authorTed Trask <ttrask01@yahoo.com>2008-05-22 19:06:04 +0000
committerTed Trask <ttrask01@yahoo.com>2008-05-22 19:06:04 +0000
commit6974a4052073c6aaadc6af8c30cf3d236b16b88f (patch)
tree1f272ff65fa67d1ad42ebf827c17a56010145fc1
parent29c8138587a3edcbc62b575bb8372597801b970e (diff)
downloadacf-openssl-6974a4052073c6aaadc6af8c30cf3d236b16b88f.tar.bz2
acf-openssl-6974a4052073c6aaadc6af8c30cf3d236b16b88f.tar.xz
openssl is now pretty much done except for revoking certificates.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1176 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--openssl-controller.lua42
-rw-r--r--openssl-model.lua131
-rw-r--r--openssl.menu4
-rw-r--r--openssl.roles4
4 files changed, 147 insertions, 34 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 78cbe2b..64dd307 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -3,7 +3,22 @@ module (..., package.seeall)
require("getopts")
-default_action = "read"
+default_action = "status"
+
+mvc={}
+mvc.pre_exec = function(self)
+ if self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" then
+ local verify = self.model.verifyopenssl()
+ if verify.value == false then
+ redirect(self)
+ end
+ end
+end
+
+-- Show openssl status
+status = function(self)
+ return self.model.getstatus()
+end
-- View all pending and approved requests and revoked certificates
readall = function(self)
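Review bot: The exemption list in the new pre_exec is doing security work without saying why: status and editconfigfile are the only actions that stay reachable when verifyopenssl() reports false, which is what lets an administrator repair a broken openssl.cnf, and the bare `redirect(self)` presumably falls back to default_action ("status"). A comment above the `if` would keep the next editor from extending that list casually, e.g. `-- Only status/editconfigfile run without a verified CA setup; every other action is redirected to the default page. Keep this list minimal: editconfigfile writes openssl.cnf unvalidated.` readall begins on the last line of this hunk and continues outside it.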
@@ -38,7 +53,7 @@ request = function(self)
cmdresult = cfe({ value="Request submitted", label="Request result" })
self.sessiondata.cmdresult = cmdresult
--request.descr = "Submitted request"
- redirect(self, "readall")
+ redirect(self, "read")
end
else
request = self.model.getnewrequest()
@@ -116,5 +131,28 @@ getrevoked = function(self)
end
-- Put the CA cert
+-- FIXME this won't work because haserl doesn't support file upload. Untested
putcacert = function(self)
+ local retval = self.model.putca(self.clientdata.ca, self.clientdata.password, self.clientdata.Upload)
+ retval.type = "form"
+ retval.option = "Upload"
+ retval.label = "Upload CA Certificate"
+ return retval
+end
+
+editconfigfile = function(self)
+ local saved = false
+ if self.clientdata.Save then
+ saved = self.model.setconfigfile(self.clientdata.filecontent)
+ end
+ local configfile = self.model.getconfigfile()
+ configfile.type = "form"
+ configfile.option = "Save"
+ configfile.label = "Edit config file"
+ if saved then
+ configfile.descr = "Saved config file"
+ elseif self.clientdata.Save then
+ configfile.errtxt = "Failed to save config file"
+ end
+ return configfile
end
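Review bot: editconfigfile reports "Saved config file" on nothing more than the model returning true, and what it writes is the raw textarea submission; nothing here checks that the result is still a config the rest of the module (pre_exec, approve) can use. After a save I would re-run the verifier and surface its result, `if saved then local v = self.model.verifyopenssl() if v.value == false then configfile.errtxt = "Saved, but openssl could not be verified with this config" end end`, and normalise line endings first, `self.clientdata.filecontent = string.gsub(self.clientdata.filecontent or "", "\r\n", "\n")`, unless the config parser is known to tolerate CRLF. putcacert is marked FIXME/untested in the same hunk, so I have not reviewed it as working code.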
diff --git a/openssl-model.lua b/openssl-model.lua
index a572f92..fa844fe 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -8,11 +8,15 @@ require("html")
-- actually stored in the request filename. The request filename is in the following format:
-- 'username'.'ca section name'.'common name'.csr
+local packagename = "openssl"
local configfile = "/etc/ssl/openssl.cnf"
local requestdir = "/etc/ssl/req/"
local certdir = "/etc/ssl/cert/"
local openssldir = "/etc/ssl/"
+-- Save the config in a variable so isn't loaded each and every time needed
+local config = nil
+
-- list of request entries that can be edited
local distinguished_names = { {name="countryName", label="Country Name", short="C"},
{name="stateOrProvinceName", label="State Or Province Name", short="ST"},
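Review bot: The new module-level `config` cache changes the contract of every helper that reads it, and the one-line comment does not say when it goes stale: setreqdefaults resets it to nil after setoptsinfile and write_distinguished_names re-parses after its write, but nothing else in this commit does. I would extend the comment to state the rule, e.g. `-- Parsed openssl.cnf, loaded lazily. Any function that writes configfile must set config = nil (or re-parse) before the next read, or later calls in the same request see stale values.` The lines below are a context tail of the distinguished_names table, defined outside this hunk.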
@@ -28,8 +32,8 @@ local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage",
local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "policy" }
-- Validate the values of distinguished names using the min/max found in the config file
-local validate_distinguished_names = function(values, inputconfig)
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+local validate_distinguished_names = function(values)
+ config = config or getopts.getoptsfromfile(configfile)
local distinguished_name = config.req.distinguished_name or ""
local success = true
@@ -49,9 +53,9 @@ local validate_distinguished_names = function(values, inputconfig)
end
-- Write distinguished name defaults to config file
-local write_distinguished_names = function(values, inputconfig)
+local write_distinguished_names = function(values)
local file = fs.read_file(configfile)
- local config = inputconfig or getopts.getoptsfromfile(file)
+ config = config or getopts.getoptsfromfile(file)
local distinguished_name = config.req.distinguished_name or ""
for i,name in ipairs(distinguished_names) do
@@ -65,6 +69,7 @@ local write_distinguished_names = function(values, inputconfig)
end
end
fs.write_file(configfile, file)
+ config = getopts.getoptsfromfile(file)
end
local create_subject_string = function(values)
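Review bot: The re-parse added after fs.write_file passes `file` — the config text read at the top of write_distinguished_names — to getopts.getoptsfromfile, while every other new call site in this commit passes the path `configfile`; unless getoptsfromfile accepts both, one form is wrong and this refresh would leave the cache empty or garbage immediately after the write. The older `config = config or getopts.getoptsfromfile(file)` a few lines up (outside this hunk) has the same shape, so it may be a pre-existing habit rather than a new bug. I would use `config = getopts.getoptsfromfile(configfile)` here so the cache is provably rebuilt from what is now on disk. write_distinguished_names begins outside this hunk.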
@@ -76,8 +81,8 @@ local create_subject_string = function(values)
end
-- Find the sections of the config file that define ca's (ca -name option)
-local find_ca_sections = function(inputconfig)
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+local find_ca_sections = function()
+ config = config or getopts.getoptsfromfile(configfile)
local cert_types = {}
for section in pairs(config) do
@@ -96,7 +101,7 @@ local find_ca_sections = function(inputconfig)
return cert_types
end
-local handle_req_clientdata = function(clientdata, defaults, config)
+local handle_req_clientdata = function(clientdata, defaults)
-- Next, put the user values into the table
for name,value in pairs(clientdata) do
@@ -107,7 +112,7 @@ local handle_req_clientdata = function(clientdata, defaults, config)
-- Next, validate the values
local success
- success, defaults = validate_distinguished_names(defaults, config)
+ success, defaults = validate_distinguished_names(defaults)
local foundcert=false
for i,cert in ipairs(defaults.value.certtype.option) do
@@ -121,30 +126,65 @@ local handle_req_clientdata = function(clientdata, defaults, config)
defaults.value.certtype.errtxt = "Invalid certificate type"
end
- return success, defaults, config
+ return success, defaults
end
-local getconfigpath = function(config, section, value)
- result=config[section][value] or ""
+local getconfigpath = function(section, value)
+ config = config or getopts.getoptsfromfile(configfile)
+ local result = config[section][value] or ""
while string.find(result, "%$[%w_]+") do
local sub = string.match(result, "%$[%w_]+")
- result = string.gsub(result, sub, config[section][string.sub(sub,2)] or config[""][string.sub(sub,2)])
+ result = string.gsub(result, sub, config[section][string.sub(sub,2)] or config[""][string.sub(sub,2)] or "")
end
return result
end
-- FIXME we need to make sure necessary files / directories / private key are there
verifyopenssl = function()
+ -- set the working directory once for model
+ posix.chdir(openssldir)
+
local retval = false
if fs.is_file(configfile) then
- retval=true
+ config = config or getopts.getoptsfromfile(configfile)
+ if config and config.ca and config.ca.default_ca then
+ local cacert_file = getconfigpath(config.ca.default_ca, "private_key")
+ if fs.is_file(cacert_file) then
+ retval=true
+ end
+ end
end
- return retval
+ return cfe({ type="boolean", value=retval, label="openssl verified" })
end
-getreqdefaults = function(inputconfig)
+getstatus = function()
+ require("processinfo")
+ posix.chdir(openssldir)
+ local value,errtxt=processinfo.package_version(packagename)
+ local version = cfe({ value=value, errtxt=errtxt, label="Program version" })
+ local conffile = cfe({ value=configfile, label="Configuration file" })
+ local cacert = cfe({ label="CA Certificate" })
+ if not fs.is_file(configfile) then
+ conffile.errtxt="File not found"
+ cacert.errtxt="File not defined"
+ else
+ config = config or getopts.getoptsfromfile(configfile)
+ if (not config) or (not config.ca) or (not config.ca.default_ca) then
+ conffile.errtxt="Invalid config file"
+ cacert.errtxt="File not defined"
+ else
+ cacert.value = getconfigpath(config.ca.default_ca, "private_key")
+ if not fs.is_file(cacert.value) then
+ cacert.errtxt="File not found"
+ end
+ end
+ end
+ return cfe({ type="group", value={version=version, conffile=conffile, cacert=cacert}, label="openssl status" })
+end
+
+getreqdefaults = function()
local defaults = cfe({ type="group", value={} })
- local config = inputconfig or getopts.getoptsfromfile(configfile)
+ config = config or getopts.getoptsfromfile(configfile)
local distinguished_name = config.req.distinguished_name or ""
-- Get the distinguished name defaults
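Review bot: In getstatus the field labelled "CA Certificate" is filled from the `private_key` entry of the default CA section (and verifyopenssl checks the same path under the name cacert_file), so the Status tab — granted to the READ role in this commit — prints the CA private key's location and calls it the certificate. Either read the certificate, `cacert.value = getconfigpath(config.ca.default_ca, "certificate")`, and add a separate `cakey` cfe for the key check, or at least rename the label so the displayed path is not misdescribed. Two smaller things in the same hunk: getconfigpath indexes `config[section]` without checking the section exists, so a bad section name (approverequest derives it from a request filename) raises a Lua error instead of returning, and its `$var` expansion loop never terminates if a value refers to itself (`dir = $dir/x`); a guard such as `local sect = config[section]; if not sect then return "" end` plus a bounded iteration count would make both failures visible rather than fatal. getreqdefaults starts at the end of this hunk and continues outside it.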
@@ -157,24 +197,24 @@ getreqdefaults = function(inputconfig)
-- Add in the ca type default
defaults.value.certtype = cfe({ type="select", label="Certificate Type",
- value=config.ca.default_ca, option=find_ca_sections(config) })
+ value=config.ca.default_ca, option=find_ca_sections() })
return defaults
end
setreqdefaults = function(clientdata)
-- First, get the defaults
- local config = getopts.getoptsfromfile(configfile)
+ config = config or getopts.getoptsfromfile(configfile)
local defaults = getreqdefaults()
-- Then, copy in user values and validate
- local success, defaults, config = handle_req_clientdata(clientdata, defaults, config)
+ local success, defaults = handle_req_clientdata(clientdata, defaults)
-- Finally, write the values to the config file
if success then
- write_distinguished_names(defaults, config)
-
getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
+ config = nil
+ write_distinguished_names(defaults)
end
if not success then
@@ -194,11 +234,10 @@ end
submitrequest = function(clientdata, user)
-- First, get the defaults
- local config = getopts.getoptsfromfile(configfile)
- local defaults = getnewrequest(config)
+ local defaults = getnewrequest()
-- Then, copy in user values and validate
- local success, defaults, config = handle_req_clientdata(clientdata, defaults, config)
+ local success, defaults = handle_req_clientdata(clientdata, defaults)
-- Must have a common name
if #defaults.value.commonName.value == 0 then
@@ -271,21 +310,17 @@ approverequest = function(request)
local user,certtype,commonName = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
-- Add the serial number to the end of the cert file name
- local config = getopts.getoptsfromfile(configfile)
- local serialpath = getconfigpath(config, certtype, "serial")
+ local serialpath = getconfigpath(certtype, "serial")
local serialfile = fs.read_file(openssldir..serialpath)
local serial = string.match(serialfile, "%x%x")
local certname = certdir..request.."."..serial
-- Now, sign the certificate
- local cwd = posix.getcwd()
- posix.chdir(openssldir)
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
APP.logevent(cmd)
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
- posix.chdir(cwd)
-- If certificate created, create the wrapped up pkcs12
if fs.is_file(certname..".crt") then
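Review bot: The new `getconfigpath(certtype, "serial")` call takes certtype straight from the request filename, and getconfigpath indexes `config[certtype]` unguarded, so a request whose middle component is not a CA section raises a Lua error here instead of reporting a failure; the following `string.match(serialfile, "%x%x")` likewise errors if the serial file could not be read. Validating certtype against find_ca_sections() before this point — `if not config[certtype] then cmdresult.errtxt = "Unknown certificate type" return cmdresult end` (shaped to match how cmdresult is returned elsewhere in this function) — fixes that and also bounds what reaches the `-name` argument of the unchanged, string-concatenated openssl command line below. Dropping the getcwd/chdir pair leaves approverequest depending on verifyopenssl having run in pre_exec for the relative `.csr`/`.crt` paths to resolve; that holds for the approve action today but deserves a comment on the popen line. approverequest starts outside this hunk and continues after it.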
@@ -346,3 +381,41 @@ deletecert = function(cert)
f:close()
return cfe({ value="Certificate deleted", label="Delete result" })
end
+
+-- FIXME this won't work because haserl doesn't support file upload. Untested and unfinished
+putca = function(file, pword, set)
+ local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' })
+ local password = cfe({ label="Certificate Password" })
+ local retval = cfe({ type="group", value={ca=ca, password=password} })
+ if file and pword and set then
+ fs.write_file(openssldir.."temp.pfx", file)
+ fs.write_file(openssldir.."temp.pwd", pword)
+
+ -- Still need to verify input (using openssl pkcs12) and put cert and key in right place
+ end
+ return retval
+end
+
+getconfigfile = function()
+ local filename = cfe({ value=configfile, label="File Name" })
+ local filecontent = cfe({ type="longtext", label="Config file" })
+ local filesize = cfe({ value="0", label="File size" })
+ local mtime = cfe({ value="---", label="File date" })
+ if fs.is_file(configfile) then
+ local filedetails = fs.stat(configfile)
+ filecontent.value=fs.read_file(configfile)
+ filesize.value = filedetails.size
+ mtime.value = filedetails.mtime
+ else
+ filename.errtxt = "File not found"
+ end
+ return cfe({ type="group", value={filename=filename, filecontent=filecontent, filesize=filesize, mtime=mtime}, label="Config file details" })
+end
+
+setconfigfile = function(file)
+ if file and type(file)=="string" and #file>0 then
+ fs.write_file(configfile, file)
+ return true
+ end
+ return false
+end
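Review bot: setconfigfile returns true as soon as the input is a non-empty string: the result of fs.write_file is discarded, so if that helper reports failures the controller will still show "Saved config file" on a read-only or full filesystem, and the module-level `config` cache is not reset, unlike setreqdefaults. I would return the write result and drop the cache: `local ok = fs.write_file(configfile, file)` / `config = nil` / `return ok ~= false` (adjusting if fs.write_file returns nothing on success). In putca the PKCS#12 password is written in clear to the fixed path `openssldir.."temp.pwd"` with whatever mode the default umask gives, and nothing removes it; the function is marked unfinished, but before it ships the password should reach `openssl pkcs12` via `-passin` from memory or, failing that, a 0600 file deleted as soon as the command has run.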
diff --git a/openssl.menu b/openssl.menu
index da1398a..b94c8fb 100644
--- a/openssl.menu
+++ b/openssl.menu
@@ -1,6 +1,8 @@
# Prefix and controller are already known at this point
# Cat Group Tab Action
+Applications 10Certificate_Authority Status status
Applications 10Certificate_Authority All readall
-Applications 10Certificate_Authority Status read
+Applications 10Certificate_Authority View read
Applications 10Certificate_Authority Request request
Applications 10Certificate_Authority Edit_Defaults editdefaults
+Applications 10Certificate_Authority Expert editconfigfile
diff --git a/openssl.roles b/openssl.roles
index ec8ba3e..47b3bc9 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,2 +1,2 @@
-READ=openssl:read,openssl:request,openssl:viewrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
-UPDATE=openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:putcacert
+READ=openssl:status,openssl:read,openssl:request,openssl:viewrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
+UPDATE=openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:putcacert,openssl:editconfigfile