Luke Stuart: 1 acf-openssl changes as per #354 6 files changed, 49 insertions(+), 22 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:
curl -s https://lists.alpinelinux.org/~alpine/devel/patches/58/mbox | git am -3Learn more about email & git
--- openssl-controller.lua | 6 ++++- openssl-editdefaults-html.lsp | 2 +- openssl-model.lua | 48 ++++++++++++++++++++++++++++------------ openssl-request-html.lsp | 2 +- openssl-status-html.lsp | 7 +++++- openssl.roles | 6 ++-- 6 files changed, 49 insertions(+), 22 deletions(-) mode change 100755 => 100644 openssl-controller.lua mode change 100755 => 100644 openssl-model.lua diff --git a/openssl-controller.lua b/openssl-controller.lua old mode 100755 new mode 100644 index 7d9ae9a..fd43693 --- a/openssl-controller.lua +++ b/openssl-controller.lua @@ -9,7 +9,6 @@ local sslstatus mvc={} mvc.pre_exec = function(self) - self.model.set_umask() sslstatus = self.model.getstatus() if (sslstatus.value.version.errtxt and self.conf.action ~= "status") or (sslstatus.value.conffile.errtxt and self.conf.action ~= "status" and self.conf.action ~= "editconfigfile" and self.conf.action ~= "checkenvironment") @@ -116,6 +115,11 @@ putcacert = function(self) return controllerfunctions.handle_form(self, self.model.getnewputca, self.model.putca, self.clientdata, "Upload", "Upload CA Certificate", "Certificate Uploaded") end +downloadpem = function(self) + self.conf.viewtype="stream" + return self.model.getpem(self.clientdata.dlpath) +end + -- Generate a self-signed CA generatecacert = function(self) return controllerfunctions.handle_form(self, self.model.getnewcarequest, self.model.generateca, self.clientdata, "Generate", "Generate CA Certificate", "Certificate Generated") diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp index 9052213..b73b0a8 100644 --- a/openssl-editdefaults-html.lsp +++ b/openssl-editdefaults-html.lsp @@ -6,7 +6,7 @@ form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O", "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" } - local finishingorder = { "certtype", "extensions" } + local finishingorder = { "encryption", "validdays", "certtype", "extensions" } displayform(form, order, finishingorder) %> diff --git a/openssl-model.lua b/openssl-model.lua old mode 100755 new mode 100644 index b5a84a6..844fa7c --- a/openssl-model.lua +++ b/openssl-model.lua @@ -37,7 +37,6 @@ local getdefaults = function() local defaults = cfe({ type="group", value={} }) config = config or format.parse_ini_file(fs.read_file(configfile) or "") local distinguished_name = config.req.distinguished_name or "" - -- Get the distinguished name defaults for name,value in pairs(config[distinguished_name]) do if nil == string.find(name, "_") then @@ -300,21 +299,26 @@ getstatus = function() return cfe({ type="group", value={version=version, conffile=conffile, environment=environment, cacert=cacert, cacertcontents=cacertcontents, cakey=cakey}, label="openssl status" }) end -set_umask = function() - return posix.umask("rw-------") -end - - getreqdefaults = function() local defaults = getdefaults() - + + --Add in the encryption bit default + local encryption = "" + local content = fs.read_file(configfile) or "" + encryption = format.get_ini_entry(content, "req", "default_bits") + defaults.value.encryption = cfe({ type="select", label="Encryption Bits", value=encryption, option={"2048", "4096"} }) + + -- Add in the default days + local validdays = "" + local validdays = format.get_ini_entry(content, "", "default_days") + defaults.value.validdays = cfe({ type="text", label="Period of Validity (Days)", value=validdays, descr="Number of days this certificate is valid for" }) + -- Add in the ca type default defaults.value.certtype = cfe({ type="select", label="Certificate Type", value=config.ca.default_ca, option=find_ca_sections() }) + -- Add in the extensions local extensions = "" - local content = fs.read_file(configfile) or "" - config = config or format.parse_ini_file(content) if config.req.req_extensions then extensions = format.get_ini_section(content, config.req.req_extensions) end @@ -338,10 +342,13 @@ setreqdefaults = function(defaults) else ext_section = config.req.req_extensions end + config = nil + fileval = format.update_ini_file(fileval,"req","default_bits",defaults.value.encryption.value) + fileval = format.update_ini_file(fileval,"","default_days",defaults.value.validdays.value) fileval = format.set_ini_section(fileval, ext_section, format.dostounix(defaults.value.extensions.value)) fileval = format.update_ini_file(fileval, "ca", "default_ca", defaults.value.certtype.value) - fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions"}) + fileval = write_distinguished_names(fileval, defaults, {"certtype", "extensions", "validdays" }) fs.write_file(configfile, fileval) end @@ -362,7 +369,7 @@ end submitrequest = function(defaults, user) local success, defaults = validate_request(defaults) - + -- Must have a common name if #defaults.value.commonName.value == 0 then defaults.value.commonName.errtxt = "Common Name cannot be blank" @@ -383,10 +390,15 @@ submitrequest = function(defaults, user) defaults.errtxt = "Failed to submit request\nRequest already exists" success = false end + + if not tonumber(defaults.value.validdays.value) then + defaults.value.validdays.errtxt = "Period of Validity is not a number" + success = false + end if success then -- Submit the request - local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions"}) + local subject = create_subject_string(defaults, {"password", "password_confirm", "certtype", "extensions" }) -- Generate a temp config file for this request local fileval = fs.read_file(configfile) or "" @@ -403,11 +415,11 @@ submitrequest = function(defaults, user) end end end - + fileval = format.update_ini_file(fileval, "req","default_bits",defaults.value.encryption.value) + fileval = format.update_ini_file(fileval, "","default_days",defaults.value.validdays.value) fileval = format.set_ini_section(fileval, ext_section, content) fileval = format.update_ini_file(fileval, "req", "req_extensions", ext_section) fs.write_file(reqname..".cfg", fileval) - local cmd = path .. "openssl req -nodes -new -config "..format.escapespecialcharacters(reqname)..".cfg -keyout "..format.escapespecialcharacters(reqname)..".pem -out "..format.escapespecialcharacters(reqname)..'.csr -subj "'..subject..'" 2>&1' local f = io.popen(cmd) local cmdresult = f:read("*a") @@ -470,7 +482,7 @@ approverequest = function(request) local certname = certdir..request.."."..serial -- Now, sign the certificate - local cmd = path .. "openssl ca -config "..configfile.." -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1" + local cmd = path .. "openssl ca -config "..format.escapespecialcharacters(reqpath)..".cfg -in "..format.escapespecialcharacters(reqpath)..".csr -out "..format.escapespecialcharacters(certname)..".crt -name "..format.escapespecialcharacters(certtype).." -batch 2>&1" local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() @@ -680,6 +692,12 @@ getcrl = function(crltype) return crlfile end +getpem = function(pem) + local f = fs.read_file(pem) or "" + local fname = string.gsub(pem, ".*/", "") + return cfe({ type="raw", value=f, label=fname, option="application/x-pkcs12" }) +end + getnewputca = function() local ca = cfe({ type="raw", value=0, label="CA Certificate", descr='File must be a password protected ".pfx" file' }) local password = cfe({ label="Certificate Password" }) diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp index 2bc3af9..6444165 100644 --- a/openssl-request-html.lsp +++ b/openssl-request-html.lsp @@ -8,7 +8,7 @@ form.value.password_confirm.type = "password" local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O", "organizationalUnitName", "OU", "commonName", "CN", "emailAddress" } - local finishingorder = { "certtype", "extensions", "password", "password_confirm" } + local finishingorder = { "encryption", "validdays", "certtype", "extensions", "password", "password_confirm" } displayform(form, order, finishingorder) %> diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp index 1837ab0..f983359 100644 --- a/openssl-status-html.lsp +++ b/openssl-status-html.lsp @@ -32,4 +32,9 @@ end end end %> - +<% if viewlibrary.check_permission("downloadpem") then %> +<H1>Download Certificate</H1> +<DL> +<%= html.link{value="downloadpem?dlpath="..html.html_escape(view.value.cacert.value), label="Download "..view.value.cacert.value } %><BR> +</DL> +<% end %> diff --git a/openssl.roles b/openssl.roles index eb63818..03f5df1 100644 --- a/openssl.roles +++ b/openssl.roles @@ -1,6 +1,6 @@ USER=openssl:status,openssl:getrevoked EDITOR=openssl:editdefaults CERT_REQUESTER=openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert -CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert -EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment -ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment +CERT_APPROVER=openssl:readall,openssl:approve,openssl:viewrequest,openssl:deleterequest,openssl:revoke,openssl:viewcert,openssl:getcert,openssl:deletecert,openssl:renewcert,openssl:downloadpem +EXPERT=openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadpem +ADMIN=openssl:status,openssl:getrevoked,openssl:editdefaults,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:requestrenewcert,openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:renewcert,openssl:putcacert,openssl:generatecacert,openssl:editconfigfile,openssl:checkenvironment,openssl:downloadpem -- 1.7.5.4 --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---