implement policy-based signing

the csr will be signed iff it has a challengePassword attribute containing a value matching the contents of the "psk" file yeah, UX could use a little work
2024-09-25 21:14:13 +01:00 · 2024-09-25 21:14:13 +01:00 · fe98a413ee
commit fe98a413ee
parent 911faaa0ef
2 changed files with 34 additions and 11 deletions
--- a/main.fnl
+++ b/main.fnl
@ -41,6 +41,7 @@

 (local ca-key (pkey.new (slurp "ca.key")))
 (local ca-crt (x509.new (slurp "ca.crt")))
+(local psk (with-open [f (io.open "psk" "r")] (f:read "l")))

 (fn new-crt [csr]
  (let [crt
@ -54,12 +55,21 @@
          (: :sign ca-key))]
    (crt:toPEM)))

+(fn approved-request? [csr]
+  (let [attr (csr:getAttributes)]
+    (accumulate [found false
+                 _ v (ipairs (. attr "challengePassword"))]
+      (or found (= v psk)))))
+
+
 (fn handle-sign-csr [out]
-  (let [body  (out:get_body_as_string)
-        h (make-headers 200 { :content-type "text/plain" })]
-    (out:write_headers h false)
-    (let [req (csr.new body)]
-      (out:write_chunk (new-crt req) true))))
+  (let [req (csr.new (out:get_body_as_string))]
+    (if (approved-request? req)
+        (do
+          (out:write_headers (make-headers 200 { :content-type "text/plain" }) false)
+          (out:write_chunk (new-crt req) true))
+        (send-error out 400 "missing attributes in CSR"))))
+

 (fn on-stream [sv out]
  (let [hdrs (out:get_headers)
--- a/package.nix
+++ b/package.nix
@ -1,14 +1,26 @@
 {
-  lua5_3
-, stdenv
-, makeWrapper
+  fetchpatch,
+  lib,
+  lua5_3,
+  makeWrapper,
+  openssl,
+  stdenv,
 }:
 let
  pname = "certifix";
+
+  luaossl' = lua5_3.pkgs.luaossl.overrideAttrs (o: {
+    patches = [
+      (fetchpatch {
+        url = "https://patch-diff.githubusercontent.com/raw/wahern/luaossl/pull/218.patch";
+        hash = "sha256-0+5OR9t7nw8lPi7jcM/RwI8Qt8HeXwU1jvl+f+B5V38=";
+      })
+    ] ++ lib.optionals (o ? patches) o.patches;
+  });
+  http = lua5_3.pkgs.http.override { luaossl = luaossl'; };
+
  lua = lua5_3.withPackages (ps: [
-#      ps.dkjson
-#      ps.lpeg
-    ps.http
+    http
    ps.luaposix
  ]);
  inherit makeWrapper;
@ -16,6 +28,7 @@ let
 in stdenv.mkDerivation {
  inherit pname;
  version = "0.1";
+
  src = ./.;
  makeFlags = [ "TARGET=${placeholder "out"}" ];
  postInstall = ''