From 4d6cd17677dc2da12763a2ac0788d838d0a02248 Mon Sep 17 00:00:00 2001 From: Ted Trask Date: Mon, 9 Jun 2008 20:49:11 +0000 Subject: Fixed download bug for logfiles and certificates. Several changes to openssl: Removed renew cert and download revoked cert from view, do not allow bad chars and handle blank entries in subject, changed file names to use hash of Common Name allowing use of more chars, check CA cert for expiration, and add CA certs to pfx. git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1213 ab2d0c66-481e-0410-8bed-d214d4d58bed --- openssl-html.lsp | 8 ++++---- openssl-model.lua | 57 +++++++++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 51 insertions(+), 14 deletions(-) diff --git a/openssl-html.lsp b/openssl-html.lsp index f2c65e6..c3d0c3b 100644 --- a/openssl-html.lsp +++ b/openssl-html.lsp @@ -83,11 +83,11 @@ end ?> - + - + @@ -122,9 +122,9 @@ end ?> - + - + diff --git a/openssl-model.lua b/openssl-model.lua index ff30867..2502c4a 100644 --- a/openssl-model.lua +++ b/openssl-model.lua @@ -44,6 +44,9 @@ local getdefaults = function() value=config[distinguished_name][name.name .. "_default"] or config[distinguished_name]["0."..name.name.."_default"] or "", descr=config[distinguished_name][name.name] or config[distinguished_name]["0."..name.name] }) + if defaults.value[name.name].value == "" and name.short then + defaults.value[name.name].value = config[distinguished_name][name.short .. "_default"] or "" + end end return defaults 
@@ -56,8 +59,14 @@ local validate_distinguished_names = function(values) local success = true for i, name in ipairs(distinguished_names) do + if string.find(values.value[name.name].value, "[,/'=]") then + values.value[name.name].errtxt = "Value cannot contain =/,'" + success = false + end + + -- check min, but empty is allowed local min = config[distinguished_name][name.name.."_min"] or config[distinguished_name]["0."..name.name.."_min"] - if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) then + if min and values.value[name.name] and #values.value[name.name].value < tonumber(min) and #values.value[name.name].value > 0 then values.value[name.name].errtxt = "Value too short" success = false end @@ -93,7 +102,9 @@ end local create_subject_string = function(values) local outstr = {} for i,name in ipairs(distinguished_names) do - outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value + if values.value[name.name].value ~= "" then + outstr[#outstr + 1] = (name.short or name.name) .. "=" .. values.value[name.name].value + end end return "/"..table.concat(outstr, "/") end @@ -190,6 +201,19 @@ local checkfile = function(name, path, default) return errtxt, cmdline end +local hashname = function(name) + local hash = {name:byte(1,-1)} + return table.concat(hash, "-") +end + +local unhashname = function(hashstring) + local hash = {} + for char in string.gmatch(hashstring, "([^-]+)-*") do + hash[#hash+1] = char + end + return string.char(unpack(hash)) +end + getstatus = function() require("processinfo") -- set the working directory once for model 
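Review bot: The new character check dereferences `values.value[name.name].value` without the `values.value[name.name] and` guard that the min-length test just below it keeps, so a field missing from the submitted table now raises an index error instead of producing a validation message. The check is also a denylist: `,/'=` are rejected, but `\` and `+`, which openssl's `-subj` parser treats as escape and multi-value separators, pass through, as does any shell metacharacter the command that consumes create_subject_string's output does not quote away (that command is not visible here, so treat that part as an assumption to confirm). An allowlist is the safer shape, e.g. `if values.value[name.name] and not string.find(values.value[name.name].value, "^[%w%s%.%-_@]*$") then`, with the error text updated to name the permitted set. validate_distinguished_names ends outside this hunk.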
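Review bot: When every field is blank the loop adds nothing and the function returns the bare `/`, and because validation now accepts empty values that degenerate subject is reachable from the form. A guard before the return such as `if #outstr == 0 then return nil end` lets submitrequest refuse the request rather than hand openssl an empty subject; whether the caller checks the return is not visible here, so that would need a matching change there. Since this function does no escaping of its own, a one-line comment would keep it honest: `-- values are assumed pre-validated by validate_distinguished_names (no '/', '=', ',' or quote characters)`.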
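Review bot: `hashname` is not a hash but a reversible byte encoding ("ab" becomes "97-98"), so the name promises collision resistance and one-wayness it does not have; `encodename`/`decodename` describe what it does. The encoding roughly triples the length: a 64-byte Common Name (the X.509 upper bound) yields up to 255 characters before the `user.certtype.` prefix and the `.csr`/`.pfx` suffix are added, which exceeds the 255-byte per-component limit of common Linux filesystems — whether a shorter CN limit is enforced elsewhere I cannot see from this hunk. `unhashname` is fed segments parsed from `find` output, so any stray file in the directory whose name is not digit-dash form makes `string.char` raise and aborts the whole listing; a guard like `local n = tonumber(char); if not n or n < 0 or n > 255 then return nil end` keeps listing tolerant of such files. On the positive side the encoded form consists only of digits and dashes, so a CN can no longer inject `.` separators or path components into the request filename.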
@@ -221,6 +245,18 @@ getstatus = function() local f = io.popen(cmd) cacertcontents.value = f:read("*a") f:close() + local enddate = string.match(cacertcontents.value, "Not After : (.*)") + local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)") + + local reversemonth = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12} + local time = os.time({year=year, month=reversemonth[month], day=day}) + if os.time() > time then + time = 0 + cacert.errtxt="Certificate expired" + else + time = (time-os.time())/86400 + end + cacert.daysremaining=time end cakey.value = getconfigentry(config.ca.default_ca, "private_key") if not fs.is_file(cakey.value) then @@ -285,7 +321,7 @@ submitrequest = function(defaults, user) success = false end - local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..defaults.value.commonName.value + local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value) if fs.is_file(reqname..".csr") then defaults.errtxt = "Failed to submit request\nRequest already exists" success = false @@ -311,7 +347,7 @@ submitrequest = function(defaults, user) end end - if not success then + if not success and not defaults.errtxt then defaults.errtxt = "Failed to submit request" end @@ -321,11 +357,11 @@ end listrequests = function(user) user = user or "*" local list={} - local fh = io.popen('find ' .. requestdir .. ' -name "'..user..'.*.csr" -maxdepth 1') + local fh = io.popen("find " .. requestdir .. " -name "..user..".*.csr -maxdepth 1") for x in fh:lines() do local name = basename(x,".csr") local a,b,c = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*)") - list[#list + 1] = {name=name, user=a, certtype=b, commonName=c} + list[#list + 1] = {name=name, user=a, certtype=b, commonName=unhashname(c)} end return cfe({ type="list", value=list, label="List of pending requests" }) end 
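Review bot: `string.match(enddate, ...)` runs on a nil `enddate` whenever the `openssl x509` output contains no `Not After :` line (command failure, unreadable file, unexpected output format), and that raises inside getstatus instead of reporting a bad CA certificate. Wrap the parse in `if enddate then ... end` and set `cacert.errtxt` when the line is absent; the same date-to-days arithmetic already exists in listcerts, so a shared local helper would keep the two in step. Note also that `os.time{...}` interprets the parsed date as local time while openssl prints GMT, so the expiry flag can be up to a day off — acceptable for a status page, but worth a comment such as `-- enddate is GMT, os.time treats it as local: tolerance of one day`. getstatus begins before and ends after this hunk.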
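Review bot: Encoding the Common Name fixes the CN component of `reqname`, but `user` and `defaults.value.certtype.value` are still concatenated raw into the path and into the dot-separated name that listrequests later splits on `.`; if either can carry a `.`, `/` or shell-significant character from the request, it reaches the filesystem and the later `find` command unchanged. Where certtype is chosen is not visible in this hunk, so this is a hedge: validate it against the configured section names and `user` against `^[%w_%-]+$` before building the name, or run both through the same encoding as the CN. submitrequest continues outside the hunk on both sides.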
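Review bot: Dropping the double quotes from the `-name` argument leaves `user.*.csr` unquoted in the shell, so the `*` is now a shell glob expanded in the process's working directory before `find` sees it — when nothing matches the pattern is passed through literally, which is presumably why this still works, but a matching file in the cwd would turn into extra arguments and break the command. `user` is likewise interpolated into the command line with no quoting at all, where the old form at least kept it inside double quotes. Keep the pattern single-quoted and reject unexpected characters first, e.g. `io.popen("find " .. requestdir .. " -maxdepth 1 -name '" .. user .. ".*.csr'")` after checking `user` against `^[%w_%-*]+$`; the same applies to listcerts. The function also never calls `fh:close()`, unlike listcerts, so the popen handle leaks on every call.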
@@ -359,11 +395,12 @@ approverequest = function(request) local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() - + -- If certificate created, create the wrapped up pkcs12 local filestats = posix.stat(certname..".crt") if filestats and filestats.size > 0 then - cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -export -inkey "..path..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..path..".pwd 2>&1" + -- We're wrapping up the key, the cert, and the CA cert (and whatever came with it) + cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl pkcs12 -export -inkey "..path..".pem -in "..certname..".crt -out "..certname..".pfx -passout file:"..path..".pwd -certfile "..getconfigentry(certtype, "certificate").." 2>&1" f = io.popen(cmd) local newcmdresult = f:read("*a") f:close() @@ -406,7 +443,7 @@ end listcerts = function(user) user = user or "*" local list={} - local fh = io.popen('find ' .. certdir .. ' -name "'..user..'.*.pfx" -maxdepth 1') + local fh = io.popen("find " .. certdir .. " -name "..user..".*.pfx -maxdepth 1") for x in fh:lines() do local name = basename(x,".pfx") local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)") @@ -424,7 +461,7 @@ listcerts = function(user) else time = (time-os.time())/86400 end - list[#list + 1] = {name=name, user=a, certtype=b, commonName=c, serial=d, enddate=enddate, daysremaining=time} + list[#list + 1] = {name=name, user=a, certtype=b, commonName=unhashname(c), serial=d, enddate=enddate, daysremaining=time} end fh:close() return cfe({ type="list", value=list, label="List of approved certificates" }) -- cgit v1.2.3
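Review bot: `getconfigentry(certtype, "certificate")` is concatenated into the pkcs12 command with no nil check, so a config section lacking a `certificate` entry becomes a Lua "attempt to concatenate a nil value" error rather than a message in `cmdresult`; read it into a local and bail out cleanly, `local cafile = getconfigentry(certtype, "certificate"); if not cafile then cmdresult.errtxt = "CA certificate not configured" return ... end`. The comment's "and whatever came with it" is the security-relevant part: `-certfile` bundles that file verbatim into the requester's .pfx, so if the path ever points at a combined cert-plus-key PEM the CA private key ships to the user — pin that in a comment (`-- certfile must hold certificates only; never a combined key+cert PEM`) or check the file for a `PRIVATE KEY` block before use. approverequest starts before this hunk.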
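Review bot: The `-name` pattern here lost its quotes in the same way as in listrequests, so `user.*.pfx` is shell-globbed in the working directory before find runs and `user` enters the command unquoted; restore the single quotes around the pattern, `" -maxdepth 1 -name '" .. user .. ".*.pfx'"`, and validate `user` against `^[%w_%-*]+$` before interpolating it. listcerts continues past this hunk.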