view mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua @ 1008:2b2d4b1de638

mod_s2s_auth_dnssec_srv: Implements Secure Delegation using DNS SRV
author Kim Alvefur <>
date Thu, 09 May 2013 13:36:53 +0200
children 29dcdea3c2be
line wrap: on
line source

-- Copyright (C) 2013 Kim Alvefur
-- This file is MIT/X11 licensed.
-- Implements Secure Delegation using DNS SRV as described in 
-- Dependecies:
-- Prosody above hg:43059357b2f0
-- DNSSEC-validating DNS resolver
--   libunbound binding using LuaJIT FFI


local nameprep = require"util.encodings".stringprep.nameprep;
local to_unicode = require"util.encodings".idna.to_unicode;
local cert_verify_identity = require "util.x509".verify_identity;

module:hook("s2s-check-certificate", function(event)
	local session, cert = event.session, event.cert;

	if session.cert_identity_status ~= "valid" and session.srv_choice
	and session.srv_hosts.answer and then
		local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$","")));
		(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
		if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
			(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
			session.cert_identity_status = "valid";