Révision 7c4c77ee
Ajouté par jim-p il y a plus de 9 ans
etc/inc/certs.inc | ||
270 | 270 |
|
271 | 271 |
function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") { |
272 | 272 |
|
273 |
$ca =& lookup_ca($caref); |
|
274 |
if (!$ca) |
|
275 |
return false; |
|
273 |
$cert['type'] = $type; |
|
276 | 274 |
|
277 |
$ca_str_crt = base64_decode($ca['crt']); |
|
278 |
$ca_str_key = base64_decode($ca['prv']); |
|
279 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
280 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
281 |
if(!$ca_res_key) return false; |
|
282 |
$ca_serial = ++$ca['serial']; |
|
275 |
if ($type != "self-signed") { |
|
276 |
$cert['caref'] = $caref; |
|
277 |
$ca =& lookup_ca($caref); |
|
278 |
if (!$ca) |
|
279 |
return false; |
|
280 |
|
|
281 |
$ca_str_crt = base64_decode($ca['crt']); |
|
282 |
$ca_str_key = base64_decode($ca['prv']); |
|
283 |
$ca_res_crt = openssl_x509_read($ca_str_crt); |
|
284 |
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); |
|
285 |
if(!$ca_res_key) return false; |
|
286 |
$ca_serial = ++$ca['serial']; |
|
287 |
} |
|
283 | 288 |
|
284 | 289 |
switch ($type) { |
285 | 290 |
case "ca": |
286 | 291 |
$cert_type = "v3_ca"; |
287 | 292 |
break; |
288 | 293 |
case "server": |
294 |
case "self-signed": |
|
289 | 295 |
$cert_type = "server"; |
290 | 296 |
break; |
291 | 297 |
default: |
... | ... | |
312 | 318 |
$res_key = openssl_pkey_new($args); |
313 | 319 |
if(!$res_key) return false; |
314 | 320 |
|
321 |
// If this is a self-signed cert, blank out the CA and sign with the cert's key |
|
322 |
if ($type == "self-signed") { |
|
323 |
$ca = null; |
|
324 |
$ca_res_crt = null; |
|
325 |
$ca_res_key = $res_key; |
|
326 |
$ca_serial = 0; |
|
327 |
$cert['type'] = "server"; |
|
328 |
} |
|
329 |
|
|
315 | 330 |
// generate a certificate signing request |
316 | 331 |
$res_csr = openssl_csr_new($dn, $res_key, $args); |
317 | 332 |
if(!$res_csr) return false; |
318 | 333 |
|
319 |
// self sign the certificate
|
|
334 |
// sign the certificate using an internal CA
|
|
320 | 335 |
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, |
321 | 336 |
$args, $ca_serial); |
322 | 337 |
if(!$res_crt) return false; |
... | ... | |
327 | 342 |
return false; |
328 | 343 |
|
329 | 344 |
// return our certificate information |
330 |
$cert['caref'] = $caref; |
|
331 | 345 |
$cert['crt'] = base64_encode($str_crt); |
332 | 346 |
$cert['prv'] = base64_encode($str_key); |
333 |
$cert['type'] = $type; |
|
334 | 347 |
|
335 | 348 |
return true; |
336 | 349 |
} |
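Review bot: The self-signed branch at new lines 322–328 hard-codes `$ca_serial = 0;`, so every self-signed certificate this function produces carries serial number 0 under the same issuer DN; RFC 5280 requires a positive serial, and clients that key stored certificates by issuer plus serial will treat each regenerated certificate as a duplicate of the previous one, which works against the uniqueness goal stated in the commit message. Use a random positive serial in that branch instead, e.g. `$ca_serial = mt_rand(1, mt_getrandmax());` (or `random_int()` if the PHP baseline supports it), with a comment such as `// RFC 5280: serial must be a positive integer; randomise so regenerated self-signed certs do not collide in client cert stores`. The same branch also overwrites `$cert['type']` that new line 273 already set, so a one-line comment there explaining that self-signed certificates are stored as type "server" would save the next reader a double-take. The middle of cert_create (key-generation arguments and PEM export) is collapsed out of this view, so I cannot confirm whether anything there depends on the serial value.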
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.
Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.