This page has the only usage to show a certificate of the ipsec vpn. It should decrease complexity of the vpnmain.cgi. This decrease might not be huge but at least there. This also should introduce usage of templates.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++ html/html/templates/vpn-cert.html | 14 ++++ 2 files changed, 146 insertions(+) create mode 100644 html/cgi-bin/vpn-show-cert.cgi create mode 100644 html/html/templates/vpn-cert.html
diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi new file mode 100644 index 000000000..4c3f99c5f --- /dev/null +++ b/html/cgi-bin/vpn-show-cert.cgi @@ -0,0 +1,132 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +use HTML::Entities(); +use HTML::Template; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +# Functions + +sub is_valid_cert_key { + my $key = $_[0]; + return 1; +} + +sub is_valid_ca_cert_key { + my $key = $_[0]; + return 1; +} + +my %color = (); +my %mainsettings = (); +my %cgiparams=(); +my %confighash=(); +my %cahash=(); + +# Initialize template +my $tmpl = HTML::Template->new( + filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html", + die_on_bad_params => 0 +); + + +# Read-in main settings, for language, theme and colors. +&General::readhash("${General::swroot}/main/settings", %mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); + + +#Get GUI values +&Header::getcgihash(%cgiparams); + + +if (($cgiparams{'ACTION'} eq "showCert" || + $cgiparams{'ACTION'} eq "showCaCert" || + $cgiparams{'ACTION'} eq "showRootCert" || + $cgiparams{'ACTION'} eq "showHostCert" )) { + + my $action = $cgiparams{'ACTION'}; + my $file = ""; + + if ($action eq "showRootCert"){ + $file = "${General::swroot}/ca/cacert.pem"; + } elsif ($action eq "showHostCert"){ + $file = "${General::swroot}/ca/cacert.pem"; + } elsif ($action eq "showCert" ){ + my $key = $cgiparams{'KEY'}; + if (is_valid_cert_key($key)){ + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + $file = "${General::swroot}/certs/$confighash{$key}[1]cert.pem"; + } else { + $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'}); + } + } elsif ($action eq "showCaCert"){ + my $key = $cgiparams{'KEY'}; + if (is_valid_ca_cert_key($key)){ + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + $file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem"; + } else { + $tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'}); + } + } + + if (not "$file" eq "" && -f $file){ + my $output = `/usr/bin/openssl x509 -text -in $file`; + $output = &Header::cleanhtml($output,"y"); + + + + $tmpl->param(OUTPUT => $output); + + # Some translated strings + if ($action eq "showRootCert") { + $tmpl->param(L_TITLE => $Lang::tr{'root certificate'}); + } elsif ($action eq "showHostCert"){ + $tmpl->param(L_TITLE => $Lang::tr{'host certificate'}); + } elsif ($action eq "showCert"){ + $tmpl->param(L_TITLE => $Lang::tr{'cert'}); + } elsif ($action eq "showCaCert"){ + $tmpl->param(L_TITLE => $Lang::tr{'ca certificate'}); + } + + $tmpl->param(L_BACK => $Lang::tr{'back'}); + } + +} else { + + my $keys = join "\n", keys %cgiparams; + $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys"); +} + +&Header::showhttpheaders(); +&Header::openpage($Lang::tr{'ipsec'}, 1, ''); + +# Print rendered template +print $tmpl->output(); + +&Header::closepage(); diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html new file mode 100644 index 000000000..43ec759f1 --- /dev/null +++ b/html/html/templates/vpn-cert.html @@ -0,0 +1,14 @@ +<div class="post"> + <TMPL_IF NAME="ERRORMESSAGE"> + <TMPL_VAR NAME="ERRORMESSAGE"> + <TMPL_ELSE> + <h2><TMPL_VAR NAME="L_TITLE"></h2> + <pre> + <TMPL_VAR NAME="OUTPUT"> + </pre> + </TMPL_IF> +</div> + +<div align="center"> + <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a> +</div> \ No newline at end of file
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- html/cgi-bin/vpnmain.cgi | 81 ++++------------------------------------ 1 file changed, 8 insertions(+), 73 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index db442e111..55993e852 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -638,28 +638,6 @@ END
UPLOADCA_ERROR:
-### -### Display ca certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Export ca certificate to browser @@ -759,29 +737,6 @@ END $errormessage = $Lang::tr{'invalid key'}; }
-### -### Display root certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || - $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { - &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; - } else { - &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; - } - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0);
### ### Export root certificate to browser @@ -1178,26 +1133,6 @@ END print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; exit (0);
-### -### Display certificate -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - }
### ### Export Certificate to browser @@ -3047,9 +2982,9 @@ END if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { print <<END <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <form method='post' action='/cgi-bin/vpn-show-cert.cgi'> <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' /> + <input type='hidden' name='ACTION' value='showCert' /> <input type='hidden' name='KEY' value='$key' /> </form> </td> @@ -3173,8 +3108,8 @@ EOF <td class='base' $col1>$Lang::tr{'root certificate'}</td> <td class='base' $col1>$casubject</td> <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> + <form method='post' action='/cgi-bin/vpn-show-cert.cgi'> + <input type='hidden' name='ACTION' value='showRootCert' /> <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> </form> </td> @@ -3206,8 +3141,8 @@ END <td class='base' $col2>$Lang::tr{'host certificate'}</td> <td class='base' $col2>$hostsubject</td> <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> + <form method='post' action='/cgi-bin/vpn-show-cert.cgi'> + <input type='hidden' name='ACTION' value='showHostCert' /> <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> </form> </td> @@ -3245,9 +3180,9 @@ END print "<td class='base' $col>$cahash{$key}[1]</td>\n"; print <<END <td align='center' $col> - <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> + <form method='post' name='cafrm${key}a' action='/cgi-bin/vpn-show-cert.cgi'> <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='ACTION' value='showCaCert' /> <input type='hidden' name='KEY' value='$key' /> </form> </td>
I like this idea. One thing I’d like to mention while the idea is being discussed is that Windows allows stronger encryption if ECDSA certificates are used for RW connections.
For this reason, it would be nice if IPSec could use ECDSA.
Tom
On Feb 18, 2021, at 11:24 AM, Jonatan Schlag jonatan.schlag@ipfire.org wrote:
This page has the only usage to show a certificate of the ipsec vpn. It should decrease complexity of the vpnmain.cgi. This decrease might not be huge but at least there. This also should introduce usage of templates.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
html/cgi-bin/vpn-show-cert.cgi | 132 ++++++++++++++++++++++++++++++ html/html/templates/vpn-cert.html | 14 ++++ 2 files changed, 146 insertions(+) create mode 100644 html/cgi-bin/vpn-show-cert.cgi create mode 100644 html/html/templates/vpn-cert.html
diff --git a/html/cgi-bin/vpn-show-cert.cgi b/html/cgi-bin/vpn-show-cert.cgi new file mode 100644 index 000000000..4c3f99c5f --- /dev/null +++ b/html/cgi-bin/vpn-show-cert.cgi @@ -0,0 +1,132 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +###############################################################################
+use strict; +use HTML::Entities(); +use HTML::Template;
+# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser';
+require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl";
+# Functions
+sub is_valid_cert_key {
- my $key = $_[0];
- return 1;
+}
+sub is_valid_ca_cert_key {
- my $key = $_[0];
- return 1;
+}
+my %color = (); +my %mainsettings = (); +my %cgiparams=(); +my %confighash=(); +my %cahash=();
+# Initialize template +my $tmpl = HTML::Template->new(
- filename => "/srv/web/ipfire/html/html/templates/vpn-cert.html",
- die_on_bad_params => 0
+);
+# Read-in main settings, for language, theme and colors. +&General::readhash("${General::swroot}/main/settings", %mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color);
+#Get GUI values +&Header::getcgihash(%cgiparams);
+if (($cgiparams{'ACTION'} eq "showCert" ||
- $cgiparams{'ACTION'} eq "showCaCert" ||
- $cgiparams{'ACTION'} eq "showRootCert" ||
- $cgiparams{'ACTION'} eq "showHostCert" )) {
my $action = $cgiparams{'ACTION'};my $file = "";if ($action eq "showRootCert"){$file = "${General::swroot}/ca/cacert.pem";} elsif ($action eq "showHostCert"){$file = "${General::swroot}/ca/cacert.pem";} elsif ($action eq "showCert" ){my $key = $cgiparams{'KEY'};if (is_valid_cert_key($key)){&General::readhasharray("${General::swroot}/vpn/config", \%confighash);$file = "${General::swroot}/certs/$confighash{$key}[1]cert.pem";} else {$tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});}} elsif ($action eq "showCaCert"){my $key = $cgiparams{'KEY'};if (is_valid_ca_cert_key($key)){&General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);$file = "${General::swroot}/ca/$cahash{$key}[0]cert.pem";} else {$tmpl->param(ERRORMESSAGE => $Lang::tr{'invalid key'});}}if (not "$file" eq "" && -f $file){my $output = `/usr/bin/openssl x509 -text -in $file`;$output = &Header::cleanhtml($output,"y");$tmpl->param(OUTPUT => $output);# Some translated stringsif ($action eq "showRootCert") {$tmpl->param(L_TITLE => $Lang::tr{'root certificate'});} elsif ($action eq "showHostCert"){$tmpl->param(L_TITLE => $Lang::tr{'host certificate'});} elsif ($action eq "showCert"){$tmpl->param(L_TITLE => $Lang::tr{'cert'});} elsif ($action eq "showCaCert"){$tmpl->param(L_TITLE => $Lang::tr{'ca certificate'});}$tmpl->param(L_BACK => $Lang::tr{'back'});}+} else {
- my $keys = join "\n", keys %cgiparams;
- $tmpl->param(ERRORMESSAGE => "Invalid Paramter: \n $keys");
+}
+&Header::showhttpheaders(); +&Header::openpage($Lang::tr{'ipsec'}, 1, '');
+# Print rendered template +print $tmpl->output();
+&Header::closepage(); diff --git a/html/html/templates/vpn-cert.html b/html/html/templates/vpn-cert.html new file mode 100644 index 000000000..43ec759f1 --- /dev/null +++ b/html/html/templates/vpn-cert.html @@ -0,0 +1,14 @@ +<div class="post">
<TMPL_IF NAME="ERRORMESSAGE">
<TMPL_VAR NAME="ERRORMESSAGE"><TMPL_ELSE>
<h2><TMPL_VAR NAME="L_TITLE"></h2>
<pre><TMPL_VAR NAME="OUTPUT"></pre></TMPL_IF>
+</div>
+<div align="center">
- <a href="/cgi-bin/vpnmain.cgi"><TMPL_VAR NAME="L_BACK"></a>
+</div> \ No newline at end of file -- 2.20.1
-
Jonatan Schlag -
Tom Rymes