comparison mod_client_certs/mod_client_certs.lua @ 698:3a3293f37139

mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
author Thijs Alkemade <thijsalkemade@gmail.com>
date Tue, 05 Jun 2012 20:47:02 +0200
parents c3337f62a538
children 151743149f07
10 local dm_load = require "util.datamanager".load; 10 local dm_load = require "util.datamanager".load;
11 local dm_store = require "util.datamanager".store; 11 local dm_store = require "util.datamanager".store;
12 local dm_table = "client_certs"; 12 local dm_table = "client_certs";
13 local x509 = require "ssl.x509"; 13 local x509 = require "ssl.x509";
14 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; 14 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
15 local id_ce_subjectAltName = "2.5.29.17";
15 local digest_algo = "sha1"; 16 local digest_algo = "sha1";
16 17
17 local function enable_cert(username, cert, info) 18 local function enable_cert(username, cert, info)
18 local certs = dm_load(username, module.host, dm_table) or {}; 19 local certs = dm_load(username, module.host, dm_table) or {};
19 local all_certs = dm_load(nil, module.host, dm_table) or {}; 20 local all_certs = dm_load(nil, module.host, dm_table) or {};
118 if not cert:valid_at(os.time()) then 119 if not cert:valid_at(os.time()) then
119 module:log("debug", "This certificate is not valid at this moment."); 120 module:log("debug", "This certificate is not valid at this moment.");
120 end 121 end
121 122
122 local valid_id_on_xmppAddrs; 123 local valid_id_on_xmppAddrs;
123 local require_id_on_xmppAddr = false; 124 local require_id_on_xmppAddr = true;
124 if require_id_on_xmppAddr then 125 if require_id_on_xmppAddr then
125 --local info = {};
126 valid_id_on_xmppAddrs = {}; 126 valid_id_on_xmppAddrs = {};
127 for _,v in ipairs(cert:subject()) do 127 for k,ext in pairs(cert:extensions()) do
128 --info[#info+1] = (v.name or v.oid) ..":" .. v.value; 128 if k == id_ce_subjectAltName then
129 if v.oid == id_on_xmppAddr then 129 for e,extv in pairs(ext) do
130 if jid_bare(v.value) == jid_bare(origin.full_jid) then 130 if e == id_on_xmppAddr then
131 module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid."); 131 if jid_bare(extv[1]) == jid_bare(origin.full_jid) then
132 valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = v.value; 132 module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid.");
133 -- Is there a point in having >1 ids? Reject?! 133 valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = extv[1];
134 else 134 -- Is there a point in having >1 ids? Reject?!
135 module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value); 135 else
136 -- Reject? 136 module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value);
137 -- Reject?
138 end
139 end
137 end 140 end
138 end 141 end
139 end 142 end
140 143
141 if #valid_id_on_xmppAddrs == 0 then 144 if #valid_id_on_xmppAddrs == 0 then
173 if not name then 176 if not name then
174 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); 177 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
175 return true 178 return true
176 end 179 end
177 180
178 local disabled_cert = disable_cert(origin.username, name):pem(); 181 local disabled_cert = disable_cert(origin.username, name);
179 182
180 if disable.name == "revoke" then 183 if disabled_cert and disable.name == "revoke" then
181 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid); 184 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid);
182 local sessions = hosts[module.host].sessions[origin.username].sessions; 185 local sessions = hosts[module.host].sessions[origin.username].sessions;
186 local disabled_cert_pem = disabled_cert:pem();
183 187
184 for _, session in pairs(sessions) do 188 for _, session in pairs(sessions) do
185 local cert = session.external_auth_cert; 189 local cert = session.external_auth_cert;
186 190
187 if cert and cert == disabled_cert then 191 if cert and cert == disabled_cert_pem then
188 module:log("debug", "Found a session that should be closed: %s", tostring(session)); 192 module:log("debug", "Found a session that should be closed: %s", tostring(session));
189 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; 193 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
190 end 194 end
191 end 195 end
192 end 196 end
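Review bot: The else branch at new line 136 still logs `v.value`, but after this rewrite `v` is no longer bound anywhere (the loop variables are now `k`, `ext`, `e` and `extv`), so a presented certificate whose id-on-xmppAddr does not match the session's bare JID hits an index-on-nil error in the handler instead of being logged and rejected; the line should read `module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", extv[1]);`. The new loop also only compares `extv[1]`, so if the SAN carries several id-on-xmppAddr values under one key (the comment "Is there a point in having >1 ids?" already anticipates this) any match after the first is silently ignored — presumably an inner `for _, addr in ipairs(extv)` was intended, but confirm against the shape LuaSec's `extensions()` actually returns. The enclosing handler starts and ends outside the hunk.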