Mercurial > prosody-modules
comparison mod_s2s_log_certs/mod_s2s_log_certs.lua @ 1009:fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 09 May 2013 13:37:55 +0200 |
| parents | |
| children | 79ef0427765f |
comparison
equal
deleted
inserted
replaced
| 1008:2b2d4b1de638 | 1009:fcba646eb20a |
|---|---|
| 1 module:set_global(); | |
| 2 | |
| 3 local dm_load = require "util.datamanager".load; | |
| 4 local dm_store = require "util.datamanager".store; | |
| 5 local datetime = require "util.datetime".datetime; | |
| 6 | |
| 7 local do_store = module:get_option_boolean(module:get_name().."_persist", false); | |
| 8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); | |
| 9 | |
| 10 local function note_cert_digest(event) | |
| 11 local session, remote_host, cert = event.session, event.host, event.cert; | |
| 12 | |
| 13 if not (remote_host and cert and cert.digest) then return end; | |
| 14 local digest = cert:digest(digest_algo); | |
| 15 | |
| 16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; | |
| 17 local chain_status = session.cert_chain_status; | |
| 18 local identity_status = session.cert_identity_status; | |
| 19 | |
| 20 module:log("info", "Spotted %s %s certificate used by %s with %s: %s", | |
| 21 chain_status == "valid" and "trusted" or "untrusted", | |
| 22 identity_status or "invalid", | |
| 23 remote_host, digest_algo:upper(), | |
| 24 digest:upper():gsub("..",":%0"):sub(2)); | |
| 25 | |
| 26 if do_store then | |
| 27 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; | |
| 28 | |
| 29 digest = digest_algo..":"..digest; | |
| 30 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } | |
| 31 this_cert.last = datetime(); | |
| 32 this_cert.times = this_cert.times + 1; | |
| 33 seen_certs[digest] = this_cert; | |
| 34 chain_status = chain_status; | |
| 35 identity_status = identity_status; | |
| 36 dm_store(remote_host, local_host, "s2s_certs", seen_certs); | |
| 37 end | |
| 38 end | |
| 39 | |
| 40 module:hook("s2s-check-certificate", note_cert_digest, 1000); | |
| 41 --[[ | |
| 42 function module.add_host(module) | |
| 43 module:hook("s2s-check-certificate", note_cert_digest, 1000); | |
| 44 end | |
| 45 ]] |