prosody-modules: mod_auth_ccert/mod_auth_ccert.lua@8ad0d234608c (annotated)

1062 f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	1	-- Copyright (C) 2013 Kim Alvefur
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	2	--
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	3	-- This file is MIT/X11 licensed.
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	4
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	5	local jid_compare = require "util.jid".compare;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	6	local jid_split = require "util.jid".prepped_split;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	7	local new_sasl = require "util.sasl".new;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	8	local log = module._log;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	9	local subject_alternative_name = "2.5.29.17";
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	10	local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	11	local now = os.time;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	12
1065 3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	13	local cert_match = module:get_option("certificate_match", "xmppaddr");
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	14
1068 8ad0d234608c mod_auth_ccert: Pass the session username-outfigurer function too Kim Alvefur <zash@zash.se> parents: 1067 diff changeset	15	local username_extractor = {};
1065 3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	16
1068 8ad0d234608c mod_auth_ccert: Pass the session username-outfigurer function too Kim Alvefur <zash@zash.se> parents: 1067 diff changeset	17	function username_extractor.xmppaddr(cert, authz, session)
1065 3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	18	local extensions = cert:extensions();
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	19	local SANs = extensions[subject_alternative_name];
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	20	local xmppAddrs = SANs and SANs[id_on_xmppAddr];
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	21
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	22	if not xmppAddrs then
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	23	(session.log or log)("warn", "Client certificate contains no xmppAddrs");
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	24	return nil, false;
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	25	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	26
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	27	for i=1,#xmppAddrs do
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	28	if authz == "" or jid_compare(authz, xmppAddrs[i]) then
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	29	(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	30	local username, host = jid_split(xmppAddrs[i]);
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	31	if host == module.host then
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	32	return username, true
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	33	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	34	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	35	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	36	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	37
1066 83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	38	function username_extractor.email(cert)
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	39	local subject = cert:subject();
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	40	for i=1,#subject do
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	41	local ava = subject[i];
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	42	if ava.oid == oid_emailAddress then
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	43	local username, host = jid_split(ava.value);
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	44	if host == module.host then
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	45	return username, true
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	46	end
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	47	end
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	48	end
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	49	end
83175a6af8c5 mod_auth_ccert: Add optional method for certificates which contain an email address Kim Alvefur <zash@zash.se> parents: 1065 diff changeset	50
1065 3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	51	local find_username = username_extractor[cert_match];
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	52	if not find_username then
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	53	module:log("error", "certificate_match = %q is not supported");
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	54	return
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	55	end
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	56
3d04d9377a67 mod_auth_ccert: Prepare for supporting more ways to figure out the username Kim Alvefur <zash@zash.se> parents: 1063 diff changeset	57
1062 f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	58	function get_sasl_handler(session)
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	59	return new_sasl(module.host, {
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	60	external = session.secure and function(authz)
1063 b2a4679e7d20 mod_auth_ccert: Accidentally not Kim Alvefur <zash@zash.se> parents: 1062 diff changeset	61	if not session.secure then
1062 f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	62	-- getpeercertificate() on a TCP connection would be bad, abort!
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	63	(session.log or log)("error", "How did you manage to select EXTERNAL without TLS?");
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	64	return nil, false;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	65	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	66	local sock = session.conn:socket();
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	67	local cert = sock:getpeercertificate();
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	68	if not cert then
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	69	(session.log or log)("warn", "No certificate provided");
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	70	return nil, false;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	71	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	72
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	73	if not cert:validat(now()) then
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	74	(session.log or log)("warn", "Client certificate expired")
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	75	return nil, "expired";
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	76	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	77
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	78	local chain_valid, chain_errors = sock:getpeerverification();
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	79	if not chain_valid then
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	80	(session.log or log)("warn", "Invalid client certificate chain");
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	81	for i, error in ipairs(chain_errors) do
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	82	(session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", "));
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	83	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	84	return nil, false;
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	85	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	86
1068 8ad0d234608c mod_auth_ccert: Pass the session username-outfigurer function too Kim Alvefur <zash@zash.se> parents: 1067 diff changeset	87	return find_username(cert, authz, session);
1062 f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	88	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	89	});
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	90	end
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	91
f853a1a3aa15 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates Kim Alvefur <zash@zash.se> parents: diff changeset	92	module:provides "auth";

author	Kim Alvefur <zash@zash.se>
	Fri, 14 Jun 2013 20:27:58 +0200
changeset 1068	8ad0d234608c
parent 1067	8649f78b1dde
child 1069	d7719bf1aed6
permissions	-rw-r--r--