
util/x509.lua @ 10434:8f709577fe8e

Merge 0.11->trunk
author Kim Alvefur <zash@zash.se>
date Sat, 23 Nov 2019 23:12:01 +0100
parent 10259:9df135b06c2f
child 10494:69e55b03d5cf
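--- a/util/x509.lua
+++ b/util/x509.lua
@@ -18,13 +18,16 @@
 -- [LDAP] - http://tools.ietf.org/html/rfc4519
 -- [PKIX] - http://tools.ietf.org/html/rfc5280
 
 local nameprep = require "util.encodings".stringprep.nameprep;
 local idna_to_ascii = require "util.encodings".idna.to_ascii;
+local idna_to_unicode = require "util.encodings".idna.to_unicode;
 local base64 = require "util.encodings".base64;
 local log = require "util.logger".init("x509");
+local mt = require "util.multitable";
 local s_format = string.format;
+local ipairs = ipairs;
 
 local _ENV = nil;
 -- luacheck: std none
 
 local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3
@@ -214,10 +217,64 @@
 
 -- If all else fails, well, why should we be any different?
 return false
 end
 
+-- TODO Support other SANs
+local function get_identities(cert) --> map of names to sets of services
+if cert.setencode then
+cert:setencode("utf8");
+end
+
+local names = mt.new();
+
+local ext = cert:extensions();
+local sans = ext[oid_subjectaltname];
+if sans then
+if sans["dNSName"] then -- Valid for any service
+for _, name in ipairs(sans["dNSName"]) do
+name = idna_to_unicode(nameprep(name));
+if name then
+names:set(name, "*", true);
+end
+end
+end
+if sans[oid_xmppaddr] then
+for _, name in ipairs(sans[oid_xmppaddr]) do
+name = nameprep(name);
+if name then
+names:set(name, "xmpp-client", true);
+names:set(name, "xmpp-server", true);
+end
+end
+end
+if sans[oid_dnssrv] then
+for _, srvname in ipairs(sans[oid_dnssrv]) do
+local srv, name = srvname:match("^_([^.]+)%.(.*)");
+if srv then
+name = nameprep(name);
+if name then
+names:set(name, srv, true);
+end
+end
+end
+end
+end
+
+local subject = cert:subject();
+for i = 1, #subject do
+local dn = subject[i];
+if dn.oid == oid_commonname then
+local name = nameprep(dn.value);
+if name and idna_to_ascii(name) then
+names:set("*", name, true);
+end
+end
+end
+return names.data;
+end
+
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z+/=\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 
 local function pem2der(pem)
 local typ, data = pem:match(pat);
@@ -235,8 +292,9 @@
 return s_format(envelope, typ, data:gsub(wrap, '%0\n', (#data-1)/64), typ);
 end
 
 return {
 verify_identity = verify_identity;
+get_identities = get_identities;
 pem2der = pem2der;
 der2pem = der2pem;
 };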
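Review bot: In the new get_identities (second hunk) the subject-CN branch calls `names:set("*", name, true)`, which reverses the key order used by the dNSName branch (`names:set(name, "*", true)`) and by the function's own `--> map of names to sets of services` comment, so a certificate identified only by its CN is filed under the key "*" with the hostname in the position of a service rather than under the hostname itself. Unless some caller deliberately reads `names.data["*"]`, this looks like a transposition and the line should read `names:set(name, "*", true);`. Separately, the dNSName loop does `name = idna_to_unicode(nameprep(name));`; the other branches test nameprep's result for nil before using it, but here a rejected name is passed straight into idna_to_unicode, and if that helper does not tolerate nil a single malformed SAN entry aborts identity extraction for the whole certificate, so guard it first: `name = nameprep(name); name = name and idna_to_unicode(name);`. The function also has no doc comment beyond the return-shape hint; a short LDoc block stating that it reads the SAN dNSName, XmppAddr and SRVName entries plus the subject CN, switches the certificate's string encoding to UTF-8 via setencode when that method exists, and returns the multitable's raw data would help the callers reached through the export added in the third hunk.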