path: root/openssl-model.lua
authorTed Trask <ttrask01@yahoo.com>2008-07-11 12:46:38 +0000
committerTed Trask <ttrask01@yahoo.com>2008-07-11 12:46:38 +0000
commit94ea0142e1ceed7ed876efaa18d34ffa75190a2f (patch)
tree74a732b97dcb908f4f76931b543850784e9bb75e /openssl-model.lua
parenta212499c9b3ca33a3f60398192e4998424e379e1 (diff)
Modified openssl to work with new cnf file. Distinguished names are no longer hard coded, but entirely based upon cnf file. Modified views to display password and certtype at end. Update to getopts fixes bug where setting defaults truncated the cnf file.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1295 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'openssl-model.lua')
-rw-r--r--openssl-model.lua86
1 files changed, 46 insertions, 40 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index d0c669d..6a17a0c 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -21,17 +21,12 @@ local openssldir = "/etc/ssl/"
local config = nil
-- list of request entries that can be edited
-local distinguished_names = { {name="countryName", label="Country Name", short="C"},
- {name="stateOrProvinceName", label="State Or Province Name", short="ST"},
- {name="localityName", label="Locality Name", short="L"},
- {name="organizationName", label="Organization Name", short="O"},
- {name="organizationalUnitName", label="Organizational Unit Name", short="OU"},
- {name="commonName", label="Common Name", short="CN"},
- {name="emailAddress", label="e-mail Address"} }
+local short_names = { countryName="C", stateOrProvinceName="ST", localityName="L", organizationName="O", organizationalUnitName="OU", commonName="CN" }
+
-- list of entries that may be found in cert extensions section
local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", "subjectKeyIdentifier",
"authorityKeyIdentifier", "subjectAltName", "issuerAltName" }
--- list of entries that must be found in ca section
+-- list of entries that must be found in ca section (used to define our certificate types)
local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy" }
-- Create a cfe with the distinguished name defaults
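Review bot: The surviving comment `-- list of request entries that can be edited` above the new `short_names` table describes the table this hunk removes; `short_names` is now a map from distinguished-name config keys to the short attribute names that go into `-subj`, and keys without an entry (emailAddress, for instance) appear elsewhere in this diff under their long name. Suggest replacing it with `-- map of distinguished_name config keys to the short attribute names used when building the -subj string; keys absent here are emitted under their long name`. The reworded `ca_mandatory_entries` comment says the list "defines our certificate types" but not how; a clause such as `(each ca-style section containing all of these is offered as a certtype)` would make that readable without chasing the code, if that is indeed how it is used.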
@@ -41,13 +36,10 @@ local getdefaults = function()
local distinguished_name = config.req.distinguished_name or ""
-- Get the distinguished name defaults
- for i, name in ipairs(distinguished_names) do
- defaults.value[name.name] = cfe({ label=name.label,
- value=config[distinguished_name][name.name .. "_default"]
- or config[distinguished_name]["0."..name.name.."_default"] or "",
- descr=config[distinguished_name][name.name] or config[distinguished_name]["0."..name.name] })
- if defaults.value[name.name].value == "" and name.short then
- defaults.value[name.name].value = config[distinguished_name][name.short .. "_default"] or ""
+ for name,value in pairs(config[distinguished_name]) do
+ if nil == string.find(name, "_") then
+ defaults.value[name] = cfe({ label=value,
+ value=config[distinguished_name][name .. "_default"] or "" })
end
end
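Review bot: `pairs(config[distinguished_name])` on the new L52 raises an error rather than failing cleanly when the cnf has no section named by `req.distinguished_name` (the fallback is `""`, which will not be a section); the removed loop indexed the same nil, but now that the whole form is derived from that section a guard is worth adding, `for name,value in pairs(config[distinguished_name] or {}) do`. The filter `nil == string.find(name, "_")` is doing real work — it is what stops the `_default`, `_min` and `_max` keys from becoming form fields — and should say so, e.g. `-- keys without an underscore are DN attributes; *_default/*_min/*_max are their settings`. getdefaults begins before this hunk and its return value is built outside it.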
@@ -60,21 +52,21 @@ local validate_distinguished_names = function(values)
local distinguished_name = config.req.distinguished_name or ""
local success = true
- for i, name in ipairs(distinguished_names) do
- if string.find(values.value[name.name].value, "[,/'=]") then
- values.value[name.name].errtxt = "Value cannot contain =/,'"
+ for name,value in pairs(values.value) do
+ if string.find(value.value, "[,/'=]") then
+ value.errtxt = "Value cannot contain =/,'"
success = false
end
-- check min, but empty is allowed
- local min = config[distinguished_name][name.name.."_min"] or config[distinguished_name]["0."..name.name.."_min"]
- if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) and #values.value[name.name].value > 0 then
- values.value[name.name].errtxt = "Value too short"
+ local min = config[distinguished_name][name.."_min"]
+ if min and value.value and #value.value < tonumber(min) and #value.value > 0 then
+ value.errtxt = "Value too short"
success = false
end
- local max = config[distinguished_name][name.name.."_max"] or config[distinguished_name]["0."..name.name.."_max"]
- if max and values.value[name.name] and #values.value[name.name].value > tonumber(max) then
- values.value[name.name].errtxt = "Value too long"
+ local max = config[distinguished_name][name.."_max"]
+ if max and value.value and #value.value > tonumber(max) then
+ value.errtxt = "Value too long"
success = false
end
end
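Review bot: `string.find(value.value, "[,/'=]")` on the new L65 dereferences `value.value` unguarded, while the min/max checks just below test `value.value` first, so an entry without a value errors out instead of failing validation; make it `if value.value and string.find(value.value, "[,/'=]") then`. Because the loop now walks every entry of `values.value` instead of a fixed DN list, non-DN fields such as password and certtype (which the callers in this commit exclude elsewhere through an ignore list) are also subjected to the DN character rule and to `<name>_min`/`<name>_max` lookups in the DN section; if that is intended, say so in a comment, otherwise give this function the same ignore list that write_distinguished_names now takes. As far as this diff shows, rejecting `'` here is what keeps a DN value inside the single-quoted `-subj` argument of the openssl command built later in the file, so this validation must stay on every path that produces a subject. validate_distinguished_names begins before and ends after this hunk.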
@@ -82,30 +74,44 @@ local validate_distinguished_names = function(values)
end
-- Write distinguished name defaults to config file
-local write_distinguished_names = function(values)
+local write_distinguished_names = function(values, ignorevalues)
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
local file = fs.read_file(configfile)
config = config or getopts.getoptsfromfile(file)
local distinguished_name = config.req.distinguished_name or ""
- for i,name in ipairs(distinguished_names) do
- wname = name.name.."_default"
- if config[distinguished_name]["0."..name.name] then
- wname = "0."..wname
- end
- if values.value[name.name] then
+ for name,value in pairs(values.value) do
+ if not reverseignore[name] then
+ local wname = name.."_default"
local a,b,c
- a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, values.value[name.name].value)
+ a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value)
end
end
fs.write_file(configfile, file)
config = getopts.getoptsfromfile(file)
end
-local create_subject_string = function(values)
+local create_subject_string = function(values, ignorevalues)
local outstr = {}
- for i,name in ipairs(distinguished_names) do
- if values.value[name.name].value ~= "" then
- outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
+ -- do the ones with short names first
+ local reverseshorts = {}
+ for name,short in pairs(short_names) do
+ reverseshorts[short] = name
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if (short_names[name] or reverseshorts[name]) and value.value and value.value ~= "" then
+ name = short_names[name] or name
+ outstr[#outstr + 1] = name .. "=" .. value.value
+ end
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if not reverseignore[name] and not short_names[name] and not reverseshorts[name] and value.value and value.value ~= "" then
+ outstr[#outstr + 1] = name .. "=" .. value.value
end
end
return "/"..table.concat(outstr, "/")
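Review bot: create_subject_string now assembles `-subj` by walking `values.value` with `pairs`, whose iteration order is unspecified, so the RDN sequence of every CSR and CA certificate can differ between runs and Lua versions, whereas the removed code emitted C, ST, L, O, OU, CN in a fixed order. The rewrite below keeps the short-name mapping, the numeric-prefix stripping and the ignore list, but sorts entries by a conventional order list before joining them. Separately, write_distinguished_names now writes every non-ignored form field into the cnf as `<name>_default`; limiting it to keys the section already defines, `if not reverseignore[name] and config[distinguished_name][name] then`, stops a stray field from adding new directives, and unless getopts.setoptsinfile escapes line breaks a value containing one could do the same, since the validator in this commit does not reject newlines. Both functions are complete within this hunk.
```lua
-- next to short_names: conventional RDN order, so the subject is stable (pairs() order is unspecified)
local dn_order = { "countryName", "stateOrProvinceName", "localityName",
	"organizationName", "organizationalUnitName", "commonName" }

local create_subject_string = function(values, ignorevalues)
	-- … unchanged: reverseignore and reverseshorts setup …
	local rank = {}
	for i, name in ipairs(dn_order) do rank[name] = i end
	-- collect non-empty, non-ignored entries; "0.commonName" style keys lose their prefix
	local entries = {}
	for name,value in pairs(values.value) do
		name = name:gsub(".*%.", "")
		local long = reverseshorts[name] or name
		if not reverseignore[name] and value.value and value.value ~= "" then
			entries[#entries + 1] = { long = long, attr = short_names[long] or name, value = value.value }
		end
	end
	-- well-known attributes first, in dn_order; everything else after, sorted by name
	table.sort(entries, function(a, b)
		local ra, rb = rank[a.long] or #dn_order + 1, rank[b.long] or #dn_order + 1
		if ra ~= rb then return ra < rb end
		return a.attr < b.attr
	end)
	local outstr = {}
	for i, e in ipairs(entries) do
		outstr[i] = e.attr .. "=" .. e.value
	end
	return "/"..table.concat(outstr, "/")
end
```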
@@ -287,7 +293,7 @@ setreqdefaults = function(defaults)
if success then
getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
config = nil
- write_distinguished_names(defaults)
+ write_distinguished_names(defaults, {"certtype"})
end
if not success then
@@ -331,7 +337,7 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
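Review bot: The subject is spliced into a shell command inside single quotes on L154, and the only thing preventing a DN value from closing that quote is the `'` in validate_distinguished_names' blacklist — a coupling that is invisible at this call site, which already interpolates `reqname` and `configfile` unquoted. At minimum pin the invariant beside the command, `-- subject is safe to single-quote only because validate_distinguished_names rejects ' , / = ; keep that check on every path that reaches here`, and consider a local guard `assert(not subject:find("'"), "subject contains a quote")` before io.popen so a future caller cannot bypass it. submitrequest begins before this hunk, and the popen handle is closed, if at all, outside it.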
@@ -388,7 +394,7 @@ approverequest = function(request)
-- Add the serial number to the end of the cert file name
local serialpath = getconfigentry(certtype, "serial")
- local serialfile = fs.read_file(openssldir..serialpath)
+ local serialfile = fs.read_file(serialpath)
local serial = string.match(serialfile, "%x%x")
local certname = certdir..request.."."..serial
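Review bot: `fs.read_file(serialpath)` on the new L161 can return nil when the serial file named in the cnf is missing, or when the path is relative and resolved against a cwd other than the old `openssldir` prefix implied, and `string.match(serialfile, "%x%x")` then raises instead of reporting a failed approval; guard it with `if not serialfile then return nil, "cannot read serial file "..serialpath end` in whatever error form this function uses. The `%x%x` pattern on the next line also keeps only the first two hex digits, so once the CA serial exceeds 0xff two certificates map to the same `certname`; `serialfile:match("%x+")` keeps the whole serial. approverequest begins before this hunk and continues after it.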
@@ -666,7 +672,7 @@ generateca = function(defaults)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"days"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")