From 2f4e63b03ba7688cf9541073ef242fc1dd2ff863 Mon Sep 17 00:00:00 2001 From: RasAlGhul Date: Tue, 14 Jan 2025 10:51:41 +0100 Subject: [PATCH] net/freeradius: EAP-TLS with multiple CAs (#4381) * controller eap: changed from dropdown to select_multiple * model eap: add mulitple option to CertificateField type ca * script generate_certs: Multiple comma-separated refid values are possible. Use explode() and process them with a foreach loop --- .../OPNsense/Freeradius/forms/eap.xml | 2 +- .../app/models/OPNsense/Freeradius/Eap.xml | 1 + .../scripts/Freeradius/generate_certs.php | 26 +++++++++++-------- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml index 843862089..cb032d2fc 100644 --- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml @@ -20,7 +20,7 @@ eap.ca - dropdown + select_multiple Choose the Root CA. This CA will be trusted to issue client certificates for authentication. diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml index c44c58ed3..991e9bd52 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml @@ -31,6 +31,7 @@ ca N + Y cert diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php index efb5eabd0..a55e822d0 100755 --- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php +++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php 
@@ -80,17 +80,21 @@ if (isset($configObj->OPNsense->freeradius)) {
 $cert_refid = (string)$find_cert->ca;
 // if eap has a ca-certificate attached, search for its contents
 if ($cert_refid != "") {
- foreach ($configObj->ca as $ca) {
- if ($cert_refid == (string)$ca->refid) {
- // generate cert pem file
- $pem_content = trim(str_replace("\n\n", "\n", str_replace(
- "\r",
- "",
- base64_decode((string)$ca->crt)
- )));
-
- $pem_content .= "\n";
- $ca_pem_content .= $pem_content;
+ // multiple comma-separated refid values are possible
+ $cert_refids = explode(',', $cert_refid);
+ foreach ($cert_refids as $current_refid) {
+ foreach ($configObj->ca as $ca) {
+ if ($current_refid == (string)$ca->refid) {
+ // generate cert pem file
+ $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+ "\r",
+ "",
+ base64_decode((string)$ca->crt)
+ )));
+
+ $pem_content .= "\n";
+ $ca_pem_content .= $pem_content;
+ }
 }
 }
 }
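Review bot: The refid match `if ($current_refid == (string)$ca->refid) {` uses a loose comparison on values taken straight from `explode()`, although it decides which CAs are appended to `$ca_pem_content`, which appears to be the trust bundle for EAP-TLS client certificates. PHP's `==` compares two numeric-looking strings as numbers, so two different refids can compare equal, while an element with stray whitespace or an empty element never matches and is dropped without a message. I would normalise the list with `$cert_refids = array_filter(array_map('trim', explode(',', $cert_refid)), 'strlen');` and compare with `if ($current_refid === (string)$ca->refid) {`. A configured refid that matches no entry in `$configObj->ca` is also skipped silently; logging it would make a stale CA reference visible instead of quietly shrinking the trusted set. The enclosing `if (isset($configObj->OPNsense->freeradius))` block starts and ends outside the hunk.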