mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 5705:527c747711f3
mod_http_oauth2: Limit revocation to clients own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the latter
part using the hash of client_id recorded in 0860497152af
It still seems weird to me that revoking a leaked token should not be
allowed to whoever might have discovered it, as that seems the responsible
thing to do.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Oct 2023 11:30:49 +0100 |
parent | 4441:58a112bd9792 |
-- Copyright (C) 2013 - 2014 Tobias Markmann
-- This file is MIT/X11 licensed.
--
-- Implements authentication via POSH (PKIX over Secure HTTP)
-- http://tools.ietf.org/html/draft-miller-posh-03
--
-- The module is global: it hooks "s2s-check-certificate" for every host
-- and compares the presented s2s certificate against fingerprints
-- published by the remote domain at /.well-known/posh/xmpp-server.json.
module:set_global();
local json = require "util.json";

local base64 = require "util.encodings".base64;
local pem2der = require "util.x509".pem2der;
local hashes = require "util.hashes";
local build_url = require "socket.url".build;
local async = require "util.async";
local http = require "net.http";

-- Fetched POSH documents keyed by remote host name. Each stored entry
-- carries an absolute `expires` timestamp that posh_lookup checks before
-- reusing it. (util.cache.new(100): presumably bounded to 100 entries.)
local cache = require "util.cache".new(100);

-- Hash algorithms in order of preference, strongest first; hash_funcs[i]
-- computes the digest named by hash_order[i]. The certificate check walks
-- this list and stops at the first algorithm the remote document provides,
-- so a published strong hash is never bypassed by a weaker one.
local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" };
local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 };
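--- Fetch the POSH document for the remote side of an s2s session.
-- On success the parsed document is stored in host_session.posh.jwk (and
-- the raw body in host_session.posh.orig when freshly fetched) and cached
-- per remote host until its `expires` time.
-- @tparam table host_session s2s session; `direction` selects whether
--   `from_host` (incoming) or `to_host` (outgoing) is looked up
-- @tparam function resume called exactly once when an asynchronous lookup
--   has finished, whether or not it produced a document
-- @treturn ?boolean true when an HTTP request was started and `resume` will
--   be called later; false when answered from cache; nil when the session
--   already carries POSH data
local function posh_lookup(host_session, resume)
	-- do nothing if posh info already exists
	if host_session.posh ~= nil then return end

	local target_host = false;
	if host_session.direction == "incoming" then
		target_host = host_session.from_host;
	elseif host_session.direction == "outgoing" then
		target_host = host_session.to_host;
	end

	local cached = cache:get(target_host);
	if cached then
		if os.time() > cached.expires then
			cache:set(target_host, nil);
		else
			host_session.posh = { jwk = cached };
			return false;
		end
	end
	local log = host_session.log or module._log;

	log("debug", "Session direction: %s", tostring(host_session.direction));

	-- Always HTTPS: the whole scheme relies on the document being retrieved
	-- over a TLS-authenticated connection to the claimed domain.
	local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" };

	log("debug", "Request POSH information for %s", tostring(target_host));
	local redirect_followed = false;
	local function cb (response, code)
		if code ~= 200 then
			log("debug", "No or invalid POSH response received");
			resume();
			return;
		end
		log("debug", "Received POSH response");
		local jwk = json.decode(response);
		if not jwk or type(jwk) ~= "table" then
			log("error", "POSH response is not valid JSON!\n%s", tostring(response));
			resume();
			return;
		end
		if type(jwk.url) == "string" then
			-- A document carrying "url" is a reference to the real document.
			-- Follow it at most once (redirect_followed guards against chains
			-- and loops) and only over HTTPS, like the initial fetch; anything
			-- else is reported as an invalid redirect.
			-- The original condition was inverted (`if redirect_followed`), so
			-- references were never followed and, had they been, the code fell
			-- through and called resume() a second time.
			if not redirect_followed and jwk.url:lower():match("^https://") then
				redirect_followed = true;
				http.request(jwk.url, nil, cb);
				-- The referenced document is handled by the next cb call;
				-- do not cache this one or resume the session yet.
				return;
			end
			log("error", "POSH had invalid redirect:\n%s", tostring(response));
			resume();
			return;
		end

		host_session.posh = { orig = response };
		-- "expires" in the document is a lifetime in seconds relative to now;
		-- fall back to an hour when it is missing or not numeric. The original
		-- `os.time() + tonumber(x) or 3600` parsed as `(a + nil) or 3600`, which
		-- raised before resume() was reached.
		jwk.expires = os.time() + (tonumber(jwk.expires) or 3600);
		host_session.posh.jwk = jwk;
		cache:set(target_host, jwk);
		resume();
	end
	http.request(url, nil, cb);
	return true;
end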
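-- Do POSH authentication
-- Runs when the s2s certificate could not be validated by other means:
-- looks up the remote domain's POSH document and, if one of the published
-- fingerprints matches the presented certificate, marks the session's
-- certificate chain and identity as valid. Returns true on success so
-- later handlers are skipped; otherwise returns nothing.
module:hook("s2s-check-certificate", function (event)
	local session, cert = event.session, event.cert;
	local log = session.log or module._log;
	if session.cert_identity_status == "valid" then
		log("debug", "Not trying POSH because certificate is already valid");
		return;
	end

	log("info", "Trying POSH authentication.");
	-- posh_lookup returns true only when it started an HTTP request and
	-- will call `done` later; block this (async) handler until then.
	local wait, done = async.waiter();
	if posh_lookup(session, done) then
		wait();
	end
	local posh = session.posh;
	local jwk = posh and posh.jwk;
	local fingerprints = jwk and jwk.fingerprints;

	if type(fingerprints) ~= "table" then
		log("debug", "No POSH authentication data available");
		return;
	end

	-- Digest of the DER certificate under every supported algorithm, base64
	-- encoded to match the representation used in the POSH document.
	local cert_der = pem2der(cert:pem());
	local cert_hashes = {};
	for i = 1, #hash_order do
		cert_hashes[i] = base64.encode(hash_funcs[i](cert_der));
	end
	for i = 1, #fingerprints do
		local fp = fingerprints[i];
		-- The document comes from a remote server: each entry is expected to
		-- be an object mapping hash name to digest, but a number or boolean
		-- here would raise on indexing, so anything that is not a table is
		-- skipped instead of trusted.
		if type(fp) == "table" then
			for j = 1, #hash_order do
				local hash = fp[hash_order[j]];
				if cert_hashes[j] == hash then
					session.cert_chain_status = "valid";
					session.cert_identity_status = "valid";
					log("debug", "POSH authentication succeeded!");
					return true;
				elseif hash then
					-- Don't try weaker hashes
					break;
				end
			end
		end
	end

	log("debug", "POSH authentication failed!");
end);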
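--- prosodyctl entry point: print a POSH document for the given certificates.
-- Usage: mod_s2s_auth_posh /path/to/cert.pem [...]
-- Emits JSON with one sha-256 fingerprint per input file and a 24h expiry.
-- @tparam table arg sequence of PEM certificate file paths
-- @treturn number exit status: 0 on success, 1 on usage or input errors
function module.command(arg)
	if not arg[1] then
		print("Usage: mod_s2s_auth_posh /path/to/cert.pem")
		return 1;
	end
	local jwkset = { fingerprints = { }; expires = 86400; }

	for i, cert_file in ipairs(arg) do
		local cert, err = io.open(cert_file);
		if not cert then
			io.stderr:write(err, "\n");
			return 1;
		end
		local cert_pem = cert:read("*a");
		-- the original left the handle open until garbage collection
		cert:close();
		local cert_der, typ = pem2der(cert_pem);
		if typ == "CERTIFICATE" then
			jwkset.fingerprints[i] = { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); };
		elseif typ then
			io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n");
			return 1;
		else
			io.stderr:write(cert_file, " did not contain a certificate in PEM format\n");
			return 1;
		end
	end
	print(json.encode(jwkset));
	return 0;
end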