author | Ted Trask <ttrask01@yahoo.com> | 2015-02-03 11:34:47 -0500 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2015-02-03 11:34:47 -0500 |
commit | fb334e291744a500a99fab1d54a5db7448cdcfbf (patch) | |
tree | 193f5111cab5a33eb110fe07efa2e3604a846422 | |
parent | fb3cc9787652312ac452372d3a8e8efb893c4a0f (diff) | |
Added managesubca action to automatically configure the environment to manage a sub-CA
-rw-r--r-- | openssl-controller.lua | 4 | ||||
-rw-r--r-- | openssl-model.lua | 51 | ||||
-rw-r--r-- | openssl-read-html.lsp | 3 | ||||
-rw-r--r-- | openssl.roles | 8 |
4 files changed, 62 insertions, 4 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 5c72c95..ace61bd 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -126,4 +126,8 @@ mymodule.getcachain = function(self)
 	return self.model.get_ca_chain(self, self.clientdata)
 end
 
+mymodule.managesubca = function(self)
+	return self.handle_form(self, self.model.getsubca, self.model.createsubca, self.clientdata, "Manage", "Manage Sub-CA")
+end
+
 return mymodule
diff --git a/openssl-model.lua b/openssl-model.lua
index a564954..e1d1f5e 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -1049,4 +1049,55 @@ mymodule.get_ca_chain = function(self, clientdata)
 	return retval
 end
 
+mymodule.getsubca = function(self, clientdata)
+	local retval = initializecfe(self, clientdata, "Sub-CA Certificate")
+	retval.value.cert = cfe({ label="Certificate", key=true })
+	return retval
+end
+
+mymodule.createsubca = function(self, subca)
+	local success = true
+	local cert = basedir..certdir..subca.value.cert.value
+	if not posix.stat(cert..".crt") or not string.match(subca.value.cert.value, "[^%.]*%.ssl_ca_cert%.") then
+		subca.value.cert.errtxt = "Invalid Sub-CA"
+		success = false
+	else
+		local subcadir = basedir..subca.value.cert.value.."/"
+		if not fs.is_dir(subcadir) then
+			success = fs.create_directory(subcadir)
+		end
+		if success and not posix.stat(subcadir..configfile) then
+			-- Copy the config from this CA, but modify 'dir'
+			local configcontent = fs.read_file(basedir..configfile) or ""
+			configcontent = format.update_ini_file(configcontent, nil, "dir", basedir..subca.value.cert.value)
+			fs.write_file(subcadir..configfile, configcontent)
+
+			-- Copy the cert
+			-- temporarily overwrite the global config with the new one
+			config = format.parse_ini_file(configcontent)
+			fs.copy_file(cert..".crt", getconfigentry(config.ca.default_ca, "certificate"))
+			fs.copy_file(cert..".pem", getconfigentry(config.ca.default_ca, "private_key"))
+			config = nil
+
+			-- Set up the environment
+			-- temporarily overwrite the basedir
+			local oldbasedir = basedir
+			basedir = subcadir
+			local envstatus = checkenvironment()
+			-- loop through the cmdline and execute
+			for x,cmd in ipairs(envstatus.cmdline) do
+				cmd()
+			end
+			basedir = oldbasedir
+		end
+		if success and self.sessiondata then
+			self.sessiondata.openssl_cadir = subca.value.cadir.value.."/"..subca.value.cert.value
+		end
+	end
+	if not success then
+		subca.errtxt = "Failed to configure sub-CA"
+	end
+	return subca
+end
+
 return mymodule
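Review bot: The sub-CA name check on the `if not posix.stat(cert..".crt") or not string.match(...)` line is unanchored, so `subca.value.cert.value` — which comes straight from the submitted form and is concatenated into both `cert` and `subcadir` — only has to contain `.ssl_ca_cert.` somewhere; a value containing path separators or `..` that still resolves to an existing `.crt` would pass and make the config write, the `.crt`/`.pem` copies and the `checkenvironment()` commands run outside the intended CA directory. Anchor the pattern and reject separators, e.g. `if not posix.stat(cert..".crt") or not string.match(subca.value.cert.value, "^[^%./]*%.ssl_ca_cert%.[^/]*$") then`. The `basedir`/`config` swap is also unprotected: if `checkenvironment()` or any `cmd()` raises, `basedir` stays pointed at the sub-CA directory, and after `basedir = oldbasedir` the global `config` is not reset, so if `checkenvironment()` populates it the parent CA's later calls would presumably see the sub-CA config — wrap that block in `pcall`, restore `basedir`, and set `config = nil` again afterwards. The return values of `fs.write_file` and both `fs.copy_file` calls are unchecked, so `success` can remain true when the private-key copy failed and the sub-CA is left half-configured. Both `getsubca` and `createsubca` are complete within the hunk.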
diff --git a/openssl-read-html.lsp b/openssl-read-html.lsp
index 21fa0c0..27c31f2 100644
--- a/openssl-read-html.lsp
+++ b/openssl-read-html.lsp
@@ -139,6 +139,9 @@ end %>
 	if viewlibrary.check_permission("deletecert") then
 		htmlviewfunctions.displayitem(cfe({type="form", value={cert=crt, cadir=cadir}, label="", option="Delete", action="deletecert"}), page_info, -1)
 	end
+	if viewlibrary.check_permission("managesubca") and cert.certtype == "ssl_ca_cert" then
+		htmlviewfunctions.displayitem(cfe({type="form", value={cert=crt, cadir=cadir}, label="", option="Manage", action="managesubca"}), page_info, -1)
+	end
 %>
 </td>
 <td><%= html.html_escape(cert.user) %></td>
diff --git a/openssl.roles b/openssl.roles
index 8a7cb5d..183704f 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,6 +1,6 @@
 USER=openssl:status,openssl:getrevoked
 EDITOR=openssl:editdefaults
-CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:getcachain
-CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadcacert,openssl:getcachain
-EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain
-ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain
+CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:getcachain,openssl:managesubca
+CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
+EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
+ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadcacert,openssl:getcachain,openssl:managesubca
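Review bot: `openssl:managesubca` is granted to CERT_REQUESTER and CERT_APPROVER on the first two added lines, not only to EXPERT and ADMIN, yet in the openssl-model.lua hunk `createsubca` copies the CA's `.pem` private key into the new sub-CA directory, rewrites its config and executes the `checkenvironment()` command list — CA-administration steps these two roles are otherwise not trusted with (neither holds `openssl:putcacert` or `openssl:generatecacert`). Unless requesters and approvers are meant to bootstrap sub-CAs themselves, drop `,openssl:managesubca` from the `CERT_REQUESTER=` and `CERT_APPROVER=` lines and keep it on EXPERT and ADMIN. The `check_permission("managesubca")` test in openssl-read-html.lsp appears only to hide the button, so this file is the control that actually restricts who can run the action.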