X-Git-Url: http://git.cielonegro.org/gitweb.cgi?p=blackboard-dns.git;a=blobdiff_plain;f=DDNS%2FServer%2FSignReq.hs;fp=DDNS%2FServer%2FSignReq.hs;h=cfc4826708a52a463e73ae23213833a571491395;hp=0000000000000000000000000000000000000000;hb=20021ec127c5574db472d88ff47cbf7e656969f4;hpb=3674500cd498050a48d69d1d30a6139ba3ba88f5 diff --git a/DDNS/Server/SignReq.hs b/DDNS/Server/SignReq.hs new file mode 100644 index 0000000..cfc4826 --- /dev/null +++ b/DDNS/Server/SignReq.hs @@ -0,0 +1,46 @@ +module DDNS.Server.SignReq + ( signReq + ) + where + +import Control.Monad +import Control.Monad.Trans +import DDNS.Utils +import Data.List +import Data.Time.Clock +import OpenSSL.EVP.PKey +import OpenSSL.EVP.Verify +import OpenSSL.PEM +import OpenSSL.X509 as X509 +import OpenSSL.X509.Request as Req +import System.Console.Haskeline +import System.FilePath +import System.IO + +signReq :: KeyPair k => k -> X509 -> IO () +signReq sKey sCert + = runInputT (setComplete completeFilename defaultSettings) $ + do file <- getInputLine "Which X.509 request do you want to sign?: " + case trim file of + Just file' + -> liftIO $ + do req <- readX509Req =<< readFile file' + key <- Req.getPublicKey req + vst <- verifyX509Req req key + unless (vst == VerifySuccess) + $ fail "Invalid X.509 request" + + cert <- makeX509FromReq req sCert + setSerialNumber cert 1 -- FIXME: This nasty behavior makes revocation-list unusable. + setNotBefore cert =<< liftM (addUTCTime (-1)) getCurrentTime + setNotAfter cert =<< liftM (addUTCTime (20 * 365 * 24 * 60 * 60)) getCurrentTime + signX509 cert sKey Nothing + + let certFile = file' `replaceExtension` ".cert" + withFile certFile WriteMode $ \ h -> + writeX509 cert >>= hPutStr h + putStrLn ("Wrote " ++ certFile) + + Just (_, fqdn) <- liftM (find ((== "CN") . fst)) $ X509.getSubjectName cert False + putStrLn ("Now send " ++ certFile ++ " back to " ++ fqdn ++ ".") + _ -> return ()