author | Ted Trask <ttrask01@yahoo.com> | 2013-01-01 22:46:36 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2013-01-01 22:46:36 +0000 |
commit | 29248160e70e123e5fae479344b8bc69d58034bf (patch) | |
tree | be1b5d66e8b84c77cb299eaca0af68e2d22eb55d | |
parent | 0b5914ae86262efd87a9ae38a0dfa9a33296fc27 (diff) | |
Replace io.popen with modelfunctions.run_executable
-rw-r--r-- | openssl-model.lua | 95 |
1 files changed, 25 insertions, 70 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index d998664..b9c48a7 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -18,7 +18,6 @@ local configfile = "/etc/ssl/openssl-ca-acf.cnf"
 local requestdir = "/etc/ssl/req/"
 local certdir = "/etc/ssl/cert/"
 local openssldir = "/etc/ssl/"
-local path = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin "
 -- Save the config in a variable so isn't loaded each and every time needed
 local config = nil
@@ -279,10 +278,7 @@ getstatus = function()
 if not fs.is_file(cacert.value) then
 cacert.errtxt="File not found"
 else
- local cmd = path .. "openssl x509 -in "..format.escapespecialcharacters(cacert.value).." -noout -text"
- local f = io.popen(cmd)
- cacertcontents.value = f:read("*a")
- f:close()
+ cacertcontents.value, cacertcontents.errtxt = modelfunctions.run_executable({"openssl", "x509", "-in", cacert.value, "-noout", "-text"})
 local enddate = string.match(cacertcontents.value, "Not After : (.*)")
 local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)")
@@ -430,11 +426,7 @@ submitrequest = function(defaults, user)
 fileval = format.update_ini_file(fileval, "req", "req_extensions", ext_section)
 fs.write_file(reqname..".cfg", fileval)
- local cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1'
- local f = io.popen(cmd)
- local cmdresult = f:read("*a")
- f:close()
- defaults.descr = cmdresult
+ defaults.descr, defaults.errtxt = modelfunctions.run_executable({"openssl", "req", "-nodes", "-new", "-config", reqname..".cfg", "-keyout", reqname..".pem", "-out", reqname..".csr", "-subj", subject}, true)
 local certfilestats = posix.stat(reqname..".csr")
 local keyfilestats = posix.stat(reqname..".pem")
 if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
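Review bot: In the getstatus hunk the line after the new assignment still does `string.match(enddate, ...)` with no nil check, so when the x509 call fails and `cacertcontents.value` carries no `Not After` line (the failure now being reported through `cacertcontents.errtxt`), `enddate` is nil and the call raises instead of surfacing that errtxt. Guard the parse: `local enddate = string.match(cacertcontents.value or "", "Not After : (.*)")` followed by `if enddate then local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)") ... end`; the rest of the date handling is outside the hunk. Separately, every call in this commit names the binary as a bare `"openssl"`, and the explicit PATH prefix removed in the first hunk is not visibly replaced; presumably modelfunctions.run_executable sets its own search path, which is worth confirming, since the environment a web-facing process inherits is not always one to trust for resolving `openssl`.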
@@ -469,10 +461,7 @@ end
 viewrequest = function(request)
 local reqpath = requestdir .. request
- local cmd = path .. "openssl req -in "..format.escapespecialcharacters(reqpath)..".csr -text -noout"
- local f = io.popen(cmd)
- local cmdresult = f:read("*a")
- f:close()
+ local cmdresult = modelfunctions.run_executable({"openssl", "req", "-in", reqpath..".csr", "-text", "-noout"})
 local a,b,c = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
 local request = cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, value=cmdresult}, label="Request" })
 return request
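Review bot: `reqpath = requestdir .. request` goes straight into `-in` with nothing in viewrequest checking that `request` names a plain file inside `requestdir`; if the caller does not validate it (not visible here), a value containing `..` segments makes openssl open a `.csr`-suffixed path elsewhere and its parse output or error text is returned in the view. A `validator.is_valid_filename(reqpath, requestdir)`-style check, as the putca hunk already does for `newca.value.ca.value`, would close that, and the same applies to `cert` in the viewcert hunk. As a style point, `local request = cfe(...)` shadows the parameter, and `name=name` reads a global that nothing in the hunk defines, so that field is presumably nil.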
@@ -497,20 +486,19 @@ approverequest = function(self, apprequest)
 local certname = certdir..apprequest.value.request.value.."."..serial
 -- Now, sign the certificate
- local cmd = path .. "openssl ca -config "..format.escapespecialcharacters(reqpath)..".cfg -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1"
- local f = io.popen(cmd)
- apprequest.descr = f:read("*a")
- f:close()
+ apprequest.descr, apprequest.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", reqpath..".cfg", "-in", reqpath..".csr", "-out", certname..".crt", "-name", certtype, "-batch"}, true)
 -- If certificate created, create the wrapped up pkcs12
 local filestats = posix.stat(certname..".crt")
 if filestats and filestats.size > 0 then
 -- We're wrapping up the key, the cert, and the CA cert (and whatever came with it)
- cmd = path .. "openssl pkcs12 -export -inkey "..format.escapespecialcharacters(reqpath)..".pem -in "..format.escapespecialcharacters(certname)..".crt -out "..format.escapespecialcharacters(certname)..".pfx -passout file:"..format.escapespecialcharacters(reqpath)..".pwd -certfile "..format.escapespecialcharacters(getconfigentry(certtype, "certificate")).." 2>&1"
- f = io.popen(cmd)
- local newcmdresult = f:read("*a")
- f:close()
+ local newcmdresult, newerrtxt = modelfunctions.run_executable({"openssl", "pkcs12", "-export", "-inkey", reqpath..".pem", "-in", certname..".crt", "-out", certname..".pfx", "-passout", "file:"..reqpath..".pwd", "-certfile", getconfigentry(certtype, "certificate")}, true)
 apprequest.descr = apprequest.descr .. newcmdresult
+ if apprequest.errtxt then
+ apprequest.errtxt = apprequest.errtxt .. (newerrtxt or "")
+ else
+ apprequest.errtxt = newerrtxt
+ end
 end
 -- Finally, remove the request
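Review bot: The merge of the pkcs12 result is asymmetric: `newerrtxt` is nil-guarded with `(newerrtxt or "")` but `apprequest.descr .. newcmdresult` on the line before is not, so if run_executable returns nil output on failure (its contract is not visible here) the concatenation raises inside the `if filestats` branch instead of reporting through `errtxt`. `apprequest.descr = apprequest.descr .. (newcmdresult or "")` keeps the two in step. approverequest continues past the end of the hunk.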
@@ -561,8 +549,7 @@ listcerts = function(user)
 local files = posix.glob(certdir..user..".*\\.pfx") or {}
 -- Do this in two steps - saves forking openssl for each cert, which
 -- speeds things up noticably for > 100 certs
- local crtlist = "cat <<-EOF | openssl\n"
- local crttab = {}
+ local crtlist = {}
 for i,x in ipairs(files) do
 local name = string.gsub(posix.basename(x), ".pfx$", "")
 local a,b,c,d = string.match(name,
@@ -570,17 +557,14 @@ listcerts = function(user)
 list[#list + 1] = {name=name, user=a, certtype=b, commonName=unhashname(c), serial=d, enddate=enddate, daysremaining=time}
- crtlist = crtlist .. "x509 -in " ..
- certdir..format.escapespecialcharacters(name) ..
- ".crt -noout -enddate\n"
+ crtlist[#crtlist+1] = "x509 -in "..certdir..name..".crt -noout -enddate"
 end
- crtlist = crtlist .. "EOF\n"
- local fh=io.popen(crtlist)
+ local out = modelfunctions.run_executable({"openssl"}, false, table.concat(crtlist, "\n").."\nexit\n")
+ local outtab = format.string_to_table(out, "\n")
 for i,x in ipairs(files) do
- local enddate = fh:read("*l") or "notAfter=Jan 1 00:00:01 1970 GMT"
- enddate = string.match(enddate, "notAfter=(.*)")
+ local enddate = string.match(outtab[i] or "", "notAfter=(.*)") or "Jan 1 00:00:01 1970 GMT"
 local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)")
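Review bot: Indexing `outtab[i]` against `files[i]` assumes openssl emits exactly one stdout line per `x509 -in ... -enddate` command; a certificate it cannot load yields an error (presumably on stderr, given the `false` second argument) and no `notAfter=` line, which shifts every later certificate's expiry onto the wrong entry and shows the 1970 fallback only for the last one. The removed `fh:read("*l")` loop had the same weakness, but this rewrite is the place to fix it: either fall back to one run per file when `#outtab ~= #files`, or pair each output line with the name it belongs to. The batch lines also drop the previous `format.escapespecialcharacters(name)`; `name` is the basename of a globbed `.pfx`, so a space or quote in a file name now breaks openssl's own command-line tokenizer for that line and the ones after it. The second hunk's `list[#list + 1]` and `string.match(enddate, ...)` statements may span more lines in the file than shown here.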
@@ -596,16 +580,11 @@ listcerts = function(user)
 list[i].daysremaining = time
 end
- fh:close()
-
 return cfe({ type="list", value=list, label="List of approved certificates" })
 end
 viewcert = function(cert)
- local cmd = path .. "openssl x509 -in "..certdir..format.escapespecialcharacters(cert)..".crt -noout -text"
- local f = io.popen(cmd)
- local cmdresult = f:read("*a")
- f:close()
+ local cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", certdir..cert..".crt", "-noout", "-text"})
 local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
 return cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, serial=d, value=cmdresult}, label="Certificate" })
 end
@@ -624,10 +603,7 @@ getrevokecert = function(self, clientdata)
 end
 revokecert = function(self, revreq)
- local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. format.escapespecialcharacters(revreq.value.cert.value)..".crt -batch 2>&1"
- local f = io.popen(cmd)
- revreq.descr = f:read("*a")
- f:close()
+ revreq.descr, revreq.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-revoke", certdir..revreq.value.cert.value..".crt", "-batch"}, true)
 return revreq
 end
@@ -677,10 +653,7 @@ renewcert = function(self, recert, submit, approve)
 local subject = string.gsub(fs.read_file(reqname..".sbj") or "", "\n", "")
 -- Next, submit the request (new key)
- cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1'
- f = io.popen(cmd)
- recert.descr = f:read("*a")
- f:close()
+ recert.descr, recert.errtxt = modelfunctions.run_executable({"openssl", "req", "-nodes", "-new", "-config", reqname..".cfg", "-keyout", reqname..".pem", "-out", reqname..".csr", "-subj", subject}, true)
 local filestats = posix.stat(reqname..".csr")
 if not filestats or filestats.size == 0 then
 recert.errtxt = "Failed to submit request\n"..recert.descr
@@ -723,12 +696,8 @@ end
 getcrl = function(crltype)
 local crlfile = cfe({ type="raw", option="application/pkix-crl" })
- local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
- local f = io.popen(cmd)
- f:close()
- local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
- local f = io.popen(cmd)
- f:close()
+ modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-gencrl", "-out", openssldir.."ca-crl.crl"})
+ modelfunctions.run_executable({"openssl", "crl", "-in", openssldir.."ca-crl.crl", "-out", openssldir.."ca-der-crl.crl", "-outform", "DER"})
 if string.lower(crltype or "") == "der" then
 crlfile.label = "ca-der-crl.crl"
 crlfile.value = fs.read_file(crlfile.label) or ""
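Review bot: In the getcrl hunk both run_executable calls discard the returned output and errtxt, so a failing `ca -gencrl` (bad config, locked index, unreadable CA key) leaves whatever `ca-crl.crl` already existed on disk and that stale CRL is then served as if freshly generated; capturing `local _, errtxt = modelfunctions.run_executable({...})` and setting `crlfile.errtxt = errtxt` before the read would make the failure visible to the caller. The getca hunk discards the `x509 -outform der` result the same way. Also worth a look now that it is context: `crlfile.value = fs.read_file(crlfile.label)` reads `ca-der-crl.crl` relative to the working directory while the file was just written under `openssldir`, so unless the process cwd is `/etc/ssl/` the read presumably finds nothing; the rest of getcrl is outside the hunk.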
@@ -745,9 +714,7 @@ getca = function(certtype)
 local result = cfe({ type="raw", option="application/x-x509-ca-cert" })
 local fname = "cacert."
 if string.lower(certtype or "") == "der" then
- local cmd = path .. "openssl x509 -in "..openssldir.."cacert.pem -outform der -out "..openssldir.."cacert.der"
- local f = io.popen(cmd)
- f:close()
+ modelfunctions.run_executable({"openssl", "x509", "-in", openssldir.."cacert.pem", "-outform", "der", "-out", openssldir.."cacert.der"})
 fname = fname.."der"
 result.label = fname
 elseif string.lower(certtype or "") == "pem" then
@@ -773,10 +740,7 @@ putca = function(self, newca)
 -- First, get the cert
 local cmd, f, cmdresult
 if validator.is_valid_filename(newca.value.ca.value, "/tmp/") and fs.is_file(newca.value.ca.value) then
- cmd = path .. "openssl pkcs12 -in "..format.escapespecialcharacters(newca.value.ca.value).." -out "..format.escapespecialcharacters(newca.value.ca.value).."cert.pem -password pass:"..format.escapespecialcharacters(newca.value.password.value).." -nokeys 2>&1"
- f = io.popen(cmd)
- cmdresult = f:read("*a")
- f:close()
+ cmdresult = modelfunctions.run_executable({"openssl", "pkcs12", "-in", newca.value.ca.value, "-out", newca.value.ca.value.."cert.pem", "-password", "pass:"..newca.value.password.value, "-nokeys"}, true)
 local filestats = posix.stat(newca.value.ca.value.."cert.pem")
 if not filestats or filestats.size == 0 then
 newca.value.ca.errtxt = "Could not open certificate\n"..cmdresult
@@ -789,10 +753,7 @@ putca = function(self, newca)
 -- Check to make sure we got a CA cert
 if success then
- cmd = path .. "openssl x509 -in "..format.escapespecialcharacters(newca.value.ca.value).."cert.pem -noout -text"
- f = io.popen(cmd)
- cmdresult = f:read("*a")
- f:close()
+ cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", newca.value.ca.value.."cert.pem", "-noout","-text"})
 if not string.find(cmdresult, "CA:TRUE") then
 newca.value.ca.errtxt = "Could not find CA Certificate"
 success = false
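Review bot: In the first putca hunk the PKCS#12 password is still passed to openssl as a `pass:` argument, so it sits in the child's command line (visible through `ps` or `/proc/<pid>/cmdline` to other local users) for the life of the call; moving from a shell string to an argv array does not change that. openssl accepts the same password as `-password stdin`, and run_executable's third argument — used in the listcerts hunk to feed openssl's standard input — looks like the right channel: `cmdresult = modelfunctions.run_executable({"openssl", "pkcs12", "-in", newca.value.ca.value, "-out", newca.value.ca.value.."cert.pem", "-password", "stdin", "-nokeys"}, true, newca.value.password.value.."\n")`, provided run_executable writes stdin before collecting output, which the listcerts use suggests but this page does not show. The `-nocerts -nodes` extraction in the next hunk has the same exposure. Minor: after this commit `cmd` and `f` in the context line `local cmd, f, cmdresult` are no longer assigned anywhere in putca's hunks and can be dropped from the declaration.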
@@ -801,10 +762,7 @@ putca = function(self, newca)
 -- Now, get the key
 if success then
- cmd = path .. "openssl pkcs12 -in "..format.escapespecialcharacters(newca.value.ca.value).." -out "..format.escapespecialcharacters(newca.value.ca.value).."key.pem -password pass:"..format.escapespecialcharacters(newca.value.password.value).." -nocerts -nodes 2>&1"
- f = io.popen(cmd)
- cmdresult = f:read("*a")
- f:close()
+ cmdresult = modelfunctions.run_executable({"openssl", "pkcs12", "-in", newca.value.ca.value, "-out", newca.value.ca.value.."key.pem", "-password", "pass:"..newca.value.password.value, "-nocerts", "-nodes"}, true)
 filestats = posix.stat(newca.value.ca.value.."key.pem")
 if not filestats or filestats.size == 0 then
 newca.value.ca.errtxt = "Could not find CA key\n"..cmdresult
@@ -853,10 +811,7 @@ generateca = function(self, defaults)
 -- Submit the request
 local subject = create_subject_string(defaults, {"days"})
- local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile..' -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj "'..subject..'" -days '..format.escapespecialcharacters(defaults.value.days.value).." 2>&1"
- local f = io.popen(cmd)
- local cmdresult = f:read("*a")
- f:close()
+ local cmdresult = modelfunctions.run_executable({"openssl", "req", "-x509", "-nodes", "-new", "-config", configfile, "-keyout", "/tmp/cakey.pem", "-out", "/tmp/cacert.pem", "-subj", subject, "-days", defaults.value.days.value}, true)
 local certfilestats = posix.stat("/tmp/cacert.pem")
 local keyfilestats = posix.stat("/tmp/cakey.pem")
 if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
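Review bot: In the generateca hunk the new CA private key is written unencrypted (`-nodes`) to the fixed path `/tmp/cakey.pem`; a predictable name in a shared, world-writable directory means another local account can pre-create that path before openssl writes to it, and the resulting file's mode is whatever the process umask allows. Writing the key under `openssldir`, or into a private directory created with a restrictive mode and removed once the key is installed, keeps the CA key off the shared filesystem; where the key is moved afterwards is outside the hunk. The `-days` value is now a separate argv element, so the removed `format.escapespecialcharacters` is no longer needed, but nothing here checks that `defaults.value.days.value` is numeric before openssl sees it — presumably a validator does that earlier, which is worth confirming.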