path: root/openssl-model.lua

module(..., package.seeall)

require("posix")
require("modelfunctions")
fs = require("acf.fs")
format = require("acf.format")
validator = require("acf.validator")

-- There are two options of how to allow users to specify the type of certificate they want - the request extensions
-- and the ca signing extensions.  We have opted for making all requests look the same (same extensions) and defining
-- different ca sections for the different types of certificates.  The ca section to use when signing the request is
-- actually stored in the request filename.  The request filename is in the following format: 
-- 	'username'.'ca section name'.'common name'.csr

local packagename = "openssl"
--local configfile = "/etc/ssl/openssl.cnf"
local configfile = "/etc/ssl/openssl-ca-acf.cnf"
local requestdir = "/etc/ssl/req/"
local certdir = "/etc/ssl/cert/"
local openssldir = "/etc/ssl/"
local path = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin "

-- Save the config in a variable so isn't loaded each and every time needed
local config = nil

-- list of request entries that can be edited
local short_names = { countryName="C", stateOrProvinceName="ST", localityName="L", organizationName="O", organizationalUnitName="OU", commonName="CN" }

-- list of entries that may be found in cert extensions section
local extensions = { "basicConstraints", "nsCertType", "nsComment", "keyUsage", "subjectKeyIdentifier",
			"authorityKeyIdentifier", "subjectAltName", "issuerAltName" }
-- list of entries that must be found in ca section (used to define our certificate types)
local ca_mandatory_entries = { "new_certs_dir", "certificate", "private_key", "default_md", "database", "serial", "policy", "default_days" }

-- Create a cfe with the distinguished name defaults
local getdefaults = function()
	local defaults = cfe({ type="group", value={} })
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local distinguished_name = config.req.distinguished_name or ""

	-- Get the distinguished name defaults
	for name,value in pairs(config[distinguished_name]) do
		if nil == string.find(name, "_") then
			defaults.value[name] = cfe({ label=value,
			value=config[distinguished_name][name .. "_default"] or "" })
		end
	end

	return defaults
end

-- Validate the values of distinguished names using the min/max found in the config file
local validate_distinguished_names = function(values)
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local distinguished_name = config.req.distinguished_name or ""
	local success = true

	for name,value in pairs(values.value) do
		if string.find(value.value, "[#]") then
			value.errtxt = "Value cannot contain #"
			success = false
		end

		-- check min, but empty is allowed
		local min = config[distinguished_name][name.."_min"]
		if min and value.value and #value.value < tonumber(min) and #value.value > 0 then
			value.errtxt = "Value too short"
			success = false
		end
		local max = config[distinguished_name][name.."_max"]
		if max and value.value and #value.value > tonumber(max) then
			value.errtxt = "Value too long"
			success = false
		end
	end
	return success, values
end

-- Write distinguished name defaults to config file
local write_distinguished_names = function(file, values, ignorevalues)
	local reverseignore = {}
	for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
	config = config or format.parse_ini_file(file)
	local distinguished_name = config.req.distinguished_name or ""

	for name,value in pairs(values.value) do
		if not reverseignore[name] then
			local wname = name.."_default"
			file = format.update_ini_file(file, distinguished_name, wname, value.value)
		end
	end
	config = nil
	return file
end

local create_subject_string = function(values, ignorevalues)
	local outstr = {}
	local reverseignore = {}
	for i,value in ipairs(ignorevalues) do reverseignore[value]=i end
	-- do the ones with short names first
	local reverseshorts = {}
	for name,short in pairs(short_names) do
		reverseshorts[short] = name
	end
	for name,value in pairs(values.value) do
		name = name:gsub(".*%.", "")	-- remove the "0." from the front
		if (short_names[name] or reverseshorts[name]) and value.value and value.value ~= "" then
			name = short_names[name] or name
			-- escape characters
			outstr[#outstr + 1] = name .. "=" .. format.escapespecialcharacters(value.value):gsub("[=]", "\\%1")
		end
	end
	-- now do the ones with no short names (and not ignored)
	for name,value in pairs(values.value) do
		name = name:gsub(".*%.", "")	-- remove the "0." from the front
		if not reverseignore[name] and not short_names[name] and not reverseshorts[name] and value.value and value.value ~= "" then
			-- escape characters
			outstr[#outstr + 1] = format.escapespecialcharacters(name) .. "=" .. format.escapespecialcharacters(value.value):gsub("[=]", "\\%1")
		end
	end
	return "/"..table.concat(outstr, "/")
end

local getconfigentry = function(section, value)
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local result = config[section][value] or config[""][value] or ""
	while string.find(result, "%$[%w_]+") do
		local sub = string.match(result, "%$[%w_]+")
		result = string.gsub(result, sub, config[section][string.sub(sub,2)] or config[""][string.sub(sub,2)] or "")
	end
	return result
end

-- Find the sections of the config file that define ca's (ca -name option)
local find_ca_sections = function()
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local cert_types = {}

	for section in pairs(config) do
		local success = true
		for i,entry in ipairs(ca_mandatory_entries) do
			if getconfigentry(section,entry) == "" then
				success = false
				break
			end
		end
		if success then
			cert_types[#cert_types + 1] = section
		end
	end

	return cert_types
end

local validate_request = function(defaults, noextensionsections)
	local success
	success, defaults = validate_distinguished_names(defaults)

	if defaults.value.certtype then
		local foundcert=false
		for i,cert in ipairs(defaults.value.certtype.option) do
			if defaults.value.certtype.value == cert then
				foundcert=true
				break
			end
		end
		if not foundcert then
			success = false
			defaults.value.certtype.errtxt = "Invalid certificate type"
		end
	end

	if defaults.value.extensions then
		config = config or format.parse_ini_file(fs.read_file(configfile) or "")
		local extensions = format.parse_ini_file(defaults.value.extensions.value)
		for name,value in pairs(extensions or {}) do
			if name ~= "" and noextensionsections then
				defaults.value.extensions.errtxt = "Cannot contain sections"
				success = false
			elseif name ~= "" and config[name] then
				defaults.value.extensions.errtxt = "Duplicate section name"
				success = false
			end
		end
	end

	return success, defaults
end

local copyca = function(cacert, cakey)
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local certpath = getconfigentry(config.ca.default_ca, "certificate")
	fs.move_file(cacert, certpath)
	local keypath = getconfigentry(config.ca.default_ca, "private_key")
	fs.move_file(cakey, keypath)
end

local checkdir = function(name, dirpath)
	local errtxt, cmdline
	local filestats = posix.stat(dirpath, "type")
	if not filestats or filestats == "" then
		errtxt = name.." does not exist"
		cmdline = function() fs.create_directory(dirpath) end
	elseif filestats ~= "directory" then
		errtxt = "UNRECOVERABLE - "..name.." not a directory"
	end
	return errtxt, cmdline
end

local checkfile = function(name, filepath, default)
	local errtxt, cmdline
	local filestats = posix.stat(filepath, "type")
	if not filestats or filestats == "" then
		errtxt = name.." does not exist"
		if default then
			cmdline = function() fs.write_file(filepath, default) end
		else
			cmdline = function() fs.create_file(filepath) end
		end
	elseif filestats ~= "regular" then
		errtxt = "UNRECOVERABLE - "..name.." not a file"
	end
	return errtxt, cmdline
end

local hashname = function(name)
	local hash = {name:byte(1,-1)}
	-- no longer returning '-' separated decimal, but 2 char hex
	--return table.concat(hash, "-")
	for i,val in ipairs(hash) do hash[i] = string.format("%02X", val) end
	return table.concat(hash)
end

local unhashname = function(hashstring)
	local hash = {}
	-- this is to be backward compatible with '-' separated decimal
	if string.find(hashstring, "-") then
		for char in string.gmatch(hashstring, "([^-]+)-*") do
			hash[#hash+1] = char
		end
	else
		for char in string.gmatch(hashstring, "%x%x") do
			hash[#hash+1] = tonumber(char, 16)
		end
	end
	return string.char(unpack(hash))
end

getstatus = function()
	processinfo = require("acf.processinfo")
	-- set the working directory once for model
	posix.chdir(openssldir)
	local value,errtxt=processinfo.package_version(packagename)
	local version = cfe({ value=value, errtxt=errtxt, label="Program version", name=packagename })
	local conffile = cfe({ value=configfile, label="Configuration file" })
	local cacert = cfe({ label="CA Certificate" })
	local cacertcontents = cfe({ type="longtext", label="CA Certificate contents" })
	local cakey = cfe({ label="CA Key" })
	if not fs.is_file(configfile) then
		conffile.errtxt="File not found"
		cacert.errtxt="File not defined"
		cacertcontents.errtxt=""
		cakey.errtxt="File not defined"
	else
		config = config or format.parse_ini_file(fs.read_file(configfile) or "")
		if (not config) or (not config.ca) or (not config.ca.default_ca) then
			conffile.errtxt="Invalid config file"
			cacert.errtxt="File not defined"
			cacertcontents.errtxt=""
			cakey.errtxt="File not defined"
		else
			cacert.value = getconfigentry(config.ca.default_ca, "certificate")
			if not fs.is_file(cacert.value) then
				cacert.errtxt="File not found"
			else
				local cmd = path .. "openssl x509 -in "..format.escapespecialcharacters(cacert.value).." -noout -text"
				local f = io.popen(cmd)
				cacertcontents.value = f:read("*a")
				f:close()
				local enddate = string.match(cacertcontents.value, "Not After : (.*)")
				local month, day, year = string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)")

				local reversemonth = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}
				local time = os.time({year=year, month=reversemonth[month], day=day})
				if os.time() > time then
					time = 0
					cacert.errtxt="Certificate expired"
				else
					time = (time-os.time())/86400
				end
				cacert.daysremaining=time
			end
			cakey.value = getconfigentry(config.ca.default_ca, "private_key")
			if not fs.is_file(cakey.value) then
				cakey.errtxt="File not found"
			end
		end
	end
	local environment = checkenvironment()
	return cfe({ type="group", value={version=version, conffile=conffile, environment=environment, cacert=cacert, cacertcontents=cacertcontents, cakey=cakey}, label="openssl status" })
end

set_umask = function()
	return posix.umask("rw-------")
end


getreqdefaults = function()
	local defaults = getdefaults()

	 --Add in the encryption bit default
         local encryption = config.req.default_bits
         defaults.value.encryption = cfe({ type="select", label="Encryption Bits", value=encryption, option={"2048", "4096"} })

         -- Add in the default days
         local validdays = getconfigentry(config.ca.default_ca, "default_days")
         defaults.value.validdays = cfe({ type="text", label="Period of Validity (Days)", value=validdays, descr="Number of days this certificate is valid for" })

	-- Add in the ca type default
	defaults.value.certtype = cfe({ type="select", label="Certificate Type", 
		value=config.ca.default_ca, option=find_ca_sections() })
	-- Add in the extensions
	local extensions = ""
	local content = fs.read_file(configfile) or ""
	config = config or format.parse_ini_file(content)
	if config.req.req_extensions then
		extensions = format.get_ini_section(content, config.req.req_extensions)
	end
	defaults.value.extensions = cfe({ type="longtext", label="Additional x509 Extensions", value=extensions, descr="These extensions can be overridden by the Certificate Type" })

	return defaults
end

setreqdefaults = function(self, defaults)
	local success, defaults = validate_request(defaults, true)

	-- If success, write the values to the config file
	if success then
		local fileval = fs.read_file(configfile) or ""
		config = config or format.parse_ini_file(fileval)
		local ext_section
		if not config.req or not config.req.req_extensions then
			ext_section = "v3_req"
			while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
			fileval = format.update_ini_file(fileval, "req", "req_extensions", ext_section)
		else
			ext_section = config.req.req_extensions
		end
		config = nil
		fileval = format.update_ini_file(fileval,"","default_days",defaults.value.validdays.value)
		fileval = format.set_ini_section(fileval, ext_section, format.dostounix(defaults.value.extensions.value))
		fileval = format.update_ini_file(fileval, "ca", "default_ca", defaults.value.certtype.value)
		fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions", "validdays"})
		fs.write_file(configfile, fileval)
	end

	if not success then
		defaults.errtxt = "Failed to set defaults"
	end

	return defaults
end

getnewrequest = function()
	local values = getreqdefaults()
	-- In addition to the request defaults, we need a password and confirmation
	values.value.password = cfe({ label="Password" })
	values.value.password_confirm = cfe({ label="Password confirmation" })
	return values
end

submitrequest = function(defaults, user)
	local success, defaults = validate_request(defaults)

	-- Must have a common name
	if #defaults.value.commonName.value == 0 then
		defaults.value.commonName.errtxt = "Common Name cannot be blank"
		success = false
	end
	-- Check validity of password
	if #defaults.value.password.value < 4 then
		defaults.value.password.errtxt = "Password too short"
		success = false
	end
	if defaults.value.password.value ~= defaults.value.password_confirm.value then
		defaults.value.password_confirm.errtxt = "You entered wrong password/confirmation"
		success = false
	end

	local reqname = requestdir..user.."."..defaults.value.certtype.value.."."..hashname(defaults.value.commonName.value)
	if fs.is_file(reqname..".csr") then
		defaults.errtxt = "Failed to submit request\nRequest already exists"
		success = false
	end
	
	if not tonumber(defaults.value.validdays.value) then
		defaults.value.validdays.errtxt = "Period of Validity is not a number"
		success = false
	end

	if success then
		-- Submit the request
		local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"})

		-- Generate a temp config file for this request
		local fileval = fs.read_file(configfile) or ""
		config = config or format.parse_ini_file(fileval)
		local ext_section = "v3_req"
		while config[ext_section] do ext_section = "v3_req_"..tostring(os.time()) end
		local content = format.dostounix(defaults.value.extensions.value)
		-- Override with the extensions for this cert type
		if config[defaults.value.certtype.value].x509_extensions then
			local temp = config[defaults.value.certtype.value].x509_extensions
			for name,value in pairs(config[temp] or {}) do
				if not string.find(value, "issuer") then
					content = format.update_ini_file(content, "", name, value)
				end
			end
		end
	
		fileval = format.update_ini_file(fileval, "req","default_bits",defaults.value.encryption.value)
		fileval = format.update_ini_file(fileval, "","default_days",defaults.value.validdays.value)	
		fileval = format.set_ini_section(fileval, ext_section, content)
		fileval = format.update_ini_file(fileval, "req", "req_extensions", ext_section)
		fs.write_file(reqname..".cfg", fileval)
		
		local cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1'
		local f = io.popen(cmd)
		local cmdresult = f:read("*a")
		f:close()
		defaults.descr = cmdresult
		local certfilestats = posix.stat(reqname..".csr")
		local keyfilestats = posix.stat(reqname..".pem")
		if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
			success = false
			os.remove(reqname..".cfg")
			os.remove(reqname..".csr")
			os.remove(reqname..".pem")
		else
			fs.write_file(reqname..".pwd", defaults.value.password.value)
			fs.write_file(reqname..".sbj", subject)
		end
	end

	if not success and not defaults.errtxt then
		defaults.errtxt = "Failed to submit request"
	end

	return defaults
end

listrequests = function(user)
	user = user or "*"
	local list={}
	local files = posix.glob(requestdir..user..".*\\.csr") or {}
	for i,x in ipairs(files) do
		local name = string.gsub(posix.basename(x), ".csr$", "")
		local a,b,c = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*)")
		list[#list + 1] = {name=name, user=a, certtype=b, commonName=unhashname(c)}
	end
	return cfe({ type="list", value=list, label="List of pending requests" })
end

viewrequest = function(request)
	local reqpath = requestdir .. request
	local cmd = path .. "openssl req -in "..format.escapespecialcharacters(reqpath)..".csr -text -noout"
	local f = io.popen(cmd)
	local cmdresult = f:read("*a")
	f:close()
	local a,b,c = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")
	local request = cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, value=cmdresult}, label="Request" })
	return request
end

approverequest = function(request)
	local cmdresult = cfe({ value="Failed to approve request", label="Approve result" })
	local reqpath = requestdir .. request
	if fs.is_file(reqpath..".csr") then
		-- Request file exists, so try to sign
		local user,certtype,commonName = string.match(request, "([^%.]*)%.([^%.]*)%.([^%.]*)")

		-- Add the serial number to the end of the cert file name
		local serialpath = getconfigentry(certtype, "serial")
		local serialfile = fs.read_file(serialpath) or ""
		local serial = string.match(serialfile, "%x+")
		local certname = certdir..request.."."..serial
		
		-- Now, sign the certificate
		local cmd = path .. "openssl ca -config "..format.escapespecialcharacters(reqpath)..".cfg -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1"
		local f = io.popen(cmd)
		cmdresult.value = f:read("*a")
		f:close()

		-- If certificate created, create the wrapped up pkcs12
		local filestats = posix.stat(certname..".crt")
		if filestats and filestats.size > 0 then
			-- We're wrapping up the key, the cert, and the CA cert (and whatever came with it)
			cmd = path .. "openssl pkcs12 -export -inkey "..format.escapespecialcharacters(reqpath)..".pem -in "..format.escapespecialcharacters(certname)..".crt -out "..format.escapespecialcharacters(certname)..".pfx -passout file:"..format.escapespecialcharacters(reqpath)..".pwd -certfile "..format.escapespecialcharacters(getconfigentry(certtype, "certificate")).." 2>&1"
			f = io.popen(cmd)
			local newcmdresult = f:read("*a")
			f:close()
			cmdresult.value = cmdresult.value .. newcmdresult
		end

		-- Finally, remove the request
		filestats = posix.stat(certname..".pfx")
		if filestats and filestats.size > 0 then
			fs.move_file(reqpath..".pwd", certname..".pwd")
			fs.move_file(reqpath..".sbj", certname..".sbj")
			fs.move_file(reqpath..".pem", certname..".pem")
			fs.move_file(reqpath..".cfg", certname..".cfg")
			os.remove(reqpath..".csr")
		else
			-- or failed, remove the cert
			os.remove(certname..".crt")
			os.remove(certname..".pfx")
		end
	end
	return cmdresult
end

deleterequest = function(request, user)
	user = user or ".*"
	if (not fs.is_file(requestdir..request..".csr")) or (not string.find(request, "^"..user.."%.")) then
		return cfe({ value="Request not found", label="Delete result" })
	end
	local reqpath = requestdir..request
	os.remove(reqpath..".pwd")
	os.remove(reqpath..".sbj")
	os.remove(reqpath..".pem")
	os.remove(reqpath..".cfg")
	os.remove(reqpath..".csr")
	return cfe({ value="Request deleted", label="Delete result" })
end

listcerts = function(user)
	user = user or "*"
	local list={}
	local files = posix.glob(certdir..user..".*\\.pfx") or {}
	-- Do this in two steps - saves forking openssl for each cert, which
	-- speeds things up noticably for > 100 certs
	local crtlist = "cat <<-EOF | openssl\n"
	local crttab = {}
	for i,x in ipairs(files) do
		local name = string.gsub(posix.basename(x), ".pfx$", "")
		local a,b,c,d = string.match(name, 
			"([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
		list[#list + 1] = {name=name, user=a, certtype=b, 
			commonName=unhashname(c), serial=d, enddate=enddate, 
			daysremaining=time}
		crtlist = crtlist .. "x509 -in " .. 
			certdir..format.escapespecialcharacters(name) .. 
			".crt -noout -enddate\n"
	end
	crtlist = crtlist .. "EOF\n"

	local fh=io.popen(crtlist)

	for i,x in ipairs(files) do
		local enddate = fh:read("*l") or "notAfter=Jan 1 00:00:01 1970 GMT"
		enddate = string.match(enddate, "notAfter=(.*)")
		local month, day, year = 
			string.match(enddate, "(%a+)%s+(%d+)%s+%S+%s+(%d+)")
		
		local reversemonth = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,
					Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}
		local time = os.time({year=year, month=reversemonth[month], day=day})
		if os.time() > time then
			time = 0
		else
			time = (time-os.time())/86400
		end
		list[i].enddate = enddate
		list[i].daysremaining = time
	end

	fh:close()	
	
	return cfe({ type="list", value=list, label="List of approved certificates" })
end

viewcert = function(cert)
	local cmd = path .. "openssl x509 -in "..certdir..format.escapespecialcharacters(cert)..".crt -noout -text"
	local f = io.popen(cmd)
	local cmdresult = f:read("*a")
	f:close()
	local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
	return cfe({ type="table", value={name=name, user=a, certtype=b, commonName=c, serial=d, value=cmdresult}, label="Certificate" })
end

getcert = function(cert)
	local f = fs.read_file(certdir..cert..".pfx") or ""
	local a,b,c,d = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
	c = string.gsub(unhashname(c), "[^%w_-]", "")
	return cfe({ type="raw", value=f, label=c..".pfx", option="application/x-pkcs12" })
end

revokecert = function(cert)
	local cmdresult = cfe({ label="Revoke result" })
	local cmd = path .. "openssl ca -config "..configfile.." -revoke "..certdir .. format.escapespecialcharacters(cert)..".crt -batch 2>&1"
	local f = io.popen(cmd)
	cmdresult.value = f:read("*a")
	f:close()
	return cmdresult
end

deletecert = function(cert)
	-- The certificate will still be in the ca directories and index.txt, just not available for web interface
	local certname = certdir..cert
	os.remove(certname..".cfg")
	os.remove(certname..".crt")
	os.remove(certname..".pem")
	os.remove(certname..".pfx")
	os.remove(certname..".pwd")
	os.remove(certname..".sbj")
	return cfe({ value="Certificate deleted", label="Delete result" })
end

renewcert = function(cert, approve)
	local cmdresult = ""
	local success = true
	local user,certtype,commonName,serialnum = string.match(cert, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
	local reqname = requestdir..user.."."..certtype.."."..commonName
	if fs.is_file(reqname..".csr") then
		cmdresult = "Failed to submit request\nRequest already exists"
		success = false
	end

	if success then
		-- Submit the request
		-- First, put the subject, config file and password in place
		local certname = certdir..cert
		fs.copy_file(certname..".pwd", reqname..".pwd")
		fs.copy_file(certname..".sbj", reqname..".sbj")
		fs.copy_file(certname..".cfg", reqname..".cfg")

		-- Next, get the subject (removing the /n inserted by fs.write_file)
		local subject = string.gsub(fs.read_file(reqname..".sbj") or "", "\n", "")

		-- Next, submit the request (new key)
		cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1'
		f = io.popen(cmd)
		cmdresult = f:read("*a")
		f:close()
		local filestats = posix.stat(reqname..".csr")
		if not filestats or filestats.size == 0 then
			cmdresult = "Failed to submit request\n"..cmdresult
			success = false
			os.remove(reqname..".pwd")
			os.remove(reqname..".sbj")
			os.remove(reqname..".cfg")
			os.remove(reqname..".pem")
			os.remove(reqname..".csr")
		else
			cmdresult = "Submitted request"
		end
	end

	if success and approve then
		approverequest(posix.basename(reqname))
	end

	return cfe({ type="boolean", value=cmdresult, label="Renew result" })
end

listrevoked = function()
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
	local databasepath = getconfigentry(config.ca.default_ca, "database")
	local revoked = {}
	local database = fs.read_file_as_array(databasepath) or {}
	for x,line in ipairs(database) do
		if string.sub(line,1,1) == "R" then
			revoked[#revoked + 1] = string.match(line, "^%S+%s+%S+%s+%S+%s+(%S+)")
		end
	end
	return cfe({ type="list", value=revoked, label="Revoked serial numbers" })
end

getcrl = function(crltype)
	local crlfile = cfe({ type="raw", option="application/pkix-crl" })
	local cmd = path .. "openssl ca -config "..configfile.." -gencrl -out "..openssldir.."ca-crl.crl"
	local f = io.popen(cmd)
	f:close()
	local cmd = path .. "openssl crl -in "..openssldir.."ca-crl.crl -out "..openssldir.."ca-der-crl.crl -outform DER"
	local f = io.popen(cmd)
	f:close()
	if string.lower(crltype or "") == "der" then
		crlfile.label = "ca-der-crl.crl"
		crlfile.value = fs.read_file(crlfile.label) or ""
	elseif string.lower(crltype or "") == "pem" then
		crlfile.label = "ca-crl.crl"
		crlfile.value = fs.read_file(crlfile.label) or ""
	else
		crlfile.value = fs.read_file("ca-der-crl.crl") or ""
	end
	return crlfile
end

getca = function(certtype)
	local result = cfe({ type="raw", option="application/x-x509-ca-cert" })
	local fname = "cacert."
	if string.lower(certtype or "") == "der" then
		local cmd = path .. "openssl x509 -in "..openssldir.."cacert.pem -outform der -out "..openssldir.."cacert.der"
		local f = io.popen(cmd)
		f:close()
		fname = fname.."der"
		result.label = fname
	elseif string.lower(certtype or "") == "pem" then
		fname = fname.."pem"
		result.label = fname
	else
		fname = fname.."pem"
	end
	result.value = fs.read_file(fname) or ""
	return result
end

getnewputca = function()
	local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' })
	local password = cfe({ label="Certificate Password" })
	return cfe({ type="group", value={ca=ca, password=password} })
end

putca = function(self, newca)
	local success = true
	-- Trying to upload a cert/key
	-- The way haserl works, ca contains the temporary file name
	-- First, get the cert
	local cmd, f, cmdresult
	if validator.is_valid_filename(newca.value.ca.value, "/tmp/") and fs.is_file(newca.value.ca.value) then
		cmd = path .. "openssl pkcs12 -in "..format.escapespecialcharacters(newca.value.ca.value).." -out "..format.escapespecialcharacters(newca.value.ca.value).."cert.pem -password pass:"..format.escapespecialcharacters(newca.value.password.value).." -nokeys 2>&1"
		f = io.popen(cmd)
		cmdresult = f:read("*a")
		f:close()
		local filestats = posix.stat(newca.value.ca.value.."cert.pem")
		if not filestats or filestats.size == 0 then
			newca.value.ca.errtxt = "Could not open certificate\n"..cmdresult
			success = false
		end
	else
		newca.value.ca.errtxt = "Invalid certificate"
		success = false
	end

	-- Check to make sure we got a CA cert
	if success then
		cmd = path .. "openssl x509 -in "..format.escapespecialcharacters(newca.value.ca.value).."cert.pem -noout -text"
		f = io.popen(cmd)
		cmdresult = f:read("*a")
		f:close()
		if not string.find(cmdresult, "CA:TRUE") then
			newca.value.ca.errtxt = "Could not find CA Certificate"
			success = false
		end
	end
		
	-- Now, get the key
	if success then
		cmd = path .. "openssl pkcs12 -in "..format.escapespecialcharacters(newca.value.ca.value).." -out "..format.escapespecialcharacters(newca.value.ca.value).."key.pem -password pass:"..format.escapespecialcharacters(newca.value.password.value).." -nocerts -nodes 2>&1"
		f = io.popen(cmd)
		cmdresult = f:read("*a")
		f:close()
		filestats = posix.stat(newca.value.ca.value.."key.pem")
		if not filestats or filestats.size == 0 then
			newca.value.ca.errtxt = "Could not find CA key\n"..cmdresult
			success = false
		end
	end

	if success then
		-- copy the keys
		copyca(newca.value.ca.value.."cert.pem", newca.value.ca.value.."key.pem")
	else
		newca.errtxt = "Failed to upload CA certificate"
	end

	-- Delete the temporary files
	if validator.is_valid_filename(newca.value.ca.value, "/tmp/") and fs.is_file(newca.value.ca.value) then
		os.remove(newca.value.ca.value.."cert.pem")
		os.remove(newca.value.ca.value.."key.pem")
	end

	-- Clear the values
	newca.value.ca.value = ""
	newca.value.password.value = ""

	return newca
end

getnewcarequest = function()
	request = getdefaults()
	-- In addition to the distinguished name defaults, we need days
	request.value.days = cfe({ value="365", label="Number of days to certify" })
	return request
end

generateca = function(self, defaults)
	local success, defaults = validate_request(defaults)

	if not validator.is_integer(defaults.value.days.value) then
		defaults.value.days.errtxt = "Must be a number"
		success = false
	end

	if success then
		os.remove("/tmp/cacert.pem")
		os.remove("/tmp/cakey.pem")

		-- Submit the request
		local subject = create_subject_string(defaults, {"days"})
		local cmd = path .. "openssl req -x509 -nodes -new -config "..configfile..' -keyout /tmp/cakey.pem -out /tmp/cacert.pem -subj "'..subject..'" -days '..format.escapespecialcharacters(defaults.value.days.value).." 2>&1"
		local f = io.popen(cmd)
		local cmdresult = f:read("*a")
		f:close()
		local certfilestats = posix.stat("/tmp/cacert.pem")
		local keyfilestats = posix.stat("/tmp/cakey.pem")
		if not certfilestats or certfilestats.size == 0 or not keyfilestats or keyfilestats.size == 0 then
			defaults.errtxt = "Failed to generate CA certificate\n"..cmdresult
			success = false
		end

		if success then
			-- copy the keys
			copyca("/tmp/cacert.pem", "/tmp/cakey.pem")
		end

		-- Delete the temporary files
		os.remove("/tmp/cacert.pem")
		os.remove("/tmp/cakey.pem")
	end

	if not success and not defaults.errtxt then
		defaults.errtxt = "Failed to generate CA certificate"
	end

	return defaults
end

getconfigfile = function()
	return modelfunctions.getfiledetails(configfile)
end

setconfigfile = function(self, filedetails)
	-- validate
	return modelfunctions.setfiledetails(self, filedetails, {configfile})
end

checkenvironment = function(set)
	local errtxt = {}
	local cmdline = {}
	
	-- First check for the openssl, req, and cert directories
	errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("openssl directory", openssldir)
	errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new certificate directory", certdir)
	errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("request directory", requestdir)

	-- Then check for the config file entries
	config = config or format.parse_ini_file(fs.read_file(configfile) or "")

	if config then
		local chkpath = getconfigentry(config.ca.default_ca, "new_certs_dir")
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("new_certs_dir", chkpath)

		local file = getconfigentry(config.ca.default_ca, "certificate")
		chkpath = posix.dirname(file)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("certificate directory", chkpath)
	
		file = getconfigentry(config.ca.default_ca, "private_key")
		chkpath = posix.dirname(file)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("private_key directory", chkpath)
	
		file = getconfigentry(config.ca.default_ca, "database")
		chkpath = posix.dirname(file)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("database directory", chkpath)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("database", file)
	
		file = getconfigentry(config.ca.default_ca, "serial")
		chkpath = posix.dirname(file)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("serial directory", chkpath)
		errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("serial", file, "01")

		file = getconfigentry(config.ca.default_ca, "crlnumber")
		if file ~= "" then
			chkpath = posix.dirname(file)
			errtxt[#errtxt+1], cmdline[#cmdline+1] = checkdir("crlnumber directory", chkpath)
			errtxt[#errtxt+1], cmdline[#cmdline+1] = checkfile("crlnumber", file, "01")
		end
	else
		errtxt[#errtxt+1] = "Configuration invalid"
	end

	if set then
		-- loop through the cmdline and execute
		for x,cmd in ipairs(cmdline) do
			cmd()
		end
		return checkenvironment()
	else
		errtxt = table.concat(errtxt, '\n')
		local value
		if errtxt == "" then
			errtxt = nil
			value = "Environment ready"
		else
			value = "Environment not ready"
		end
		return cfe({ value=value, errtxt=errtxt, label="Environment" })
	end
end