Changeset
3225:517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 13 Aug 2018 03:35:42 +0200 |
parents | 3224:b7aa8630438e |
children | 3226:3b13f19652e2 |
files | mod_s2s_auth_posh/README.markdown mod_s2s_auth_posh/mod_s2s_auth_posh.lua |
diffstat | 2 files changed, 37 insertions(+), 1 deletions(-) [+] |
--- a/mod_s2s_auth_posh/README.markdown Fri Aug 10 06:12:55 2018 +0200 +++ b/mod_s2s_auth_posh/README.markdown Mon Aug 13 03:35:42 2018 +0200 @@ -10,7 +10,13 @@ securely delegating a domain to a hosting provider, without that hosting provider needing keys and certificates covering the hosted domain. -# Setup +# Validating This module performs POSH validation of other servers. It is *not* needed to delegate your own domain. + +# Delegation + +You can generate the JSON delegation file from a certificate by running +`prosodyctl mod_s2s_auth_posh /path/to/example.crt`. This file needs to +be served at `https://example.com/.well-known/posh/xmpp-server.json`.
--- a/mod_s2s_auth_posh/mod_s2s_auth_posh.lua Fri Aug 10 06:12:55 2018 +0200
+++ b/mod_s2s_auth_posh/mod_s2s_auth_posh.lua Mon Aug 13 03:35:42 2018 +0200
@@ -114,3 +114,33 @@
 log("debug", "POSH authentication failed!");
 end);
+
+function module.command(arg)
+ if not arg[1] then
+ print("Usage: mod_s2s_auth_posh /path/to/cert.pem")
+ return 1;
+ end
+ local jwkset = { fingerprints = { }; expires = 86400; }
+
+ for i, cert_file in ipairs(arg) do
+ local cert, err = io.open(cert_file);
+ if not cert then
+ io.stderr:write(err, "\n");
+ return 1;
+ end
+ local cert_pem = cert:read("*a");
+ local cert_der, typ = pem2der(cert_pem);
+ if typ == "CERTIFICATE" then
+ table.insert(jwkset.fingerprints, { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); });
+ elseif typ then
+ io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n");
+ return 1;
+ else
+ io.stderr:write(cert_file, " did not contain a certificate in PEM format\n");
+ return 1;
+ end
+ end
+ print(json.encode(jwkset));
+ return 0;
+end
+
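Review bot: In `module.command` the handle from `io.open(cert_file)` is never closed, and the result of `cert:read("*a")` goes to `pem2der` unchecked, so a failed read (for example a path that opens but cannot be read) would presumably raise a Lua error instead of taking the clean `return 1` path used for the other failures. Something like `local cert_pem = cert:read("*a"); cert:close();` followed by `if not cert_pem then io.stderr:write(cert_file, " could not be read\n"); return 1; end` keeps the error handling uniform. The hard-coded `expires = 86400` deserves a comment such as `-- seconds a validating server may cache these fingerprints; regenerate and republish after replacing the certificate`, because as I read the POSH format this is how long remote servers may keep trusting the published fingerprint. `pem2der` is defined outside the hunk; if it returns only the first PEM block, a file holding a chain contributes just its first certificate, which would be worth stating in the usage text.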