Mercurial > prosody-modules
annotate mod_client_certs/mod_client_certs.lua @ 5416:2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.
Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.
On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 04 May 2023 18:41:33 +0200 |
parents | 5f2eeebcf899 |
children |
rev | line source |
---|---|
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
1 -- XEP-0257: Client Certificates Management implementation for Prosody |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2012 Thijs Alkemade |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
3 -- |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
4 -- This file is MIT/X11 licensed. |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
5 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
6 local st = require "util.stanza"; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
7 local jid_bare = require "util.jid".bare; |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
8 local jid_split = require "util.jid".split; |
990
17ba2c59d661
mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents:
713
diff
changeset
|
9 local xmlns_saslcert = "urn:xmpp:saslcert:1"; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
10 local dm_load = require "util.datamanager".load; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
11 local dm_store = require "util.datamanager".store; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
12 local dm_table = "client_certs"; |
1779
bdf1de953fd9
mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents:
1343
diff
changeset
|
13 local ssl_x509 = require "ssl.x509"; |
bdf1de953fd9
mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents:
1343
diff
changeset
|
14 local util_x509 = require "util.x509"; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
15 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; |
698
3a3293f37139
mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
697
diff
changeset
|
16 local id_ce_subjectAltName = "2.5.29.17"; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
17 local digest_algo = "sha1"; |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
18 local base64 = require "util.encodings".base64; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
19 |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
20 local function get_id_on_xmpp_addrs(cert) |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
21 local id_on_xmppAddrs = {}; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
22 for k,ext in pairs(cert:extensions()) do |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
23 if k == id_ce_subjectAltName then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
24 for e,extv in pairs(ext) do |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
25 if e == id_on_xmppAddr then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
26 for i,v in ipairs(extv) do |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
27 id_on_xmppAddrs[#id_on_xmppAddrs+1] = v; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
28 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
29 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
30 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
31 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
32 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
33 module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", ")); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
34 return id_on_xmppAddrs; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
35 end |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
36 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
37 local function enable_cert(username, cert, info) |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
38 -- Check the certificate. Is it not expired? Does it include id-on-xmppAddr? |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
39 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
40 --[[ the method expired doesn't exist in luasec .. yet? |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
41 if cert:expired() then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
42 module:log("debug", "This certificate is already expired."); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
43 return nil, "This certificate is expired."; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
44 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
45 --]] |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
46 |
1096
1abb8f2a5761
mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents:
990
diff
changeset
|
47 if not cert:validat(os.time()) then |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
48 module:log("debug", "This certificate is not valid at this moment."); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
49 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
50 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
51 local valid_id_on_xmppAddrs; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
52 local require_id_on_xmppAddr = true; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
53 if require_id_on_xmppAddr then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
54 valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
55 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
56 local found = false; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
57 for i,k in pairs(valid_id_on_xmppAddrs) do |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
58 if jid_bare(k) == (username .. "@" .. module.host) then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
59 found = true; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
60 break; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
61 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
62 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
63 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
64 if not found then |
990
17ba2c59d661
mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents:
713
diff
changeset
|
65 return nil, "This certificate has no valid id-on-xmppAddr field."; |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
66 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
67 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
68 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
69 local certs = dm_load(username, module.host, dm_table) or {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
70 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
71 info.pem = cert:pem(); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
72 local digest = cert:digest(digest_algo); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
73 info.digest = digest; |
990
17ba2c59d661
mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents:
713
diff
changeset
|
74 certs[info.name] = info; |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
75 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
76 dm_store(username, module.host, dm_table, certs); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
77 return true |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
78 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
79 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
80 local function disable_cert(username, name, disconnect) |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
81 local certs = dm_load(username, module.host, dm_table) or {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
82 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
83 local info = certs[name]; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
84 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
85 if not info then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
86 return nil, "item-not-found" |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
87 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
88 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
89 certs[name] = nil; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
90 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
91 if disconnect then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
93 local sessions = hosts[module.host].sessions[username].sessions; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
94 local disabled_cert_pem = info.pem; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
95 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
96 for _, session in pairs(sessions) do |
3447
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
97 if session and session.conn and session.conn:socket().getpeercertificate then |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
98 local cert = session.conn:socket():getpeercertificate(); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
99 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
100 if cert and cert:pem() == disabled_cert_pem then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
101 module:log("debug", "Found a session that should be closed: %s", tostring(session)); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
103 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
104 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
105 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
106 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
107 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
108 dm_store(username, module.host, dm_table, certs); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
109 return info; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
110 end |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
111 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
112 module:hook("iq-get/self/"..xmlns_saslcert..":items", function(event) |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
113 local origin, stanza = event.origin, event.stanza; |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
114 module:log("debug", "%s requested items", origin.full_jid); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
115 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
116 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
117 local certs = dm_load(origin.username, module.host, dm_table) or {}; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
118 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
119 for digest,info in pairs(certs) do |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
120 reply:tag("item") |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
121 :tag("name"):text(info.name):up() |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
122 :tag("x509cert"):text(info.x509cert):up() |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
123 :up(); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
124 end |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
125 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
126 origin.send(reply); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
127 return true |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
128 end); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
129 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
130 module:hook("iq-set/self/"..xmlns_saslcert..":append", function(event) |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
131 local origin, stanza = event.origin, event.stanza; |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
132 local append = stanza:get_child("append", xmlns_saslcert); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
133 local name = append:get_child_text("name", xmlns_saslcert); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
134 local x509cert = append:get_child_text("x509cert", xmlns_saslcert); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
135 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
136 if not x509cert or not name then |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
137 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
138 return true |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
139 end |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
140 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
141 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil; |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
142 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1"); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
143 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
144 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
145 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
146 if not cert then |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
147 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
148 return true; |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
149 end |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
150 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
151 local ok, err = enable_cert(origin.username, cert, { |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
152 name = name, |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
153 x509cert = x509cert, |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
154 no_cert_management = can_manage, |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
155 }); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
156 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
157 if not ok then |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
158 origin.send(st.error_reply(stanza, "cancel", "bad-request", err)); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
159 return true -- REJECT?! |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
160 end |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
161 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
162 module:log("debug", "%s added certificate named %s", origin.full_jid, name); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
163 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
164 origin.send(st.reply(stanza)); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
165 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
166 return true |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
167 end); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
168 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
169 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
170 local function handle_disable(event) |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
171 local origin, stanza = event.origin, event.stanza; |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
172 local disable = stanza.tags[1]; |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
173 module:log("debug", "%s disabled a certificate", origin.full_jid); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
174 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
175 local name = disable:get_child_text("name"); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
176 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
177 if not name then |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
178 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
179 return true |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
180 end |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
181 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
182 disable_cert(origin.username, name, disable.name == "revoke"); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
183 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
184 origin.send(st.reply(stanza)); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
185 |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
186 return true |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
187 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
188 |
3267
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
189 module:hook("iq-set/self/"..xmlns_saslcert..":disable", handle_disable); |
4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
1779
diff
changeset
|
190 module:hook("iq-set/self/"..xmlns_saslcert..":revoke", handle_disable); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
191 |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
192 -- Ad-hoc command |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
193 local adhoc_new = module:require "adhoc".new; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
194 local dataforms_new = require "util.dataforms".new; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
195 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
196 local function generate_error_message(errors) |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
197 local errmsg = {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
198 for name, err in pairs(errors) do |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
199 errmsg[#errmsg + 1] = name .. ": " .. err; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
200 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
201 return table.concat(errmsg, "\n"); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
202 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
203 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
204 local choose_subcmd_layout = dataforms_new { |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
205 title = "Certificate management"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
206 instructions = "What action do you want to perform?"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
207 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
208 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
209 { name = "subcmd", type = "list-single", label = "Actions", required = true, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
210 value = { {label = "Add certificate", value = "add"}, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
211 {label = "List certificates", value = "list"}, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
212 {label = "Disable certificate", value = "disable"}, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
213 {label = "Revoke certificate", value = "revoke"}, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
214 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
215 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
216 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
217 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
218 local add_layout = dataforms_new { |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
219 title = "Adding a certificate"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
220 instructions = "Enter the certificate in PEM format"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
221 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
222 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
223 { name = "name", type = "text-single", label = "Name", required = true }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
224 { name = "cert", type = "text-multi", label = "PEM certificate", required = true }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
225 { name = "manage", type = "boolean", label = "Can manage certificates", value = true }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
226 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
227 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
228 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
229 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
230 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
231 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
232 local function adhoc_handler(self, data, state) |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
233 if data.action == "cancel" then return { status = "canceled" }; end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
234 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
235 if not state or data.action == "prev" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
236 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
237 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
238 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
239 if not state.subcmd then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
240 local fields, errors = choose_subcmd_layout:data(data.form); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
241 if errors then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
242 return { status = "completed", error = { message = generate_error_message(errors) } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
243 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
244 local subcmd = fields.subcmd |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
245 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
246 if subcmd == "add" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
247 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
248 elseif subcmd == "list" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
249 local list_layout = dataforms_new { |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
250 title = "List of certificates"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
251 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
252 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
253 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
254 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
255 for digest, info in pairs(certs) do |
990
17ba2c59d661
mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents:
713
diff
changeset
|
256 list_layout[#list_layout + 1] = { name = info.name, type = "text-multi", label = info.name, value = info.x509cert }; |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
257 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
258 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
259 return { status = "completed", result = list_layout }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
260 else |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
261 local layout = dataforms_new { |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
262 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
263 { name = "cert", type = "list-single", label = "Certificate", required = true }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
264 }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
265 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
266 if subcmd == "disable" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
267 layout.title = "Disabling a certificate"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
268 layout.instructions = "Select the certificate to disable"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
269 elseif subcmd == "revoke" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
270 layout.title = "Revoking a certificate"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
271 layout.instructions = "Select the certificate to revoke"; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
272 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
273 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
274 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
275 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
276 local values = {}; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
277 for digest, info in pairs(certs) do |
990
17ba2c59d661
mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents:
713
diff
changeset
|
278 values[#values + 1] = { label = info.name, value = info.name }; |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
279 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
280 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
281 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } }, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
282 { subcmd = subcmd }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
283 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
284 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
285 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
286 if state.subcmd == "add" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
287 local fields, errors = add_layout:data(data.form); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
288 if errors then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
289 return { status = "completed", error = { message = generate_error_message(errors) } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
290 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
291 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
292 local name = fields.name; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
293 local x509cert = fields.cert:gsub("^%s*(.-)%s*$", "%1"); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
294 |
1779
bdf1de953fd9
mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents:
1343
diff
changeset
|
295 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); |
713
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
296 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
297 if not cert then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
298 return { status = "completed", error = { message = "Could not parse X.509 certificate" } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
299 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
300 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
301 local ok, err = enable_cert(jid_split(data.from), cert, { |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
302 name = name, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
303 x509cert = x509cert, |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
304 no_cert_management = not fields.manage |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
305 }); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
306 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
307 if not ok then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
308 return { status = "completed", error = { message = err } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
309 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
310 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
311 module:log("debug", "%s added certificate named %s", data.from, name); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
312 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
313 return { status = "completed", info = "Successfully added certificate " .. name .. "." }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
314 else |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
315 local fields, errors = disable_layout_stub:data(data.form); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
316 if errors then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
317 return { status = "completed", error = { message = generate_error_message(errors) } }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
318 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
319 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
320 local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke" ); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
321 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
322 if state.subcmd == "revoke" then |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
323 return { status = "completed", info = "Revoked certificate " .. info.name .. "." }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
324 else |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
325 return { status = "completed", info = "Disabled certificate " .. info.name .. "." }; |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
326 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
327 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
328 end |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
329 |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
330 local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user"); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
331 module:provides("adhoc", cmd_desc); |
88ef66a65b13
mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents:
712
diff
changeset
|
332 |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
333 -- Here comes the SASL EXTERNAL stuff |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
334 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
335 local now = os.time; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
336 module:hook("stream-features", function(event) |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
337 local session, features = event.origin, event.features; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
338 if session.secure and session.type == "c2s_unauthed" then |
3447
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
339 local socket = session.conn:socket(); |
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
340 if not socket.getpeercertificate then |
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
341 module:log("debug", "Not a TLS socket"); |
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
342 return |
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
343 end |
5f2eeebcf899
mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents:
3267
diff
changeset
|
344 local cert = socket:getpeercertificate(); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
345 if not cert then |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
346 module:log("error", "No Client Certificate"); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
347 return |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
348 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
349 module:log("info", "Client Certificate: %s", cert:digest(digest_algo)); |
1096
1abb8f2a5761
mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents:
990
diff
changeset
|
350 if not cert:validat(now()) then |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
351 module:log("debug", "Client has an expired certificate", cert:digest(digest_algo)); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
352 return |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
353 end |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
354 module:log("debug", "Stream features:\n%s", tostring(features)); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
355 local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl"); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
356 if mechs then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
357 mechs:tag("mechanism"):text("EXTERNAL"); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
358 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
359 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
360 end, -1); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
361 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
362 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
363 |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
364 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
365 local session, stanza = event.origin, event.stanza; |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
366 if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
367 if session.secure then |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
368 local cert = session.conn:socket():getpeercertificate(); |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
369 local username_data = stanza:get_text(); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
370 local username = nil; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
371 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
372 if username_data == "=" then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
373 -- Check for either an id_on_xmppAddr |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
374 local jids = get_id_on_xmpp_addrs(cert); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
375 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
376 if not (#jids == 1) then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
377 module:log("debug", "Client tried to authenticate as =, but certificate has multiple JIDs."); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
378 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" }); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
379 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized"); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
380 return true; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
381 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
382 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
383 username = jids[1]; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
384 else |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
385 -- Check the base64 encoded username |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
386 username = base64.decode(username_data); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
387 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
388 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
389 local user, host, resource = jid_split(username); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
390 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
391 module:log("debug", "Inferred username: %s", user or "nil"); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
392 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
393 if (not username) or (not host == module.host) then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
394 module:log("debug", "No valid username found for %s", tostring(session)); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
395 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" }); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
396 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized"); |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
397 return true; |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
398 end |
709
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
399 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
400 local certs = dm_load(user, module.host, dm_table) or {}; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
401 local digest = cert:digest(digest_algo); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
402 local pem = cert:pem(); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
403 |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
404 for name,info in pairs(certs) do |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
405 if info.digest == digest and info.pem == pem then |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
406 sm_make_authenticated(session, user); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
407 module:fire_event("authentication-success", { session = session }); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
408 session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"})); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
409 session:reset_stream(); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
410 return true; |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
411 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
412 end |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
413 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" }); |
151743149f07
mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
698
diff
changeset
|
414 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized"); |
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
415 else |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
416 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required"); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
417 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
418 return true; |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
419 end |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
420 end, 1); |
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
421 |
1779
bdf1de953fd9
mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents:
1343
diff
changeset
|
422 module:add_feature(xmlns_saslcert); |