[16/16] IPsec: Add CA certificate in Apple profile

Message ID 20200528175850.12638-17-michael.tremer@ipfire.org

Commit Message

Michael Tremer May 28, 2020, 5:58 p.m. UTC
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

Patch

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index bcbe6227e..fa97ed531 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1246,13 +1246,23 @@  END
 	my $uuid1 = $uuid->create_str();
 	my $uuid2 = $uuid->create_str();
 
+	my $ca = "";
+	my $ca_uuid = $uuid->create_str();
+
 	my $cert = "";
 	my $cert_uuid = $uuid->create_str();
 
-	# Read and encode certificate
+	# Read and encode the CA & certificate
 	if ($confighash{$key}[4] eq "cert") {
+		my $ca_path = "${General::swroot}/ca/cacert.pem";
 		my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
 
+		# Read the CA and encode it into Base64
+		open(CA, "<${ca_path}");
+		local($/) = undef; # slurp
+		$ca = MIME::Base64::encode_base64(<CA>);
+		close(CA);
+
 		# Read certificate and encode it into Base64
 		open(CERT, "<${cert_path}");
 		local($/) = undef; # slurp
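Review bot: The new `open(CA, "<${ca_path}")` is unchecked, so if `cacert.pem` is missing or unreadable the read on the next line yields undef, `$ca` stays empty and the profile is still emitted, now with an empty root-certificate payload that the device will either reject or install without the trust anchor; nothing in the CGI reports this. It also copies the bareword-handle, two-arg form from the existing `open(CERT, ...)` rather than the three-arg lexical form, and the `local($/) = undef` at block scope is now declared twice in the same block. The path itself is built only from `${General::swroot}`, so this is not an injection concern, but the failure should be surfaced: `open(my $ca_fh, '<', $ca_path) or die "Cannot open $ca_path: $!";`, `$ca = MIME::Base64::encode_base64(do { local $/; <$ca_fh> });`, `close($ca_fh);`. The enclosing `if ($confighash{$key}[4] eq "cert")` block continues past the end of this hunk.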
@@ -1465,6 +1475,25 @@  END
 
 		print "				</data>\n";
 		print "			</dict>\n";
+
+		print "			<dict>\n";
+		print "				<key>PayloadIdentifier</key>\n";
+		print "				<string>org.example.ca</string>\n";
+		print "				<key>PayloadUUID</key>\n";
+		print "				<string>${ca_uuid}</string>\n";
+		print "				<key>PayloadType</key>\n";
+		print "				<string>com.apple.security.root</string>\n";
+		print "				<key>PayloadVersion</key>\n";
+		print "				<integer>1</integer>\n";
+		print "				<key>PayloadContent</key>\n";
+		print "				<data>\n";
+
+		foreach (split /\n/,${ca}) {
+			print "					$_\n";
+		}
+
+		print "				</data>\n";
+		print "			</dict>\n";
 	}
 
 	print "		</array>\n";
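Review bot: The new payload uses `PayloadType` `com.apple.security.root` but its `PayloadContent` is the Base64 of `cacert.pem`, i.e. a PEM text file; Apple's configuration-profile reference documents the `.root` payload as carrying the DER (binary) certificate, while PEM content belongs under `com.apple.security.pem`. Either convert the CA to DER before encoding or switch the type to `com.apple.security.pem`, and verify on a device that the trust anchor actually installs. Also note that when `$ca` is empty (the read in the first hunk is unchecked) the `foreach` prints nothing and an empty `<data></data>` element is emitted, so the dict should probably be skipped, or the profile refused, in that case; a short comment such as `# CA payload: content is PEM — confirm PayloadType matches the encoding` above the `<dict>` would record the intent. The `PayloadIdentifier` `org.example.ca` looks like a placeholder; if the other payloads in this file use a real reverse-DNS prefix this one should match it, as identifiers are what iOS uses to de-duplicate and replace payloads across installs.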