prosody
f04db5e7e90d
util/x509.lua
Software / code / prosody
Comparison
util/x509.lua @ 4486:f04db5e7e90d
user.x509: Add some utility functions for generating OpenSSL configs
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 20 Jan 2012 21:59:13 +0100 |
| parent | 4330:520fcb333cba |
| child | 4825:5fdc36bd866c |
comparison
equal
deleted
inserted
replaced
| 4485:abfd27b59fa8 | 4486:f04db5e7e90d |
|---|---|
| 19 -- [PKIX] - http://tools.ietf.org/html/rfc5280 | 19 -- [PKIX] - http://tools.ietf.org/html/rfc5280 |
| 20 | 20 |
| 21 local nameprep = require "util.encodings".stringprep.nameprep; | 21 local nameprep = require "util.encodings".stringprep.nameprep; |
| 22 local idna_to_ascii = require "util.encodings".idna.to_ascii; | 22 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
| 23 local log = require "util.logger".init("x509"); | 23 local log = require "util.logger".init("x509"); |
| 24 local pairs, ipairs = pairs, ipairs; | |
| 25 local s_format = string.format; | |
| 26 local t_insert = table.insert; | |
| 27 local t_concat = table.concat; | |
| 24 | 28 |
| 25 module "x509" | 29 module "x509" |
| 26 | 30 |
| 27 local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3 | 31 local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3 |
| 28 local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6 | 32 local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6 |
| 206 | 210 |
| 207 -- If all else fails, well, why should we be any different? | 211 -- If all else fails, well, why should we be any different? |
| 208 return false | 212 return false |
| 209 end | 213 end |
| 210 | 214 |
| 215 -- TODO Rename? Split out subroutines? | |
| 216 -- Also, this is probably openssl specific, what TODO about that? | |
| 217 function genx509san(hosts, config, certhosts, raw) -- recive config through that or some better way? | |
| 218 local function utf8string(s) | |
| 219 -- This is how we tell openssl not to encode UTF-8 strings as Latin1 | |
| 220 return s_format("FORMAT:UTF8,UTF8:%s", s); | |
| 221 end | |
| 222 | |
| 223 local function ia5string(s) | |
| 224 return s_format("IA5STRING:%s", s); | |
| 225 end | |
| 226 | |
| 227 local function dnsname(t, host) | |
| 228 t_insert(t.DNS, idna_to_ascii(host)); | |
| 229 end | |
| 230 | |
| 231 local function srvname(t, host, service) | |
| 232 t_insert(t.otherName, s_format("%s;%s", oid_dnssrv, ia5string("_" .. service .."." .. idna_to_ascii(host)))); | |
| 233 end | |
| 234 | |
| 235 local function xmppAddr(t, host) | |
| 236 t_insert(t.otherName, s_format("%s;%s", oid_xmppaddr, utf8string(host))); | |
| 237 end | |
| 238 | |
| 239 ----------------------------- | |
| 240 | |
| 241 local san = { | |
| 242 DNS = {}; | |
| 243 otherName = {}; | |
| 244 }; | |
| 245 | |
| 246 local sslsanconf = { }; | |
| 247 | |
| 248 for i = 1,#certhosts do | |
| 249 local certhost = certhosts[i]; | |
| 250 for name, host in pairs(hosts) do | |
| 251 if name == certhost or name:sub(-1-#certhost) == "."..certhost then | |
| 252 dnsname(san, name); | |
| 253 --print(name .. "#component_module: " .. (config.get(name, "core", "component_module") or "nil")); | |
| 254 if config.get(name, "core", "component_module") == nil then | |
| 255 srvname(san, name, "xmpp-client"); | |
| 256 end | |
| 257 --print(name .. "#anonymous_login: " .. tostring(config.get(name, "core", "anonymous_login"))); | |
| 258 if not (config.get(name, "core", "anonymous_login") or | |
| 259 config.get(name, "core", "authentication") == "anonymous") then | |
| 260 srvname(san, name, "xmpp-server"); | |
| 261 end | |
| 262 xmppAddr(san, name); | |
| 263 end | |
| 264 end | |
| 265 end | |
| 266 | |
| 267 for t, n in pairs(san) do | |
| 268 for i = 1,#n do | |
| 269 t_insert(sslsanconf, s_format("%s.%d = %s", t, i -1, n[i])); | |
| 270 end | |
| 271 end | |
| 272 | |
| 273 return raw and sslsanconf or t_concat(sslsanconf, "\n"); | |
| 274 end | |
| 275 | |
| 276 function baseconf() | |
| 277 return { | |
| 278 req = { | |
| 279 distinguished_name = "distinguished_name", | |
| 280 req_extensions = "v3_extensions", | |
| 281 x509_extensions = "v3_extensions", | |
| 282 prompt = "no", | |
| 283 }, | |
| 284 distinguished_name = { | |
| 285 commonName = "example.com", | |
| 286 countryName = "GB", | |
| 287 localityName = "The Internet", | |
| 288 organizationName = "Your Organisation", | |
| 289 organizationalUnitName = "XMPP Department", | |
| 290 emailAddress = "xmpp@example.com", | |
| 291 }, | |
| 292 v3_extensions = { | |
| 293 basicConstraints = "CA:FALSE", | |
| 294 keyUsage = "digitalSignature,keyEncipherment", | |
| 295 extendedKeyUsage = "serverAuth,clientAuth", | |
| 296 subjectAltName = "@subject_alternative_name", | |
| 297 }, | |
| 298 subject_alternative_name = { }, | |
| 299 } | |
| 300 end | |
| 301 | |
| 302 function serialize_conf(conf) | |
| 303 local s = ""; | |
| 304 for k, t in pairs(conf) do | |
| 305 s = s .. ("[%s]\n"):format(k); | |
| 306 if t[1] then | |
| 307 for i, v in ipairs(t) do | |
| 308 s = s .. ("%s\n"):format(v); | |
| 309 end | |
| 310 else | |
| 311 for k, v in pairs(t) do | |
| 312 s = s .. ("%s = %s\n"):format(k, v); | |
| 313 end | |
| 314 end | |
| 315 s = s .. "\n"; | |
| 316 end | |
| 317 return s; | |
| 318 end | |
| 319 | |
| 211 return _M; | 320 return _M; |
