author | Ted Trask <ttrask01@yahoo.com> | 2015-01-30 16:52:43 -0500 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2015-01-30 16:52:43 -0500 |
commit | 81a6cd86d633eb166d47d6581a113b56d51b63f1 (patch) | |
tree | 053464947335afd35f7a7dde3d7eba1e0e886963 | |
parent | 35e11d3f9186ed9f13ab2008589832242e15b49d (diff) | |
Cleanup of path access in preparation for handling CAs in different paths
-rw-r--r-- | openssl-model.lua | 79 |
1 files changed, 39 insertions, 40 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index f5ab354..d15c358 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -13,10 +13,9 @@ validator = require("acf.validator")
 -- 'username'.'ca section name'.'common name'.csr
 local packagename = "openssl"
---local configfile = "/etc/ssl/openssl.cnf"
-local configfile = "/etc/ssl/openssl-ca-acf.cnf"
-local requestdir = "/etc/ssl/req/"
-local certdir = "/etc/ssl/cert/"
+local configfile = "openssl-ca-acf.cnf"
+local requestdir = "req/"
+local certdir = "cert/"
 local openssldir = "/etc/ssl/"
 -- Save the config in a variable so isn't loaded each and every time needed
@@ -34,7 +33,7 @@ local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "d
 -- Create a cfe with the distinguished name defaults
 local getdefaults = function()
 local defaults = cfe({ type="group", value={} })
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local distinguished_name = config.req.distinguished_name or ""
 -- Define the order of the parameters in the form
@@ -56,7 +55,7 @@ end
 -- Validate the values of distinguished names using the min/max found in the config file
 local validate_distinguished_names = function(values)
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local distinguished_name = config.req.distinguished_name or ""
 local success = true
@@ -127,7 +126,7 @@ local create_subject_string = function(values, ignorevalues)
 end
 local getconfigentry = function(section, value)
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local result = config[section][value] or config[""][value] or ""
 while string.find(result, "%$[%w_]+") do
 local sub = string.match(result, "%$[%w_]+")
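Review bot: Every use site now spells out `openssldir..configfile` by hand (the same pattern recurs in roughly twenty hunks through the end of this diff, plus `openssldir..requestdir` and `openssldir..certdir`), which is easy to get inconsistent once the per-CA paths this commit prepares for arrive. One derived local next to the definitions in this hunk, `local configpath = openssldir..configfile`, used wherever `configfile` was used before, would keep the joining in a single place; the two directory prefixes could be handled the same way. If the plan is for `openssldir` itself to become per-CA, a small helper taking the CA name would serve the same purpose and is equally cheap to introduce now.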
@@ -138,7 +137,7 @@ end
 -- Find the sections of the config file that define ca's (ca -name option)
 local find_ca_sections = function()
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local cert_types = {}
 for section in pairs(config) do
@@ -176,7 +175,7 @@ local validate_request = function(defaults, noextensionsections)
 end
 if defaults.value.extensions then
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local extensions = format.parse_ini_file(defaults.value.extensions.value)
 for name,value in pairs(extensions or {}) do
 if name ~= "" and noextensionsections then
@@ -193,7 +192,7 @@ local validate_request = function(defaults, noextensionsections)
 end
 local copyca = function(cacert, cakey)
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local certpath = getconfigentry(config.ca.default_ca, "certificate")
 fs.move_file(cacert, certpath)
 local keypath = getconfigentry(config.ca.default_ca, "private_key")
@@ -257,17 +256,17 @@ mymodule.getstatus = function()
 posix.chdir(openssldir)
 local value,errtxt=processinfo.package_version(packagename)
 local version = cfe({ value=value, errtxt=errtxt, label="Program version", name=packagename })
-local conffile = cfe({ value=configfile, label="Configuration file" })
+local conffile = cfe({ value=openssldir..configfile, label="Configuration file" })
 local cacert = cfe({ label="CA Certificate" })
 local cacertcontents = cfe({ type="longtext", label="CA Certificate contents" })
 local cakey = cfe({ label="CA Key" })
-if not fs.is_file(configfile) then
+if not fs.is_file(openssldir..configfile) then
 conffile.errtxt="File not found"
 cacert.errtxt="File not defined"
 cacertcontents.errtxt=""
 cakey.errtxt="File not defined"
 else
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 if (not config) or (not config.ca) or (not config.ca.default_ca) then
 conffile.errtxt="Invalid config file"
 cacert.errtxt="File not defined"
@@ -323,7 +322,7 @@ mymodule.getreqdefaults = function()
 value=config.ca.default_ca, option=find_ca_sections(), seq=96 })
 -- Add in the extensions
 local extensions = ""
-local content = fs.read_file(configfile) or ""
+local content = fs.read_file(openssldir..configfile) or ""
 config = config or format.parse_ini_file(content)
 if config.req.req_extensions then
 extensions = format.get_ini_section(content, config.req.req_extensions)
@@ -338,7 +337,7 @@ mymodule.setreqdefaults = function(self, defaults)
 -- If success, write the values to the config file
 if success then
-local fileval = fs.read_file(configfile) or ""
+local fileval = fs.read_file(openssldir..configfile) or ""
 config = config or format.parse_ini_file(fileval)
 local ext_section
 if not config.req or not config.req.req_extensions then
@@ -353,7 +352,7 @@ mymodule.setreqdefaults = function(self, defaults)
 fileval = format.set_ini_section(fileval, ext_section, format.dostounix(defaults.value.extensions.value))
 fileval = format.update_ini_file(fileval, "ca", "default_ca", defaults.value.certtype.value)
 fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions", "validdays"})
-fs.write_file(configfile, fileval)
+fs.write_file(openssldir..configfile, fileval)
 end
 if not success then
@@ -389,7 +388,7 @@ mymodule.submitrequest = function(defaults, user)
 success = false
 end
-local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
+local reqname = openssldir..requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
 if fs.is_file(reqname..".csr") then
 defaults.errtxt = "Failed to submit request\nRequest already exists"
 success = false
@@ -405,7 +404,7 @@ mymodule.submitrequest = function(defaults, user)
 local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"})
 -- Generate a temp config file for this request
-local fileval = fs.read_file(configfile) or ""
+local fileval = fs.read_file(openssldir..configfile) or ""
 config = config or format.parse_ini_file(fileval)
 local ext_section = "v3_req"
 while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
@@ -450,7 +449,7 @@ end
 mymodule.listrequests = function(user)
 user = user or "*"
 local list={}
-local files = posix.glob(requestdir..user..".*\\.csr") or {}
+local files = posix.glob(openssldir..requestdir..user..".*\\.csr") or {}
 for i,x in ipairs(files) do
 local name = string.gsub(posix.basename(x), ".csr$", "")
 local a,b,c = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -460,7 +459,7 @@ mymodule.listrequests = function(user)
 end
 mymodule.viewrequest = function(request)
-local reqpath = requestdir .. request
+local reqpath = openssldir..requestdir .. request
 local cmdresult = modelfunctions.run_executable({"openssl", "req", "-in", reqpath..".csr", "-text", "-noout"})
 local a,b,c = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
 local request = cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, value=cmdresult}, label="Request Details" })
@@ -474,7 +473,7 @@ mymodule.getapproverequest = function(self, clientdata)
 end
 mymodule.approverequest = function(self, apprequest)
-local reqpath = requestdir .. apprequest.value.request.value
+local reqpath = openssldir..requestdir .. apprequest.value.request.value
 if fs.is_file(reqpath..".csr") then
 -- Request file exists, so try to sign
 local user,certtype,commonName = string.match(apprequest.value.request.value, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -483,7 +482,7 @@ mymodule.approverequest = function(self, apprequest)
 local serialpath = getconfigentry(certtype, "serial")
 local serialfile = fs.read_file(serialpath) or ""
 local serial = string.match(serialfile, "%x+")
-local certname = certdir..apprequest.value.request.value.."."..serial
+local certname = openssldir..certdir..apprequest.value.request.value.."."..serial
 -- Now, sign the certificate
 apprequest.descr, apprequest.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", reqpath..".cfg", "-in", reqpath..".csr", "-out", certname..".crt", "-name", certtype, "-batch"}, true)
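Review bot: The rebuilt `reqpath` in `viewrequest` still joins `request` onto the request directory with no check on its contents before it is handed to `openssl req -in`, and the `approverequest` hunk below does the same with `apprequest.value.request.value`, which then also names the `-config` file for `openssl ca`. If that value can come from client data, as `getapproverequest(self, clientdata)` suggests, a name containing `/` or `..` selects a file outside `requestdir`; I cannot see the caller from here, so this is an inference. The `string.match` on the following lines already splits the name into `user.certtype.commonName`, so doing that match first and rejecting anything that does not fit, e.g. `if not string.match(request, "^[^%./]+%.[^%./]+%.[^%./]+$") then ... end` before the path is built, would pin the lookup to that directory in both functions. Separately, `name=name` in the returned cfe of `viewrequest` reads a `name` that is not a local in this hunk; unless it is defined outside the hunk it is a global and evaluates to `nil`.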
@@ -529,11 +528,11 @@ end
 mymodule.deleterequest = function(self, delrequest, user)
 user = user or ".*"
-if (not fs.is_file(requestdir..delrequest.value.request.value..".csr")) or (not string.find(delrequest.value.request.value, "^"..user.."%.")) then
+if (not fs.is_file(openssldir..requestdir..delrequest.value.request.value..".csr")) or (not string.find(delrequest.value.request.value, "^"..user.."%.")) then
 delrequest.value.request.errtxt = "Request not found"
 delrequest.errtxt = "Failed to Delete Request"
 else
-local reqpath = requestdir..delrequest.value.request.value
+local reqpath = openssldir..requestdir..delrequest.value.request.value
 os.remove(reqpath..".pwd")
 os.remove(reqpath..".sbj")
 os.remove(reqpath..".pem")
@@ -546,7 +545,7 @@ end
 mymodule.listcerts = function(user)
 user = user or "*"
 local list={}
-local files = posix.glob(certdir..user..".*\\.pfx") or {}
+local files = posix.glob(openssldir..certdir..user..".*\\.pfx") or {}
 -- Do this in two steps - saves forking openssl for each cert, which
 -- speeds things up noticably for > 100 certs
 local crtlist = {}
@@ -557,7 +556,7 @@ mymodule.listcerts = function(user)
 list[#list + 1] = {name=name, user=a, certtype=b, commonName=unhashname(c), serial=d, enddate=enddate, daysremaining=time}
-crtlist[#crtlist+1] = "x509 -in "..certdir..name..".crt -noout -enddate"
+crtlist[#crtlist+1] = "x509 -in "..openssldir..certdir..name..".crt -noout -enddate"
 end
 local out = modelfunctions.run_executable({"openssl"}, false, table.concat(crtlist, "\n").."\nexit\n")
@@ -584,13 +583,13 @@ mymodule.listcerts = function(user)
 end
 mymodule.viewcert = function(cert)
-local cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", certdir..cert..".crt", "-noout", "-text"})
+local cmdresult = modelfunctions.run_executable({"openssl", "x509", "-in", openssldir..certdir..cert..".crt", "-noout", "-text"})
 local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
 return cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, serial=d, value=cmdresult}, label="Certificate Details" })
 end
 mymodule.getcert = function(cert)
-local f = fs.read_file(certdir..cert..".pfx") or ""
+local f = fs.read_file(openssldir..certdir..cert..".pfx") or ""
 local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
 c = string.gsub(unhashname(c), "[^%w_-]", "")
 return cfe({ type="raw", value=f, label=c..".pfx", option="application/x-pkcs12" })
@@ -603,7 +602,7 @@ mymodule.getrevokecert = function(self, clientdata)
 end
 mymodule.revokecert = function(self, revreq)
-revreq.descr, revreq.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-revoke", certdir..revreq.value.cert.value..".crt", "-batch"}, true)
+revreq.descr, revreq.errtxt = modelfunctions.run_executable({"openssl", "ca", "-config", openssldir..configfile, "-revoke", openssldir..certdir..revreq.value.cert.value..".crt", "-batch"}, true)
 return revreq
 end
@@ -615,7 +614,7 @@ end
 mymodule.deletecert = function(self, delcert)
 -- The certificate will still be in the ca directories and index.txt, just not available for web interface
-local certname = certdir..delcert.value.cert.value
+local certname = openssldir..certdir..delcert.value.cert.value
 os.remove(certname..".cfg")
 os.remove(certname..".crt")
 os.remove(certname..".pem")
@@ -634,7 +633,7 @@ end
 mymodule.renewcert = function(self, recert, submit, approve)
 local success = true
 local user,certtype,commonName,serialnum = string.match(recert.value.cert.value, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
-local reqname = requestdir..user.."."..certtype.."."..commonName
+local reqname = openssldir..requestdir..user.."."..certtype.."."..commonName
 if fs.is_file(reqname..".csr") then
 recert.errtxt = "Failed to submit request"
 recert.value.cert.errtxt = "Request already exists"
@@ -644,7 +643,7 @@ mymodule.renewcert = function(self, recert, submit, approve)
 if success then
 -- Submit the request
 -- First, put the subject, config file and password in place
-local certname = certdir..recert.value.cert.value
+local certname = openssldir..certdir..recert.value.cert.value
 fs.copy_file(certname..".pwd", reqname..".pwd")
 fs.copy_file(certname..".sbj", reqname..".sbj")
 fs.copy_file(certname..".cfg", reqname..".cfg")
@@ -682,7 +681,7 @@ mymodule.renewcert = function(self, recert, submit, approve)
 end
 mymodule.listrevoked = function()
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 local databasepath = getconfigentry(config.ca.default_ca, "database")
 local revoked = {}
 local database = fs.read_file_as_array(databasepath) or {}
@@ -696,7 +695,7 @@ end
 mymodule.getcrl = function(crltype)
 local crlfile = cfe({ type="raw", option="application/pkix-crl" })
-modelfunctions.run_executable({"openssl", "ca", "-config", configfile, "-gencrl", "-out", openssldir.."ca-crl.crl"})
+modelfunctions.run_executable({"openssl", "ca", "-config", openssldir..configfile, "-gencrl", "-out", openssldir.."ca-crl.crl"})
 modelfunctions.run_executable({"openssl", "crl", "-in", openssldir.."ca-crl.crl", "-out", openssldir.."ca-der-crl.crl", "-outform", "DER"})
 if string.lower(crltype or "") == "der" then
 crlfile.label = "ca-der-crl.crl"
@@ -811,7 +810,7 @@ mymodule.generateca = function(self, defaults)
 -- Submit the request
 local subject = create_subject_string(defaults, {"days"})
-local cmdresult = modelfunctions.run_executable({"openssl", "req", "-x509", "-nodes", "-new", "-config", configfile, "-keyout", "/tmp/cakey.pem", "-out", "/tmp/cacert.pem", "-subj", subject, "-days", defaults.value.days.value}, true)
+local cmdresult = modelfunctions.run_executable({"openssl", "req", "-x509", "-nodes", "-new", "-config", openssldir..configfile, "-keyout", "/tmp/cakey.pem", "-out", "/tmp/cacert.pem", "-subj", subject, "-days", defaults.value.days.value}, true)
 local certfilestats = posix.stat("/tmp/cacert.pem")
 local keyfilestats = posix.stat("/tmp/cakey.pem")
 if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
@@ -837,12 +836,12 @@ mymodule.generateca = function(self, defaults)
 end
 mymodule.getconfigfile = function()
-return modelfunctions.getfiledetails(configfile)
+return modelfunctions.getfiledetails(openssldir..configfile)
 end
 mymodule.setconfigfile = function(self, filedetails)
 -- validate
-return modelfunctions.setfiledetails(self, filedetails, {configfile})
+return modelfunctions.setfiledetails(self, filedetails, {openssldir..configfile})
 end
 mymodule.getenvironment = function(self, clientdata)
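Review bot: The rewritten `openssl req` command line in `generateca` still writes the new CA private key unencrypted (`-nodes`) to the fixed, predictable path `/tmp/cakey.pem`, with the certificate beside it at `/tmp/cacert.pem`; on a host with other local users a pre-existing file or symlink at those names is followed, and the key sits in a shared directory with whatever permissions the process umask gives it until `copyca` moves it. The function body continues outside the hunk, so I cannot see whether the files are removed on the failure path where the `posix.stat` checks fail. Since this commit is already rewriting the paths on this line, generating into a directory under `openssldir` that the tool creates with mode 0700, or at least into a per-call name from `os.tmpname()`, and deleting both files in every exit path would be a cheap change to fold in.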
@@ -869,11 +868,11 @@ mymodule.checkenvironment = function()
 -- First check for the openssl, req, and cert directories
 errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("openssl directory", openssldir)
-errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", certdir)
-errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", requestdir)
+errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", openssldir..certdir)
+errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", openssldir..requestdir)
 -- Then check for the config file entries
-config = config or format.parse_ini_file(fs.read_file(configfile) or "")
+config = config or format.parse_ini_file(fs.read_file(openssldir..configfile) or "")
 if config then
 local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir")