From f21417a214e4eed4bf19663db8b88c446826629e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Thu, 24 May 2018 08:48:58 +0300 Subject: [PATCH] Various web frontend fixes --- certidude/builder/common.sh | 9 +++------ .../builder/overlay/etc/uci-defaults/40-hostname | 0 certidude/builder/overlay/etc/uci-defaults/60-cron | 3 +++ .../etc/uci-defaults/90-certidude-sysupgrade | 0 .../etc/uci-defaults/99-uhttpd-disable-https | 3 +++ certidude/builder/overlay/usr/bin/certidude-enroll | 1 - certidude/static/index.html | 4 ++-- certidude/static/js/certidude.js | 2 +- certidude/static/snippets/strongswan-server.sh | 10 +++++++--- certidude/static/snippets/update-trust.sh | 7 +++++++ certidude/static/views/authority.html | 13 +++++++------ 11 files changed, 33 insertions(+), 19 deletions(-) mode change 100644 => 100755 certidude/builder/overlay/etc/uci-defaults/40-hostname mode change 100644 => 100755 certidude/builder/overlay/etc/uci-defaults/60-cron mode change 100644 => 100755 certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade create mode 100755 certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https diff --git a/certidude/builder/common.sh b/certidude/builder/common.sh index e2f5068..f07e43d 100644 --- a/certidude/builder/common.sh +++ b/certidude/builder/common.sh @@ -81,7 +81,7 @@ config setup ca $AUTHORITY auto=add cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem - ocspuri = http://$AUTHORITY/api/ocsp/ + # OCSP and CRL URL-s embedded in certificates conn %default keyingtries=%forever @@ -94,7 +94,7 @@ conn %default leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" -conn client-to-site +conn c2s auto=start right="$ROUTER" rightsubnet="$SUBNETS" 
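Review bot: Dropping `ocspuri` from the `ca` section of the generated ipsec.conf leaves revocation checking entirely to the AIA/CRL distribution point URLs carried in the issued certificates, and the replacement comment does not say where those extensions are set or that they are required. By default strongSwan treats an unreachable OCSP responder or CRL as a soft failure and still accepts the peer certificate unless `strictcrlpolicy=yes` is set in `config setup`, which is not visible in this hunk, so a revoked roadwarrior certificate would remain usable while the authority is unreachable. I would extend the comment to `# OCSP and CRL URL-s are taken from the AIA/CDP extensions of the peer certificate; set strictcrlpolicy=yes in config setup to fail closed` and confirm that the authority actually embeds both extensions. The heredoc that writes ipsec.conf starts before this hunk.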
@@ -103,7 +103,4 @@ conn client-to-site EOF -cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https -uci delete uhttpd.main.listen_https -uci delete uhttpd.main.redirect_https -EOF +# Note that auto=route is not supported at the moment with libipsec diff --git a/certidude/builder/overlay/etc/uci-defaults/40-hostname b/certidude/builder/overlay/etc/uci-defaults/40-hostname old mode 100644 new mode 100755 diff --git a/certidude/builder/overlay/etc/uci-defaults/60-cron b/certidude/builder/overlay/etc/uci-defaults/60-cron old mode 100644 new mode 100755 index 43ed67c..58dfa14 --- a/certidude/builder/overlay/etc/uci-defaults/60-cron +++ b/certidude/builder/overlay/etc/uci-defaults/60-cron @@ -1,5 +1,7 @@ #!/bin/sh +/etc/init.d/ipsec enable + # Randomize restart time OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}') @@ -14,3 +16,4 @@ chmod 0600 /etc/crontabs/root /etc/init.d/cron enable +exit 0 diff --git a/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade b/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade old mode 100644 new mode 100755 diff --git a/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https b/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https new file mode 100755 index 0000000..78f4dce --- /dev/null +++ b/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https @@ -0,0 +1,3 @@ +uci delete uhttpd.main.listen_https +uci delete uhttpd.main.redirect_https +exit 0 diff --git a/certidude/builder/overlay/usr/bin/certidude-enroll b/certidude/builder/overlay/usr/bin/certidude-enroll index ea1b620..68c8004 100755 --- a/certidude/builder/overlay/usr/bin/certidude-enroll +++ b/certidude/builder/overlay/usr/bin/certidude-enroll @@ -126,5 +126,4 @@ mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH # Start services logger -t certidude -s "Starting IPSec IKEv2 daemon..." -/etc/init.d/ipsec enable /etc/init.d/ipsec restart 
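Review bot: `/etc/init.d/ipsec enable` is added to the uci-defaults script named `60-cron`, so the IPsec daemon is now enabled on first boot regardless of whether enrollment has produced a certificate, while the `enable` removed from `certidude-enroll` in this same commit was the step that tied service activation to a completed enrollment. If unconditional enabling is intended, a dedicated `70-ipsec` uci-defaults file with a one-line comment would keep the cron script single-purpose and make the ordering explicit; otherwise the `enable` belongs back in the enroll script. The trailing `exit 0` is needed for the uci-defaults runner to delete the script after first boot and deserves a comment saying so, e.g. `exit 0  # non-zero would keep this script around and re-run it on every boot`.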
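Review bot: The new `99-uhttpd-disable-https` script removes uhttpd's HTTPS listener and the HTTP-to-HTTPS redirect, so any web UI served by uhttpd on the router (LuCI, if it is installed on this image) becomes reachable over plaintext only, exposing admin credentials and session cookies on the LAN, and the script records no reason for this. If the goal is merely to avoid uhttpd's self-signed certificate, pointing `uhttpd.main.cert`/`uhttpd.main.key` at the host certificate the router obtains in `certidude-enroll` keeps HTTPS, and at minimum `uhttpd.main.listen_http` should be restricted to the LAN address. The file also lacks the `#!/bin/sh` line that `60-cron` has; I would add it and a comment such as `# Web UI is served over plain HTTP only - TODO: reuse the enrolled host certificate for uhttpd instead`.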
diff --git a/certidude/static/index.html b/certidude/static/index.html index 3f8a85e..31d12f8 100644 --- a/certidude/static/index.html +++ b/certidude/static/index.html @@ -26,9 +26,9 @@ Log -
+
- +
diff --git a/certidude/static/js/certidude.js b/certidude/static/js/certidude.js index 678357b..573794a 100644 --- a/certidude/static/js/certidude.js +++ b/certidude/static/js/certidude.js @@ -155,7 +155,7 @@ function onEnroll(encoding) { gateway: query.router, p12_uuid: blobToUuid(p12), p12: forge.util.encode64(p12), - ca_uuid: blobToUuid(forge.pki.certificateToAsn1(ca)).getBytes()), + ca_uuid: blobToUuid(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes()), ca: forge.util.encode64(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes()) }); var mimetype = "application/x-apple-aspen-config"; diff --git a/certidude/static/snippets/strongswan-server.sh b/certidude/static/snippets/strongswan-server.sh index 6bce914..b1fcdec 100644 --- a/certidude/static/snippets/strongswan-server.sh +++ b/certidude/static/snippets/strongswan-server.sh @@ -16,18 +16,22 @@ conn default-{{ session.authority.hostname }} leftupdown=/etc/certidude/authority/{{ session.authority.hostname }}/updown leftcert=/etc/certidude/authority/{{ session.authority.hostname }}/host_cert.pem leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24 # Subnets pushed to roadwarriors - leftdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors leftca="{{ session.authority.certificate.distinguished_name }}" rightca="{{ session.authority.certificate.distinguished_name }}" rightsourceip=172.21.0.0/24 # Roadwarrior virtual IP pool dpddelay=0 dpdaction=clear + fragmentation=yes + reauth=no + rekey=no + leftsendcert=always -conn site-to-clients +conn s2c-rw auto=add also=default-{{ session.authority.hostname }} + rightdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors -conn site-to-client1 +conn s2c-client1 auto=ignore also=default-{{ session.authority.hostname }} rightid="CN=*, OU=IP Camera, O=*, DC=*, DC=*, DC=*" diff --git a/certidude/static/snippets/update-trust.sh b/certidude/static/snippets/update-trust.sh index d78545a..5328b27 100644 
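Review bot: The DER encoding of `ca` is now computed twice inside the object literal, once for `ca_uuid` and once for `ca`, which is exactly the kind of duplication that let the previous line drift (it called `blobToUuid` on the ASN.1 object rather than its DER bytes). Hoist it once before the call, `var caDer = forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes();`, then use `ca_uuid: blobToUuid(caDer),` and `ca: forge.util.encode64(caDer)` so the UUID is guaranteed to be derived from the same bytes that are embedded in the profile. `onEnroll` starts and ends outside this hunk.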
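Review bot: `reauth=no` and `rekey=no` are added to the `default-…` template without a comment, while the other non-obvious settings in this snippet each carry one. With `rekey=no` strongSwan will not renegotiate the IKE or CHILD SA itself, so if a roadwarrior does not initiate rekeying the SA is simply closed when `ikelifetime`/`lifetime` expires; that is a deliberate trade-off worth recording, e.g. `rekey=no  # Roadwarriors drive rekeying; the responder only lets SAs expire` (presumably the intent for mobile clients, please confirm). Moving the DNS server from `leftdns` in the template to `rightdns` in `conn s2c-rw` also means `conn s2c-client1` no longer pushes a DNS server to the camera, which looks intentional but should be stated next to that connection.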
--- a/certidude/static/snippets/update-trust.sh +++ b/certidude/static/snippets/update-trust.sh @@ -7,3 +7,10 @@ test -e /etc/pki/ca-trust/source/anchors \ test -e /usr/local/share/ca-certificates/ \ && ln -s /etc/certidude/authority/{{ session.authority.hostname }}/ca_cert.pem /usr/local/share/ca-certificates/{{ session.authority.hostname }}.crt \ && update-ca-certificates + +# Patch Firefox trust store on Ubuntu +if [ ! -h /usr/lib/firefox/libnssckbi.so ]; then + apt install p11-kit p11-kit-modules + mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak + ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so +fi diff --git a/certidude/static/views/authority.html b/certidude/static/views/authority.html index 584033a..018c7cb 100644 --- a/certidude/static/views/authority.html +++ b/certidude/static/views/authority.html @@ -192,7 +192,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
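Review bot: The Firefox block moves the NSS built-in root module aside and symlinks it to p11-kit-trust.so without checking that either step can succeed: `apt install` runs without `-y` and its exit status is ignored, and the p11-kit path hardcodes `x86_64-linux-gnu`, so on a host where the package is missing or the architecture differs `libnssckbi.so` ends up a dangling symlink and Firefox is left with no trust anchors at all. The guard should also require that `/usr/lib/firefox/libnssckbi.so` exists, otherwise the `mv` fails on machines without a system Firefox. The comment should also say that this makes Firefox trust every anchor in the system store, not only this authority, since that is a wider change than the `update-ca-certificates` call above it.
```shell
# Patch Firefox trust store on Ubuntu: make NSS read the system (p11-kit) trust store,
# so every anchor installed above, including this authority, is trusted by Firefox too
if [ -e /usr/lib/firefox/libnssckbi.so ] && [ ! -h /usr/lib/firefox/libnssckbi.so ]; then
    apt install -y p11-kit p11-kit-modules || exit 1
    P11_TRUST=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/pkcs11/p11-kit-trust.so
    test -e "$P11_TRUST" || exit 1
    mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
    ln -s "$P11_TRUST" /usr/lib/firefox/libnssckbi.so
fi
```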
-

Signed certificates

+

Signed certificates

Authority administration {% if session.authority.certificate.organization %}of {{ session.authority.certificate.organization }}{% endif %} allowed for @@ -213,7 +213,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept

{% if session.authority %} {% if session.features.token %} -

Tokens

+

Tokens

Tokens allow enrolling smartphones and third party devices.

  • You can issue yourself a token to be used on a mobile device
  • @@ -241,7 +241,8 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept {% endif %} {% if session.authorization.request_subnets %} -

    Pending requests

    +

     

    +

    Pending requests

    Use Certidude client to apply for a certificate. @@ -291,7 +292,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept {% endif %} {% if session.builder.profiles %} -

    LEDE imagebuilder

    +

    LEDE imagebuilder

    Hit a link to generate machine specific image. Note that this might take couple minutes to finish.

      {% for name, title, filename in session.builder.profiles %} @@ -303,7 +304,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
-

Revoked certificates

+

Revoked certificates

Following certificates have been revoked{% if session.features.crl %}, for more information click here{% endif %}.

@@ -317,7 +318,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept

Loading logs, this might take a while...