* [RFC PATCH 1/2] Add a cgi page to show a vpn certificate
@ 2021-02-18 16:24 Jonatan Schlag
2021-02-18 16:24 ` [RFC PATCH 2/2] Use new vpn-show-cert.cgi in vpnmain.cgi Jonatan Schlag
2021-02-18 22:06 ` [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Tom Rymes
0 siblings, 2 replies; 3+ messages in thread
From: Jonatan Schlag @ 2021-02-18 16:24 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6435 bytes --]
This page has the only usage to show a certificate of the ipsec vpn.
It should decrease complexity of the vpnmain.cgi. This decrease might
not be huge but at least there. This also should introduce usage of
templates.
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++
html/html/templates/vpn-cert.html | 14 ++++
2 files changed, 146 insertions(+)
create mode 100644 html/cgi-bin/vpn-show-cert.cgi
create mode 100644 html/html/templates/vpn-cert.html
diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
new file mode 100644
index 000000000..4c3f99c5f
--- /dev/null
+++ b/html/cgi-bin/vpn-show-cert.cgi
@@ -0,0 +1,132 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+use strict;
+use HTML::Entities();
+use HTML::Template;
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+# Functions
+
+sub is_valid_cert_key {
+ my $key = $_[0];
+ return 1;
+}
+
+sub is_valid_ca_cert_key {
+ my $key = $_[0];
+ return 1;
+}
+
+my %color = ();
+my %mainsettings = ();
+my %cgiparams=();
+my %confighash=();
+my %cahash=();
+
+# Initialize template
+my $tmpl = HTML::Template->new(
+ filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
+ die_on_bad_params => 0
+);
+
+
+# Read-in main settings, for language, theme and colors.
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
+
+
+if (($cgiparams{'ACTION'} eq "showCert" ||
+ $cgiparams{'ACTION'} eq "showCaCert" ||
+ $cgiparams{'ACTION'} eq "showRootCert" ||
+ $cgiparams{'ACTION'} eq "showHostCert" )) {
+
+ my $action = $cgiparams{'ACTION'};
+ my $file = "";
+
+ if ($action eq "showRootCert"){
+ $file = "${General::swroot}/ca/cacert.pem";
+ } elsif ($action eq "showHostCert"){
+ $file = "${General::swroot}/ca/cacert.pem";
+ } elsif ($action eq "showCert" ){
+ my $key = $cgiparams{'KEY'};
+ if (is_valid_cert_key($key)){
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ $file = "${General::swroot}/certs/$confighash{$key}[1]cert.pem";
+ } else {
+ $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+ }
+ } elsif ($action eq "showCaCert"){
+ my $key = $cgiparams{'KEY'};
+ if (is_valid_ca_cert_key($key)){
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
+ } else {
+ $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
+ }
+ }
+
+ if (not "$file" eq "" && -f $file){
+ my $output = `/usr/bin/openssl x509 -text -in $file`;
+ $output = &Header::cleanhtml($output,"y");
+
+
+
+ $tmpl->param(OUTPUT => $output);
+
+ # Some translated strings
+ if ($action eq "showRootCert") {
+ $tmpl->param(L_TITLE => $Lang::tr{'root certificate'});
+ } elsif ($action eq "showHostCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'host certificate'});
+ } elsif ($action eq "showCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'cert'});
+ } elsif ($action eq "showCaCert"){
+ $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});
+ }
+
+ $tmpl->param(L_BACK => $Lang::tr{'back'});
+ }
+
+} else {
+
+ my $keys = join "\n", keys %cgiparams;
+ $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys");
+}
+
+&Header::showhttpheaders();
+&Header::openpage($Lang::tr{'ipsec'}, 1, '');
+
+# Print rendered template
+print $tmpl->output();
+
+&Header::closepage();
diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html
new file mode 100644
index 000000000..43ec759f1
--- /dev/null
+++ b/html/html/templates/vpn-cert.html
@@ -0,0 +1,14 @@
+<div class="post">
+ <TMPL_IF NAME="ERRORMESSAGE">
+ <TMPL_VAR NAME="ERRORMESSAGE">
+ <TMPL_ELSE>
+ <h2><TMPL_VAR NAME="L_TITLE"></h2>
+ <pre>
+ <TMPL_VAR NAME="OUTPUT">
+ </pre>
+ </TMPL_IF>
+</div>
+
+<div align="center">
+ <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a>
+</div>
\ No newline at end of file
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [RFC PATCH 2/2] Use new vpn-show-cert.cgi in vpnmain.cgi
2021-02-18 16:24 [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Jonatan Schlag
@ 2021-02-18 16:24 ` Jonatan Schlag
2021-02-18 22:06 ` [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Tom Rymes
1 sibling, 0 replies; 3+ messages in thread
From: Jonatan Schlag @ 2021-02-18 16:24 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6101 bytes --]
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
html/cgi-bin/vpnmain.cgi | 81 ++++------------------------------------
1 file changed, 8 insertions(+), 73 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index db442e111..55993e852 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -638,28 +638,6 @@ END
UPLOADCA_ERROR:
-###
-### Display ca certificate
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Export ca certificate to browser
@@ -759,29 +737,6 @@ END
$errormessage = $Lang::tr{'invalid key'};
}
-###
-### Display root certificate
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
- $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
- my $output;
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
- &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
- } else {
- &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
- }
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
###
### Export root certificate to browser
@@ -1178,26 +1133,6 @@ END
print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
exit (0);
-###
-### Display certificate
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
- }
###
### Export Certificate to browser
@@ -3047,9 +2982,9 @@ END
if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
print <<END
<td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <form method='post' action='/cgi-bin/vpn-show-cert.cgi'>
<input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
+ <input type='hidden' name='ACTION' value='showCert' />
<input type='hidden' name='KEY' value='$key' />
</form>
</td>
@@ -3173,8 +3108,8 @@ EOF
<td class='base' $col1>$Lang::tr{'root certificate'}</td>
<td class='base' $col1>$casubject</td>
<td width='3%' align='center' $col1>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
+ <form method='post' action='/cgi-bin/vpn-show-cert.cgi'>
+ <input type='hidden' name='ACTION' value='showRootCert' />
<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
</form>
</td>
@@ -3206,8 +3141,8 @@ END
<td class='base' $col2>$Lang::tr{'host certificate'}</td>
<td class='base' $col2>$hostsubject</td>
<td width='3%' align='center' $col2>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
+ <form method='post' action='/cgi-bin/vpn-show-cert.cgi'>
+ <input type='hidden' name='ACTION' value='showHostCert' />
<input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
</form>
</td>
@@ -3245,9 +3180,9 @@ END
print "<td class='base' $col>$cahash{$key}[1]</td>\n";
print <<END
<td align='center' $col>
- <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
+ <form method='post' name='cafrm${key}a' action='/cgi-bin/vpn-show-cert.cgi'>
<input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
+ <input type='hidden' name='ACTION' value='showCaCert' />
<input type='hidden' name='KEY' value='$key' />
</form>
</td>
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC PATCH 1/2] Add a cgi page to show a vpn certificate
2021-02-18 16:24 [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Jonatan Schlag
2021-02-18 16:24 ` [RFC PATCH 2/2] Use new vpn-show-cert.cgi in vpnmain.cgi Jonatan Schlag
@ 2021-02-18 22:06 ` Tom Rymes
1 sibling, 0 replies; 3+ messages in thread
From: Tom Rymes @ 2021-02-18 22:06 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7123 bytes --]
I like this idea. One thing I’d like to mention while the idea is being discussed is that Windows allows stronger encryption if ECDSA certificates are used for RW connections.
For this reason, it would be nice if IPSec could use ECDSA.
Tom
> On Feb 18, 2021, at 11:24 AM, Jonatan Schlag <jonatan.schlag(a)ipfire.org> wrote:
>
> This page has the only usage to show a certificate of the ipsec vpn.
> It should decrease complexity of the vpnmain.cgi. This decrease might
> not be huge but at least there. This also should introduce usage of
> templates.
>
> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> ---
> html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++
> html/html/templates/vpn-cert.html | 14 ++++
> 2 files changed, 146 insertions(+)
> create mode 100644 html/cgi-bin/vpn-show-cert.cgi
> create mode 100644 html/html/templates/vpn-cert.html
>
> diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
> new file mode 100644
> index 000000000..4c3f99c5f
> --- /dev/null
> +++ b/html/cgi-bin/vpn-show-cert.cgi
> @@ -0,0 +1,132 @@
> +#!/usr/bin/perl
> +###############################################################################
> +# #
> +# IPFire.org - A linux based firewall #
> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
> +# #
> +# This program is free software: you can redistribute it and/or modify #
> +# it under the terms of the GNU General Public License as published by #
> +# the Free Software Foundation, either version 3 of the License, or #
> +# (at your option) any later version. #
> +# #
> +# This program is distributed in the hope that it will be useful, #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
> +# GNU General Public License for more details. #
> +# #
> +# You should have received a copy of the GNU General Public License #
> +# along with this program. If not, see <http://www.gnu.org/licenses/>. #
> +# #
> +###############################################################################
> +
> +use strict;
> +use HTML::Entities();
> +use HTML::Template;
> +
> +# enable only the following on debugging purpose
> +#use warnings;
> +#use CGI::Carp 'fatalsToBrowser';
> +
> +require '/var/ipfire/general-functions.pl';
> +require "${General::swroot}/lang.pl";
> +require "${General::swroot}/header.pl";
> +
> +# Functions
> +
> +sub is_valid_cert_key {
> + my $key = $_[0];
> + return 1;
> +}
> +
> +sub is_valid_ca_cert_key {
> + my $key = $_[0];
> + return 1;
> +}
> +
> +my %color = ();
> +my %mainsettings = ();
> +my %cgiparams=();
> +my %confighash=();
> +my %cahash=();
> +
> +# Initialize template
> +my $tmpl = HTML::Template->new(
> + filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
> + die_on_bad_params => 0
> +);
> +
> +
> +# Read-in main settings, for language, theme and colors.
> +&General::readhash("${General::swroot}/main/settings", \%mainsettings);
> +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
> +
> +
> +#Get GUI values
> +&Header::getcgihash(\%cgiparams);
> +
> +
> +if (($cgiparams{'ACTION'} eq "showCert" ||
> + $cgiparams{'ACTION'} eq "showCaCert" ||
> + $cgiparams{'ACTION'} eq "showRootCert" ||
> + $cgiparams{'ACTION'} eq "showHostCert" )) {
> +
> + my $action = $cgiparams{'ACTION'};
> + my $file = "";
> +
> + if ($action eq "showRootCert"){
> + $file = "${General::swroot}/ca/cacert.pem";
> + } elsif ($action eq "showHostCert"){
> + $file = "${General::swroot}/ca/cacert.pem";
> + } elsif ($action eq "showCert" ){
> + my $key = $cgiparams{'KEY'};
> + if (is_valid_cert_key($key)){
> + &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
> + $file = "${General::swroot}/certs/$confighash{$key}[1]cert.pem";
> + } else {
> + $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
> + }
> + } elsif ($action eq "showCaCert"){
> + my $key = $cgiparams{'KEY'};
> + if (is_valid_ca_cert_key($key)){
> + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
> + $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
> + } else {
> + $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});
> + }
> + }
> +
> + if (not "$file" eq "" && -f $file){
> + my $output = `/usr/bin/openssl x509 -text -in $file`;
> + $output = &Header::cleanhtml($output,"y");
> +
> +
> +
> + $tmpl->param(OUTPUT => $output);
> +
> + # Some translated strings
> + if ($action eq "showRootCert") {
> + $tmpl->param(L_TITLE => $Lang::tr{'root certificate'});
> + } elsif ($action eq "showHostCert"){
> + $tmpl->param(L_TITLE => $Lang::tr{'host certificate'});
> + } elsif ($action eq "showCert"){
> + $tmpl->param(L_TITLE => $Lang::tr{'cert'});
> + } elsif ($action eq "showCaCert"){
> + $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});
> + }
> +
> + $tmpl->param(L_BACK => $Lang::tr{'back'});
> + }
> +
> +} else {
> +
> + my $keys = join "\n", keys %cgiparams;
> + $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys");
> +}
> +
> +&Header::showhttpheaders();
> +&Header::openpage($Lang::tr{'ipsec'}, 1, '');
> +
> +# Print rendered template
> +print $tmpl->output();
> +
> +&Header::closepage();
> diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html
> new file mode 100644
> index 000000000..43ec759f1
> --- /dev/null
> +++ b/html/html/templates/vpn-cert.html
> @@ -0,0 +1,14 @@
> +<div class="post">
> + <TMPL_IF NAME="ERRORMESSAGE">
> + <TMPL_VAR NAME="ERRORMESSAGE">
> + <TMPL_ELSE>
> + <h2><TMPL_VAR NAME="L_TITLE"></h2>
> + <pre>
> + <TMPL_VAR NAME="OUTPUT">
> + </pre>
> + </TMPL_IF>
> +</div>
> +
> +<div align="center">
> + <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a>
> +</div>
> \ No newline at end of file
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-18 22:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-18 16:24 [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Jonatan Schlag
2021-02-18 16:24 ` [RFC PATCH 2/2] Use new vpn-show-cert.cgi in vpnmain.cgi Jonatan Schlag
2021-02-18 22:06 ` [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Tom Rymes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox