
util/x509.lua @ 4825:5fdc36bd866c

util.x509: Remove logic for generating certificate configs
author Kim Alvefur <zash@zash.se>
date Wed, 09 May 2012 00:34:24 +0200
parent 4486:f04db5e7e90d
child 5845:c48f717c2fd6
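--- a/util/x509.lua
+++ b/util/x509.lua
@@ -210,111 +210,6 @@
 
 -- If all else fails, well, why should we be any different?
 return false
 end
 
--- TODO Rename? Split out subroutines?
--- Also, this is probably openssl specific, what TODO about that?
-function genx509san(hosts, config, certhosts, raw) -- recive config through that or some better way?
-local function utf8string(s)
--- This is how we tell openssl not to encode UTF-8 strings as Latin1
-return s_format("FORMAT:UTF8,UTF8:%s", s);
-end
-
-local function ia5string(s)
-return s_format("IA5STRING:%s", s);
-end
-
-local function dnsname(t, host)
-t_insert(t.DNS, idna_to_ascii(host));
-end
-
-local function srvname(t, host, service)
-t_insert(t.otherName, s_format("%s;%s", oid_dnssrv, ia5string("_" .. service .."." .. idna_to_ascii(host))));
-end
-
-local function xmppAddr(t, host)
-t_insert(t.otherName, s_format("%s;%s", oid_xmppaddr, utf8string(host)));
-end
-
------------------------------
-
-local san = {
-DNS = {};
-otherName = {};
-};
-
-local sslsanconf = { };
-
-for i = 1,#certhosts do
-local certhost = certhosts[i];
-for name, host in pairs(hosts) do
-if name == certhost or name:sub(-1-#certhost) == "."..certhost then
-dnsname(san, name);
---print(name .. "#component_module: " .. (config.get(name, "core", "component_module") or "nil"));
-if config.get(name, "core", "component_module") == nil then
-srvname(san, name, "xmpp-client");
-end
---print(name .. "#anonymous_login: " .. tostring(config.get(name, "core", "anonymous_login")));
-if not (config.get(name, "core", "anonymous_login") or
-config.get(name, "core", "authentication") == "anonymous") then
-srvname(san, name, "xmpp-server");
-end
-xmppAddr(san, name);
-end
-end
-end
-
-for t, n in pairs(san) do
-for i = 1,#n do
-t_insert(sslsanconf, s_format("%s.%d = %s", t, i -1, n[i]));
-end
-end
-
-return raw and sslsanconf or t_concat(sslsanconf, "\n");
-end
-
-function baseconf()
-return {
-req = {
-distinguished_name = "distinguished_name",
-req_extensions = "v3_extensions",
-x509_extensions = "v3_extensions",
-prompt = "no",
-},
-distinguished_name = {
-commonName = "example.com",
-countryName = "GB",
-localityName = "The Internet",
-organizationName = "Your Organisation",
-organizationalUnitName = "XMPP Department",
-emailAddress = "xmpp@example.com",
-},
-v3_extensions = {
-basicConstraints = "CA:FALSE",
-keyUsage = "digitalSignature,keyEncipherment",
-extendedKeyUsage = "serverAuth,clientAuth",
-subjectAltName = "@subject_alternative_name",
-},
-subject_alternative_name = { },
-}
-end
-
-function serialize_conf(conf)
-local s = "";
-for k, t in pairs(conf) do
-s = s .. ("[%s]\n"):format(k);
-if t[1] then
-for i, v in ipairs(t) do
-s = s .. ("%s\n"):format(v);
-end
-else
-for k, v in pairs(t) do
-s = s .. ("%s = %s\n"):format(k, v);
-end
-end
-s = s .. "\n";
-end
-return s;
-end
-
 return _M;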