[RFC,1/2] Add a cgi page to show a vpn certificate

Message ID 20210218162427.11327-1-jonatan.schlag@ipfire.org
State New
Headers show
Series [RFC,1/2] Add a cgi page to show a vpn certificate | expand

Commit Message

Jonatan Schlag Feb. 18, 2021, 4:24 p.m. UTC
This page has the only usage to show a certificate of the ipsec vpn.
It should decrease complexity of the vpnmain.cgi. This decrease might
not be huge but at least there. This also should introduce usage of
templates.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
 html/cgi-bin/vpn-show-cert.cgi    | 132 ++++++++++++++++++++++++++++++
 html/html/templates/vpn-cert.html |  14 ++++
 2 files changed, 146 insertions(+)
 create mode 100644 html/cgi-bin/vpn-show-cert.cgi
 create mode 100644 html/html/templates/vpn-cert.html

Comments

Tom Rymes Feb. 18, 2021, 10:06 p.m. UTC | #1
I like this idea. One thing I’d like to mention while the idea is being discussed is that Windows allows stronger encryption if ECDSA certificates are used for RW connections.

For this reason, it would be nice if IPSec could use ECDSA.

Tom

> On Feb 18, 2021, at 11:24 AM, Jonatan Schlag <jonatan.schlag@ipfire.org> wrote:
> 
> This page has the only usage to show a certificate of the ipsec vpn.
> It should decrease complexity of the vpnmain.cgi. This decrease might
> not be huge but at least there. This also should introduce usage of
> templates.
> 
> Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
> ---
> html/cgi-bin/vpn-show-cert.cgi    | 132 ++++++++++++++++++++++++++++++
> html/html/templates/vpn-cert.html |  14 ++++
> 2 files changed, 146 insertions(+)
> create mode 100644 html/cgi-bin/vpn-show-cert.cgi
> create mode 100644 html/html/templates/vpn-cert.html
> 
> diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
> new file mode 100644
> index 000000000..4c3f99c5f
> --- /dev/null
> +++ b/html/cgi-bin/vpn-show-cert.cgi
> @@ -0,0 +1,132 @@
> +#!/usr/bin/perl
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
> +
> +use strict;
> +use HTML::Entities();
> +use HTML::Template;
> +
> +# enable only the following on debugging purpose
> +#use warnings;
> +#use CGI::Carp 'fatalsToBrowser';
> +
> +require '/var/ipfire/general-functions.pl';
> +require "${General::swroot}/lang.pl";
> +require "${General::swroot}/header.pl";
> +
> +# Functions
> +
> +sub is_valid_cert_key {
> +    my $key = $_[0];
> +    return 1;
> +}
> +
> +sub is_valid_ca_cert_key {
> +    my $key = $_[0];
> +    return 1;
> +}
> +
> +my %color = ();
> +my %mainsettings = ();
> +my %cgiparams=();
> +my %confighash=();
> +my %cahash=();
> +
> +# Initialize template
> +my $tmpl = HTML::Template->new(
> +    filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
> +    die_on_bad_params => 0
> +);
> +
> +
> +# Read-in main settings, for language, theme and colors.
> +&General::readhash("${General::swroot}/main/settings", \%mainsettings);
> +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
> +
> +
> +#Get GUI values
> +&Header::getcgihash(\%cgiparams);
> +
> +
> +if (($cgiparams{'ACTION'} eq "showCert" ||
> +    $cgiparams{'ACTION'} eq "showCaCert" ||
> +    $cgiparams{'ACTION'} eq "showRootCert" ||
> +    $cgiparams{'ACTION'} eq "showHostCert" )) {
> +
> +        my $action = $cgiparams{'ACTION'};
> +        my $file = "";
> +
> +        if ($action eq "showRootCert"){
> +            $file = "${General::swroot}/ca/cacert.pem";
> +        } elsif ($action eq "showHostCert"){
> +            $file = "${General::swroot}/ca/cacert.pem";
> +        } elsif ($action eq "showCert" ){
> +            my $key = $cgiparams{'KEY'};
> +            if (is_valid_cert_key($key)){
> +                &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
> +                $file =  "${General::swroot}/certs/$confighash{$key}[1]cert.pem";
> +            } else {
> +                $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
> +            }
> +        } elsif ($action eq "showCaCert"){
> +            my $key = $cgiparams{'KEY'};
> +            if (is_valid_ca_cert_key($key)){
> +                &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
> +                $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
> +            } else {
> +                $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
> +            }
> +        }
> +
> +        if (not "$file" eq "" && -f $file){
> +            my $output = `/usr/bin/openssl x509 -text -in $file`;
> +            $output = &Header::cleanhtml($output,"y");
> +
> +
> +
> +            $tmpl->param(OUTPUT => $output);
> +
> +            # Some translated strings
> +            if ($action eq "showRootCert") {
> +                $tmpl->param(L_TITLE => $Lang::tr{'root certificate'});
> +            } elsif ($action eq "showHostCert"){
> +                $tmpl->param(L_TITLE => $Lang::tr{'host certificate'});
> +            } elsif ($action eq "showCert"){
> +                $tmpl->param(L_TITLE => $Lang::tr{'cert'});
> +            } elsif ($action eq "showCaCert"){
> +                $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});
> +            }
> +
> +            $tmpl->param(L_BACK => $Lang::tr{'back'});
> +        }
> +
> +} else {
> +
> +    my $keys = join "\n", keys %cgiparams;
> +    $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys");
> +}
> +
> +&Header::showhttpheaders();
> +&Header::openpage($Lang::tr{'ipsec'}, 1, '');
> +
> +# Print rendered template
> +print $tmpl->output();
> +
> +&Header::closepage();
> diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html
> new file mode 100644
> index 000000000..43ec759f1
> --- /dev/null
> +++ b/html/html/templates/vpn-cert.html
> @@ -0,0 +1,14 @@
> +<div class="post">
> +    <TMPL_IF NAME="ERRORMESSAGE">
> +        <TMPL_VAR NAME="ERRORMESSAGE">
> +    <TMPL_ELSE>
> +    <h2><TMPL_VAR NAME="L_TITLE"></h2>
> +        <pre>
> +            <TMPL_VAR NAME="OUTPUT">
> +        </pre>
> +    </TMPL_IF>
> +</div>
> +
> +<div align="center">
> +    <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a>
> +</div>
> \ No newline at end of file
> -- 
> 2.20.1
>

Patch

diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
new file mode 100644
index 000000000..4c3f99c5f
--- /dev/null
+++ b/html/cgi-bin/vpn-show-cert.cgi
@@ -0,0 +1,132 @@ 
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+use HTML::Entities();
+use HTML::Template;
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+# Functions
+
+sub is_valid_cert_key {
+    my $key = $_[0];
+    return 1;
+}
+
+sub is_valid_ca_cert_key {
+    my $key = $_[0];
+    return 1;
+}
+
+my %color = ();
+my %mainsettings = ();
+my %cgiparams=();
+my %confighash=();
+my %cahash=();
+
+# Initialize template
+my $tmpl = HTML::Template->new(
+    filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
+    die_on_bad_params => 0
+);
+
+
+# Read-in main settings, for language, theme and colors.
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
+
+
+if (($cgiparams{'ACTION'} eq "showCert" ||
+    $cgiparams{'ACTION'} eq "showCaCert" ||
+    $cgiparams{'ACTION'} eq "showRootCert" ||
+    $cgiparams{'ACTION'} eq "showHostCert" )) {
+
+        my $action = $cgiparams{'ACTION'};
+        my $file = "";
+
+        if ($action eq "showRootCert"){
+            $file = "${General::swroot}/ca/cacert.pem";
+        } elsif ($action eq "showHostCert"){
+            $file = "${General::swroot}/ca/cacert.pem";
+        } elsif ($action eq "showCert" ){
+            my $key = $cgiparams{'KEY'};
+            if (is_valid_cert_key($key)){
+                &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+                $file =  "${General::swroot}/certs/$confighash{$key}[1]cert.pem";
+            } else {
+                $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+            }
+        } elsif ($action eq "showCaCert"){
+            my $key = $cgiparams{'KEY'};
+            if (is_valid_ca_cert_key($key)){
+                &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+                $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
+            } else {
+                $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+            }
+        }
+
+        if (not "$file" eq "" && -f $file){
+            my $output = `/usr/bin/openssl x509 -text -in $file`;
+            $output = &Header::cleanhtml($output,"y");
+
+
+
+            $tmpl->param(OUTPUT => $output);
+
+            # Some translated strings
+            if ($action eq "showRootCert") {
+                $tmpl->param(L_TITLE => $Lang::tr{'root certificate'});
+            } elsif ($action eq "showHostCert"){
+                $tmpl->param(L_TITLE => $Lang::tr{'host certificate'});
+            } elsif ($action eq "showCert"){
+                $tmpl->param(L_TITLE => $Lang::tr{'cert'});
+            } elsif ($action eq "showCaCert"){
+                $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});
+            }
+
+            $tmpl->param(L_BACK => $Lang::tr{'back'});
+        }
+
+} else {
+
+    my $keys = join "\n", keys %cgiparams;
+    $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys");
+}
+
+&Header::showhttpheaders();
+&Header::openpage($Lang::tr{'ipsec'}, 1, '');
+
+# Print rendered template
+print $tmpl->output();
+
+&Header::closepage();
diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html
new file mode 100644
index 000000000..43ec759f1
--- /dev/null
+++ b/html/html/templates/vpn-cert.html
@@ -0,0 +1,14 @@ 
+<div class="post">
+    <TMPL_IF NAME="ERRORMESSAGE">
+        <TMPL_VAR NAME="ERRORMESSAGE">
+    <TMPL_ELSE>
+    <h2><TMPL_VAR NAME="L_TITLE"></h2>
+        <pre>
+            <TMPL_VAR NAME="OUTPUT">
+        </pre>
+    </TMPL_IF>
+</div>
+
+<div align="center">
+    <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a>
+</div>
\ No newline at end of file