author | Ted Trask <ttrask01@yahoo.com> | 2008-05-22 19:06:04 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2008-05-22 19:06:04 +0000 |
commit | 6974a4052073c6aaadc6af8c30cf3d236b16b88f (patch) | |
tree | 1f272ff65fa67d1ad42ebf827c17a56010145fc1 | |
parent | 29c8138587a3edcbc62b575bb8372597801b970e (diff) | |
openssl is now pretty much done except for revoking certificates.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1176 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | openssl-controller.lua | 42 | ||||
-rw-r--r-- | openssl-model.lua | 131 | ||||
-rw-r--r-- | openssl.menu | 4 | ||||
-rw-r--r-- | openssl.roles | 4 |
4 files changed, 147 insertions, 34 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 78cbe2b..64dd307 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -3,7 +3,22 @@ module (..., package.seeall)
 require("getopts")
-default_action = "read"
+default_action = "status"
+
+mvc={}
+mvc.pre_exec = function(self)
+ if self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" then
+ local verify = self.model.verifyopenssl()
+ if verify.value == false then
+ redirect(self)
+ end
+ end
+end
+
+-- Show openssl status
+status = function(self)
+ return self.model.getstatus()
+end
 -- View all pending and approved requests and revoked certificates
 readall = function(self)
@@ -38,7 +53,7 @@ request = function(self)
 cmdresult = cfe({ value="Request submitted", label="Request result" })
 self.sessiondata.cmdresult = cmdresult
 --request.descr = "Submitted request"
- redirect(self, "readall")
+ redirect(self, "read")
 end
 else
 request = self.model.getnewrequest()
@@ -116,5 +131,28 @@ getrevoked = function(self)
 end
 -- Put the CA cert
+-- FIXME this won't work because haserl doesn't support file upload. Untested
 putcacert = function(self)
+ local retval = self.model.putca(self.clientdata.ca, self.clientdata.password, self.clientdata.Upload)
+ retval.type = "form"
+ retval.option = "Upload"
+ retval.label = "Upload CA Certificate"
+ return retval
+end
+
+editconfigfile = function(self)
+ local saved = false
+ if self.clientdata.Save then
+ saved = self.model.setconfigfile(self.clientdata.filecontent)
+ end
+ local configfile = self.model.getconfigfile()
+ configfile.type = "form"
+ configfile.option = "Save"
+ configfile.label = "Edit config file"
+ if saved then
+ configfile.descr = "Saved config file"
+ elseif self.clientdata.Save then
+ configfile.errtxt = "Failed to save config file"
+ end
+ return configfile
 end
diff --git a/openssl-model.lua b/openssl-model.lua
index a572f92..fa844fe 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
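Review bot: `editconfigfile` hands `self.clientdata.filecontent` straight to `self.model.setconfigfile`, and the model side of this commit only rejects an empty string, so whatever text an UPDATE user submits is written over the OpenSSL config unparsed; a malformed save then breaks every action guarded by `mvc.pre_exec` until it is repaired through this same page. A parse check on the candidate text before it is written (at minimum that it loads and carries a `ca` section with `default_ca`, which is what `getstatus` already requires) would surface the problem as `errtxt` instead of a broken deployment. The `pre_exec` exemption for `status` and `editconfigfile` looks deliberate for exactly that recovery path, so a one-line comment stating it, e.g. `-- status/editconfigfile stay reachable so a broken config can be inspected and repaired`, would keep the next reader from "tightening" it.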
@@ -8,11 +8,15 @@ require("html")
 -- actually stored in the request filename. The request filename is in the following format:
 -- 'username'.'ca section name'.'common name'.csr
+local packagename = "openssl"
 local configfile = "/etc/ssl/openssl.cnf"
 local requestdir = "/etc/ssl/req/"
 local certdir = "/etc/ssl/cert/"
 local openssldir = "/etc/ssl/"
+-- Save the config in a variable so isn't loaded each and every time needed
+local config = nil
+
 -- list of request entries that can be edited
 local distinguished_names = {
 {name="countryName", label="Country Name", short="C"},
 {name="stateOrProvinceName", label="State Or Province Name", short="ST"},
@@ -28,8 +32,8 @@ local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage",
 local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "policy" }
 -- Validate the values of distinguished names using the min/max found in the config file
-local validate_distinguished_names = function(values, inputconfig)
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+local validate_distinguished_names = function(values)
+ config = config or getopts.getoptsfromfile(configfile)
 local distinguished_name = config.req.distinguished_name or ""
 local success = true
@@ -49,9 +53,9 @@ local validate_distinguished_names = function(values, inputconfig)
 end
 -- Write distinguished name defaults to config file
-local write_distinguished_names = function(values, inputconfig)
+local write_distinguished_names = function(values)
 local file = fs.read_file(configfile)
- local config = inputconfig or getopts.getoptsfromfile(file)
+ config = config or getopts.getoptsfromfile(file)
 local distinguished_name = config.req.distinguished_name or ""
 for i,name in ipairs(distinguished_names) do
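Review bot: `write_distinguished_names` now fills the new module-level `config` cache from `getopts.getoptsfromfile(file)`, where `file` is the content string returned by `fs.read_file(configfile)` one line earlier, while every other call site in this commit passes the path `configfile`; the same shape appears in the `@@ -65,6 +69,7 @@` hunk, which re-caches from the freshly written `file` string. If `getoptsfromfile` expects a path (its name and the other call sites suggest so), both calls would only appear to work while the cache is already populated, and `setreqdefaults` clears the cache immediately before calling this function. Passing `configfile` in both places, or dropping the re-parse and leaving `config = nil` so the next reader reloads it, would make the cache consistent with the rest of the file. The original already passed `file` here, so this is raised as a suspicion to confirm against `getopts`, not a certainty; the difference now is that the result is shared with every other function through the cache.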
@@ -65,6 +69,7 @@ local write_distinguished_names = function(values, inputconfig)
 end
 end
 fs.write_file(configfile, file)
+ config = getopts.getoptsfromfile(file)
 end
 local create_subject_string = function(values)
@@ -76,8 +81,8 @@ local create_subject_string = function(values)
 end
 -- Find the sections of the config file that define ca's (ca -name option)
-local find_ca_sections = function(inputconfig)
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+local find_ca_sections = function()
+ config = config or getopts.getoptsfromfile(configfile)
 local cert_types = {}
 for section in pairs(config) do
@@ -96,7 +101,7 @@ local find_ca_sections = function(inputconfig)
 return cert_types
 end
-local handle_req_clientdata = function(clientdata, defaults, config)
+local handle_req_clientdata = function(clientdata, defaults)
 -- Next, put the user values into the table
 for name,value in pairs(clientdata) do
@@ -107,7 +112,7 @@ local handle_req_clientdata = function(clientdata, defaults, config)
 -- Next, validate the values
 local success
- success, defaults = validate_distinguished_names(defaults, config)
+ success, defaults = validate_distinguished_names(defaults)
 local foundcert=false
 for i,cert in ipairs(defaults.value.certtype.option) do
@@ -121,30 +126,65 @@ local handle_req_clientdata = function(clientdata, defaults, config)
 defaults.value.certtype.errtxt = "Invalid certificate type"
 end
- return success, defaults, config
+ return success, defaults
 end
-local getconfigpath = function(config, section, value)
- result=config[section][value] or ""
+local getconfigpath = function(section, value)
+ config = config or getopts.getoptsfromfile(configfile)
+ local result = config[section][value] or ""
 while string.find(result, "%$[%w_]+") do
 local sub = string.match(result, "%$[%w_]+")
- result = string.gsub(result, sub, config[section][string.sub(sub,2)] or config[""][string.sub(sub,2)])
+ result = string.gsub(result, sub, config[section][string.sub(sub,2)] or config[""][string.sub(sub,2)] or "")
 end
 return result
 end
 -- FIXME we need to make sure necessary files / directories / private key are there
 verifyopenssl = function()
+ -- set the working directory once for model
+ posix.chdir(openssldir)
+
 local retval = false
 if fs.is_file(configfile) then
- retval=true
+ config = config or getopts.getoptsfromfile(configfile)
+ if config and config.ca and config.ca.default_ca then
+ local cacert_file = getconfigpath(config.ca.default_ca, "private_key")
+ if fs.is_file(cacert_file) then
+ retval=true
+ end
+ end
 end
- return retval
+ return cfe({ type="boolean", value=retval, label="openssl verified" })
 end
-getreqdefaults = function(inputconfig)
+getstatus = function()
+ require("processinfo")
+ posix.chdir(openssldir)
+ local value,errtxt=processinfo.package_version(packagename)
+ local version = cfe({ value=value, errtxt=errtxt, label="Program version" })
+ local conffile = cfe({ value=configfile, label="Configuration file" })
+ local cacert = cfe({ label="CA Certificate" })
+ if not fs.is_file(configfile) then
+ conffile.errtxt="File not found"
+ cacert.errtxt="File not defined"
+ else
+ config = config or getopts.getoptsfromfile(configfile)
+ if (not config) or (not config.ca) or (not config.ca.default_ca) then
+ conffile.errtxt="Invalid config file"
+ cacert.errtxt="File not defined"
+ else
+ cacert.value = getconfigpath(config.ca.default_ca, "private_key")
+ if not fs.is_file(cacert.value) then
+ cacert.errtxt="File not found"
+ end
+ end
+ end
+ return cfe({ type="group", value={version=version, conffile=conffile, cacert=cacert}, label="openssl status" })
+end
+
+getreqdefaults = function()
 local defaults = cfe({ type="group", value={} })
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+ config = config or getopts.getoptsfromfile(configfile)
 local distinguished_name = config.req.distinguished_name or ""
 -- Get the distinguished name defaults
@@ -157,24 +197,24 @@ getreqdefaults = function(inputconfig)
 -- Add in the ca type default
 defaults.value.certtype = cfe({ type="select", label="Certificate Type",
- value=config.ca.default_ca, option=find_ca_sections(config) })
+ value=config.ca.default_ca, option=find_ca_sections() })
 return defaults
 end
 setreqdefaults = function(clientdata)
 -- First, get the defaults
- local config = getopts.getoptsfromfile(configfile)
+ config = config or getopts.getoptsfromfile(configfile)
 local defaults = getreqdefaults()
 -- Then, copy in user values and validate
- local success, defaults, config = handle_req_clientdata(clientdata, defaults, config)
+ local success, defaults = handle_req_clientdata(clientdata, defaults)
 -- Finally, write the values to the config file
 if success then
- write_distinguished_names(defaults, config)
- getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
+ config = nil
+ write_distinguished_names(defaults)
 end
 if not success then
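Review bot: `getconfigpath` indexes `config[section][value]` without checking that `config[section]` exists, and its two new callers, `verifyopenssl` and `getstatus`, hand it `config.ca.default_ca`, a section name read from the config file; if that section is absent the call raises an indexing error instead of the `errtxt` both functions otherwise report. Guarding the lookup, `local entry = config[section] or {}` followed by `local result = entry[value] or ""`, and using the same `entry` inside the substitution loop keeps both callers on their error-reporting path. Separately, `getstatus` labels its field `"CA Certificate"` but fills it from the `private_key` entry, and `verifyopenssl` stores the same path in a local named `cacert_file`; `ca_mandatory_entries` lists a distinct `certificate` entry, so either the key should be `"certificate"` or the label and local should say private key, otherwise the status page shows the CA key location under a certificate heading.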
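Review bot: `setreqdefaults` no longer persists the chosen certificate type: the removed `getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)` is replaced only by `config = nil` and `write_distinguished_names(defaults)`, and nothing in this hunk carries `defaults.value.certtype.value` into the file. Unless `write_distinguished_names` was extended outside these hunks to handle `default_ca`, the "Certificate Type" select on the edit-defaults form is now validated but ignored. If the removal is intentional, a one-line comment at that spot saying so, e.g. `-- default_ca is intentionally not written here`, would stop the next reader from re-adding it.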
@@ -194,11 +234,10 @@ end
 submitrequest = function(clientdata, user)
 -- First, get the defaults
- local config = getopts.getoptsfromfile(configfile)
- local defaults = getnewrequest(config)
+ local defaults = getnewrequest()
 -- Then, copy in user values and validate
- local success, defaults, config = handle_req_clientdata(clientdata, defaults, config)
+ local success, defaults = handle_req_clientdata(clientdata, defaults)
 -- Must have a common name
 if #defaults.value.commonName.value == 0 then
@@ -271,21 +310,17 @@ approverequest = function(request)
 local user,certtype,commonName = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
 -- Add the serial number to the end of the cert file name
- local config = getopts.getoptsfromfile(configfile)
- local serialpath = getconfigpath(config, certtype, "serial")
+ local serialpath = getconfigpath(certtype, "serial")
 local serialfile = fs.read_file(openssldir..serialpath)
 local serial = string.match(serialfile, "%x%x")
 local certname = certdir..request.."."..serial
 -- Now, sign the certificate
- local cwd = posix.getcwd()
- posix.chdir(openssldir)
 local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
 APP.logevent(cmd)
 local f = io.popen(cmd)
 cmdresult.value = f:read("*a")
 f:close()
- posix.chdir(cwd)
 -- If certificate created, create the wrapped up pkcs12
 if fs.is_file(certname..".crt") then
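Review bot: `approverequest` drops its own `posix.getcwd()` / `posix.chdir(openssldir)` / `posix.chdir(cwd)` bracket around the `openssl ca` invocation, yet the command still uses the relative `-in "..path..".csr` (with `path` built outside this hunk), so a correct signing run now depends on `verifyopenssl()` or `getstatus()` having changed directory earlier in the same process; in this commit that is only guaranteed by the controller's `mvc.pre_exec`. Any other caller of the model — a different controller, a command-line wrapper, a test — would run `openssl ca` in whatever directory it inherited. Either re-add `posix.chdir(openssldir)` as the first statement of `approverequest`, or document the precondition at the top of the function: `-- assumes verifyopenssl() has already chdir'd to openssldir`. Note also that the process-wide working directory is now left at `openssldir` for the remainder of the request rather than restored, which affects any later relative path in the controller.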
@@ -346,3 +381,41 @@ deletecert = function(cert)
 f:close()
 return cfe({ value="Certificate deleted", label="Delete result" })
 end
+
+-- FIXME this won't work because haserl doesn't support file upload. Untested and unfinished
+putca = function(file, pword, set)
+ local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' })
+ local password = cfe({ label="Certificate Password" })
+ local retval = cfe({ type="group", value={ca=ca, password=password} })
+ if file and pword and set then
+ fs.write_file(openssldir.."temp.pfx", file)
+ fs.write_file(openssldir.."temp.pwd", pword)
+
+ -- Still need to verify input (using openssl pkcs12) and put cert and key in right place
+ end
+ return retval
+end
+
+getconfigfile = function()
+ local filename = cfe({ value=configfile, label="File Name" })
+ local filecontent = cfe({ type="longtext", label="Config file" })
+ local filesize = cfe({ value="0", label="File size" })
+ local mtime = cfe({ value="---", label="File date" })
+ if fs.is_file(configfile) then
+ local filedetails = fs.stat(configfile)
+ filecontent.value=fs.read_file(configfile)
+ filesize.value = filedetails.size
+ mtime.value = filedetails.mtime
+ else
+ filename.errtxt = "File not found"
+ end
+ return cfe({ type="group", value={filename=filename, filecontent=filecontent, filesize=filesize, mtime=mtime}, label="Config file details" })
+end
+
+setconfigfile = function(file)
+ if file and type(file)=="string" and #file>0 then
+ fs.write_file(configfile, file)
+ return true
+ end
+ return false
+end
diff --git a/openssl.menu b/openssl.menu
index da1398a..b94c8fb 100644
--- a/openssl.menu
+++ b/openssl.menu
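Review bot: `setconfigfile` overwrites the config file but leaves the module-level `config` cache untouched, whereas `setreqdefaults` in this same commit clears it with `config = nil` before writing; after a save, anything in the same process that reads `config` keeps using the pre-edit parse. Adding `config = nil` directly after `fs.write_file(configfile, file)` follows the convention the commit itself establishes. In `putca`, which the FIXME already marks as unfinished, the user's password is written to `openssldir.."temp.pwd"` next to the upload and nothing removes either file; when this is completed, both temporary files should be deleted in the same function once openssl has consumed them, and the password ideally should not be persisted to disk at all.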
@@ -1,6 +1,8 @@
 # Prefix and controller are already known at this point
 # Cat Group Tab Action
+Applications 10Certificate_Authority Status status
 Applications 10Certificate_Authority All readall
-Applications 10Certificate_Authority Status read
+Applications 10Certificate_Authority View read
 Applications 10Certificate_Authority Request request
 Applications 10Certificate_Authority Edit_Defaults editdefaults
+Applications 10Certificate_Authority Expert editconfigfile
diff --git a/openssl.roles b/openssl.roles
index ec8ba3e..47b3bc9 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,2 +1,2 @@
-READ=openssl:read,openssl:request,openssl:viewrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
-UPDATE=openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:putcacert
+READ=openssl:status,openssl:read,openssl:request,openssl:viewrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
+UPDATE=openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:putcacert,openssl:editconfigfile |