From patchwork Thu Feb 18 16:24:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonatan Schlag X-Patchwork-Id: 3901 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4DhKmg50Q5z3wps for ; Thu, 18 Feb 2021 16:24:51 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4DhKmf5lhrztg; Thu, 18 Feb 2021 16:24:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4DhKmf59FKz2xkD; Thu, 18 Feb 2021 16:24:50 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4DhKmd5Wdmz2xXd for ; Thu, 18 Feb 2021 16:24:49 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4DhKmd008Jznm; Thu, 18 Feb 2021 16:24:48 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1613665489; 
h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=3Dd/hQgxVs6vMQQQbvjvITKpwUU0irJPPDgy4bRyQ74=; b=1cnxyRYlsVhljm1HRtC5Md8H29E9KIVy2qxM/xZvrCPYzsdRBQvhmf9N9ZxKVMg98Hj9pQ qY2pvBaiG9Z8BIDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1613665489; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=3Dd/hQgxVs6vMQQQbvjvITKpwUU0irJPPDgy4bRyQ74=; b=ma6GIGH2znzRs/heXlyiXx+f2Sr5og2bLJGv/fbmIOX5Nmf8h/0bXk25WY8H1hoNTrwGwH 0KdZYG4G+W/wsB8TNMKEMZlv6Aua39SurYeMsl+XXTETkCI32GGBizNLvOhurzx7WLZO/3 fsIJSVbgfccXUDpymzcjAJG3gQqVElzhThItP5SxtNi+nQqcRbq2w32p5asogtUbFN/6Vo Y0W+kk8WDck3B+6TQo0rrHwZLnCt8Cz8dbKskA2fmS3v8LV7xMpuVBDdXEMSnPAhueKcyW j8kkaCLKXrG0wzotVjrihkvL/K25+HxaMApBFQyH1erDMjB3v7Yc9OpVR0hiFQ== From: Jonatan Schlag To: development@lists.ipfire.org Subject: [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Date: Thu, 18 Feb 2021 17:24:26 +0100 Message-Id: <20210218162427.11327-1-jonatan.schlag@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This page has the only usage to show a certificate of the ipsec vpn. It should decrease complexity of the vpnmain.cgi. This decrease might not be huge but at least there. This also should introduce usage of templates. Signed-off-by: Jonatan Schlag --- html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++ html/html/templates/vpn-cert.html | 14 ++++ 2 files changed, 146 insertions(+) create mode 100644 html/cgi-bin/vpn-show-cert.cgi create mode 100644 html/html/templates/vpn-cert.html 
diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
new file mode 100644
index 000000000..4c3f99c5f
--- /dev/null
+++ b/html/cgi-bin/vpn-show-cert.cgi
@@ -0,0 +1,132 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2020 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+use strict;
+use HTML::Entities();
+use HTML::Template;
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+# Functions
+
+sub is_valid_cert_key {
+ my $key = $_[0];
+ return 1;
+}
+
+sub is_valid_ca_cert_key {
+ my $key = $_[0];
+ return 1;
+}
+
+my %color = ();
+my %mainsettings = ();
+my %cgiparams=();
+my %confighash=();
+my %cahash=();
+
+# Initialize template
+my $tmpl = HTML::Template->new(
+ filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
+ die_on_bad_params => 0
+);
+
+
+# Read-in main settings, for language, theme and colors.
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
+
+
+if (($cgiparams{'ACTION'} eq "showCert" ||
+ $cgiparams{'ACTION'} eq "showCaCert" ||
+ $cgiparams{'ACTION'} eq "showRootCert" ||
+ $cgiparams{'ACTION'} eq "showHostCert" )) {
+
+ my $action = $cgiparams{'ACTION'};
+ my $file = "";
+
+ if ($action eq "showRootCert"){
+ $file = "${General::swroot}/ca/cacert.pem";
+ } elsif ($action eq "showHostCert"){
+ $file = "${General::swroot}/ca/cacert.pem";
+ } elsif ($action eq "showCert" ){
+ my $key = $cgiparams{'KEY'};
+ if (is_valid_cert_key($key)){
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ $file = "${General::swroot}/certs/$confighash{$key}[1]cert.pem";
+ } else {
+ $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+ }
+ } elsif ($action eq "showCaCert"){
+ my $key = $cgiparams{'KEY'};
+ if (is_valid_ca_cert_key($key)){
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
+ } else {
+ $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+ }
+ }
+
+ if (not "$file" eq "" && -f $file){
+ my $output = `/usr/bin/openssl x509 -text -in $file`;
+ $output = &Header::cleanhtml($output,"y");
+
+
+
+ $tmpl->param(OUTPUT => $output);
+
+ # Some translated strings
+ if ($action eq "showRootCert") {
+ $tmpl->param(L_TITLE => $Lang::tr{'root certificate'});
+ } elsif ($action eq "showHostCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'host certificate'});
+ } elsif ($action eq "showCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'cert'});
+ } elsif ($action eq "showCaCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});
+ }
+
+ $tmpl->param(L_BACK => $Lang::tr{'back'});
+ }
+
+} else {
+
+ my $keys = join "\n", keys %cgiparams;
+ $tmpl->param(ERRORMESSAGE => "Invalid Paramter: 
\n $keys");
+}
+
+&Header::showhttpheaders();
+&Header::openpage($Lang::tr{'ipsec'}, 1, '');
+
+# Print rendered template
+print $tmpl->output();
+
+&Header::closepage();
diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html
new file mode 100644
index 000000000..43ec759f1
--- /dev/null
+++ b/html/html/templates/vpn-cert.html
@@ -0,0 +1,14 @@
+
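Review bot: The guard `if (not "$file" eq "" && -f $file){` never rejects anything, because low-precedence `not` negates the whole `"$file" eq "" && -f $file` conjunction, so the branch also runs for an empty or non-existent `$file` and invokes openssl on it; it should read `if ($file ne "" && -f $file) {`. `$file` is then interpolated into a shell backtick, and since the `$confighash{$key}[1]` / `$cahash{$key}[0]` components are read from the vpn config files rather than being fixed names, the list-form `open my $ssl, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $file or die "openssl: $!";` followed by a slurp of `<$ssl>` keeps the shell out of the path entirely. The `showHostCert` branch sets `$file` to `${General::swroot}/ca/cacert.pem`, the same file as `showRootCert`, whereas the code removed from vpnmain.cgi in patch 2/2 showed `${General::swroot}/certs/hostcert.pem` for the host certificate. `is_valid_cert_key` and `is_valid_ca_cert_key` always return 1, so a KEY that is not present in the hash yields a path with an empty name component instead of the `invalid key` error the template already handles; checking `exists $confighash{$key}` (and `exists $cahash{$key}`) after `readhasharray` would close that gap. The error string `Invalid Paramter:` has a typo and `use warnings;` is left commented out; both are worth fixing before this leaves RFC.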
+ + + +

+
+            
+        
+
+
+ +
+ +
\ No newline at end of file From patchwork Thu Feb 18 16:24:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonatan Schlag X-Patchwork-Id: 3902 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4DhKmk1dtWz3wps for ; Thu, 18 Feb 2021 16:24:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4DhKmj6Qw6z26N; Thu, 18 Feb 2021 16:24:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4DhKmj5qf0z2xqV; Thu, 18 Feb 2021 16:24:53 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4DhKmh3zBNz2xXd for ; Thu, 18 Feb 2021 16:24:52 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4DhKmh29WYz1VD; Thu, 18 Feb 2021 16:24:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1613665492; 
h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=od49EgEJJzAlcpd6aqctUH4LPWa5WjNqdRAxtbAFiA0=; b=GDcYcctZn1ud0jSD/xayDBHTryyluq+woou+zy0gQF8IPAGVXpafvp72KKpsHtQVl3m2RG yD0QsHx6Tq2VLCAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1613665492; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=od49EgEJJzAlcpd6aqctUH4LPWa5WjNqdRAxtbAFiA0=; b=j9yZxVlCdHu71V++YG5gYu9xjA6ZXYsOnID3VT78obyzgHiCckJpCwyjbUtFfIgunp6e16 yW0huOaAQsLBANSenurBKb/dnSqXXV+iH9qNx2RcuQpuR2HGmM77tQr40z8t9EWpO3Qn+9 ZbfIgKjssKNXMVa94R5ncw558l18QstBKi/flsOTH7z8UEhBtsK5IqdHcf21ay0/GQmcn6 jsJDydfxYVIPdy0s40LrPaxxspeKpzmvGbonwzxw5vTkyFCo361sm80IQaNFkfnHCuPjol 9GMMGN455egP2n0ybbYnrCVWcoicm1FeF5GVJ9zgNSfA2BZfqETgi5HxUUNSRA== From: Jonatan Schlag To: development@lists.ipfire.org Subject: [RFC PATCH 2/2] Use new vpn-show-cert.cgi in vpnmain.cgi Date: Thu, 18 Feb 2021 17:24:27 +0100 Message-Id: <20210218162427.11327-2-jonatan.schlag@ipfire.org> In-Reply-To: <20210218162427.11327-1-jonatan.schlag@ipfire.org> References: <20210218162427.11327-1-jonatan.schlag@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Jonatan Schlag --- html/cgi-bin/vpnmain.cgi | 81 ++++------------------------------------ 1 file changed, 8 insertions(+), 73 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index db442e111..55993e852 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -638,28 +638,6 @@ END UPLOADCA_ERROR: -### -### Display ca certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Export ca certificate to browser @@ -759,29 +737,6 @@ END $errormessage = $Lang::tr{'invalid key'}; } -### -### Display root certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || - $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { - &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; - } else { - &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; - } - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); ### ### Export root certificate to browser @@ -1178,26 +1133,6 @@ END print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; exit (0); -### -### Display certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } ### ### Export Certificate to browser @@ -3047,9 +2982,9 @@ END if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { print < -
+ - +
@@ -3173,8 +3108,8 @@ EOF $Lang::tr{'root certificate'} $casubject -
- + +
@@ -3206,8 +3141,8 @@ END $Lang::tr{'host certificate'} $hostsubject -
- + +
@@ -3245,9 +3180,9 @@ END print "$cahash{$key}[1]\n"; print < -
+ - +