authorTed Trask <ttrask01@yahoo.com>2015-02-03 11:34:47 -0500
committerTed Trask <ttrask01@yahoo.com>2015-02-03 11:34:47 -0500
commitfb334e291744a500a99fab1d54a5db7448cdcfbf (patch)
tree193f5111cab5a33eb110fe07efa2e3604a846422
parentfb3cc9787652312ac452372d3a8e8efb893c4a0f (diff)
downloadacf-openssl-fb334e291744a500a99fab1d54a5db7448cdcfbf.tar.bz2
acf-openssl-fb334e291744a500a99fab1d54a5db7448cdcfbf.tar.xz
Added managesubca action to automatically configure the environment to manage a sub-CA
-rw-r--r--openssl-controller.lua4
-rw-r--r--openssl-model.lua51
-rw-r--r--openssl-read-html.lsp3
-rw-r--r--openssl.roles8
4 files changed, 62 insertions, 4 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 5c72c95..ace61bd 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -126,4 +126,8 @@ mymodule.getcachain = function(self)
return self.model.get_ca_chain(self, self.clientdata)
end
+mymodule.managesubca = function(self)
+ return self.handle_form(self, self.model.getsubca, self.model.createsubca, self.clientdata, "Manage", "Manage Sub-CA")
+end
+
return mymodule
diff --git a/openssl-model.lua b/openssl-model.lua
index a564954..e1d1f5e 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -1049,4 +1049,55 @@ mymodule.get_ca_chain = function(self, clientdata)
return retval
end
+mymodule.getsubca = function(self, clientdata)
+ local retval = initializecfe(self, clientdata, "Sub-CA Certificate")
+ retval.value.cert = cfe({ label="Certificate", key=true })
+ return retval
+end
+
+mymodule.createsubca = function(self, subca)
+ local success = true
+ local cert = basedir..certdir..subca.value.cert.value
+ if not posix.stat(cert..".crt") or not string.match(subca.value.cert.value, "[^%.]*%.ssl_ca_cert%.") then
+ subca.value.cert.errtxt = "Invalid Sub-CA"
+ success = false
+ else
+ local subcadir = basedir..subca.value.cert.value.."/"
+ if not fs.is_dir(subcadir) then
+ success = fs.create_directory(subcadir)
+ end
+ if success and not posix.stat(subcadir..configfile) then
+ -- Copy the config from this CA, but modify 'dir'
+ local configcontent = fs.read_file(basedir..configfile) or ""
+ configcontent = format.update_ini_file(configcontent, nil, "dir", basedir..subca.value.cert.value)
+ fs.write_file(subcadir..configfile, configcontent)
+
+ -- Copy the cert
+ -- temporarily overwrite the global config with the new one
+ config = format.parse_ini_file(configcontent)
+ fs.copy_file(cert..".crt", getconfigentry(config.ca.default_ca, "certificate"))
+ fs.copy_file(cert..".pem", getconfigentry(config.ca.default_ca, "private_key"))
+ config = nil
+
+ -- Set up the environment
+ -- temporarily overwrite the basedir
+ local oldbasedir = basedir
+ basedir = subcadir
+ local envstatus = checkenvironment()
+ -- loop through the cmdline and execute
+ for x,cmd in ipairs(envstatus.cmdline) do
+ cmd()
+ end
+ basedir = oldbasedir
+ end
+ if success and self.sessiondata then
+ self.sessiondata.openssl_cadir = subca.value.cadir.value.."/"..subca.value.cert.value
+ end
+ end
+ if not success then
+ subca.errtxt = "Failed to configure sub-CA"
+ end
+ return subca
+end
+
return mymodule
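Review bot: In `createsubca` the globals `basedir` and `config` are swapped in place around `checkenvironment()` and the `cmd()` loop with no `pcall`, so an error raised by any environment command leaves `basedir` pointing at the sub-CA directory (and `config` at the sub-CA's parsed file) for the rest of the process; the restore below should run regardless of failure and feed into `success`. The `fs.write_file` and both `fs.copy_file` calls discard their return values, so a failed copy of the `.pem` key still reports success and sets `openssl_cadir`. The match `"[^%.]*%.ssl_ca_cert%."` is unanchored, so it does not restrict `subca.value.cert.value` to a single path component before it is joined into `basedir..certdir`; anchoring it with `^` and excluding `/` would tighten that. Finally, `subca.value.cadir.value` is read near the end but `getsubca` above only defines `cert`; unless `initializecfe` adds `cadir`, this indexes nil.
```lua
-- Set up the environment
-- temporarily overwrite the basedir; restore it even if a command errors
local oldbasedir = basedir
basedir = subcadir
local ok = pcall(function()
	local envstatus = checkenvironment()
	for _, cmd in ipairs(envstatus.cmdline) do
		cmd()
	end
end)
basedir = oldbasedir
if not ok then
	success = false
end
-- … unchanged: sessiondata update and errtxt handling …
```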
diff --git a/openssl-read-html.lsp b/openssl-read-html.lsp
index 21fa0c0..27c31f2 100644
--- a/openssl-read-html.lsp
+++ b/openssl-read-html.lsp
@@ -139,6 +139,9 @@ end %>
if viewlibrary.check_permission("deletecert") then
htmlviewfunctions.displayitem(cfe({type="form", value={cert=crt, cadir=cadir}, label="", option="Delete", action="deletecert"}), page_info, -1)
end
+ if viewlibrary.check_permission("managesubca") and cert.certtype == "ssl_ca_cert" then
+ htmlviewfunctions.displayitem(cfe({type="form", value={cert=crt, cadir=cadir}, label="", option="Manage", action="managesubca"}), page_info, -1)
+ end
%>
</td>
<td><%= html.html_escape(cert.user) %></td>
diff --git a/openssl.roles b/openssl.roles
index 8a7cb5d..183704f 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,6 +1,6 @@
USER=openssl:status,openssl:getrevoked
EDITOR=openssl:editdefaults
-CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:getcachain
-CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadcacert,openssl:getcachain
-EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain
-ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain
+CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:getcachain,openssl:managesubca
+CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
+EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
+ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
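Review bot: `openssl:managesubca` is granted to CERT_REQUESTER, the least privileged of the certificate roles, yet the action it gates (per `createsubca` in openssl-model.lua in this commit) creates a directory under the CA base, copies the CA's `.pem` private key into it and executes the checkenvironment commands. That is the same tier of effect as `putcacert`/`generatecacert`, which are EXPERT-only here. Unless requesters are meant to manage sub-CAs, restricting the new action to the EXPERT and ADMIN lines would keep the role boundaries consistent.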