summaryrefslogtreecommitdiffstats
path: root/openssl-model.lua
diff options
context:
space:
mode:
Diffstat (limited to 'openssl-model.lua')
-rw-r--r--openssl-model.lua86
1 files changed, 46 insertions, 40 deletions
diff --git a/openssl-model.lua b/openssl-model.lua
index d0c669d..6a17a0c 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -21,17 +21,12 @@ local openssldir = "/etc/ssl/"
local config = nil
-- list of request entries that can be edited
-local distinguished_names = { {name="countryName", label="Country Name", short="C"},
- {name="stateOrProvinceName", label="State Or Province Name", short="ST"},
- {name="localityName", label="Locality Name", short="L"},
- {name="organizationName", label="Organization Name", short="O"},
- {name="organizationalUnitName", label="Organizational Unit Name", short="OU"},
- {name="commonName", label="Common Name", short="CN"},
- {name="emailAddress", label="e-mail Address"} }
+local short_names = { countryName="C", stateOrProvinceName="ST", localityName="L", organizationName="O", organizationalUnitName="OU", commonName="CN" }
+
-- list of entries that may be found in cert extensions section
local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", "subjectKeyIdentifier",
"authorityKeyIdentifier", "subjectAltName", "issuerAltName" }
--- list of entries that must be found in ca section
+-- list of entries that must be found in ca section (used to define our certificate types)
local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy" }
-- Create a cfe with the distinguished name defaults
@@ -41,13 +36,10 @@ local getdefaults = function()
local distinguished_name = config.req.distinguished_name or ""
-- Get the distinguished name defaults
- for i, name in ipairs(distinguished_names) do
- defaults.value[name.name] = cfe({ label=name.label,
- value=config[distinguished_name][name.name .. "_default"]
- or config[distinguished_name]["0."..name.name.."_default"] or "",
- descr=config[distinguished_name][name.name] or config[distinguished_name]["0."..name.name] })
- if defaults.value[name.name].value == "" and name.short then
- defaults.value[name.name].value = config[distinguished_name][name.short .. "_default"] or ""
+ for name,value in pairs(config[distinguished_name]) do
+ if nil == string.find(name, "_") then
+ defaults.value[name] = cfe({ label=value,
+ value=config[distinguished_name][name .. "_default"] or "" })
end
end
@@ -60,21 +52,21 @@ local validate_distinguished_names = function(values)
local distinguished_name = config.req.distinguished_name or ""
local success = true
- for i, name in ipairs(distinguished_names) do
- if string.find(values.value[name.name].value, "[,/'=]") then
- values.value[name.name].errtxt = "Value cannot contain =/,'"
+ for name,value in pairs(values.value) do
+ if string.find(value.value, "[,/'=]") then
+ value.errtxt = "Value cannot contain =/,'"
success = false
end
-- check min, but empty is allowed
- local min = config[distinguished_name][name.name.."_min"] or config[distinguished_name]["0."..name.name.."_min"]
- if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) and #values.value[name.name].value > 0 then
- values.value[name.name].errtxt = "Value too short"
+ local min = config[distinguished_name][name.."_min"]
+ if min and value.value and #value.value < tonumber(min) and #value.value > 0 then
+ value.errtxt = "Value too short"
success = false
end
- local max = config[distinguished_name][name.name.."_max"] or config[distinguished_name]["0."..name.name.."_max"]
- if max and values.value[name.name] and #values.value[name.name].value > tonumber(max) then
- values.value[name.name].errtxt = "Value too long"
+ local max = config[distinguished_name][name.."_max"]
+ if max and value.value and #value.value > tonumber(max) then
+ value.errtxt = "Value too long"
success = false
end
end
@@ -82,30 +74,44 @@ local validate_distinguished_names = function(values)
end
-- Write distinguished name defaults to config file
-local write_distinguished_names = function(values)
+local write_distinguished_names = function(values, ignorevalues)
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
local file = fs.read_file(configfile)
config = config or getopts.getoptsfromfile(file)
local distinguished_name = config.req.distinguished_name or ""
- for i,name in ipairs(distinguished_names) do
- wname = name.name.."_default"
- if config[distinguished_name]["0."..name.name] then
- wname = "0."..wname
- end
- if values.value[name.name] then
+ for name,value in pairs(values.value) do
+ if not reverseignore[name] then
+ local wname = name.."_default"
local a,b,c
- a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, values.value[name.name].value)
+ a,b,c, file = getopts.setoptsinfile(file, distinguished_name, wname, value.value)
end
end
fs.write_file(configfile, file)
config = getopts.getoptsfromfile(file)
end
-local create_subject_string = function(values)
+local create_subject_string = function(values, ignorevalues)
local outstr = {}
- for i,name in ipairs(distinguished_names) do
- if values.value[name.name].value ~= "" then
- outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value
+ local reverseignore = {}
+ for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
+ -- do the ones with short names first
+ local reverseshorts = {}
+ for name,short in pairs(short_names) do
+ reverseshorts[short] = name
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if (short_names[name] or reverseshorts[name]) and value.value and value.value ~= "" then
+ name = short_names[name] or name
+ outstr[#outstr + 1] = name .. "=" .. value.value
+ end
+ end
+ for name,value in pairs(values.value) do
+ name = name:gsub(".*%.", "")
+ if not reverseignore[name] and not short_names[name] and not reverseshorts[name] and value.value and value.value ~= "" then
+ outstr[#outstr + 1] = name .. "=" .. value.value
end
end
return "/"..table.concat(outstr, "/")
@@ -287,7 +293,7 @@ setreqdefaults = function(defaults)
if success then
getopts.setoptsinfile(configfile, "ca", "default_ca", defaults.value.certtype.value)
config = nil
- write_distinguished_names(defaults)
+ write_distinguished_names(defaults, {"certtype"})
end
if not success then
@@ -331,7 +337,7 @@ submitrequest = function(defaults, user)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -nodes -new -config "..configfile.." -keyout "..reqname..".pem -out "..reqname..".csr -subj '"..subject.."' 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
@@ -388,7 +394,7 @@ approverequest = function(request)
-- Add the serial number to the end of the cert file name
local serialpath = getconfigentry(certtype, "serial")
- local serialfile = fs.read_file(openssldir..serialpath)
+ local serialfile = fs.read_file(serialpath)
local serial = string.match(serialfile, "%x%x")
local certname = certdir..request.."."..serial
@@ -666,7 +672,7 @@ generateca = function(defaults)
if success then
-- Submit the request
- local subject = create_subject_string(defaults)
+ local subject = create_subject_string(defaults, {"days"})
local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl req -x509 -nodes -new -config "..configfile.." -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj '"..subject.."' -days "..defaults.value.days.value.." 2>&1"
local f = io.popen(cmd)
local cmdresult = f:read("*a")
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-18 15:41:00 +0000