deprecated/phpki-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Openvpn certificate handling

Browse Source
This commit is contained in:
John Crisp
2020-02-27 16:16:31 +01:00
parent 4277270c7f
commit 99d78dfa12
3 changed files with 169 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
ca/main.php
View File

@@ -10,6 +10,14 @@ $stage = gpvar('stage');
switch($stage) { switch($stage) {
case 'dl_takey':
upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream');
break;
case 'dl_dhparam':
upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream');
break;
case 'dl_root': case 'dl_root':
upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert'); upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert');
break; break;
@@ -18,6 +26,10 @@ case 'dl_crl':
upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl'); upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
break; break;
case 'dl_crl_pem':
upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
break;
case 'gen_crl': case 'gen_crl':
list($ret,$errtxt) = CA_generate_crl(); list($ret,$errtxt) = CA_generate_crl();
@@ -47,9 +59,49 @@ case 'gen_crl':
<p> <p>
</form> </form>
<?php <?php
} }
break; break;
case 'display_takey':
printHeader(false);
?>
<center><h2>OpenVPN pre-shared Key</h2></center>
<p>
<form action="<?php echo $PHP_SELF?>" method="post">
<input type=submit name=submit value="Back to Menu">
</form>
<?php
print '<pre>'.ta_key_text().'</pre>';
break;
case 'display_dhparam':
printHeader(false);
?>
<center><h2>OpenVPN Diffie-Helman parameters</h2></center>
<p>
<form action="<?php echo $PHP_SELF?>" method="post">
<input type=submit name=submit value="Back to Menu">
</form>
<?php
print '<pre>'.dhparam_text().'</pre>';
break;
case 'display_root_pem':
printHeader(false);
?>
<center><h2>Root certificate file (PEM Encoded)</h2></center>
<p>
<form action="<?php echo $PHP_SELF?>" method="post">
<input type=submit name=submit value="Back to Menu">
</form>
<?php
print '<pre>'.root_pem_text().'</pre>';
break;
default: default:
printHeader('ca'); printHeader('ca');
?> ?>
@@ -57,7 +109,6 @@ default:
<br> <br>
<center> <center>
<table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th> <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=33%> <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;" width=33%>
<a href=request_cert.php>Create a New Certificate</a></td> <a href=request_cert.php>Create a New Certificate</a></td>
<td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates. <td>Use the <strong><cite>Certificate Request Form</cite></strong> to create and download new digital certificates.
@@ -70,23 +121,42 @@ default:
<strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr> <strong><cite>Certificate Management Control Panel</cite></strong>.</td></tr>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href="<?php echo $PHP_SELF?>"?stage="gen_crl">Update & View the Certificate Revocation List</a></td> <a href='<?php echo $PHP_SELF?>?stage=gen_crl'>Update & View the Certificate Revocation List</a></td>
<td>Some applications automagically reference the Certificate Revocation List to determine <td>Some applications automagically reference the Certificate Revocation List to determine
certificate validity. It is not necessary to perform this update function, as the CRL is certificate validity. It is not necessary to perform this update function, as the CRL is
updated when certificates are revoked. However, doing so is harmless. updated when certificates are revoked. However, doing so is harmless.
<a href=../help.php target=_help>Read the online help</a> to learn more about this.</td></tr> <a href=../help.php target=_help>Read the online help</a> to learn more about this.</td></tr>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href="<?php echo $PHP_SELF?>"?stage="dl_root">Download the Root Certificate</a></td> <a href='<?php echo $PHP_SELF?>?stage=dl_root'>Download the Root Certificate</a><br><br>
<a href="<?php echo $PHP_SELF?>"?stage="display_root_pem">Display the Root Certificate (PEM Encoded)</a></td> <a href='<?php echo $PHP_SELF?>?stage=display_root_pem'>Display the Root Certificate (PEM Encoded)</a></td>
<td>The "Root" certificate must be installed before using any of the <td>The "Root" certificate must be installed before using any of the
certificates issued here. <a href=../help.php target=_help>Read the online help</a> certificates issued here. <a href=../help.php target=_help>Read the online help</a>
to learn more about this.</td></tr> to learn more about this.</td></tr>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href="<?php echo $PHP_SELF?>"?stage="dl_crl">Download the Certificate Revocation List</a></td> <a href='<?php echo $PHP_SELF?>?stage=dl_crl'>Download the Certificate Revocation List</a><br><br>
<a href='<?php echo $PHP_SELF?>?stage=dl_crl_pem'>Download in PEM format.</a></td>
<td>This is the official list of revoked certificates. Using this list with your e-mail or <td>This is the official list of revoked certificates. Using this list with your e-mail or
browser application is optional. Some applications will automagically reference this list. </td></tr> browser application is optional. Some applications will automagically reference this list.</td></tr>
<?php
if (file_exists($config[private_dir] . '/takey.pem')) {
?>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href='<?php echo $PHP_SELF?>?stage=dl_takey'>Download the static pre-shared key</a><br><br>
<a href='<?php echo $PHP_SELF?>?stage=display_takey'>Display the static pre-shared key</a></td>
<td>This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication.</td></tr>
<?php }
?>
<?php if (file_exists ($config[private_dir] . '/dhparam1024.pem')) {
?>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href='<?php echo $PHP_SELF?>?stage=dl_dhparam'>Download the Diffie-Hellman parameters</a><br><br>
<a href='<?php echo $PHP_SELF?>?stage=display_dhparam'>Display the Diffie-Hellman parameters</a></td>
<td>This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement
protocol enables two communication partners to exchange a secret key safely.</td></tr>
<?php }
?>
</table> </table>
</center> </center>

48
include/openssl_functions.php
View File

@@ -232,7 +232,7 @@ $alt_names
# Write out the config file. # Write out the config file.
$cnf_file = tempnam('./tmp','cnf-'); $cnf_file = tempnam('./tmp','cnf-'); // Why is this not in the phpki dir ? why ../../ ?
$handle = fopen($cnf_file,"w"); $handle = fopen($cnf_file,"w");
fwrite($handle, $cnf_contents); fwrite($handle, $cnf_contents);
fclose($handle); fclose($handle);
@@ -367,6 +367,33 @@ function CAdb_explode_entry($dbentry) {
if (time() > strtotime("$mm-$dd-$yy")) if (time() > strtotime("$mm-$dd-$yy"))
$db['status'] = "Expired"; $db['status'] = "Expired";
// Compatibility with migrated certs from openvpn-bridge
if(count($b) == 7){
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = '';
$db['organization'] = $b[3];
$db['issuer'] = '';
$db['unit'] = $b[4];
$db['common_name'] = $b[5];
$db['email'] = $b[6];
}
// Compatibility with renewed certs from openvpn-bridge
elseif(count($b) == 8){
$db['serial'] = $a[3];
$db['country'] = $b[1];
$db['province'] = $b[2];
$db['locality'] = $b[3];
$db['organization'] = $b[4];
$db['issuer'] = '';
$db['unit'] = $b[5];
$db['common_name'] = $b[6];
$db['email'] = $b[7];
}
// Else, it's a certificate created with phpki
else{
$db['serial'] = $a[3]; $db['serial'] = $a[3];
$db['country'] = $b[1]; $db['country'] = $b[1];
$db['province'] = $b[2]; $db['province'] = $b[2];
@@ -376,6 +403,7 @@ function CAdb_explode_entry($dbentry) {
$db['unit'] = $b[6]; $db['unit'] = $b[6];
$db['common_name'] = $b[7]; $db['common_name'] = $b[7];
$db['email'] = $b[8]; $db['email'] = $b[8];
}
return $db; return $db;
} }
@@ -431,6 +459,24 @@ function CA_crl_text() {
return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1')); return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1'));
} }
// Returns the static takey.pem file
function ta_key_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1'));
}
// Returns the dhparam file
function dhparam_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1'));
}
// Returns the root CA certificate file (PEM Encoded)
function root_pem_text() {
global $config;
return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1'));
}
// //
// Returns the subject of a certificate. // Returns the subject of a certificate.
// //

10
main.php
View File

@@ -32,6 +32,10 @@ case 'dl_crl':
upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl'); upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl');
break; break;
case 'dl_crl_pem':
upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream');
break;
default: default:
printHeader('public'); printHeader('public');
@@ -55,12 +59,14 @@ default:
<a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td> <a href=<?php echo $PHP_SELF?>?stage=display_root>Display Our Root Certificate (PEM Encoded)</a></td>
<td>This option provides the "Root" certificate PEM encoded text for advanced users <td>This option provides the "Root" certificate PEM encoded text for advanced users
to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a> to manually install via copy and paste. <a href=help.php target=_help>Read the online help</a>
to learn more about this.</td></tr> to learn more about this.</td>
<tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
<a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td> <a href=<?php echo $PHP_SELF?>?stage=dl_crl>Download Our Certificate Revocation List</a></td>
<td>The official list of certificates revoked by this site. Installation and use of <td>The official list of certificates revoked by this site. Installation and use of
this list is optional. Some e-mail programs will reference this list automagically. </td></tr> this list is optional. Some e-mail programs will reference this list automagically.
(<a href="<?php echo $PHP_SELF?>?stage=dl_crl_pem">Some will need it in PEM format.</a>)</td></tr>
</table> </table>
</center> </center>