-rw-r--r--openssl-ca-acf.cnf41
-rw-r--r--openssl-model.lua94
-rw-r--r--openssl-request-html.lsp2
3 files changed, 72 insertions, 65 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
index 7530240..0fa7f05 100644
--- a/openssl-ca-acf.cnf
+++ b/openssl-ca-acf.cnf
@@ -7,9 +7,6 @@
HOME = /etc/ssl
RANDFILE = /dev/urandom
-
-
-
# Openssl wants to put these in the ca section; but for our purposes
# this config file is only used by the CA, so we define them
# for everything
@@ -19,7 +16,6 @@ certs = $dir/certs # Where the issued certs are kept
crl = $dir/crl.pem # The current CRL
RANDFILE = $dir/private/.rand # private random number file
-
# The "Certificate Type" dropdown in the web interface is built
# from any section in which all of the CA Mandatory Entries are
# Defined. The CA Mandadory Entries are:
@@ -69,14 +65,14 @@ countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional
-subjectAltName = optional
[ policy_acf_cert ]
+organizationName = optional
organizationalUnitName = optional
+countryName = optional
commonName = supplied
emailAddress = optional
-subjectAltName = optional
-
+localityName = optional
####################################################################
# The settings for a request.
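Review bot: The rebuilt [ policy_acf_cert ] section lists organizationName, organizationalUnitName, countryName, commonName, emailAddress and localityName but no stateOrProvinceName, while the request form in openssl-request-html.lsp collects stateOrProvinceName/ST. `openssl ca` silently drops DN fields that the policy section does not mention (unless -preserveDN is given), so a state entered by the user would not appear in the issued certificate. If that is not intended, add `stateOrProvinceName = optional` to this section; the [ policy_acf_ca ] section starts before the hunk, so I cannot see whether it has the same gap.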
@@ -87,6 +83,7 @@ distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca_cert
string_mask = nombstr
+req_extensions = v3_req
# The req section specifies the attributes that will be asked for
# Here is where we define the fields that are presented in
@@ -102,8 +99,14 @@ countryName_default =
countryName_min = 2
countryName_max = 2
-organizationName = Organization Name
-organizationName_default =
+# This is how you add multiple values; in this case we will
+# use multiple organizationNames
+
+0.organizationName = Organization Name
+0.organizationName_default =
+
+1.organizationName = Organization Name
+1.organizationName_default =
localityName = Locality Name (e.g. city)
localityName_default =
@@ -118,19 +121,6 @@ commonName_default =
emailAddress = Email Address
emailAddress_max = 60
-# This is how you add multiple values; in this case we will
-# use multiple subjectAltNames
-
-0.subjectAltName = Alternate Name (e.g DNS:www.myotherhost.com)
-0.subjectAltName_max = 64
-0.subjectAltName_default =
-
-1.subjectAltName = Additional Alt. Name (e.g DNS:www.mythirdhost.com)
-1.subjectAltName_max = 64
-1.subjectAltName_default =
-
-
-
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
@@ -144,10 +134,14 @@ keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
+[ v3_req ]
+subjectAltName = $ENV::ALTNAME
+
[ general_cert ]
# Non-specific
policy = policy_acf_cert
x509_extensions = general
+copy_extensions = copy
[ general ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
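Review bot: `copy_extensions = copy` in [ general_cert ], repeated for ssl_server, ssl_client and ssl_ca in the next three hunks, makes `openssl ca` take every extension from the CSR that the x509_extensions section does not itself set, not only the subjectAltName this change needs. basicConstraints is set in each of those sections, but in the lines visible here keyUsage and extendedKeyUsage are not, so a request carrying them would have them copied into the issued certificate as-is; that is only acceptable while every CSR in requestdir is one that submitrequest generated from this config, and how the OpenSSL version in use resolves a request extension that the config also sets should be confirmed. Worth documenting at the line, e.g. `# copy: CSR extensions not set by the x509_extensions section are carried over (needed for subjectAltName); do not change to copyall`. Consider also pinning keyUsage/extendedKeyUsage in the [ general ] and [ ssl_* ] sections so that a request cannot supply them.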
@@ -157,6 +151,7 @@ authorityKeyIdentifier = keyid,issuer:always
# SSL server
policy = policy_acf_cert
x509_extensions = ssl_server
+copy_extensions = copy
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
@@ -169,6 +164,7 @@ authorityKeyIdentifier = keyid,issuer:always
# SSL client
policy = policy_acf_cert
x509_extensions = ssl_client
+copy_extensions = copy
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
@@ -181,6 +177,7 @@ authorityKeyIdentifier = keyid,issuer:always
# SSL Certifying Authority
policy = policy_acf_ca
x509_extensions = ssl_ca
+copy_extensions = copy
[ ssl_ca ]
basicConstraints = critical, CA:true
nsCertType = sslCA
diff --git a/openssl-model.lua b/openssl-model.lua
index fb28cb6..bcde4df 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -16,6 +16,7 @@ local configfile = "/etc/ssl/openssl-ca-acf.cnf"
local requestdir = "/etc/ssl/req/"
local certdir = "/etc/ssl/cert/"
local openssldir = "/etc/ssl/"
+local path = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin "
-- Save the config in a variable so isn't loaded each and every time needed
local config = nil
@@ -181,27 +182,27 @@ local copyca = function(cacert, cakey)
f:close()
end
-local checkdir = function(name, path)
+local checkdir = function(name, dirpath)
local errtxt, cmdline
- local filestats = posix.stat(path, "type")
+ local filestats = posix.stat(dirpath, "type")
if not filestats or filestats == "" then
errtxt = name.." does not exist"
- cmdline = "mkdir -p "..path
+ cmdline = "mkdir -p "..dirpath
elseif filestats ~= "directory" then
errtxt = "UNRECOVERABLE - "..name.." not a directory"
end
return errtxt, cmdline
end
-local checkfile = function(name, path, default)
+local checkfile = function(name, filepath, default)
local errtxt, cmdline
- local filestats = posix.stat(path, "type")
+ local filestats = posix.stat(filepath, "type")
if not filestats or filestats == "" then
errtxt = name.." does not exist"
if default then
- cmdline = "echo "..default.." > "..path
+ cmdline = "echo "..default.." > "..filepath
else
- cmdline = "touch "..path
+ cmdline = "touch "..filepath
end
elseif filestats ~= "regular" then
errtxt = "UNRECOVERABLE - "..name.." not a file"
@@ -249,7 +250,7 @@ getstatus = function()
if not fs.is_file(cacert.value) then
cacert.errtxt="File not found"
else
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..cacert.value.." -noout -text"
+ local cmd = path .. "openssl x509 -in "..cacert.value.." -noout -text"
local f = io.popen(cmd)
cacertcontents.value = f:read("*a")
f:close()
@@ -308,6 +309,7 @@ getnewrequest = function()
-- In addition to the request defaults, we need a password and confirmation
values.value.password = cfe({ label="Password" })
values.value.password_confirm = cfe({ label="Password confirmation" })
+ values.value.subjectAltName = cfe({ label="Alternative Name (e.g. DNS:www.myotherhost.com)" })
return values
end
@@ -337,8 +339,9 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "subjectAltName", "certtype"})
+ local cmd = path .. "openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = "ALTNAME=" .. defaults.value.subjectAltName.value .. " " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
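Review bot: The added `cmd = "ALTNAME=" .. defaults.value.subjectAltName.value .. " " .. cmd` places a web-form value into the shell command line with no quoting, whereas the existing subject string is at least wrapped in single quotes; a value containing a space or a shell metacharacter changes what `io.popen` runs. Shell-quote it before use, e.g. `local altname = defaults.value.subjectAltName.value or ""` and `cmd = "ALTNAME='" .. (altname:gsub("'", "'\\''")) .. "' " .. cmd`, and validate the field against the form it is meant to have (a GeneralName such as `DNS:host`) in the step that sets `success`; that step is outside the hunk, so I cannot tell whether it already rejects unexpected characters. The `or ""` also avoids a Lua concatenation error if the field arrives without a value, which I cannot rule out from what cfe is shown to do here. submitrequest's body starts before and ends after this hunk.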
@@ -375,8 +378,9 @@ listrequests = function(user)
end
viewrequest = function(request)
- local path = requestdir .. request
- local cmd = "openssl req -in "..path..".csr -text -noout"
+ local reqpath = requestdir .. request
+ local cmd = path .. "openssl req -in "..reqpath..".csr -text -noout"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
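Review bot: The added `cmd = "ALTNAME='' " .. cmd` here, and the identical line in approverequest, revokecert, renewcert, getcrl (twice) and generateca, gives no hint why an empty ALTNAME must be in the environment; the reason is the new `subjectAltName = $ENV::ALTNAME` in openssl-ca-acf.cnf, which presumably makes openssl refuse to load the config when the variable is unset. viewrequest passes no `-config`, so whether this command needs it depends on which default config the binary reads, which the hunk does not show. A one-line comment at the first occurrence, e.g. `-- openssl-ca-acf.cnf references $ENV::ALTNAME; openssl fails to load it if the variable is unset`, would carry the rest, and a small helper such as `local function openssl_cmd(altname, args)` that prepends the quoted ALTNAME and the PATH prefix would remove the seven copies (the shell applies the last assignment when the same variable is given twice, so ALTNAME must not simply be folded into the `path` string, or submitrequest's value would be overridden).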
@@ -387,8 +391,8 @@ end
approverequest = function(request)
local cmdresult = cfe({ value="Failed to approve request", label="Approve result" })
- local path = requestdir .. request
- if fs.is_file(path..".csr") then
+ local reqpath = requestdir .. request
+ if fs.is_file(reqpath..".csr") then
-- Request file exists, so try to sign
local user,certtype,commonName = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -399,7 +403,8 @@ approverequest = function(request)
local certname = certdir..request.."."..serial
-- Now, sign the certificate
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
+ local cmd = path .. "openssl ca -config "..configfile.." -in "..reqpath..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
@@ -408,7 +413,7 @@ approverequest = function(request)
local filestats = posix.stat(certname..".crt")
if filestats and filestats.size > 0 then
-- We're wrapping up the key, the cert, and the CA cert (and whatever came with it)
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -export -inkey "..path..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..path..".pwd -certfile "..getconfigentry(certtype, "certificate").." 2>&1"
+ cmd = path .. "openssl pkcs12 -export -inkey "..reqpath..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..reqpath..".pwd -certfile "..getconfigentry(certtype, "certificate").." 2>&1"
f = io.popen(cmd)
local newcmdresult = f:read("*a")
f:close()
@@ -418,13 +423,13 @@ approverequest = function(request)
-- Finally, remove the request
filestats = posix.stat(certname..".pfx")
if filestats and filestats.size > 0 then
- cmd = "cp "..path..".pwd "..certname..".pwd"
+ cmd = "cp "..reqpath..".pwd "..certname..".pwd"
f = io.popen(cmd)
f:close()
- cmd = "cp "..path..".pem "..certname..".pem"
+ cmd = "cp "..reqpath..".pem "..certname..".pem"
f = io.popen(cmd)
f:close()
- cmd = "rm "..path..".*"
+ cmd = "rm "..reqpath..".*"
f = io.popen(cmd)
f:close()
else
@@ -455,7 +460,7 @@ listcerts = function(user)
for x in fh:lines() do
local name = basename(x,".pfx")
local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..name..".crt -noout -enddate"
+ local cmd = path .. "openssl x509 -in "..certdir..name..".crt -noout -enddate"
local f = io.popen(cmd)
local enddate = f:read("*a")
enddate = string.match(enddate, "notAfter=(.*)")
@@ -476,7 +481,7 @@ listcerts = function(user)
end
viewcert = function(cert)
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..cert..".crt -noout -text"
+ local cmd = path .. "openssl x509 -in "..certdir..cert..".crt -noout -text"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -491,7 +496,8 @@ end
revokecert = function(cert)
local cmdresult = cfe({ label="Revoke result" })
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
+ local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
@@ -519,7 +525,7 @@ renewcert = function(cert, approve)
if success then
-- Submit the request
-- First, get the subject
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..cert..".crt -noout -subject"
+ local cmd = path .. "openssl x509 -in "..certdir..cert..".crt -noout -subject"
local f = io.popen(cmd)
local subject = f:read("*a")
subject = string.match(subject, "subject= ([^\n]*)")
@@ -534,7 +540,8 @@ renewcert = function(cert, approve)
f:close()
-- Next, submit the request
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = path .. "openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = "ALTNAME='' " .. cmd
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
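Review bot: renewcert now builds the renewal CSR with `ALTNAME=''`, so with `req_extensions = v3_req` in the config the new request carries an empty subjectAltName rather than the names of the certificate being renewed; a renewed server certificate would lose its DNS names, and whether openssl accepts an empty subjectAltName value at all should be confirmed. The subject is recovered from the old certificate a few lines up with `openssl x509 -noout -subject`; the alternative names could be recovered the same way (e.g. from the `-noout -text` output this file already parses elsewhere) and passed as ALTNAME with the same shell quoting that submitrequest needs. renewcert's body starts before and ends after this hunk.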
@@ -572,10 +579,12 @@ end
getcrl = function(crltype)
local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" })
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
+ local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
+ local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
if crltype == "DER" then
@@ -601,7 +610,7 @@ putca = function(newca)
-- Trying to upload a cert/key
-- The way haserl works, ca contains the temporary file name
-- First, get the cert
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."cert.pem -password pass:"..newca.value.password.value.." -nokeys 2>&1"
+ local cmd = path .. "openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."cert.pem -password pass:"..newca.value.password.value.." -nokeys 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
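Review bot: The rewritten command still splices `newca.value.password.value` into `-password pass:` with no shell quoting and passes the secret as a process argument, where it is visible to any local user through the process list; the `-nocerts -nodes` command in the hunk after next has the same shape. This predates the commit, but since the line is being rewritten anyway, consider `-password env:CAPASS` (or a file, as approverequest already does with `-passout file:`) and supplying the value through the environment with proper quoting, e.g. `"CAPASS='" .. (pw:gsub("'", "'\\''")) .. "' "` prepended to cmd. The unquoted `newca.value.ca.value` filename is presumably supplied by haserl rather than chosen by the user, as the comment above says, so it is less of a concern. putca's body starts before and ends after this hunk.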
@@ -613,7 +622,7 @@ putca = function(newca)
-- Since -cacerts doesn't seem to work, we have to check to make sure we got a CA
if success then
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..newca.value.ca.value.."cert.pem -noout -text"
+ cmd = path .. "openssl x509 -in "..newca.value.ca.value.."cert.pem -noout -text"
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
@@ -625,7 +634,7 @@ putca = function(newca)
-- Now, get the key
if success then
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."key.pem -password pass:"..newca.value.password.value.." -nocerts -nodes 2>&1"
+ cmd = path .. "openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."key.pem -password pass:"..newca.value.password.value.." -nocerts -nodes 2>&1"
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
@@ -673,7 +682,8 @@ generateca = function(defaults)
if success then
-- Submit the request
local subject = create_subject_string(defaults, {"days"})
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
+ local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -737,31 +747,31 @@ checkenvironment = function(set)
config = config or getopts.getoptsfromfile(configfile)
if config then
- local path = getconfigentry(config.ca.default_ca, "new_certs_dir")
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", path)
+ local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir")
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", chkpath)
local file = getconfigentry(config.ca.default_ca, "certificate")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", chkpath)
file = getconfigentry(config.ca.default_ca, "private_key")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", chkpath)
file = getconfigentry(config.ca.default_ca, "database")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("database", file)
file = getconfigentry(config.ca.default_ca, "serial")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("serial", file, "01")
file = getconfigentry(config.ca.default_ca, "crlnumber")
if file ~= "" then
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("crlnumber", file, "01")
end
else
diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp
index 348ad23..6ed33ed 100644
--- a/openssl-request-html.lsp
+++ b/openssl-request-html.lsp
@@ -12,7 +12,7 @@ io.write(html.cfe_unpack(form))
form.value.password_confirm.type = "password"
local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
"organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
- local finishingorder = { "certtype", "password", "password_confirm" }
+ local finishingorder = { "subjectAltName", "certtype", "password", "password_confirm" }
displayform(form, order, finishingorder)
?>