From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tom Rymes To: development@lists.ipfire.org Subject: Re: [RFC PATCH 1/2] Add a cgi page to show a vpn certificate Date: Thu, 18 Feb 2021 17:06:32 -0500 Message-ID: <9A787E39-4A8B-4F8D-BE09-B9295CCD623B@rymes.net> In-Reply-To: <20210218162427.11327-1-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4463218094977849437==" List-Id: --===============4463218094977849437== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable I like this idea. One thing I=E2=80=99d like to mention while the idea is bei= ng discussed is that Windows allows stronger encryption if ECDSA certificates= are used for RW connections. For this reason, it would be nice if IPSec could use ECDSA. Tom > On Feb 18, 2021, at 11:24 AM, Jonatan Schlag = wrote: >=20 > =EF=BB=BFThis page has the only usage to show a certificate of the ipsec vp= n. > It should decrease complexity of the vpnmain.cgi. This decrease might > not be huge but at least there. This also should introduce usage of > templates. >=20 > Signed-off-by: Jonatan Schlag > --- > html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++ > html/html/templates/vpn-cert.html | 14 ++++ > 2 files changed, 146 insertions(+) > create mode 100644 html/cgi-bin/vpn-show-cert.cgi > create mode 100644 html/html/templates/vpn-cert.html >=20
> diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi
> new file mode 100644
> index 000000000..4c3f99c5f
> --- /dev/null
> +++ b/html/cgi-bin/vpn-show-cert.cgi 
> @@ -0,0 +1,132 @@
> +#!/usr/bin/perl
> +##########################################################################= #####
> +# = #
> +# IPFire.org - A linux based firewall = #
> +# Copyright (C) 2007-2020 IPFire Team = #
> +# = #
> +# This program is free software: you can redistribute it and/or modify = #
> +# it under the terms of the GNU General Public License as published by = #
> +# the Free Software Foundation, either version 3 of the License, or = #
> +# (at your option) any later version. = #
> +# = #
> +# This program is distributed in the hope that it will be useful, = #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of = #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = #
> +# GNU General Public License for more details. = #
> +# = #
> +# You should have received a copy of the GNU General Public License = #
> +# along with this program. If not, see . = #
> +# = #
> +##########################################################################= #####
> +
> +use strict;
> +use HTML::Entities();
> +use HTML::Template;
> +
> +# enable only the following on debugging purpose
> +#use warnings;
> +#use CGI::Carp 'fatalsToBrowser';
> +
> +require '/var/ipfire/general-functions.pl';
> +require "${General::swroot}/lang.pl";
> +require "${General::swroot}/header.pl";
> +
> +# Functions
> +
> +sub is_valid_cert_key {
> + my $key =3D $_[0];
> + return 1;
> +}
> +
> +sub is_valid_ca_cert_key {
> + my $key =3D $_[0];
> + return 1;
> +}
> +
> +my %color =3D ();
> +my %mainsettings =3D ();
> +my %cgiparams=3D();
> +my %confighash=3D();
> +my %cahash=3D();
> +
> +# Initialize template
> +my $tmpl =3D HTML::Template->new(
> + filename =3D> "/srv/web/ipfire/html/html/templates/vpn-cert.html",
> + die_on_bad_params =3D> 0
> +);
> +
> +
> +# Read-in main settings, for language, theme and colors. 
> +&General::readhash("${General::swroot}/main/settings", \%mainsettings);
> +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."= /include/colors.txt", \%color);
> +
> +
> +#Get GUI values
> +&Header::getcgihash(\%cgiparams);
> +
> +
> +if (($cgiparams{'ACTION'} eq "showCert" ||
> + $cgiparams{'ACTION'} eq "showCaCert" ||
> + $cgiparams{'ACTION'} eq "showRootCert" ||
> + $cgiparams{'ACTION'} eq "showHostCert" )) {
> +
> + my $action =3D $cgiparams{'ACTION'};
> + my $file =3D "";
> +
> + if ($action eq "showRootCert"){
> + $file =3D "${General::swroot}/ca/cacert.pem";
> + } elsif ($action eq "showHostCert"){
> + $file =3D "${General::swroot}/ca/cacert.pem";
> + } elsif ($action eq "showCert" ){
> + my $key =3D $cgiparams{'KEY'};
> + if (is_valid_cert_key($key)){
> + &General::readhasharray("${General::swroot}/vpn/config", \= %confighash);
> + $file =3D "${General::swroot}/certs/$confighash{$key}[1]c= ert.pem";
> + } else {
> + $tmpl->param(ERRORMESSAGE =3D> $Lang::tr{'invalid key'});
> + }
> + } elsif ($action eq "showCaCert"){
> + my $key =3D $cgiparams{'KEY'};
> + if (is_valid_ca_cert_key($key)){
> + &General::readhasharray("${General::swroot}/vpn/caconfig",= \%cahash);
> + $file =3D "${General::swroot}/ca/$cahash{$key}[0]cert.pem";
> + } else {
> + $tmpl->param(ERRORMESSAGE =3D> $Lang::tr{'invalid key'});
> + }
> + }
> +
> + if (not "$file" eq "" && -f $file){
> + my $output =3D `/usr/bin/openssl x509 -text -in $file`;
> + $output =3D &Header::cleanhtml($output,"y");
> +
> +
> +
> + $tmpl->param(OUTPUT =3D> $output);
> +
> + # Some translated strings
> + if ($action eq "showRootCert") {
> + $tmpl->param(L_TITLE =3D> $Lang::tr{'root certificate'});
> + } elsif ($action eq "showHostCert"){
> + $tmpl->param(L_TITLE =3D> $Lang::tr{'host certificate'});
> + } elsif ($action eq "showCert"){
> + $tmpl->param(L_TITLE =3D> $Lang::tr{'cert'});
> + } elsif ($action eq "showCaCert"){
> + $tmpl->param(L_TITLE =3D> $Lang::tr{'ca certificate'});
> + }
> 
+
> + $tmpl->param(L_BACK =3D> $Lang::tr{'back'});
> + }
> +
> +} else {
> +
> + my $keys =3D join "\n", keys %cgiparams;
> + $tmpl->param(ERRORMESSAGE =3D> "Invalid Paramter: \n $keys");
> +}
> +
> +&Header::showhttpheaders();
> +&Header::openpage($Lang::tr{'ipsec'}, 1, '');
> +
> +# Print rendered template
> +print $tmpl->output();
> +
> +&Header::closepage();
> diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-ce= rt.html
> new file mode 100644
> index 000000000..43ec759f1
> --- /dev/null
> +++ b/html/html/templates/vpn-cert.html
> @@ -0,0 +1,14 @@
> +
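Review bot: `if (not "$file" eq "" && -f $file)` never filters anything, because `not` binds looser than `&&` and so negates `("$file" eq "" && -f $file)` as a whole, which is false both for an empty path and for a missing file; the branch should read `if ($file ne "" && -f $file) {` so openssl is not run against an empty or non-existent path. The two `is_valid_*_key` stubs return 1 for any input, so the request-supplied `KEY` selects `$confighash{$key}[1]` / `$cahash{$key}[0]` unchecked (a missing key interpolates undef into the path) and the resulting `$file` is then handed to a shell via backticks; the keys in these config files look like numeric ids, so a `\A\d+\z` check in the validators, an `exists $confighash{$key}` guard before building `$file`, and the list-form `open '-|'` shown below keep the request value out of path construction and away from any shell. `showHostCert` resolves to the same `ca/cacert.pem` as `showRootCert`, which looks like a copy-paste slip — confirm which file the host certificate is meant to come from. `use warnings` is left commented out; enabling it would at least have surfaced the uninitialized-value interpolation above. The runtime string `"Invalid Paramter: \n $keys"` also misspells "Parameter".
```perl
# … unchanged: strictures, requires, template setup …

# KEY selects an entry of vpn/config or vpn/caconfig; only the numeric-id
# form is accepted so the request value cannot shape the certificate path.
sub is_valid_cert_key {
    my ($key) = @_;
    return defined $key && $key =~ m{\A\d+\z};
}

sub is_valid_ca_cert_key {
    my ($key) = @_;
    return defined $key && $key =~ m{\A\d+\z};
}

# … unchanged: ACTION dispatch that builds $file (guard the lookups with
#   `exists $confighash{$key}` / `exists $cahash{$key}` before interpolating) …

    # `not` binds looser than `&&`, so the original test was always true.
    if ($file ne "" && -f $file) {
        # List-form open runs openssl without a shell, so $file is never
        # re-parsed as shell syntax.
        my $output = "";
        if (open my $ssl, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $file) {
            $output = do { local $/; <$ssl> };
            close $ssl;
        }
        $output = &Header::cleanhtml($output, "y");
        # … unchanged: template parameters and titles …
```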
> + > + > + > +

> +
> +            
> +        
> +
> +
> + > +
> + > +
> \ No newline at end of file > --=20 > 2.20.1 >=20 --===============4463218094977849437==--