authorTed Trask <ttrask01@yahoo.com>2015-01-30 16:52:43 -0500
committerTed Trask <ttrask01@yahoo.com>2015-01-30 16:52:43 -0500
commit81a6cd86d633eb166d47d6581a113b56d51b63f1 (patch)
tree053464947335afd35f7a7dde3d7eba1e0e886963
parent35e11d3f9186ed9f13ab2008589832242e15b49d (diff)
Cleanup of path access in preparation for handling CAs in different paths
-rw-r--r--openssl-model.lua79
1 files changed, 39 insertions, 40 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index f5ab354..d15c358 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -13,10 +13,9 @@ validator = require("acf.validator")
-- 'username'.'ca section name'.'common name'.csr
local packagename = "openssl"
---local configfile = "/etc/ssl/openssl.cnf"
-local configfile = "/etc/ssl/openssl-ca-acf.cnf"
-local requestdir = "/etc/ssl/req/"
-local certdir = "/etc/ssl/cert/"
+local configfile = "openssl-ca-acf.cnf"
+local requestdir = "req/"
+local certdir = "cert/"
local openssldir = "/etc/ssl/"
-- Save the config in a variable so isn't loaded each and every time needed
@@ -34,7 +33,7 @@ local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "d
-- Create a cfe with the distinguished name defaults
local getdefaults = function()
local defaults = cfe({ type="group", value={} })
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local distinguished_name = config.req.distinguished_name or ""
-- Define the order of the parameters in the form
@@ -56,7 +55,7 @@ end
-- Validate the values of distinguished names using the min/max found in the config file
local validate_distinguished_names = function(values)
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local distinguished_name = config.req.distinguished_name or ""
local success = true
@@ -127,7 +126,7 @@ local create_subject_string = function(values, ignorevalues)
end
local getconfigentry = function(section, value)
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local result = config[section][value] or config[""][value] or ""
while string.find(result, "%$[%w_]+") do
local sub = string.match(result, "%$[%w_]+")
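Review bot: `config[section][value]` on the line after the changed one raises an index error when `section` is absent from the parsed config, and `section` is taken from the request name in `approverequest` (`getconfigentry(certtype, "serial")`), so an unknown certtype turns into a Lua error rather than a handled failure. A one-line guard keeps the function's contract: `local result = (config[section] or {})[value] or (config[""] or {})[value] or ""`. The rest of getconfigentry, including the `$var` expansion loop, is outside the hunk.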
@@ -138,7 +137,7 @@ end
-- Find the sections of the config file that define ca's (ca -name option)
local find_ca_sections = function()
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local cert_types = {}
for section in pairs(config) do
@@ -176,7 +175,7 @@ local validate_request = function(defaults, noextensionsections)
end
if defaults.value.extensions then
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local extensions = format.parse_ini_file(defaults.value.extensions.value)
for name,value in pairs(extensions or {}) do
if name ~= "" and noextensionsections then
@@ -193,7 +192,7 @@ local validate_request = function(defaults, noextensionsections)
end
local copyca = function(cacert, cakey)
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local certpath = getconfigentry(config.ca.default_ca, "certificate")
fs.move_file(cacert, certpath)
local keypath = getconfigentry(config.ca.default_ca, "private_key")
@@ -257,17 +256,17 @@ mymodule.getstatus = function()
posix.chdir(openssldir)
local value,errtxt=processinfo.package_version(packagename)
local version = cfe({ value=value, errtxt=errtxt, label="Program version", name=packagename })
- local conffile = cfe({ value=configfile, label="Configuration file" })
+ local conffile = cfe({ value=openssldir..configfile, label="Configuration file" })
local cacert = cfe({ label="CA Certificate" })
local cacertcontents = cfe({ type="longtext", label="CA Certificate contents" })
local cakey = cfe({ label="CA Key" })
- if not fs.is_file(configfile) then
+ if not fs.is_file(openssldir..configfile) then
conffile.errtxt="File not found"
cacert.errtxt="File not defined"
cacertcontents.errtxt=""
cakey.errtxt="File not defined"
else
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
if (not config) or (not config.ca) or (not config.ca.default_ca) then
conffile.errtxt="Invalid config file"
cacert.errtxt="File not defined"
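Review bot: `posix.chdir(openssldir)` at the top of getstatus changes the working directory of the whole process for every later request, and after this commit every path in the visible part of the function is spelled out as `openssldir..`, so the chdir no longer buys anything here. If a later part of getstatus (outside the hunk) still relies on the cwd, a comment naming that call, `-- chdir needed by: <call>`, would keep the next cleanup from dropping it; if nothing does, the line can go. The three `errtxt` assignments in the not-a-file branch are repeated in the invalid-config branch; a tiny local helper would remove the duplication.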
@@ -323,7 +322,7 @@ mymodule.getreqdefaults = function()
value=config.ca.default_ca, option=find_ca_sections(), seq=96 })
-- Add in the extensions
local extensions = ""
- local content = fs.read_file(configfile) or ""
+ local content = fs.read_file(openssldir..configfile) or ""
config = config or format.parse_ini_file(content)
if config.req.req_extensions then
extensions = format.get_ini_section(content, config.req.req_extensions)
@@ -338,7 +337,7 @@ mymodule.setreqdefaults = function(self, defaults)
-- If success, write the values to the config file
if success then
- local fileval = fs.read_file(configfile) or ""
+ local fileval = fs.read_file(openssldir..configfile) or ""
config = config or format.parse_ini_file(fileval)
local ext_section
if not config.req or not config.req.req_extensions then
@@ -353,7 +352,7 @@ mymodule.setreqdefaults = function(self, defaults)
fileval = format.set_ini_section(fileval, ext_section, format.dostounix(defaults.value.extensions.value))
fileval = format.update_ini_file(fileval, "ca", "default_ca", defaults.value.certtype.value)
fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions", "validdays"})
- fs.write_file(configfile, fileval)
+ fs.write_file(openssldir..configfile, fileval)
end
if not success then
@@ -389,7 +388,7 @@ mymodule.submitrequest = function(defaults, user)
success = false
end
- local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
+ local reqname = openssldir..requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
if fs.is_file(reqname..".csr") then
defaults.errtxt = "Failed to submit request\nRequest already exists"
success = false
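Review bot: `reqname` is assembled with `defaults.value.certtype.value` placed directly into a filesystem path; `commonName` goes through `hashname`, but certtype does not, so unless `validate_request` (only partly visible above) restricts certtype to the names returned by `find_ca_sections`, a value containing `/` or `..` escapes `requestdir` and the `.csr`/`.cfg` files end up elsewhere. If that restriction exists it is worth saying so here, `-- certtype already validated against find_ca_sections in validate_request`; if not, reject it before building the path: `if not string.find(defaults.value.certtype.value, "^[%w_%-]+$") then success = false end`. submitrequest continues outside the hunk.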
@@ -405,7 +404,7 @@ mymodule.submitrequest = function(defaults, user)
local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"})
-- Generate a temp config file for this request
- local fileval = fs.read_file(configfile) or ""
+ local fileval = fs.read_file(openssldir..configfile) or ""
config = config or format.parse_ini_file(fileval)
local ext_section = "v3_req"
while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
@@ -450,7 +449,7 @@ end
mymodule.listrequests = function(user)
user = user or "*"
local list={}
- local files = posix.glob(requestdir..user..".*\\.csr") or {}
+ local files = posix.glob(openssldir..requestdir..user..".*\\.csr") or {}
for i,x in ipairs(files) do
local name = string.gsub(posix.basename(x), ".csr$", "")
local a,b,c = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -460,7 +459,7 @@ mymodule.listrequests = function(user)
end
mymodule.viewrequest = function(request)
- local reqpath = requestdir .. request
+ local reqpath = openssldir..requestdir .. request
local cmdresult = modelfunctions.run_executable({"openssl", "req", "-in", reqpath..".csr", "-text", "-noout"})
local a,b,c = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
local request = cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, value=cmdresult}, label="Request Details" })
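Review bot: the `name=name` field on the last line reads a `name` that is not declared anywhere in `viewrequest`, so it is either an accidental global or, more likely, nil, and the table never carries the request name it appears meant to expose (the same pattern is in `viewcert` below). It presumably should be `value={name=request, user=a, certtype=b, commonName=c, value=cmdresult}` — note the parameter is shadowed by the local on that same line, so the field must read the parameter, not the new local. `request` is also used in a path without any check; if the controller does not validate it against `listrequests`, a value containing `/` reaches `openssl req -in`.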
@@ -474,7 +473,7 @@ mymodule.getapproverequest = function(self, clientdata)
end
mymodule.approverequest = function(self, apprequest)
- local reqpath = requestdir .. apprequest.value.request.value
+ local reqpath = openssldir..requestdir .. apprequest.value.request.value
if fs.is_file(reqpath..".csr") then
-- Request file exists, so try to sign
local user,certtype,commonName = string.match(apprequest.value.request.value, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -483,7 +482,7 @@ mymodule.approverequest = function(self, apprequest)
local serialpath = getconfigentry(certtype, "serial")
local serialfile = fs.read_file(serialpath) or ""
local serial = string.match(serialfile, "%x+")
- local certname = certdir..apprequest.value.request.value.."."..serial
+ local certname = openssldir..certdir..apprequest.value.request.value.."."..serial
-- Now, sign the certificate
apprequest.descr, apprequest.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", reqpath..".cfg", "-in", reqpath..".csr", "-out", certname..".crt", "-name", certtype, "-batch"}, true)
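Review bot: `reqpath` (built in the previous hunk from the raw `apprequest.value.request.value`) is passed here as `openssl ca -config reqpath..".cfg"`, so a request name containing `../` lets the caller choose which configuration the CA runs with, and that configuration decides `private_key`, `database` and `new_certs_dir`; the earlier `fs.is_file` check only shows a `.csr` exists at that path, not that it lies inside `requestdir`. Unless `getapproverequest` already restricts the value to names produced by `listrequests`, refuse path separators before building `reqpath`: `if string.find(apprequest.value.request.value, "/", 1, true) then apprequest.errtxt = "Invalid request name"; return apprequest end`. Separately, `serial` is nil when the serial file is missing or empty, and the `certname` concatenation on the changed line then raises instead of reporting a failure. The same derived-path pattern appears in deleterequest, revokecert and deletecert below; approverequest continues outside the hunk.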
@@ -529,11 +528,11 @@ end
mymodule.deleterequest = function(self, delrequest, user)
user = user or ".*"
- if (not fs.is_file(requestdir..delrequest.value.request.value..".csr")) or (not string.find(delrequest.value.request.value, "^"..user.."%.")) then
+ if (not fs.is_file(openssldir..requestdir..delrequest.value.request.value..".csr")) or (not string.find(delrequest.value.request.value, "^"..user.."%.")) then
delrequest.value.request.errtxt = "Request not found"
delrequest.errtxt = "Failed to Delete Request"
else
- local reqpath = requestdir..delrequest.value.request.value
+ local reqpath = openssldir..requestdir..delrequest.value.request.value
os.remove(reqpath..".pwd")
os.remove(reqpath..".sbj")
os.remove(reqpath..".pem")
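Review bot: the ownership test `string.find(delrequest.value.request.value, "^"..user.."%.")` interpolates `user` as a Lua pattern, so a user name containing `-`, `.`, `(`, `[` or `%` either fails to match its own requests or matches other users' (a `-` turns the preceding character into a lazy repetition). The `.*` default relies on pattern behaviour, so keep it as a special case and compare the prefix literally otherwise, e.g. `local owned = (user == ".*") or (string.sub(reqvalue, 1, #user + 1) == user .. ".")` with `reqvalue` being the request value. The character set of `user` is not visible here; if it is known to be alphanumeric, a comment stating that would be enough. deleterequest continues outside the hunk.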
@@ -546,7 +545,7 @@ end
mymodule.listcerts = function(user)
user = user or "*"
local list={}
- local files = posix.glob(certdir..user..".*\\.pfx") or {}
+ local files = posix.glob(openssldir..certdir..user..".*\\.pfx") or {}
-- Do this in two steps - saves forking openssl for each cert, which
-- speeds things up noticably for > 100 certs
local crtlist = {}
@@ -557,7 +556,7 @@ mymodule.listcerts = function(user)
list[#list + 1] = {name=name, user=a, certtype=b,
commonName=unhashname(c), serial=d, enddate=enddate,
daysremaining=time}
- crtlist[#crtlist+1] = "x509 -in "..certdir..name..".crt -noout -enddate"
+ crtlist[#crtlist+1] = "x509 -in "..openssldir..certdir..name..".crt -noout -enddate"
end
local out = modelfunctions.run_executable({"openssl"}, false, table.concat(crtlist, "\n").."\nexit\n")
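Review bot: unlike every other invocation in this file, `listcerts` builds the `x509 -in <path>` commands as text on openssl's interactive stdin, so the path is split on whitespace by openssl's own tokenizer rather than passed as an argv element; now that `openssldir..certdir` is spliced into each line, a CA directory containing a space (exactly the "CAs in different paths" this commit prepares for) would break every line, and the failure would surface only as a garbled `out`. As far as I recall openssl's interactive parser accepts quoted tokens, so the cheap fix is `crtlist[#crtlist+1] = 'x509 -in "'..openssldir..certdir..name..'.crt" -noout -enddate'`, with a comment `-- path is tokenized by openssl itself; keep it quoted` so the quotes survive the next edit. listcerts continues outside the hunk.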
@@ -584,13 +583,13 @@ mymodule.listcerts = function(user)
end
mymodule.viewcert = function(cert)
- local cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", certdir..cert..".crt", "-noout", "-text"})
+ local cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", openssldir..certdir..cert..".crt", "-noout", "-text"})
local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
return cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, serial=d, value=cmdresult}, label="Certificate Details" })
end
mymodule.getcert = function(cert)
- local f = fs.read_file(certdir..cert..".pfx") or ""
+ local f = fs.read_file(openssldir..certdir..cert..".pfx") or ""
local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
c = string.gsub(unhashname(c), "[^%w_-]", "")
return cfe({ type="raw", value=f, label=c..".pfx", option="application/x-pkcs12" })
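Review bot: `cert` is sanitised for the download label (`string.gsub(unhashname(c), "[^%w_-]", "")`) but not for the path on the first changed line, where the raw value is concatenated into `openssldir..certdir..cert..".pfx"` — the file name shown to the user is restricted while the file actually read is not, and the `.pfx` suffix is the only thing limiting what `fs.read_file` returns. A `.pfx` carries the private key, so the handler should at least refuse names with a path separator, `if string.find(cert, "/", 1, true) then cert = "" end`, and, if per-user isolation is intended (listcerts takes a `user`, getcert does not), also check that `a` equals the calling user. Whether the controller already enforces either is not visible here.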
@@ -603,7 +602,7 @@ mymodule.getrevokecert = function(self, clientdata)
end
mymodule.revokecert = function(self, revreq)
- revreq.descr, revreq.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-revoke", certdir..revreq.value.cert.value..".crt", "-batch"}, true)
+ revreq.descr, revreq.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", openssldir..configfile, "-revoke", openssldir..certdir..revreq.value.cert.value..".crt", "-batch"}, true)
return revreq
end
@@ -615,7 +614,7 @@ end
mymodule.deletecert = function(self, delcert)
-- The certificate will still be in the ca directories and index.txt, just not available for web interface
- local certname = certdir..delcert.value.cert.value
+ local certname = openssldir..certdir..delcert.value.cert.value
os.remove(certname..".cfg")
os.remove(certname..".crt")
os.remove(certname..".pem")
@@ -634,7 +633,7 @@ end
mymodule.renewcert = function(self, recert, submit, approve)
local success = true
local user,certtype,commonName,serialnum = string.match(recert.value.cert.value, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
- local reqname = requestdir..user.."."..certtype.."."..commonName
+ local reqname = openssldir..requestdir..user.."."..certtype.."."..commonName
if fs.is_file(reqname..".csr") then
recert.errtxt = "Failed to submit request"
recert.value.cert.errtxt = "Request already exists"
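Review bot: the pattern on the first line of the hunk, `"([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)"`, escapes the first three separators but not the fourth — a bare `.` matches any character — so on a malformed cert name the match silently splits in the wrong place, and when it fails outright `user` is nil and the `reqname` concatenation on the changed line raises instead of setting `errtxt`. The same slip is in `viewcert` and `getcert`. Use `%.` for the last separator, `"([^%.]*)%.([^%.]*)%.([^%.]*)%.([^%.]*)"`, and bail out on a nil capture: `if not user then recert.errtxt = "Invalid certificate name"; return recert end`. renewcert continues outside the hunk.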
@@ -644,7 +643,7 @@ mymodule.renewcert = function(self, recert, submit, approve)
if success then
-- Submit the request
-- First, put the subject, config file and password in place
- local certname = certdir..recert.value.cert.value
+ local certname = openssldir..certdir..recert.value.cert.value
fs.copy_file(certname..".pwd", reqname..".pwd")
fs.copy_file(certname..".sbj", reqname..".sbj")
fs.copy_file(certname..".cfg", reqname..".cfg")
@@ -682,7 +681,7 @@ mymodule.renewcert = function(self, recert, submit, approve)
end
mymodule.listrevoked = function()
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
local databasepath = getconfigentry(config.ca.default_ca, "database")
local revoked = {}
local database = fs.read_file_as_array(databasepath) or {}
@@ -696,7 +695,7 @@ end
mymodule.getcrl = function(crltype)
local crlfile = cfe({ type="raw", option="application/pkix-crl" })
- modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-gencrl", "-out", openssldir.."ca-crl.crl"})
+ modelfunctions.run_executable({"openssl", "ca", "-config", openssldir..configfile, "-gencrl", "-out", openssldir.."ca-crl.crl"})
modelfunctions.run_executable({"openssl", "crl", "-in", openssldir.."ca-crl.crl", "-out", openssldir.."ca-der-crl.crl", "-outform", "DER"})
if string.lower(crltype or "") == "der" then
crlfile.label = "ca-der-crl.crl"
@@ -811,7 +810,7 @@ mymodule.generateca = function(self, defaults)
-- Submit the request
local subject = create_subject_string(defaults, {"days"})
- local cmdresult = modelfunctions.run_executable({"openssl", "req", "-x509", "-nodes", "-new", "-config", configfile, "-keyout", "/tmp/cakey.pem", "-out", "/tmp/cacert.pem", "-subj", subject, "-days", defaults.value.days.value}, true)
+ local cmdresult = modelfunctions.run_executable({"openssl", "req", "-x509", "-nodes", "-new", "-config", openssldir..configfile, "-keyout", "/tmp/cakey.pem", "-out", "/tmp/cacert.pem", "-subj", subject, "-days", defaults.value.days.value}, true)
local certfilestats = posix.stat("/tmp/cacert.pem")
local keyfilestats = posix.stat("/tmp/cakey.pem")
if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
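Review bot: the changed line still writes the new CA's unencrypted private key (`-nodes`) to the fixed path `/tmp/cakey.pem`; a world-writable directory with a predictable name lets any local user pre-create or symlink that path, and depending on the OpenSSL version the key file is created with the process umask rather than 0600, so it may also be readable by others until `copyca` moves it. Generate into a private location instead — a directory under `openssldir` created with mode 0700 and an unpredictable name — and hand those paths to `copyca`; a comment `-- key material must never touch a shared tmp dir` would record the reason. The remainder of generateca, including the move into place, is outside the hunk.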
@@ -837,12 +836,12 @@ mymodule.generateca = function(self, defaults)
end
mymodule.getconfigfile = function()
- return modelfunctions.getfiledetails(configfile)
+ return modelfunctions.getfiledetails(openssldir..configfile)
end
mymodule.setconfigfile = function(self, filedetails)
-- validate
- return modelfunctions.setfiledetails(self, filedetails, {configfile})
+ return modelfunctions.setfiledetails(self, filedetails, {openssldir..configfile})
end
mymodule.getenvironment = function(self, clientdata)
@@ -869,11 +868,11 @@ mymodule.checkenvironment = function()
-- First check for the openssl, req, and cert directories
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("openssl directory", openssldir)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", certdir)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", requestdir)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", openssldir..certdir)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", openssldir..requestdir)
-- Then check for the config file entries
- config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+ config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
if config then
local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir")