From bfe7abd13fc07149386421e2f327780f4699936b Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Sun, 1 Jul 2018 23:04:56 +0300 Subject: dmvpn-ca: password change function --- dmvpn-ca | 36 +++++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-) (limited to 'dmvpn-ca') diff --git a/dmvpn-ca b/dmvpn-ca index a9d68a8..a0bb8f0 100755 --- a/dmvpn-ca +++ b/dmvpn-ca @@ -210,9 +210,11 @@ function detect_prefix_afi(s) end -function get_password(new) - if not password then password = dmvpn.get_password(new) end - return password +passwords = {} +function get_password(new, id) + if not id then id = 'default' end + if not passwords[id] then passwords[id] = dmvpn.get_password(new) end + return passwords[id] end function decrypt_key(key) @@ -230,6 +232,13 @@ function load_ca() return ca_cert, ca_key end +function encrypt_key(key, new_pw, pw_id) + return key:getPrivateKey( + config.db['encrypt-keys'] or nil, + function() return get_password(new_pw, pw_id) end + ) +end + function sign(object, hash_alg, cert, key) if not cert then cert, key = load_ca() end object:setIssuer(cert:getSubject()) @@ -273,10 +282,7 @@ function issue_cert(attrs, func) attrs.issued = issued attrs.expires = expires - attrs.privateKey = key:getPrivateKey( - config.db['encrypt-keys'] or nil, - function() return get_password(ca) end - ) + attrs.privateKey = encrypt_key(key, ca) cert:addExtension( x509ext.new( @@ -1282,6 +1288,22 @@ output = scan_choice( scan_finished() io.write(tostring(generate_crl())) end + }, + password={ + set=function() + for row in select_many( + 'serial, privateKey', + 'certificate', + nil, + 'n' + ) do + update( + 'certificate', + {privateKey=encrypt_key(decrypt_key(row[2]), true, 'new')}, + {serial=row[1]} + ) + end + end } }, 'object type' -- cgit v1.2.3
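Review bot: In `get_password(new, id)` the cache is keyed only by `id`, so the `new` flag matters only on the first call for a given id; a later `get_password(false, 'default')` returns whatever an earlier `get_password(true, 'default')` cached and the prompt is never repeated. That appears to be what the `encrypt_key(key, ca)` call in issue_cert relies on, but it is easy to misread, so a comment above the function would help: `-- passwords are prompted once per id and cached for the rest of the run;` / `-- the 'new' flag only affects the first prompt for that id`. It is also worth stating that the cached passwords remain in memory as Lua strings until the process exits, since there is no way to wipe them.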
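Review bot: `encrypt_key` passes `nil` as the cipher whenever `config.db['encrypt-keys']` is unset, so the key is presumably written out in the clear and the password callback is never invoked; the name suggests encryption always happens. A header comment would make the contract explicit: `-- returns the PEM-encoded private key, encrypted with the configured cipher;` / `-- stored in the clear if 'encrypt-keys' is not set. pw_id selects which` / `-- cached password (see get_password) is used`. The body of `sign` continues outside the hunk.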
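Review bot: `password set` rewrites the certificate table row by row, so a failure part-way through (a wrong old password raised by `decrypt_key` on a later row, an unreadable `privateKey`, or a database error on `update`) leaves some keys encrypted under the new password and the rest under the old one, with no single password that unlocks everything; nothing in the hunk shows `select_many`/`update` running inside a transaction. Unless the DB layer provides one, the safer shape is to decrypt and re-encrypt every key in memory first and only then issue the updates, so any error before the first write leaves the table untouched. Separately, when `encrypt-keys` is not configured `encrypt_key` passes `nil` as the cipher and the 'new' password is apparently never requested, so the command should probably refuse to run with a clear message in that case. If the CA's own key is stored outside the `certificate` table (load_ca is not visible here), this loop would not re-key it — worth confirming.
```lua
set=function()
    -- re-encrypt everything in memory first so that a failure (wrong old
    -- password, unreadable key, DB error) leaves the table untouched
    local rekeyed = {}
    for row in select_many('serial, privateKey', 'certificate', nil, 'n') do
        rekeyed[#rekeyed + 1] = {
            serial=row[1],
            privateKey=encrypt_key(decrypt_key(row[2]), true, 'new')
        }
    end
    for _, r in ipairs(rekeyed) do
        update('certificate', {privateKey=r.privateKey}, {serial=r.serial})
    end
end
```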