Mercurial > prosody-modules
annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5406:b86d80e21c60
mod_http_oauth2: Validate consistency of response and grant types
Ensure that these correlated fields make sense per RFC 7591 ยง 2.1, even
though we currently only check the response type during authorization.
This could probably all be deleted if (when!) we remove the implicit
grant, since then these things don't make any sense anymore.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:34:31 +0200 |
parents | 27ffa6521d4e |
children |
rev | line source |
---|---|
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_s2s_keysize_policy.lua |
1204
fc42f8484451
mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents:
1203
diff
changeset
|
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12 |
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 module:set_global(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local datetime_parse = require"util.datetime".parse; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local function parse_x509_datetime(s) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month]; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 -- From RFC 4492 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local weak_key_size = { |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 RSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 DSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 DH = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 EC = 233, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 } |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 module:hook("s2s-check-certificate", function(event) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 local host, session, cert = event.host, event.session, event.cert; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 if cert and cert.pubkey then |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 local _, key_type, key_size = cert:pubkey(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 if key_size < ( weak_key_size[key_type] or 0 ) then |
1325
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
29 local issued = parse_x509_datetime(cert:notbefore()); |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
30 if issued > weak_key_cutoff then |
2424
27ffa6521d4e
mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error
Kim Alvefur <zash@zash.se>
parents:
1325
diff
changeset
|
31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); |
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 session.cert_chain_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 session.cert_identity_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 end); |