-rw-r--r--openssl-ca-acf.cnf30
-rw-r--r--openssl-controller.lua4
-rw-r--r--openssl-editconfigfile-html.lsp26
-rw-r--r--openssl-editdefaults-html.lsp7
-rw-r--r--openssl-generatecacert-html.lsp4
-rw-r--r--openssl-model.lua86
-rw-r--r--openssl-request-html.lsp8
-rw-r--r--openssl-status-html.lsp2
8 files changed, 73 insertions, 94 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
index 2e3adfb..47eec0e 100644
--- a/openssl-ca-acf.cnf
+++ b/openssl-ca-acf.cnf
@@ -89,12 +89,7 @@ countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional
-subjectAltName.1 = optional
-subjectAltName.2 = optional
-subjectAltName.3 = optional
-subjectAltName.4 = optional
-
-
+subjectAltName = optional
####################################################################
[ req ]
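Review bot: The new `subjectAltName = optional` line sits in a `ca` policy section, and policy sections only constrain subject DN components (match/supplied/optional per DN field); subjectAltName is an X.509v3 extension, so the entry has no effect either way, exactly like the four numbered lines it replaces. If the intent is to let a request's SAN reach the issued certificate, that is governed by `copy_extensions` in the `[ ca ]` section (not visible here; prefer `copy` over `copyall` so the signer's own extension section still overrides anything the requester asks for) or by a `subjectAltName` line in the extension section used at signing time. I'd either drop the line or annotate it, e.g. `# no-op: policy sections only cover DN fields, SANs come from the extension section`, so the next reader does not assume it enforces anything.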
@@ -102,7 +97,7 @@ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
-x509_extensions = ssl_client_cert
+x509_extensions = v3_ca_cert
string_mask = nombstr
[ req_distinguished_name ]
@@ -136,6 +131,13 @@ challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
+[ v3_ca_cert ]
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
[ general_cert ]
# Non-specific
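Review bot: The comment copied onto the new `keyUsage = cRLSign, keyCertSign` line ("may prevent self-signed certs from working") is misleading in this section: v3_ca_cert is now what `x509_extensions` in `[ req ]` selects, i.e. the extension set for the self-signed CA that generateca builds with `openssl req -x509`, and a self-signed CA certificate validates with keyCertSign alone because the self-signature is a certificate signature. The caveat only applies to self-signed end-entity certificates, which this section, with `basicConstraints = critical, CA:true`, is not meant to produce. I'd replace it with `# CA-only key: cRLSign + keyCertSign, no digitalSignature, so this key must never double as a TLS key`. Note also that every `openssl req -x509` run against this config now yields a CA:true certificate unless `-extensions` overrides it; on this page only generateca uses that path, which is fine, but worth a line in the section header.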
@@ -165,26 +167,16 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
-[ v3_ca_cert ]
+[ ssl_ca_cert ]
# SSL Certifying Authority
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
-#extendedKeyUsage = serverAuth, clientAuth
-extenedKeyUsage =
+extendedKeyUsage =
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ crl_ext ]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
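Review bot: Fixing the spelling to `extendedKeyUsage =` turns a line OpenSSL previously could not act on into an active directive with an empty value; as far as I recall OpenSSL then emits an EKU extension with no purposes rather than failing, and RFC 5280 requires at least one purpose, so strict verifiers may reject certificates signed with `[ ssl_ca_cert ]`. A CA certificate normally carries no EKU at all, so I'd comment the line out and keep only the explanatory form, e.g. `# no extendedKeyUsage: CA certificates carry none; enable serverAuth/clientAuth only for end-entity sections`. Separately, `[ v3_req ]` is removed here; if a `req_extensions = v3_req` reference survives in the part of the file outside this hunk, `openssl req` will fail on the missing section, so please check that the section was truly unreferenced. The `[ crl_ext ]` trimming is correct (basicConstraints and keyUsage are certificate extensions, not CRL extensions).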
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 83cdf9e..be85ac6 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -13,7 +13,7 @@ mvc.pre_exec = function(self)
if (sslstatus.value.version.errtxt and self.conf.action ~= "status")
or (sslstatus.value.conffile.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment")
or (sslstatus.value.environment.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment")
- or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "putcacert" and self.conf.action ~= "generatecacert" and self.conf.action ~= "checkenvironment")
+ or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "putcacert" and self.conf.action ~= "generatecacert" and self.conf.action ~= "checkenvironment" and self.conf.action ~= "editdefaults")
then
redirect(self)
end
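Review bot: The new condition on the `or ((sslstatus.value.cacert.errtxt ...` line is a sixth `~=` comparison appended to an already very long exclusion chain; each time another action is exempted, a reader has to diff four near-identical lines to see which gate changed, and a typo in one action name silently widens or narrows the redirect. An explicit allow-list table per failing status item makes the exemption this commit adds (`editdefaults` reachable without a CA) a one-word change and keeps the four gates aligned; the behaviour is identical, including a nil action (a nil key reads as absent, so the redirect still fires). The enclosing `mvc.pre_exec` starts outside the hunk, so the table belongs at the top of that function or at file scope.
```lua
-- actions that stay reachable while the named status item reports an error
local allowed_when = {
  conffile    = { status = true, editconfigfile = true, checkenvironment = true },
  environment = { status = true, editconfigfile = true, checkenvironment = true },
  ca          = { status = true, editconfigfile = true, checkenvironment = true,
                  putcacert = true, generatecacert = true, editdefaults = true },
}
local action = self.conf.action
if (sslstatus.value.version.errtxt and action ~= "status")
  or (sslstatus.value.conffile.errtxt and not allowed_when.conffile[action])
  or (sslstatus.value.environment.errtxt and not allowed_when.environment[action])
  or ((sslstatus.value.cacert.errtxt or sslstatus.value.cakey.errtxt) and not allowed_when.ca[action])
then
  redirect(self)
end
```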
@@ -117,7 +117,7 @@ end
-- Generate a self-signed CA
generatecacert = function(self)
- return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Gererate CA Certificate", "Certificate Generated", "status")
+ return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Generate CA Certificate", "Certificate Generated", "status")
end
editconfigfile = function(self)
diff --git a/openssl-editconfigfile-html.lsp b/openssl-editconfigfile-html.lsp
index 46f820b..bd8e6de 100644
--- a/openssl-editconfigfile-html.lsp
+++ b/openssl-editconfigfile-html.lsp
@@ -1,31 +1,11 @@
<? local form, viewlibrary, page_info, session = ... ?>
<? require("viewfunctions") ?>
-<? --[[ DEBUG INFORMATION
-io.write(html.cfe_unpack(form))
---]] ?>
-
-<H1>Configuration</H1>
-<H2>File Details</H2>
-<DL>
<?
-displayitem(form.value.filename)
-displayitem(form.value.filesize)
-displayitem(form.value.mtime)
+local pattern = string.gsub(page_info.prefix..page_info.controller, "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1")
+local func = haserl.loadfile(page_info.viewfile:gsub(pattern..".*$", "/") .. "filedetails-html.lsp")
+func(form, viewlibrary, page_info, session)
?>
-</DL>
-
-<H2>File Content</H1>
-<? if form.descr then ?><P CLASS='descr'><?= string.gsub(form.descr, "\n", "<BR>") ?></P><? end ?>
-<? if form.errtxt then ?><P CLASS='error'><?= string.gsub(form.errtxt, "\n", "<BR>") ?></P><? end ?>
-<form action="<?= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action ?>" method="POST">
-<textarea name="filecontent">
-<?= form.value.filecontent.value ?>
-</textarea>
-<? if form.value.filecontent.errtxt then ?><P CLASS='error'><?= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") ?></P><? end ?>
-
-<DL><DT></DT><DD><input class="submit" type="submit" name="<?= form.option ?>" value="<?= form.option ?>"></DD></DL>
-</form>
<? if viewlibrary and viewlibrary.dispatch_component and session.permissions.openssl.checkenvironment then
viewlibrary.dispatch_component("checkenvironment")
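Review bot: `haserl.loadfile(...)` is called unconditionally on the next line; if it follows the Lua `loadfile` convention of returning `nil, err` when the file is missing or fails to compile, an absent filedetails-html.lsp surfaces as "attempt to call a nil value" with no hint of which file was wanted. `local func = assert(haserl.loadfile(...))` keeps the loader's own error text. The include path is derived by stripping everything from the first occurrence of prefix..controller in page_info.viewfile, so it presumes that string does not also appear earlier in the install path; a comment such as `-- shared view expected next to this controller's own views` would record the assumption. The `if` block opened on the line before this one continues past the hunk.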
diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp
index e678ec4..77221a1 100644
--- a/openssl-editdefaults-html.lsp
+++ b/openssl-editdefaults-html.lsp
@@ -8,8 +8,9 @@ io.write(html.cfe_unpack(form))
<H1><?= form.label ?></H1>
<?
form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress", "certtype" }
- displayform(form, order)
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
+ local finishingorder = { "certtype" }
+ displayform(form, order, finishingorder)
?>
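Review bot: The `order` list with alternating long and short DN names is now copied verbatim into three views (this one, openssl-generatecacert-html.lsp and openssl-request-html.lsp), while the model already owns the long/short mapping in `short_names`; adding or renaming a DN field means editing four places and the views silently drift when one copy is missed. Exposing one ordered list from the model (or deriving it from `short_names`) and having each view call `displayform(form, model_order, finishingorder)` keeps a single source of truth. The three-argument `displayform(form, order, finishingorder)` presumes viewfunctions accepts a finishing list; that signature is not on the page, so please confirm it exists rather than being ignored.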
diff --git a/openssl-generatecacert-html.lsp b/openssl-generatecacert-html.lsp
index 3f251f5..1061ab6 100644
--- a/openssl-generatecacert-html.lsp
+++ b/openssl-generatecacert-html.lsp
@@ -8,8 +8,8 @@ io.write(html.cfe_unpack(form))
<H1><?= form.label ?></H1>
<?
form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress" }
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
displayform(form, order)
?>
diff --git a/openssl-model.lua b/openssl-model.lua
index d0c669d..6a17a0c 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -21,17 +21,12 @@ local openssldir = "/etc/ssl/"
local config = nil
-- list of request entries that can be edited
-local distinguished_names = { {name="countryName", label="Country Name", short="C"},
- {name="stateOrProvinceName", label="State Or Province Name", short="ST"},
- {name="localityName", label="Locality Name", short="L"},
- {name="organizationName", label="Organization Name", short="O"},
- {name="organizationalUnitName", label="Organizational Unit Name", short="OU"},
- {name="commonName", label="Common Name", short="CN"},
- {name="emailAddress", label="e-mail Address"} }
+local short_names = { countryName="C", stateOrProvinceName="ST", localityName="L", organizationName="O", organizationalUnitName="OU", commonName="CN" }
+
-- list of entries that may be found in cert extensions section
local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", "subjectKeyIdentifier",
"authorityKeyIdentifier", "subjectAltName", "issuerAltName" }
--- list of entries that must be found in ca section
+-- list of entries that must be found in ca section (used to define our certificate types)
local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy" }
-- Create a cfe with the distinguished name defaults
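Review bot: `short_names` replaces a table that documented itself through its `label` fields, but the new mapping has no comment and its two roles (emitting `C=`/`ST=`/… in the subject string and recognising short-form keys coming from the config section) only become clear in create_subject_string further down. I'd add `-- OpenSSL short forms of the DN field names; used both to emit C=/ST=/... in -subj and to treat short-form keys from the config as DN fields` above it, and note that `emailAddress` is intentionally absent because OpenSSL has no short form for it.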
@@ -41,13 +36,10 @@ local getdefaults = function()
local distinguished_name = config.req.distinguished_name or ""
-- Get the distinguished name defaults
- for i, name in ipairs(distinguished_names) do
- defaults.value[name.name] = cfe({ label=name.label,
- value=config[distinguished_name][name.name .. "_default"]
- or config[distinguished_name]["0."..name.name.."_default"] or "",
- descr=config[distinguished_name][name.name] or config[distinguished_name]["0."..name.name] })
- if defaults.value[name.name].value == "" and name.short then
- defaults.value[name.name].value = config[distinguished_name][name.short .. "_default"] or ""
+ for name,value in pairs(config[distinguished_name]) do
+ if nil == string.find(name, "_") then
+ defaults.value[name] = cfe({ label=value,
+ value=config[distinguished_name][name .. "_default"] or "" })
end
end
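Review bot: `pairs(config[distinguished_name])` raises "bad argument #1 to 'pairs'" when `config.req.distinguished_name` is unset or names a section that does not exist, since `distinguished_name` then falls back to `""`; the old code failed on the first index in that case too, so it is not a regression, but `for name,value in pairs(config[distinguished_name] or {}) do` lets getdefaults return an empty cfe instead of crashing the status page. The `nil == string.find(name, "_")` filter is a heuristic worth a comment, e.g. `-- every key of the DN section without a _default/_min/_max modifier is a DN prompt; both long and short forms (commonName and CN) are exposed if the config lists both`, and `not name:find("_", 1, true)` says the same with a plain-text search. The enclosing getdefaults function starts outside the hunk.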
@@ -60,21 +52,21 @@ local validate_distinguished_names = function(values)
local distinguished_name = config.req.distinguished_name or ""
local success = true
- for i, name in ipairs(distinguished_names) do
- if string.find(values.value[name.name].value, "[,/'=]") then
- values.value[name.name].errtxt = "Value cannot contain =/,'"
+ for name,value in pairs(values.value) do
+ if string.find(value.value, "[,/'=]") then
+ value.errtxt = "Value cannot contain =/,'"
success = false
end
-- check min, but empty is allowed
- local min = config[distinguished_name][name.name.."_min"] or config[distinguished_name]["0."..name.name.."_min"]
- if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) and #values.value[name.name].value > 0 then
- values.value[name.name].errtxt = "Value too short"
+ local min = config[distinguished_name][name.."_min"]
+ if min and value.value and #value.value < tonumber(min) and #value.value > 0 then
+ value.errtxt = "Value too short"
success = false
end
- local max = config[distinguished_name][name.name.."_max"] or config[distinguished_name]["0."..name.name.."_max"]
- if max and values.value[name.name] and #values.value[name.name].value > tonumber(max) then
- values.value[name.name].errtxt = "Value too long"
+ local max = config[distinguished_name][name.."_max"]
+ if max and value.value and #value.value > tonumber(max) then
+ value.errtxt = "Value too long"
success = false
end
end
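Review bot: `string.find(value.value, "[,/'=]")` on the first new line of the loop has no nil guard, while the min and max checks below it test `value.value` first; now that the loop walks every entry of values.value instead of the fixed DN list, an entry whose value is nil raises "bad argument #1 to 'find'" instead of being reported, so `if value.value and string.find(value.value, "[,/'=]") then` brings it in line with the other two. The character class deserves a comment because it is what keeps the subject intact downstream: `/` and `=` are the delimiters of the `-subj` string create_subject_string builds and `'` closes the single-quoted argument in the io.popen command lines, so `-- reject DN delimiters and the quote that wraps -subj in the openssl command` makes the dependency visible. Since passwords now travel through the same loop, a password containing any of those characters is rejected as well; that may be acceptable, but it is a behaviour change worth stating. validate_distinguished_names starts outside the hunk.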
@@ -82,30 +74,44 @@ local validate_distinguished_names = function(values)
end
-- Write distinguished name defaults to config file
-local write_distinguished_names = function(values)
+local write_distinguished_names = function(values, ignorevalues)
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
local file = fs.read_file(configfile)
config = config or getopts.getoptsfromfile(file)
local distinguished_name = config.req.distinguished_name or ""
- for i,name in ipairs(distinguished_names) do
- wname = name.name.."_default"
- if config[distinguished_name]["0."..name.name] then
- wname = "0."..wname
- end
- if values.value[name.name] then
+ for name,value in pairs(values.value) do
+ if not reverseignore[name] then
+ local wname = name.."_default"
local a,b,c
- a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, values.value[name.name].value)
+ a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value)
end
end
fs.write_file(configfile, file)
config = getopts.getoptsfromfile(file)
end
-local create_subject_string = function(values)
+local create_subject_string = function(values, ignorevalues)
local outstr = {}
- for i,name in ipairs(distinguished_names) do
- if values.value[name.name].value ~= "" then
- outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
+ -- do the ones with short names first
+ local reverseshorts = {}
+ for name,short in pairs(short_names) do
+ reverseshorts[short] = name
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if (short_names[name] or reverseshorts[name]) and value.value and value.value ~= "" then
+ name = short_names[name] or name
+ outstr[#outstr + 1] = name .. "=" .. value.value
+ end
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if not reverseignore[name] and not short_names[name] and not reverseshorts[name] and value.value and value.value ~= "" then
+ outstr[#outstr + 1] = name .. "=" .. value.value
end
end
return "/"..table.concat(outstr, "/")
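Review bot: Both loops in create_subject_string iterate `values.value` with `pairs`, so the order of RDNs in the generated subject is unspecified and can differ between runs and between the request and the CA certificate, whereas the removed `distinguished_names` list emitted C, ST, L, O, OU, CN, emailAddress in a fixed order; `reverseignore` is also only consulted in the second loop, so an ignored name that happens to be a short form is still emitted, and if a config exposes both `commonName` and `CN` (as the views now allow) the subject gets two CN components. The rewrite below restores the conventional order, applies the ignore list to every entry, and defaults `ignorevalues` to `{}`; the same `ignorevalues or {}` default belongs on `ipairs(ignorevalues)` in write_distinguished_names so callers outside this page that pass one argument keep working. The `end` of create_subject_string lies past the hunk.
```lua
local create_subject_string = function(values, ignorevalues)
  -- The result is interpolated into a single-quoted -subj shell argument by the
  -- callers, so values must already have passed validate_distinguished_names.
  local ignore = {}
  for _, name in ipairs(ignorevalues or {}) do ignore[name] = true end
  local reverseshorts = {}
  for name, short in pairs(short_names) do reverseshorts[short] = name end
  -- bucket by short form ("0.commonName" and "CN" both land under CN); the rest keep their name
  local byshort, others = {}, {}
  for key, entry in pairs(values.value) do
    local name = key:gsub(".*%.", "")
    if not ignore[name] and entry.value and entry.value ~= "" then
      local short = short_names[name] or (reverseshorts[name] and name)
      if short then
        byshort[short] = byshort[short] or {}
        byshort[short][#byshort[short] + 1] = entry.value
      else
        others[#others + 1] = name .. "=" .. entry.value
      end
    end
  end
  -- conventional DN order first, then the remaining fields in a stable order
  local outstr = {}
  for _, short in ipairs({ "C", "ST", "L", "O", "OU", "CN" }) do
    for _, v in ipairs(byshort[short] or {}) do outstr[#outstr + 1] = short .. "=" .. v end
  end
  table.sort(others)
  for _, s in ipairs(others) do outstr[#outstr + 1] = s end
  return "/" .. table.concat(outstr, "/")
end
```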
@@ -287,7 +293,7 @@ setreqdefaults = function(defaults)
if success then
getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
config = nil
- write_distinguished_names(defaults)
+ write_distinguished_names(defaults, {"certtype"})
end
if not success then
@@ -331,7 +337,7 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
@@ -388,7 +394,7 @@ approverequest = function(request)
-- Add the serial number to the end of the cert file name
local serialpath = getconfigentry(certtype, "serial")
- local serialfile = fs.read_file(openssldir..serialpath)
+ local serialfile = fs.read_file(serialpath)
local serial = string.match(serialfile, "%x%x")
local certname = certdir..request.."."..serial
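Review bot: `fs.read_file(serialpath)` now takes the configured `serial` entry verbatim, so it relies on getconfigentry already returning a resolved path; if the config holds a `$dir/serial` form that getconfigentry does not expand, read_file presumably returns nil and `string.match(serialfile, "%x%x")` on the next line raises "bad argument #1 to 'match'" with no mention of the file. A guard such as `if not serialfile then return ..., "cannot read serial file "..serialpath end` (in whatever error convention approverequest uses, its body continues outside the hunk) would name the cause. Independently, `"%x%x"` keeps only the first two hex digits of the serial, so once the CA's serial passes 0xFF a value like `0100` yields certname suffix `01`, and cert file names can collide with earlier ones; `string.match(serialfile, "%x+")` keeps the whole serial.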
@@ -666,7 +672,7 @@ generateca = function(defaults)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"days"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp
index ff27023..348ad23 100644
--- a/openssl-request-html.lsp
+++ b/openssl-request-html.lsp
@@ -8,11 +8,11 @@ io.write(html.cfe_unpack(form))
<H1><?= form.label ?></H1>
<?
form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
- local order = { "countryName", "stateOrProvinceName", "localityName", "organizationName",
- "organizationalUnitName", "commonName", "emailAddress", "certtype",
- "password", "password_confirm" }
form.value.password.type = "password"
form.value.password_confirm.type = "password"
- displayform(form, order)
+ local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
+ "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
+ local finishingorder = { "certtype", "password", "password_confirm" }
+ displayform(form, order, finishingorder)
?>
diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp
index 7ba2b95..cf9f119 100644
--- a/openssl-status-html.lsp
+++ b/openssl-status-html.lsp
@@ -5,7 +5,7 @@
io.write(html.cfe_unpack(view))
--]] ?>
-<H1>SYSTEM INFO</H1>
+<H1>System Info</H1>
<DL>
<? displayitem(view.value.version) ?>
<? displayitem(view.value.conffile) ?>