From: Michael Tremer Date: Thu, 11 Apr 2024 19:02:33 +0000 (+0200) Subject: ovpnmain.cgi: Include the PKCS12 certificate on config export X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2475d6fb99c0f8ce3fa70769d949aecd100a79f2;p=people%2Fms%2Fipfire-2.x.git ovpnmain.cgi: Include the PKCS12 certificate on config export Before, OpenVPN did not support PKCS12 files in an embedded format. We extracted the key and the certificate in PEM format instead. This is no longer necessary and therefore we can simply include the file. Signed-off-by: Michael Tremer --- diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b469fa53f..497ce846c 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2345,6 +2345,8 @@ END # RW } else { + my $name = $confighash{$cgiparams{'KEY'}}[1]; + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip"; my $zippathname = "$zippath$zipname"; $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; @@ -2371,48 +2373,6 @@ END if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { if ($cgiparams{'MODE'} eq 'insecure') { $include_certs = 1; - - # Add the CA - print CLIENTCONF ";ca cacert.pem\r\n"; - $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - - # Extract the certificate - # This system call is safe, because all arguments are passed as an array. - if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } else { - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } - - $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; - print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; - - # Extract the key - # This system call is safe, because all arguments are passed as an array. - if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } else { - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } - - $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; - print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; } else { print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; @@ -2489,24 +2449,11 @@ END print CLIENTCONF "\r\n\r\n"; close(FILE); - # Cert - open(FILE, "<$file_crt"); - print CLIENTCONF "\r\n"; - while () { - chomp($_); - print CLIENTCONF "$_\r\n"; - } - print CLIENTCONF "\r\n\r\n"; - close(FILE); - - # Key - open(FILE, "<$file_key"); - print CLIENTCONF "\r\n"; - while () { - chomp($_); - print CLIENTCONF "$_\r\n"; - } - print CLIENTCONF "\r\n\r\n"; + # PKCS12 + open(FILE, "<${General::swroot}/ovpn/certs/${name}.p12"); + print CLIENTCONF "\r\n"; + print CLIENTCONF &MIME::Base64::encode_base64(do { local $/; }); + print CLIENTCONF "\r\n\r\n"; close(FILE); # TLS auth @@ -2522,6 +2469,8 @@ END } } + close(CLIENTCONF); + $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; my $status = $zip->writeToFileNamed($zippathname);