# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1398555823 -7200
# Node ID cf4e39334ef77b7ff93f3c7f72ae74513afe58fa
# Parent  33f132c3f4b7b06afd5546688104bdae75d70775
mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes)

diff -r 33f132c3f4b7 -r cf4e39334ef7 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Apr 27 01:40:20 2014 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Apr 27 01:43:43 2014 +0200
@@ -36,7 +36,14 @@
 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
 
 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
-local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" });
+if debug.getregistry()["SSL:Certificate"].__index.issued then
+	-- Need cert:issued() for these
+	implemented_uses:add("DANE-TA");
+	implemented_uses:add("PKIX-CA");
+else
+	module:log("warn", "Unable to support DANE-TA and PKIX-CA");
+end
+local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" });
 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
 
 local function dane_lookup(host_session, cb, a,b,c,e)
@@ -159,7 +166,7 @@
 	local session, cert = event.session, event.cert;
 	local dane = session.dane;
 	if type(dane) == "table" then
-		local use, tlsa, match_found, supported_found, is_match;
+		local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
 		for i = 1, #dane do
 			tlsa = dane[i].tlsa;
 			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
@@ -183,6 +190,33 @@
 						match_found = true;
 						break;
 					end
+				elseif use == 0 or use == 2 then
+					supported_found = true;
+					if chain == nil then
+						chain = session.conn:socket():getpeerchain();
+					end
+					for i = 2, #chain do
+						cacert, leafcert = chain[i], chain[i-1];
+						is_match = one_dane_check(tlsa, cacert);
+						if is_match ~= nil then
+							supported_found = true;
+						end
+						if use == 2 and not cacert:issued(leafcert or cacert) then
+							module:log("debug", "Broken chain");
+							break;
+						end
+						if is_match then
+							(session.log or module._log)("info", "DANE validation successful");
+							if use == 2 then -- DANE-TA
+								session.cert_identity_status = "valid";
+								session.cert_chain_status = "valid";
+								-- for usage 0, PKIX-CA, identity and chain has to be valid already
+							end
+							match_found = true;
+							break;
+						end
+					end
+					if match_found then break end
 				end
 			end
 		end