author | PiBa-NL <pba_2k3@yahoo.com> | 2013-11-22 16:29:16 +0100 |
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-11-22 16:29:16 +0100 |
commit | cecde162c97ceb3309b29c98ef1648abcb0379bf (patch) | |
tree | c57121f866e0d26e8a6b70bc3890ad41f4dfa345 /config/haproxy-devel/haproxy_utils.inc | |
parent | 9824bac2ea71404e673d11fafbfd37f9a44dccc8 (diff) | |
haproxy-devel, change certificate signer check haproxy_cert_signed_by(a,b)
Diffstat (limited to 'config/haproxy-devel/haproxy_utils.inc')
-rw-r--r-- | config/haproxy-devel/haproxy_utils.inc | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc
index e826f530..940c816f 100644
--- a/config/haproxy-devel/haproxy_utils.inc
+++ b/config/haproxy-devel/haproxy_utils.inc
@@ -31,6 +31,8 @@ be moved to the general pfSense php library for possible easy use by other parts
 of pfSense
 */
+require_once("config.inc");
+
 function haproxy_interface_ip($interfacebindname,$userfriendly=false){
 $list = haproxy_get_bindable_interfaces();
 $item = $list[$interfacebindname];
@@ -153,11 +155,32 @@ function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,l
 return $bindable;
 }
+function haproxy_get_cert_extensions($crt){
+ $cert = openssl_x509_parse(base64_decode($crt['crt']));
+ return $cert['extensions'];
+}
+
+function haproxy_get_cert_authoritykeyidentifier($cert)
+{
+ $certextension = haproxy_get_cert_extensions($cert);
+ $lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']);
+ return substr($lines[0],6);// cut off the starting string 'keyid:'
+}
+function haproxy_get_cert_subjectKeyIdentifier($cert)
+{
+ $certextension = haproxy_get_cert_extensions($cert);
+ $lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']);
+ return $lines[0];
+}
+
 function haproxy_cert_signed_by($cert, $signedbycert)
 {
- // uses function isCertSigner(a,b) from isCertSigner.inc to check if $cert was signed by $signedbycert
- // returns true if it is
- return isCertSigner(base64_decode($cert['crt']), base64_decode($signedbycert['crt']));
+ // checks if $cert was signed by $signedbycert
+ // this does NOT validate a proper signature but only checks if the extension properties match.
+ $authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert);
+ $subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert);
+ return $authoritykeyid == $subjectid;
 }
+
 function haproxy_get_certificates(){
 global $config;
 $allcerts = array(); |
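Review bot: In the second hunk, haproxy_cert_signed_by() reports a match for any certificate that lacks an authorityKeyIdentifier extension against any CA that lacks a subjectKeyIdentifier, because haproxy_get_cert_authoritykeyidentifier() indexes the extension array without isset(), preg_split() of the missing value yields a single empty line, substr() of that is '' (false on older PHP), and the loose `==` then treats it as equal to the empty subject id; the same path is reached when openssl_x509_parse() returns false in haproxy_get_cert_extensions(), since indexing false yields null. `substr($lines[0],6)` also assumes the first line is the `keyid:` form, so an authorityKeyIdentifier rendered as a DirName:/serial: line produces a truncated junk identifier instead of a miss. Each lookup should be guarded, an empty identifier on either side should never count as a match, and the final comparison should be strict, as sketched below (haproxy_get_cert_subjectKeyIdentifier() needs the same isset() guard). The new comment already says this is not a signature check, so the result should only drive certificate grouping, never a trust decision; consider documenting that at the call sites as well.
```php
function haproxy_get_cert_extensions($crt){
	$cert = openssl_x509_parse(base64_decode($crt['crt']));
	// openssl_x509_parse() returns false for an unparsable certificate
	if ($cert === false || !isset($cert['extensions'])) {
		return array();
	}
	return $cert['extensions'];
}

function haproxy_get_cert_authoritykeyidentifier($cert)
{
	$certextension = haproxy_get_cert_extensions($cert);
	if (!isset($certextension['authorityKeyIdentifier'])) {
		return '';
	}
	$lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']);
	// only the 'keyid:' form carries a key identifier; DirName:/serial: lines do not
	if (strpos($lines[0], 'keyid:') !== 0) {
		return '';
	}
	return substr($lines[0],6);
}
// … unchanged: haproxy_get_cert_subjectKeyIdentifier (add the same isset() guard) …

function haproxy_cert_signed_by($cert, $signedbycert)
{
	// checks if $cert was signed by $signedbycert
	// this does NOT validate a proper signature but only checks if the extension properties match.
	$authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert);
	$subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert);
	// an empty identifier on either side must never count as a match
	return $authoritykeyid !== '' && $authoritykeyid === $subjectid;
}
```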