implement policy-based signing
the csr will be signed iff it has a challengePassword attribute containing a value matching the contents of the "psk" file yeah, UX could use a little work
This commit is contained in:
parent
911faaa0ef
commit
fe98a413ee
20
main.fnl
20
main.fnl
|
|
@ -41,6 +41,7 @@
|
||||||
|
|
||||||
(local ca-key (pkey.new (slurp "ca.key")))
|
(local ca-key (pkey.new (slurp "ca.key")))
|
||||||
(local ca-crt (x509.new (slurp "ca.crt")))
|
(local ca-crt (x509.new (slurp "ca.crt")))
|
||||||
|
(local psk (with-open [f (io.open "psk" "r")] (f:read "l")))
|
||||||
|
|
||||||
(fn new-crt [csr]
|
(fn new-crt [csr]
|
||||||
(let [crt
|
(let [crt
|
||||||
|
|
@ -54,12 +55,21 @@
|
||||||
(: :sign ca-key))]
|
(: :sign ca-key))]
|
||||||
(crt:toPEM)))
|
(crt:toPEM)))
|
||||||
|
|
||||||
|
(fn approved-request? [csr]
|
||||||
|
(let [attr (csr:getAttributes)]
|
||||||
|
(accumulate [found false
|
||||||
|
_ v (ipairs (. attr "challengePassword"))]
|
||||||
|
(or found (= v psk)))))
|
||||||
|
|
||||||
|
|
||||||
(fn handle-sign-csr [out]
|
(fn handle-sign-csr [out]
|
||||||
(let [body (out:get_body_as_string)
|
(let [req (csr.new (out:get_body_as_string))]
|
||||||
h (make-headers 200 { :content-type "text/plain" })]
|
(if (approved-request? req)
|
||||||
(out:write_headers h false)
|
(do
|
||||||
(let [req (csr.new body)]
|
(out:write_headers (make-headers 200 { :content-type "text/plain" }) false)
|
||||||
(out:write_chunk (new-crt req) true))))
|
(out:write_chunk (new-crt req) true))
|
||||||
|
(send-error out 400 "missing attributes in CSR"))))
|
||||||
|
|
||||||
|
|
||||||
(fn on-stream [sv out]
|
(fn on-stream [sv out]
|
||||||
(let [hdrs (out:get_headers)
|
(let [hdrs (out:get_headers)
|
||||||
|
|
|
||||||
25
package.nix
25
package.nix
|
|
@ -1,14 +1,26 @@
|
||||||
{
|
{
|
||||||
lua5_3
|
fetchpatch,
|
||||||
, stdenv
|
lib,
|
||||||
, makeWrapper
|
lua5_3,
|
||||||
|
makeWrapper,
|
||||||
|
openssl,
|
||||||
|
stdenv,
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
pname = "certifix";
|
pname = "certifix";
|
||||||
|
|
||||||
|
luaossl' = lua5_3.pkgs.luaossl.overrideAttrs (o: {
|
||||||
|
patches = [
|
||||||
|
(fetchpatch {
|
||||||
|
url = "https://patch-diff.githubusercontent.com/raw/wahern/luaossl/pull/218.patch";
|
||||||
|
hash = "sha256-0+5OR9t7nw8lPi7jcM/RwI8Qt8HeXwU1jvl+f+B5V38=";
|
||||||
|
})
|
||||||
|
] ++ lib.optionals (o ? patches) o.patches;
|
||||||
|
});
|
||||||
|
http = lua5_3.pkgs.http.override { luaossl = luaossl'; };
|
||||||
|
|
||||||
lua = lua5_3.withPackages (ps: [
|
lua = lua5_3.withPackages (ps: [
|
||||||
# ps.dkjson
|
http
|
||||||
# ps.lpeg
|
|
||||||
ps.http
|
|
||||||
ps.luaposix
|
ps.luaposix
|
||||||
]);
|
]);
|
||||||
inherit makeWrapper;
|
inherit makeWrapper;
|
||||||
|
|
@ -16,6 +28,7 @@ let
|
||||||
in stdenv.mkDerivation {
|
in stdenv.mkDerivation {
|
||||||
inherit pname;
|
inherit pname;
|
||||||
version = "0.1";
|
version = "0.1";
|
||||||
|
|
||||||
src = ./.;
|
src = ./.;
|
||||||
makeFlags = [ "TARGET=${placeholder "out"}" ];
|
makeFlags = [ "TARGET=${placeholder "out"}" ];
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue