author | Ted Trask <ttrask01@yahoo.com> | 2008-07-11 12:46:38 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-07-11 12:46:38 +0000 |
commit | 94ea0142e1ceed7ed876efaa18d34ffa75190a2f (patch) | |
tree | 74a732b97dcb908f4f76931b543850784e9bb75e | |
parent | a212499c9b3ca33a3f60398192e4998424e379e1 (diff) | |
download | acf-openssl-94ea0142e1ceed7ed876efaa18d34ffa75190a2f.tar.bz2 acf-openssl-94ea0142e1ceed7ed876efaa18d34ffa75190a2f.tar.xz |
Modified openssl to work with the new cnf file. Distinguished names are no longer hard-coded but are taken entirely from the cnf file. Modified views to display password and certtype at the end. Update to getopts fixes a bug where setting defaults truncated the cnf file.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1295 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | openssl-ca-acf.cnf | 30 | ||||
-rw-r--r-- | openssl-controller.lua | 4 | ||||
-rw-r--r-- | openssl-editconfigfile-html.lsp | 26 | ||||
-rw-r--r-- | openssl-editdefaults-html.lsp | 7 | ||||
-rw-r--r-- | openssl-generatecacert-html.lsp | 4 | ||||
-rw-r--r-- | openssl-model.lua | 86 | ||||
-rw-r--r-- | openssl-request-html.lsp | 8 | ||||
-rw-r--r-- | openssl-status-html.lsp | 2 |
8 files changed, 73 insertions, 94 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
index 2e3adfb..47eec0e 100644
--- a/openssl-ca-acf.cnf
+++ b/openssl-ca-acf.cnf
@@ -89,12 +89,7 @@ countryName = optional
 commonName = supplied
 emailAddress = optional
 localityName = optional
-subjectAltName.1 = optional
-subjectAltName.2 = optional
-subjectAltName.3 = optional
-subjectAltName.4 = optional
-
-
+subjectAltName = optional
 
 ####################################################################
 [ req ]
@@ -102,7 +97,7 @@ default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
-x509_extensions = ssl_client_cert
+x509_extensions = v3_ca_cert
 string_mask = nombstr
 
 [ req_distinguished_name ]
@@ -136,6 +131,13 @@ challengePassword = A challenge password
 challengePassword_min = 4
 challengePassword_max = 20
 
+[ v3_ca_cert ]
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
 [ general_cert ]
 # Non-specific
 
@@ -165,26 +167,16 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 policy = policy_acf_ca
 
-[ v3_ca_cert ]
+[ ssl_ca_cert ]
 # SSL Certifying Authority
 basicConstraints = critical, CA:true
 nsCertType = sslCA
 # Below is correct, but may prevent self-signed certs from working
 keyUsage = cRLSign, keyCertSign
-#extendedKeyUsage = serverAuth, clientAuth
-extenedKeyUsage =
+extendedKeyUsage =
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 policy = policy_acf_ca
 
 [ crl_ext ]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
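Review bot: The typo fix `extenedKeyUsage =` → `extendedKeyUsage =` in `[ ssl_ca_cert ]` leaves the value empty, so the entry now either asks for an extendedKeyUsage with no purposes or is ignored, depending on who consumes it; the model's `extensions` list in openssl-model.lua (hunk @@ -21) does not contain `extendedKeyUsage`, so if that list decides which keys are copied out of a cert-type section the line has no effect at all. If "no EKU" is the intent, delete the line or keep it commented as the removed `#extendedKeyUsage = serverAuth, clientAuth` was. The new `[ v3_ca_cert ]` is a copy of `[ ssl_ca_cert ]` without `policy`/`extendedKeyUsage` and is referenced directly by `x509_extensions` in `[ req ]`, which is why it must stay free of ACF-only keys; a comment such as `# Used directly by "openssl req -x509" (see [ req ] x509_extensions); keep OpenSSL-only keys here` would stop someone merging the two sections later.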
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 83cdf9e..be85ac6 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -13,7 +13,7 @@ mvc.pre_exec = function(self)
 if (sslstatus.value.version.errtxt and self.conf.action ~= "status") or (sslstatus.value.conffile.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment") or (sslstatus.value.environment.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment")
- or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "putcacert" and self.conf.action ~= "generatecacert" and self.conf.action ~= "checkenvironment")
+ or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "putcacert" and self.conf.action ~= "generatecacert" and self.conf.action ~= "checkenvironment" and self.conf.action ~= "editdefaults")
 then redirect(self) end
@@ -117,7 +117,7 @@ end
 -- Generate a self-signed CA generatecacert = function(self)
- return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Gererate CA Certificate", "Certificate Generated", "status")
+ return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Generate CA Certificate", "Certificate Generated", "status")
 end editconfigfile = function(self)
diff --git a/openssl-editconfigfile-html.lsp b/openssl-editconfigfile-html.lsp
index 46f820b..bd8e6de 100644
--- a/openssl-editconfigfile-html.lsp
+++ b/openssl-editconfigfile-html.lsp
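Review bot: The redirect condition in `mvc.pre_exec` encodes the per-state action allow-list as chains of `self.conf.action ~= "…"`, and the changed line now carries six of them, so which actions remain reachable while the CA cert or key is missing can only be worked out by reading the whole expression. A set keyed by action name makes the policy auditable and keeps the lists from drifting: `local allowed_without_ca = { status=true, editconfigfile=true, putcacert=true, generatecacert=true, checkenvironment=true, editdefaults=true }` and then `or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and not allowed_without_ca[self.conf.action])`. Since `editdefaults` is being opened up deliberately before a CA exists, a one-line comment stating why it is safe to reach in that state would help the next reader. `pre_exec` continues outside the hunk.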
@@ -1,31 +1,11 @@
 <? local form, viewlibrary, page_info, session = ... ?> <? require("viewfunctions") ?>
-<? --[[ DEBUG INFORMATION
-io.write(html.cfe_unpack(form))
---]] ?>
-
-<H1>Configuration</H1>
-<H2>File Details</H2>
-<DL>
 <?
-displayitem(form.value.filename)
-displayitem(form.value.filesize)
-displayitem(form.value.mtime)
+local pattern = string.gsub(page_info.prefix..page_info.controller, "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1")
+local func = haserl.loadfile(page_info.viewfile:gsub(pattern..".*$", "/") .. "filedetails-html.lsp")
+func(form, viewlibrary, page_info, session)
 ?>
-</DL>
-
-<H2>File Content</H1>
-<? if form.descr then ?><P CLASS='descr'><?= string.gsub(form.descr, "\n", "<BR>") ?></P><? end ?>
-<? if form.errtxt then ?><P CLASS='error'><?= string.gsub(form.errtxt, "\n", "<BR>") ?></P><? end ?>
-<form action="<?= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action ?>" method="POST">
-<textarea name="filecontent">
-<?= form.value.filecontent.value ?>
-</textarea>
-<? if form.value.filecontent.errtxt then ?><P CLASS='error'><?= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") ?></P><? end ?>
-
-<DL><DT></DT><DD><input class="submit" type="submit" name="<?= form.option ?>" value="<?= form.option ?>"></DD></DL>
-</form>
 <? if viewlibrary and viewlibrary.dispatch_component and session.permissions.openssl.checkenvironment then viewlibrary.dispatch_component("checkenvironment")
diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp
index e678ec4..77221a1 100644
--- a/openssl-editdefaults-html.lsp
+++ b/openssl-editdefaults-html.lsp
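Review bot: The path handed to `haserl.loadfile` is built by pattern-stripping `page_info.viewfile`, and nothing checks that the strip matched; `string.gsub` returns the substitution count as its second result, so `local dir, n = page_info.viewfile:gsub(pattern..".*$", "/")` followed by `if n ~= 1 then error("cannot locate filedetails-html.lsp from "..page_info.viewfile) end` would turn an unexpected `prefix`/`controller` into a clear error rather than a load of a path that does not exist. The escaping replacement `"%%%1"` works only because `%1` falls back to the whole match when the pattern has no captures; `"%%%0"` states that directly. The `<? if viewlibrary … ?>` block continues past the end of the hunk.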
@@ -8,8 +8,9 @@ io.write(html.cfe_unpack(form))
 <H1><?= form.label ?></H1> <? form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress", "certtype" }
- displayform(form, order)
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
+ local finishingorder = { "certtype" }
+ displayform(form, order, finishingorder)
 ?>
diff --git a/openssl-generatecacert-html.lsp b/openssl-generatecacert-html.lsp
index 3f251f5..1061ab6 100644
--- a/openssl-generatecacert-html.lsp
+++ b/openssl-generatecacert-html.lsp
@@ -8,8 +8,8 @@ io.write(html.cfe_unpack(form))
 <H1><?= form.label ?></H1> <? form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress" }
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
 displayform(form, order) ?>
diff --git a/openssl-model.lua b/openssl-model.lua
index d0c669d..6a17a0c 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
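Review bot: The `order` list now interleaves long and short field names (`"countryName", "C", …`) because the cnf may spell a field either way, and the same thirteen-entry list is repeated verbatim in openssl-editdefaults-html.lsp, openssl-generatecacert-html.lsp and openssl-request-html.lsp, so every future key change has to be made three times. Whether `displayform` silently skips names absent from `form.value` is not visible here; a comment such as `-- lists both the long and short cnf spellings; only the ones present in form.value are rendered` would record that assumption, and the list itself could be exposed once by the model next to `short_names` and required by the views.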
@@ -21,17 +21,12 @@ local openssldir = "/etc/ssl/"
 local config = nil -- list of request entries that can be edited
-local distinguished_names = { {name="countryName", label="Country Name", short="C"},
- {name="stateOrProvinceName", label="State Or Province Name", short="ST"},
- {name="localityName", label="Locality Name", short="L"},
- {name="organizationName", label="Organization Name", short="O"},
- {name="organizationalUnitName", label="Organizational Unit Name", short="OU"},
- {name="commonName", label="Common Name", short="CN"},
- {name="emailAddress", label="e-mail Address"} }
+local short_names = { countryName="C", stateOrProvinceName="ST", localityName="L", organizationName="O", organizationalUnitName="OU", commonName="CN" }
+
 -- list of entries that may be found in cert extensions section local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", "subjectKeyIdentifier", "authorityKeyIdentifier", "subjectAltName", "issuerAltName" }
--- list of entries that must be found in ca section
+-- list of entries that must be found in ca section (used to define our certificate types)
 local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy" } -- Create a cfe with the distinguished name defaults
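Review bot: The comment `-- list of request entries that can be edited` is kept above the new `short_names` table, but that table is a map from distinguished-name field names to their X.509 abbreviations rather than a list of editable entries, so the comment is now stale. Suggest `-- map of distinguished name fields to their short forms; used in the -subj string and to match cnf keys written either way (emailAddress has no short form and keeps its long name)`. The `(used to define our certificate types)` addition to the `ca_mandatory_entries` comment is helpful; the same kind of one-liner on `extensions` saying who reads that list would complete the set.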
@@ -41,13 +36,10 @@ local getdefaults = function()
 local distinguished_name = config.req.distinguished_name or "" -- Get the distinguished name defaults
- for i, name in ipairs(distinguished_names) do
- defaults.value[name.name] = cfe({ label=name.label,
- value=config[distinguished_name][name.name .. "_default"]
- or config[distinguished_name]["0."..name.name.."_default"] or "",
- descr=config[distinguished_name][name.name] or config[distinguished_name]["0."..name.name] })
- if defaults.value[name.name].value == "" and name.short then
- defaults.value[name.name].value = config[distinguished_name][name.short .. "_default"] or ""
+ for name,value in pairs(config[distinguished_name]) do
+ if nil == string.find(name, "_") then
+ defaults.value[name] = cfe({ label=value,
+ value=config[distinguished_name][name .. "_default"] or "" })
 end end
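Review bot: The new loop in `getdefaults` turns every key of the `[req_distinguished_name]` section that contains no underscore into a form field, so the field set is now defined by a naming convention instead of a list: an unrelated or misspelled key without `_` becomes a prompt, and a prompt whose key contains `_` vanishes. That convention should at least be written down next to the test: `-- cnf convention: "<field>" holds the prompt text; "<field>_default", "<field>_min" and "<field>_max" are its attributes and are skipped here`. `pairs(config[distinguished_name])` still errors when `config.req.distinguished_name` is missing or names an absent section, but now with a bare "bad argument to pairs"; an `if not config[distinguished_name] then` check with a message naming the section would be friendlier. The function begins and ends outside the hunk.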
@@ -60,21 +52,21 @@ local validate_distinguished_names = function(values)
 local distinguished_name = config.req.distinguished_name or "" local success = true
- for i, name in ipairs(distinguished_names) do
- if string.find(values.value[name.name].value, "[,/'=]") then
- values.value[name.name].errtxt = "Value cannot contain =/,'"
+ for name,value in pairs(values.value) do
+ if string.find(value.value, "[,/'=]") then
+ value.errtxt = "Value cannot contain =/,'"
 success = false end -- check min, but empty is allowed
- local min = config[distinguished_name][name.name.."_min"] or config[distinguished_name]["0."..name.name.."_min"]
- if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) and #values.value[name.name].value > 0 then
- values.value[name.name].errtxt = "Value too short"
+ local min = config[distinguished_name][name.."_min"]
+ if min and value.value and #value.value < tonumber(min) and #value.value > 0 then
+ value.errtxt = "Value too short"
 success = false end
- local max = config[distinguished_name][name.name.."_max"] or config[distinguished_name]["0."..name.name.."_max"]
- if max and values.value[name.name] and #values.value[name.name].value > tonumber(max) then
- values.value[name.name].errtxt = "Value too long"
+ local max = config[distinguished_name][name.."_max"]
+ if max and value.value and #value.value > tonumber(max) then
+ value.errtxt = "Value too long"
 success = false end end
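Review bot: `string.find(value.value, "[,/'=]")` is called without a nil guard, while the min/max checks a few lines below test `value.value and …` first; if any entry of `values.value` can lack a `value`, the first check throws instead of recording an error. Either the guards are unnecessary or the first line needs one: `if value.value and string.find(value.value, "[,/'=]") then`. Because the loop now walks all of `values.value`, the non-DN fields the callers later exclude from the subject (`certtype`, `password`, `password_confirm`, `days` in hunks @@ -331 and @@ -666) are presumably also run through this check, which means the `[,/'=]` restriction and the `_min`/`_max` lookups now apply to passwords too; if that is intended it deserves a comment, since it changes which passwords are accepted. The function begins and ends outside the hunk.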
@@ -82,30 +74,44 @@ local validate_distinguished_names = function(values)
 end -- Write distinguished name defaults to config file
-local write_distinguished_names = function(values)
+local write_distinguished_names = function(values, ignorevalues)
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
 local file = fs.read_file(configfile) config = config or getopts.getoptsfromfile(file) local distinguished_name = config.req.distinguished_name or ""
- for i,name in ipairs(distinguished_names) do
- wname = name.name.."_default"
- if config[distinguished_name]["0."..name.name] then
- wname = "0."..wname
- end
- if values.value[name.name] then
+ for name,value in pairs(values.value) do
+ if not reverseignore[name] then
+ local wname = name.."_default"
 local a,b,c
- a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, values.value[name.name].value)
+ a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value)
 end end fs.write_file(configfile, file) config = getopts.getoptsfromfile(file) end
-local create_subject_string = function(values)
+local create_subject_string = function(values, ignorevalues)
 local outstr = {}
- for i,name in ipairs(distinguished_names) do
- if values.value[name.name].value ~= "" then
- outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
+ -- do the ones with short names first
+ local reverseshorts = {}
+ for name,short in pairs(short_names) do
+ reverseshorts[short] = name
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if (short_names[name] or reverseshorts[name]) and value.value and value.value ~= "" then
+ name = short_names[name] or name
+ outstr[#outstr + 1] = name .. "=" .. value.value
+ end
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if not reverseignore[name] and not short_names[name] and not reverseshorts[name] and value.value and value.value ~= "" then
+ outstr[#outstr + 1] = name .. "=" .. value.value
 end end return "/"..table.concat(outstr, "/")
@@ -287,7 +293,7 @@ setreqdefaults = function(defaults)
 if success then getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value) config = nil
- write_distinguished_names(defaults)
+ write_distinguished_names(defaults, {"certtype"})
 end if not success then
@@ -331,7 +337,7 @@ submitrequest = function(defaults, user)
 if success then -- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
 local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1" local f = io.popen(cmd) local cmdresult = f:read("*a")
@@ -388,7 +394,7 @@ approverequest = function(request)
 -- Add the serial number to the end of the cert file name local serialpath = getconfigentry(certtype, "serial")
- local serialfile = fs.read_file(openssldir..serialpath)
+ local serialfile = fs.read_file(serialpath)
 local serial = string.match(serialfile, "%x%x") local certname = certdir..request.."."..serial
@@ -666,7 +672,7 @@ generateca = function(defaults)
 if success then -- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"days"})
 local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1" local f = io.popen(cmd) local cmdresult = f:read("*a")
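Review bot: `create_subject_string` now assembles the subject from two `pairs` traversals, and `pairs` order is unspecified, so the RDN order in `-subj` — and therefore the certificate's subject, which is an ordered sequence — can change between runs and no longer follows the C, ST, L, O, OU, CN order the old `ipairs` list produced. Walking a fixed order for the short-named fields and then the remaining names sorted keeps the output deterministic. `ignorevalues` is also consulted only in the second loop, so an ignored name that coincides with a short name would still be emitted; collecting each field once, keyed by its subject name, closes that hole too.
```lua
local create_subject_string = function(values, ignorevalues)
	local reverseignore = {}
	for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
	-- conventional RDN order for the fields that have short forms
	local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName", "organizationalUnitName", "commonName" }
	-- every non-empty, non-ignored field once, keyed by the name it gets in the subject
	local byname = {}
	for name,value in pairs(values.value) do
		name = name:gsub(".*%.", "")
		if not reverseignore[name] and value.value and value.value ~= "" then
			byname[short_names[name] or name] = value.value
		end
	end
	local outstr = {}
	for i,name in ipairs(order) do
		local short = short_names[name]
		if byname[short] then
			outstr[#outstr + 1] = short .. "=" .. byname[short]
			byname[short] = nil
		end
	end
	-- remaining long-named fields in a stable (sorted) order
	local rest = {}
	for name in pairs(byname) do rest[#rest + 1] = name end
	table.sort(rest)
	for i,name in ipairs(rest) do
		outstr[#outstr + 1] = name .. "=" .. byname[name]
	end
	return "/"..table.concat(outstr, "/")
end
```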
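Review bot: The subject returned by `create_subject_string` is spliced into a single-quoted shell command for `io.popen` (`-subj '"..subject.."'`), and as far as this file shows the only thing keeping a field value inside those quotes is the `[,/'=]` check in `validate_distinguished_names`, while the hand-written exclusion lists `{"password", "password_confirm", "certtype"}` here and `{"days"}` in `generateca` (hunk @@ -666) decide which form fields become RDNs at all. A field added to one form but not to its caller's list silently ends up in the subject. Deriving the DN field set from the same source `getdefaults` uses — the keys of the `[req_distinguished_name]` section — instead of per-caller exclusions would remove that maintenance hazard, and a comment at each call site, `-- every value reaching create_subject_string must already have passed validate_distinguished_names`, records the dependency the command line relies on. `submitrequest` begins and ends outside the hunk.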
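Review bot: `fs.read_file(serialpath)` now uses the `serial` entry from the cnf as-is instead of prefixing `openssldir`, so a relative `serial` path is resolved against the process's working directory rather than `/etc/ssl/`; if `getconfigentry` already expands it to an absolute path that is fine, but that is not visible here and the commit message does not mention the change, so a comment on the line stating which form the path is expected in would help. The following line calls `string.match(serialfile, "%x%x")`, which throws if the read failed and returned nil; a check such as `if not serialfile then … end` returning an error in whatever convention `approverequest` uses would give a clearer failure than a pattern-matching error. `approverequest` begins and ends outside the hunk.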
diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp
index ff27023..348ad23 100644
--- a/openssl-request-html.lsp
+++ b/openssl-request-html.lsp
@@ -8,11 +8,11 @@ io.write(html.cfe_unpack(form))
 <H1><?= form.label ?></H1> <? form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress", "certtype",
- "password", "password_confirm" }
 form.value.password.type = "password" form.value.password_confirm.type = "password"
- displayform(form, order)
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
+ local finishingorder = { "certtype", "password", "password_confirm" }
+ displayform(form, order, finishingorder)
 ?>
diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp
index 7ba2b95..cf9f119 100644
--- a/openssl-status-html.lsp
+++ b/openssl-status-html.lsp
@@ -5,7 +5,7 @@ io.write(html.cfe_unpack(view))
 --]] ?>
-<H1>SYSTEM INFO</H1>
+<H1>System Info</H1>
 <DL> <? displayitem(view.value.version) ?> <? displayitem(view.value.conffile) ?> |