comparison mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 1203:5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Sep 2013 19:10:39 +0200 |
parents | |
children | fc42f8484451 |
1202:2cce28fe806b | 1203:5294c8c1861c |
---|---|
1 -- mod_s2s_keysize_policy.lua | |
2 | |
3 module:set_global(); | |
4 | |
5 local datetime_parse = require"util.datetime".parse; | |
6 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; | |
7 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; | |
8 local function parse_x509_datetime(s) | |
9 local month, day, hour, min, sec, year = s:match(pat); month = months[month]; | |
10 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); | |
11 end | |
12 | |
13 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); | |
14 | |
15 -- From RFC 4492 | |
16 local weak_key_size = { | |
17 RSA = 2048, | |
18 DSA = 2048, | |
19 DH = 2048, | |
20 EC = 233, | |
21 } | |
22 | |
23 module:hook("s2s-check-certificate", function(event) | |
24 local host, session, cert = event.host, event.session, event.cert; | |
25 if cert and cert.pubkey then | |
26 local _, key_type, key_size = cert:pubkey(); | |
27 if key_size < ( weak_key_size[key_type] or 0 ) then | |
28 local issued = parse_x509_datetime(cert:notbefore()); | |
29 if issued > weak_key_cutoff then | |
30 session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); | |
31 session.cert_chain_status = "invalid"; | |
32 session.cert_identity_status = "invalid"; | |
33 else | |
34 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); | |
35 end | |
36 else | |
37 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); | |
38 end | |
39 end | |
40 end); |
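Review bot: `parse_x509_datetime` raises instead of returning when `s:match(pat)` fails, because `months[nil]` is nil and `format` is then called with nil arguments, so a certificate whose notBefore does not fit the expected `Mon DD HH:MM:SS YYYY GMT` shape aborts the hook before either `session.cert_chain_status` or `session.cert_identity_status` is set — the policy fails open on precisely the malformed input it should be most suspicious of. Returning nil on a failed match (`if not month then return nil; end` right after the match) and treating nil as past the cutoff in the hook (`if not issued or issued >= weak_key_cutoff then`) keeps the check fail-closed. That same comparison uses `>` against a cutoff of 2014-01-01T00:00:00Z, so a key issued at exactly that instant is only warned about although the commit message says keys issued after 31 December 2013 are not trusted; `>=` matches the stated policy. Whether an error thrown from this hook leaves a previously computed status in place depends on the hook runner, which is outside this file and worth confirming.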