annotate mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 5448:9d542e86e19a

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:40:09 +0200
parents 58a112bd9792
children
-- Copyright (C) 2013 - 2014 Tobias Markmann
-- This file is MIT/X11 licensed.
--
-- Implements authentication via POSH (PKIX over Secure HTTP)
-- http://tools.ietf.org/html/draft-miller-posh-03
--
module:set_global();

-- Prosody utility libraries used by this module
local json = require "util.json";
local encodings = require "util.encodings";
local base64 = encodings.base64;
local pem2der = require "util.x509".pem2der;
local hashes = require "util.hashes";
local build_url = require "socket.url".build;
local async = require "util.async";
local http = require "net.http";

-- Bounded in-memory cache of fetched POSH documents, keyed by remote host
local cache = require "util.cache".new(100);

-- Digest algorithms accepted in POSH fingerprints, strongest first. The two
-- parallel tables consumed by the verification hook (hash_order: JSON member
-- names, hash_funcs: matching digest functions) are derived from one list so
-- that their ordering can never drift apart.
local supported_hashes = {
	{ "sha-512", hashes.sha512 };
	{ "sha-384", hashes.sha384 };
	{ "sha-256", hashes.sha256 };
	{ "sha-224", hashes.sha224 };
	{ "sha-1", hashes.sha1 };
};
local hash_order, hash_funcs = {}, {};
for i, entry in ipairs(supported_hashes) do
	hash_order[i], hash_funcs[i] = entry[1], entry[2];
end
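-- Fetch the POSH document for the remote side of `host_session`.
--
-- Returns nil when the session already carries POSH data, false when a
-- still-valid cached document was attached to the session (nothing to wait
-- for), and true when an HTTP request was started; in that case `resume` is
-- called exactly once when the lookup finishes, whether or not it succeeded.
local function posh_lookup(host_session, resume)
	-- do nothing if posh info already exists
	if host_session.posh ~= nil then return end

	local target_host = false;
	if host_session.direction == "incoming" then
		target_host = host_session.from_host;
	elseif host_session.direction == "outgoing" then
		target_host = host_session.to_host;
	end

	local cached = cache:get(target_host);
	if cached then
		if os.time() > cached.expires then
			cache:set(target_host, nil);
		else
			host_session.posh = { jwk = cached };
			return false;
		end
	end
	local log = host_session.log or module._log;

	log("debug", "Session direction: %s", tostring(host_session.direction));

	local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" };

	log("debug", "Request POSH information for %s", tostring(target_host));
	-- POSH permits a single level of indirection through a "url" member; one
	-- flag is enough to stop a document from redirecting indefinitely.
	local redirect_followed = false;
	local function cb(response, code)
		if code ~= 200 then
			log("debug", "No or invalid POSH response received");
			resume();
			return;
		end
		log("debug", "Received POSH response");
		local jwk = json.decode(response);
		if not jwk or type(jwk) ~= "table" then
			log("error", "POSH response is not valid JSON!\n%s", tostring(response));
			resume();
			return;
		end
		if type(jwk.url) == "string" then
			-- Follow only the first redirect, and only to an HTTPS URL: the
			-- fingerprint document is what authenticates the peer, so it must
			-- itself arrive over an authenticated channel. The original test
			-- was inverted (the flag starts out false), so no redirect was
			-- ever followed, and the redirect document itself fell through to
			-- be cached as if it were the fingerprint set.
			if not redirect_followed and jwk.url:lower():sub(1, 8) == "https://" then
				redirect_followed = true;
				http.request(jwk.url, nil, cb);
				-- the redirected request calls resume() when it completes
				return;
			end
			log("error", "POSH had invalid redirect:\n%s", tostring(response));
			resume();
			return;
		end

		host_session.posh = { orig = response };
		-- Cache for an hour when the document carries no numeric "expires";
		-- the default must apply to the lifetime, not to the whole sum, and
		-- tonumber() of a missing member must not reach the addition.
		jwk.expires = os.time() + (tonumber(jwk.expires) or 3600);
		host_session.posh.jwk = jwk;
		cache:set(target_host, jwk);
		resume();
	end
	http.request(url, nil, cb);
	return true;
end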
-- Do POSH authentication
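-- Verify the peer certificate against the fingerprints published in the
-- peer's POSH document. Marks both chain and identity status as valid on a
-- match (the fingerprint pins the exact certificate, so no PKIX chain is
-- needed) and returns true; returns nothing when POSH cannot decide.
module:hook("s2s-check-certificate", function (event)
	local session, cert = event.session, event.cert;
	local log = session.log or module._log;
	if session.cert_identity_status == "valid" then
		log("debug", "Not trying POSH because certificate is already valid");
		return;
	end

	log("info", "Trying POSH authentication.");
	local wait, done = async.waiter();
	if posh_lookup(session, done) then
		wait();
	end
	local posh = session.posh;
	local jwk = posh and posh.jwk;
	local fingerprints = jwk and jwk.fingerprints;

	if type(fingerprints) ~= "table" then
		log("debug", "No POSH authentication data available");
		return;
	end

	-- Compute every supported digest of the presented certificate once,
	-- indexed in parallel with hash_order
	local cert_der = pem2der(cert:pem());
	local cert_hashes = {};
	for i = 1, #hash_order do
		cert_hashes[i] = base64.encode(hash_funcs[i](cert_der));
	end
	for i = 1, #fingerprints do
		local fp = fingerprints[i];
		-- The document comes from the network: a non-table entry is skipped
		-- rather than indexed, which would raise and abort the whole hook
		if type(fp) == "table" then
			for j = 1, #hash_order do
				local hash = fp[hash_order[j]];
				if cert_hashes[j] == hash then
					session.cert_chain_status = "valid";
					session.cert_identity_status = "valid";
					log("debug", "POSH authentication succeeded!");
					return true;
				elseif hash then
					-- Don't try weaker hashes
					break;
				end
			end
		end
	end

	log("debug", "POSH authentication failed!");
end);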
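-- prosodyctl entry point: print a POSH document (JSON) holding the SHA-256
-- fingerprint of each PEM certificate named on the command line.
-- Returns 0 on success and 1 on a usage error or an unreadable/unsuitable file;
-- diagnostics go to stderr so stdout stays valid JSON.
function module.command(arg)
	if not arg[1] then
		print("Usage: mod_s2s_auth_posh /path/to/cert.pem")
		return 1;
	end
	local jwkset = { fingerprints = { }; expires = 86400; }

	for i, cert_file in ipairs(arg) do
		local cert, err = io.open(cert_file);
		if not cert then
			io.stderr:write(err, "\n");
			return 1;
		end
		local cert_pem, read_err = cert:read("*a");
		-- close explicitly instead of leaving the descriptor to the GC
		cert:close();
		if not cert_pem then
			-- io.open succeeds on e.g. a directory, but reading it fails
			io.stderr:write(cert_file, ": ", tostring(read_err), "\n");
			return 1;
		end
		local cert_der, typ = pem2der(cert_pem);
		if typ == "CERTIFICATE" then
			jwkset.fingerprints[i] = { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); };
		elseif typ then
			io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n");
			return 1;
		else
			io.stderr:write(cert_file, " did not contain a certificate in PEM format\n");
			return 1;
		end
	end
	print(json.encode(jwkset));
	return 0;
end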