
mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 5705:527c747711f3

mod_http_oauth2: Limit revocation to clients' own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the latter part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parent 4441:58a112bd9792
-- Copyright (C) 2013 - 2014 Tobias Markmann
-- This file is MIT/X11 licensed.
--
-- Implements authentication via POSH (PKIX over Secure HTTP)
-- http://tools.ietf.org/html/draft-miller-posh-03
--
-- Loaded as a global module, so the POSH document cache below is a single
-- file-level table shared by every host this module serves.
module:set_global();
local json = require "util.json";

local base64 = require "util.encodings".base64;
local pem2der = require "util.x509".pem2der;
local hashes = require "util.hashes";
local build_url = require "socket.url".build;
local async = require "util.async";
local http = require "net.http";

-- Fetched POSH documents keyed by remote host, bounded to 100 entries.
-- Every entry stored here carries an absolute 'expires' timestamp that
-- posh_lookup sets and checks before reusing the entry.
local cache = require "util.cache".new(100);

-- Fingerprint algorithms, strongest first; hash_funcs[i] computes the digest
-- named by hash_order[i]. The certificate check walks this list in order and
-- stops at the strongest algorithm the peer publishes a value for.
-- NOTE(review): "sha-1" is still on the list, so a peer that publishes only a
-- sha-1 fingerprint is verified by sha-1 alone.
local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" };
local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 };
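--- Fetch the POSH document for the remote side of an s2s session.
-- Requests https://<host>/.well-known/posh/xmpp-server.json, follows at most
-- one "url" reference (https only), and stores the decoded document in
-- host_session.posh.jwk as well as in the module-wide cache until it expires.
-- @param host_session the s2s session; reads .posh, .direction,
--   .from_host/.to_host and .log, and writes .posh
-- @param resume callback invoked once the HTTP exchange has finished, whether
--   or not it produced a usable document; only called when a request was made
-- @return true when a request is in flight and the caller must wait for
--   resume(); false when the document came from the cache; nil when there was
--   nothing to do (posh info already present, or no host to query)
local function posh_lookup(host_session, resume)
	-- do nothing if posh info already exists
	if host_session.posh ~= nil then return end

	local target_host = false;
	if host_session.direction == "incoming" then
		target_host = host_session.from_host;
	elseif host_session.direction == "outgoing" then
		target_host = host_session.to_host;
	end
	if not target_host then
		-- Unknown direction: there is no host to build a URL for, so do not
		-- issue a request that cannot succeed.
		return;
	end

	local cached = cache:get(target_host);
	if cached then
		if os.time() > cached.expires then
			cache:set(target_host, nil);
		else
			host_session.posh = { jwk = cached };
			return false;
		end
	end
	local log = host_session.log or module._log;

	log("debug", "Session direction: %s", tostring(host_session.direction));

	local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" };

	log("debug", "Request POSH information for %s", tostring(target_host));
	local redirect_followed = false;
	local function cb (response, code)
		if code ~= 200 then
			log("debug", "No or invalid POSH response received");
			resume();
			return;
		end
		log("debug", "Received POSH response");
		local jwk = json.decode(response);
		if not jwk or type(jwk) ~= "table" then
			log("error", "POSH response is not valid JSON!\n%s", tostring(response));
			resume();
			return;
		end
		if type(jwk.url) == "string" then
			-- A document carrying a "url" member is a reference to the real
			-- one. Follow it once, and only over https, so that remote input
			-- can neither bounce us around indefinitely nor downgrade to a
			-- plaintext fetch. The reference document itself is never used as
			-- the fingerprint source.
			if not redirect_followed and jwk.url:lower():match("^https://") then
				redirect_followed = true;
				http.request(jwk.url, nil, cb);
				return;
			end
			log("error", "POSH had invalid redirect:\n%s", tostring(response));
			resume();
			return;
		end

		host_session.posh = { orig = response };
		-- 'expires' in the document is a lifetime in seconds; turn it into an
		-- absolute timestamp for the cache check, defaulting to one hour when
		-- the value is missing or not numeric.
		jwk.expires = os.time() + (tonumber(jwk.expires) or 3600);
		host_session.posh.jwk = jwk;
		cache:set(target_host, jwk);
		resume();
	end
	http.request(url, nil, cb);
	return true;
end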
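-- Do POSH authentication
-- Runs after the s2s layer has checked a peer certificate. When PKIX
-- validation did not already succeed, fetch the peer's POSH document and
-- accept the certificate if one of its published fingerprints matches the
-- digest of the certificate presented on the wire. Returning true marks the
-- session as validated and ends the hook chain; returning nothing leaves the
-- session's certificate status untouched.
module:hook("s2s-check-certificate", function (event)
	local session, cert = event.session, event.cert;
	local log = session.log or module._log;
	if session.cert_identity_status == "valid" then
		log("debug", "Not trying POSH because certificate is already valid");
		return;
	end

	log("info", "Trying POSH authentication.");
	local wait, done = async.waiter();
	if posh_lookup(session, done) then
		wait();
	end
	local posh = session.posh;
	local jwk = posh and posh.jwk;
	local fingerprints = jwk and jwk.fingerprints;

	if type(fingerprints) ~= "table" then
		log("debug", "No POSH authentication data available");
		return;
	end

	-- Digests of the presented certificate, one per entry of hash_order,
	-- base64 encoded to match the fingerprint format of the POSH document.
	local cert_der = pem2der(cert:pem());
	local cert_hashes = {};
	for i = 1, #hash_order do
		cert_hashes[i] = base64.encode(hash_funcs[i](cert_der));
	end
	for i = 1, #fingerprints do
		local fp = fingerprints[i];
		-- The document is remote input: an entry that is not an object is
		-- skipped rather than indexed (which would raise for numbers/booleans).
		if type(fp) == "table" then
			for j = 1, #hash_order do
				local hash = fp[hash_order[j]];
				if cert_hashes[j] == hash then
					session.cert_chain_status = "valid";
					session.cert_identity_status = "valid";
					log("debug", "POSH authentication succeeded!");
					return true;
				elseif hash then
					-- Don't try weaker hashes
					break;
				end
			end
		end
	end

	log("debug", "POSH authentication failed!");
end);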
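--- Command-line entry point: print a POSH document for the given certificates.
-- Usage: mod_s2s_auth_posh /path/to/cert.pem [more.pem ...]
-- Each argument must be a file holding a PEM-encoded certificate; its sha-256
-- fingerprint becomes one entry of the "fingerprints" array. The resulting
-- document is printed to stdout as JSON with a 24h "expires" lifetime.
-- @param arg array of certificate file paths
-- @return 0 on success; 1 on missing arguments, an unreadable file, or a file
--   that does not contain a certificate (with a message on stderr)
function module.command(arg)
	if not arg[1] then
		print("Usage: mod_s2s_auth_posh /path/to/cert.pem")
		return 1;
	end
	local jwkset = { fingerprints = { }; expires = 86400; }

	for i, cert_file in ipairs(arg) do
		local cert, err = io.open(cert_file);
		if not cert then
			io.stderr:write(err, "\n");
			return 1;
		end
		local cert_pem = cert:read("*a");
		-- The whole file has been read; release the handle before parsing so
		-- every exit path below leaves no open descriptor behind.
		cert:close();
		local cert_der, typ = pem2der(cert_pem);
		if typ == "CERTIFICATE" then
			jwkset.fingerprints[i] = { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); };
		elseif typ then
			io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n");
			return 1;
		else
			io.stderr:write(cert_file, " did not contain a certificate in PEM format\n");
			return 1;
		end
	end
	print(json.encode(jwkset));
	return 0;
end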