-
Notifications
You must be signed in to change notification settings - Fork 586
/
exportCerts.php
executable file
·138 lines (131 loc) · 7.74 KB
/
exportCerts.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2016-2021 Frank Wall
* Copyright (C) 2015 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
// Use legacy code to export certificates to the filesystem.
require_once("config.inc");
require_once("certs.inc");
require_once("legacy_bindings.inc");
use OPNsense\Core\Config;
$export_path = '/tmp/haproxy/ssl/';
// configure ssl elements
$configNodes = [
'frontends' => ['ssl_certificates', 'ssl_clientAuthCAs', 'ssl_clientAuthCRLs', 'ssl_default_certificate'],
'servers' => ['sslCA', 'sslCRL', 'sslClientCertificate'],
];
$certTypes = ['cert', 'ca', 'crl'];
// traverse HAProxy configuration
$configObj = Config::getInstance()->object();
foreach ($configNodes as $key => $value) {
// lookup all config nodes
if (isset($configObj->OPNsense->HAProxy->$key)) {
foreach ($configObj->OPNsense->HAProxy->$key->children() as $child) {
// search in all matching child elements for ssl data
foreach ($configNodes[$key] as $sslchild) {
if (isset($child->$sslchild)) {
// generate a list for every known cert type
foreach ($certTypes as $type) {
// every child node needs its own set of lists
$crtlist = array();
$crtlist_filename = $export_path . (string)$child->id . "." . $type . "list";
// multiple comma-separated values are possible
$certs = explode(',', $child->$sslchild);
foreach ($certs as $cert_refid) {
// if the element has a cert attached, search for its contents
if ($cert_refid != "") {
// search for cert (type) in config
foreach ($configObj->$type as $cert) {
if ($cert_refid == (string)$cert->refid) {
$pem_content = '';
// CRLs require special export
if ($type == 'crl') {
$crl =& lookup_crl($cert_refid);
$pem_content = base64_decode($crl['text']);
} else {
$pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
$pem_content .= "\n" . str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
// check if a CA is linked
if (!empty((string)$cert->caref)) {
$cert = (array)$cert;
$ca = ca_chain($cert);
// append the CA to the certificate data
$pem_content .= "\n" . $ca;
// additionally export CA to it's own file,
// not required for HAProxy, but makes OCSP handling easier
$output_ca_filename = $export_path . $cert_refid . ".issuer";
file_put_contents($output_ca_filename, $ca);
chmod($output_ca_filename, 0600);
}
}
// generate pem file for individual certs
// (not supported for CRLs)
if ($type == 'cert') {
$output_pem_filename = $export_path . $cert_refid . ".pem";
file_put_contents($output_pem_filename, $pem_content);
chmod($output_pem_filename, 0600);
echo "exported $type to " . $output_pem_filename . "\n";
$crtlist[] = $output_pem_filename;
} else {
// In contrast to certificates, CA/CRL content needs to be put in a single file.
// A list of individual files is not supported by HAproxy.
$crtlist[] = $pem_content;
}
}
}
}
}
// generate list file
// (only supported for frontends and servers)
if (($key == 'frontends') or ($key == 'servers')) {
// ignore if list is empty
if (empty($crtlist)) {
continue;
}
// skip for ssl_default_certificate, it's only used to ensure
// that the default certificate is exported to a file
if ($sslchild == 'ssl_default_certificate') {
continue;
}
// check if a default certificate is configured
if (($type == 'cert') and isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
$default_cert = (string)$child->ssl_default_certificate;
$default_cert_filename = $export_path . $default_cert . ".pem";
// ensure that the default certificate is the first entry on the list
$crtlist = array_diff($crtlist, [$default_cert_filename]);
array_unshift($crtlist, $default_cert_filename);
}
$crtlist_content = implode("\n", $crtlist) . "\n";
file_put_contents($crtlist_filename, $crtlist_content);
chmod($crtlist_filename, 0600);
echo "exported $type list to " . $crtlist_filename . "\n";
}
}
}
}
}
}
}