net/freeradius: cert write for EAP, mostly @mimugmail

2026-05-28 04:34:15 -04:00 · 2017-10-20 15:48:13 +00:00 · 2017-10-20 15:48:13 +00:00 · 9c363e6ebe
commit 9c363e6ebe
parent 9bb63e966e
4 changed files with 37 additions and 80 deletions
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@ -35,6 +35,12 @@ require_once("legacy_bindings.inc");

 use OPNsense\Core\Config;

+$cert_pem_filename = '/usr/local/etc/raddb/certs/cert_opn.pem';
+$cert_pem_content = '';
+
+$ca_pem_filename = '/usr/local/etc/raddb/certs/ca_opn.pem';
+$ca_pem_content = '';
+
 // traverse Freeradius plugin for certficiates
 $configObj = Config::getInstance()->object();
 if (isset($configObj->OPNsense->freeradius)) {
@ -58,21 +64,39 @@ if (isset($configObj->OPNsense->freeradius)) {
                        str_replace("\r", "", base64_decode((string)$cert->prv))
                    ));
                    $pem_content .= "\n";
-                    $output_pem_filename = "/usr/local/etc/raddb/certs/cert_" . $cert_refid . ".pem";
-                    file_put_contents($output_pem_filename, $pem_content);
-                    chmod($output_pem_filename, 0600);
-                    echo "certificate generated " .$output_pem_filename . "\n";
+                    $cert_pem_content .= $pem_content;
                    // generate ca pem file
                    if (!empty($cert->caref)) {
-                        $output_pem_filename = "/usr/local/etc/raddb/certs/ca_" . $cert_refid . ".pem";
                        $cert = (array)$cert;
-                        $ca = ca_chain($cert);
-                        file_put_contents($output_pem_filename, $ca);
-                        chmod($output_pem_filename, 0600);
-                        echo "certificate generated " .$output_pem_filename  ."\n";
+                        $ca_pem_content .= ca_chain($cert);
                    }
                }
            }
        }
+
+        $cert_refid = (string)$find_cert->crl;
+        // if eap has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->crl as $crl) {
+                if ($cert_refid == (string)$crl->refid && !empty((string)$crl->text)) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$crl->text)
+                    )));
+                    $pem_content .= "\n";
+                    $ca_pem_content .= $pem_content;
+                }
+            }
+        }
    }
 }
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($ca_pem_filename, $ca_pem_content);
+chmod($ca_pem_filename, 0600);
+echo "Certificates generated $ca_pem_filename\n";
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_crl.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_crl.php
@ -1,63 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- *    Copyright (C) 2015 Deciso B.V.
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- */
-
-// use legacy code to generate certs and ca's
-// eventually we need to replace this.
-require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
-
-use OPNsense\Core\Config;
-
-// traverse Freeradius plugin for certficiates
-$configObj = Config::getInstance()->object();
-if (isset($configObj->OPNsense->freeradius)) {
-    foreach ($configObj->OPNsense->freeradius->children() as $find_cert) {
-        $cert_refid = (string)$find_cert->crl;
-        // if eap has a certificate attached, search for its contents
-        if ($cert_refid != "") {
-            foreach ($configObj->crl as $crl) {
-                if ($cert_refid == (string)$crl->refid) {
-                    // generate cert pem file
-                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
-                        "\r",
-                        "",
-                        base64_decode((string)$crl->text)
-                    )));
-
-                    $pem_content .= "\n";
-                    $output_pem_filename = "/usr/local/etc/raddb/certs/crl.pem";
-                    file_put_contents($output_pem_filename, $pem_content);
-                    chmod($output_pem_filename, 0600);
-                    echo "certificate generated " .$output_pem_filename . "\n";
-                }
-            }
-        }
-    }
-}
--- a/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
@ -16,8 +16,4 @@ for FILE in ${RADIUS_FILES}; do
 	chmod 700 ${FILE}
 done

-# clear old certificates and export new ones
-rm -f /usr/local/etc/raddb/certs/ca_*.pem
-rm -f /usr/local/etc/raddb/certs/cert_*.pem
-/usr/local/opnsense/scripts/Freeradius/generate_certs.php > /dev/null 2>&1
-/usr/local/opnsense/scripts/Freeradius/generate_crl.php > /dev/null 2>&1
+/usr/local/opnsense/scripts/Freeradius/generate_certs.php
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@ -177,8 +177,8 @@ eap {
 {% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
 {%   if helpers.exists('OPNsense.freeradius.eap.certificate') and OPNsense.freeradius.eap.certificate != '' %}
                private_key_password =
-                private_key_file = ${certdir}/cert_{{ OPNsense.freeradius.eap.certificate }}.pem
-                certificate_file = ${certdir}/cert_{{ OPNsense.freeradius.eap.certificate }}.pem
+                private_key_file = ${certdir}/cert_opn.pem
+                certificate_file = ${certdir}/cert_opn.pem
 {%   else %}
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
@ -205,7 +205,7 @@ eap {
                #  *one* CA certificate.
                #
 {%   if helpers.exists('OPNsense.freeradius.eap.ca') and OPNsense.freeradius.eap.ca != '' %}
-                ca_file = ${certdir}/ca_{{ OPNsense.freeradius.eap.certificate }}.pem
+                ca_file = ${certdir}/ca_opn.pem
 {%   else %}
                ca_file = ${cadir}/ca.pem
 {%   endif %}