-- Copyright (C) 2013 - 2014 Tobias Markmann
-- This file is MIT/X11 licensed.
--
-- Implements authentication via POSH (PKIX over Secure HTTP)
-- http://tools.ietf.org/html/draft-miller-posh-03
-- (POSH was later published as RFC 7711; this module follows the draft-03
-- document layout: https://<host>/.well-known/posh/xmpp-server.json holding
-- a "fingerprints" array of algorithm -> base64 digest objects, an optional
-- "url" reference to the real document, and an "expires" TTL in seconds.)
--
-- Security model: a peer certificate whose digest matches a published
-- fingerprint is treated as fully valid (chain and identity). That trust
-- rests entirely on the HTTPS fetch of the document being authenticated and
-- on the published document being current.
--
module:set_global(); -- one instance for all hosts: the cache and the hook below are shared
local json = require "util.json";

local base64 = require "util.encodings".base64;
local pem2der = require "util.x509".pem2der;
local hashes = require "util.hashes";
local build_url = require "socket.url".build;
local async = require "util.async";
-- NOTE(review): every POSH fingerprint is trusted solely because it was
-- fetched over HTTPS from the peer's domain; the requests in this file pass
-- no options, so confirm that net.http's defaults verify the server
-- certificate against the trust store and fail on an unverifiable one.
local http = require "net.http";

-- Fetched POSH documents keyed by remote host, at most 100 entries (eviction
-- when full is whatever util.cache does). Each entry carries an absolute
-- "expires" timestamp that posh_lookup() checks before reusing it.
local cache = require "util.cache".new(100);

-- Digest algorithms accepted in a fingerprint entry, strongest first;
-- hash_funcs[i] computes hash_order[i]. When an entry publishes a stronger
-- digest that does not match, the weaker ones in that entry are not tried.
-- NOTE(review): sha-1 (and sha-224) are still accepted for compatibility;
-- with practical SHA-1 collisions, consider dropping sha-1 and requiring
-- sha-256, which is the only digest module.command emits.
local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" };
local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 };
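-- Fetch (or take from the cache) the POSH document for the remote side of
-- an s2s session and store it in host_session.posh.
--
-- host_session: the s2s session; its direction decides which host is looked
--               up (from_host when incoming, to_host when outgoing).
-- resume:       continuation called exactly once when an asynchronous lookup
--               has finished, whether or not it produced data.
--
-- Returns:
--   nil   - host_session.posh was already set, or no host could be
--           determined; resume() is NOT called, the caller must not wait.
--   false - served from cache; host_session.posh is set, resume() is NOT
--           called, the caller must not wait.
--   true  - an HTTPS request was started; resume() will be called from the
--           response callback and the caller should wait for it.
local function posh_lookup(host_session, resume)
	-- do nothing if posh info already exists
	if host_session.posh ~= nil then return end

	local target_host = false;
	if host_session.direction == "incoming" then
		target_host = host_session.from_host;
	elseif host_session.direction == "outgoing" then
		target_host = host_session.to_host;
	end

	local cached = cache:get(target_host);
	if cached then
		if os.time() > cached.expires then
			cache:set(target_host, nil);
		else
			host_session.posh = { jwk = cached };
			return false;
		end
	end
	local log = host_session.log or module._log;

	log("debug", "Session direction: %s", tostring(host_session.direction));
	if not target_host then
		-- Unknown direction: there is no domain to query. The previous code
		-- built a host-less https URL here and let the request fail.
		log("debug", "No target host for POSH lookup, skipping");
		return;
	end

	-- draft-miller-posh-03 well-known location. The scheme must stay https:
	-- the fingerprints are only trustworthy because of the TLS authentication
	-- of this fetch.
	local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" };

	log("debug", "Request POSH information for %s", tostring(target_host));
	local redirect_followed = false;
	local function cb (response, code)
		if code ~= 200 then
			log("debug", "No or invalid POSH response received");
			resume();
			return;
		end
		log("debug", "Received POSH response");
		local jwk = json.decode(response);
		if type(jwk) ~= "table" then
			-- NOTE(review): `response` is remote-controlled and logged in full
			-- at error level; consider truncating it.
			log("error", "POSH response is not valid JSON!\n%s", tostring(response));
			resume();
			return;
		end
		if type(jwk.url) == "string" then
			-- The well-known document may be a reference to the real one.
			-- Follow it once only (a reference to a reference is rejected) and
			-- only over https, so the referenced document gets the same channel
			-- authentication as the well-known location. The previous code had
			-- the condition inverted (references were never followed) and fell
			-- through to store the reference document as the fingerprint set.
			if redirect_followed then
				log("error", "POSH had invalid redirect:\n%s", tostring(response));
				resume();
				return;
			end
			if jwk.url:sub(1, 8):lower() ~= "https://" then
				log("error", "POSH redirect is not an https URL, ignoring:\n%s", tostring(response));
				resume();
				return;
			end
			redirect_followed = true;
			log("debug", "Following POSH redirect to %s", jwk.url);
			http.request(jwk.url, nil, cb);
			-- cb runs again with the referenced document, which stores the
			-- result and calls resume(); nothing more to do for the reference.
			return;
		end

		host_session.posh = { orig = response };
		-- "expires" is a TTL in seconds relative to now. The previous
		-- `os.time() + tonumber(jwk.expires) or 3600` parsed as
		-- `(os.time() + tonumber(...)) or 3600`, so a missing or non-numeric
		-- value raised inside the HTTP callback, resume() never ran and the
		-- waiting s2s session stalled.
		local ttl = tonumber(jwk.expires) or 3600;
		-- NOTE(review): no upper bound is applied to the remote-supplied TTL;
		-- decide whether the cache should cap it.
		jwk.expires = os.time() + ttl;
		host_session.posh.jwk = jwk;
		cache:set(target_host, jwk);
		resume();
	end
	http.request(url, nil, cb);
	return true;
end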
-- Do POSH authentication |
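module:hook("s2s-check-certificate", function (event)
	-- Validate the peer certificate of an s2s session against the fingerprints
	-- published in the peer domain's POSH document. On a match both the chain
	-- and identity status of the session are set to "valid", which is
	-- presumably what the s2s code treats as an authenticated peer (confirm
	-- against mod_s2s).
	-- event.session: the s2s session being authenticated
	-- event.cert:    the peer certificate object, or nil if none was presented
	-- Returns true when POSH authenticated the certificate; nil otherwise,
	-- leaving the decision to other handlers.
	local session, cert = event.session, event.cert;
	local log = session.log or module._log;
	if session.cert_identity_status == "valid" then
		log("debug", "Not trying POSH because certificate is already valid");
		return;
	end
	if not cert then
		-- Nothing to fingerprint. NOTE(review): whether the event can be fired
		-- without a certificate is not visible here; the guard is cheap and
		-- avoids an error on cert:pem() below.
		log("debug", "Not trying POSH because no certificate was presented");
		return;
	end

	log("info", "Trying POSH authentication.");
	-- posh_lookup() returns true only when it started an HTTPS request; wait
	-- for its callback before reading session.posh.
	local wait, done = async.waiter();
	if posh_lookup(session, done) then
		wait();
	end
	local posh = session.posh;
	local jwk = posh and posh.jwk;
	local fingerprints = jwk and jwk.fingerprints;

	if type(fingerprints) ~= "table" then
		log("debug", "No POSH authentication data available");
		return;
	end

	-- Digest the DER certificate with every supported algorithm, in
	-- hash_order, so each published fingerprint can be compared directly.
	local cert_der = pem2der(cert:pem());
	local cert_hashes = {};
	for i = 1, #hash_order do
		cert_hashes[i] = base64.encode(hash_funcs[i](cert_der));
	end
	for i = 1, #fingerprints do
		local fp = fingerprints[i];
		-- A malformed entry (e.g. a number) would raise on indexing; only an
		-- object of algorithm -> digest is meaningful.
		if type(fp) == "table" then
			for j = 1, #hash_order do
				local hash = fp[hash_order[j]];
				if cert_hashes[j] == hash then
					session.cert_chain_status = "valid";
					session.cert_identity_status = "valid";
					log("debug", "POSH authentication succeeded!");
					return true;
				elseif hash then
					-- Don't try weaker hashes: this entry publishes a stronger
					-- digest that does not match, so a matching weaker digest in
					-- the same entry must not be accepted (downgrade guard).
					break;
				end
			end
		end
	end

	log("debug", "POSH authentication failed!");
end);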
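-- Command-line helper (the prosodyctl module command convention):
--   mod_s2s_auth_posh cert1.pem [cert2.pem ...]
-- prints a POSH document in the draft-03 layout to stdout, with one
-- "fingerprints" entry per file (base64 SHA-256 of the DER certificate) and a
-- 24-hour "expires" TTL.
-- Because remote servers may cache the document for up to "expires" seconds,
-- publish the new certificate's fingerprint next to the old one (pass both
-- files) before switching certificates.
-- arg: array of certificate file paths.
-- Returns a process exit status: 0 on success, 1 on usage or file errors.
function module.command(arg)
	if not arg[1] then
		print("Usage: mod_s2s_auth_posh /path/to/cert.pem")
		return 1;
	end
	local jwkset = { fingerprints = { }; expires = 86400; }

	for i, cert_file in ipairs(arg) do
		local cert, err = io.open(cert_file);
		if not cert then
			io.stderr:write(err, "\n");
			return 1;
		end
		local cert_pem = cert:read("*a");
		cert:close(); -- previously left open until garbage collection
		-- pem2der() presumably decodes only the first PEM block; for a chain
		-- file that is normally the leaf, which is what the s2s hook
		-- fingerprints.
		local cert_der, typ = pem2der(cert_pem);
		if typ == "CERTIFICATE" then
			jwkset.fingerprints[i] = { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); };
		elseif typ then
			io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n");
			return 1;
		else
			io.stderr:write(cert_file, " did not contain a certificate in PEM format\n");
			return 1;
		end
	end
	print(json.encode(jwkset));
	return 0;
end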