Mercurial > prosody-modules
diff mod_auth_ccert/mod_auth_ccert.lua @ 1062:f853a1a3aa15
mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 13 Jun 2013 21:25:12 +0200 |
parents | |
children | b2a4679e7d20 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_ccert/mod_auth_ccert.lua Thu Jun 13 21:25:12 2013 +0200 @@ -0,0 +1,64 @@ +-- Copyright (C) 2013 Kim Alvefur +-- +-- This file is MIT/X11 licensed. + +local jid_compare = require "util.jid".compare; +local jid_split = require "util.jid".prepped_split; +local new_sasl = require "util.sasl".new; +local log = module._log; +local subject_alternative_name = "2.5.29.17"; +local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; +local now = os.time; + +function get_sasl_handler(session) + return new_sasl(module.host, { + external = session.secure and function(authz) + if session.secure then + -- getpeercertificate() on a TCP connection would be bad, abort! + (session.log or log)("error", "How did you manage to select EXTERNAL without TLS?"); + return nil, false; + end + local sock = session.conn:socket(); + local cert = sock:getpeercertificate(); + if not cert then + (session.log or log)("warn", "No certificate provided"); + return nil, false; + end + + if not cert:validat(now()) then + (session.log or log)("warn", "Client certificate expired") + return nil, "expired"; + end + + local chain_valid, chain_errors = sock:getpeerverification(); + if not chain_valid then + (session.log or log)("warn", "Invalid client certificate chain"); + for i, error in ipairs(chain_errors) do + (session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", ")); + end + return nil, false; + end + + local extensions = cert:extensions(); + local SANs = extensions[subject_alternative_name]; + local xmppAddrs = SANs and SANs[id_on_xmppAddr]; + + if not xmppAddrs then + (session.log or log)("warn", "Client certificate contains no xmppAddrs"); + return nil, false; + end + + for i=1,#xmppAddrs do + if authz == "" or jid_compare(authz, xmppAddrs[i]) then + (session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz) + local username, host = jid_split(xmppAddrs[i]); + if host == module.host then + return username, true + end + end + end + end + }); +end + +module:provides "auth";