diff --git a/main.fnl b/main.fnl
index d2d94a5..4292bcf 100644
--- a/main.fnl
+++ b/main.fnl
@@ -41,6 +41,7 @@
 (local ca-key (pkey.new (slurp "ca.key")))
 (local ca-crt (x509.new (slurp "ca.crt")))
+(local psk (with-open [f (io.open "psk" "r")] (f:read "l")))
 (fn new-crt [csr]
 (let [crt
@@ -54,12 +55,21 @@
 (: :sign ca-key))]
 (crt:toPEM)))
+(fn approved-request? [csr]
+ (let [attr (csr:getAttributes)]
+ (accumulate [found false _ v (ipairs (. attr "challengePassword"))]
+ (or found (= v psk)))))
+
+
 (fn handle-sign-csr [out]
- (let [body (out:get_body_as_string) h (make-headers 200 { :content-type "text/plain" })]
- (out:write_headers h false)
- (let [req (csr.new body)]
- (out:write_chunk (new-crt req) true))))
+ (let [req (csr.new (out:get_body_as_string))]
+ (if (approved-request? req)
+ (do
+ (out:write_headers (make-headers 200 { :content-type "text/plain" }) false)
+ (out:write_chunk (new-crt req) true))
+ (send-error out 400 "missing attributes in CSR"))))
+
 (fn on-stream [sv out]
 (let [hdrs (out:get_headers)
diff --git a/package.nix b/package.nix
index 8aae4e6..8444240 100644
--- a/package.nix
+++ b/package.nix
@@ -1,14 +1,26 @@
 {
- lua5_3
-, stdenv
-, makeWrapper
+ fetchpatch,
+ lib,
+ lua5_3,
+ makeWrapper,
+ openssl,
+ stdenv,
 }:
 let
 pname = "certifix";
+
+ luaossl' = lua5_3.pkgs.luaossl.overrideAttrs (o: {
+ patches = [
+ (fetchpatch {
+ url = "https://patch-diff.githubusercontent.com/raw/wahern/luaossl/pull/218.patch";
+ hash = "sha256-0+5OR9t7nw8lPi7jcM/RwI8Qt8HeXwU1jvl+f+B5V38=";
+ })
+ ] ++ lib.optionals (o ? patches) o.patches;
+ });
+ http = lua5_3.pkgs.http.override { luaossl = luaossl'; };
+
 lua = lua5_3.withPackages (ps: [
-# ps.dkjson
-# ps.lpeg
- ps.http
+ http
 ps.luaposix
 ]);
 inherit makeWrapper;
@@ -16,6 +28,7 @@ let
 in stdenv.mkDerivation {
 inherit pname;
 version = "0.1";
+ src = ./.;
 makeFlags = [ "TARGET=${placeholder "out"}" ];
 postInstall = ''
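Review bot: The new `psk` local reads the shared secret with no check on the result: when the `psk` file cannot be opened, `io.open` returns nil and `with-open` fails with Lua's generic nil-index error instead of naming the missing file, and when the file's first line is empty `(f:read "l")` yields `""`, which `approved-request?` would then accept as a matching password for any CSR whose challengePassword value is the empty string (assuming the patched luaossl hands attribute values back as plain strings). An empty file gives `psk` = nil, which fails closed but turns every request into a 400 with a misleading message. Consider `(local psk (with-open [f (assert (io.open "psk" "r") "cannot open psk")] (f:read "l")))` followed by `(assert (and psk (> (length psk) 0)) "psk must not be empty")` so the service refuses to start rather than running with an unusable or trivial secret. `new-crt`, whose first lines close this hunk, continues outside it.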
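Review bot: In `approved-request?`, `(. attr "challengePassword")` is nil when the CSR carries no such attribute, and in Lua 5.3 `(ipairs nil)` raises, so the exact case the 400 text "missing attributes in CSR" describes never reaches `send-error` — the error escapes `handle-sign-csr` and the client gets whatever the stream handler does with an unhandled error rather than a clean rejection. Defaulting the absent attribute to an empty sequence keeps the fail-closed outcome while letting the 400 path run: `_ v (ipairs (or (. attr "challengePassword") []))`. This assumes `csr:getAttributes` (from the luaossl patch pulled in by package.nix) returns a table keyed by attribute name holding a sequence of string values; worth a comment on the function stating that contract. The 400 message is also sent when the attribute is present but no value matches, so wording such as `"CSR challengePassword missing or not accepted"` would describe both cases. `csr.new` raising on an unparsable body is unchanged by this commit.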
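Review bot: The `fetchpatch` URL points at the PR's live patch (`pull/218.patch`), whose content changes whenever that PR branch is pushed to or rebased; the `hash` pins the content, so the build fails closed rather than silently picking up altered code, but it will start failing on the next update to the PR. Pinning the URL to the specific commit instead (`https://github.com/wahern/luaossl/commit/<LUAOSSL-COMMIT-ID>.patch`, with the hash recomputed for that file) keeps the same integrity guarantee without depending on PR state. Separately, `openssl` is added to the argument set but nothing in this hunk uses it; if it is consumed later in the file that is fine, otherwise it is an unused input that should be dropped.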