prosody
b19438c2ca1b
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 7140:b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 05 Feb 2016 00:03:41 +0000 |
| parent | 7122:89c51ee23122 |
| child | 7144:f855ba7da30e |
comparison
equal
deleted
inserted
replaced
| 7139:2f9088c663c6 | 7140:b19438c2ca1b |
|---|---|
| 54 local global_certificates = configmanager.get("*", "certificates") or "certs"; | 54 local global_certificates = configmanager.get("*", "certificates") or "certs"; |
| 55 | 55 |
| 56 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; | 56 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
| 57 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; | 57 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
| 58 | 58 |
| 59 local function find_cert(host) | 59 local function find_cert(user_certs, name) |
| 60 local certs = configmanager.get(host, "certificate") or global_certificates; | 60 local certs = resolve_path(config_path, user_certs or global_certificates); |
| 61 certs = resolve_path(config_path, certs); | |
| 62 for i = 1, #crt_try do | 61 for i = 1, #crt_try do |
| 63 local crt_path = certs .. crt_try[i]:format(host); | 62 local crt_path = certs .. crt_try[i]:format(name); |
| 64 local key_path = certs .. key_try[i]:format(host); | 63 local key_path = certs .. key_try[i]:format(name); |
| 65 | 64 |
| 66 if stat(crt_path, "mode") == "file" then | 65 if stat(crt_path, "mode") == "file" then |
| 67 if stat(key_path, "mode") == "file" then | 66 if stat(key_path, "mode") == "file" then |
| 68 return { certificate = crt_path, key = key_path }; | 67 return { certificate = crt_path, key = key_path }; |
| 69 end | 68 end |
| 73 return { certificate = crt_path, key = key_path }; | 72 return { certificate = crt_path, key = key_path }; |
| 74 end | 73 end |
| 75 end | 74 end |
| 76 end | 75 end |
| 77 end | 76 end |
| 77 end | |
| 78 | |
| 79 local function find_host_cert(host) | |
| 80 if not host then return nil; end | |
| 81 return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); | |
| 82 end | |
| 83 | |
| 84 local function find_service_cert(service, port) | |
| 85 local cert_config = configmanager.get("*", service.."_certificate"); | |
| 86 if type(cert_config) == "table" then | |
| 87 cert_config = cert_config[port] or cert_config.default; | |
| 88 end | |
| 89 return find_cert(cert_config, service); | |
| 78 end | 90 end |
| 79 | 91 |
| 80 -- Built-in defaults | 92 -- Built-in defaults |
| 81 local core_defaults = { | 93 local core_defaults = { |
| 82 capath = "/etc/ssl/certs"; | 94 capath = "/etc/ssl/certs"; |
| 107 | 119 |
| 108 local function create_context(host, mode, ...) | 120 local function create_context(host, mode, ...) |
| 109 local cfg = new_config(); | 121 local cfg = new_config(); |
| 110 cfg:apply(core_defaults); | 122 cfg:apply(core_defaults); |
| 111 cfg:apply(global_ssl_config); | 123 cfg:apply(global_ssl_config); |
| 112 cfg:apply(find_cert(host) or find_cert(host:match("%.(.*)"))); | 124 local service_name, port = host:match("^(%w+) port (%d+)$"); |
| 125 if service_name then | |
| 126 cfg:apply(find_service_cert(service_name, tonumber(port))); | |
| 127 else | |
| 128 cfg:apply(find_host_cert(host)); | |
| 129 end | |
| 113 cfg:apply({ | 130 cfg:apply({ |
| 114 mode = mode, | 131 mode = mode, |
| 115 -- We can't read the password interactively when daemonized | 132 -- We can't read the password interactively when daemonized |
| 116 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | 133 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
| 117 }); | 134 }); |
