annotate mod_client_certs/mod_client_certs.lua @ 2712:d89ab70808f6

mod_cloud_notify: fix bug when multiple resources are used This bug was triggered under the rare circumstances that a message arrived and one resource was smacks hibernated while the other one(s) were offline. Then only the hibernated resource but not the offline one(s) (or the other way round) got notified.
author tmolitor <thilo@eightysoft.de>
date Mon, 08 May 2017 18:24:29 +0200
parents bdf1de953fd9
children 4b43b317e8f5
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
1 -- XEP-0257: Client Certificates Management implementation for Prosody
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
2 -- Copyright (C) 2012 Thijs Alkemade
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
3 --
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
4 -- This file is MIT/X11 licensed.
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
5
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
6 local st = require "util.stanza";
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
7 local jid_bare = require "util.jid".bare;
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
8 local jid_split = require "util.jid".split;
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
9 local xmlns_saslcert = "urn:xmpp:saslcert:1";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
10 local dm_load = require "util.datamanager".load;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
11 local dm_store = require "util.datamanager".store;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
12 local dm_table = "client_certs";
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
13 local ssl_x509 = require "ssl.x509";
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
14 local util_x509 = require "util.x509";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
15 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
698
3a3293f37139 mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 697
diff changeset
16 local id_ce_subjectAltName = "2.5.29.17";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
17 local digest_algo = "sha1";
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
18 local base64 = require "util.encodings".base64;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
19
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
20 local function get_id_on_xmpp_addrs(cert)
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
21 local id_on_xmppAddrs = {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
22 for k,ext in pairs(cert:extensions()) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
23 if k == id_ce_subjectAltName then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
24 for e,extv in pairs(ext) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
25 if e == id_on_xmppAddr then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
26 for i,v in ipairs(extv) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
27 id_on_xmppAddrs[#id_on_xmppAddrs+1] = v;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
28 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
29 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
30 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
31 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
32 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
33 module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", "));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
34 return id_on_xmppAddrs;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
35 end
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
36
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
37 local function enable_cert(username, cert, info)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
38 -- Check the certificate. Is it not expired? Does it include id-on-xmppAddr?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
39
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
40 --[[ the method expired doesn't exist in luasec .. yet?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
41 if cert:expired() then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
42 module:log("debug", "This certificate is already expired.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
43 return nil, "This certificate is expired.";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
44 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
45 --]]
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
46
1096
1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents: 990
diff changeset
47 if not cert:validat(os.time()) then
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
48 module:log("debug", "This certificate is not valid at this moment.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
49 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
50
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
51 local valid_id_on_xmppAddrs;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
52 local require_id_on_xmppAddr = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
53 if require_id_on_xmppAddr then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
54 valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
55
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
56 local found = false;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
57 for i,k in pairs(valid_id_on_xmppAddrs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
58 if jid_bare(k) == (username .. "@" .. module.host) then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
59 found = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
60 break;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
61 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
62 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
63
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
64 if not found then
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
65 return nil, "This certificate has no valid id-on-xmppAddr field.";
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
66 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
67 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
68
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
69 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
70
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
71 info.pem = cert:pem();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
72 local digest = cert:digest(digest_algo);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
73 info.digest = digest;
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
74 certs[info.name] = info;
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
75
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
76 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
77 return true
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
78 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
79
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
80 local function disable_cert(username, name, disconnect)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
81 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
82
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
83 local info = certs[name];
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
84
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
85 if not info then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
86 return nil, "item-not-found"
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
87 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
88
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
89 certs[name] = nil;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
90
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
91 if disconnect then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
93 local sessions = hosts[module.host].sessions[username].sessions;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
94 local disabled_cert_pem = info.pem;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
95
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
96 for _, session in pairs(sessions) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
97 if session and session.conn then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
98 local cert = session.conn:socket():getpeercertificate();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
99
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
100 if cert and cert:pem() == disabled_cert_pem then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
101 module:log("debug", "Found a session that should be closed: %s", tostring(session));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
103 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
104 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
105 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
106 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
107
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
108 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
109 return info;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
110 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
111
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
112 module:hook("iq/self/"..xmlns_saslcert..":items", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
113 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
114 if stanza.attr.type == "get" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
115 module:log("debug", "%s requested items", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
116
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
117 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
118 local certs = dm_load(origin.username, module.host, dm_table) or {};
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
119
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
120 for digest,info in pairs(certs) do
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
121 reply:tag("item")
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
122 :tag("name"):text(info.name):up()
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
123 :tag("x509cert"):text(info.x509cert):up()
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
124 :up();
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
125 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
126
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
127 origin.send(reply);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
128 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
129 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
130 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
131
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
132 module:hook("iq/self/"..xmlns_saslcert..":append", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
133 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
134 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
135
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
136 local append = stanza:get_child("append", xmlns_saslcert);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
137 local name = append:get_child_text("name", xmlns_saslcert);
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
138 local x509cert = append:get_child_text("x509cert", xmlns_saslcert);
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
139
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
140 if not x509cert or not name then
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
141 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify?
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
142 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
143 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1096
diff changeset
144
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
145 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil;
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
146 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
147
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
148 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
149
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
150 if not cert then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
151 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate"));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
152 return true;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
153 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
154
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
155 local ok, err = enable_cert(origin.username, cert, {
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
156 name = name,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
157 x509cert = x509cert,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
158 no_cert_management = can_manage,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
159 });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
160
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
161 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
162 origin.send(st.error_reply(stanza, "cancel", "bad-request", err));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
163 return true -- REJECT?!
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
164 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
165
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
166 module:log("debug", "%s added certificate named %s", origin.full_jid, name);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
167
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
168 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
169
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
170 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
171 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
172 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
173
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
174
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
175 local function handle_disable(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
176 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
177 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
178 local disable = stanza.tags[1];
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
179 module:log("debug", "%s disabled a certificate", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
180
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
181 local name = disable:get_child_text("name");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
182
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
183 if not name then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
184 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
185 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
186 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
187
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
188 disable_cert(origin.username, name, disable.name == "revoke");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
189
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
190 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
191
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
192 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
193 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
194 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
195
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
196 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
197 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
198
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
199 -- Ad-hoc command
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
200 local adhoc_new = module:require "adhoc".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
201 local dataforms_new = require "util.dataforms".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
202
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
203 local function generate_error_message(errors)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
204 local errmsg = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
205 for name, err in pairs(errors) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
206 errmsg[#errmsg + 1] = name .. ": " .. err;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
207 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
208 return table.concat(errmsg, "\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
209 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
210
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
211 local choose_subcmd_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
212 title = "Certificate management";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
213 instructions = "What action do you want to perform?";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
214
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
215 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
216 { name = "subcmd", type = "list-single", label = "Actions", required = true,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
217 value = { {label = "Add certificate", value = "add"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
218 {label = "List certificates", value = "list"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
219 {label = "Disable certificate", value = "disable"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
220 {label = "Revoke certificate", value = "revoke"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
221 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
222 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
223 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
224
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
225 local add_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
226 title = "Adding a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
227 instructions = "Enter the certificate in PEM format";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
228
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
229 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
230 { name = "name", type = "text-single", label = "Name", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
231 { name = "cert", type = "text-multi", label = "PEM certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
232 { name = "manage", type = "boolean", label = "Can manage certificates", value = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
233 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
234
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
235
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
236 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
237
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
238
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
239 local function adhoc_handler(self, data, state)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
240 if data.action == "cancel" then return { status = "canceled" }; end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
241
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
242 if not state or data.action == "prev" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
243 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
244 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
245
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
246 if not state.subcmd then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
247 local fields, errors = choose_subcmd_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
248 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
249 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
250 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
251 local subcmd = fields.subcmd
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
252
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
253 if subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
254 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
255 elseif subcmd == "list" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
256 local list_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
257 title = "List of certificates";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
258 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
259
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
260 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
261
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
262 for digest, info in pairs(certs) do
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
263 list_layout[#list_layout + 1] = { name = info.name, type = "text-multi", label = info.name, value = info.x509cert };
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
264 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
265
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
266 return { status = "completed", result = list_layout };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
267 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
268 local layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
269 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
270 { name = "cert", type = "list-single", label = "Certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
271 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
272
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
273 if subcmd == "disable" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
274 layout.title = "Disabling a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
275 layout.instructions = "Select the certificate to disable";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
276 elseif subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
277 layout.title = "Revoking a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
278 layout.instructions = "Select the certificate to revoke";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
279 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
280
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
281 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
282
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
283 local values = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
284 for digest, info in pairs(certs) do
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
285 values[#values + 1] = { label = info.name, value = info.name };
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
286 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
287
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
288 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } },
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
289 { subcmd = subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
290 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
291 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
292
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
293 if state.subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
294 local fields, errors = add_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
295 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
296 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
297 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
298
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
299 local name = fields.name;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
300 local x509cert = fields.cert:gsub("^%s*(.-)%s*$", "%1");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
301
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
302 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
303
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
304 if not cert then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
305 return { status = "completed", error = { message = "Could not parse X.509 certificate" } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
306 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
307
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
308 local ok, err = enable_cert(jid_split(data.from), cert, {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
309 name = name,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
310 x509cert = x509cert,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
311 no_cert_management = not fields.manage
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
312 });
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
313
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
314 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
315 return { status = "completed", error = { message = err } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
316 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
317
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
318 module:log("debug", "%s added certificate named %s", data.from, name);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
319
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
320 return { status = "completed", info = "Successfully added certificate " .. name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
321 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
322 local fields, errors = disable_layout_stub:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
323 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
324 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
325 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
326
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
327 local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke" );
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
328
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
329 if state.subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
330 return { status = "completed", info = "Revoked certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
331 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
332 return { status = "completed", info = "Disabled certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
333 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
334 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
335 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
336
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
337 local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
338 module:provides("adhoc", cmd_desc);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
339
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
340 -- Here comes the SASL EXTERNAL stuff
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
341
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
342 local now = os.time;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
343 module:hook("stream-features", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
344 local session, features = event.origin, event.features;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
345 if session.secure and session.type == "c2s_unauthed" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
346 local cert = session.conn:socket():getpeercertificate();
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
347 if not cert then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
348 module:log("error", "No Client Certificate");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
349 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
350 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
351 module:log("info", "Client Certificate: %s", cert:digest(digest_algo));
1096
1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents: 990
diff changeset
352 if not cert:validat(now()) then
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
353 module:log("debug", "Client has an expired certificate", cert:digest(digest_algo));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
354 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
355 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
356 module:log("debug", "Stream features:\n%s", tostring(features));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
357 local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
358 if mechs then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
359 mechs:tag("mechanism"):text("EXTERNAL");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
360 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
361 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
362 end, -1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
363
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
364 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
365
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
366 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
367 local session, stanza = event.origin, event.stanza;
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
368 if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
369 if session.secure then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
370 local cert = session.conn:socket():getpeercertificate();
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
371 local username_data = stanza:get_text();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
372 local username = nil;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
373
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
374 if username_data == "=" then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
375 -- Check for either an id_on_xmppAddr
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
376 local jids = get_id_on_xmpp_addrs(cert);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
377
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
378 if not (#jids == 1) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
379 module:log("debug", "Client tried to authenticate as =, but certificate has multiple JIDs.");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
380 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
381 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
382 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
383 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
384
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
385 username = jids[1];
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
386 else
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
387 -- Check the base64 encoded username
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
388 username = base64.decode(username_data);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
389 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
390
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
391 local user, host, resource = jid_split(username);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
392
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
393 module:log("debug", "Inferred username: %s", user or "nil");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
394
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
395 if (not username) or (not host == module.host) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
396 module:log("debug", "No valid username found for %s", tostring(session));
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
397 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
398 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
399 return true;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
400 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
401
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
402 local certs = dm_load(user, module.host, dm_table) or {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
403 local digest = cert:digest(digest_algo);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
404 local pem = cert:pem();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
405
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
406 for name,info in pairs(certs) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
407 if info.digest == digest and info.pem == pem then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
408 sm_make_authenticated(session, user);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
409 module:fire_event("authentication-success", { session = session });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
410 session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
411 session:reset_stream();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
412 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
413 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
414 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
415 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
416 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
417 else
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
418 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
419 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
420 return true;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
421 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
422 end, 1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
423
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
424 module:add_feature(xmlns_saslcert);