search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Prepare required data folder for integration tests
[prosody.git] / util / openssl.lua
blob32b5aea7e0d571a2e0e2a99d8f1afc47f3d31364
1 local type, tostring, pairs, ipairs = type, tostring, pairs, ipairs;
2 local t_insert, t_concat = table.insert, table.concat;
3 local s_format = string.format;
4
5 local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE]
6 local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
7
8 local idna_to_ascii = require "util.encodings".idna.to_ascii;
9
10 local _M = {};
11 local config = {};
12 _M.config = config;
13
14 local ssl_config = {};
15 local ssl_config_mt = { __index = ssl_config };
16
17 function config.new()
18 return setmetatable({
19 req = {
20 distinguished_name = "distinguished_name",
21 req_extensions = "certrequest",
22 x509_extensions = "selfsigned",
23 prompt = "no",
24 },
25 distinguished_name = {
26 countryName = "GB",
27 -- stateOrProvinceName = "",
28 localityName = "The Internet",
29 organizationName = "Your Organisation",
30 organizationalUnitName = "XMPP Department",
31 commonName = "example.com",
32 emailAddress = "xmpp@example.com",
33 },
34 certrequest = {
35 basicConstraints = "CA:FALSE",
36 keyUsage = "digitalSignature,keyEncipherment",
37 extendedKeyUsage = "serverAuth,clientAuth",
38 subjectAltName = "@subject_alternative_name",
39 },
40 selfsigned = {
41 basicConstraints = "CA:TRUE",
42 subjectAltName = "@subject_alternative_name",
43 },
44 subject_alternative_name = {
45 DNS = {},
46 otherName = {},
47 },
48 }, ssl_config_mt);
49 end
50
51 local DN_order = {
52 "countryName";
53 "stateOrProvinceName";
54 "localityName";
55 "streetAddress";
56 "organizationName";
57 "organizationalUnitName";
58 "commonName";
59 "emailAddress";
60 }
61 _M._DN_order = DN_order;
62 function ssl_config:serialize()
63 local s = "";
64 for section, t in pairs(self) do
65 s = s .. ("[%s]\n"):format(section);
66 if section == "subject_alternative_name" then
67 for san, n in pairs(t) do
68 for i = 1, #n do
69 s = s .. s_format("%s.%d = %s\n", san, i -1, n[i]);
70 end
71 end
72 elseif section == "distinguished_name" then
73 for _, k in ipairs(t[1] and t or DN_order) do
74 local v = t[k];
75 if v then
76 s = s .. ("%s = %s\n"):format(k, v);
77 end
78 end
79 else
80 for k, v in pairs(t) do
81 s = s .. ("%s = %s\n"):format(k, v);
82 end
83 end
84 s = s .. "\n";
85 end
86 return s;
87 end
88
89 local function utf8string(s)
90 -- This is how we tell openssl not to encode UTF-8 strings as fake Latin1
91 return s_format("FORMAT:UTF8,UTF8:%s", s);
92 end
93
94 local function ia5string(s)
95 return s_format("IA5STRING:%s", s);
96 end
97
98 _M.util = {
99 utf8string = utf8string,
100 ia5string = ia5string,
101 };
102
103 function ssl_config:add_dNSName(host)
104 t_insert(self.subject_alternative_name.DNS, idna_to_ascii(host));
105 end
106
107 function ssl_config:add_sRVName(host, service)
108 t_insert(self.subject_alternative_name.otherName,
109 s_format("%s;%s", oid_dnssrv, ia5string("_" .. service .. "." .. idna_to_ascii(host))));
110 end
111
112 function ssl_config:add_xmppAddr(host)
113 t_insert(self.subject_alternative_name.otherName,
114 s_format("%s;%s", oid_xmppaddr, utf8string(host)));
115 end
116
117 function ssl_config:from_prosody(hosts, config, certhosts) -- luacheck: ignore 431/config
118 -- TODO Decide if this should go elsewhere
119 local found_matching_hosts = false;
120 for i = 1, #certhosts do
121 local certhost = certhosts[i];
122 for name in pairs(hosts) do
123 if name == certhost or name:sub(-1-#certhost) == "." .. certhost then
124 found_matching_hosts = true;
125 self:add_dNSName(name);
126 --print(name .. "#component_module: " .. (config.get(name, "component_module") or "nil"));
127 if config.get(name, "component_module") == nil then
128 self:add_sRVName(name, "xmpp-client");
129 end
130 --print(name .. "#anonymous_login: " .. tostring(config.get(name, "anonymous_login")));
131 if not (config.get(name, "anonymous_login") or
132 config.get(name, "authentication") == "anonymous") then
133 self:add_sRVName(name, "xmpp-server");
134 end
135 self:add_xmppAddr(name);
136 end
137 end
138 end
139 if not found_matching_hosts then
140 return nil, "no-matching-hosts";
141 end
142 end
143
144 do -- Lua to shell calls.
145 local function shell_escape(s)
146 return "'" .. tostring(s):gsub("'",[['\'']]) .. "'";
147 end
148
149 local function serialize(command, args)
150 local commandline = { "openssl", command };
151 for k, v in pairs(args) do
152 if type(k) == "string" then
153 t_insert(commandline, ("-%s"):format(k));
154 if v ~= true then
155 t_insert(commandline, shell_escape(v));
156 end
157 end
158 end
159 for _, v in ipairs(args) do
160 t_insert(commandline, shell_escape(v));
161 end
162 return t_concat(commandline, " ");
163 end
164
165 local os_execute = os.execute;
166 setmetatable(_M, {
167 __index = function(_, command)
168 return function(opts)
169 local ret = os_execute(serialize(command, type(opts) == "table" and opts or {}));
170 return ret == true or ret == 0;
171 end;
172 end;
173 });
174 end
175
176 return _M;
Prosody is a modern XMPP communication server.