
Intermediate CA in cert manager.

1 parent 127beaf commit 5c00a2bb2ec04f8d436eae4c9113fad41028a329 @EvgenyY committed Jun 22, 2011
Showing with 93 additions and 3 deletions.
  1. +39 −0 etc/inc/certs.inc
  2. +54 −3 usr/local/www/system_camanager.php
39 etc/inc/certs.inc
@@ -186,6 +186,45 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
return true;
}
+function ca_inter_create(& $ca, $keylen, $lifetime, $dn, $caref) {
+ // Create Intermediate Certificate Authority
+ $signing_ca =& lookup_ca($caref);
+ if (!$signing_ca)
+ return false;
+
+ $signing_ca_str_crt = base64_decode($signing_ca['crt']);
@ermal
ermal added a note Jun 22, 2011

Why create these temporary variables when you know that the base_* functions will not fail?

+ $signing_ca_str_key = base64_decode($signing_ca['prv']);
+ $signing_ca_res_crt = openssl_x509_read($signing_ca_str_crt);
+ $signing_ca_res_key = openssl_pkey_get_private(array(0 => $signing_ca_str_key, 1 => ""));
+ $signing_ca_serial = ++$signing_ca['serial'];
+
+ $args = array(
+ "digest_alg" => "sha1",
+ "private_key_bits" => (int)$keylen,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => false);
+
+ // generate a new key pair
+ $res_key = openssl_pkey_new($args);
+
+ // generate a certificate signing request
+ $res_csr = openssl_csr_new($dn, $res_key, $args);
+
+ // Sign the certificate
+ $res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
@ermal
ermal added a note Jun 22, 2011

Here you should check for errors and is very important to do so.

+
+ // export our certificate data
+ openssl_pkey_export($res_key, $str_key);
+ openssl_x509_export($res_crt, $str_crt);
+
+ // return our ca information
+ $ca['crt'] = base64_encode($str_crt);
+ $ca['prv'] = base64_encode($str_key);
+ $ca['serial'] = 0;
+
+ return true;
+}
+
function cert_import(& $cert, $crt_str, $key_str) {
$cert['crt'] = base64_encode($crt_str);
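Review bot: The `$args` handed to openssl_csr_sign on the `$res_crt = ...` line carries only a digest and key parameters, so which X.509 extensions the intermediate receives is left to the `x509_extensions` default of the system openssl.cnf; if that default section does not set `basicConstraints = CA:TRUE` and `keyUsage = keyCertSign`, the certificate this function stores will not be accepted as an issuer when a chain built from it is verified. ca_create (only its header is visible, in the @@ context) presumably builds the self-signed root the same way, so the expectation should be pinned rather than assumed: `// Extensions come from the x509_extensions default of openssl.cnf; the intermediate must carry basicConstraints CA:TRUE and keyUsage keyCertSign to be usable as an issuer.`. Separately, `$signing_ca` is bound by reference and `++$signing_ca['serial']` mutates the parent CA's stored serial as a side effect of creating the child; a short docblock above the function should state that side effect and the `false` return when `$caref` does not resolve.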
57 usr/local/www/system_camanager.php
@@ -42,7 +42,8 @@
$ca_methods = array(
"existing" => gettext("Import an existing Certificate Authority"),
- "internal" => gettext("Create an internal Certificate Authority"));
+ "internal" => gettext("Create an internal Certificate Authority"),
+ "intermediate" => gettext("Create an intermediate Certificate Authority"));
$ca_keylens = array( "512", "1024", "2048", "4096");
@@ -154,7 +155,7 @@
if ($_POST) {
- $input_errors = array();
+ unset($input_errors);
$pconfig = $_POST;
/* input validation */
@@ -183,6 +184,22 @@
gettext("Distinguished name Email Address"),
gettext("Distinguished name Common Name"));
}
+ if ($pconfig['method'] == "intermediate") {
+ $reqdfields = explode(" ",
+ "descr caref keylen lifetime dn_country dn_state dn_city ".
+ "dn_organization dn_email dn_commonname");
+ $reqdfieldsn = array(
+ gettext("Descriptive name"),
+ gettext("Signing Certificate Authority"),
+ gettext("Key length"),
+ gettext("Lifetime"),
+ gettext("Distinguished name Country Code"),
+ gettext("Distinguished name State or Province"),
+ gettext("Distinguished name City"),
+ gettext("Distinguished name Organization"),
+ gettext("Distinguished name Email Address"),
+ gettext("Distinguished name Common Name"));
+ }
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
if ($pconfig['method'] != "existing")
@@ -229,7 +246,7 @@
if ($pconfig['method'] == "existing")
ca_import($ca, $pconfig['cert'], $pconfig['key'], $pconfig['serial']);
- if ($pconfig['method'] == "internal") {
+ else if ($pconfig['method'] == "internal") {
$dn = array(
'countryName' => $pconfig['dn_country'],
'stateOrProvinceName' => $pconfig['dn_state'],
@@ -239,6 +256,16 @@
'commonName' => $pconfig['dn_commonname']);
ca_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn);
}
+ else if ($pconfig['method'] == "intermediate") {
+ $dn = array(
+ 'countryName' => $pconfig['dn_country'],
+ 'stateOrProvinceName' => $pconfig['dn_state'],
+ 'localityName' => $pconfig['dn_city'],
+ 'organizationName' => $pconfig['dn_organization'],
+ 'emailAddress' => $pconfig['dn_email'],
+ 'commonName' => $pconfig['dn_commonname']);
+ ca_inter_create($ca, $pconfig['keylen'], $pconfig['lifetime'], $dn, $pconfig['caref']);
@ermal
ermal added a note Jun 22, 2011

No error checking even here!

+ }
}
if (isset($id) && $a_ca[$id])
@@ -268,10 +295,17 @@ function method_change() {
case 0:
document.getElementById("existing").style.display="";
document.getElementById("internal").style.display="none";
+ document.getElementById("intermediate").style.display="none";
break;
case 1:
document.getElementById("existing").style.display="none";
document.getElementById("internal").style.display="";
+ document.getElementById("intermediate").style.display="none";
+ break;
+ case 2:
+ document.getElementById("existing").style.display="none";
+ document.getElementById("internal").style.display="";
+ document.getElementById("intermediate").style.display="";
break;
}
}
@@ -385,6 +419,23 @@ function method_change() {
<tr>
<td colspan="2" valign="top" class="listtopic"><?=gettext("Internal Certificate Authority");?></td>
</tr>
+ <tr id='intermediate'>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Signing Certificate Authority");?></td>
+ <td width="78%" class="vtable">
+ <select name='caref' id='caref' class="formselect" onChange='internalca_change()'>
+ <?php
+ foreach( $a_ca as $ca):
@ermal
ermal added a note Jun 22, 2011

Can you create functions for kind of API get_ca_list() ....?

+ if (!$ca['prv'])
+ continue;
+ $selected = "";
+ if ($pconfig['caref'] == $ca['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Key length");?></td>
<td width="78%" class="vtable">
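Review bot: In the `<option>` line of the last hunk, `$selected` is emitted directly after the closing quote of `value` with no separating space, and `$ca['refid']` and `$ca['descr']` are written into the markup unescaped; `descr` is the operator-entered "Descriptive name" that the validation hunk earlier in this file requires, so a value containing `<` or `"` breaks the select or injects markup into the page. Change the line to `<option value="<?=htmlspecialchars($ca['refid']);?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>`. The `onChange='internalca_change()'` handler on the `<select>` is not defined anywhere in this diff; if it does not exist elsewhere in the page, changing the selection raises a JavaScript error, so either define it or drop the attribute.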

1 comment on commit 5c00a2b

@EvgenyY
Owner

This commit introduces ability to create Intermediate Certificate Authorities in certificate manager.
