Various web frontend fixes

2018-05-24 08:48:58 +03:00 · 2018-05-24 08:48:58 +03:00 · f21417a214
parent ef16bac80f
commit f21417a214
11 changed files with 33 additions and 19 deletions
--- a/certidude/builder/common.sh
+++ b/certidude/builder/common.sh
@ -81,7 +81,7 @@ config setup
 ca $AUTHORITY
    auto=add
    cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
-    ocspuri = http://$AUTHORITY/api/ocsp/
+    # OCSP and CRL URL-s embedded in certificates

 conn %default
    keyingtries=%forever
@ -94,7 +94,7 @@ conn %default
    leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
    rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"

-conn client-to-site
+conn c2s
    auto=start
    right="$ROUTER"
    rightsubnet="$SUBNETS"
@ -103,7 +103,4 @@ conn client-to-site

 EOF

-cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https
-uci delete uhttpd.main.listen_https
-uci delete uhttpd.main.redirect_https
-EOF
+# Note that auto=route is not supported at the moment with libipsec
--- a/certidude/builder/overlay/etc/uci-defaults/40-hostname
+++ b/certidude/builder/overlay/etc/uci-defaults/40-hostname
--- a/certidude/builder/overlay/etc/uci-defaults/60-cron
+++ b/certidude/builder/overlay/etc/uci-defaults/60-cron
@ -1,5 +1,7 @@
 #!/bin/sh

+/etc/init.d/ipsec enable
+
 # Randomize restart time
 OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}')

@ -14,3 +16,4 @@ chmod 0600 /etc/crontabs/root

 /etc/init.d/cron enable

+exit 0
--- a/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade
+++ b/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade
--- a/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https
+++ b/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https
@ -0,0 +1,3 @@
+uci delete uhttpd.main.listen_https
+uci delete uhttpd.main.redirect_https
+exit 0
--- a/certidude/builder/overlay/usr/bin/certidude-enroll
+++ b/certidude/builder/overlay/usr/bin/certidude-enroll
@ -126,5 +126,4 @@ mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH

 # Start services
 logger -t certidude -s "Starting IPSec IKEv2 daemon..."
-/etc/init.d/ipsec enable
 /etc/init.d/ipsec restart
--- a/certidude/static/index.html
+++ b/certidude/static/index.html
@ -26,9 +26,9 @@
            <a class="nav-link" href="#">Log</a>
          </li>
        </ul>
-        <form class="form-inline my-2 my-lg-0">
+        <div class="form-inline my-2 my-lg-0">
          <input id="search" class="form-control mr-sm-2" style="display:none;" type="search" placeholder="🔍">
-        </form>
+        </div>
      </div>
    </nav>
    <div id="view-dashboard" class="container-fluid" style="margin: 5em 0 0 0;">
--- a/certidude/static/js/certidude.js
+++ b/certidude/static/js/certidude.js
@ -155,7 +155,7 @@ function onEnroll(encoding) {
                  gateway: query.router,
                  p12_uuid: blobToUuid(p12),
                  p12: forge.util.encode64(p12),
-                  ca_uuid: blobToUuid(forge.pki.certificateToAsn1(ca)).getBytes()),
+                  ca_uuid: blobToUuid(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes()),
                  ca: forge.util.encode64(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes())
              });
              var mimetype = "application/x-apple-aspen-config";
--- a/certidude/static/snippets/strongswan-server.sh
+++ b/certidude/static/snippets/strongswan-server.sh
@ -16,18 +16,22 @@ conn default-{{ session.authority.hostname }}
    leftupdown=/etc/certidude/authority/{{ session.authority.hostname }}/updown
    leftcert=/etc/certidude/authority/{{ session.authority.hostname }}/host_cert.pem
    leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24 # Subnets pushed to roadwarriors
-    leftdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors
    leftca="{{ session.authority.certificate.distinguished_name }}"
    rightca="{{ session.authority.certificate.distinguished_name }}"
    rightsourceip=172.21.0.0/24 # Roadwarrior virtual IP pool
    dpddelay=0
    dpdaction=clear
+    fragmentation=yes
+    reauth=no
+    rekey=no
+    leftsendcert=always

-conn site-to-clients
+conn s2c-rw
    auto=add
    also=default-{{ session.authority.hostname }}
+    rightdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors

-conn site-to-client1
+conn s2c-client1
    auto=ignore
    also=default-{{ session.authority.hostname }}
    rightid="CN=*, OU=IP Camera, O=*, DC=*, DC=*, DC=*"
--- a/certidude/static/snippets/update-trust.sh
+++ b/certidude/static/snippets/update-trust.sh
@ -7,3 +7,10 @@ test -e /etc/pki/ca-trust/source/anchors \
 test -e /usr/local/share/ca-certificates/ \
 && ln -s /etc/certidude/authority/{{ session.authority.hostname }}/ca_cert.pem /usr/local/share/ca-certificates/{{ session.authority.hostname }}.crt \
 && update-ca-certificates
+
+# Patch Firefox trust store on Ubuntu
+if [ ! -h /usr/lib/firefox/libnssckbi.so ]; then
+  apt install p11-kit p11-kit-modules
+  mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
+  ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
+fi
--- a/certidude/static/views/authority.html
+++ b/certidude/static/views/authority.html
@ -192,7 +192,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept

 <div class="row">
  <div class="col-sm-6 col-lg-4 col-xl-3">
-    <h1>Signed certificates</h1>
+    <h3>Signed certificates</h3>
    <p>Authority administration
      {% if session.authority.certificate.organization %}of {{ session.authority.certificate.organization }}{% endif %}
        allowed for
@ -213,7 +213,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
  <div class="col-sm-6 col-lg-4 col-xl-3">
  {% if session.authority %}
    {% if session.features.token %}
-      <h1>Tokens</h1>
+      <h3>Tokens</h3>
      <p>Tokens allow enrolling smartphones and third party devices.</p>
      <ul>
        <li>You can issue yourself a token to be used on a mobile device</li>
@ -241,7 +241,8 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
    {% endif %}

    {% if session.authorization.request_subnets %}
-      <h1>Pending requests</h1>
+      <p>&nbsp;</p>
+      <h3>Pending requests</h3>

      <p>Use Certidude client to apply for a certificate.

@ -291,7 +292,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
    {% endif %}

    {% if session.builder.profiles %}
-      <h2>LEDE imagebuilder</h2>
+      <h3>LEDE imagebuilder</h3>
      <p>Hit a link to generate machine specific image. Note that this might take couple minutes to finish.</p>
      <ul>
        {% for name, title, filename in session.builder.profiles %}
@ -303,7 +304,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
  </div>
  <div class="col-sm-6 col-lg-4 col-xl-3">

-    <h1>Revoked certificates</h1>
+    <h3>Revoked certificates</h3>
    <p>Following certificates have been revoked{% if session.features.crl %}, for more information click
    <a href="#revocation_list_modal" data-toggle="modal">here</a>{% endif %}.</p>

@ -317,7 +318,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
      <p>Loading logs, this might take a while...</p>
    </div>
    <div class="content" style="display:none;">
-      <h1>Log</h1>
+      <h3>Log</h3>
      <div class="btn-group" data-toggle="buttons">
        <label class="btn btn-primary active"><input id="log-level-critical" type="checkbox" autocomplete="off" checked>Critical</label>
        <label class="btn btn-primary active"><input id="log-level-error" type="checkbox" autocomplete="off" checked>Error</label>