diff --git a/bind8/edit_tls.cgi b/bind8/edit_tls.cgi
index a3c600325..41daeb09f 100644
--- a/bind8/edit_tls.cgi
+++ b/bind8/edit_tls.cgi
@@ -1,5 +1,5 @@
 #!/usr/local/bin/perl
-# Show a form to edit or create a TLS key
+# Show a form to edit or create a TLS key and cert
 use strict;
 use warnings;
@@ -7,7 +7,7 @@ no warnings 'redefine';
 no warnings 'uninitialized';
 our (%access, %text, %in);
-require './bind8-lib.pl';
+require './bind8-lib.pl';
 $access{'defaults'} || &error($text{'tls_ecannot'});
 &supports_tls() || &error($text{'tls_esupport'});
 &ReadParse();
@@ -46,6 +46,13 @@ print &ui_table_row($text{'tls_key'},
 print &ui_table_row($text{'tls_cert'},
 &ui_filebox("cert", &find_value("cert-file", $mems), 60));
+# CA cert file
+my $ca = &find_value("ca-file", $mems);
+print &ui_table_row($text{'tls_ca'},
+ &ui_radio("ca_def", $ca ? 0 : 1,
+ [ [ 1, $text{'tls_ca_def'} ],
+ [ 0, &ui_filebox("ca", $ca, 60) ] ]));
+
 print &ui_table_end();
 print &ui_form_end(
 $in{'new'} ? [ [ undef, $text{'create'} ] ]
diff --git a/bind8/lang/en b/bind8/lang/en
index 7fe530c04..acec802a4 100644
--- a/bind8/lang/en
+++ b/bind8/lang/en
@@ -1355,6 +1355,8 @@ tls_esupport=SSL keys and certificates are not supported on this system
 tls_name=Key name
 tls_key=Key file
 tls_cert=Certificate file
+tls_ca=CA certificate file
+tls_ca_def=None required
 tls_ecannot=You are not allowed to edit SSL keys and certificates
 tls_esupport=DNS over SSL is not supported on this system
 tls_none=No SSL keys have been added yet.
@@ -1364,5 +1366,12 @@ tls_title1=Add SSL Key
 tls_title2=Edit SSL Key
 tls_egone=SSL key no longer exists!
 tls_header=Key and certificate details
+tls_cerr=Failed to create SSL key
+tls_derr=Failed to delete SSL key
+tls_err=Failed to save SSL key
+tls_ename=SSL key name can only contain letters, numbers, underscore and dash
+tls_ekey=Missing or non-existent SSL key file
+tls_ecert=Missing or non-existent SSL certificate file
+tls_eca=Missing or non-existent SSL CA certificate file
 __norefs=1
diff --git a/bind8/save_tls.cgi b/bind8/save_tls.cgi
index 0f7a5a169..ca5d6cf3b 100644
--- a/bind8/save_tls.cgi
+++ b/bind8/save_tls.cgi
@@ -5,7 +5,7 @@ use strict;
 use warnings;
 no warnings 'redefine';
 no warnings 'uninitialized';
-our (%access, %text, %in);
+our (%access, %text, %in, %config);
 require './bind8-lib.pl';
 $access{'defaults'} || &error($text{'tls_ecannot'});
@@ -15,24 +15,75 @@ $access{'defaults'} || &error($text{'tls_ecannot'});
 $in{'delete'} ? $text{'tls_derr'} : $text{'tls_err'});
 # Get the TLS config being edited
+my $parent = &get_config_parent();
+my $conf = &get_config();
+my @tls = &find("tls", $conf);
 my $tls;
 if (!$in{'new'}) {
- my $conf = &get_config();
- my @tls = &find("tls", $conf);
- ($tls) = grep { $_->{'values'}->[0] eq $in{'name'} } @tls;
+ ($tls) = grep { $_->{'values'}->[0] eq $in{'oldname'} } @tls;
 $tls || &error($text{'tls_egone'});
 }
-else {
- $tls = { 'values' => [],
- 'members' => [] };
- }
+&lock_file(&make_chroot($config{'named_conf'}));
 if ($in{'delete'}) {
 # Just remove this one TLS key, if unused
+ # XXX
+ &save_directive($parent, [ $tls ], [ ]);
 }
 else {
 # Validate inputs
 $in{'name'} =~ /^[a-z0-9\-\_]+$/i || &error($text{'tls_ename'});
+ -r $in{'key'} || &error($text{'tls_ekey'});
+ -r $in{'cert'} || &error($text{'tls_ecert'});
+ if (!$in{'ca_def'}) {
+ -r $in{'ca'} || &error($text{'tls_eca'});
+ }
+ &foreign_require("webmin");
+ &webmin::validate_key_cert($in{'key'}, $in{'cert'});
+ if (!$in{'ca_def'}) {
+ &webmin::validate_key_cert($in{'key'}, $in{'ca'});
+ }
+
+ if ($in{'new'}) {
+ # Create the TLS object
+ $tls = { 'name' => 'tls',
+ 'values' => [ $in{'name'} ],
+ 'type' => 1,
+ 'members' => [
+ { 'name' => 'key-file',
+ 'values' => [ $in{'key'} ]
+ },
+ { 'name' => 'cert-file',
+ 'values' => [ $in{'cert'} ]
+ },
+ ]
+ };
+ if (!$in{'ca_def'}) {
+ push(@{$tls->{'members'}},
+ { 'name' => 'ca-file',
+ 'values' => [ $in{'ca'} ]
+ });
+ }
+ &save_directive($parent, [ ], [ $tls ]);
+ }
+ else {
+ # Update the existing object
+ $tls->{'values'}->[0] = $in{'name'};
+ &save_directive($parent, [ $tls ], [ $tls ]);
+ &save_directive($tls, "key-file",
+ [ { 'name' => 'key-file',
+ 'values' => [ $in{'key'} ] } ]);
+ &save_directive($tls, "cert-file",
+ [ { 'name' => 'cert-file',
+ 'values' => [ $in{'cert'} ] } ]);
+ &save_directive($tls, "ca-file", $in{'ca_def'} ? [ ] :
+ [ { 'name' => 'ca-file',
+ 'values' => [ $in{'ca'} ] } ]);
+ }
 }
-
+&flush_file_lines();
+&unlock_file(&make_chroot($config{'named_conf'}));
+&webmin_log($in{'new'} ? 'create' : $in{'delete'} ? 'delete' : 'modify',
+ 'tls', $tls->{'values'}->[0]);
+&redirect("list_tls.cgi");
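Review bot: The two `&webmin::validate_key_cert(...)` calls in the validate branch discard their result; if that helper reports problems through its return value rather than by calling `&error` itself (the neighbouring `-r ... || &error(...)` checks do fail explicitly), an invalid or mismatched key/cert pair is silently accepted, so the calls should read `my $err = &webmin::validate_key_cert($in{'key'}, $in{'cert'}); $err && &error($err);` if that is its contract. The second call pairs the server key with the CA certificate, which would not correspond to the key if the helper checks key/cert agreement; the CA file probably only needs to be checked as a parseable certificate. The delete branch still carries `# XXX` under the comment "if unused", but nothing checks whether another directive references this tls name before `&save_directive($parent, [ $tls ], [ ])` removes it, which BIND would likely reject at reload. The `-r` checks test `$in{'key'}`, `$in{'cert'}` and `$in{'ca'}` as seen by the web server while the lock goes through `&make_chroot(...)`; if named runs chrooted, the paths written to named.conf are relative to the chroot and the existence checks should probably be applied to `&make_chroot($in{'key'})` and the like as well.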