author | Ted Trask <ttrask01@yahoo.com> | 2015-01-31 22:24:01 -0500 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2015-01-31 22:24:01 -0500 |
commit | 168f8e45c8d83372e8786dbca2d076555100a5ea (patch) | |
tree | 971edf186f4d4ef3592136d28f0a41863a3414ed | |
parent | 97c66e10c5bc12415eeb6b0f2c6470d6e5b7f9a1 (diff) | |
Change all actions to include a basedir parameter as a first step toward supporting multiple CAs
-rw-r--r-- | openssl-model.lua | 271 |
1 files changed, 144 insertions, 127 deletions
diff --git a/openssl-model.lua b/openssl-model.lua index 2c1a54a..86bc3e7 100644 --- a/openssl-model.lua +++ b/openssl-model.lua @@ -31,9 +31,19 @@ local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", -- list of entries that must be found in ca section (used to define our certificate types) local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy", "default_days" } +local initializecfe = function(self, clientdata, label) + local retval = cfe({ type="group", value={}, label=label or "" }) + retval.value.basedir = cfe({ label="Base Directory", key=true }) + self.handle_clientdata(retval, clientdata) + if retval.value.basedir.value ~= "" then + openssldir = retval.value.basedir.value + end + return retval +end + -- Create a cfe with the distinguished name defaults -local getdefaults = function() - local defaults = cfe({ type="group", value={} }) +local getdefaults = function(self, clientdata) + local defaults = initializecfe(self, clientdata, "OpenSSL Request") config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "") local distinguished_name = config.req.distinguished_name or "" 
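Review bot: `initializecfe` copies the client-supplied `basedir` straight into the module-level `openssldir` with no validation, and because every action now goes through it, the request decides which directory the model reads its config from, chdirs into and runs openssl against; the value should be restricted to a known set of CA directories (or at least an existing directory under the configured root) before it is assigned. A second defect is visible right after it in `getdefaults`: `config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")` keeps whatever config was parsed for a previous basedir, so switching CAs inside one process keeps serving the old CA's `distinguished_name`, `default_ca` and paths. The assignment also never restores the original `openssldir`, so later requests that omit basedir inherit the last one; if the default must remain reachable, keep it in a separate local. Whether callers are expected to pass `basedir` with the trailing slash that `openssldir..configfile` relies on is not visible here.
```lua
local initializecfe = function(self, clientdata, label)
	-- … unchanged: build retval with the basedir key and call self.handle_clientdata …
	local basedir = retval.value.basedir.value
	if basedir ~= "" and basedir ~= openssldir then
		-- TODO(review): reject basedir values outside the known CA directories before this point
		openssldir = basedir
		config = nil  -- drop the cached config so the new base directory is re-parsed
	end
	return retval
end
```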
@@ -316,68 +326,124 @@ local listrevoked = function() return cfe({ type="list", value=revoked, label="Revoked serial numbers" }) end +local checkenvironment = function() + local errtxt = {} + local cmdline = {} + + -- First check for the openssl, req, and cert directories + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("openssl directory", openssldir) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", openssldir..certdir) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", openssldir..requestdir) + + -- Then check for the config file entries + config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "") + + if config then + local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir") + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", chkpath) + + local file = getconfigentry(config.ca.default_ca, "certificate") + chkpath = posix.dirname(file) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", chkpath) + + file = getconfigentry(config.ca.default_ca, "private_key") + chkpath = posix.dirname(file) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", chkpath) + + file = getconfigentry(config.ca.default_ca, "database") + chkpath = posix.dirname(file) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", chkpath) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("database", file) + + file = getconfigentry(config.ca.default_ca, "serial") + chkpath = posix.dirname(file) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", chkpath) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("serial", file, "01") + + file = getconfigentry(config.ca.default_ca, "crlnumber") + if file ~= "" then + chkpath = posix.dirname(file) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", chkpath) + errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("crlnumber", file, "01") + 
end + else + errtxt[#errtxt+1] = "Configuration invalid" + end + + errtxt = table.concat(errtxt, '\n') + local value + if errtxt == "" then + errtxt = nil + value = "Environment ready" + else + value = "Environment not ready" + end + return cfe({ value=value, errtxt=errtxt, cmdline=cmdline, label="Environment" }) +end + mymodule.getstatus = function(self, clientdata) -- set the working directory and umask once for model posix.umask("rw-------") posix.chdir(openssldir) + local retval = initializecfe(self, clientdata, "OpenSSL status") local value,errtxt=processinfo.package_version(packagename) - local version = cfe({ value=value, errtxt=errtxt, label="Program version", name=packagename }) - local conffile = cfe({ value=openssldir..configfile, label="Configuration file" }) - local cacert = cfe({ label="CA Certificate" }) - local cacertcontents = cfe({ type="longtext", label="CA Certificate contents" }) - local cakey = cfe({ label="CA Key" }) + retval.value.version = cfe({ value=value, errtxt=errtxt, label="Program version", name=packagename }) + retval.value.conffile = cfe({ value=openssldir..configfile, label="Configuration file" }) + retval.value.cacert = cfe({ label="CA Certificate" }) + retval.value.cacertcontents = cfe({ type="longtext", label="CA Certificate contents" }) + retval.value.cakey = cfe({ label="CA Key" }) if not fs.is_file(openssldir..configfile) then - conffile.errtxt="File not found" - cacert.errtxt="File not defined" - cacertcontents.errtxt="" - cakey.errtxt="File not defined" + retval.value.conffile.errtxt="File not found" + retval.value.cacert.errtxt="File not defined" + retval.value.cacertcontents.errtxt="" + retval.value.cakey.errtxt="File not defined" else config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "") if (not config) or (not config.ca) or (not config.ca.default_ca) then - conffile.errtxt="Invalid config file" - cacert.errtxt="File not defined" - cacertcontents.errtxt="" - cakey.errtxt="File not defined" 
+ retval.value.conffile.errtxt="Invalid config file" + retval.value.cacert.errtxt="File not defined" + retval.value.cacertcontents.errtxt="" + retval.value.cakey.errtxt="File not defined" else - cacert.value = getconfigentry(config.ca.default_ca, "certificate") - if not fs.is_file(cacert.value) then - cacert.errtxt="File not found" + retval.value.cacert.value = getconfigentry(config.ca.default_ca, "certificate") + if not fs.is_file(retval.value.cacert.value) then + retval.value.cacert.errtxt="File not found" else - cacertcontents.value, cacertcontents.errtxt = modelfunctions.run_executable({"openssl", "x509", "-in", cacert.value, "-noout", "-text"}) - local enddate = string.match(cacertcontents.value, "Not After : (.*)") + retval.value.cacertcontents.value, retval.value.cacertcontents.errtxt = modelfunctions.run_executable({"openssl", "x509", "-in", retval.value.cacert.value, "-noout", "-text"}) + local enddate = string.match(retval.value.cacertcontents.value, "Not After : (.*)") local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)") local reversemonth = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12} local time = os.time({year=year, month=reversemonth[month], day=day}) if os.time() > time then time = 0 - cacert.errtxt="Certificate expired" + retval.value.cacert.errtxt="Certificate expired" else time = (time-os.time())/86400 end - cacert.daysremaining=time + retval.value.cacert.daysremaining=time end - cakey.value = getconfigentry(config.ca.default_ca, "private_key") - if not fs.is_file(cakey.value) then - cakey.errtxt="File not found" + retval.value.cakey.value = getconfigentry(config.ca.default_ca, "private_key") + if not fs.is_file(retval.value.cakey.value) then + retval.value.cakey.errtxt="File not found" end end end - local environment = mymodule.checkenvironment() - return cfe({ type="group", value={version=version, conffile=conffile, environment=environment, cacert=cacert, cacertcontents=cacertcontents, 
cakey=cakey}, label="OpenSSL status" }) + retval.value.environment = checkenvironment() + return retval end -mymodule.getreqdefaults = function() - local defaults = getdefaults() - - --Add in the encryption bit default - local encryption = config.req.default_bits - defaults.value.encryption = cfe({ type="select", label="Encryption Bits", value=encryption, option={"2048", "4096"}, seq=94 }) - - -- Add in the default days - local validdays = getconfigentry(config.ca.default_ca, "default_days") - defaults.value.validdays = cfe({ type="text", label="Period of Validity (Days)", value=validdays, descr="Number of days this certificate is valid for", seq=95 }) +mymodule.getreqdefaults = function(self, clientdata) + local defaults = getdefaults(self, clientdata) + --Add in the encryption bit default + local encryption = config.req.default_bits + defaults.value.encryption = cfe({ type="select", label="Encryption Bits", value=encryption, option={"2048", "4096"}, seq=94 }) + + -- Add in the default days + local validdays = getconfigentry(config.ca.default_ca, "default_days") + defaults.value.validdays = cfe({ type="text", label="Period of Validity (Days)", value=validdays, descr="Number of days this certificate is valid for", seq=95 }) + -- Add in the ca type default defaults.value.certtype = cfe({ type="select", label="Certificate Type", value=config.ca.default_ca, option=find_ca_sections(), seq=96 }) @@ -389,7 +455,7 @@ mymodule.getreqdefaults = function() extensions = format.get_ini_section(content, config.req.req_extensions) end defaults.value.extensions = cfe({ type="longtext", label="Additional x509 Extensions", value=extensions, descr="These extensions can be overridden by the Certificate Type", seq=97 }) - + return defaults end 
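Review bot: In `getstatus` the `posix.chdir(openssldir)` at the top of the function still runs against the previous `openssldir`, because the new `local retval = initializecfe(self, clientdata, "OpenSSL status")` on the following line is what updates it from the client's basedir; moving the umask/chdir pair below that call makes the working directory match the CA being reported on. The unchanged `config = config or format.parse_ini_file(...)` further down has the same staleness problem, so after a basedir change the status page can still show the previous CA's certificate and key paths; clearing `config` whenever `openssldir` changes would cover both. The `cmdline` entries returned by the moved `checkenvironment` are closures that create directories and files, and with `openssldir` now client-controlled that is worth a comment on `checkenvironment` stating that it only inspects and that creation happens in `setenvironment`.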
@@ -508,7 +574,7 @@ mymodule.submitrequest = function(self, defaults, submit, user) end mymodule.readall = function(self, clientdata) - local result = cfe({ type="group", value={}, label="All Certificates" }) + local result = initializecfe(self, clientdata, "All Certificates") result.value.pending = listrequests() result.value.approved = listcerts() result.value.revoked = listrevoked() @@ -516,7 +582,7 @@ mymodule.readall = function(self, clientdata) end mymodule.readuser = function(self, clientdata, user) - local result = cfe({ type="group", value={}, label="Certificates for "..user }) + local result = initializecfe(self, clientdata, "Certificates for "..user) result.value.user = cfe({ value=user, label="User Name" }) result.value.pending = listrequests(user) result.value.approved = listcerts(user) @@ -525,7 +591,7 @@ mymodule.readuser = function(self, clientdata, user) end mymodule.viewrequest = function(self, clientdata) - local retval = cfe({ type="group", value={}, label="Request" }) + local retval = initializecfe(self, clientdata, "Request") retval.value.request = cfe({ label="Request", key=true }) self.handle_clientdata(retval, clientdata) @@ -538,9 +604,9 @@ mymodule.viewrequest = function(self, clientdata) end mymodule.getapproverequest = function(self, clientdata) - local retval = {} - retval.request = cfe({ value=clientdata.request or "", label="Request" }) - return cfe({ type="group", value=retval, label="Approve Request" }) + local retval = initializecfe(self, clientdata, "Approve Request") + retval.value.request = cfe({ value=clientdata.request or "", label="Request" }) + return retval end mymodule.approverequest = function(self, apprequest) 
@@ -592,9 +658,9 @@ mymodule.approverequest = function(self, apprequest) end mymodule.getdeleterequest = function(self, clientdata) - local retval = {} - retval.request = cfe({ value=clientdata.request or "", label="Request" }) - return cfe({ type="group", value=retval, label="Delete Request" }) + local retval = initializecfe(self, clientdata, "Delete Request") + retval.value.request = cfe({ value=clientdata.request or "", label="Request" }) + return retval end mymodule.deleterequest = function(self, delrequest, submit, user) @@ -614,7 +680,7 @@ mymodule.deleterequest = function(self, delrequest, submit, user) end mymodule.viewcert = function(self, clientdata) - local retval = cfe({ type="group", value={}, label="Certificate" }) + local retval = initializecfe(self, clientdata, "Certificate") retval.value.cert = cfe({ label="Certificate", key=true }) self.handle_clientdata(retval, clientdata) @@ -626,7 +692,7 @@ mymodule.viewcert = function(self, clientdata) end mymodule.getcert = function(self, clientdata) - local retval = cfe({ type="group", value={}, label="Certificate" }) + local retval = initializecfe(self, clientdata, "Certificate") retval.value.cert = cfe({ label="Certificate", key=true }) self.handle_clientdata(retval, clientdata) @@ -642,9 +708,9 @@ mymodule.getcert = function(self, clientdata) end mymodule.getrevokecert = function(self, clientdata) - retval = {} - retval.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) - return cfe({ type="group", value=retval, label="Revoke Certificate" }) + local retval = initializecfe(self, clientdata, "Revoke Certificate") + retval.value.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) + return retval end mymodule.revokecert = function(self, revreq) 
@@ -653,9 +719,9 @@ mymodule.revokecert = function(self, revreq) end mymodule.getdeletecert = function(self, clientdata) - retval = {} - retval.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) - return cfe({ type="group", value=retval, label="Delete Certificate" }) + local retval = initializecfe(self, clientdata, "Delete Certificate") + retval.value.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) + return retval end mymodule.deletecert = function(self, delcert) @@ -671,9 +737,9 @@ mymodule.deletecert = function(self, delcert) end mymodule.getrenewcert = function(self, clientdata) - retval = {} - retval.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) - return cfe({ type="group", value=retval, label="Renew Certificate" }) + local retval = initializecfe(self, clientdata, "Renew Certificate") + retval.value.cert = cfe({ value=clientdata.cert or "", label="Certificate" }) + return retval end mymodule.renewcert = function(self, recert, submit, approve) @@ -727,7 +793,7 @@ mymodule.renewcert = function(self, recert, submit, approve) end mymodule.getcrl = function(self, clientdata) - local retval = cfe({ type="group", value={}, label="Certificate Revocation List" }) + local retval = initializecfe(self, clientdata, "Certificate Revocation List") retval.value.crltype = cfe({ type="select", value="", option={"", "DER", "PEM"}, label="CRL Type", key=true }) self.handle_clientdata(retval, clientdata) @@ -751,7 +817,7 @@ mymodule.getcrl = function(self, clientdata) end mymodule.getca = function(self, clientdata) - local retval = cfe({ type="group", value={}, label="CA Certificate" }) + local retval = initializecfe(self, clientdata, "CA Certificate") retval.value.certtype = cfe({ type="select", value="", option={"", "DER", "PEM"}, label="Certificate Type", key=true }) self.handle_clientdata(retval, clientdata) 
@@ -777,10 +843,11 @@ mymodule.getca = function(self, clientdata) return retval end -mymodule.getnewputca = function() - local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file', seq=1 }) - local password = cfe({ type="password", label="Certificate Password", seq=2 }) - return cfe({ type="group", value={ca=ca, password=password} }) +mymodule.getnewputca = function(self, clientdata) + local retval = initializecfe(self, clientdata, "Upload CA Certificate") + retval.value.ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file', seq=1 }) + retval.value.password = cfe({ type="password", label="Certificate Password", seq=2 }) + return retval end mymodule.putca = function(self, newca) @@ -840,8 +907,8 @@ mymodule.putca = function(self, newca) return newca end -mymodule.getnewcarequest = function() - request = getdefaults() +mymodule.getnewcarequest = function(self, clientdata) + request = getdefaults(self, clientdata) -- In addition to the distinguished name defaults, we need days request.value.days = cfe({ value="365", label="Number of days to certify", seq=95 }) return request @@ -886,8 +953,13 @@ mymodule.generateca = function(self, defaults) return defaults end -mymodule.getconfigfile = function() - return modelfunctions.getfiledetails(openssldir..configfile) +mymodule.getconfigfile = function(self, clientdata) + local retval = initializecfe(self, clientdata, "") + local retval2 = modelfunctions.getfiledetails(openssldir..configfile) + for name,value in pairs(retval.value) do + retval2.value.name = value + end + return retval2 end mymodule.setconfigfile = function(self, filedetails) 
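Review bot: `request = getdefaults(self, clientdata)` in `getnewcarequest` is still an accidental global (no `local`), so the request table leaks into the module's environment and is shared across calls; since the line is being rewritten anyway, make it `local request = getdefaults(self, clientdata)`. The remainder of the function is unchanged by the hunk.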
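Review bot: `getconfigfile` writes `retval2.value.name = value` inside the `pairs` loop, which assigns the literal key `name` rather than the iterated key, so the `basedir` cfe ends up under `name` and the merge the loop is meant to perform never happens; it should read `retval2.value[name] = value`. With only one entry in `retval.value` today the loop could be replaced by `retval2.value.basedir = retval.value.basedir`, but the indexed form stays correct if `initializecfe` later gains fields.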
@@ -896,9 +968,9 @@ mymodule.setconfigfile = function(self, filedetails) end mymodule.getenvironment = function(self, clientdata) - local retval = {} - retval.status = mymodule.checkenvironment() - return cfe({ type="group", value=retval, label="Check Environment" }) + local retval = initializecfe(self, clientdata, "Check Environment") + retval.value.status = checkenvironment() + return retval end mymodule.setenvironment = function(self, setenv) 
@@ -906,66 +978,11 @@ mymodule.setenvironment = function(self, setenv) for x,cmd in ipairs(setenv.value.status.cmdline) do cmd() end - setenv.value.status = mymodule.checkenvironment() + setenv.value.status = checkenvironment() if setenv.value.status.errtxt then setenv.errtxt = "Failed to Configure Environment" end return setenv end -mymodule.checkenvironment = function() - local errtxt = {} - local cmdline = {} - - -- First check for the openssl, req, and cert directories - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("openssl directory", openssldir) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", openssldir..certdir) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", openssldir..requestdir) - - -- Then check for the config file entries - config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "") - - if config then - local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir") - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", chkpath) - - local file = getconfigentry(config.ca.default_ca, "certificate") - chkpath = posix.dirname(file) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", chkpath) - - file = getconfigentry(config.ca.default_ca, "private_key") - chkpath = posix.dirname(file) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", chkpath) - - file = getconfigentry(config.ca.default_ca, "database") - chkpath = posix.dirname(file) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", chkpath) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("database", file) - - file = getconfigentry(config.ca.default_ca, "serial") - chkpath = posix.dirname(file) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", chkpath) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("serial", file, "01") - - file = getconfigentry(config.ca.default_ca, "crlnumber") - if file ~= 
"" then - chkpath = posix.dirname(file) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", chkpath) - errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("crlnumber", file, "01") - end - else - errtxt[#errtxt+1] = "Configuration invalid" - end - - errtxt = table.concat(errtxt, '\n') - local value - if errtxt == "" then - errtxt = nil - value = "Environment ready" - else - value = "Environment not ready" - end - return cfe({ value=value, errtxt=errtxt, cmdline=cmdline, label="Environment" }) -end - return mymodule |