alterator-ca-0.5.4/ 0000755 0000000 0000000 00000000000 11303112121 0014055 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/Makefile 0000644 0000000 0000000 00000000555 11303112121 0015522 0 ustar 00root root 0000000 0000000 NAME=ca
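# Build targets for the alterator-ca module.  `all` and `clean` are
# intentionally empty: the module is shell and Scheme only, nothing is built.
# `install-module` is supplied by the included module.mak.
.PHONY: all clean install install-sbin install-data

all:

clean:

install: install-module install-sbin install-data

include /usr/share/alterator/build/module.mak

# ca-sh-functions is a sourced library (0644); ca-sko is the CLI (0755).
install-sbin:
	install -d $(bindir)
	install -d $(sbindir)
	install -pm644 bin/ca-sh-functions $(bindir)
	install -pm755 bin/ca-sko $(sbindir)

# CA.cnf is the `openssl ca` configuration (signing policy, digest, validity)
# read by ca-sh-functions; it is installed read-only for non-root.
install-data:
	install -d $(datadir)/alterator-ca
	install -pm644 data/CA.cnf $(datadir)/alterator-ca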
alterator-ca-0.5.4/alterator 0000777 0000000 0000000 00000000000 11303112121 0021145 2interfaces/guile ustar 00root root 0000000 0000000 alterator-ca-0.5.4/applications/ 0000755 0000000 0000000 00000000000 11303112121 0016543 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/applications/ca.desktop 0000644 0000000 0000000 00000000340 11303112121 0020516 0 ustar 00root root 0000000 0000000 [Desktop Entry]
Type=Application
Categories=X-Alterator-System
Terminal=false
Name=Certification Authority
Icon=ca
X-Alterator-URI=/ca
X-Alterator-Help=ca
X-Alterator-UI=html
Name[ru]=Удостоверяющий Центр
alterator-ca-0.5.4/backend3/ 0000755 0000000 0000000 00000000000 11303112121 0015527 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/backend3/ca 0000755 0000000 0000000 00000016660 11303112121 0016051 0 ustar 00root root 0000000 0000000 #!/bin/sh -f
alterator_api_version=1
po_domain="alterator-ca"
# Expected to provide message_loop, write_*_param, write_table_item, write_enum,
# write_error, test_bool and _ (gettext), all used by on_message below.
. alterator-sh-functions
# Expected to provide publish_service (mDNS announcement of the root certificate, see create).
. avahi-sh-functions
# shell_config_get / shell_config_set for the C= and O= lines of dnparam.txt.
. shell-config
# set_cleanup_handler, used to remove the per-run scratch directory.
. shell-signal
# Remove the per-run scratch directory (holds an uploaded CSR and its text
# dump).  Registered through set_cleanup_handler; a no-op when tmpdir is unset.
cleanup_function()
{
	if [ -n "$tmpdir" ]; then
		rm -rf -- "$tmpdir"
	fi
}
# Per-run scratch directory: an uploaded CSR waits here between the "upload"
# action and the "output.pem" download.  Removed by cleanup_function on exit.
tmpdir="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup_function
# C= / O= parameters; ca-sh-functions reads the same file (CA_SKO_DNPARAM default).
conffile="/etc/alterator-ca/dnparam.txt"
# cron fragment managed by write_autoupdate; it runs $update_cmd as root.
autoupdate_file="/etc/cron.d/alterator-ca"
update_cmd="ca-sko update"
# Make ca-sko emit its full (verbose) status line, which the read handlers parse.
export CA_VERBOSE=1
# Predicate for do_all_hosts: accepts a non-empty host name other than
# "localhost", so a bulk "delhost" can never target the local store.
filter_localhost()
{
	case "$1" in
		''|localhost) return 1 ;;
		*) return 0 ;;
	esac
}
# Run ca-sko sub-command $1 once per key listed in $in_key_name
# (';'-separated), always for the host in $in_hostname.
do_all_keys()
{
	local cmd="$1" key
	local IFS=';'
	for key in $in_key_name; do
		ca-sko "$cmd" "$in_hostname" "$key"
	done
}
# Run ca-sko sub-command $1 for every ';'-separated host in $in_name.
# An optional predicate $2 is called with each host and may veto it;
# the default ':' accepts everything.
do_all_hosts()
{
	local cmd="$1" accept="${2:-:}" host
	local IFS=';'
	for host in $in_name; do
		if "$accept" "$host"; then
			ca-sko "$cmd" "$host"
		fi
	done
}
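# Create or remove the root cron job that runs "$update_cmd".
# Inputs: $in_autoupdate (bool) and $in_time, which the UI sends as
# "HH:MM:SS" (read_autoupdate emits that form).
# Hour and minute are checked to be plain in-range digits before they are
# written: the file lands in /etc/cron.d and is executed as root, so a value
# containing spaces or newlines must never become part of a crontab line.
# The fragment is written to a temp file and renamed, so cron never reads a
# partially written file.
write_autoupdate()
{
	local hour min tmpfile
	if ! test_bool "$in_autoupdate"; then
		rm -f "$autoupdate_file"
		return
	fi
	# "HH:MM:SS" -> "HH:MM", then split
	in_time="${in_time%:*}"
	hour="${in_time%:*}"
	min="${in_time#*:}"
	case "$hour" in
		''|*[!0-9]*) write_error "$(_ "Invalid time")"; return ;;
	esac
	case "$min" in
		''|*[!0-9]*) write_error "$(_ "Invalid time")"; return ;;
	esac
	if [ "$hour" -gt 23 ] || [ "$min" -gt 59 ]; then
		write_error "$(_ "Invalid time")"
		return
	fi
	tmpfile="$(mktemp "$autoupdate_file.XXXXXXXXXX")" || {
		write_error "$(_ "Unable to write cron file")"
		return
	}
	{
		printf '#autogenerated by alterator-ca\n'
		printf 'SHELL=/bin/sh\n'
		printf 'PATH=/sbin:/usr/sbin:/bin:/usr/bin\n'
		printf 'CA_VERBOSE=1\n\n'
		printf '%s %s * * * root %s\n' "$min" "$hour" "$update_cmd"
	} >"$tmpfile"
	mv -f "$tmpfile" "$autoupdate_file"
}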
# Report the current auto-update setting to the UI.
# The first crontab line of $autoupdate_file (skipping blanks, comments and
# VAR=value lines) yields time "HH:MM:00" and autoupdate=true; with no such
# line the defaults 02:00:00 / false are reported.
read_autoupdate()
{
	local min hour monthday month weekday rest
	if [ -s "$autoupdate_file" ]; then
		while read min hour monthday month weekday rest; do
			case "$min" in
				''|\#*|*=*) continue ;;
			esac
			write_string_param time "$hour:$min:00"
			write_bool_param autoupdate true
			return
		done < "$autoupdate_file"
	fi
	write_string_param time "02:00:00"
	write_bool_param autoupdate false
}
# Alterator request handler, invoked once per message by message_loop.
# $in_action is the verb (type/list/read/write/create/upload), $in__objects
# the object under /ca (root, certs, host, download, avail_hosts); the other
# in_* variables are the request parameters sent by ui/ca/*/ajax.scm.
# Replies go back through write_*_param / write_table_item / write_enum.
on_message() {
case "$in_action" in
type)
case "$in__objects" in
root)
# validators for the root-CA form; ca-cert-field is the latin-only type
# from interfaces/guile/type/ca-cert-field.scm
write_type_item C iso-3166-alpha-2
write_type_item O ca-cert-field
;;
esac
;;
list)
case "$in__objects" in
avail_hosts)
# hosts known to alterator-trust, offered in the "new host" selector
trust-list | write_enum
;;
host)
# one table row per certificate of $in_hostname, from "ca-sko show"
# NOTE(review): ca_show_cert prints tab-separated fields, and its date and
# subject fields contain spaces, yet this loop splits on IFS=' '.  Confirm
# which separator actually reaches it before relying on any column.
if [ -n "$in_hostname" ]; then
ca-sko show "$in_hostname" |
while IFS=' ' read key issued expires subject __ __ __ status; do
name="${key##*/}"
name="${name%.cert}"
status="${status#*:}"
write_table_item \
key_name "$name" \
name "$name" \
issued "$issued" \
expires "$expires" \
subject "$subject" \
status "$status"
done
fi
;;
certs)
# host selector: a synthetic "localhost" row plus every managed host
write_table_item \
name localhost \
hostname "$(_ "Local certificates")"
ca-sko hosts |
while read host; do
write_table_item \
name "$host" \
hostname "$host"
done
;;
esac
;;
read)
case "$in__objects" in
download)
# $in_file is user-controlled, but only the three literal names below are
# honoured; any other value writes nothing.  The CA files are located via
# "ca-sko status", the signed upload lives in the per-run tmpdir.
file="$(ca-sko status | cut -d ' ' -f 1)"
if [ -z "$file" ]; then
write_error "$(_ "CA not initialized")"
return
fi
case "$in_file" in
ca-root.pem)
write_blob_param "file" "$file"
;;
ca-root.csr)
write_blob_param "file" "${file%.pem}.csr"
;;
output.pem)
# sign the CSR stored by "upload".  The CSR is removed afterwards, so
# each upload is signed once; the subject is accepted as-is (CA.cnf
# policy_any only requires a CN) and extensions are not copied.
if [ ! -s "$tmpdir/output.csr" ]; then
write_error "$(_ "Missing sign request")"
return
fi
ca-sko signfile "$tmpdir/output.csr" "$tmpdir/output.pem"
if [ ! -s "$tmpdir/output.pem" ]; then
write_error "$(_ "Unable to sign request")"
return
fi
write_blob_param "file" "$tmpdir/output.pem"
rm -f "$tmpdir/output.csr"
;;
esac
;;
host)
case "$in_hostname" in
localhost)
write_string_param displayname "$(_ "Local")"
;;
*)
write_string_param displayname "$in_hostname"
;;
esac
write_string_param hostname "$in_hostname"
;;
certs)
# can_has_sign: an uploaded CSR is pending (its text dump exists)
read_autoupdate
if [ -s "$tmpdir/output.txt" ]; then
write_bool_param can_has_sign true
write_string_param sign_request "$(cat "$tmpdir/output.txt")"
else
write_bool_param can_has_sign false
fi
;;
root)
write_string_param C "$(shell_config_get "$conffile" "C")"
write_string_param O "$(shell_config_get "$conffile" "O")"
ret=0
status="$(ca-sko status)"
ret=$?
# exit 1 = no CA (ca_check_CA failed); other codes are certificate states
# of an existing CA and still count as "active"
[ $ret != 1 ] &&
write_bool_param is_active true ||
write_bool_param is_active false
[ $ret != 1 ] || return
# NOTE(review): same separator caveat as the "host" list above — the status
# line is cut on spaces although dates and subjects contain spaces.
startdate="$(printf '%s' "$status" | cut -d ' ' -f 2)"
enddate="$(printf '%s' "$status" | cut -d ' ' -f 3)"
subj="$(printf '%s' "$status" | cut -d ' ' -f 4)"
issuer="$(printf '%s' "$status" | cut -d ' ' -f 5)"
sha1fp="$(printf '%s' "$status" | cut -d ' ' -f 6)"
md5fp="$(printf '%s' "$status" | cut -d ' ' -f 7)"
status="$(printf '%s' "$status" | cut -d ' ' -f 8)"
status="${status#*:}"
# split "/C=..​/O=.." DNs into subject_C, subject_O, ... parameters
printf '%s/' "$subj" |
while read -d/ line; do
[ -n "$line" ] || continue
name="${line%%=*}"
value="${line#*=}"
write_string_param "subject_$name" "$value"
done
printf '%s/' "$issuer" |
while read -d/ line; do
[ -n "$line" ] || continue
name="${line%%=*}"
value="${line#*=}"
write_string_param "issuer_$name" "$value"
done
write_string_param startdate "$startdate"
write_string_param enddate "$enddate"
write_string_param sha1fp "$sha1fp"
write_string_param md5fp "$md5fp"
write_string_param status "$status"
;;
esac
;;
write)
# each branch corresponds to one button of ui/ca/certs; host names are
# handed to ca-sko, which uses them as path components under in/ and out/
if [ -n "$in_new_host" -a -n "$in_new_name" ]; then
ret=0
status="$(ca-sko addhost "$in_new_name" 2>&1 >/dev/null)"
ret=$?
echo "$status" >&2
[ $ret = 0 ] ||
write_error "$status"
elif [ -n "$in_del_host" -a -n "$in_name" ]; then
# filter_localhost keeps the local store out of a bulk delete
do_all_hosts delhost filter_localhost
elif [ -n "$in_update_host" -a -n "$in_name" ]; then
do_all_hosts update
elif [ -n "$in_import_host" -a -n "$in_name" ]; then
do_all_hosts import
elif [ -n "$in_sign_host" -a -n "$in_name" ]; then
do_all_hosts sign
elif [ -n "$in_export_host" -a -n "$in_name" ]; then
do_all_hosts export
elif [ -n "$in_sign_key" -a -n "$in_hostname" -a -n "$in_key_name" ]; then
do_all_keys signkey
elif [ -n "$in_apply_autoupdate" ]; then
write_autoupdate
#elif [ -n "" ]; then
# :
fi
;;
create)
# (re)create the root CA.  With an existing CA, in_confirm=true first runs
# "ca-sko drop", which deletes the CA directory including the private key —
# irreversible.  C/O are persisted before init so ca_get_subject sees them.
if [ -z "$in_C" -a -z "$in_O" ]; then
write_error "$(_ "Country and Organizaton must be defined")"
return
fi
if [ -z "$in_O" ]; then
write_error "$(_ "Organizaton must be defined")"
return
fi
if [ -z "$in_C" ]; then
write_error "$(_ "Country must be defined")"
return
fi
if ca-sko status >/dev/null 2>&1; then
if test_bool "$in_confirm"; then
ca-sko drop
else
write_error "$(_ "CA already initialized")"
return
fi
fi
shell_config_set "$conffile" "C" "$in_C"
shell_config_set "$conffile" "O" "$in_O"
ret=0
status="$(ca-sko init 2>&1 >/dev/null)"
ret=$?
if [ $ret = 0 ]; then
# publish the (public) root certificate under /srv/public and announce it
# over mDNS as _ca-root._tcp when that directory exists
file="$(ca-sko status | cut -d ' ' -f 1)"
if [ -d /srv/public -a -f "$file" ]; then
cp -f -- "$file" /srv/public/ca-root.pem
publish_service alterator-ca "$in_O Root CA (%h)" '_ca-root._tcp' 0 "path=/ca-root.pem"
fi
else
write_error "$status"
fi
;;
upload)
# $in_request is the temp path of the uploaded file (call-with-form-file in
# ui/ca/certs/ajax.scm); it is moved into tmpdir.  "openssl req -text" both
# validates that it parses and produces the text shown in the UI; on failure
# both files are discarded.
mv -f "$in_request" "$tmpdir/output.csr"
[ -s "$tmpdir/output.csr" ] &&
openssl req -text -noout -in "$tmpdir/output.csr" -out "$tmpdir/output.txt"
if [ ! -s "$tmpdir/output.txt" ]; then
rm -f "$tmpdir/output.csr"
rm -f "$tmpdir/output.txt"
write_error "$(_ "Invalid sign request")"
fi
;;
esac
}
# Hand control to the alterator message loop; on_message runs per request.
message_loop
# vim:ts=4:
alterator-ca-0.5.4/bin/ 0000755 0000000 0000000 00000000000 11303112121 0014625 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/bin/ca-sh-functions 0000644 0000000 0000000 00000014666 11303112121 0017566 0 ustar 00root root 0000000 0000000 #!/bin/sh
. cert-sh-functions
. shell-config
CA_VERBOSE="${CA_VERBOSE:-}"
# Layout, all overridable from the environment:
#   CA_SKO_ROOT    state root; ca_history.txt there records every CA subject created
#   CA_SKO_CADIR   OpenSSL CA directory (cacert.pem, private/cakey.pem, index.txt, serial)
#   CA_SKO_CONFIG  config handed to "openssl ca" (policy, digest, default_days)
#   CA_SKO_DNPARAM file with the C= and O= values used to build the CA subject
CA_SKO_ROOT="${CA_SKO_ROOT:-/var/lib/alterator-ca}"
CA_SKO_CADIR="${CA_SKO_CADIR:-$CA_SKO_ROOT/CA}"
CA_SKO_CONFIG="${CA_SKO_CONFIG:-/usr/share/alterator-ca/CA.cnf}"
CA_SKO_DNPARAM="${CA_SKO_DNPARAM:-/etc/alterator-ca/dnparam.txt}"
#CA infrastructure
# True when the CA directory and its private/ subdirectory both exist.
ca_check_CAdir()
{
	[ -d "$CA_SKO_CADIR" ] && [ -d "$CA_SKO_CADIR/private" ]
}
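# Create the OpenSSL CA directory layout unless it already exists.
# index.txt and serial are created under umask 077 so they are never
# world-readable, not even between creation and the chmod (the previous
# touch-then-chmod sequence left that window); the chmods stay for
# idempotence on pre-existing files.  Any failure is fatal here instead of
# surfacing later as an unrelated "Unable to create CA private key".
ca_make_CAdir()
{
	ca_check_CAdir && return
	mkdir -m700 -p "$CA_SKO_CADIR" &&
	mkdir -m700 -p "$CA_SKO_CADIR/certs" &&
	mkdir -m700 -p "$CA_SKO_CADIR/private" &&
	mkdir -m700 -p "$CA_SKO_CADIR/newcerts" ||
		ssl_fatal "Unable to create CA directory"
	(
		umask 077
		touch "$CA_SKO_CADIR/index.txt" &&
		chmod 600 "$CA_SKO_CADIR/index.txt" &&
		echo 01 > "$CA_SKO_CADIR/serial" &&
		chmod 600 "$CA_SKO_CADIR/serial"
	) ||
		ssl_fatal "Unable to initialize CA database"
}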
# Print the CA distinguished name derived from C= and O= in $CA_SKO_DNPARAM;
# missing values fall back to RU and "Snake Oil, Ltd.".
# NOTE(review): O is spliced into the DN verbatim.  The ca-cert-field UI type
# allows any punctuation, so an O containing '/' or '=' would alter the DN
# structure instead of being rejected.
ca_get_subject()
{
	local country org
	country="$(shell_config_get "$CA_SKO_DNPARAM" "C")"
	org="$(shell_config_get "$CA_SKO_DNPARAM" "O")"
	: "${country:=RU}" "${org:=Snake Oil, Ltd.}"
	printf "/C=%s/O=%s/OU=%s Certification Authority/CN=%s Root Certification Authority" \
		"$country" "$org" "$org" "$org"
}
#CA private key
# True when the CA private key file exists.
ca_check_CAkey()
{
	test -f "$CA_SKO_CADIR/private/cakey.pem"
}
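# Generate the CA private key unless one already exists.
# The size comes from $CA_SKO_KEYBITS (default 2048); the previous fixed
# 1024-bit RSA key is below current minimums for a root that issues
# ten-year certificates (see ca_make_CA).  The key is written under
# umask 077 and then chmod 600, so it is never readable by other users.
ca_make_CAkey()
{
	local bits="${CA_SKO_KEYBITS:-2048}"
	ca_check_CAkey && return
	(
		umask 077
		"$OPENSSL" genrsa -out "$CA_SKO_CADIR/private/cakey.pem" "$bits" >/dev/null 2>&1
	) ||
		ssl_fatal "Unable to create CA private key"
	chmod 600 "$CA_SKO_CADIR/private/cakey.pem"
}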
#CA itself
# True when cacert.pem exists and its subject equals the subject the current
# C=/O= parameters produce; a changed O= therefore makes the CA "stale".
# Only the subject is compared — validity dates are not checked here.
# Assigns the globals subject and ca_subject as a side effect.
ca_check_CA()
{
	[ -f "$CA_SKO_CADIR/cacert.pem" ] || return 1
	subject="$(ca_get_cert_attr "$CA_SKO_CADIR/cacert.pem" subject)"
	ca_subject="$(ca_get_subject)"
	test "$subject" = "$ca_subject"
}
# Create the self-signed CA certificate unless one with the expected subject
# exists.  ca_check_CA compares subjects only, so an expired CA certificate
# with the right subject is NOT regenerated by this function.
# Steps: a CSR from the CA key with the configured subject, then
# "openssl ca -selfsign" for 3650 days with the v3_ca extensions of the system
# openssl.cnf; digest and policy come from $CA_SKO_CONFIG.  The subject is
# appended to ca_history.txt so ca_check_cert2 can recognise certificates
# issued by earlier CA generations.
ca_make_CA()
{
ca_check_CA && return
subject="$(ca_get_subject)"
"$OPENSSL" req -batch -new -key "$CA_SKO_CADIR/private/cakey.pem" -out "$CA_SKO_CADIR/cacert.csr" -subj "$subject" >/dev/null 2>&1 ||
ssl_fatal "Unable to create sign request"
"$OPENSSL" ca -batch -config "$CA_SKO_CONFIG" -selfsign -days 3650 -extensions v3_ca -extfile /etc/openssl/openssl.cnf -keyfile "$CA_SKO_CADIR/private/cakey.pem" -in "$CA_SKO_CADIR/cacert.csr" -out "$CA_SKO_CADIR/cacert.pem" -subj "$subject" >/dev/null 2>&1 ||
ssl_fatal "Unable to create CA certificate"
printf '%s\n' "$subject" >> "$CA_SKO_ROOT/ca_history.txt"
# validating the newly-created certificate may yield "not yet valid":
# ca_check_cert2 compares notBefore against a fresh "date +%s"
sleep 1
}
# Copy the CA certificate into $SSL_CERTDIR as NAME.pem ($1) and refresh the
# hash links there; c_rehash output and errors are discarded.
ca_export_CAcert()
{
	local name="$1"
	[ -n "$name" ] ||
		ssl_fatal 'Insufficient arguments'
	cat "$CA_SKO_CADIR/cacert.pem" > "$SSL_CERTDIR/$name.pem"
	c_rehash "$SSL_CERTDIR" >/dev/null 2>&1
}
# Let OpenSSL mark expired entries in index.txt.  Errors are ignored so a
# missing or empty database never aborts the calling command.
ca_update_db()
{
"$OPENSSL" ca -batch -config "$CA_SKO_CONFIG" -updatedb 2>/dev/null ||:
}
#CA sign
ca_check_req()
{
[ -n "$1" -a -n "$2" ] ||
ssl_fatal 'Insufficient arguments'
[ -f "$1" ] ||
ssl_fatal 'Missing sign request'
[ ! -f "$2" -o "$1" -nt "$2" ] ||
ssl_fatal "Certificate is newer than sign request"
}
# Sign request file $1 with the CA and write the certificate to $2
# (PEM only, -notext).  Policy and digest come from $CA_SKO_CONFIG.
ca_sign_req2()
{
	local req="$1" out="$2"
	[ -n "$req" ] && [ -n "$out" ] ||
		ssl_fatal 'Insufficient arguments'
	"$OPENSSL" ca -batch -config "$CA_SKO_CONFIG" -in "$req" -out "$out" -notext >/dev/null 2>&1 ||
		ssl_fatal "Unable to sign certificate"
}
# Sign NAME ($1): $SSL_CSRDIR/NAME.csr -> $SSL_CERTDIR/NAME.cert, then point
# NAME.pem at it, rehash the directory and build the combined PEM via
# ssl_make_pem.  ca-sko's sign_key shadows SSL_CSRDIR/SSL_CERTDIR with
# per-host directories before calling this.
ca_sign_req()
{
	local name="$1"
	[ -n "$name" ] ||
		ssl_fatal 'Insufficient arguments.'
	ssl_check_req "$name" ||
		ssl_fatal 'Missing sign request'
	ca_sign_req2 "$SSL_CSRDIR/$name.csr" "$SSL_CERTDIR/$name.cert"
	ln -sf "$name.cert" "$SSL_CERTDIR/$name.pem"
	c_rehash "$SSL_CERTDIR" > /dev/null
	ssl_make_pem "$name"
}
#CA attributes
# Print attribute $2 of certificate $1 using "openssl x509 -noout -$2",
# with any further arguments appended (e.g. "fingerprint -md5").  Everything
# up to the first '=' is dropped and surrounding blanks are trimmed.
# NOTE(review): this relies on the "name= value" output format; OpenSSL
# releases that print e.g. "subject=C = RU, O = ..." would break the DN
# comparisons in ca_check_CA and ca_check_cert2 — verify against the
# installed OpenSSL.
ca_get_cert_attr()
{
local file param
[ -n "$1" -a -n "$2" ] ||
ssl_fatal 'Insufficient arguments'
file="$1" && shift
param="$1" && shift
"$OPENSSL" x509 -in "$file" -noout "-$param" "$@" 2>/dev/null | cut -d= -f 2- | sed 's,\(^[[:blank:]]\+\|[[:blank:]]\+$\),,g'
}
#CA check
# True for check codes that call for re-signing: invalid (1), expired (3),
# expiring within 10 days (4) and self-signed (6).  "Not yet valid" (2) and
# "foreign issuer" (5) are left alone.
ca_needs_resign()
{
	case "$1" in
		1|3|4|6) return 0 ;;
		*) return 1 ;;
	esac
}
# 0 - OK
# 1 - invalid
# 2 - not yet valid
# 3 - expired
# 4 - will expire in 10 days
# 5 - issuer does not match CA
# 6 - self-signed certificate
# Classify certificate $1 against the local CA; the return codes are listed
# above (0 = valid, issued by the current CA, not expiring within 10 days).
# ca_subject is the subject of the CA certificate on disk, ca_issuer the
# subject the current C=/O= parameters would produce.
# Decision order matters: codes 5 and 6 are returned BEFORE any date check,
# so expiry is never reported for self-signed or foreign-issued certificates.
ca_check_cert2()
{
local startdate enddate curdate subject issuer ca_subject ca_issuer
[ -n "$1" ] ||
ssl_fatal 'Insufficient arguments.'
[ -s "$1" ] ||
return 1
startdate="$(ca_get_cert_attr "$1" startdate)" ||
return 1
enddate="$(ca_get_cert_attr "$1" enddate)" ||
return 1
subject="$(ca_get_cert_attr "$1" subject)" ||
return 1
issuer="$(ca_get_cert_attr "$1" issuer)" ||
return 1
ca_subject="$(ca_get_cert_attr "$CA_SKO_CADIR/cacert.pem" subject)" ||
return 1
ca_issuer="$(ca_get_subject)"
if [ "$issuer" = "$ca_subject" ]; then
# local CA itself or signed by local CA
if [ "$subject" = "$issuer" -a "$issuer" != "$ca_issuer" ]; then
# outdated local CA: self-signed, but its subject no longer matches C=/O=
return 1
fi
else
if [ "$subject" = "$issuer" ]; then
# self-signed
return 6
else
# ca_history.txt lists every subject ca_make_CA ever used
if grep -qsFx -e "$ca_subject" "$CA_SKO_ROOT/ca_history.txt" 2>/dev/null; then
# old local: accept only if issued under the currently expected subject
[ "$issuer" = "$ca_issuer" ] ||
return 1
else
# foreign trusted
return 5
fi
fi
fi
# openssl's textual dates are parsed with GNU "date -d"
startdate="$(date -d "$startdate" +%s)"
enddate="$(date -d "$enddate" +%s)"
curdate="$(date +%s)"
[ -n "$startdate" -a -n "$enddate" -a -n "$curdate" ] ||
return 1
[ "$curdate" -gt "$startdate" ] ||
return 2
[ "$curdate" -lt "$enddate" ] ||
return 3
# 864000 s = 10 days
"$OPENSSL" x509 -in "$1" -checkend 864000 > /dev/null||
return 4
# chain check against the CA certificate is done last
"$OPENSSL" verify -CAfile "$CA_SKO_CADIR/cacert.pem" "$1" >/dev/null 2>&1 ||
return 1
}
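# Print the human-readable text for a ca_check_cert2 return code ($1).
# Every message ends with a newline, including the fallback — the previous
# "unknown error" lacked it, so it ran into whatever the caller printed next.
ca_status_message()
{
	[ -n "$1" ] ||
		ssl_fatal 'Insufficient arguments.'
	case "$1" in
		0) printf 'OK\n';;
		1) printf 'invalid\n';;
		2) printf 'not yet valid\n';;
		3) printf 'expired\n';;
		4) printf 'will expire in 10 or less days\n';;
		5) printf 'issuer does not match CA\n';;
		6) printf 'self-signed certificate\n';;
		*) printf 'unknown error\n';;
	esac
}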
# Check certificate $1, print "FILE: status text" and return the check code
# (0 = OK, see ca_check_cert2).
ca_check_cert()
{
	local code=0
	[ -n "$1" ] ||
		ssl_fatal 'Insufficient arguments.'
	ca_check_cert2 "$@" || code=$?
	printf '%s: %s\n' "$1" "$(ca_status_message "$code")"
	return $code
}
#CA info
# Print one summary line for certificate $1.
# Non-verbose: "basename<TAB>enddate<TAB>subject<TAB>status".
# Verbose (CA_VERBOSE non-empty; backend3/ca exports CA_VERBOSE=1): full path,
# startdate, enddate, subject, issuer, SHA1 fingerprint, MD5 fingerprint and
# "code:status", all tab-separated.  Consumers in backend3/ca split this line
# on spaces although dates and subjects contain spaces — confirm the
# separator they expect before changing this format.
ca_show_cert()
{
local startdate enddate sha1fp md5fp subj issuer retcode status
[ -n "$1" ] ||
ssl_fatal 'Insufficient arguments'
[ -f "$1" ] ||
ssl_fatal 'Missing certificate'
startdate="$(ca_get_cert_attr "$1" startdate)"
enddate="$(ca_get_cert_attr "$1" enddate)"
sha1fp="$(ca_get_cert_attr "$1" fingerprint)"
md5fp="$(ca_get_cert_attr "$1" fingerprint -md5)"
subj="$(ca_get_cert_attr "$1" subject)"
issuer="$(ca_get_cert_attr "$1" issuer)"
retcode=0
ca_check_cert2 "$@" || retcode=$?
status="$(ca_status_message "$retcode")"
if [ -z "$CA_VERBOSE" ]; then
printf '%s\t%s\t%s\t%s\n' "${1##*/}" "$enddate" "$subj" "$status"
else
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%d:%s\n' "$1" "$startdate" "$enddate" "$subj" "$issuer" "$sha1fp" "$md5fp" "$retcode" "$status"
fi
}
# vim: set ts=4:
alterator-ca-0.5.4/bin/ca-sko 0000755 0000000 0000000 00000012636 11303112121 0015740 0 ustar 00root root 0000000 0000000 #!/bin/sh -f
. cert-sh-functions
. ca-sh-functions
# Per-host staging area: in/HOST receives the requests pulled from HOST,
# out/HOST the certificates signed for it.  "localhost" bypasses both and
# uses the system SSL_CSRDIR / SSL_CERTDIR (see host_csr_dir, host_cert_dir).
CA_SKO_INDIR="${CA_SKO_INDIR:-$CA_SKO_ROOT/in}"
CA_SKO_OUTDIR="${CA_SKO_OUTDIR:-$CA_SKO_ROOT/out}"
# Print the request directory for host $1: $CA_SKO_INDIR/HOST, or the system
# $SSL_CSRDIR for "localhost" / no argument.  No trailing newline.
host_csr_dir()
{
	case "$1" in
		''|localhost) printf '%s' "$SSL_CSRDIR" ;;
		*) printf '%s/%s' "$CA_SKO_INDIR" "$1" ;;
	esac
}
# Print the certificate directory for host $1: $CA_SKO_OUTDIR/HOST, or the
# system $SSL_CERTDIR for "localhost" / no argument.  No trailing newline.
host_cert_dir()
{
	case "$1" in
		''|localhost) printf '%s' "$SSL_CERTDIR" ;;
		*) printf '%s/%s' "$CA_SKO_OUTDIR" "$1" ;;
	esac
}
# Pull host $1's requests and certificates into the local staging directories
# over trust-ssh; success without doing anything for localhost / no argument.
# --delete-after makes in/HOST and out/HOST mirror the host (stale local
# copies are removed).  Only *.csr from the request directory and
# *.cert / *.pem from the certificate directory match the filters; nothing
# else is transferred.
import_keys()
{
local csr_dir cert_dir
[ -n "$1" -a "$1" != "localhost" ] ||
return 0
csr_dir="$(host_csr_dir "$1")"
cert_dir="$(host_cert_dir "$1")"
rsync -qaH -e trust-ssh --delete-after --include='*.csr' --exclude='*' "$1:$SSL_CSRDIR/" "$csr_dir/" &&
rsync -qaH -e trust-ssh --delete-after --include='*.cert' --include='*.pem' --exclude='*' "$1:$SSL_CERTDIR/" "$cert_dir/"
}
# List the entries directly inside directory $1 whose name matches glob $2
# and whose type is $3 (find -type letter), one relative name per line.
# Fails without output when any argument is empty.
find_files()
{
	local dir="$1" pattern="$2" kind="$3"
	if [ -z "$dir" ] || [ -z "$pattern" ] || [ -z "$kind" ]; then
		return 1
	fi
	find "$dir" -mindepth 1 -maxdepth 1 -type "$kind" -name "$pattern" -printf '%P\n'
}
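# List the certificates of host $1 (default localhost) that still have a
# matching request, one ca_show_cert line each.
# Both directory variables are shadowed per host.  The previous version only
# shadowed SSL_CERTDIR and so looked up a remote host's requests in the local
# $SSL_CSRDIR instead of its in/HOST directory (compare sign_key).
show_keys()
{
	local host="${1:-localhost}"
	local SSL_CSRDIR="$(host_csr_dir "$host")"
	local SSL_CERTDIR="$(host_cert_dir "$host")"
	local cert
	[ -d "$SSL_CERTDIR" ] ||
		return 1
	find_files "$SSL_CERTDIR" '*.cert' f |
	while IFS= read cert; do
		[ -f "$SSL_CSRDIR/${cert%.cert}.csr" ] ||
			continue
		ca_show_cert "$SSL_CERTDIR/$cert"
	done
}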
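# Unconditionally re-sign key NAME ($2) for host $1 (default localhost).
# SSL_CSRDIR / SSL_CERTDIR are shadowed so ca_sign_req reads the host's
# request directory and writes its certificate directory.
# The existence check now looks for the request in $SSL_CSRDIR — where
# ca_sign_req reads it — instead of $SSL_CERTDIR, where a remote host's
# out/ directory never holds *.csr (import_keys copies only *.cert/*.pem there).
forcesign_key()
{
	local host="${1:-localhost}"
	local SSL_CSRDIR="$(host_csr_dir "$host")"
	local SSL_CERTDIR="$(host_cert_dir "$host")"
	local base req cert
	[ -d "$SSL_CSRDIR" ] ||
		return 1
	base="$2"
	[ -n "$base" ] ||
		return 1
	req="$base.csr"
	cert="$base.cert"
	[ -f "$SSL_CSRDIR/$req" ] ||
		return 1
	[ -z "$CA_VERBOSE" ] ||
		printf '%s:%s: resigned\n' "$host" "$cert"
	ca_sign_req "$base"
}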
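# Sign key NAME ($2) for host $1 (default localhost) when needed: either the
# request is newer than the existing certificate, or the certificate's check
# code calls for re-signing (see ca_needs_resign; a missing certificate
# checks as 1 = invalid and is therefore signed).
# SSL_CSRDIR / SSL_CERTDIR are shadowed so ca_sign_req uses the host's
# in/ and out/ directories.
# The existence check now looks for the request in $SSL_CSRDIR — where
# ca_sign_req reads it — instead of $SSL_CERTDIR, where a remote host's
# out/ directory never holds *.csr (import_keys copies only *.cert/*.pem there).
sign_key()
{
	local host="${1:-localhost}"
	local SSL_CSRDIR="$(host_csr_dir "$host")"
	local SSL_CERTDIR="$(host_cert_dir "$host")"
	local ret base req cert status
	[ -d "$SSL_CSRDIR" ] ||
		return 1
	base="$2"
	[ -n "$base" ] ||
		return 1
	req="$SSL_CSRDIR/$base.csr"
	cert="$SSL_CERTDIR/$base.cert"
	[ -f "$req" ] ||
		return 1
	ret=0
	ca_check_cert2 "$cert" || ret=$?
	status=
	if [ "$req" -nt "$cert" ]; then
		status="new sign request found"
	elif ca_needs_resign "$ret"; then
		status="$(ca_status_message "$ret")"
	fi
	[ -n "$status" ] ||
		return 0
	[ -z "$CA_VERBOSE" ] ||
		printf '%s:%s: %s, resigned\n' "$host" "$base.cert" "$status"
	ca_sign_req "$base"
}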
# Run sign_key for every request in host $1's request directory (default
# localhost), then copy the CA certificate into that host's certificate
# directory as ca-root.pem — SSL_CERTDIR is shadowed here, so for a remote
# host ca_export_CAcert writes to out/HOST, which export_keys pushes along.
sign_keys()
{
	local host="${1:-localhost}"
	local SSL_CSRDIR="$(host_csr_dir "$host")"
	local SSL_CERTDIR="$(host_cert_dir "$host")"
	local req
	[ -d "$SSL_CSRDIR" ] ||
		return 1
	find_files "$SSL_CSRDIR" '*.csr' f |
	while IFS= read req; do
		sign_key "$host" "${req%.csr}"
	done
	ca_export_CAcert ca-root
}
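# Push host $1's material back over trust-ssh: requests to the remote
# $SSL_CSRDIR and certificates to the remote $SSL_CERTDIR, then rehash there.
# Certificates previously went to the remote $SSL_CSRDIR — the mirror image
# of what import_keys pulls from $SSL_CERTDIR — so the rehash below could not
# see them; they now go to $SSL_CERTDIR.  Only *.csr and *.cert/*.pem match
# the filters.  The rehash argument is the LOCAL value of SSL_CERTDIR, i.e.
# the remote host is assumed to use the same layout.
# For localhost / no argument only the local rehash is done.
export_keys()
{
	local host="$1" csr_dir cert_dir
	if [ -z "$host" ] || [ "$host" = "localhost" ]; then
		c_rehash "$SSL_CERTDIR" >/dev/null
		return 0
	fi
	csr_dir="$(host_csr_dir "$host")"
	cert_dir="$(host_cert_dir "$host")"
	rsync -qaH -e trust-ssh --include='*.csr' --exclude='*' "$csr_dir/" "$host:$SSL_CSRDIR/" &&
	rsync -qaH -e trust-ssh --include='*.cert' --include='*.pem' --exclude='*' "$cert_dir/" "$host:$SSL_CERTDIR/" &&
	trust-ssh "$host" c_rehash "$SSL_CERTDIR" >/dev/null
}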
# Full cycle for one host: pull requests and certificates, sign what needs
# it, push the results back.  Stops at the first failing stage and returns
# its status.
update_host()
{
	import_keys "$@" || return
	sign_keys "$@" || return
	export_keys "$@"
}
# Call function $1 once per host.  Hosts are the remaining arguments, or —
# when none are given — "localhost" followed by every directory under
# $CA_SKO_INDIR (the hosts created by addhost).
# A failing call only prints "HOST: Update failed."; the loop's exit status
# is that of its last command, so the status of each_host does not reflect
# failures and the callers' "rc=$?" sees 0.
each_host()
{
local function list
function="$1" && shift
list=
if [ "$#" -gt 0 ]; then
while [ "$#" -gt 0 ]; do
# newline-separated list; the embedded newline is the separator
list="${list:+$list
}$1" && shift
done
else
list="localhost
$(find_files "$CA_SKO_INDIR" '*' d)"
fi
printf '%s\n' "$list" |
while IFS= read host; do
"$function" "$host" ||
printf '%s: Update failed.\n' "$host"
done
}
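# ---------------------------------------------------------------------------
# Command dispatch.  Usage: ca-sko COMMAND [ARGS]
#   init                  create CA dir, key and self-signed certificate, export it
#   status                print the CA certificate line; exit 1 when not initialized,
#                         otherwise the ca_check_cert2 code of the CA certificate
#   drop                  delete the whole CA directory, private key included
#   addhost HOST          create in/HOST and out/HOST for a managed host
#   delhost HOST          remove in/HOST and out/HOST
#   update|import|sign|export [HOST...]   per-host pipeline (all hosts when none given)
#   show [HOST]           list certificates of HOST (localhost when omitted)
#   hosts                 list managed hosts
#   signkey [HOST] NAME   sign one key if needed
#   signfile REQ CERT     sign an arbitrary request file (used for UI uploads)
#   check CERT            print and return the check code of a certificate
# Every command except init/status requires an initialized CA whose
# certificate checks clean; a CA that merely needs re-signing is handed to
# ca_make_CA first.
# ---------------------------------------------------------------------------

# Host names arrive from the web UI and the alterator-trust hook and are used
# verbatim as path components under $CA_SKO_INDIR / $CA_SKO_OUTDIR (including
# in "rm -rf").  Reject anything that could leave those directories ("../x",
# "a/b"), the relative names "." / "..", hidden names, "localhost" and "".
valid_host()
{
	case "$1" in
		''|localhost|.|..|*/*|.*) return 1 ;;
	esac
	return 0
}

cmd="$1" && shift
case "$cmd" in
	init)
		ca_make_CAdir
		ca_make_CAkey
		ca_make_CA
		ca_export_CAcert ca-root
		exit $?
		;;
	status)
		ca_check_CA ||
			exit $?
		cert="$CA_SKO_CADIR/cacert.pem"
		ca_show_cert "$cert"
		ca_check_cert2 "$cert"
		exit $?
		;;
	*)
		ca_check_CAdir >/dev/null 2>&1 &&
		ca_check_CAkey >/dev/null 2>&1 &&
		ca_check_CA >/dev/null 2>&1 ||
			ssl_fatal "CA not initialized"
		ret=0
		ca_check_cert2 "$CA_SKO_CADIR/cacert.pem" >/dev/null 2>&1 ||
			ret=$?
		if [ $ret != 0 ]; then
			if ca_needs_resign "$ret"; then
				# NOTE(review): ca_make_CA returns early while ca_check_CA
				# (subject comparison only) succeeds, so an expired CA
				# certificate is not actually regenerated here.
				ca_make_CA
			else
				ssl_fatal "$(ca_status_message "$ret")"
			fi
		fi
		;;
esac
ca_update_db
rc=0
case "$cmd" in
	drop)
		# never let an empty CA_SKO_CADIR turn this into "rm -rf /"
		[ -n "$CA_SKO_CADIR" ] && rm -rf -- "$CA_SKO_CADIR" 2>/dev/null ||:
		;;
	addhost)
		valid_host "$1" ||
			ssl_fatal "Invalid host name: $1"
		host="$1"
		[ -d "$CA_SKO_INDIR/$host" ] || mkdir -p "$CA_SKO_INDIR/$host"
		[ -d "$CA_SKO_OUTDIR/$host" ] || mkdir -p "$CA_SKO_OUTDIR/$host"
		rc=$?
		# previously printed the never-assigned $hostkey, i.e. an empty line
		printf 'Added host:\n%s\n' "$host"
		;;
	delhost)
		valid_host "$1" ||
			ssl_fatal "Invalid host name: $1"
		host="$1"
		rm -rf -- "$CA_SKO_INDIR/$host" "$CA_SKO_OUTDIR/$host"
		rc=$?
		;;
	update)
		each_host update_host "$@"
		rc=$?
		;;
	import)
		each_host import_keys "$@"
		rc=$?
		;;
	sign)
		each_host sign_keys "$@"
		rc=$?
		;;
	export)
		each_host export_keys "$@"
		rc=$?
		;;
	show)
		show_keys "$@"
		rc=$?
		;;
	hosts)
		find_files "$CA_SKO_INDIR" '*' d
		rc=$?
		;;
	signkey)
		case "$#" in
			2)
				host="$1"
				key="$2"
				;;
			1)
				host="localhost"
				key="$1"
				;;
			*)
				ssl_fatal "Usage: ${0##*/} signkey [HOST] NAME"
				;;
		esac
		sign_key "$host" "$key"
		rc=$?
		;;
	signfile)
		case "$#" in
			2)
				ca_sign_req2 "$1" "$2"
				rc=$?
				;;
			*)
				ssl_fatal "Usage: ${0##*/} signfile REQUEST CERTIFICATE"
				;;
		esac
		;;
	check)
		[ -n "$1" ] ||
			ssl_fatal "Usage: ${0##*/} check CERTIFICATE"
		ca_check_cert "$1"
		rc=$?
		;;
	*)
		ssl_fatal "Invalid command: $cmd"
		;;
esac
exit $rc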
# vim: set ts=4:
alterator-ca-0.5.4/data/ 0000755 0000000 0000000 00000000000 11303112121 0014766 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/data/CA.cnf 0000644 0000000 0000000 00000001332 11303112121 0015740 0 ustar 00root root 0000000 0000000 [ ca ]
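default_ca = CA_default

[ CA_default ]
# Fixed path: this must match CA_SKO_CADIR in ca-sh-functions.  Overriding
# CA_SKO_CADIR in the environment does not change what "openssl ca" uses.
dir = /var/lib/alterator-ca/CA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days= 30
# Signature digest for every certificate issued through this config, the
# self-signed root included (ca_make_CA).  MD5 is collision-broken and
# rejected by current TLS stacks; SHA-256 is the accepted minimum.
default_md = sha256
# policy_any requires only a CN; the other DN components of a request are
# accepted as supplied and are not matched against the CA's own C/O.
policy = policy_any
email_in_dn = no
# Allows re-issuing a certificate for an unchanged subject (re-signing).
unique_subject = no
name_opt = ca_default
cert_opt = ca_default
# Never copy extensions (subjectAltName, basicConstraints CA:TRUE, ...) from
# a request: a request could otherwise ask to be issued as an intermediate CA.
copy_extensions = none

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional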
alterator-ca-0.5.4/etc/ 0000755 0000000 0000000 00000000000 11303112121 0014630 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/etc/dnparam.txt 0000644 0000000 0000000 00000000006 11303112121 0017007 0 ustar 00root root 0000000 0000000 C=
O=
alterator-ca-0.5.4/hook/ 0000755 0000000 0000000 00000000000 11303112121 0015015 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/hook/ca 0000644 0000000 0000000 00000000322 11303112121 0015320 0 ustar 00root root 0000000 0000000 #!/bin/sh
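# Hook for alterator-trust
#   $1 - host name
#   $2 - action: "add" or "remove"
# "add" registers the host's in/out directories and runs the full
# import/sign/export cycle for it; "update" is chained with && so a host
# name that ca-sko rejects does not trigger an update against directories
# that were never created.  "remove" deletes the host's staging directories.
host="$1"
action="$2"

case "$action" in
	add)
		ca-sko addhost "$host" &&
		ca-sko update "$host"
		;;
	remove)
		ca-sko delhost "$host"
		;;
esac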
alterator-ca-0.5.4/interfaces/ 0000755 0000000 0000000 00000000000 11303112121 0016200 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/interfaces/guile/ 0000755 0000000 0000000 00000000000 11303112121 0017305 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/interfaces/guile/type/ 0000755 0000000 0000000 00000000000 11303112121 0020266 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/interfaces/guile/type/ca-cert-field.scm 0000644 0000000 0000000 00000000724 11303112121 0023374 0 ustar 00root root 0000000 0000000 (define-module (alterator type ca-cert-field)
:use-module (alterator woo)
:export (type))
;; Characters accepted for the C= and O= fields: ASCII letters, digits, '_',
;; '-', whitespace and any POSIX punctuation.  Note that [:punct:] includes
;; '/', '=' and ',', and the backend splices O verbatim into the CA subject
;; DN (ca_get_subject in ca-sh-functions), so a value such as "a/CN=b" passes
;; this check and changes the DN structure.
(define *latin-string-regex-str* "^[a-zA-Z_[:space:][:punct:]0-9-]+$")
(define *latin-string-regex* (make-regexp *latin-string-regex-str* regexp/extended))
;; Validator for the ca-cert-field type.  The empty string is accepted (#t),
;; a string matching *latin-string-regex* yields the match; anything else —
;; including non-strings — falls through to type-error with a translatable
;; message (`_` is the translation procedure supplied by the caller).
(define (type v _)
  (cond
    ((not (string? v))
     (type-error (_ "only digits, punctuation and latin letters allowed" "alterator-ca")))
    ((string-null? v) #t)
    ((regexp-exec *latin-string-regex* v))
    (else
     (type-error (_ "only digits, punctuation and latin letters allowed" "alterator-ca")))))
alterator-ca-0.5.4/ui/ 0000755 0000000 0000000 00000000000 11303112121 0014472 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/ui/ca/ 0000755 0000000 0000000 00000000000 11303112121 0015055 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/ui/ca/ajax.scm 0000644 0000000 0000000 00000000752 11303112121 0016510 0 ustar 00root root 0000000 0000000 (define-module (ui ca ajax)
:use-module (alterator ajax)
:use-module (alterator woo)
:export (ui))
;; Stream certificate file NAME to the browser as text/plain.  The name is
;; only forwarded to the backend's /ca/download read, which honours a fixed
;; set of names (ca-root.pem, ca-root.csr, output.pem); it is never used as
;; a path on this side.
(define (download file)
  (let ((blob (woo-read-first "/ca/download" 'file file)))
    (ui-blob "file" blob "text/plain" file)))
;; Landing page: the certificate list when a CA exists (is_active from
;; /ca/root), otherwise the root-CA creation form.
(define (module-path)
  (let ((active (woo-get-option (woo-read-first "/ca/root") 'is_active)))
    (cond (active "/ca/certs")
          (else "/ca/root"))))
;; Module entry point: a "download" form parameter triggers a file download,
;; otherwise the page is replaced with the landing page chosen by module-path.
(define (ui)
  (let ((requested (form-value "download")))
    (cond (requested (download requested))
          (else (ui-replace (module-path))))))
alterator-ca-0.5.4/ui/ca/certs/ 0000755 0000000 0000000 00000000000 11303112121 0016175 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/ui/ca/certs/ajax.scm 0000644 0000000 0000000 00000004446 11303112121 0017634 0 ustar 00root root 0000000 0000000 (define-module (ui ca certs ajax)
:use-module (alterator ajax)
:use-module (alterator effect)
:use-module (alterator woo)
:export (init))
;; Load /ca/certs into the form (auto-update time/flag, pending request text)
;; and show the sign controls only when the backend reports a pending
;; uploaded request (can_has_sign).
(define (ui-read)
  (let* ((obj (woo-read-first "/ca/certs"))
         (can_has_sign (woo-get-option obj 'can_has_sign)))
    (form-update-value-list obj)
    (update-effect)
    (form-update-visibility '("can_has_sign") can_has_sign)))
;; Refresh the two host selectors: managed hosts (/ca/certs list) and hosts
;; known to alterator-trust that can be added (/ca/avail_hosts).
(define (ui-list)
  (form-update-enum "name"
    (woo-list "/ca/certs" 'language (form-value "language")))
  (form-update-enum "new_name"
    (woo-list "/ca/avail_hosts" 'language (form-value "language"))))
;; "Apply" for the auto-update settings: sends the autoupdate flag and the
;; time to the backend, which rewrites the root cron fragment
;; (write_autoupdate in backend3/ca), then reloads the form.
(define (on-autoupdate)
  (catch/message
    (lambda()
      (woo-write "/ca/certs"
                 'apply_autoupdate #t
                 'language (form-value "language")
                 'autoupdate (form-value "autoupdate")
                 'time (form-value "time"))
      (ui-read))))
;; Upload a certificate request: call-with-form-file stores the file and
;; passes its temporary path, which the backend's "upload" action moves into
;; its scratch directory and validates with "openssl req".  The form is
;; reloaded afterwards whether or not the upload was accepted.
(define (on-upload)
  (call-with-form-file
    "request"
    (lambda (path)
      (catch/message
        (lambda()
          (woo "upload" "/ca"
               'request path
               'language (form-value "language"))))))
  (ui-read))
;; "Delete host": ask the backend to drop the selected hosts' staging
;; directories (the backend skips "localhost"), then refresh the selectors.
(define (on-del-host)
  (let ((selected (form-value "name"))
        (lang (form-value "language")))
    (catch/message
      (lambda()
        (woo-write "/ca/certs"
                   'del_host #t
                   'name selected
                   'language lang)
        (ui-list)))))
;; "Add host": register the host chosen from the avail_hosts selector with
;; the backend (ca-sko addhost), then refresh the selectors.
(define (on-new-host)
  (let ((chosen (form-value "new_name"))
        (lang (form-value "language")))
    (catch/message
      (lambda()
        (woo-write "/ca/certs"
                   'new_host #t
                   'new_name chosen
                   'language lang)
        (ui-list)))))
;; "Update host": run the import/sign/export cycle for the selected hosts
;; (ca-sko update via the backend), then refresh the selectors.
(define (on-update-host)
  (let ((selected (form-value "name"))
        (lang (form-value "language")))
    (catch/message
      (lambda()
        (woo-write "/ca/certs"
                   'update_host #t
                   'name selected
                   'language lang)
        (ui-list)))))
;; "Sign": hide the sign controls and navigate to the download of output.pem,
;; which makes the backend sign the pending uploaded request and stream the
;; certificate back.
(define (on-sign)
  (form-update-visibility '("can_has_sign") #f)
  (form-replace "/ca?download=output.pem"))
;; Page setup: the time field is enabled only while autoupdate is checked,
;; then the form and selectors are loaded and the buttons are wired to
;; their handlers.
(define (init)
  (effect-enable "time" "autoupdate" #t)
  (init-effect)
  (ui-read)
  (ui-list)
  (form-bind-upload "upload_button" "click" "request" on-upload)
  (form-bind "sign_button" "click" on-sign)
  (form-bind "apply_autoupdate" "click" on-autoupdate)
  (form-bind "del_host" "click" on-del-host)
  (form-bind "new_host" "click" on-new-host)
  (form-bind "update_host" "click" on-update-host))
alterator-ca-0.5.4/ui/ca/certs/host/ 0000755 0000000 0000000 00000000000 11303112121 0017152 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/ui/ca/certs/host/ajax.scm 0000644 0000000 0000000 00000001166 11303112121 0020605 0 ustar 00root root 0000000 0000000 (define-module (ui ca certs host ajax)
:use-module (alterator ajax)
:use-module (alterator woo)
:export (init))
;; Fill the key selector with the certificates of the host named by the
;; "hostname" form field (backend /ca/host list, fed by "ca-sko show").
(define (ui-read)
  (form-update-enum
    "key_name"
    (woo-list "/ca/host"
              'language (form-value "language")
              'hostname (form-value "hostname"))))
;; "Sign key": ask the backend to sign the selected keys of the current host
;; (ca-sko signkey per key), then reload the key list.
(define (ui-write)
  (let ((lang (form-value "language"))
        (host (form-value "hostname"))
        (keys (form-value "key_name")))
    (catch/message
      (lambda()
        (woo-write "/ca/host"
                   'sign_key #t
                   'language lang
                   'hostname host
                   'key_name keys)
        (ui-read)))))
;; Page setup: load the key list and wire the sign button.
(define (init)
  (ui-read)
  (form-bind "sign_key" "click" ui-write))
alterator-ca-0.5.4/ui/ca/certs/index.html 0000644 0000000 0000000 00000004104 11303112121 0020171 0 ustar 00root root 0000000 0000000
alterator-ca-0.5.4/ui/ca/root/ 0000755 0000000 0000000 00000000000 11303112121 0016040 5 ustar 00root root 0000000 0000000 alterator-ca-0.5.4/ui/ca/root/ajax.scm 0000644 0000000 0000000 00000001363 11303112121 0017472 0 ustar 00root root 0000000 0000000 (define-module (ui ca root ajax)
:use-module (alterator ajax)
:use-module (alterator woo)
:use-module (alterator effect)
:export (init))
;; Load the root-CA form from /ca/root (C, O, is_active, subject_*, issuer_*,
;; dates, fingerprints, status) and reset the "confirm" checkbox, so an
;; overwrite of an existing CA always needs a fresh explicit confirmation.
(define (ui-read)
  (form-update-value-list
    (woo-read-first "/ca/root"))
  (form-update-value "confirm" #f)
  (update-effect))
;; "Create" / "Confirm": send the whole form (C, O and the confirm flag among
;; the rest) to the backend's create action.  With an existing CA the backend
;; only proceeds when confirm is set, and then drops the old CA and its key.
(define (ui-write)
  (catch/message
    (lambda()
      (apply woo "create" "/ca/root"
             'language (form-value "language")
             (form-value-list))
      (ui-read))))
;; Page setup: the "active" and "inactive" panels follow is_active, the
;; confirm button is shown only once "confirm" is checked; both buttons
;; lead to the same create action (the backend decides based on confirm).
(define (init)
  (effect-show "active" "is_active" #t)
  (effect-show "inactive" "is_active" #f)
  (effect-show "confirm_button" "confirm" #t)
  (init-effect)
  (ui-read)
  (form-bind "confirm_button" "click" ui-write)
  (form-bind "create_button" "click" ui-write))
alterator-ca-0.5.4/ui/ca/root/index.html 0000644 0000000 0000000 00000011641 11303112121 0020040 0 ustar 00root root 0000000 0000000