util/x509.lua @ 13073:9e5802b45b9e
mod_tokenauth: Only check expiry of expiring tokens
Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime
explicitly bounded here, but rather be bounded by the lifetime of
something else, like the OAuth2 client.
Open question: Would it be better to enforce a lifetime on all tokens?
author | Kim Alvefur <zash@zash.se> |
date | Wed, 12 Apr 2023 10:21:32 +0200 |
parent | 12975:d10957394a3c |
3651 | 1 -- Prosody IM |
2 -- Copyright (C) 2010 Matthew Wild | |
3 -- Copyright (C) 2010 Paul Aurich | |
4 -- | |
5 -- This project is MIT/X11 licensed. Please see the | |
6 -- COPYING file in the source package for more information. | |
7 -- | |
8 | |
9 -- TODO: I feel a fair amount of this logic should be integrated into Luasec, | |
10 -- so that everyone isn't re-inventing the wheel. Dependencies on | |
11 -- IDN libraries complicate that. | |
12 | |
13 | |
14 -- [TLS-CERTS] - https://www.rfc-editor.org/rfc/rfc6125.html |
15 -- [XMPP-CORE] - https://www.rfc-editor.org/rfc/rfc6120.html |
16 -- [SRV-ID] - https://www.rfc-editor.org/rfc/rfc4985.html |
17 -- [IDNA] - https://www.rfc-editor.org/rfc/rfc5890.html |
18 -- [LDAP] - https://www.rfc-editor.org/rfc/rfc4519.html |
19 -- [PKIX] - https://www.rfc-editor.org/rfc/rfc5280.html |
3651 | 20 |
-- Everything this module touches is captured into locals up front: the
-- file later sets _ENV to nil, so nothing below can reach a global.
local encodings = require "prosody.util.encodings";
local nameprep = encodings.stringprep.nameprep;
local idna_to_ascii = encodings.idna.to_ascii;
local idna_to_unicode = encodings.idna.to_unicode;
local base64 = encodings.base64;
local log = require "prosody.util.logger".init("x509");
local mt = require "prosody.util.multitable";
local s_format = string.format;
local ipairs = ipairs;
-- On Lua 5.2+ this makes every global lookup below an error instead of a
-- silent nil, so the identity checks cannot depend on ambient state; on
-- Lua 5.1 it is an ordinary local and has no effect (hence the luacheck
-- annotation).
local _ENV = nil;
-- luacheck: std none

-- ASN.1 object identifiers of the certificate fields examined below.
local oid_commonname, oid_subjectaltname, oid_xmppaddr, oid_dnssrv =
	"2.5.4.3",            -- commonName, [LDAP] 2.3
	"2.5.29.17",          -- subjectAltName extension, [PKIX] 4.2.1.6
	"1.3.6.1.5.5.7.8.5",  -- id-on-xmppAddr, [XMPP-CORE]
	"1.3.6.1.5.5.7.8.7";  -- id-on-dnsSRV (SRV-ID), [SRV-ID]
37 | |
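-- Compare a hostname (possibly international) with asserted names
-- extracted from a certificate.
-- This function follows the rules laid out in
-- sections 6.4.1 and 6.4.2 of [TLS-CERTS]
--
-- A wildcard ("*") all by itself is allowed only as the left-most label.
--
-- host:           reference identifier as given by the caller (may be a U-label)
-- asserted_names: array of dNSName values (A-labels) taken from the cert
-- Returns true on the first match, false otherwise (including when the
-- host cannot be converted to ASCII).
--
-- NOTE: nothing here rejects a wildcard whose remainder is a bare public
-- suffix ("*.com"); [TLS-CERTS] 7.2 leaves that to CA policy.
local function compare_dnsname(host, asserted_names)
	-- TODO: Sufficient normalization? Review relevant specs.
	local norm_host = idna_to_ascii(host)
	if norm_host == nil then
		log("info", "Host %s failed IDNA ToASCII operation", host)
		return false
	end

	norm_host = norm_host:lower()

	-- A wildcard stands in for exactly one label, so it can only ever match
	-- a host with at least two labels. Without this guard a single-label
	-- host ("localhost") is left unchanged by the gsub below and would be
	-- matched by "*.localhost".
	local host_chopped = nil -- everything after the first label
	if norm_host:find(".", 1, true) then
		host_chopped = norm_host:gsub("^[^.]+%.", "")
	end

	for i=1,#asserted_names do
		local name = asserted_names[i]
		if norm_host == name:lower() then
			log("debug", "Cert dNSName %s matched hostname", name);
			return true
		end

		-- Allow the left most label to be a "*"
		if host_chopped and name:match("^%*%.") then
			local rest_name = name:gsub("^[^.]+%.", "")
			if host_chopped == rest_name:lower() then
				log("debug", "Cert dNSName %s matched hostname", name);
				return true
			end
		end
	end

	return false
end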
75 | |
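-- Compare an XMPP domain name with the asserted id-on-xmppAddr
-- identities extracted from a certificate. Both are UTF8 strings.
--
-- Per [XMPP-CORE], matches against asserted identities don't include
-- wildcards, so we just do a normalize on both and then a string comparison
--
-- host:           the reference XMPP domain (UTF-8)
-- asserted_names: array of id-on-xmppAddr values from the certificate
-- Returns true on the first exact (nameprep'ed) match, false otherwise.
-- Only bare domains are considered; xmppAddr values containing "@" or "/"
-- (full JIDs) are skipped.
--
-- TODO: Support for full JIDs?
local function compare_xmppaddr(host, asserted_names)
	local norm_host = nameprep(host)
	if norm_host == nil then
		-- Same treatment as compare_dnsname: a reference identifier that
		-- cannot be normalized can never match, so say so in the log
		-- instead of silently comparing nil against every asserted name.
		log("info", "Host %s failed nameprep operation", host)
		return false
	end

	for i=1,#asserted_names do
		local name = asserted_names[i]

		-- We only want to match against bare domains right now, not
		-- those crazy full-er JIDs.
		if name:match("[@/]") then
			log("debug", "Ignoring xmppAddr %s because it's not a bare domain", name)
		else
			local norm_name = nameprep(name)
			if norm_name == nil then
				log("info", "Ignoring xmppAddr %s, failed nameprep!", name)
			elseif norm_host == norm_name then
				log("debug", "Cert xmppAddr %s matched hostname", name)
				return true
			end
		end
	end

	return false
end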
108 | |
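-- Compare a host + service against the asserted id-on-dnsSRV (SRV-ID)
-- identities extracted from a certificate.
--
-- Per [SRV-ID], the asserted identities will be encoded in ASCII via ToASCII.
-- The host part is compared case-insensitively, and a wildcard ("*") all by
-- itself is allowed only as the left-most non-service label.
--
-- host:           reference identifier (may be a U-label)
-- service:        SRV service label, with or without the leading "_"
-- asserted_names: array of SRV-ID strings of the form "_service.name"
-- Returns true on the first match, false otherwise.
local function compare_srvname(host, service, asserted_names)
	local norm_host = idna_to_ascii(host)
	if norm_host == nil then
		log("info", "Host %s failed IDNA ToASCII operation", host);
		return false
	end

	-- Service names start with a "_"
	if service:match("^_") == nil then service = "_"..service end

	norm_host = norm_host:lower();
	-- As in compare_dnsname: a wildcard replaces one label, so only hosts
	-- with at least two labels may be matched by one ("*.localhost" must
	-- not match "localhost").
	local host_chopped = nil -- everything after the first label
	if norm_host:find(".", 1, true) then
		host_chopped = norm_host:gsub("^[^.]+%.", "")
	end

	for i=1,#asserted_names do
		-- Anything that does not parse as "_service.name" yields nil here
		-- and is skipped by the service comparison.
		local asserted_service, name = asserted_names[i]:match("^(_[^.]+)%.(.*)");
		-- The service label itself is compared byte-for-byte; only the host
		-- part is case-folded.
		if service == asserted_service then
			if norm_host == name:lower() then
				log("debug", "Cert SRVName %s matched hostname", name);
				return true;
			end

			-- Allow the left most label to be a "*"
			if host_chopped and name:match("^%*%.") then
				local rest_name = name:gsub("^[^.]+%.", "")
				if host_chopped == rest_name:lower() then
					log("debug", "Cert SRVName %s matched hostname", name)
					return true
				end
			end
		end
	end

	return false
end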
153 | |
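-- Check whether `cert` presents an identifier that matches `host` for
-- `service`.
--
-- host:    the reference identifier the caller connected to (an XMPP domain)
-- service: SRV service name such as "_xmpp-client" (the leading "_" is
--          optional) or nil, in which case SRV-IDs are not consulted
-- cert:    a LuaSec-style certificate object (cert:extensions(),
--          cert:subject(), optionally cert:setencode())
--
-- Returns true if any presented identifier matches, false otherwise.
-- Only the name binding is checked here; chain validation, expiry and
-- revocation are the caller's (or the TLS stack's) responsibility.
local function verify_identity(host, service, cert)
	if cert.setencode then
		cert:setencode("utf8");
	end
	-- Accept the service both with and without the leading "_" so that the
	-- xmppAddr branch below and compare_srvname (which adds the "_" itself)
	-- agree on what the caller asked for.
	if service and service:sub(1, 1) ~= "_" then
		service = "_" .. service;
	end
	local ext = cert:extensions()
	if ext[oid_subjectaltname] then
		local sans = ext[oid_subjectaltname];

		-- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a
		-- reference identifier if the presented identifiers include a DNS-ID
		-- SRV-ID, URI-ID, or any application-specific identifier types"
		-- i.e. once any SAN type we know about is present, the CN-ID
		-- fallback at the bottom must not be reached.
		local had_supported_altnames = false

		if sans[oid_xmppaddr] then
			had_supported_altnames = true
			-- id-on-xmppAddr only says something about XMPP; ignore it for
			-- any other service.
			if service == "_xmpp-client" or service == "_xmpp-server" then
				if compare_xmppaddr(host, sans[oid_xmppaddr]) then return true end
			end
		end

		if sans[oid_dnssrv] then
			had_supported_altnames = true
			-- Only check srvNames if the caller specified a service
			if service and compare_srvname(host, service, sans[oid_dnssrv]) then return true end
		end

		if sans["dNSName"] then
			had_supported_altnames = true
			if compare_dnsname(host, sans["dNSName"]) then return true end
		end

		-- We don't need URIs, but [TLS-CERTS] is clear.
		if sans["uniformResourceIdentifier"] then
			had_supported_altnames = true
		end

		if had_supported_altnames then return false end
	end

	-- Extract a common name from the certificate, and check it as if it were
	-- a dNSName subjectAltName (wildcards may apply for, and receive,
	-- cat treats)
	--
	-- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject
	-- which has one and only one Common Name
	local subject = cert:subject()
	local cn = nil
	for i=1,#subject do
		local dn = subject[i]
		if dn["oid"] == oid_commonname then
			if cn then
				-- Ambiguous subject: refuse rather than guess which CN
				-- was meant.
				log("info", "Certificate has multiple common names")
				return false
			end

			cn = dn["value"];
		end
	end

	if cn then
		-- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs.
		return compare_dnsname(host, { cn })
	end

	-- If all else fails, well, why should we be any different?
	return false
end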
221 | |
-- TODO Support other SANs

-- Collect every name a certificate claims, together with the services it
-- claims them for.
--
-- Returns the multitable's underlying table: name -> service -> true, where
-- service is "*" (dNSName and commonName entries, valid for any service),
-- "xmpp-client"/"xmpp-server" (id-on-xmppAddr) or the service label of an
-- SRV-ID without its leading "_".
--
-- Unlike verify_identity, the subject commonName is always recorded, even
-- when subjectAltName entries are present, and wildcard dNSNames keep their
-- "*." prefix. Names that fail nameprep/IDNA conversion are dropped.
local function get_identities(cert) --> map of names to sets of services
	if cert.setencode then
		cert:setencode("utf8");
	end

	local identities = mt.new();
	local function claim(name, service)
		identities:set(name, service, true);
	end

	local sans = cert:extensions()[oid_subjectaltname];
	local dnsnames = sans and sans["dNSName"];
	local xmppaddrs = sans and sans[oid_xmppaddr];
	local srvnames = sans and sans[oid_dnssrv];

	-- dNSName: valid for any service. The "*." prefix is stripped before
	-- normalization and put back afterwards.
	if dnsnames then
		for _, raw in ipairs(dnsnames) do
			local prefix = "";
			if raw:sub(1, 2) == "*." then
				prefix, raw = "*.", raw:sub(3);
			end
			-- NOTE(review): nameprep may return nil; this relies on
			-- idna_to_unicode(nil) yielding nil rather than raising —
			-- confirm against util.encodings.
			local uname = idna_to_unicode(nameprep(raw));
			if uname then
				claim(prefix .. uname, "*");
			end
		end
	end

	-- id-on-xmppAddr: an XMPP identity, so it covers both XMPP services.
	if xmppaddrs then
		for _, raw in ipairs(xmppaddrs) do
			local domain = nameprep(raw);
			if domain then
				claim(domain, "xmpp-client");
				claim(domain, "xmpp-server");
			end
		end
	end

	-- SRV-ID: "_service.name" covers exactly that service for that name.
	if srvnames then
		for _, raw in ipairs(srvnames) do
			local srv, rest = raw:match("^_([^.]+)%.(.*)");
			local domain = srv and nameprep(rest);
			if domain then
				claim(domain, srv);
			end
		end
	end

	-- Subject commonName(s): recorded for any service, but only if the
	-- value survives nameprep and converts to an A-label.
	for _, dn in ipairs(cert:subject()) do
		if dn.oid == oid_commonname then
			local cn = nameprep(dn.value);
			if cn and idna_to_ascii(cn) then
				claim(cn, "*");
			end
		end
	end

	return identities.data;
end
-- One PEM envelope: a BEGIN line naming the block type, a base64 body in
-- which line breaks are tolerated, and an END line that must name the same
-- type (%1 back-reference), so mismatched BEGIN/END pairs do not match.
local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
	"([0-9A-Za-z+/=\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";

-- Extract the first PEM block from `pem`.
-- Returns the decoded DER bytes and the block type (e.g. "CERTIFICATE"),
-- or nothing at all when no PEM envelope is found. Only the first block of
-- a bundle is returned; any following blocks are ignored.
-- NOTE(review): the body may still contain CR/LF; whether base64.decode
-- skips them is a property of util.encodings — confirm there.
local function pem2der(pem)
	local typ, body = pem:match(pat);
	if typ == nil then
		return;
	end
	return base64.decode(body), typ;
end
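local wrap = ('.'):rep(64);
local envelope = "-----BEGIN %s-----\n%s\n-----END %s-----\n"

-- Wrap DER bytes in a PEM envelope of the given type.
--
-- data: raw DER bytes
-- typ:  block type, upper-cased; defaults to "CERTIFICATE"
-- Returns the PEM text: the base64 body is broken into 64-character lines
-- with no newline between the last body line and the END line.
local function der2pem(data, typ)
	typ = typ and typ:upper() or "CERTIFICATE";
	data = base64.encode(data);
	-- Insert a newline after every full 64-character run. Previously the
	-- number of replacements was capped at (#data-1)/64 so that a body
	-- whose length is an exact multiple of 64 did not end in "\n"; for
	-- base64 output that cap is never a whole number, and on Lua 5.3+
	-- string.gsub rejects a non-integral count ("number has no integer
	-- representation"). Wrap unconditionally and drop the one trailing
	-- newline instead, which yields the same text on every Lua version.
	local wrapped = data:gsub(wrap, "%0\n");
	if wrapped:sub(-1) == "\n" then
		wrapped = wrapped:sub(1, -2);
	end
	return s_format(envelope, typ, wrapped, typ);
end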
-- Public interface of util.x509.
local M = {
	-- certificate name matching
	verify_identity = verify_identity;
	get_identities = get_identities;
	-- PEM <-> DER helpers
	pem2der = pem2der;
	der2pem = der2pem;
};

return M;