feat/fix(ssl): fix some issues and improve ssl generation helper
- set default country to XX - fix array handling of the subjectAlternativeNames so that no indexes are added or skipped - add extendedKeyUsage to server certs to make them more secure - add keyAgreement to server certs - remove authorityKeyIdentifier as it caused the following issue: unable to get local issuer certificate - removed duplicated distinguished_name entries - improved formatting
		@@ -10,7 +10,7 @@ class SslHelper
{
    private const DEFAULT_ORGANIZATION_NAME = 'Coolify';
    private const DEFAULT_COUNTRY_NAME = 'ZZ';
    private const DEFAULT_COUNTRY_NAME = 'XX';
    private const DEFAULT_STATE_NAME = 'Default';
@@ -50,29 +50,44 @@ class SslHelper
                if ($server) {
                    $ip = $server->getIp;
                    if ($ip) {
                        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) {
                            $subjectAlternativeNames[] = "IP:$ip";
                        } else {
                            $subjectAlternativeNames[] = "DNS:$ip";
                        }
                    }
                }
            }
                        $type = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)
                            ? 'IP'
                            : 'DNS';
                        $subjectAlternativeNames = array_unique(
                array_merge(["DNS:$commonName"], $subjectAlternativeNames)
                            array_merge($subjectAlternativeNames, ["$type:$ip"])
                        );
            $formattedSubjectAltNames = [];
            foreach ($subjectAlternativeNames as $index => $san) {
                [$type, $value] = explode(':', $san, 2);
                $formattedSubjectAltNames[] = "{$type}.".($index + 1)." = $value";
                    }
            $formattedSubjectAltNamesSection = implode("\n", $formattedSubjectAltNames);
                }
            }
            $basicConstraints = $isCaCertificate ? 'critical, CA:TRUE, pathlen:0' : 'critical, CA:FALSE';
            $keyUsage = $isCaCertificate ? 'critical, keyCertSign, cRLSign' : 'critical, digitalSignature';
            $authorityKeyIdentifierLine = $isCaCertificate ? '' : "authorityKeyIdentifier = critical,keyid,issuer\n";
            $keyUsage = $isCaCertificate ? 'critical, keyCertSign, cRLSign' : 'critical, digitalSignature, keyAgreement';
            $subjectAltNameSection = '';
            $extendedKeyUsageSection = '';
            if (! $isCaCertificate) {
                $extendedKeyUsageSection = "\nextendedKeyUsage = serverAuth";
                $subjectAlternativeNames = array_values(
                    array_unique(
                        array_merge(["DNS:$commonName"], $subjectAlternativeNames)
                    )
                );
                $formattedSubjectAltNames = array_map(
                    function ($index, $san) {
                        [$type, $value] = explode(':', $san, 2);
                        return "{$type}.".($index + 1)." = $value";
                    },
                    array_keys($subjectAlternativeNames),
                    $subjectAlternativeNames
                );
                $subjectAltNameSection = "subjectAltName = @subject_alt_names\n\n[ subject_alt_names ]\n"
                    .implode("\n", $formattedSubjectAltNames);
            }
            $config = <<<CONF
                [ req ]
@@ -81,24 +96,19 @@ class SslHelper
                req_extensions = req_ext
                [ distinguished_name ]
                C = $countryName
                ST = $stateName
                O = $organizationName
                CN = $commonName
                
                [ req_ext ]
                basicConstraints = $basicConstraints
                keyUsage = $keyUsage
                {$extendedKeyUsageSection}
                [ v3_req ]
                basicConstraints = $basicConstraints
                keyUsage = $keyUsage
                subjectKeyIdentifier = critical,hash
                {$authorityKeyIdentifierLine}
                subjectAltName = critical,@subject_alt_names
                [subject_alt_names]
                $formattedSubjectAltNamesSection
                {$extendedKeyUsageSection}
                subjectKeyIdentifier = hash
                {$subjectAltNameSection}
            CONF;
            $tempConfig = tmpfile();
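Review bot: The DNS fallback in the SAN builder (the hunk starting at old line 50) interpolates any non-IP value of `$ip` straight into `"$type:$ip"`, and `$commonName` likewise into `"DNS:$commonName"`, with no hostname validation, so a value containing whitespace, a newline or a `#` lands inside the generated OpenSSL config and either breaks the request or changes what it means. A guard before the array_merge such as `if ($type === 'DNS' && filter_var($ip, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { throw new \InvalidArgumentException("Invalid SAN value: $ip"); }` keeps malformed names out of the certificate and out of the config file. In the heredoc hunk, as rendered here `{$extendedKeyUsageSection}` appears twice inside `[ req_ext ]` (once after `keyUsage = $keyUsage`, again before `subjectKeyIdentifier = hash`); if that is the real file content rather than a rendering artefact, server certificates are requested with two extendedKeyUsage extensions, which RFC 5280 forbids and some verifiers reject. The closure handed to array_map could be `static fn (int $index, string $san): string => ...` if the project's PHP floor allows arrow functions. The enclosing method starts and ends outside these hunks.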
 