authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-05-03 22:36:41 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-07-01 23:05:41 +0300
commite42f090e4125e329205afd7fcbfa01bd511699c8 (patch)
treef5f7523f6d0bfc5d408ee0f66c5f8e3af3c1a1df /dmvpn-ca
parent37d0cab89fa15087e40038545564a917973cda46 (diff)
dmvpn-ca: private key encryption
Diffstat (limited to 'dmvpn-ca')
-rwxr-xr-xdmvpn-ca22
1 files changed, 19 insertions, 3 deletions
diff --git a/dmvpn-ca b/dmvpn-ca
index 1fff5fa..a9d68a8 100755
--- a/dmvpn-ca
+++ b/dmvpn-ca
@@ -81,6 +81,10 @@ for _, ct in ipairs{'ca', 'hub', 'spoke', 'crl'} do
set_config_defaults(config[ct], config.cert)
end
+if config.db['encrypt-keys'] == true then
+ config.db['encrypt-keys'] = 'aes128'
+end
+
now = os.time()
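Review bot: Only the literal `true` is normalized to `'aes128'` here; any other string in `config.db['encrypt-keys']` is passed unchecked as the cipher name to `key:getPrivateKey` in the issue_cert hunk below (L52), so a misspelled cipher name is not reported until the first certificate is issued, and on a CA that may already have written the certificate row. A type check next to the defaulting would fail early: `elseif config.db['encrypt-keys'] ~= nil and config.db['encrypt-keys'] ~= false and type(config.db['encrypt-keys']) ~= 'string' then error('encrypt-keys must be a boolean or a cipher name') end`. Checking the name against the ciphers the OpenSSL binding actually supports would be better still, but which helper exposes that list is not visible in this hunk. A short comment stating the accepted values (`-- encrypt-keys: false/nil = plaintext, true = aes128, or an explicit cipher name`) would also help.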
@@ -206,13 +210,22 @@ function detect_prefix_afi(s)
end
+function get_password(new)
+ if not password then password = dmvpn.get_password(new) end
+ return password
+end
+
+function decrypt_key(key)
+ return pkey.new(key, 'PEM', 'private', get_password)
+end
+
function load_ca()
if not ca_cert then
local row = select_one(
'data, privateKey', 'certificate', {serial=0}, 'n'
)
ca_cert = x509.new(row[1], 'PEM')
- ca_key = pkey.new(row[2], 'PEM', 'private')
+ ca_key = decrypt_key(row[2])
end
return ca_cert, ca_key
end
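Review bot: `password` in get_password is assigned without `local`, so the cached key-encryption password becomes a global for the whole run. The export_cert hunk below (L62) already references a `password` in `password=password` for the PKCS#12 bundle; if that is not a local of export_cert (its start is outside the hunk), the PKCS#12 export password and the database key-encryption password would share one variable and the first prompt would silently serve both purposes. Declaring the cache once at file level, `local password`, and giving the function a doc comment such as `-- Prompt once per run for the key-encryption password; `new` only matters on the first call` would make the intent explicit. Also note that decrypt_key passes get_password directly as the callback, so `new` receives whatever the binding passes to the callback (presumably nothing), which is what makes it an "existing password" prompt.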
@@ -260,7 +273,10 @@ function issue_cert(attrs, func)
attrs.issued = issued
attrs.expires = expires
- attrs.privateKey = key:toPEM('private')
+ attrs.privateKey = key:getPrivateKey(
+ config.db['encrypt-keys'] or nil,
+ function() return get_password(ca) end
+ )
cert:addExtension(
x509ext.new(
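Review bot: The password closure calls `get_password(ca)`, but `ca` is set somewhere before this hunk (issue_cert begins outside it), so the reader cannot see which value selects a new-password prompt versus reuse of the cached one. Because get_password caches after the first call, the flag has an effect only on the first key generated in a run; a comment above the call, `-- ca is truthy only when generating the CA's own key: prompt for a new password then, reuse it afterwards`, would document that, assuming that is indeed the meaning of `ca`. The `or nil` on the cipher argument is fine as a `false`-to-`nil` normalization and deserves a short note of its own so it is not cleaned away.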
@@ -322,7 +338,7 @@ function export_cert(cert)
file:write(
tostring(
pkcs12.new{
- key=pkey.new(cert.privateKey, 'PEM', 'private'),
+ key=decrypt_key(cert.privateKey),
certs=chain,
password=password
}