author | Kim Alvefur <zash@zash.se> |
Thu, 13 Jun 2013 21:25:12 +0200 | |
changeset 1062 | f853a1a3aa15 |
child 1063 | b2a4679e7d20 |
permissions | -rw-r--r-- |
1062
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
-- Copyright (C) 2013 Kim Alvefur |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
-- |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
-- This file is MIT/X11 licensed. |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
local jid_compare = require "util.jid".compare; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
local jid_split = require "util.jid".prepped_split; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
local new_sasl = require "util.sasl".new; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
local log = module._log; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
local subject_alternative_name = "2.5.29.17"; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
local now = os.time; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
function get_sasl_handler(session) |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
return new_sasl(module.host, { |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
external = session.secure and function(authz) |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
if session.secure then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
-- getpeercertificate() on a TCP connection would be bad, abort! |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
(session.log or log)("error", "How did you manage to select EXTERNAL without TLS?"); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
return nil, false; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
local sock = session.conn:socket(); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
local cert = sock:getpeercertificate(); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
if not cert then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 |
(session.log or log)("warn", "No certificate provided"); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
return nil, false; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
if not cert:validat(now()) then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
(session.log or log)("warn", "Client certificate expired") |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
return nil, "expired"; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 |
local chain_valid, chain_errors = sock:getpeerverification(); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
if not chain_valid then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
(session.log or log)("warn", "Invalid client certificate chain"); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
for i, error in ipairs(chain_errors) do |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
(session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", ")); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
return nil, false; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 |
local extensions = cert:extensions(); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
local SANs = extensions[subject_alternative_name]; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
local xmppAddrs = SANs and SANs[id_on_xmppAddr]; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
if not xmppAddrs then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
(session.log or log)("warn", "Client certificate contains no xmppAddrs"); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 |
return nil, false; |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
for i=1,#xmppAddrs do |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
if authz == "" or jid_compare(authz, xmppAddrs[i]) then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz) |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
local username, host = jid_split(xmppAddrs[i]); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
if host == module.host then |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
return username, true |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
}); |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
end |
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 |
|
f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
module:provides "auth"; |