certifix/main.fnl

(local { : view} (require :fennel))

(local server (require :http.server))
(local headers (require :http.headers))
(local ssl (require :openssl))
(local csr (require :openssl.x509.csr))
(local x509 (require :openssl.x509))
(local pkey (require :openssl.pkey))
(local bignum (require :openssl.bignum))

(fn string->bignum [bytes]
  (bignum.new
   (string.format
    "0x%03x%03x%03x%03x%03x"
    (string.unpack "I4I4I4I4I4" bytes))))

(fn make-serial []
  ;; 20 bytes, but luaossl expects it as a bignum
  (let [bytes (with-open [f (io.open "/dev/urandom" :r)]
                (f:read 20))]
    (string->bignum bytes)))

(fn make-headers [status attributes]
  (let [h (headers.new)]
    (h:append ":status" (tostring status))
    (each [k v (pairs attributes)]
      (h:append k v))
    h))

(fn send-error [out code text]
  (out:write_headers
   (make-headers code { :content-type "text/plain" })
   false)
  (out:write_chunk text true))

(fn slurp [filename]
  (with-open [f (io.open filename "r")] (f:read "*a")))

(fn read-line [filename]
  (with-open [f (io.open filename "r")] (f:read "l")))

(fn assoc [tbl k v & more]
  (tset tbl k v)
  (case more
    [k v] (assoc tbl k v)
    _ tbl))

(fn parse-args [args]
  (match args
    ["--certificate" f & rest]
    (assoc (parse-args rest) :certificate (slurp f))
    ["--private-key" f & rest]
    (assoc (parse-args rest) :private-key (slurp f))
    ["--challenge-password" f & rest]
    (assoc (parse-args rest) :challenge-password (read-line f))
    [bind-address] { : bind-address }
    _ {}))

(local options
       (doto
           (parse-args arg)
         (case
             {: certificate : private-key : challenge-password : bind-address}
           true
           _
           (assert nil "missing required command line params"))))

(local ca-key (pkey.new options.private-key))
(local ca-crt (x509.new options.certificate))

(fn new-crt [csr]
  (let [crt
        (doto (x509.new)
          (: :setVersion 2)
          (: :setSerial (make-serial))
          (: :setIssuer (ca-crt:getSubject))
          (: :setLifetime (os.time) (+ (* 365 86400) (os.time)))
          (: :setSubject (csr:getSubject))
          (: :setPublicKey (csr:getPublicKey))
          (: :sign ca-key))]
    (crt:toPEM)))

(fn approved-request? [csr]
  (let [attr (csr:getAttributes)]
    (accumulate [found false
                 _ v (ipairs (. attr "challengePassword"))]
      (or found (= v options.challenge-password)))))


(fn handle-sign-csr [out]
  (let [req (csr.new (out:get_body_as_string))]
    (if (approved-request? req)
        (do
          (out:write_headers (make-headers 200 { :content-type "text/plain" }) false)
          (out:write_chunk (new-crt req) true))
        (send-error out 400 "missing attributes in CSR"))))


(fn on-stream [sv out]
  (let [hdrs (out:get_headers)
        method (hdrs:get ":method")
        path (or (hdrs:get ":path") "/")]
    (case path
      "/sign"
      (handle-sign-csr out)
      _
      (send-error out 404 "not found"))))

;; ncall is the opposite of pcall: "non-protected call"
(macro ncall [f]
  `(case ,f
     ok# ok#
     (nil err#) (error err#)))

(fn new-server []
  (let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
    (case (server.listen
           {
            :host addr
            :port (tonumber port)
            :onstream on-stream
            })
      f (doto f (print))
      (nil e) (error e))))

(let [s (new-server)]
  (ncall (s:listen))
  (print "server ready")
  (ncall (s:loop)))
initial commit 2024-09-25 09:20:14 +00:00			`(local { : view} (require :fennel))`

			`(local server (require :http.server))`
			`(local headers (require :http.headers))`
			`(local ssl (require :openssl))`
			`(local csr (require :openssl.x509.csr))`
			`(local x509 (require :openssl.x509))`
			`(local pkey (require :openssl.pkey))`
unhardcode the certificate serial number 2024-09-25 11:00:40 +00:00			`(local bignum (require :openssl.bignum))`

			`(fn string->bignum [bytes]`
			`(bignum.new`
			`(string.format`
			`"0x%03x%03x%03x%03x%03x"`
			`(string.unpack "I4I4I4I4I4" bytes))))`

			`(fn make-serial []`
			`;; 20 bytes, but luaossl expects it as a bignum`
			`(let [bytes (with-open [f (io.open "/dev/urandom" :r)]`
			`(f:read 20))]`
			`(string->bignum bytes)))`

extract method send-error 2024-09-25 11:26:34 +00:00			`(fn make-headers [status attributes]`
			`(let [h (headers.new)]`
			`(h:append ":status" (tostring status))`
			`(each [k v (pairs attributes)]`
			`(h:append k v))`
			`h))`

			`(fn send-error [out code text]`
			`(out:write_headers`
remove newline 2024-09-25 20:31:04 +00:00			`(make-headers code { :content-type "text/plain" })`
extract method send-error 2024-09-25 11:26:34 +00:00			`false)`
			`(out:write_chunk text true))`
initial commit 2024-09-25 09:20:14 +00:00
			`(fn slurp [filename]`
			`(with-open [f (io.open filename "r")] (f:read "*a")))`

parse command-line for options instead of hardcoding note port is still hardcoded 2024-09-26 21:05:13 +00:00			`(fn read-line [filename]`
			`(with-open [f (io.open filename "r")] (f:read "l")))`

			`(fn assoc [tbl k v & more]`
			`(tset tbl k v)`
			`(case more`
			`[k v] (assoc tbl k v)`
			`_ tbl))`

			`(fn parse-args [args]`
			`(match args`
			`["--certificate" f & rest]`
			`(assoc (parse-args rest) :certificate (slurp f))`
			`["--private-key" f & rest]`
			`(assoc (parse-args rest) :private-key (slurp f))`
			`["--challenge-password" f & rest]`
			`(assoc (parse-args rest) :challenge-password (read-line f))`
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`[bind-address] { : bind-address }`
parse command-line for options instead of hardcoding note port is still hardcoded 2024-09-26 21:05:13 +00:00			`_ {}))`

			`(local options`
			`(doto`
			`(parse-args arg)`
			`(case`
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`{: certificate : private-key : challenge-password : bind-address}`
parse command-line for options instead of hardcoding note port is still hardcoded 2024-09-26 21:05:13 +00:00			`true`
			`_`
			`(assert nil "missing required command line params"))))`

			`(local ca-key (pkey.new options.private-key))`
			`(local ca-crt (x509.new options.certificate))`
initial commit 2024-09-25 09:20:14 +00:00
			`(fn new-crt [csr]`
			`(let [crt`
			`(doto (x509.new)`
			`(: :setVersion 2)`
unhardcode the certificate serial number 2024-09-25 11:00:40 +00:00			`(: :setSerial (make-serial))`
initial commit 2024-09-25 09:20:14 +00:00			`(: :setIssuer (ca-crt:getSubject))`
			`(: :setLifetime (os.time) (+ (* 365 86400) (os.time)))`
			`(: :setSubject (csr:getSubject))`
			`(: :setPublicKey (csr:getPublicKey))`
			`(: :sign ca-key))]`
			`(crt:toPEM)))`

implement policy-based signing the csr will be signed iff it has a challengePassword attribute containing a value matching the contents of the "psk" file yeah, UX could use a little work 2024-09-25 20:14:13 +00:00			`(fn approved-request? [csr]`
			`(let [attr (csr:getAttributes)]`
			`(accumulate [found false`
			`_ v (ipairs (. attr "challengePassword"))]`
parse command-line for options instead of hardcoding note port is still hardcoded 2024-09-26 21:05:13 +00:00			`(or found (= v options.challenge-password)))))`
implement policy-based signing the csr will be signed iff it has a challengePassword attribute containing a value matching the contents of the "psk" file yeah, UX could use a little work 2024-09-25 20:14:13 +00:00

initial commit 2024-09-25 09:20:14 +00:00			`(fn handle-sign-csr [out]`
implement policy-based signing the csr will be signed iff it has a challengePassword attribute containing a value matching the contents of the "psk" file yeah, UX could use a little work 2024-09-25 20:14:13 +00:00			`(let [req (csr.new (out:get_body_as_string))]`
			`(if (approved-request? req)`
			`(do`
			`(out:write_headers (make-headers 200 { :content-type "text/plain" }) false)`
			`(out:write_chunk (new-crt req) true))`
			`(send-error out 400 "missing attributes in CSR"))))`

initial commit 2024-09-25 09:20:14 +00:00
			`(fn on-stream [sv out]`
			`(let [hdrs (out:get_headers)`
			`method (hdrs:get ":method")`
			`path (or (hdrs:get ":path") "/")]`
			`(case path`
			`"/sign"`
			`(handle-sign-csr out)`
			`_`
inline not-found function 2024-09-26 20:34:37 +00:00			`(send-error out 404 "not found"))))`
initial commit 2024-09-25 09:20:14 +00:00
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`;; ncall is the opposite of pcall: "non-protected call"`
			`(macro ncall [f]`
			`(case ,f
			`ok# ok#`
			`(nil err#) (error err#)))`
initial commit 2024-09-25 09:20:14 +00:00
			`(fn new-server []`
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`(let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]`
			`(case (server.listen`
			`{`
			`:host addr`
			`:port (tonumber port)`
			`:onstream on-stream`
			`})`
			`f (doto f (print))`
			`(nil e) (error e))))`

			`(let [s (new-server)]`
			`(ncall (s:listen))`
initial commit 2024-09-25 09:20:14 +00:00			`(print "server ready")`
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`(ncall (s:loop)))`