-rw-r--r-- | openssl-ca-acf.cnf | 24 | ||||
-rw-r--r-- | openssl-editdefaults-html.lsp | 2 | ||||
-rw-r--r-- | openssl-model.lua | 90 | ||||
-rw-r--r-- | openssl-request-html.lsp | 2 |
4 files changed, 81 insertions, 37 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf index 0fa7f05..5e11a9f 100644 --- a/openssl-ca-acf.cnf +++ b/openssl-ca-acf.cnf @@ -99,20 +99,23 @@ countryName_default = countryName_min = 2 countryName_max = 2 -# This is how you add multiple values; in this case we will -# use multiple organizationNames - -0.organizationName = Organization Name -0.organizationName_default = - -1.organizationName = Organization Name -1.organizationName_default = +organizationName = Organization Name +organizationName_default = localityName = Locality Name (e.g. city) localityName_default = -organizationalUnitName = Organizational Unit Name (eg, division) -organizationalUnitName_default = +# This is how you add multiple values; in this case we will +# use multiple organizationalUnitNames + +0.organizationalUnitName = Organizational Unit Name (eg, division) +0.organizationalUnitName_default= + +1.organizationalUnitName = Organizational Unit Name (eg, division) +1.organizationalUnitName_default= + +2.organizationalUnitName = Organizational Unit Name (eg, division) +2.organizationalUnitName_default= commonName = Common Name (eg, the certificate CN) commonName_max = 64 @@ -135,7 +138,6 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always [ v3_req ] -subjectAltName = $ENV::ALTNAME [ general_cert ] # Non-specific diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp index 77221a1..376eb12 100644 --- a/openssl-editdefaults-html.lsp +++ b/openssl-editdefaults-html.lsp @@ -10,7 +10,7 @@ io.write(html.cfe_unpack(form)) form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O", "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" } - local finishingorder = { "certtype" } + local finishingorder = { "certtype", "extensions" } displayform(form, order, finishingorder) ?> 
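Review bot: The [v3_req] section is left in place but empty once `subjectAltName = $ENV::ALTNAME` is removed, and the openssl-model.lua changes in this commit only reuse it when [req] already sets `req_extensions`; otherwise they see `config["v3_req"]` as taken and create a `v3_req_<timestamp>` section instead, leaving this one dead. If [req] in this file does not yet name an extension section (that part of the file is outside the hunk), I would add `req_extensions = v3_req` there in the same commit so the form-edited extensions land in this section. Note also that any other deployed copy of this config still referencing `$ENV::ALTNAME` will now make openssl fail, since the `ALTNAME=''` environment prefix is dropped from every command in this commit.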
diff --git a/openssl-model.lua b/openssl-model.lua index 92952eb..9c34711 100644 --- a/openssl-model.lua +++ b/openssl-model.lua @@ -75,10 +75,9 @@ local validate_distinguished_names = function(values) end -- Write distinguished name defaults to config file -local write_distinguished_names = function(values, ignorevalues) +local write_distinguished_names = function(file, values, ignorevalues) local reverseignore = {} for i,value in ipairs(ignorevalues) do reverseignore[value]=i end - local file = fs.read_file(configfile) config = config or getopts.getoptsfromfile(file) local distinguished_name = config.req.distinguished_name or "" @@ -89,8 +88,8 @@ local write_distinguished_names = function(values, ignorevalues) a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value) end end - fs.write_file(configfile, file) - config = getopts.getoptsfromfile(file) + config = nil + return file end local create_subject_string = function(values, ignorevalues) @@ -149,7 +148,7 @@ local find_ca_sections = function() return cert_types end -local validate_request = function(defaults) +local validate_request = function(defaults, noextensionsections) local success success, defaults = validate_distinguished_names(defaults) @@ -167,6 +166,20 @@ local validate_request = function(defaults) end end + if defaults.value.extensions then + config = config or getopts.getoptsfromfile(configfile) + local extensions = getopts.getoptsfromfile(defaults.value.extensions.value) + for name,value in pairs(extensions or {}) do + if name ~= "" and noextensionsections then + defaults.value.extensions.errtxt = "Cannot contain sections" + success = false + elseif name ~= "" and config[name] then + defaults.value.extensions.errtxt = "Duplicate section name" + success = false + end + end + end + return success, defaults end 
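Review bot: The new check in validate_request only rejects `[section]` headers in the user-supplied extensions text; it does not bound what goes inside the section, and that text is later written verbatim into an OpenSSL config file by both setreqdefaults and submitrequest in this commit. Depending on the OpenSSL version, config directives such as `.include <path>` and `$ENV::NAME` expansions would be honoured there, and a requester can also ask for `basicConstraints = CA:TRUE` or `keyUsage = keyCertSign`, which only stays harmless as long as the CA section never uses `copy_extensions`. I would validate with a whitelist instead: iterate `extensions[""]` and reject any key outside an allowed set (subjectAltName, keyUsage, extendedKeyUsage, nsComment), and reject lines that begin with `.` or contain `$`. Separately, getopts.getoptsfromfile is given `configfile` (a path) elsewhere in this hunk and the raw form value here; if it treats a string naming an existing file as a path, a submitted value such as `/etc/ssl/openssl.cnf` would be parsed as that file rather than as text, which is worth confirming.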
@@ -283,18 +296,38 @@ getreqdefaults = function() -- Add in the ca type default defaults.value.certtype = cfe({ type="select", label="Certificate Type", value=config.ca.default_ca, option=find_ca_sections() }) + -- Add in the extensions + local extensions = "" + config = config or getopts.getoptsfromfile(configfile) + if config.req.req_extensions then + extensions = getopts.getsection(configfile, config.req.req_extensions) + end + defaults.value.extensions = cfe({ type="longtext", label="Additional x509 Extensions", value=extensions }) return defaults end setreqdefaults = function(defaults) - local success, defaults = validate_request(defaults) + local success, defaults = validate_request(defaults, true) -- If success, write the values to the config file if success then - getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value) + local a,b,c + local fileval = fs.read_file(configfile) + config = config or getopts.getoptsfromfile(fileval) + local ext_section + if not config.req or not config.req.req_extensions then + ext_section = "v3_req" + while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end + a,b,c,fileval = getopts.setoptsinfile(fileval, "req", "req_extensions", ext_section) + else + ext_section = config.req.req_extensions + end config = nil - write_distinguished_names(defaults, {"certtype"}) + a,b,c,fileval = getopts.setsection(fileval, ext_section, defaults.value.extensions.value) + a,b,c,fileval = getopts.setoptsinfile(fileval, "ca", "default_ca", defaults.value.certtype.value) + fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions"}) + fs.write_file(configfile, fileval) end if not success then 
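Review bot: The fallback-name loop `while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end` produces the same candidate for a whole second, so if `v3_req_<now>` already exists it spins until the clock ticks; a counter is deterministic and cannot stall, e.g. `local n = 0; while config[ext_section] do n = n + 1; ext_section = "v3_req_"..n end`. The extensions text is also persisted into the live CA config through getopts.setsection with only the no-sections check from validate_request, so `.include` lines or `$ENV::` references in the admin input would be honoured by openssl on every later invocation; a comment stating that this form is admin-only and its content is trusted config, or a key whitelist, would make that explicit. setreqdefaults continues past the end of the hunk.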
@@ -309,7 +342,6 @@ getnewrequest = function() -- In addition to the request defaults, we need a password and confirmation values.value.password = cfe({ label="Password" }) values.value.password_confirm = cfe({ label="Password confirmation" }) - values.value.subjectAltName = cfe({ label="Alternative Name (e.g. DNS:www.myotherhost.com)" }) return values end @@ -331,11 +363,6 @@ submitrequest = function(defaults, user) success = false end - if defaults.value.subjectAltName.value:match("'") then - defaults.value.subjectAltName.errtxt = "Cannot contain '" - success = false - end - local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value) if fs.is_file(reqname..".csr") then defaults.errtxt = "Failed to submit request\nRequest already exists" 
@@ -344,9 +371,31 @@ submitrequest = function(defaults, user) if success then -- Submit the request - local subject = create_subject_string(defaults, {"password", "password_confirm", "subjectAltName", "certtype"}) - local cmd = path .. "openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1" - cmd = "ALTNAME='" .. defaults.value.subjectAltName.value .. "' " .. cmd + local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"}) + + -- Generate a temp config file for this request + local a,b,c + local fileval = fs.read_file(configfile) + config = config or getopts.getoptsfromfile(fileval) + local temp = defaults.value.extensions.value + local ext_section + if not config.req or not config.req.req_extensions then + ext_section = "v3_req" + while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end + a,b,c,fileval = getopts.setoptsinfile(fileval, "req", "req_extensions", ext_section) + else + ext_section = config.req.req_extensions + end + --[[if config[defaults.value.certtype.value].x509_extensions then + ext_section = config[defaults.value.certtype.value].x509_extensions + for name,value in pairs(config[ext_section] or {}) do + a,b,c,temp = getopts.setoptsinfile(temp, "", name, value) + end + end--]] + a,b,c,fileval = getopts.setsection(fileval, ext_section, temp) + fs.write_file(configfile..".tmp", fileval) + + local cmd = path .. "openssl req -nodes -new -config "..configfile..".tmp -reqexts "..ext_section.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1" local f = io.popen(cmd) local cmdresult = f:read("*a") f:close() @@ -385,7 +434,6 @@ end viewrequest = function(request) local reqpath = requestdir .. request local cmd = path .. "openssl req -in "..reqpath..".csr -text -noout" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) local cmdresult = f:read("*a") f:close() 
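Review bot: The temporary config is written to the fixed path `configfile..".tmp"`, shared by every caller of submitrequest, so two concurrent submissions race: the second `fs.write_file` can replace the first user's extensions before its `openssl req` reads the file, and the file is never removed afterwards, leaving the last requester's extensions next to the CA config. A per-request path such as `local tmpconfig = reqname..".cnf"` (reqname is already unique per user, type and CN) used for both `fs.write_file` and the `-config` argument, followed by `os.remove(tmpconfig)` right after `f:close()`, avoids both problems. Whether `[section]` headers are permitted in the requester's extensions depends on the validate_request call earlier in submitrequest, which is outside this hunk; either way the requested extensions only take effect if the signing section sets `copy_extensions`, and with `copy` a requester can carry `basicConstraints=CA:TRUE` into a signed certificate unless the approver inspects the CSR, so that caveat belongs in a comment next to the `openssl ca` call in approverequest.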
@@ -409,7 +457,6 @@ approverequest = function(request) -- Now, sign the certificate local cmd = path .. "openssl ca -config "..configfile.." -in "..reqpath..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() @@ -502,7 +549,6 @@ end revokecert = function(cert) local cmdresult = cfe({ label="Revoke result" }) local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() @@ -546,7 +592,6 @@ renewcert = function(cert, approve) -- Next, submit the request cmd = path .. "openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1" - cmd = "ALTNAME='' " .. cmd f = io.popen(cmd) cmdresult = f:read("*a") f:close() @@ -585,11 +630,9 @@ end getcrl = function(crltype) local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" }) local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) f:close() local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) f:close() if crltype == "DER" then @@ -688,7 +731,6 @@ generateca = function(defaults) -- Submit the request local subject = create_subject_string(defaults, {"days"}) local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1" - cmd = "ALTNAME='' " .. cmd local f = io.popen(cmd) local cmdresult = f:read("*a") f:close() diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp index 6ed33ed..cc0cdb3 100644 --- a/openssl-request-html.lsp +++ b/openssl-request-html.lsp 
@@ -12,7 +12,7 @@ io.write(html.cfe_unpack(form)) form.value.password_confirm.type = "password" local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O", "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" } - local finishingorder = { "subjectAltName", "certtype", "password", "password_confirm" } + local finishingorder = { "certtype", "extensions", "password", "password_confirm" } displayform(form, order, finishingorder) ?> |