-rwxr-xr-xdmvpn-ca36
-rw-r--r--syntax.txt2
2 files changed, 31 insertions, 7 deletions
diff --git a/dmvpn-ca b/dmvpn-ca
index a9d68a8..a0bb8f0 100755
--- a/dmvpn-ca
+++ b/dmvpn-ca
@@ -210,9 +210,11 @@ function detect_prefix_afi(s)
end
-function get_password(new)
- if not password then password = dmvpn.get_password(new) end
- return password
+passwords = {}
+function get_password(new, id)
+ if not id then id = 'default' end
+ if not passwords[id] then passwords[id] = dmvpn.get_password(new) end
+ return passwords[id]
end
function decrypt_key(key)
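Review bot: The `new` flag is only honoured on the first call for a given `id`; once `passwords[id]` is populated, a later call that asks for confirmation of a fresh password (`new == true`) silently receives the cached value, and the cache itself holds plaintext passwords in a global table for the rest of the run. That was also true of the single global `password` the commit replaces, but with two ids now in play ('default' and 'new') the contract deserves a comment above `passwords = {}`, for example `-- per-id cache of passwords typed this run ('default' = current key password, 'new' = replacement); the new flag is consulted only when an id is first requested`. Consider also declaring the table `local` if the rest of the file does not rely on it being global; I cannot see the other callers from here.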
@@ -230,6 +232,13 @@ function load_ca()
return ca_cert, ca_key
end
+function encrypt_key(key, new_pw, pw_id)
+ return key:getPrivateKey(
+ config.db['encrypt-keys'] or nil,
+ function() return get_password(new_pw, pw_id) end
+ )
+end
+
function sign(object, hash_alg, cert, key)
if not cert then cert, key = load_ca() end
object:setIssuer(cert:getSubject())
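Review bot: `encrypt_key` is a new public helper with three positional arguments and no header comment, and `config.db['encrypt-keys'] or nil` reads as a no-op unless the reader knows it maps a `false` setting to `nil`. A two-line comment above the function would settle both: `-- Serialize key's private half, encrypting it with the cipher named by encrypt-keys (nil/false = plaintext); new_pw and pw_id are passed to get_password, which presumably is only invoked when a cipher is set -- confirm against the x509 binding`. The body of `sign` continues outside the hunk.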
@@ -273,10 +282,7 @@ function issue_cert(attrs, func)
attrs.issued = issued
attrs.expires = expires
- attrs.privateKey = key:getPrivateKey(
- config.db['encrypt-keys'] or nil,
- function() return get_password(ca) end
- )
+ attrs.privateKey = encrypt_key(key, ca)
cert:addExtension(
x509ext.new(
@@ -1282,6 +1288,22 @@ output = scan_choice(
scan_finished()
io.write(tostring(generate_crl()))
end
+ },
+ password={
+ set=function()
+ for row in select_many(
+ 'serial, privateKey',
+ 'certificate',
+ nil,
+ 'n'
+ ) do
+ update(
+ 'certificate',
+ {privateKey=encrypt_key(decrypt_key(row[2]), true, 'new')},
+ {serial=row[1]}
+ )
+ end
+ end
}
},
'object type'
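Review bot: `password set` re-encrypts keys row by row with no all-or-nothing guarantee, so a mistyped confirmation, a decrypt failure on one row, or an interrupt partway through leaves some private keys under the old password and some under the new one, with the new one existing only in the in-memory cache. Calling `get_password(true, 'new')` once before the `for` loop would make the operator confirm the new password before any row is touched; if `update` and `select_many` are backed by a database that supports it, the whole loop should also run in a single transaction so a failure rolls every row back. It is also worth confirming that the underlying driver permits updating 'certificate' while a `select_many` cursor over the same table is still open. The `scan_choice` table that this entry belongs to starts and ends outside the hunk.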
diff --git a/syntax.txt b/syntax.txt
index ed30ddc..e8345d4 100644
--- a/syntax.txt
+++ b/syntax.txt
@@ -31,3 +31,5 @@ dmvpn-ca cert {list|show|revoke} [serial <num>|hubs|hub <id>|site <abbr> [vpnc <
dmvpn-ca cert export serial <num>
dmvpn-ca crl {show|export}
+
+dmvpn-ca password set