert['type'] = "server"; |
|
328 |
} |
|
329 |
|
|
315 | 330 |
// generate a certificate signing request |
316 | 331 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
317 | 332 |
if(!$res_csr) return false; |
318 | 333 |
|
319 |
// self sign the certificate
|
|
334 |
// sign the certificate using an internal CA
|
|
320 | 335 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
321 | 336 |
$args, $ca_serial); |
322 | 337 |
if(!$res_crt) return false; |
... | ... | |
327 | 342 |
return false; |
328 | 343 |
|
329 | 344 |
// return our certificate information |
330 |
$cert['caref'] = $caref; |
|
331 | 345 |
$cert['crt'] = base64_encode($str_crt); |
332 | 346 |
$cert['prv'] = base64_encode($str_key); |
333 |
$cert['type'] = $type; |
|
334 | 347 |
|
335 | 348 |
return true; |
336 | 349 |
} |
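Review bot: The self-signed branch at new lines 322-328 pins the serial to `$ca_serial = 0`, which RFC 5280 §4.1.2.2 does not allow (the serial must be a positive integer) and which gives every self-signed certificate this code ever emits the same serial; some TLS clients reject a zero serial outright, and Firefox, for one, refuses a certificate whose issuer/serial pair matches one already in its store — the very browser-storage problem the commit message says it is trying to avoid. The issuer here is the certificate's own subject, so the `uniqid()` the caller puts into commonName happens to keep the pair unique, but that relies on the caller's DN rather than on this function; drawing a random positive serial (e.g. from `openssl_random_pseudo_bytes()` with the sign bit cleared) in place of `$ca_serial = 0;` would make cert_create self-sufficient. Separately, `$cert['type'] = $type;` (new 273) and `$cert['caref'] = $caref;` (new 276) now write into the caller's array before the CA lookup and `openssl_pkey_get_private()` checks can `return false`, whereas the removed code only populated `$cert` on success, so a caller that keeps `$cert` after a failed call may now hold a half-filled entry with no key material. Parts of cert_create are collapsed out of view (the `...` rows), so the `$args`/keylen handling between those points was not reviewed.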
etc/inc/system.inc | ||
---|---|---|
830 | 830 |
return $retval; |
831 | 831 |
} |
832 | 832 |
|
833 |
function system_webgui_create_certificate() { |
|
834 |
global $config, $g; |
|
835 |
|
|
836 |
if (!is_array($config['ca'])) |
|
837 |
$config['ca'] = array(); |
|
838 |
$a_ca =& $config['ca']; |
|
839 |
if (!is_array($config['cert'])) |
|
840 |
$config['cert'] = array(); |
|
841 |
$a_cert =& $config['cert']; |
|
842 |
log_error("Creating SSL Certificate for this host"); |
|
843 |
|
|
844 |
$cert = array(); |
|
845 |
$cert['refid'] = uniqid(); |
|
846 |
$cert['descr'] = gettext("webConfigurator default"); |
|
847 |
|
|
848 |
$dn = array( |
|
849 |
'countryName' => "US", |
|
850 |
'stateOrProvinceName' => "State", |
|
851 |
'localityName' => "Locality", |
|
852 |
'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate", |
|
853 |
'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}", |
|
854 |
'commonName' => $config['system']['hostname'] . '-' . uniqid()); |
|
855 |
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */ |
|
856 |
if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){ |
|
857 |
while($ssl_err = openssl_error_string()){ |
|
858 |
log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err); |
|
859 |
} |
|
860 |
error_reporting($old_err_level); |
|
861 |
return null; |
|
862 |
} |
|
863 |
error_reporting($old_err_level); |
|
864 |
|
|
865 |
$a_cert[] = $cert; |
|
866 |
$config['system']['webgui']['ssl-certref'] = $cert['refid']; |
|
867 |
write_config(gettext("Importing HTTPS certificate")); |
|
868 |
return $cert; |
|
869 |
} |
|
870 |
|
|
833 | 871 |
function system_webgui_start() { |
834 | 872 |
global $config, $g; |
835 | 873 |
|
... | ... | |
852 | 890 |
// Ensure that we have a webConfigurator CERT |
853 | 891 |
$cert =& lookup_cert($config['system']['webgui']['ssl-certref']); |
854 | 892 |
if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) { |
855 |
if (!is_array($config['ca'])) |
|
856 |
$config['ca'] = array(); |
|
857 |
$a_ca =& $config['ca']; |
|
858 |
if (!is_array($config['cert'])) |
|
859 |
$config['cert'] = array(); |
|
860 |
$a_cert =& $config['cert']; |
|
861 |
log_error("Creating SSL Certificate for this host"); |
|
862 |
$cert = array(); |
|
863 |
$cert['refid'] = uniqid(); |
|
864 |
$cert['descr'] = gettext("webConfigurator default"); |
|
865 |
mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key"); |
|
866 |
mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt"); |
|
867 |
$crt = file_get_contents("{$g['tmp_path']}/ssl.crt"); |
|
868 |
$key = file_get_contents("{$g['tmp_path']}/ssl.key"); |
|
869 |
unlink("{$g['tmp_path']}/ssl.key"); |
|
870 |
unlink("{$g['tmp_path']}/ssl.crt"); |
|
871 |
cert_import($cert, $crt, $key); |
|
872 |
$a_cert[] = $cert; |
|
873 |
$config['system']['webgui']['ssl-certref'] = $cert['refid']; |
|
874 |
write_config(gettext("Importing HTTPS certificate")); |
|
875 |
if(!$config['system']['webgui']['port']) |
|
876 |
$portarg = "443"; |
|
877 |
$ca = ca_chain($cert); |
|
893 |
$cert = system_webgui_create_certificate(); |
|
894 |
$crt = $cert['crt']; |
|
895 |
$key = $cert['prv']; |
|
878 | 896 |
} else { |
879 | 897 |
$crt = base64_decode($cert['crt']); |
880 | 898 |
$key = base64_decode($cert['prv']); |
881 |
if(!$config['system']['webgui']['port']) |
|
882 |
$portarg = "443"; |
|
883 |
$ca = ca_chain($cert); |
|
884 | 899 |
} |
900 |
|
|
901 |
if(!$config['system']['webgui']['port']) |
|
902 |
$portarg = "443"; |
|
903 |
$ca = ca_chain($cert); |
|
885 | 904 |
} |
886 | 905 |
|
887 | 906 |
/* generate lighttpd configuration */ |
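Review bot: `system_webgui_start()` at new lines 893-895 assigns `$cert = system_webgui_create_certificate();` and immediately reads `$cert['crt']` and `$cert['prv']`, but the new helper returns `null` when `cert_create()` fails (new 861), so on failure the lighttpd configuration is built with empty certificate and key strings and `ca_chain($cert)` at new 903 is handed `null`; a guard such as `if (!is_array($cert)) { log_error(gettext("Unable to create the default webConfigurator certificate")); return; }` is needed before the `} else {` branch rejoins, with the return value chosen to match the rest of system_webgui_start, whose body continues past the hunk. Replacing the `openssl genrsa 1024` shell-out with a 2048-bit key through `cert_create()` is a clear improvement, and draining `openssl_error_string()` into `log_error()` keeps failures diagnosable despite the `error_reporting(0)` wrapper. Minor: `$a_ca =& $config['ca']` (new 838) is assigned but never used in the new function and can be dropped.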
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.
Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.