-rw-r--r-- | openssl-controller.lua | 9 | ||||
-rw-r--r-- | openssl-html.lsp | 82 | ||||
-rw-r--r-- | openssl-model.lua | 44 |
3 files changed, 105 insertions, 30 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua index 64dd307..59918c1 100644 --- a/openssl-controller.lua +++ b/openssl-controller.lua @@ -26,7 +26,7 @@ readall = function(self) self.sessiondata.cmdresult = nil local pending = self.model.listrequests() local approved = self.model.listcerts() - local revoked = nil + local revoked = self.model.listrevoked() local result = cfe({ type="list", value={cmdresult=cmdresult, pending=pending, approved=approved, revoked=revoked} }) return result end @@ -38,7 +38,7 @@ read = function(self) local user = cfe({ value=self.sessiondata.userinfo.userid, label="User Name" }) local pending = self.model.listrequests(self.sessiondata.userinfo.userid) local approved = self.model.listcerts(self.sessiondata.userinfo.userid) - local revoked = nil + local revoked = self.model.listrevoked() local result = cfe({ type="list", value={cmdresult=cmdresult, user=user, pending=pending, approved=approved, revoked=revoked} }) return result end @@ -117,6 +117,9 @@ end -- Revoke the specified cert revoke = function(self) + local cmdresult = self.model.revokecert(self.clientdata.cert) + self.sessiondata.cmdresult = cmdresult + redirect_to_referrer(self) end -- Delete the specified certificate @@ -128,6 +131,8 @@ end -- Get the revoked list getrevoked = function(self) + self.conf.viewtype="stream" + return self.model.getcrl(self.clientdata.crltype) end -- Put the CA cert diff --git a/openssl-html.lsp b/openssl-html.lsp index 192f7ce..9c61259 100644 --- a/openssl-html.lsp +++ b/openssl-html.lsp @@ -7,7 +7,7 @@ io.write(html.cfe_unpack(view)) <? if view.value.cmdresult then ?> <H1>Command Result</H1> <DL> -<?= view.value.cmdresult.value ?> +<?= string.gsub(view.value.cmdresult.value, "\n", "<BR>") ?> </DL> <? end ?> 
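Review bot: In the controller's new `revoke` action, `self.clientdata.cert` is handed to `self.model.revokecert` unvalidated, and the model's new `revokecert` (the openssl-model.lua hunk at `@@ -368,10 +368,17 @@`) splices that value into an `io.popen` shell command (`... -revoke "..certdir .. cert..".crt ...`), so shell metacharacters in the client's `cert` parameter reach the shell. The name should be checked against the character set `listcerts` actually produces before the command is built, e.g. right after `cmdresult` is created in `revokecert`: `if type(cert) ~= "string" or not string.match(cert, "^[%w%._%-]+$") then cmdresult.value = "Invalid certificate name" return cmdresult end` (adjust the class to the real file-name format; `getcert` and `deletecert` take the same parameter and would benefit from the same check). The `session.permissions.openssl.revoke` test is only visible in the view, so confirm that the dispatcher enforces it server-side before reaching this action.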
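Review bot: `<?= string.gsub(view.value.cmdresult.value, "\n", "<BR>") ?>` in the command-result block forwards both return values of `gsub` — the rewritten string and the substitution count — so if `<?= ... ?>` expands to a write of all its values, the count is printed after the text; wrap the call to truncate it to one value: `<?= (string.gsub(view.value.cmdresult.value, "\n", "<BR>")) ?>`. As before this change, `cmdresult.value` is raw `openssl ca` output inserted into the page without escaping, and that output can echo subject fields taken from the signing request; if the `html` helper provides an escaping function it should be applied before the `<BR>` substitution.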
@@ -42,6 +42,13 @@ io.write(html.cfe_unpack(view)) </TABLE> <? end ?> +<? local reverserevoked = {} +if view.value.revoked then + for i,serial in ipairs(view.value.revoked.value) do + reverserevoked[serial] = i + end +end ?> + <H1>Approved certificate requests<? if view.value.user then?> for <?= view.value.user.value ?><? end ?></H1> <? if not view.value.approved or #view.value.approved.value == 0 then ?> No certificates approved 
@@ -54,36 +61,59 @@ io.write(html.cfe_unpack(view)) <TD style="padding-right:20px;white-space:nowrap;" class="header">Common Name</TD> <TD style="white-space:nowrap;" class="header">Serial Num</TD> <? for i,cert in ipairs(view.value.approved.value) do ?> - <TR> - <TD> - <? if session.permissions.openssl.viewcert then ?> - <?= html.link{value="viewcert?cert="..cert.name, label="View "} ?> - <? end ?> - <? if session.permissions.openssl.getcert then ?> - <?= html.link{value="getcert?cert="..cert.name, label="Download "} ?> - <? end ?> - <? if session.permissions.openssl.revoke then ?> - <?= html.link{value="revoke?cert="..cert.name, label="Revoke "} ?> + <? if not reverserevoked[cert.serial] then ?> + <TR> + <TD> + <? if session.permissions.openssl.viewcert then ?> + <?= html.link{value="viewcert?cert="..cert.name, label="View "} ?> + <? end ?> + <? if session.permissions.openssl.getcert then ?> + <?= html.link{value="getcert?cert="..cert.name, label="Download "} ?> + <? end ?> + <? if session.permissions.openssl.revoke then ?> + <?= html.link{value="revoke?cert="..cert.name, label="Revoke "} ?> + <? end ?> + <? if session.permissions.openssl.deletecert then ?> + <?= html.link{value="deletecert?cert="..cert.name, label="Delete "} ?> + <? end ?> + </TD> + <TD><?= cert.user ?></TD> + <TD><?= cert.certtype ?></TD> + <TD><?= cert.commonName ?></TD> + <TD><?= cert.serial ?></TD> + </TR> <? end ?> - <? if session.permissions.openssl.deletecert then ?> - <?= html.link{value="deletecert?cert="..cert.name, label="Delete "} ?> - <? end ?> - </TD> - <TD><?= cert.user ?></TD> - <TD><?= cert.certtype ?></TD> - <TD><?= cert.commonName ?></TD> - <TD><?= cert.serial ?></TD> - </TR> <? end ?> </TABLE> <? end ?> - + <H1>Revoked certificates<? if view.value.user then?> for <?= view.value.user.value ?><? end ?></H1> <? if not view.value.revoked or #view.value.revoked.value == 0 then ?> No certificates revoked -<? 
else - for i,name in ipairs(view.value.revoked.value) do - io.write(name..'<br>') - end -end ?> +<? else ?> +<TABLE> + <TR style="background:#eee;font-weight:bold;"> + <TD style="padding-right:20px;white-space:nowrap;" class="header">User</TD> + <TD style="padding-right:20px;white-space:nowrap;" class="header">Cert Type</TD> + <TD style="padding-right:20px;white-space:nowrap;" class="header">Common Name</TD> + <TD style="white-space:nowrap;" class="header">Serial Num</TD> + <? for i,cert in ipairs(view.value.approved.value) do ?> + <? if reverserevoked[cert.serial] then ?> + <TR> + <TD><?= cert.user ?></TD> + <TD><?= cert.certtype ?></TD> + <TD><?= cert.commonName ?></TD> + <TD><?= cert.serial ?></TD> + </TR> + <? end ?> + <? end ?> +</TABLE> +<? end ?> + +<? if session.permissions.openssl.getrevoked then ?> +<H1>Get revoked list (crl)</H1> +<?= html.link{value="getrevoked?crltype=PEM", label="Download PEM "} ?><BR> +<?= html.link{value="getrevoked?crltype=DER", label="Download DER "} ?><BR> +<?= html.link{value="getrevoked", label="Import to Firefox"} ?><BR> +<? end ?> diff --git a/openssl-model.lua b/openssl-model.lua index fa844fe..ef2218e 100644 --- a/openssl-model.lua +++ b/openssl-model.lua @@ -317,7 +317,6 @@ approverequest = function(request) -- Now, sign the certificate local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1" -APP.logevent(cmd) local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() @@ -357,6 +356,7 @@ listcerts = function(user) local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)") list[#list + 1] = {name=name, user=a, certtype=b, commonName=c, serial=d} end + fh:close() return cfe({ type="list", value=list, label="List of approved certificates" }) end 
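Review bot: The new revoked-certificates table iterates `view.value.approved.value` without the nil guard that the approved section has, so when `revoked` is non-empty but `view.value.approved` (or its `value`) is nil, `ipairs` raises an error and the page fails; guard the loop with `<? if view.value.approved then for i,cert in ipairs(view.value.approved.value) do ?>` and add the matching `<? end ?>`. Because the rows are derived from the approved list rather than from the revoked serials themselves, a revoked certificate whose file is later removed through `deletecert` vanishes from this view although its serial stays in `view.value.revoked.value` and in the CRL; consider also listing serials from `view.value.revoked.value` that have no approved entry, so the page reflects the real revocation state.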
@@ -368,10 +368,17 @@ end getcert = function(cert) local f = fs.read_file(certdir..cert..".pfx") - return cfe({ type="raw", value=f, label=cert..".pfx" }) + return cfe({ type="raw", value=f, label=cert..".pfx", option="application/x-pkcs12" }) + --return cfe({ type="raw", value=f, label=cert..".pfx" }) end revokecert = function(cert) + local cmdresult = cfe({ label="Revoke result" }) + local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1" + local f = io.popen(cmd) + cmdresult.value = f:read("*a") + f:close() + return cmdresult end deletecert = function(cert) 
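Review bot: `getcert` keeps its previous return statement as a commented-out line (`--return cfe({ type="raw", value=f, label=cert..".pfx" })`) directly after the replacement; version control already records the old form, so the dead line should be dropped. In `revokecert`, `io.popen(cmd)` is used without checking that a handle was returned, so a failure to spawn the shell turns into an index error on `f:read` instead of a readable result; `local f = assert(io.popen(cmd))` or `if not f then cmdresult.value = "could not run openssl" return cmdresult end` would make the failure visible (the existing `approverequest` has the same pattern, outside this hunk).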
@@ -382,6 +389,39 @@ deletecert = function(cert) return cfe({ value="Certificate deleted", label="Delete result" }) end +listrevoked = function() + config = config or getopts.getoptsfromfile(configfile) + local databasepath = getconfigpath(config.ca.default_ca, "database") + local revoked = {} + local database = fs.read_file_as_array(databasepath) + for x,line in ipairs(database) do + if string.sub(line,1,1) == "R" then + revoked[#revoked + 1] = string.match(line, "^%S+%s+%S+%s+%S+%s+(%S+)") + end + end + return cfe({ type="list", value=revoked, label="Revoked serial numbers" }) +end + +getcrl = function(crltype) + local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" }) + local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl" + local f = io.popen(cmd) + f:close() + local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER" + local f = io.popen(cmd) + f:close() + if crltype == "DER" then + crlfile.label = "ca-der-crl.crl" + crlfile.value = fs.read_file(crlfile.label) + elseif crltype == "PEM" then + crlfile.label = "ca-crl.crl" + crlfile.value = fs.read_file(crlfile.label) + else + crlfile.value = fs.read_file("ca-crl.crl") + end + return crlfile +end + -- FIXME this won't work because haserl doesn't support file upload. Untested and unfinished putca = function(file, pword, set) local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' }) |
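Review bot: In `getcrl` the CRL files are written to `openssldir.."ca-crl.crl"` and `openssldir.."ca-der-crl.crl"`, but all three read branches call `fs.read_file` with a bare file name (`crlfile.label` or `"ca-crl.crl"`), which resolves against the process's working directory, so the freshly generated file is only found if that directory happens to be `openssldir`; read with the same prefix, e.g. `crlfile.value = fs.read_file(openssldir..crlfile.label)` in the DER and PEM branches and `fs.read_file(openssldir.."ca-crl.crl")` in the fallback. Both `openssl` invocations are opened with `io.popen` and closed without reading their output or checking the handle, so a failed `-gencrl` silently serves whatever file is already on disk; capture `f:read("*a")` and treat a non-empty result as an error, as `revokecert` does with its result. In `listrevoked`, `config = config or getopts.getoptsfromfile(configfile)` assigns without `local`; if `config` is an intended module-level cache that is fine, otherwise it creates a global — confirm against the rest of the file. `getconfigpath`, `openssldir`, `certdir` and `fs` are defined outside these hunks.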