
mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
author Kim Alvefur <zash@zash.se>
date Mon, 16 Nov 2015 18:03:41 +0100
parents cfe360d9d82c
children a100f4a720cb

-- Load as a global (server-wide) module rather than once per VirtualHost;
-- the certificate check below applies to every s2s connection.
module:set_global();

local http_request = require"socket.http".request;
local ltn12 = require"ltn12";
local json = require"util.json";
local json_encode, json_decode = json.encode, json.decode;
local gettime = require"socket".gettime;
local serialize = require"util.serialization".serialize;

-- Address of the Monkeysphere Validation Agent, taken from the environment
-- Prosody was started in, with the agent's certificate review endpoint
-- appended. Module load is aborted when the variable is missing.
local msva_url = os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET";
assert(msva_url, "MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it");
msva_url = msva_url.."/reviewcert";

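--- Ask the Monkeysphere Validation Agent whether a peer certificate is
-- valid for the claimed host, and mark the session verified if it says so.
--
-- Only a positive answer has an effect: when the agent is unreachable,
-- answers with a non-200 status, returns something that is not a JSON
-- object, or rejects the certificate, the function returns nothing, so
-- any later "s2s-check-certificate" handlers still run and the session
-- stays unverified unless one of them succeeds.
--
-- Trust boundary: whatever answers at msva_url decides the outcome; a
-- "valid" reply replaces both the chain and the identity check, so the
-- agent address must not be reachable by untrusted parties.
--
-- @tparam table event with fields session, host (the remote domain being
--   authenticated) and cert (the peer certificate; must provide :pem())
-- @treturn boolean|nil true when the agent reported the certificate valid
local function check_with_monkeysphere(event)
	local session, host, cert = event.session, event.host, event.cert;
	local response_chunks = {};
	local post_body = json_encode {
		peer = {
			name = host;
			type = "peer";
		};
		-- The agent has no XMPP context yet, so the certificate is judged
		-- under the "https" rules for the same host name.
		context = "https";
		-- context = "xmpp"; -- Monkeysphere needs to be extended to understand this
		pkc = {
			type = "x509pem";
			data = cert:pem();
		};
	}
	local req = {
		method = "POST";
		url = msva_url;
		headers = {
			["Content-Type"] = "application/json";
			["Content-Length"] = tostring(#post_body); -- byte length of the JSON body
		};
		sink = ltn12.sink.table(response_chunks);
		source = ltn12.source.string(post_body);
	};
	session.log("debug", "Asking what Monkeysphere thinks about this certificate");
	local starttime = gettime();
	-- socket.http.request is synchronous: nothing else in the server is
	-- serviced while the agent is being waited on, hence the timing log.
	local ok, code = http_request(req);
	module:log("debug", "Request took %fs", gettime() - starttime);
	local body = table.concat(response_chunks);
	if not ok or code ~= 200 then
		-- On a transport failure 'ok' is nil and 'code' carries the error string.
		module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body));
		module:log("debug", serialize(req));
		return;
	end
	local reply, err = json_decode(body);
	if type(reply) ~= "table" then
		-- json_decode yields nil on malformed input, and a well-formed reply
		-- that is not a JSON object (a bare string or number) cannot be
		-- indexed below; neither case should be silently ignored.
		module:log("warn", "Could not parse Monkeysphere reply: %s", tostring(err or body));
		return;
	end
	-- tostring() guards against a missing message field, which would
	-- otherwise break the log call on Lua 5.1.
	session.log(reply.valid and "info" or "warn", "Monkeysphere thinks the cert is %salid: %s",
		reply.valid and "V" or "Inv", tostring(reply.message));
	if reply.valid then
		-- The agent's verdict stands in for the PKIX chain and identity checks.
		session.cert_chain_status = "valid";
		session.cert_identity_status = "valid";
		return true;
	end
end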

-- Consult the agent whenever a certificate is checked on an s2s connection.
-- The handler returns true (which stops further handlers) only when the
-- agent accepts the certificate; otherwise the usual checks continue.
module:hook("s2s-check-certificate", check_with_monkeysphere);