Révision 7c4c77ee
Ajouté par jim-p il y a plus de 9 ans
| etc/inc/certs.inc | ||
|---|---|---|
| 270 | 270 |
|
| 271 | 271 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
|
| 272 | 272 |
|
| 273 |
$ca =& lookup_ca($caref); |
|
| 274 |
if (!$ca) |
|
| 275 |
return false; |
|
| 273 |
$cert['type'] = $type; |
|
| 276 | 274 |
|
| 277 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 278 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 279 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 280 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
| 281 |
if(!$ca_res_key) return false; |
|
| 282 |
$ca_serial = ++$ca['serial']; |
|
| 275 |
if ($type != "self-signed") {
|
|
| 276 |
$cert['caref'] = $caref; |
|
| 277 |
$ca =& lookup_ca($caref); |
|
| 278 |
if (!$ca) |
|
| 279 |
return false; |
|
| 280 |
|
|
| 281 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 282 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 283 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 284 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
| 285 |
if(!$ca_res_key) return false; |
|
| 286 |
$ca_serial = ++$ca['serial']; |
|
| 287 |
} |
|
| 283 | 288 |
|
| 284 | 289 |
switch ($type) {
|
| 285 | 290 |
case "ca": |
| 286 | 291 |
$cert_type = "v3_ca"; |
| 287 | 292 |
break; |
| 288 | 293 |
case "server": |
| 294 |
case "self-signed": |
|
| 289 | 295 |
$cert_type = "server"; |
| 290 | 296 |
break; |
| 291 | 297 |
default: |
| ... | ... | |
| 312 | 318 |
$res_key = openssl_pkey_new($args); |
| 313 | 319 |
if(!$res_key) return false; |
| 314 | 320 |
|
| 321 |
// If this is a self-signed cert, blank out the CA and sign with the cert's key |
|
| 322 |
if ($type == "self-signed") {
|
|
| 323 |
$ca = null; |
|
| 324 |
$ca_res_crt = null; |
|
| 325 |
$ca_res_key = $res_key; |
|
| 326 |
$ca_serial = 0; |
|
| 327 |
$cert['type'] = "server"; |
|
| 328 |
} |
|
| 329 |
|
|
| 315 | 330 |
// generate a certificate signing request |
| 316 | 331 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
| 317 | 332 |
if(!$res_csr) return false; |
| 318 | 333 |
|
| 319 |
// self sign the certificate
|
|
| 334 |
// sign the certificate using an internal CA
|
|
| 320 | 335 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
| 321 | 336 |
$args, $ca_serial); |
| 322 | 337 |
if(!$res_crt) return false; |
| ... | ... | |
| 327 | 342 |
return false; |
| 328 | 343 |
|
| 329 | 344 |
// return our certificate information |
| 330 |
$cert['caref'] = $caref; |
|
| 331 | 345 |
$cert['crt'] = base64_encode($str_crt); |
| 332 | 346 |
$cert['prv'] = base64_encode($str_key); |
| 333 |
$cert['type'] = $type; |
|
| 334 | 347 |
|
| 335 | 348 |
return true; |
| 336 | 349 |
} |
| etc/inc/system.inc | ||
|---|---|---|
| 830 | 830 |
return $retval; |
| 831 | 831 |
} |
| 832 | 832 |
|
| 833 |
function system_webgui_create_certificate() {
|
|
| 834 |
global $config, $g; |
|
| 835 |
|
|
| 836 |
if (!is_array($config['ca'])) |
|
| 837 |
$config['ca'] = array(); |
|
| 838 |
$a_ca =& $config['ca']; |
|
| 839 |
if (!is_array($config['cert'])) |
|
| 840 |
$config['cert'] = array(); |
|
| 841 |
$a_cert =& $config['cert']; |
|
| 842 |
log_error("Creating SSL Certificate for this host");
|
|
| 843 |
|
|
| 844 |
$cert = array(); |
|
| 845 |
$cert['refid'] = uniqid(); |
|
| 846 |
$cert['descr'] = gettext("webConfigurator default");
|
|
| 847 |
|
|
| 848 |
$dn = array( |
|
| 849 |
'countryName' => "US", |
|
| 850 |
'stateOrProvinceName' => "State", |
|
| 851 |
'localityName' => "Locality", |
|
| 852 |
'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
|
|
| 853 |
'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
|
|
| 854 |
'commonName' => $config['system']['hostname'] . '-' . uniqid()); |
|
| 855 |
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */ |
|
| 856 |
if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){
|
|
| 857 |
while($ssl_err = openssl_error_string()){
|
|
| 858 |
log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err);
|
|
| 859 |
} |
|
| 860 |
error_reporting($old_err_level); |
|
| 861 |
return null; |
|
| 862 |
} |
|
| 863 |
error_reporting($old_err_level); |
|
| 864 |
|
|
| 865 |
$a_cert[] = $cert; |
|
| 866 |
$config['system']['webgui']['ssl-certref'] = $cert['refid']; |
|
| 867 |
write_config(gettext("Importing HTTPS certificate"));
|
|
| 868 |
return $cert; |
|
| 869 |
} |
|
| 870 |
|
|
| 833 | 871 |
function system_webgui_start() {
|
| 834 | 872 |
global $config, $g; |
| 835 | 873 |
|
| ... | ... | |
| 852 | 890 |
// Ensure that we have a webConfigurator CERT |
| 853 | 891 |
$cert =& lookup_cert($config['system']['webgui']['ssl-certref']); |
| 854 | 892 |
if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
|
| 855 |
if (!is_array($config['ca'])) |
|
| 856 |
$config['ca'] = array(); |
|
| 857 |
$a_ca =& $config['ca']; |
|
| 858 |
if (!is_array($config['cert'])) |
|
| 859 |
$config['cert'] = array(); |
|
| 860 |
$a_cert =& $config['cert']; |
|
| 861 |
log_error("Creating SSL Certificate for this host");
|
|
| 862 |
$cert = array(); |
|
| 863 |
$cert['refid'] = uniqid(); |
|
| 864 |
$cert['descr'] = gettext("webConfigurator default");
|
|
| 865 |
mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
|
|
| 866 |
mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
|
|
| 867 |
$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
|
|
| 868 |
$key = file_get_contents("{$g['tmp_path']}/ssl.key");
|
|
| 869 |
unlink("{$g['tmp_path']}/ssl.key");
|
|
| 870 |
unlink("{$g['tmp_path']}/ssl.crt");
|
|
| 871 |
cert_import($cert, $crt, $key); |
|
| 872 |
$a_cert[] = $cert; |
|
| 873 |
$config['system']['webgui']['ssl-certref'] = $cert['refid']; |
|
| 874 |
write_config(gettext("Importing HTTPS certificate"));
|
|
| 875 |
if(!$config['system']['webgui']['port']) |
|
| 876 |
$portarg = "443"; |
|
| 877 |
$ca = ca_chain($cert); |
|
| 893 |
$cert = system_webgui_create_certificate(); |
|
| 894 |
$crt = $cert['crt']; |
|
| 895 |
$key = $cert['prv']; |
|
| 878 | 896 |
} else {
|
| 879 | 897 |
$crt = base64_decode($cert['crt']); |
| 880 | 898 |
$key = base64_decode($cert['prv']); |
| 881 |
if(!$config['system']['webgui']['port']) |
|
| 882 |
$portarg = "443"; |
|
| 883 |
$ca = ca_chain($cert); |
|
| 884 | 899 |
} |
| 900 |
|
|
| 901 |
if(!$config['system']['webgui']['port']) |
|
| 902 |
$portarg = "443"; |
|
| 903 |
$ca = ca_chain($cert); |
|
| 885 | 904 |
} |
| 886 | 905 |
|
| 887 | 906 |
/* generate lighttpd configuration */ |
Formats disponibles : Unified diff
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.
Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.