Mercurial > prosody-modules
annotate mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 5553:67152838afbc
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 17 Jun 2023 18:15:00 +0200 |
parents | 58a112bd9792 |
children |
rev | line source |
---|---|
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Copyright (C) 2013 - 2014 Tobias Markmann |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- This file is MIT/X11 licensed. |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- Implements authentication via POSH (PKIX over Secure HTTP) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- http://tools.ietf.org/html/draft-miller-posh-03 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 module:set_global(); |
3205
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
8 local json = require "util.json"; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
3205
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
10 local base64 = require "util.encodings".base64; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
11 local pem2der = require "util.x509".pem2der; |
3205
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
12 local hashes = require "util.hashes"; |
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
13 local build_url = require "socket.url".build; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
14 local async = require "util.async"; |
3205
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
15 local http = require "net.http"; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
16 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
17 local cache = require "util.cache".new(100); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
18 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
19 local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
20 local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 }; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 local function posh_lookup(host_session, resume) |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 -- do nothing if posh info already exists |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 if host_session.posh ~= nil then return end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 local target_host = false; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 if host_session.direction == "incoming" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 target_host = host_session.from_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 elseif host_session.direction == "outgoing" then |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 target_host = host_session.to_host; |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
33 local cached = cache:get(target_host); |
3200 | 34 if cached then |
35 if os.time() > cached.expires then | |
36 cache:set(target_host, nil); | |
37 else | |
38 host_session.posh = { jwk = cached }; | |
39 return false; | |
40 end | |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
41 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
42 local log = host_session.log or module._log; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
44 log("debug", "Session direction: %s", tostring(host_session.direction)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
45 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
46 local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" }; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
48 log("debug", "Request POSH information for %s", tostring(target_host)); |
3288
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
49 local redirect_followed = false; |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
50 local function cb (response, code) |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
51 if code ~= 200 then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
52 log("debug", "No or invalid POSH response received"); |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 resume(); |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
54 return; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 end |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
56 log("debug", "Received POSH response"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
57 local jwk = json.decode(response); |
3287
f0e19a77f81e
mod_s2s_auth_posh: Ensure JWK data decodes to a table
Kim Alvefur <zash@zash.se>
parents:
3225
diff
changeset
|
58 if not jwk or type(jwk) ~= "table" then |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
59 log("error", "POSH response is not valid JSON!\n%s", tostring(response)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
60 resume(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
61 return; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 end |
3288
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
63 if type(jwk.url) == "string" then |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
64 if redirect_followed then |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
65 redirect_followed = true; |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
66 http.request(jwk.url, nil, cb); |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
67 else |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
68 log("error", "POSH had invalid redirect:\n%s", tostring(response)); |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
69 resume(); |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
70 return; |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
71 end |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
72 end |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
73 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
74 host_session.posh = { orig = response }; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
75 jwk.expires = os.time() + tonumber(jwk.expires) or 3600; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
76 host_session.posh.jwk = jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
77 cache:set(target_host, jwk); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
78 resume(); |
3288
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
79 end |
3eee4029ac6c
mod_s2s_auth_posh: Follow reference
Kim Alvefur <zash@zash.se>
parents:
3287
diff
changeset
|
80 http.request(url, nil, cb); |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
81 return true; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
82 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
83 |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
84 -- Do POSH authentication |
3205
7bfb25111ea6
mod_s2s_auth_posh: Normalize code formatting
Kim Alvefur <zash@zash.se>
parents:
3204
diff
changeset
|
85 module:hook("s2s-check-certificate", function (event) |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
86 local session, cert = event.session, event.cert; |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
87 local log = session.log or module._log; |
3202
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
88 if session.cert_identity_status == "valid" then |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
89 log("debug", "Not trying POSH because certificate is already valid"); |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
90 return; |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
91 end |
094f75f316d6
mod_s2s_auth_posh: Skip POSH if session certificate is already valid
Kim Alvefur <zash@zash.se>
parents:
3201
diff
changeset
|
92 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
93 log("info", "Trying POSH authentication."); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
94 local wait, done = async.waiter(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
95 if posh_lookup(session, done) then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
96 wait(); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
97 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
98 local posh = session.posh; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
99 local jwk = posh and posh.jwk; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
100 local fingerprints = jwk and jwk.fingerprints; |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
101 |
3289
f2037a754480
mod_s2s_auth_posh: Be a tiny bit stricter with types
Kim Alvefur <zash@zash.se>
parents:
3288
diff
changeset
|
102 if type(fingerprints) ~= "table" then |
3204
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
103 log("debug", "No POSH authentication data available"); |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
104 return; |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
105 end |
13f381f0c03f
mod_s2s_auth_posh: Abort if no fingerprints are found
Kim Alvefur <zash@zash.se>
parents:
3203
diff
changeset
|
106 |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
107 local cert_der = pem2der(cert:pem()); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
108 local cert_hashes = {}; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
109 for i = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
110 cert_hashes[i] = base64.encode(hash_funcs[i](cert_der)); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
111 end |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
112 for i = 1, #fingerprints do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
113 local fp = fingerprints[i]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
114 for j = 1, #hash_order do |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
115 local hash = fp[hash_order[j]]; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
116 if cert_hashes[j] == hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
117 session.cert_chain_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
118 session.cert_identity_status = "valid"; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
119 log("debug", "POSH authentication succeeded!"); |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
120 return true; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
121 elseif hash then |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
122 -- Don't try weaker hashes |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
123 break; |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
124 end |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
125 end |
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
126 end |
3199
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
127 |
cb7c24305ed2
mod_s2s_auth_posh: Changes done outside of version control during 2014-2017
Kim Alvefur <zash@zash.se>
parents:
3198
diff
changeset
|
128 log("debug", "POSH authentication failed!"); |
3198
f3e452b43cfe
mod_s2s_auth_posh: PKIX over Secure HTTP
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
129 end); |
3225
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
130 |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
131 function module.command(arg) |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
132 if not arg[1] then |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
133 print("Usage: mod_s2s_auth_posh /path/to/cert.pem") |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
134 return 1; |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
135 end |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
136 local jwkset = { fingerprints = { }; expires = 86400; } |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
137 |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
138 for i, cert_file in ipairs(arg) do |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
139 local cert, err = io.open(cert_file); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
140 if not cert then |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
141 io.stderr:write(err, "\n"); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
142 return 1; |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
143 end |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
144 local cert_pem = cert:read("*a"); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
145 local cert_der, typ = pem2der(cert_pem); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
146 if typ == "CERTIFICATE" then |
4441
58a112bd9792
mod_s2s_auth_posh: Use unused loop variable for something [luacheck]
Kim Alvefur <zash@zash.se>
parents:
3289
diff
changeset
|
147 jwkset.fingerprints[i] = { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); }; |
3225
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
148 elseif typ then |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
149 io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n"); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
150 return 1; |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
151 else |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
152 io.stderr:write(cert_file, " did not contain a certificate in PEM format\n"); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
153 return 1; |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
154 end |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
155 end |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
156 print(json.encode(jwkset)); |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
157 return 0; |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
158 end |
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3205
diff
changeset
|
159 |