Révision 7c4c77ee
Ajouté par jim-p il y a plus de 9 ans
| etc/inc/certs.inc | ||
|---|---|---|
| 270 | 270 |
|
| 271 | 271 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {
|
| 272 | 272 |
|
| 273 |
$ca =& lookup_ca($caref); |
|
| 274 |
if (!$ca) |
|
| 275 |
return false; |
|
| 273 |
$cert['type'] = $type; |
|
| 276 | 274 |
|
| 277 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 278 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 279 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 280 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
| 281 |
if(!$ca_res_key) return false; |
|
| 282 |
$ca_serial = ++$ca['serial']; |
|
| 275 |
if ($type != "self-signed") {
|
|
| 276 |
$cert['caref'] = $caref; |
|
| 277 |
$ca =& lookup_ca($caref); |
|
| 278 |
if (!$ca) |
|
| 279 |
return false; |
|
| 280 |
|
|
| 281 |
$ca_str_crt = base64_decode($ca['crt']); |
|
| 282 |
$ca_str_key = base64_decode($ca['prv']); |
|
| 283 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
| 284 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
| 285 |
if(!$ca_res_key) return false; |
|
| 286 |
$ca_serial = ++$ca['serial']; |
|
| 287 |
} |
|
| 283 | 288 |
|
| 284 | 289 |
switch ($type) {
|
| 285 | 290 |
case "ca": |
| 286 | 291 |
$cert_type = "v3_ca"; |
| 287 | 292 |
break; |
| 288 | 293 |
case "server": |
| 294 |
case "self-signed": |
|
| 289 | 295 |
$cert_type = "server"; |
| 290 | 296 |
break; |
| 291 | 297 |
default: |
| ... | ... | |
| 312 | 318 |
$res_key = openssl_pkey_new($args); |
| 313 | 319 |
if(!$res_key) return false; |
| 314 | 320 |
|
| 321 |
// If this is a self-signed cert, blank out the CA and sign with the cert's key |
|
| 322 |
if ($type == "self-signed") {
|
|
| 323 |
$ca = null; |
|
| 324 |
$ca_res_crt = null; |
|
| 325 |
$ca_res_key = $res_key; |
|
| 326 |
$ca_serial = 0; |
|
| 327 |
$cert['type'] = "server"; |
|
| 328 |
} |
|
| 329 |
|
|
| 315 | 330 |
// generate a certificate signing request |
| 316 | 331 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
| 317 | 332 |
if(!$res_csr) return false; |
| 318 | 333 |
|
| 319 |
// self sign the certificate
|
|
| 334 |
// sign the certificate using an internal CA
|
|
| 320 | 335 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
| 321 | 336 |
$args, $ca_serial); |
| 322 | 337 |
if(!$res_crt) return false; |
| ... | ... | |
| 327 | 342 |
return false; |
| 328 | 343 |
|
| 329 | 344 |
// return our certificate information |
| 330 |
$cert['caref'] = $caref; |
|
| 331 | 345 |
$cert['crt'] = base64_encode($str_crt); |
| 332 | 346 |
$cert['prv'] = base64_encode($str_key); |
| 333 |
$cert['type'] = $type; |
|
| 334 | 347 |
|
| 335 | 348 |
return true; |
| 336 | 349 |
} |
Formats disponibles : Unified diff
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.
Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.