From: Matthew Wild <mwild1@gmail.com>
Date: Fri, 5 Feb 2016 00:03:41 +0000 (+0000)
Subject: certmanager: Support new certificate configuration for non-XMPP services too (fixes... 
X-Git-Url: https://git.enpas.org/?a=commitdiff_plain;h=5874ba5e9508dd50dc0e5e6c692136b24a56f7fe;p=prosody.git

certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
---

diff --git a/core/certmanager.lua b/core/certmanager.lua
index db3cf58e..b1ff648d 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -56,12 +56,11 @@ local global_certificates = configmanager.get("*", "certificates") or "certs";
 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
 local key_try = { "", "/%s.key", "/%s/privkey.pem",   "/%s.pem", };
 
-local function find_cert(host)
-	local certs = configmanager.get(host, "certificate") or global_certificates;
-	certs = resolve_path(config_path, certs);
+local function find_cert(user_certs, name)
+	local certs = resolve_path(config_path, user_certs or global_certificates);
 	for i = 1, #crt_try do
-		local crt_path = certs .. crt_try[i]:format(host);
-		local key_path = certs .. key_try[i]:format(host);
+		local crt_path = certs .. crt_try[i]:format(name);
+		local key_path = certs .. key_try[i]:format(name);
 
 		if stat(crt_path, "mode") == "file" then
 			if stat(key_path, "mode") == "file" then
@@ -77,6 +76,19 @@ local function find_cert(host)
 	end
 end
 
+local function find_host_cert(host)
+	if not host then return nil; end
+	return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
+end
+
+local function find_service_cert(service, port)
+	local cert_config = configmanager.get("*", service.."_certificate");
+	if type(cert_config) == "table" then
+		cert_config = cert_config[port] or cert_config.default;
+	end
+	return find_cert(cert_config, service);
+end
+
 -- Built-in defaults
 local core_defaults = {
 	capath = "/etc/ssl/certs";
@@ -109,7 +121,12 @@ local function create_context(host, mode, ...)
 	local cfg = new_config();
 	cfg:apply(core_defaults);
 	cfg:apply(global_ssl_config);
-	cfg:apply(find_cert(host) or find_cert(host:match("%.(.*)")));
+	local service_name, port = host:match("^(%w+) port (%d+)$");
+	if service_name then
+		cfg:apply(find_service_cert(service_name, tonumber(port)));
+	else
+		cfg:apply(find_host_cert(host));
+	end
 	cfg:apply({
 		mode = mode,
 		-- We can't read the password interactively when daemonized