Annotate

mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5405:c7a5caad28ef

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:31:25 +0200
parent 2424:27ffa6521d4e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_s2s_keysize_policy.lua
1204
fc42f8484451 mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents: 1203
diff changeset
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local datetime_parse = require"util.datetime".parse;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local function parse_x509_datetime(s)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month];
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 -- From RFC 4492
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local weak_key_size = {
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 RSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 DSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 DH = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 EC = 233,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 }
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 module:hook("s2s-check-certificate", function(event)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 local host, session, cert = event.host, event.session, event.cert;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 if cert and cert.pubkey then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local _, key_type, key_size = cert:pubkey();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 if key_size < ( weak_key_size[key_type] or 0 ) then
1325
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
29 local issued = parse_x509_datetime(cert:notbefore());
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
30 if issued > weak_key_cutoff then
2424
27ffa6521d4e mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 session.cert_chain_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 session.cert_identity_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 end);