authorTed Trask <ttrask01@yahoo.com>2008-07-16 19:13:45 +0000
committerTed Trask <ttrask01@yahoo.com>2008-07-16 19:13:45 +0000
commit67aba2af2bc6203d58b4a1e52f86bcfae3e382f1 (patch)
tree1b3fedc83778b836bb96e101772b18a7604bdc76 /openssl-model.lua
parentcc1355740500c06f7f29ce17e505f5dd17666939 (diff)
downloadacf-openssl-67aba2af2bc6203d58b4a1e52f86bcfae3e382f1.tar.bz2
acf-openssl-67aba2af2bc6203d58b4a1e52f86bcfae3e382f1.tar.xz
Openssl removed the subjectAltName and instead added an extensions section to manually add x509 extensions.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1311 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'openssl-model.lua')
-rw-r--r--openssl-model.lua90
1 files changed, 66 insertions, 24 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index 92952eb..9c34711 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -75,10 +75,9 @@ local validate_distinguished_names = function(values)
end
-- Write distinguished name defaults to config file
-local write_distinguished_names = function(values, ignorevalues)
+local write_distinguished_names = function(file, values, ignorevalues)
local reverseignore = {}
for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
- local file = fs.read_file(configfile)
config = config or getopts.getoptsfromfile(file)
local distinguished_name = config.req.distinguished_name or ""
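Review bot: The comment directly above the new signature, `-- Write distinguished name defaults to config file`, is now inaccurate: with `fs.read_file(configfile)` removed and `file` taken as a parameter, the function no longer touches the file on disk; it edits the contents it is handed and, per the next hunk, returns them for the caller to write. Suggest replacing the comment with `-- Apply distinguished name defaults to the given config file contents; returns the modified contents (the caller writes them to disk) and clears the cached config`. The body of write_distinguished_names continues beyond this hunk.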
@@ -89,8 +88,8 @@ local write_distinguished_names = function(values, ignorevalues)
a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value)
end
end
- fs.write_file(configfile, file)
- config = getopts.getoptsfromfile(file)
+ config = nil
+ return file
end
local create_subject_string = function(values, ignorevalues)
@@ -149,7 +148,7 @@ local find_ca_sections = function()
return cert_types
end
-local validate_request = function(defaults)
+local validate_request = function(defaults, noextensionsections)
local success
success, defaults = validate_distinguished_names(defaults)
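Review bot: The new `noextensionsections` parameter is undocumented, and what it controls (rejecting any `[section]` header in the user-supplied extensions text) can only be recovered from the hunk further down. Suggest a comment above the definition: `-- noextensionsections: when true, extension text containing section headers is rejected (setreqdefaults passes true because the text is stored inside a single section)`. The body of validate_request continues beyond this hunk.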
@@ -167,6 +166,20 @@ local validate_request = function(defaults)
end
end
+ if defaults.value.extensions then
+ config = config or getopts.getoptsfromfile(configfile)
+ local extensions = getopts.getoptsfromfile(defaults.value.extensions.value)
+ for name,value in pairs(extensions or {}) do
+ if name ~= "" and noextensionsections then
+ defaults.value.extensions.errtxt = "Cannot contain sections"
+ success = false
+ elseif name ~= "" and config[name] then
+ defaults.value.extensions.errtxt = "Duplicate section name"
+ success = false
+ end
+ end
+ end
+
return success, defaults
end
@@ -283,18 +296,38 @@ getreqdefaults = function()
-- Add in the ca type default
defaults.value.certtype = cfe({ type="select", label="Certificate Type",
value=config.ca.default_ca, option=find_ca_sections() })
+ -- Add in the extensions
+ local extensions = ""
+ config = config or getopts.getoptsfromfile(configfile)
+ if config.req.req_extensions then
+ extensions = getopts.getsection(configfile, config.req.req_extensions)
+ end
+ defaults.value.extensions = cfe({ type="longtext", label="Additional x509 Extensions", value=extensions })
return defaults
end
setreqdefaults = function(defaults)
- local success, defaults = validate_request(defaults)
+ local success, defaults = validate_request(defaults, true)
-- If success, write the values to the config file
if success then
- getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
+ local a,b,c
+ local fileval = fs.read_file(configfile)
+ config = config or getopts.getoptsfromfile(fileval)
+ local ext_section
+ if not config.req or not config.req.req_extensions then
+ ext_section = "v3_req"
+ while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
+ a,b,c,fileval = getopts.setoptsinfile(fileval, "req", "req_extensions", ext_section)
+ else
+ ext_section = config.req.req_extensions
+ end
config = nil
- write_distinguished_names(defaults, {"certtype"})
+ a,b,c,fileval = getopts.setsection(fileval, ext_section, defaults.value.extensions.value)
+ a,b,c,fileval = getopts.setoptsinfile(fileval, "ca", "default_ca", defaults.value.certtype.value)
+ fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions"})
+ fs.write_file(configfile, fileval)
end
if not success then
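Review bot: The `ext_section` lookup in setreqdefaults (`if not config.req or not config.req.req_extensions ... while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end`) is duplicated verbatim in the submitrequest hunk further down, and the `while` loop spins until the clock ticks over if a `v3_req_<time>` section already exists, because os.time() returns the same value for a whole second. A shared helper with a counter-based fallback name removes both the duplication and the busy-wait; both callers would then do `ext_section, fileval = ensure_req_extensions(fileval)`. Separately, in getreqdefaults the line `config = config or getopts.getoptsfromfile(configfile)` is redundant, since `config.ca.default_ca` has already been dereferenced three lines earlier, and the guard `if config.req.req_extensions then` there lacks the `config.req` check the setreqdefaults version has.
```lua
-- Ensure [req] names a req_extensions section in the given config contents.
-- Returns the section name and the (possibly modified) contents; nothing is written to disk.
local ensure_req_extensions = function(fileval)
	config = config or getopts.getoptsfromfile(fileval)
	if config.req and config.req.req_extensions then
		return config.req.req_extensions, fileval
	end
	local ext_section = "v3_req"
	local n = 0
	while config[ext_section] do
		n = n + 1
		ext_section = "v3_req_"..n
	end
	local a,b,c
	a,b,c,fileval = getopts.setoptsinfile(fileval, "req", "req_extensions", ext_section)
	return ext_section, fileval
end
```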
@@ -309,7 +342,6 @@ getnewrequest = function()
-- In addition to the request defaults, we need a password and confirmation
values.value.password = cfe({ label="Password" })
values.value.password_confirm = cfe({ label="Password confirmation" })
- values.value.subjectAltName = cfe({ label="Alternative Name (e.g. DNS:www.myotherhost.com)" })
return values
end
@@ -331,11 +363,6 @@ submitrequest = function(defaults, user)
success = false
end
- if defaults.value.subjectAltName.value:match("'") then
- defaults.value.subjectAltName.errtxt = "Cannot contain '"
- success = false
- end
-
local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
if fs.is_file(reqname..".csr") then
defaults.errtxt = "Failed to submit request\nRequest already exists"
@@ -344,9 +371,31 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults, {"password", "password_confirm", "subjectAltName", "certtype"})
- local cmd = path .. "openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
- cmd = "ALTNAME='" .. defaults.value.subjectAltName.value .. "' " .. cmd
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"})
+
+ -- Generate a temp config file for this request
+ local a,b,c
+ local fileval = fs.read_file(configfile)
+ config = config or getopts.getoptsfromfile(fileval)
+ local temp = defaults.value.extensions.value
+ local ext_section
+ if not config.req or not config.req.req_extensions then
+ ext_section = "v3_req"
+ while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
+ a,b,c,fileval = getopts.setoptsinfile(fileval, "req", "req_extensions", ext_section)
+ else
+ ext_section = config.req.req_extensions
+ end
+ --[[if config[defaults.value.certtype.value].x509_extensions then
+ ext_section = config[defaults.value.certtype.value].x509_extensions
+ for name,value in pairs(config[ext_section] or {}) do
+ a,b,c,temp = getopts.setoptsinfile(temp, "", name, value)
+ end
+ end--]]
+ a,b,c,fileval = getopts.setsection(fileval, ext_section, temp)
+ fs.write_file(configfile..".tmp", fileval)
+
+ local cmd = path .. "openssl req -nodes -new -config "..configfile..".tmp -reqexts "..ext_section.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
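Review bot: `fs.write_file(configfile..".tmp", fileval)` uses one fixed path for every request, so two submissions running at the same time overwrite each other's temp config and `openssl req -config configfile.tmp` can pick up another user's extensions; the file also stays on disk holding user-supplied text unless it is removed later, which is outside this hunk. `reqname` is already unique per user, certtype and commonName and its existence is checked above, so a per-request file next to the .pem/.csr and an `os.remove` after the command avoids both problems. The commented-out `--[[if config[defaults.value.certtype.value].x509_extensions ...]]` block should be deleted rather than shipped, and the ext_section lookup duplicates the one in setreqdefaults.
```lua
	-- Generate a per-request temp config file (reqname is unique per user/certtype/commonName)
	local tmpconfig = reqname..".cnf"
	-- … unchanged: ext_section lookup and getopts.setsection(fileval, ext_section, temp) …
	fs.write_file(tmpconfig, fileval)

	local cmd = path .. "openssl req -nodes -new -config "..tmpconfig.." -reqexts "..ext_section.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
	local f = io.popen(cmd)
	local cmdresult = f:read("*a")
	f:close()
	os.remove(tmpconfig)
```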
@@ -385,7 +434,6 @@ end
viewrequest = function(request)
local reqpath = requestdir .. request
local cmd = path .. "openssl req -in "..reqpath..".csr -text -noout"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -409,7 +457,6 @@ approverequest = function(request)
-- Now, sign the certificate
local cmd = path .. "openssl ca -config "..configfile.." -in "..reqpath..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
@@ -502,7 +549,6 @@ end
revokecert = function(cert)
local cmdresult = cfe({ label="Revoke result" })
local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
@@ -546,7 +592,6 @@ renewcert = function(cert, approve)
-- Next, submit the request
cmd = path .. "openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
- cmd = "ALTNAME='' " .. cmd
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
@@ -585,11 +630,9 @@ end
getcrl = function(crltype)
local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" })
local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
if crltype == "DER" then
@@ -688,7 +731,6 @@ generateca = function(defaults)
-- Submit the request
local subject = create_subject_string(defaults, {"days"})
local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
- cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()