For discussion of Alpine Linux development and developer support

[alpine-devel] [PATCH] acf-openssl changes as per #354

Luke Stuart
Details
Message ID
<1308567945-12186-1-git-send-email-lukestu@gmail.com>
Sender timestamp
1308567945
DKIM signature
missing
Download raw message
Patch: +49 -22
---
 openssl-controller.lua        |    6 ++++-
 openssl-editdefaults-html.lsp |    2 +-
 openssl-model.lua             |   48 ++++++++++++++++++++++++++++------------
 openssl-request-html.lsp      |    2 +-
 openssl-status-html.lsp       |    7 +++++-
 openssl.roles                 |    6 ++--
 6 files changed, 49 insertions(+), 22 deletions(-)
 mode change 100755 => 100644 openssl-controller.lua
 mode change 100755 => 100644 openssl-model.lua

diff --git a/openssl-controller.lua b/openssl-controller.lua
old mode 100755
new mode 100644
index 7d9ae9a..fd43693
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -9,7 +9,6 @@ local sslstatus
 
 mvc={}
 mvc.pre_exec = function(self)
-	self.model.set_umask()
 	sslstatus = self.model.getstatus()
 	if (sslstatus.value.version.errtxt and self.conf.action ~= "status")
 		or (sslstatus.value.conffile.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment")
@@ -116,6 +115,11 @@ putcacert = function(self)
 	return controllerfunctions.handle_form(self, self.model.getnewputca, self.model.putca, self.clientdata, "Upload", "Upload CA Certificate", "Certificate Uploaded")
 end
 
+downloadpem = function(self)
+	self.conf.viewtype="stream"
+	return self.model.getpem(self.clientdata.dlpath)	
+end
+	
 -- Generate a self-signed CA
 generatecacert = function(self)
 	return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Generate CA Certificate", "Certificate Generated")
diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp
index 9052213..b73b0a8 100644
--- a/openssl-editdefaults-html.lsp
+++ b/openssl-editdefaults-html.lsp
@@ -6,7 +6,7 @@
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
 			"organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
-	local finishingorder = { "certtype", "extensions" }
+	local finishingorder = { "encryption", "validdays", "certtype", "extensions" }
 	displayform(form, order, finishingorder)
 %>
 
diff --git a/openssl-model.lua b/openssl-model.lua
old mode 100755
new mode 100644
index b5a84a6..844fa7c
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -37,7 +37,6 @@ local getdefaults = function()
 	local defaults = cfe({ type="group", value={} })
 	config = config or format.parse_ini_file(fs.read_file(configfile) or "")
 	local distinguished_name = config.req.distinguished_name or ""
-
 	-- Get the distinguished name defaults
 	for name,value in pairs(config[distinguished_name]) do
 		if nil == string.find(name, "_") then
@@ -300,21 +299,26 @@ getstatus = function()
 	return cfe({ type="group", value={version=version, conffile=conffile, environment=environment, cacert=cacert, cacertcontents=cacertcontents, cakey=cakey}, label="openssl status" })
 end
 
-set_umask = function()
-	return posix.umask("rw-------")
-end
-
-
 getreqdefaults = function()
 	local defaults = getdefaults()
-
+	
+	--Add in the encryption bit default
+	local encryption = ""
+	local content = fs.read_file(configfile) or ""
+	encryption = format.get_ini_entry(content, "req", "default_bits")
+	defaults.value.encryption = cfe({ type="select", label="Encryption Bits", value=encryption, option={"2048", "4096"} })
+	
+	-- Add in the default days
+	local validdays = ""
+	local validdays = format.get_ini_entry(content, "", "default_days")
+	defaults.value.validdays = cfe({ type="text", label="Period of Validity (Days)", value=validdays, descr="Number of days this certificate is valid for" })
+	
 	-- Add in the ca type default
 	defaults.value.certtype = cfe({ type="select", label="Certificate Type", 
 		value=config.ca.default_ca, option=find_ca_sections() })
+	
 	-- Add in the extensions
 	local extensions = ""
-	local content = fs.read_file(configfile) or ""
-	config = config or format.parse_ini_file(content)
 	if config.req.req_extensions then
 		extensions = format.get_ini_section(content, config.req.req_extensions)
 	end
@@ -338,10 +342,13 @@ setreqdefaults = function(defaults)
 		else
 			ext_section = config.req.req_extensions
 		end
+	
 		config = nil
+		fileval = format.update_ini_file(fileval,"req","default_bits",defaults.value.encryption.value)
+		fileval = format.update_ini_file(fileval,"","default_days",defaults.value.validdays.value)
 		fileval = format.set_ini_section(fileval, ext_section, format.dostounix(defaults.value.extensions.value))
 		fileval = format.update_ini_file(fileval, "ca", "default_ca", defaults.value.certtype.value)
-		fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions"})
+		fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions", "validdays" })
 		fs.write_file(configfile, fileval)
 	end
 
@@ -362,7 +369,7 @@ end
 
 submitrequest = function(defaults, user)
 	local success, defaults = validate_request(defaults)
-
+	
 	-- Must have a common name
 	if #defaults.value.commonName.value == 0 then
 		defaults.value.commonName.errtxt = "Common Name cannot be blank"
@@ -383,10 +390,15 @@ submitrequest = function(defaults, user)
 		defaults.errtxt = "Failed to submit request\nRequest already exists"
 		success = false
 	end
+	
+	if not tonumber(defaults.value.validdays.value) then
+		defaults.value.validdays.errtxt = "Period of Validity is not a number"
+		success = false
+	end 
 
 	if success then
 		-- Submit the request
-		local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"})
+		local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions" })
 
 		-- Generate a temp config file for this request
 		local fileval = fs.read_file(configfile) or ""
@@ -403,11 +415,11 @@ submitrequest = function(defaults, user)
 				end
 			end
 		end
-		
+		fileval = format.update_ini_file(fileval, "req","default_bits",defaults.value.encryption.value)
+		fileval = format.update_ini_file(fileval, "","default_days",defaults.value.validdays.value)	
 		fileval = format.set_ini_section(fileval, ext_section, content)
 		fileval = format.update_ini_file(fileval, "req", "req_extensions", ext_section)
 		fs.write_file(reqname..".cfg", fileval)
-		
 		local cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1'
 		local f = io.popen(cmd)
 		local cmdresult = f:read("*a")
@@ -470,7 +482,7 @@ approverequest = function(request)
 		local certname = certdir..request.."."..serial
 		
 		-- Now, sign the certificate
-		local cmd = path .. "openssl ca -config "..configfile.." -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1"
+		local cmd = path .. "openssl ca -config "..format.escapespecialcharacters(reqpath)..".cfg -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1"
 		local f = io.popen(cmd)
 		cmdresult.value = f:read("*a")
 		f:close()
@@ -680,6 +692,12 @@ getcrl = function(crltype)
 	return crlfile
 end
 
+getpem = function(pem)
+	local f = fs.read_file(pem) or ""
+	local fname = string.gsub(pem, ".*/", "")
+	return cfe({ type="raw", value=f, label=fname, option="application/x-pkcs12" })
+end
+
 getnewputca = function()
 	local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' })
 	local password = cfe({ label="Certificate Password" })
diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp
index 2bc3af9..6444165 100644
--- a/openssl-request-html.lsp
+++ b/openssl-request-html.lsp
@@ -8,7 +8,7 @@
 	form.value.password_confirm.type = "password"
 	local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
 			"organizationalUnitName", "OU", "commonName", "CN", "emailAddress" }
-	local finishingorder = { "certtype", "extensions", "password", "password_confirm" }
+	local finishingorder = { "encryption", "validdays", "certtype", "extensions", "password", "password_confirm" }
 	displayform(form, order, finishingorder)
 %>
 
diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp
index 1837ab0..f983359 100644
--- a/openssl-status-html.lsp
+++ b/openssl-status-html.lsp
@@ -32,4 +32,9 @@
 		end
 	end
 end %>
-
+<% if viewlibrary.check_permission("downloadpem") then %>
+<H1>Download Certificate</H1>
+<DL>
+<%= html.link{value="downloadpem?dlpath="..html.html_escape(view.value.cacert.value), label="Download "..view.value.cacert.value } %><BR>
+</DL>
+<% end %> 
diff --git a/openssl.roles b/openssl.roles
index eb63818..03f5df1 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,6 +1,6 @@
 USER=openssl:status,openssl:getrevoked
 EDITOR=openssl:editdefaults
 CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert
-CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert
-EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment
-ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment
+CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadpem
+EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadpem
+ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadpem
-- 
1.7.5.4



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---