Diff

util/x509.lua @ 10259:9df135b06c2f

util.x509: Return sets of services per identity
author Kim Alvefur <zash@zash.se>
date Tue, 10 Sep 2019 18:41:36 +0200
parent 10256:b2e7b07f8b74
child 10494:69e55b03d5cf
line wrap: on
line diff
--- a/util/x509.lua	Wed Sep 11 15:10:31 2019 +0100
+++ b/util/x509.lua	Tue Sep 10 18:41:36 2019 +0200
@@ -23,7 +23,9 @@
 local idna_to_unicode = require "util.encodings".idna.to_unicode;
 local base64 = require "util.encodings".base64;
 local log = require "util.logger".init("x509");
+local mt = require "util.multitable";
 local s_format = string.format;
+local ipairs = ipairs;
 
 local _ENV = nil;
 -- luacheck: std none
@@ -218,18 +220,43 @@
 end
 
 -- TODO Support other SANs
-local function get_identities(cert) --> set of names
+local function get_identities(cert) --> map of names to sets of services
 	if cert.setencode then
 		cert:setencode("utf8");
 	end
 
-	local names = {};
+	local names = mt.new();
 
 	local ext = cert:extensions();
 	local sans = ext[oid_subjectaltname];
-	if sans and sans["dNSName"] then
-		for i = 1, #sans["dNSName"] do
-			names[ idna_to_unicode(sans["dNSName"][i]) ] = true;
+	if sans then
+		if sans["dNSName"] then -- Valid for any service
+			for _, name in ipairs(sans["dNSName"]) do
+				name = idna_to_unicode(nameprep(name));
+				if name then
+					names:set(name, "*", true);
+				end
+			end
+		end
+		if sans[oid_xmppaddr] then
+			for _, name in ipairs(sans[oid_xmppaddr]) do
+				name = nameprep(name);
+				if name then
+					names:set(name, "xmpp-client", true);
+					names:set(name, "xmpp-server", true);
+				end
+			end
+		end
+		if sans[oid_dnssrv] then
+			for _, srvname in ipairs(sans[oid_dnssrv]) do
+				local srv, name = srvname:match("^_([^.]+)%.(.*)");
+				if srv then
+					name = nameprep(name);
+					if name then
+						names:set(name, srv, true);
+					end
+				end
+			end
 		end
 	end
 
@@ -239,11 +266,11 @@
 		if dn.oid == oid_commonname then
 			local name = nameprep(dn.value);
 			if name and idna_to_ascii(name) then
-				names[name] = true;
+				names:set("*", name, true);
 			end
 		end
 	end
-	return names;
+	return names.data;
 end
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..