From 5099733a041f8b625353c0563e09d092d69d7a57 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Thu, 22 May 2008 21:04:40 +0000
Subject: Added revoking support to openssl
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1178 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 openssl-controller.lua | 9 ++++--
 openssl-html.lsp | 82 ++++++++++++++++++++++++++++++++++----------------
 openssl-model.lua | 44 +++++++++++++++++++++++++--
 3 files changed, 105 insertions(+), 30 deletions(-)
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 64dd307..59918c1 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -26,7 +26,7 @@ readall = function(self)
 self.sessiondata.cmdresult = nil
 local pending = self.model.listrequests()
 local approved = self.model.listcerts()
- local revoked = nil
+ local revoked = self.model.listrevoked()
 local result = cfe({ type="list", value={cmdresult=cmdresult, pending=pending, approved=approved, revoked=revoked} })
 return result
 end
@@ -38,7 +38,7 @@ read = function(self)
 local user = cfe({ value=self.sessiondata.userinfo.userid, label="User Name" })
 local pending = self.model.listrequests(self.sessiondata.userinfo.userid)
 local approved = self.model.listcerts(self.sessiondata.userinfo.userid)
- local revoked = nil
+ local revoked = self.model.listrevoked()
 local result = cfe({ type="list", value={cmdresult=cmdresult, user=user, pending=pending, approved=approved, revoked=revoked} })
 return result
 end
@@ -117,6 +117,9 @@ end
 -- Revoke the specified cert
 revoke = function(self)
+ local cmdresult = self.model.revokecert(self.clientdata.cert)
+ self.sessiondata.cmdresult = cmdresult
+ redirect_to_referrer(self)
 end
 -- Delete the specified certificate
@@ -128,6 +131,8 @@ end
 -- Get the revoked list
 getrevoked = function(self)
+ self.conf.viewtype="stream"
+ return self.model.getcrl(self.clientdata.crltype)
 end
 -- Put the CA cert
diff --git a/openssl-html.lsp b/openssl-html.lsp
index 192f7ce..9c61259 100644
--- a/openssl-html.lsp
+++ b/openssl-html.lsp
@@ -7,7 +7,7 @@ io.write(html.cfe_unpack(view))

Command Result

- +") ?>
@@ -42,6 +42,13 @@ io.write(html.cfe_unpack(view)) + +

Approved certificate requests for

No certificates approved @@ -54,36 +61,59 @@ io.write(html.cfe_unpack(view)) Common Name Serial Num - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - +

Revoked certificates for

No certificates revoked -') - end -end ?> + + + + + + + + + + + + + + + + + +
UserCert TypeCommon NameSerial Num
+ + + +

Get revoked list (crl)

+
+
+
+
diff --git a/openssl-model.lua b/openssl-model.lua
index fa844fe..ef2218e 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -317,7 +317,6 @@ approverequest = function(request)
 -- Now, sign the certificate
 local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -in "..path..".csr -out "..certname..".crt -name "..certtype.." -batch 2>&1"
-APP.logevent(cmd)
 local f = io.popen(cmd)
 cmdresult.value = f:read("*a")
 f:close()
@@ -357,6 +356,7 @@ listcerts = function(user)
 local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
 list[#list + 1] = {name=name, user=a, certtype=b, commonName=c, serial=d}
 end
+ fh:close()
 return cfe({ type="list", value=list, label="List of approved certificates" })
 end
@@ -368,10 +368,17 @@ end
 getcert = function(cert)
 local f = fs.read_file(certdir..cert..".pfx")
- return cfe({ type="raw", value=f, label=cert..".pfx" })
+ return cfe({ type="raw", value=f, label=cert..".pfx", option="application/x-pkcs12" })
+ --return cfe({ type="raw", value=f, label=cert..".pfx" })
 end
 revokecert = function(cert)
+ local cmdresult = cfe({ label="Revoke result" })
+ local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -revoke "..certdir .. cert..".crt -batch 2>&1"
+ local f = io.popen(cmd)
+ cmdresult.value = f:read("*a")
+ f:close()
+ return cmdresult
 end
 deletecert = function(cert)
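Review bot: `revokecert` in the @@ -368 hunk splices `cert` straight into the `openssl ca -revoke` command string that `io.popen` hands to a shell, and the controller's `revoke` (openssl-controller.lua, @@ -117) passes it `self.clientdata.cert` with no validation, so a crafted value can change the command line or make `certdir .. cert..".crt"` resolve outside `certdir`. Reject anything that is not a plain certificate file name before building the command, e.g. `if not string.match(cert, "^[%w%._%-]+$") then cmdresult.value = "Invalid certificate name"; return cmdresult end` — the names produced by `listcerts` in the @@ -357 hunk are dot-separated tokens, so that pattern should accept every legitimate value, but confirm against the naming used when certificates are written. The same concatenation pattern already exists in `approverequest` above (history, not part of this change), and a shared validator would cover both. The commented-out `--return cfe({ type="raw", value=f, label=cert..".pfx" })` left in `getcert` should be dropped rather than kept as dead code. `approverequest` and `deletecert` both extend outside their hunks.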
@@ -382,6 +389,39 @@ deletecert = function(cert)
 return cfe({ value="Certificate deleted", label="Delete result" })
 end
+listrevoked = function()
+ config = config or getopts.getoptsfromfile(configfile)
+ local databasepath = getconfigpath(config.ca.default_ca, "database")
+ local revoked = {}
+ local database = fs.read_file_as_array(databasepath)
+ for x,line in ipairs(database) do
+ if string.sub(line,1,1) == "R" then
+ revoked[#revoked + 1] = string.match(line, "^%S+%s+%S+%s+%S+%s+(%S+)")
+ end
+ end
+ return cfe({ type="list", value=revoked, label="Revoked serial numbers" })
+end
+
+getcrl = function(crltype)
+ local crlfile = cfe({ type="raw", label="Revoke list", option="application/pkix-crl" })
+ local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
+ local f = io.popen(cmd)
+ f:close()
+ local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
+ local f = io.popen(cmd)
+ f:close()
+ if crltype == "DER" then
+ crlfile.label = "ca-der-crl.crl"
+ crlfile.value = fs.read_file(crlfile.label)
+ elseif crltype == "PEM" then
+ crlfile.label = "ca-crl.crl"
+ crlfile.value = fs.read_file(crlfile.label)
+ else
+ crlfile.value = fs.read_file("ca-crl.crl")
+ end
+ return crlfile
+end
+
 -- FIXME this won't work because haserl doesn't support file upload. Untested and unfinished
 putca = function(file, pword, set)
 local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' })
-- cgit v1.2.3
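Review bot: `getcrl` writes both CRL files under `openssldir` but reads them back by bare file name (`fs.read_file(crlfile.label)` in the DER and PEM branches, `fs.read_file("ca-crl.crl")` in the else branch), so the served CRL depends on the process's working directory and will be empty whenever that is not `openssldir`; the else branch also leaves the label at "Revoke list" instead of a file name. Use the same prefix on all three reads: `crlfile.value = fs.read_file(openssldir..crlfile.label)` in the two named branches and `crlfile.label = "ca-crl.crl"; crlfile.value = fs.read_file(openssldir..crlfile.label)` in the else branch. Both `io.popen` calls discard openssl's output, so a failed `-gencrl` (for example a bad config or a missing `index.txt`) silently serves a stale or missing CRL — capture `f:read("*a")` as `revokecert` does and report it when the file could not be read, and drop the duplicate `local cmd` / `local f` declarations that shadow each other. In `listrevoked`, `config = config or ...` assigns a global unless `config` is declared `local` earlier in the file (outside this hunk); if it is not, luacheck will flag it and it should be made local.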