diff mod_auth_ccert/mod_auth_ccert.lua @ 1062:f853a1a3aa15

mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
author Kim Alvefur <zash@zash.se>
date Thu, 13 Jun 2013 21:25:12 +0200
parents
children b2a4679e7d20
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_auth_ccert/mod_auth_ccert.lua	Thu Jun 13 21:25:12 2013 +0200
@@ -0,0 +1,64 @@
+-- Copyright (C) 2013 Kim Alvefur
+--
+-- This file is MIT/X11 licensed.
+
+local jid_compare = require "util.jid".compare;
+local jid_split = require "util.jid".prepped_split;
+local new_sasl = require "util.sasl".new;
+local log = module._log;
+local subject_alternative_name = "2.5.29.17";
+local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
+local now = os.time;
+
+function get_sasl_handler(session)
+	return new_sasl(module.host, {
+		external = session.secure and function(authz)
+			if session.secure then
+				-- getpeercertificate() on a TCP connection would be bad, abort!
+				(session.log or log)("error", "How did you manage to select EXTERNAL without TLS?");
+				return nil, false;
+			end
+			local sock = session.conn:socket();
+			local cert = sock:getpeercertificate();
+			if not cert then
+				(session.log or log)("warn", "No certificate provided");
+				return nil, false;
+			end
+
+			if not cert:validat(now()) then
+				(session.log or log)("warn", "Client certificate expired")
+				return nil, "expired";
+			end
+
+			local chain_valid, chain_errors = sock:getpeerverification();
+			if not chain_valid then
+				(session.log or log)("warn", "Invalid client certificate chain");
+				for i, error in ipairs(chain_errors) do
+					(session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", "));
+				end
+				return nil, false;
+			end
+
+			local extensions = cert:extensions();
+			local SANs = extensions[subject_alternative_name];
+			local xmppAddrs = SANs and SANs[id_on_xmppAddr];
+
+			if not xmppAddrs then
+				(session.log or log)("warn", "Client certificate contains no xmppAddrs");
+				return nil, false;
+			end
+
+			for i=1,#xmppAddrs do
+				if authz == "" or jid_compare(authz, xmppAddrs[i]) then
+					(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
+					local username, host = jid_split(xmppAddrs[i]);
+					if host == module.host then
+						return username, true
+					end
+				end
+			end
+		end
+	});
+end
+
+module:provides "auth";