Skip to content

/ pfsense

Permalink
Browse files

Teach the certificate generation code how to make a self-signed certi… 

…ficate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.

Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.
  • Loading branch information
@jim-p
jim-p committed Oct 14, 2014
1 parent 1f4ad8f commit 7c4c77ee62cf28ced5043761ece287d29d498cd7
Unified Split
Showing with 70 additions and 38 deletions.
  1. +25 −12 etc/inc/certs.inc
  2. +45 −26 etc/inc/system.inc
37 etc/inc/certs.inc
View file
@@ -270,22 +270,28 @@ function cert_import(& $cert, $crt_str, $key_str) {

function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {

$ca =& lookup_ca($caref);
if (!$ca)
return false;
$cert['type'] = $type;

$ca_str_crt = base64_decode($ca['crt']);
$ca_str_key = base64_decode($ca['prv']);
$ca_res_crt = openssl_x509_read($ca_str_crt);
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
if(!$ca_res_key) return false;
$ca_serial = ++$ca['serial'];
if ($type != "self-signed") {
$cert['caref'] = $caref;
$ca =& lookup_ca($caref);
if (!$ca)
return false;

$ca_str_crt = base64_decode($ca['crt']);
$ca_str_key = base64_decode($ca['prv']);
$ca_res_crt = openssl_x509_read($ca_str_crt);
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
if(!$ca_res_key) return false;
$ca_serial = ++$ca['serial'];
}

switch ($type) {
case "ca":
$cert_type = "v3_ca";
break;
case "server":
case "self-signed":
$cert_type = "server";
break;
default:
@@ -312,11 +318,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
$res_key = openssl_pkey_new($args);
if(!$res_key) return false;

// If this is a self-signed cert, blank out the CA and sign with the cert's key
if ($type == "self-signed") {
$ca = null;
$ca_res_crt = null;
$ca_res_key = $res_key;
$ca_serial = 0;
$cert['type'] = "server";
}

// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if(!$res_csr) return false;

// self sign the certificate
// sign the certificate using an internal CA
$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
$args, $ca_serial);
if(!$res_crt) return false;
@@ -327,10 +342,8 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
return false;

// return our certificate information
$cert['caref'] = $caref;
$cert['crt'] = base64_encode($str_crt);
$cert['prv'] = base64_encode($str_key);
$cert['type'] = $type;

return true;
}
71 etc/inc/system.inc
View file
@@ -830,6 +830,44 @@ EOD;
return $retval;
}

function system_webgui_create_certificate() {
global $config, $g;

if (!is_array($config['ca']))
$config['ca'] = array();
$a_ca =& $config['ca'];
if (!is_array($config['cert']))
$config['cert'] = array();
$a_cert =& $config['cert'];
log_error("Creating SSL Certificate for this host");

$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = gettext("webConfigurator default");

$dn = array(
'countryName' => "US",
'stateOrProvinceName' => "State",
'localityName' => "Locality",
'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
'commonName' => $config['system']['hostname'] . '-' . uniqid());
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */

This comment has been minimized.

Sign in to view
Copy link
@phil-davis

phil-davis Oct 15, 2014

Contributor

s/warings/warnings/
Nit: in comment only
if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){
while($ssl_err = openssl_error_string()){
log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err);
}
error_reporting($old_err_level);
return null;
}
error_reporting($old_err_level);

$a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config(gettext("Importing HTTPS certificate"));
return $cert;
}

function system_webgui_start() {
global $config, $g;

@@ -852,36 +890,17 @@ function system_webgui_start() {
// Ensure that we have a webConfigurator CERT
$cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
if (!is_array($config['ca']))
$config['ca'] = array();
$a_ca =& $config['ca'];
if (!is_array($config['cert']))
$config['cert'] = array();
$a_cert =& $config['cert'];
log_error("Creating SSL Certificate for this host");
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = gettext("webConfigurator default");
mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
$key = file_get_contents("{$g['tmp_path']}/ssl.key");
unlink("{$g['tmp_path']}/ssl.key");
unlink("{$g['tmp_path']}/ssl.crt");
cert_import($cert, $crt, $key);
$a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config(gettext("Importing HTTPS certificate"));
if(!$config['system']['webgui']['port'])
$portarg = "443";
$ca = ca_chain($cert);
$cert = system_webgui_create_certificate();
$crt = $cert['crt'];
$key = $cert['prv'];
} else {
$crt = base64_decode($cert['crt']);
$key = base64_decode($cert['prv']);
if(!$config['system']['webgui']['port'])
$portarg = "443";
$ca = ca_chain($cert);
}

if(!$config['system']['webgui']['port'])
$portarg = "443";
$ca = ca_chain($cert);
}

/* generate lighttpd configuration */

0 comments on commit 7c4c77e

Please sign in to comment.