Mercurial > prosody-modules
comparison mod_client_certs/mod_client_certs.lua @ 698:3a3293f37139
mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
| author | Thijs Alkemade <thijsalkemade@gmail.com> |
|---|---|
| date | Tue, 05 Jun 2012 20:47:02 +0200 |
| parents | c3337f62a538 |
| children | 151743149f07 |
comparison
equal
deleted
inserted
replaced
| 697:c3337f62a538 | 698:3a3293f37139 |
|---|---|
| 10 local dm_load = require "util.datamanager".load; | 10 local dm_load = require "util.datamanager".load; |
| 11 local dm_store = require "util.datamanager".store; | 11 local dm_store = require "util.datamanager".store; |
| 12 local dm_table = "client_certs"; | 12 local dm_table = "client_certs"; |
| 13 local x509 = require "ssl.x509"; | 13 local x509 = require "ssl.x509"; |
| 14 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; | 14 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; |
| 15 local id_ce_subjectAltName = "2.5.29.17"; | |
| 15 local digest_algo = "sha1"; | 16 local digest_algo = "sha1"; |
| 16 | 17 |
| 17 local function enable_cert(username, cert, info) | 18 local function enable_cert(username, cert, info) |
| 18 local certs = dm_load(username, module.host, dm_table) or {}; | 19 local certs = dm_load(username, module.host, dm_table) or {}; |
| 19 local all_certs = dm_load(nil, module.host, dm_table) or {}; | 20 local all_certs = dm_load(nil, module.host, dm_table) or {}; |
| 118 if not cert:valid_at(os.time()) then | 119 if not cert:valid_at(os.time()) then |
| 119 module:log("debug", "This certificate is not valid at this moment."); | 120 module:log("debug", "This certificate is not valid at this moment."); |
| 120 end | 121 end |
| 121 | 122 |
| 122 local valid_id_on_xmppAddrs; | 123 local valid_id_on_xmppAddrs; |
| 123 local require_id_on_xmppAddr = false; | 124 local require_id_on_xmppAddr = true; |
| 124 if require_id_on_xmppAddr then | 125 if require_id_on_xmppAddr then |
| 125 --local info = {}; | |
| 126 valid_id_on_xmppAddrs = {}; | 126 valid_id_on_xmppAddrs = {}; |
| 127 for _,v in ipairs(cert:subject()) do | 127 for k,ext in pairs(cert:extensions()) do |
| 128 --info[#info+1] = (v.name or v.oid) ..":" .. v.value; | 128 if k == id_ce_subjectAltName then |
| 129 if v.oid == id_on_xmppAddr then | 129 for e,extv in pairs(ext) do |
| 130 if jid_bare(v.value) == jid_bare(origin.full_jid) then | 130 if e == id_on_xmppAddr then |
| 131 module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid."); | 131 if jid_bare(extv[1]) == jid_bare(origin.full_jid) then |
| 132 valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = v.value; | 132 module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid."); |
| 133 -- Is there a point in having >1 ids? Reject?! | 133 valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = extv[1]; |
| 134 else | 134 -- Is there a point in having >1 ids? Reject?! |
| 135 module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value); | 135 else |
| 136 -- Reject? | 136 module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value); |
| 137 -- Reject? | |
| 138 end | |
| 139 end | |
| 137 end | 140 end |
| 138 end | 141 end |
| 139 end | 142 end |
| 140 | 143 |
| 141 if #valid_id_on_xmppAddrs == 0 then | 144 if #valid_id_on_xmppAddrs == 0 then |
| 173 if not name then | 176 if not name then |
| 174 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); | 177 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); |
| 175 return true | 178 return true |
| 176 end | 179 end |
| 177 | 180 |
| 178 local disabled_cert = disable_cert(origin.username, name):pem(); | 181 local disabled_cert = disable_cert(origin.username, name); |
| 179 | 182 |
| 180 if disable.name == "revoke" then | 183 if disabled_cert and disable.name == "revoke" then |
| 181 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid); | 184 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid); |
| 182 local sessions = hosts[module.host].sessions[origin.username].sessions; | 185 local sessions = hosts[module.host].sessions[origin.username].sessions; |
| 186 local disabled_cert_pem = disabled_cert:pem(); | |
| 183 | 187 |
| 184 for _, session in pairs(sessions) do | 188 for _, session in pairs(sessions) do |
| 185 local cert = session.external_auth_cert; | 189 local cert = session.external_auth_cert; |
| 186 | 190 |
| 187 if cert and cert == disabled_cert then | 191 if cert and cert == disabled_cert_pem then |
| 188 module:log("debug", "Found a session that should be closed: %s", tostring(session)); | 192 module:log("debug", "Found a session that should be closed: %s", tostring(session)); |
| 189 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; | 193 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; |
| 190 end | 194 end |
| 191 end | 195 end |
| 192 end | 196 end |
