Index: /branches/rel_avx_2_7_5/src/webui/webui.c
===================================================================
--- /branches/rel_avx_2_7_5/src/webui/webui.c	(revision 9155)
+++ /branches/rel_avx_2_7_5/src/webui/webui.c	(working copy)
@@ -40,6 +40,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
+#include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/objects.h>
@@ -70,6 +71,10 @@
 #define true 0
 #define false -1
 
+/* Global variables for password storage */
+static char global_passphrase[256] = {0};
+static char global_pfx_pass[256] = {0};
+
 static char * http_fastcgi_req_msg[] = {
 	"REQUEST_METHOD:GET;SERVER_NAME:localhost;SERVER_PORT:3033;SERVER_PROTOCOL:HTTP/1.1;PATH_INFO:/webui_on;REQUEST_URI:/webui_on/;",
 	"REQUEST_METHOD:GET;SERVER_NAME:localhost;SERVER_PORT:3033;SERVER_PROTOCOL:HTTP/1.1;PATH_INFO:/webui_off;REQUEST_URI:/webui_off/;",
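Review bot: Nothing in this commit clears global_passphrase or global_pfx_pass once the import is done, so both secrets stay in process memory for the lifetime of the daemon and in any core dump. Since the file already includes the OpenSSL headers, `OPENSSL_cleanse(global_passphrase, sizeof(global_passphrase));` and the same for global_pfx_pass after check_format returns would bound their lifetime (plain memset before the buffers go out of use may be optimized away). The comment on L17 could also say who writes and who reads them, e.g. `/* Filled from stdin by the import commands, read by key_passwd_cb / check_format; cleared after import. */`.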
@@ -174,6 +179,9 @@
 static int webui_ssl_write_config(char *buff, int *p_len);
 static webui_app_config_t* userland_app_config_attach(void);
 static int show_ssl_cert(char *crtfile);
+static int key_passwd_cb(char *buf, int size, int rwflag, void *u);
+static int check_format(const char *file, int type);
+static int is_pfx_format(const char *file);
 unsigned long long asn1time2time(ASN1_TIME *a, int *err);
 
 /* for restapi */
@@ -1141,6 +1149,50 @@
 	return ERR_WEBUI_OK;
 }
 
+/*
+ * Password callback function for encrypted private keys
+ * This function is called by OpenSSL when it encounters an encrypted private key
+ */
+static int
+key_passwd_cb(char *buf, int size, int rwflag, void *u)
+{
+	if (strlen(global_passphrase) == 0) {
+		printf("Private key with passphrase is not supported.\n");
+		return 0;  // Return 0 to indicate failure if no password provided
+	}
+
+	int len = strlen(global_passphrase);
+	if (len >= size) {
+		len = size - 1;
+	}
+
+	memcpy(buf, global_passphrase, len);
+	buf[len] = '\0';
+	return len;
+}
+
+/*
+ * Check if a file is in PFX format
+ */
+static int
+is_pfx_format(const char *file)
+{
+	FILE *fp;
+	unsigned char header[4];
+
+	fp = fopen(file, "rb");
+	if (!fp) return 0;
+
+	if (fread(header, 1, 4, fp) != 4) {
+		fclose(fp);
+		return 0;
+	}
+	fclose(fp);
+
+	// PFX files usually start with 0x30
+	return (header[0] == 0x30);
+}
+
 char* write_webui_twofactor_user()
 {
 	int i, len = 0;
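Review bot: `header[0] == 0x30` on L79 matches any DER SEQUENCE, so a DER-encoded X.509 certificate is also classified as PFX and the caller returns -1 from the d2i_PKCS12_fp failure instead of reaching the existing BIO path; if DER certificates were accepted before, that is a regression. A safer shape is to decode with d2i_PKCS12_fp inside is_pfx_format and return 1 only when it succeeds, or to have the caller fall through to the PEM/DER path when the PKCS#12 decode fails. The read of four bytes is also misleading when only one is inspected; `unsigned char header[1]` with `fread(header, 1, 1, fp) != 1` says what is actually checked. In key_passwd_cb, the comment on L47 could note why 0 is the right failure value: OpenSSL's PEM reader treats a non-positive returned length as a bad password read.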
@@ -2227,15 +2279,6 @@
 	return cert_type;
 }
 
-/*
- * get password from the user from our ca-shell.
- */
-static int
-key_passwd_cb(char *buf, int size, int rwflag, void *u)
-{
-	printf("Private key with passphrase is not supported.\n");
-	return -1;
-}
 
 static int
 check_format(const char *file, int type)
@@ -2243,10 +2286,140 @@
 	BIO *in = NULL;
 	X509 *x = NULL;
 	EVP_PKEY *pkey = NULL;
+	PKCS12 *p12 = NULL;
 	int cert_type, ret = -1;
 
 	webui_app_config_t* config_p = userland_app_config_attach();
 
+	// Check for PFX format first
+	if (is_pfx_format(file)) {
+		FILE *fp = fopen(file, "rb");
+		if (!fp) {
+			printf("File download failed or invalid certificate format!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			return -1;
+		}
+
+		p12 = d2i_PKCS12_fp(fp, NULL);
+		fclose(fp);
+		if (!p12) {
+			printf("File download failed or invalid certificate format!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			return -1;
+		}
+
+		// Use PFX password to parse PKCS12
+		if (!PKCS12_parse(p12, global_pfx_pass, &pkey, &x, NULL)) {
+			PKCS12_free(p12);
+			printf("Invalid PFX password or corrupted PFX file!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			return -1;
+		}
+
+		// For CLIENTCA type, verify it's a CA certificate
+		if (type == WEBUI_SSL_TYPE_CLIENTCA) {
+			cert_type = webui_get_cert_type(x);
+			if (cert_type != EVP_PKEY_RSA && cert_type != EVP_PKEY_EC) {
+				printf("Failed to import the WebUI SSL clientca Certificate because it is not an RSA or ECC certificate.\n");
+				goto pfx_error;
+			}
+
+			X509_check_purpose(x, -1, 0);
+			/* keyUsage if present should allow cert signing */
+			if ((x->ex_flags & EXFLAG_KUSAGE) &&
+			    !(x->ex_kusage & KU_KEY_CERT_SIGN)) {
+				ret = ERR_WEBUI_NOT_CA_CERT;
+				goto pfx_error;
+			}
+
+			/* check nsCertType if present */
+			if((x->ex_flags & EXFLAG_NSCERT) &&
+			   !(x->ex_nscert & NS_SSL_CA)) {
+				ret = ERR_WEBUI_NOT_CA_CERT;
+				goto pfx_error;
+			}
+
+			/* If basicConstraints says not a CA then say so */
+			if(x->ex_flags & EXFLAG_BCONS) {
+				if(!(x->ex_flags & EXFLAG_CA)) {
+					ret = ERR_WEBUI_NOT_CA_CERT;
+					goto pfx_error;
+				}
+			}
+
+			// Cleanup and return success for CA cert
+			X509_free(x);
+			EVP_PKEY_free(pkey);
+			PKCS12_free(p12);
+			return 0;
+		}
+
+		// For server cert, verify private key and certificate match
+		if (!X509_check_private_key(x, pkey)) {
+			printf("Private key and public key do not match.\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			goto pfx_error;
+		}
+
+		// Check certificate and ciphersuite matched
+		cert_type = pkey->type;
+		if (cert_type == EVP_PKEY_RSA) {
+			if (!ssl_rsa_cipher_exist(config_p->ssl_cipherlist)) {
+				printf("The certificate and current cipher suites do not match. Please import an ECC certificate or change the cipher suites.\n");
+				ret = ERR_WEBUI_CIPHER_CERT_NOT_MATCH;
+				goto pfx_error;
+			}
+		} else if (cert_type == EVP_PKEY_EC) {
+			if (!ssl_ecc_cipher_exist(config_p->ssl_cipherlist)) {
+				printf("The certificate and current cipher suites do not match. Please import an RSA certificate or change the cipher suites.\n");
+				ret = ERR_WEBUI_CIPHER_CERT_NOT_MATCH;
+				goto pfx_error;
+			}
+		} else {
+			printf("Unsupported certificate type!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			ret = ERR_WEBUI_CIPHER_CERT_NOT_MATCH;
+			goto pfx_error;
+		}
+		// Convert PFX to PEM format and write to file
+		FILE *pemfp = fopen(file, "w");
+		if (!pemfp) {
+			printf("Failed to write certificate file!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			goto pfx_error;
+		}
+
+		// Write certificate in PEM format
+		if (!PEM_write_X509(pemfp, x)) {
+			fclose(pemfp);
+			printf("Failed to write certificate!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			goto pfx_error;
+		}
+
+		// Write private key in PEM format (unencrypted for WebUI use)
+		if (!PEM_write_PrivateKey(pemfp, pkey, NULL, NULL, 0, NULL, NULL)) {
+			fclose(pemfp);
+			printf("Failed to write private key!\n");
+			printf("WebUI SSL certificate import failed. Please try again!\n");
+			goto pfx_error;
+		}
+
+		fclose(pemfp);
+
+		// Cleanup and return success
+		X509_free(x);
+		EVP_PKEY_free(pkey);
+		PKCS12_free(p12);
+		return 0;
+
+	pfx_error:
+		if (x) X509_free(x);
+		if (pkey) EVP_PKEY_free(pkey);
+		PKCS12_free(p12);
+		return ret;
+	}
+
 	in = BIO_new(BIO_s_file());
 	if (NULL == in) {
 		printf("File download failed or invalid certificate format!\n");
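Review bot: After PKCS12_parse succeeds on L128 neither x nor pkey is checked for NULL, but a PKCS#12 container without a certificate or without a key leaves them NULL, and webui_get_cert_type(x) on L137, X509_check_private_key(x, pkey) on L174 and `pkey->type` on L181 then dereference NULL. Add `if (!x) goto pfx_error;` right after the parse, and `if (!pkey) { printf("No private key found in the PFX file!\n"); goto pfx_error; }` before the X509_check_private_key call, since the CLIENTCA branch may legitimately carry no key. The `fclose(pemfp)` on L224 is also unchecked although it is the call that flushes the PEM data; `if (fclose(pemfp) != 0) { printf("Failed to write certificate file!\n"); goto pfx_error; }` avoids reporting success on a truncated file. check_format's signature is in the previous hunk and its body continues past this one.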
@@ -2359,10 +2532,41 @@
  	}
 
 	BIO_free(in);
+	in = NULL;
+
+	/*
+	 * Re-write the PEM file with unencrypted private key
+	 * This ensures WebUI can start without requiring password input
+	 * (Same approach as PFX handling)
+	 */
+	FILE *pemfp = fopen(file, "w");
+	if (!pemfp) {
+		printf("Failed to write certificate file!\n");
+		printf("WebUI SSL certificate import failed. Please try again!\n");
+		goto error;
+	}
+
+	/* Write certificate in PEM format */
+	if (!PEM_write_X509(pemfp, x)) {
+		fclose(pemfp);
+		printf("Failed to write certificate!\n");
+		printf("WebUI SSL certificate import failed. Please try again!\n");
+		goto error;
+	}
+
+	/* Write private key in PEM format (unencrypted for WebUI use) */
+	/* NULL cipher = no encryption, allows WebUI to auto-start */
+	if (!PEM_write_PrivateKey(pemfp, pkey, NULL, NULL, 0, NULL, NULL)) {
+		fclose(pemfp);
+		printf("Failed to write private key!\n");
+		printf("WebUI SSL certificate import failed. Please try again!\n");
+		goto error;
+	}
+
+	fclose(pemfp);
 	X509_free(x);
 	EVP_PKEY_free(pkey);
 
-
 	return 0;
 
 error:
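Review bot: The `fclose(pemfp)` on L277 is unchecked, yet it is the call that flushes the certificate and key to disk: a failed flush leaves a truncated file while check_format still returns 0 and the import is reported as successful. Use `if (fclose(pemfp) != 0) { printf("Failed to write certificate file!\n"); goto error; }` here (the PFX block earlier in this function has the same pattern). The rewritten file now holds the private key unencrypted; `fopen(file, "w")` truncates in place and keeps whatever mode the downloaded file was created with, so it is worth confirming that mode is restrictive. The function's signature and the `error:` cleanup are outside this hunk.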
@@ -2384,6 +2588,9 @@
 {
 	char    buff, tbuf[6];
 	int done, amm, flag,i;
+	char pass_buffer[256] = {0};
+	int reading_passphrase = 0;
+	int password_len = 0;
 
 	done = 0;
 	buff = '\0';
@@ -2410,12 +2617,32 @@
 				tbuf[i+1] = '\0';
 				i++;
 				if(i==3){
-					if(strcmp(tbuf,"...\n")){
+					// Note: tbuf contains "..\n" (2 dots + newline) because
+					// first dot is overwritten in the loop
+					if(strcmp(tbuf,"..\n") == 0){
 						flag=1;
-						done=1;
+						// Prompt for private key passphrase (only for CLI)
+						if (cli_need_challenge()) {
+							printf("Enter private key passphrase (press Enter if not encrypted): ");
+							fflush(stdout);
+						}
+						// Manual input only supports PEM, no PFX password needed
+						global_pfx_pass[0] = '\0';
+						reading_passphrase = 1;
 					}
 				}
 			}
+		} else if (reading_passphrase && buff != '\n') {
+			// Read passphrase
+			if (password_len < 255) {
+				pass_buffer[password_len++] = buff;
+			}
+		} else if (reading_passphrase && buff == '\n') {
+			// End of passphrase input
+			pass_buffer[password_len] = '\0';
+			strncpy(global_passphrase, pass_buffer, sizeof(global_passphrase) - 1);
+			global_passphrase[sizeof(global_passphrase) - 1] = '\0';
+			done = 1;
 		} else{
 			write(fd,&buff,(unsigned int)amm);
 		}
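Review bot: The passphrase is committed to global_passphrase only when a '\n' arrives (L321); if the input ends right after the passphrase with no trailing newline, `done` is never set and global_passphrase stays empty, so the later key load fails with the "not supported" message. The loop's read and EOF handling is above this hunk, so confirm it copes with that case. Also, once reading_passphrase is set the bytes still go through the preceding ellipsis-detection branch, whose condition is outside the hunk, before reaching L316; a passphrase containing '.' may be consumed there rather than by the passphrase branch, which is worth checking. The local pass_buffer keeps a second plaintext copy on the stack after the strncpy on L324; `OPENSSL_cleanse(pass_buffer, sizeof(pass_buffer));` once it is copied would remove it.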
@@ -2580,7 +2807,7 @@
 	switch (proto) {
 	case 1:
 	{
-		char * file_dir = (char *)(url+6);
+		char * file_dir = (char *)(url+7);  // Skip "file://" (7 characters)
 		if (access(file_dir, F_OK) == 0) {
 			/* Bug 23370, chenyl, 20090810 */
 			snprintf(syscmd, MAX_SSL_CRT_COM_LEN, "mv -f \"%s\" \"%s\"", file_dir, outfile);
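Review bot: The `7` on L335 is the length of the "file://" prefix that must have been matched elsewhere, and the two can drift apart; `char *file_dir = (char *)(url + sizeof("file://") - 1);` expresses the same offset without a magic number. The enclosing switch continues outside the hunk.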
@@ -2678,7 +2905,9 @@
 			return ERR_WEBUI_INVALID_ARG;
 		}
 		/* imput from console */
-		printf("Please enter the WebUI SSL certificate in PEM format. \nUse ellipsis (...) in the final line to finish the input.\n");
+		printf("Please enter the WebUI SSL certificate in PEM format.\n");
+		printf("Include certificate and private key (encrypted keys are supported).\n");
+		printf("Use ellipsis (...) on a new line to finish the input.\n");
 		fflush(stdout);
 		
 		ssl_import_via_stdin(certfd);
@@ -2688,6 +2917,57 @@
 			unlink(tmp_crtfile);
 			return ERR_WEBUI_INVALID_ARG;
 		}
+		// After downloading file from URL, read passwords from stdin
+		// First password: PFX password
+		char pfx_buffer[256] = {0};
+		char password_char;
+		int password_len = 0;
+
+		// Prompt for PFX password (only shown in interactive CLI mode)
+		if (cli_need_challenge()) {
+			printf("Enter PFX file password (press Enter to skip): ");
+			fflush(stdout);
+		}
+
+		// Read PFX password until newline
+		while (password_len < 255) {
+			if (read(STDIN_FILENO, &password_char, 1) <= 0) {
+				break;
+			}
+			if (password_char == '\n') {
+				break;
+			}
+			pfx_buffer[password_len++] = password_char;
+		}
+		pfx_buffer[password_len] = '\0';
+
+		// Second password: Private key passphrase
+		char pass_buffer[256] = {0};
+		password_len = 0;
+
+		// Prompt for private key passphrase (only shown in interactive CLI mode)
+		if (cli_need_challenge()) {
+			printf("Enter private key passphrase (press Enter to skip): ");
+			fflush(stdout);
+		}
+
+		// Read passphrase until newline
+		while (password_len < 255) {
+			if (read(STDIN_FILENO, &password_char, 1) <= 0) {
+				break;
+			}
+			if (password_char == '\n') {
+				break;
+			}
+			pass_buffer[password_len++] = password_char;
+		}
+		pass_buffer[password_len] = '\0';
+
+		// Set global password variables separately
+		strncpy(global_pfx_pass, pfx_buffer, sizeof(global_pfx_pass) - 1);
+		global_pfx_pass[sizeof(global_pfx_pass) - 1] = '\0';
+		strncpy(global_passphrase, pass_buffer, sizeof(global_passphrase) - 1);
+		global_passphrase[sizeof(global_passphrase) - 1] = '\0';
 	}
 
 	if (check_format(tmp_crtfile, WEBUI_SSL_TYPE_CERT) != 0) {
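Review bot: The two byte-wise stdin read loops on L367-L376 and L389-L398 are identical, and each result is copied into a local buffer and then again into the global, so every secret exists in two plaintext copies; reading straight into global_pfx_pass and global_passphrase through one small static helper removes the duplication and one copy of each. Separately, when cli_need_challenge() is true the prompt suggests a terminal is attached, and read(2) on a terminal leaves echo on, so the typed password is presumably visible; wrapping the read in tcgetattr/tcsetattr with ECHO cleared (or using getpass(3)) would avoid that, which I have not verified against how the CLI drives stdin. The enclosing function continues outside the hunk.
```c
/* Read one line from stdin into buf (cap > 0); the newline is consumed but not stored. */
static int
read_stdin_line(char *buf, size_t cap)
{
	size_t len = 0;
	char c;

	while (len + 1 < cap) {
		if (read(STDIN_FILENO, &c, 1) <= 0 || c == '\n') {
			break;
		}
		buf[len++] = c;
	}
	buf[len] = '\0';
	return (int)len;
}

		/* … unchanged: URL download and its error handling … */
		if (cli_need_challenge()) {
			printf("Enter PFX file password (press Enter to skip): ");
			fflush(stdout);
		}
		read_stdin_line(global_pfx_pass, sizeof(global_pfx_pass));

		if (cli_need_challenge()) {
			printf("Enter private key passphrase (press Enter to skip): ");
			fflush(stdout);
		}
		read_stdin_line(global_passphrase, sizeof(global_passphrase));
```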
@@ -2757,6 +3037,29 @@
 			unlink(tmp_crtfile);
 			return ERR_WEBUI_INVALID_ARG;
 		}
+		// After downloading file from URL, read password from stdin (if any)
+		// Note: CA certificates typically don't have private keys, but we'll handle it for consistency
+		char password_buffer[256] = {0};
+		char password_char;
+		int password_len = 0;
+
+		// Read password until newline
+		while (password_len < 255) {
+			if (read(STDIN_FILENO, &password_char, 1) <= 0) {
+				break;
+			}
+			if (password_char == '\n') {
+				break;
+			}
+			password_buffer[password_len++] = password_char;
+		}
+		password_buffer[password_len] = '\0';
+
+		// Set global password variables (even though CA certs typically don't need them)
+		strncpy(global_passphrase, password_buffer, sizeof(global_passphrase) - 1);
+		global_passphrase[sizeof(global_passphrase) - 1] = '\0';
+		strncpy(global_pfx_pass, password_buffer, sizeof(global_pfx_pass) - 1);
+		global_pfx_pass[sizeof(global_pfx_pass) - 1] = '\0';
 	}
 
 	ret = check_format(tmp_crtfile, WEBUI_SSL_TYPE_CLIENTCA);
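Review bot: The single line read here is copied into both global_pfx_pass and global_passphrase (L431-L434), which differs from the certificate import in this same commit, where the first stdin line is the PFX password and the second the key passphrase; if the web UI sends CA imports in that two-line form, the second line is left unread on stdin. Either read both lines here as well, or make the comment on L412-L413 state that the CA path deliberately takes one line that serves as both passwords. This loop is also the third copy of the byte-wise stdin reader added by this commit; a small static helper would replace all three. The enclosing function continues outside the hunk.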
Index: /branches/rel_avx_2_7_5/src/webui/webui/htdocs/new/src/avx/models/system/access_control/__init__.py
===================================================================
--- /branches/rel_avx_2_7_5/src/webui/webui/htdocs/new/src/avx/models/system/access_control/__init__.py	(revision 9155)
+++ /branches/rel_avx_2_7_5/src/webui/webui/htdocs/new/src/avx/models/system/access_control/__init__.py	(working copy)
@@ -1,6 +1,7 @@
 from hive.imports.model import *
 from django.utils.translation import ugettext_lazy as _
 from hive.utils import andebug
+from hive.exceptions import ActionPerformException
 import cgi
 from hive.model.legacycli import CLIEnablePassError
 __ = _
@@ -385,22 +386,62 @@
 
         def _perform_Import_Cert(self, options):
             if 'local' in options['using']:
+
+                passphrase = ""
+                if "passphrase" in options['using']['local']:
+                    passphrase = options['using']['local']['passphrase']
+
+                # Build CLI command string with passphrase
+                # Format: command\nYES\n[pfx_pass]\n[passphrase]\n
+                # For non-PFX files, pfx_pass is empty but must be sent to match C code expectations
+                cli_str = 'webui ssl import certificate "file://%s"\nYES\n\n%s\n' % (
+                    options['using']['local']['cert'], passphrase)
+
+                # Check if file is PFX/P12 format
+                if "." in options['using']['local']['cert']:
+                    filename = options['using']['local']['cert']
+                    file_extension = filename.split(".")[-1].lower()
+
+                    if file_extension in ['pfx', 'p12']:
+                        # Check if pfx_pass parameter exists
+                        if "pfx_pass" not in options['using']['local']:
+                            raise ActionPerformException('Please input password for pfx file')
+
+                        pfx_password = options['using']['local'].get('pfx_pass', '')
+
+                        # PFX requires the file password, private key password is optional
+                        cli_str = 'webui ssl import certificate "file://%s"\nYES\n%s\n%s\n' % (
+                            options['using']['local']['cert'],
+                            pfx_password,
+                            passphrase)
+
                 self.cli.set_config()
-                result = self.cli.cmd('webui ssl import certificate "file://%s"\nYES\n' % (options['using']['local']['cert']),
+                result = self.cli.cmd(cli_str,
                                       RegexParser('import failed', match_exception=CLICmdError, match_msg='WebUI SSL certificate import failed. Invalid certificate format!'),
                                       RegexParser('already exists', match_exception=CLICmdError, match_msg='The WebUI SSL certificate already exists.'),
                                       RegexParser('import successful', match_exception=CLICmdNormal, exclusive=True),
                                       BlankParser(nonblank_exception=CLICmdError, supplement=True))
             elif 'online' in options['using']:
+                passphrase = ""
+                if "passphrase" in options['using']['online']:
+                    passphrase = options['using']['online']['passphrase']
+
                 self.cli.set_config()
-                result = self.cli.cmd('webui ssl import certificate "%s"\nYES\n'% (options['using']['online']['url']),
+                # Format: command\nYES\n[pfx_pass]\n[passphrase]\n - empty pfx_pass for non-PFX files
+                result = self.cli.cmd('webui ssl import certificate "%s"\nYES\n\n%s\n' % (options['using']['online']['url'], passphrase),
                                       RegexParser('import failed', match_exception=CLICmdError, match_msg='WebUI SSL certificate import failed. Invalid certificate format!'),
                                       RegexParser('already exists', match_exception=CLICmdError, match_msg='The WebUI SSL certificate already exists.'),
                                       RegexParser('import successful', match_exception=CLICmdNormal, exclusive=True),
                                       BlankParser(nonblank_exception=CLICmdError, supplement=True))
             elif 'manual_input' in options['using']:
+                passphrase = ""
+                if "passphrase" in options['using']['manual_input']:
+                    passphrase = options['using']['manual_input']['passphrase']
+
                 self.cli.set_config()
-                result = self.cli.cmd('webui ssl import certificate\nYES\n%s\n...\n' % (options['using']['manual_input']['cert_content']),
+                # Format for stdin: command\nYES\n[cert_content]\n...\n[passphrase]\n
+                # Note: manual input only supports PEM, no PFX password needed
+                result = self.cli.cmd('webui ssl import certificate\nYES\n%s\n...\n%s\n' % (options['using']['manual_input']['cert_content'], passphrase),
                                     RegexParser('import failed', match_exception=CLICmdError, match_msg='WebUI SSL certificate import failed. Invalid certificate format!'),
                                     RegexParser('already exists', match_exception=CLICmdError, match_msg='The WebUI SSL certificate already exists.'),
                                     RegexParser('import successful', match_exception=CLICmdNormal, exclusive=True),
