Diffstat (limited to 'openssl-model.lua')
-rw-r--r--openssl-model.lua94
1 files changed, 52 insertions, 42 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index fb28cb6..bcde4df 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -16,6 +16,7 @@ local configfile = "/etc/ssl/openssl-ca-acf.cnf"
local requestdir = "/etc/ssl/req/"
local certdir = "/etc/ssl/cert/"
local openssldir = "/etc/ssl/"
+local path = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin "
-- Save the config in a variable so isn't loaded each and every time needed
local config = nil
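Review bot: The new module-level `path` on L18 is not a path but a `PATH=… ` environment-assignment prefix whose trailing space is load-bearing, and its generic name is what forces the `path`→`dirpath`/`reqpath`/`chkpath` renames in the later hunks. A more specific name such as `local path_env = "PATH=/usr/local/bin:… "` would avoid shadowing future `path` locals, and a comment like `-- Prefix for every openssl command line; the trailing space is required` would make the space visible to the next editor. The definitions around this hunk are outside the diff.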
@@ -181,27 +182,27 @@ local copyca = function(cacert, cakey)
f:close()
end
-local checkdir = function(name, path)
+local checkdir = function(name, dirpath)
local errtxt, cmdline
- local filestats = posix.stat(path, "type")
+ local filestats = posix.stat(dirpath, "type")
if not filestats or filestats == "" then
errtxt = name.." does not exist"
- cmdline = "mkdir -p "..path
+ cmdline = "mkdir -p "..dirpath
elseif filestats ~= "directory" then
errtxt = "UNRECOVERABLE - "..name.." not a directory"
end
return errtxt, cmdline
end
-local checkfile = function(name, path, default)
+local checkfile = function(name, filepath, default)
local errtxt, cmdline
- local filestats = posix.stat(path, "type")
+ local filestats = posix.stat(filepath, "type")
if not filestats or filestats == "" then
errtxt = name.." does not exist"
if default then
- cmdline = "echo "..default.." > "..path
+ cmdline = "echo "..default.." > "..filepath
else
- cmdline = "touch "..path
+ cmdline = "touch "..filepath
end
elseif filestats ~= "regular" then
errtxt = "UNRECOVERABLE - "..name.." not a file"
@@ -249,7 +250,7 @@ getstatus = function()
if not fs.is_file(cacert.value) then
cacert.errtxt="File not found"
else
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..cacert.value.." -noout -text"
+ local cmd = path .. "openssl x509 -in "..cacert.value.." -noout -text"
local f = io.popen(cmd)
cacertcontents.value = f:read("*a")
f:close()
@@ -308,6 +309,7 @@ getnewrequest = function()
-- In addition to the request defaults, we need a password and confirmation
values.value.password = cfe({ label="Password" })
values.value.password_confirm = cfe({ label="Password confirmation" })
+ values.value.subjectAltName = cfe({ label="Alternative Name (e.g. DNS:www.myotherhost.com)" })
return values
end
@@ -337,8 +339,9 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "subjectAltName", "certtype"})
+ local cmd = path .. "openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = "ALTNAME=" .. defaults.value.subjectAltName.value .. " " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
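Review bot: On L77 the user-supplied `defaults.value.subjectAltName.value` is spliced into the shell command line unquoted and the result is handed to `io.popen` on L78, so any whitespace or shell metacharacter in the form field changes what the shell executes — a list such as `DNS:a, DNS:b` already breaks the command, and arbitrary field content is a command-injection path. The field should be validated where the other request fields are checked (the code that sets `success` is above this hunk) against a restrictive allowlist, e.g. `if not (altname or ""):match("^[%w%.%-_:,@ ]*$") then success = false end`, and even then be passed single-quoted: `cmd = "ALTNAME='" .. altname .. "' " .. cmd`. If `cfe({...})` leaves `value` nil the concatenation on L77 raises, which the `or ""` default also covers. Excluding `subjectAltName` from the subject string on L75 is right; the same field is introduced on L67 with no validation attached to it.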
@@ -375,8 +378,9 @@ listrequests = function(user)
end
viewrequest = function(request)
- local path = requestdir .. request
- local cmd = "openssl req -in "..path..".csr -text -noout"
+ local reqpath = requestdir .. request
+ local cmd = path .. "openssl req -in "..reqpath..".csr -text -noout"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
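Review bot: The `ALTNAME='' ` prefix on L88 is built as a separate concatenation step, and the same two-line pattern recurs in approverequest (L106), revokecert (L158), renewcert (L176), getcrl (L185, L190) and generateca (L225); a single helper such as `local function openssl_cmd(args, altname) return "ALTNAME='" .. (altname or "") .. "' " .. path .. "openssl " .. args end` would keep the environment setup in one place and give submitrequest the same quoting. A comment explaining why the variable has to be defined for every invocation would also help — presumably the CA config now references `$ENV::ALTNAME`, which is not part of this diff and should be confirmed.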
@@ -387,8 +391,8 @@ end
approverequest = function(request)
local cmdresult = cfe({ value="Failed to approve request", label="Approve result" })
- local path = requestdir .. request
- if fs.is_file(path..".csr") then
+ local reqpath = requestdir .. request
+ if fs.is_file(reqpath..".csr") then
-- Request file exists, so try to sign
local user,certtype,commonName = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
@@ -399,7 +403,8 @@ approverequest = function(request)
local certname = certdir..request.."."..serial
-- Now, sign the certificate
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
+ local cmd = path .. "openssl ca -config "..configfile.." -in "..reqpath..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
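Review bot: On L106 the signing step runs `openssl ca` with `ALTNAME=''`, so the alternative name the requester entered in submitrequest reaches the CA only through the CSR, not through the environment. Whether it ends up in the issued certificate then depends on the CA config's `copy_extensions` setting, which is not in this diff: if it is unset the SAN is silently dropped, and if it is `copyall` the CA honours every requester-supplied extension, so the config should be checked and copied extensions limited to the intended ones. approverequest continues outside this hunk.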
@@ -408,7 +413,7 @@ approverequest = function(request)
local filestats = posix.stat(certname..".crt")
if filestats and filestats.size > 0 then
-- We're wrapping up the key, the cert, and the CA cert (and whatever came with it)
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -export -inkey "..path..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..path..".pwd -certfile "..getconfigentry(certtype, "certificate").." 2>&1"
+ cmd = path .. "openssl pkcs12 -export -inkey "..reqpath..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..reqpath..".pwd -certfile "..getconfigentry(certtype, "certificate").." 2>&1"
f = io.popen(cmd)
local newcmdresult = f:read("*a")
f:close()
@@ -418,13 +423,13 @@ approverequest = function(request)
-- Finally, remove the request
filestats = posix.stat(certname..".pfx")
if filestats and filestats.size > 0 then
- cmd = "cp "..path..".pwd "..certname..".pwd"
+ cmd = "cp "..reqpath..".pwd "..certname..".pwd"
f = io.popen(cmd)
f:close()
- cmd = "cp "..path..".pem "..certname..".pem"
+ cmd = "cp "..reqpath..".pem "..certname..".pem"
f = io.popen(cmd)
f:close()
- cmd = "rm "..path..".*"
+ cmd = "rm "..reqpath..".*"
f = io.popen(cmd)
f:close()
else
@@ -455,7 +460,7 @@ listcerts = function(user)
for x in fh:lines() do
local name = basename(x,".pfx")
local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..name..".crt -noout -enddate"
+ local cmd = path .. "openssl x509 -in "..certdir..name..".crt -noout -enddate"
local f = io.popen(cmd)
local enddate = f:read("*a")
enddate = string.match(enddate, "notAfter=(.*)")
@@ -476,7 +481,7 @@ listcerts = function(user)
end
viewcert = function(cert)
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..cert..".crt -noout -text"
+ local cmd = path .. "openssl x509 -in "..certdir..cert..".crt -noout -text"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -491,7 +496,8 @@ end
revokecert = function(cert)
local cmdresult = cfe({ label="Revoke result" })
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
+ local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
cmdresult.value = f:read("*a")
f:close()
@@ -519,7 +525,7 @@ renewcert = function(cert, approve)
if success then
-- Submit the request
-- First, get the subject
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..certdir..cert..".crt -noout -subject"
+ local cmd = path .. "openssl x509 -in "..certdir..cert..".crt -noout -subject"
local f = io.popen(cmd)
local subject = f:read("*a")
subject = string.match(subject, "subject= ([^\n]*)")
@@ -534,7 +540,8 @@ renewcert = function(cert, approve)
f:close()
-- Next, submit the request
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = path .. "openssl req -new -config "..configfile.." -key "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
+ cmd = "ALTNAME='' " .. cmd
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
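Review bot: Renewal on L175–L176 regenerates the request from the existing certificate's subject only and sets `ALTNAME=''`, so a certificate that was issued with alternative names would come back without them. If alternative names are meant to survive renewal they need to be read from the existing certificate alongside the subject (the `-noout -subject` call is in the previous hunk) and passed in `ALTNAME` with the same validation and quoting that submitrequest needs. renewcert's body continues outside this hunk.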
@@ -572,10 +579,12 @@ end
getcrl = function(crltype)
local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" })
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
+ local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
+ local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
f:close()
if crltype == "DER" then
@@ -601,7 +610,7 @@ putca = function(newca)
-- Trying to upload a cert/key
-- The way haserl works, ca contains the temporary file name
-- First, get the cert
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."cert.pem -password pass:"..newca.value.password.value.." -nokeys 2>&1"
+ local cmd = path .. "openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."cert.pem -password pass:"..newca.value.password.value.." -nokeys 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -613,7 +622,7 @@ putca = function(newca)
-- Since -cacerts doesn't seem to work, we have to check to make sure we got a CA
if success then
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..newca.value.ca.value.."cert.pem -noout -text"
+ cmd = path .. "openssl x509 -in "..newca.value.ca.value.."cert.pem -noout -text"
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
@@ -625,7 +634,7 @@ putca = function(newca)
-- Now, get the key
if success then
- cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."key.pem -password pass:"..newca.value.password.value.." -nocerts -nodes 2>&1"
+ cmd = path .. "openssl pkcs12 -in "..newca.value.ca.value.." -out "..newca.value.ca.value.."key.pem -password pass:"..newca.value.password.value.." -nocerts -nodes 2>&1"
f = io.popen(cmd)
cmdresult = f:read("*a")
f:close()
@@ -673,7 +682,8 @@ generateca = function(defaults)
if success then
-- Submit the request
local subject = create_subject_string(defaults, {"days"})
- local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
+ local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
+ cmd = "ALTNAME='' " .. cmd
local f = io.popen(cmd)
local cmdresult = f:read("*a")
f:close()
@@ -737,31 +747,31 @@ checkenvironment = function(set)
config = config or getopts.getoptsfromfile(configfile)
if config then
- local path = getconfigentry(config.ca.default_ca, "new_certs_dir")
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", path)
+ local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir")
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", chkpath)
local file = getconfigentry(config.ca.default_ca, "certificate")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", chkpath)
file = getconfigentry(config.ca.default_ca, "private_key")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", chkpath)
file = getconfigentry(config.ca.default_ca, "database")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("database", file)
file = getconfigentry(config.ca.default_ca, "serial")
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("serial", file, "01")
file = getconfigentry(config.ca.default_ca, "crlnumber")
if file ~= "" then
- path = dirname(file)
- errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", path)
+ chkpath = dirname(file)
+ errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", chkpath)
errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("crlnumber", file, "01")
end
else