Can revoke/generate server certiticate in admin interface

htdocs/index.php

@@ -61,12 +61,16 @@ if ($n && $p[0] == SALT_ADMIN)
           case "certificate/":
           case "certificate/newca":
           case "certificate/newca/":
+          case "certificate/newsrv":
+          case "certificate/newsrv/":
           case "certificate/newclient":
           case "certificate/newclient/":
           case "certificate/deleteca":
           case "certificate/deleteca/":
           case "certificate/revoke":
           case "certificate/revoke/":
+          case "certificate/revokesrv":
+          case "certificate/revokesrv/":
           case "certificate/get":
           case "certificate/get/":
             $page = require("admin/certificate.php");

misc/CA.sh

@@ -1,10 +1,12 @@
 #!/bin/sh
 
-if [[ -z "${TOP_DIR}" ]]; then
+cd $(dirname "$0")
+
+if [ -z "${TOP_DIR}" ]; then
     TOP_DIR=pki
 fi
 
-if [[ -z "${OPENSSL_CONF}" ]]; then
+if [ -z "${OPENSSL_CONF}" ]; then
     OPENSSL_CONF=openssl.cnf
 fi
 
@@ -16,24 +18,24 @@ DAYS=2
 
 if [ -z "$PS1" ]
 then
-    GREEN="<font color=green>"
-    RED="<font color=red>"
-    COLOR_RST="</font>"
-    BOLD="<strong>"
-    END_BOLD="</strong>"
-    ECHO_OPTS=""
-else
     GREEN="\033[1;32m"
     RED="\033[1;31m"
     COLOR_RST="\033[0m"
     BOLD=""
     END_BOLD=""
     ECHO_OPTS="-e"
+else
+    GREEN="<font color=green>"
+    RED="<font color=red>"
+    COLOR_RST="</font>"
+    BOLD="<strong>"
+    END_BOLD="</strong>"
+    ECHO_OPTS=""
 fi
 
 usage()
 {
-    echo "Usage: $0 (-newca|-newserver|-newclient NAME|-revoke NAME|-gencrl)"
+    echo "Usage: $0 (-newca|-newserver|-revokeserver|-newclient NAME|-revoke NAME|-gencrl)"
     exit 1
 }
 
@@ -71,7 +73,7 @@ OUTPUT=$(mktemp)
 case $1 in
     "-newca" )
         echo -n $ECHO_OPTS "${GREEN}Create the directories, take care this will delete"
-        echo $ECHO_OPTS "the old directories ${COLOR_RST}"
+        echo $ECHO_OPTS " the old directories ${COLOR_RST}"
 #        sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
 
         clean "ca"
@@ -161,7 +163,7 @@ case $1 in
             cat $OUTPUT
             exit 4
         fi
-        rm ${TOP_DIR}/server.crt ${TOP_DIR}/server.key
+        rm server.crt server.key
 
 	gen_crl
         ;;

onyx/include/admin/certificate.php

@@ -27,22 +27,19 @@ function new_client($name, $misc_dir)
   //TODO handle if already exist
   putenv("OPENSSL_CONF=$misc_dir/openssl.cnf");
   putenv("TOP_DIR=$misc_dir/pki");
-  $output = shell_exec("$misc_dir/CA.sh -newclient $name");
-  return $output;
+  return shell_exec("$misc_dir/CA.sh -newclient $name");
 }
 
 function revoke_client($name, $misc_dir)
 {
   putenv("OPENSSL_CONF=$misc_dir/openssl.cnf");
   putenv("TOP_DIR=$misc_dir/pki");
-  $output = shell_exec("$misc_dir/CA.sh -revoke $name");
+  return shell_exec("$misc_dir/CA.sh -revoke $name");
 }
 
 if (!empty($p[2]))
 {
-  if (isset($VAR['misc_dir']))
-    $misc_dir = $VAR['misc_dir'];
-  else
+  if (empty($VAR['misc_dir']))
   {
     erreur("Merci d'ajouter la variable misc_dir dans root.xml");
     return "admin/home";
@@ -54,7 +51,9 @@ if (!empty($p[2]))
   {
     putenv("OPENSSL_CONF=$misc_dir/openssl.cnf");
     putenv("TOP_DIR=$misc_dir/pki");
-    $output = shell_exec("$misc_dir/CA.sh -newca");
+    $template->assign("output",
+                      shell_exec("$misc_dir/CA.sh -newca"));
+    return "admin/shell";
   }
 
   elseif ($p[2] == "deleteca")
@@ -62,16 +61,38 @@ if (!empty($p[2]))
     $dir = "$misc_dir/pki";
     remove_directory($dir);
   }
+
+  elseif ($p[2] == "newsrv")
+  {
+    putenv("OPENSSL_CONF=$misc_dir/openssl.cnf");
+    putenv("TOP_DIR=$misc_dir/pki");
+    $template->assign("output",
+                      shell_exec("$misc_dir/CA.sh -newserver"));
+    return "admin/shell";
+  }
+
+  elseif ($p[2] == "revokesrv")
+  {
+    putenv("OPENSSL_CONF=$misc_dir/openssl.cnf");
+    putenv("TOP_DIR=$misc_dir/pki");
+    $template->assign("output",
+                      shell_exec("$misc_dir/CA.sh -revokeserver"));
+    return "admin/shell";
+  }
+
   elseif ($p[2] == "revoke")
   {
     $name = $_GET['name'];
     if (isset($name))
     {
-      $output = revoke_client($name, $misc_dir);
+      $template->assign("output",
+                        revoke_client($name, $misc_dir));
       //TODO Check revocation failed
       Team::set_revoked(TRUE, $name);
     }
+    return "admin/shell";
   }
+
   // Is new team
   elseif ($p[2] == "newclient")
   {
@@ -80,12 +101,13 @@ if (!empty($p[2]))
     //TODO check revoked attribute
     if (isset($name))
     {
-        $output = new_client($name, $misc_dir);
+        $template->assign("output",
+                          new_client($name, $misc_dir));
         Team::set_revoked(FALSE, $name);
-	erreur($output, "sucess");
-	return "admin/import_users";
+	return "admin/shell";
     }
   }
+
   elseif ($p[2] == "get")
   {
     $name = $_GET['name'];
@@ -95,14 +117,15 @@ if (!empty($p[2]))
         if (file_exists($path) && is_readable($path))
         {
             header("Content-Type: application/force-download");
-            header("Content-Length: ".strval(filesize($path)));
+            header("Content-Length: ".filesize($path));
             header("Content-Disposition: attachment; filename=\"$name.p12\"");
             readfile($path);
+            exit;
         }
     }
-    exit;
   }
 
+
   if ($p[2] == "deleteca" || $p[2] == "newca")
   {
     header("Location: /".SALT_ADMIN."/");
@@ -114,4 +137,3 @@ if (!empty($p[2]))
     exit;
   }
 }
-

onyx/include/admin/home.php

@@ -20,20 +20,26 @@ else
 if (is_writable($misc_dir) && !is_dir("$misc_dir/pki/"))
   mkdir("$misc_dir/pki/");
 
-$wright = is_writable("$misc_dir/pki/");
-$template->assign("cert_writable", $wright);
+$template->assign("cert_writable", is_writable("$misc_dir/pki/"));
 
 $ca_file = "$misc_dir/pki/cacert.crt";
-
 if (file_exists($ca_file))
 {
     if (!is_readable($ca_file))
         erreur("Impossible de lire le fichier");
     else
-    {
-        $data = openssl_x509_parse(file_get_contents(ONYX . '../misc/pki/cacert.crt'));
-        $template->assign("cert", $data);
-    }
+        $template->assign("cert_CA",
+                          openssl_x509_parse(file_get_contents($ca_file)));
+}
+
+$srv_file = "$misc_dir/server.crt";
+if (file_exists($srv_file))
+{
+    if (!is_readable($srv_file))
+        erreur("Impossible de lire le fichier");
+    else
+        $template->assign("cert_srv",
+                          openssl_x509_parse(file_get_contents($srv_file)));
 }
 
 return "admin/home";

onyx/tpl/bootstrap/admin/home.tpl

@@ -1,29 +1,55 @@
 {extends file="admin/layout.tpl"}
 
 {block name=content}
-<div class="panel panel-info">
-  <div class="panel-heading">
-    <h3 class="panel-title">Certificat racine</h3>
+<div class="row">
+  <div class="col-md-6">
+    <div class="panel panel-primary">
+      <div class="panel-heading">
+        <h3 class="panel-title">Certificat racine</h3>
+      </div>
+      <div class="panel-body">
+      {if isset($cert_CA)}
+        <ul>
+          {foreach from=$cert_CA.subject key=k item=crt}
+          <li><strong>[{$k}] :</strong> {$crt}</li>
+          {/foreach}
+        </ul>
+        <a href="/{$SALT_ADMIN}/certificate/deleteca" class="btn btn-danger"
+           onclick="return confirm('Êtes-vous sûr de vouloir supprimer ce certificat ?')">Supprimer</a>
+      {elseif ! $cert_writable}
+        <div class="alert alert-danger"><span class="glyphicon glyphicon-warning-sign"></span> Répertoire non accessible en écriture.</div>
+        <a href="/{$SALT_ADMIN}/certificate/newca" class="btn btn-primary" disabled="disabled">Nouveau</a>
+      {else}
+        Pas de certificat
+        <a href="/{$SALT_ADMIN}/certificate/newca" class="btn btn-primary">Nouveau</a>
+      {/if}
+      </div>
+    </div>
   </div>
-  <div class="panel-body">
-  {if isset($cert)}
-    <ul>
-      <li><strong>[C] :</strong> {$cert['subject']['C']}</li>
-      <li><strong>[ST] :</strong> {$cert['subject']['ST']}</li>
-      <li><strong>[O] :</strong> {$cert['subject']['O']}</li>
-      <li><strong>[OU] :</strong> {$cert['subject']['OU']}</li>
-      <li><strong>[CN] :</strong> {$cert['subject']['CN']}</li>
-      <li><strong>[emailAddress] :</strong> {$cert['subject']['emailAddress']}</li>
-    </ul>
-    <!--<a href="/{$SALT_ADMIN}/certificate/deleteca" class="btn btn-danger"
-       onclick="return confirm('Êtes-vous sûr de vouloir supprimer ce certificat ?')">Supprimer</a>-->
-  {elseif isset($cert_writable) && ! $cert_writable}
-    <div class="alert alert-danger"><span class="glyphicon glyphicon-warning-sign"></span> Répertoire non accessible en écriture.</div>
-    <!--<a href="/{$SALT_ADMIN}/certificate/newca" class="btn btn-primary" disabled="disabled">Nouveau</a>-->
-  {else}
-    Pas de certificat
-    <!--<a href="/{$SALT_ADMIN}/certificate/newca" class="btn btn-primary">Nouveau</a>-->
-  {/if}
+
+  <div class="col-md-6">
+    <div class="panel panel-info">
+      <div class="panel-heading">
+        <h3 class="panel-title">Certificat serveur</h3>
+      </div>
+      <div class="panel-body">
+      {if isset($cert_srv)}
+        <ul>
+          {foreach from=$cert_srv.subject key=k item=crt}
+          <li><strong>[{$k}] :</strong> {$crt}</li>
+          {/foreach}
+        </ul>
+        <a href="/{$SALT_ADMIN}/certificate/revokesrv" class="btn btn-danger"
+           onclick="return confirm('Êtes-vous sûr de vouloir supprimer ce certificat ?')">Supprimer</a>
+      {elseif ! $cert_writable}
+        <div class="alert alert-danger"><span class="glyphicon glyphicon-warning-sign"></span> Répertoire non accessible en écriture.</div>
+        <a href="/{$SALT_ADMIN}/certificate/newsrv" class="btn btn-primary" disabled="disabled">Nouveau</a>
+      {else}
+        Pas de certificat
+        <a href="/{$SALT_ADMIN}/certificate/newsrv" class="btn btn-primary">Nouveau</a>
+      {/if}
+      </div>
+    </div>
   </div>
 </div>
 

onyx/tpl/bootstrap/admin/shell.tpl

@@ -0,0 +1,7 @@
+{extends file="admin/layout.tpl"}
+
+{block name=content}
+<pre>
+{$output}
+</pre>
+{/block}