diff options
Diffstat (limited to 'util')
| -rw-r--r-- | util/openssl.lua | 156 | ||||
| -rw-r--r-- | util/rfc3484.lua | 4 | ||||
| -rw-r--r-- | util/x509.lua | 105 |
3 files changed, 158 insertions, 107 deletions
diff --git a/util/openssl.lua b/util/openssl.lua new file mode 100644 index 00000000..8fdb9b4a --- /dev/null +++ b/util/openssl.lua @@ -0,0 +1,156 @@ +local type, tostring, pairs, ipairs = type, tostring, pairs, ipairs; +local t_insert, t_concat = table.insert, table.concat; +local s_format = string.format; + +local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE] +local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID] + +local idna_to_ascii = require "util.encodings".idna.to_ascii; + +local _M = {}; +local config = {}; +_M.config = config; + +local ssl_config = {}; +local ssl_config_mt = {__index=ssl_config}; + +function config.new() + return setmetatable({ + req = { + distinguished_name = "distinguished_name", + req_extensions = "v3_extensions", + x509_extensions = "v3_extensions", + prompt = "no", + }, + distinguished_name = { + commonName = "example.com", + countryName = "GB", + localityName = "The Internet", + organizationName = "Your Organisation", + organizationalUnitName = "XMPP Department", + emailAddress = "xmpp@example.com", + }, + v3_extensions = { + basicConstraints = "CA:FALSE", + keyUsage = "digitalSignature,keyEncipherment", + extendedKeyUsage = "serverAuth,clientAuth", + subjectAltName = "@subject_alternative_name", + }, + subject_alternative_name = { + DNS = {}, + otherName = {}, + }, + }, ssl_config_mt); +end + +function ssl_config:serialize() + local s = ""; + for k, t in pairs(self) do + s = s .. ("[%s]\n"):format(k); + if k == "subject_alternative_name" then + for san, n in pairs(t) do + for i = 1,#n do + s = s .. s_format("%s.%d = %s\n", san, i -1, n[i]); + end + end + else + for k, v in pairs(t) do + s = s .. ("%s = %s\n"):format(k, v); + end + end + s = s .. "\n"; + end + return s; +end + +local function utf8string(s) + -- This is how we tell openssl not to encode UTF-8 strings as fake Latin1 + return s_format("FORMAT:UTF8,UTF8:%s", s); +end + +local function ia5string(s) + return s_format("IA5STRING:%s", s); +end + +local util = {}; +_M.util = { + utf8string = utf8string, + ia5string = ia5string, +}; + +local function xmppAddr(t, host) +end + +function ssl_config:add_dNSName(host) + t_insert(self.subject_alternative_name.DNS, idna_to_ascii(host)); +end + +function ssl_config:add_sRVName(host, service) + t_insert(self.subject_alternative_name.otherName, + s_format("%s;%s", oid_dnssrv, ia5string("_" .. service .."." .. idna_to_ascii(host)))); +end + +function ssl_config:add_xmppAddr(host) + t_insert(self.subject_alternative_name.otherName, + s_format("%s;%s", oid_xmppaddr, utf8string(host))); +end + +function ssl_config:from_prosody(hosts, config, certhosts, raw) + -- TODO Decide if this should go elsewhere + local found_matching_hosts = false; + for i = 1,#certhosts do + local certhost = certhosts[i]; + for name, host in pairs(hosts) do + if name == certhost or name:sub(-1-#certhost) == "."..certhost then + found_matching_hosts = true; + self:add_dNSName(name); + --print(name .. "#component_module: " .. (config.get(name, "core", "component_module") or "nil")); + if config.get(name, "core", "component_module") == nil then + self:add_sRVName(name, "xmpp-client"); + end + --print(name .. "#anonymous_login: " .. tostring(config.get(name, "core", "anonymous_login"))); + if not (config.get(name, "core", "anonymous_login") or + config.get(name, "core", "authentication") == "anonymous") then + self:add_sRVName(name, "xmpp-server"); + end + self:add_xmppAddr(name); + end + end + end + if not found_matching_hosts then + return nil, "no-matching-hosts"; + end +end + +do -- Lua to shell calls. + local function shell_escape(s) + return s:gsub("'",[['\'']]); + end + + local function serialize(f,o) + local r = {"openssl", f}; + for k,v in pairs(o) do + if type(k) == "string" then + t_insert(r, ("-%s"):format(k)); + if v ~= true then + t_insert(r, ("'%s'"):format(shell_escape(tostring(v)))); + end + end + end + for k,v in ipairs(o) do + t_insert(r, ("'%s'"):format(shell_escape(tostring(v)))); + end + return t_concat(r, " "); + end + + local os_execute = os.execute; + setmetatable(_M, { + __index=function(self,f) + return function(opts) + return 0 == os_execute(serialize(f, type(opts) == "table" and opts or {})); + end; + end; + }); +end + +return _M; diff --git a/util/rfc3484.lua b/util/rfc3484.lua index dd855a84..5ee572a0 100644 --- a/util/rfc3484.lua +++ b/util/rfc3484.lua @@ -19,7 +19,7 @@ local function t_sort(t, comp) end end -function source(dest, candidates) +local function source(dest, candidates) local function comp(ipA, ipB) -- Rule 1: Prefer same address if dest == ipA then @@ -70,7 +70,7 @@ function source(dest, candidates) return candidates[1]; end -function destination(candidates, sources) +local function destination(candidates, sources) local sourceAddrs = {}; local function comp(ipA, ipB) local ipAsource = sourceAddrs[ipA]; diff --git a/util/x509.lua b/util/x509.lua index f106e6fa..19d4ec6d 100644 --- a/util/x509.lua +++ b/util/x509.lua @@ -212,109 +212,4 @@ function verify_identity(host, service, cert) return false end --- TODO Rename? Split out subroutines? --- Also, this is probably openssl specific, what TODO about that? -function genx509san(hosts, config, certhosts, raw) -- recive config through that or some better way? - local function utf8string(s) - -- This is how we tell openssl not to encode UTF-8 strings as Latin1 - return s_format("FORMAT:UTF8,UTF8:%s", s); - end - - local function ia5string(s) - return s_format("IA5STRING:%s", s); - end - - local function dnsname(t, host) - t_insert(t.DNS, idna_to_ascii(host)); - end - - local function srvname(t, host, service) - t_insert(t.otherName, s_format("%s;%s", oid_dnssrv, ia5string("_" .. service .."." .. idna_to_ascii(host)))); - end - - local function xmppAddr(t, host) - t_insert(t.otherName, s_format("%s;%s", oid_xmppaddr, utf8string(host))); - end - - ----------------------------- - - local san = { - DNS = {}; - otherName = {}; - }; - - local sslsanconf = { }; - - for i = 1,#certhosts do - local certhost = certhosts[i]; - for name, host in pairs(hosts) do - if name == certhost or name:sub(-1-#certhost) == "."..certhost then - dnsname(san, name); - --print(name .. "#component_module: " .. (config.get(name, "core", "component_module") or "nil")); - if config.get(name, "core", "component_module") == nil then - srvname(san, name, "xmpp-client"); - end - --print(name .. "#anonymous_login: " .. tostring(config.get(name, "core", "anonymous_login"))); - if not (config.get(name, "core", "anonymous_login") or - config.get(name, "core", "authentication") == "anonymous") then - srvname(san, name, "xmpp-server"); - end - xmppAddr(san, name); - end - end - end - - for t, n in pairs(san) do - for i = 1,#n do - t_insert(sslsanconf, s_format("%s.%d = %s", t, i -1, n[i])); - end - end - - return raw and sslsanconf or t_concat(sslsanconf, "\n"); -end - -function baseconf() - return { - req = { - distinguished_name = "distinguished_name", - req_extensions = "v3_extensions", - x509_extensions = "v3_extensions", - prompt = "no", - }, - distinguished_name = { - commonName = "example.com", - countryName = "GB", - localityName = "The Internet", - organizationName = "Your Organisation", - organizationalUnitName = "XMPP Department", - emailAddress = "xmpp@example.com", - }, - v3_extensions = { - basicConstraints = "CA:FALSE", - keyUsage = "digitalSignature,keyEncipherment", - extendedKeyUsage = "serverAuth,clientAuth", - subjectAltName = "@subject_alternative_name", - }, - subject_alternative_name = { }, - } -end - -function serialize_conf(conf) - local s = ""; - for k, t in pairs(conf) do - s = s .. ("[%s]\n"):format(k); - if t[1] then - for i, v in ipairs(t) do - s = s .. ("%s\n"):format(v); - end - else - for k, v in pairs(t) do - s = s .. ("%s = %s\n"):format(k, v); - end - end - s = s .. "\n"; - end - return s; -end - return _M; |