# HG changeset patch # User Kim Alvefur # Date 1400493409 -7200 # Node ID cfe360d9d82cf8abdf3d9e5d2fc6f0cb199f244f # Parent d85695be0441a6adfd8f9572c92975d0d6fe7066 mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation diff -r d85695be0441 -r cfe360d9d82c mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua Mon May 19 11:56:49 2014 +0200 @@ -0,0 +1,59 @@ +module:set_global(); + +local http_request = require"socket.http".request; +local ltn12 = require"ltn12"; +local json = require"util.json"; +local json_encode, json_decode = json.encode, json.decode; +local gettime = require"socket".gettime; +local serialize = require"util.serialization".serialize; + +local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET", + "MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert"; + +local function check_with_monkeysphere(event) + local session, host, cert = event.session, event.host, event.cert; + local result = {}; + local post_body = json_encode { + peer = { + name = host; + type = "peer"; + }; + context = "https"; + -- context = "xmpp"; -- Monkeysphere needs to be extended to understand this + pkc = { + type = "x509pem"; + data = cert:pem(); + }; + } + local req = { + method = "POST"; + url = msva_url; + headers = { + ["Content-Type"] = "application/json"; + ["Content-Length"] = tostring(#post_body); + }; + sink = ltn12.sink.table(result); + source = ltn12.source.string(post_body); + }; + session.log("debug", "Asking what Monkeysphere thinks about this certificate"); + local starttime = gettime(); + local ok, code = http_request(req); + module:log("debug", "Request took %fs", gettime() - starttime); + local body = table.concat(result); + if ok and code == 200 and body then + body = json_decode(body); + if body then + session.log(body.valid and "info" or "warn", "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message); + if body.valid then + session.cert_chain_status = "valid"; + session.cert_identity_status = "valid"; + return true; + end + end + else + module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body)); + module:log("debug", serialize(req)); + end +end + +module:hook("s2s-check-certificate", check_with_monkeysphere);