
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1944:1950fa6aa0c0

mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
author Kim Alvefur <zash@zash.se>
date Thu, 05 Nov 2015 15:38:31 +0100
parent 1943:7e04ca0aa757
child 1951:7974a24d29b6
265 local tlsa = dane[i].tlsa; 265 local tlsa = dane[i].tlsa;
266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) 266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
267 local use = tlsa.use; 267 local use = tlsa.use;
268 268
269 if enabled_uses:contains(use) then 269 if enabled_uses:contains(use) then
270 -- PKIX-EE or DANE-EE 270 -- DANE-EE or PKIX-EE
271 if use == 1 or use == 3 then 271 if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
272 -- Should we check if the cert subject matches? 272 -- Should we check if the cert subject matches?
273 local is_match = one_dane_check(tlsa, cert); 273 local is_match = one_dane_check(tlsa, cert);
274 if is_match ~= nil then 274 if is_match ~= nil then
275 supported_found = true; 275 supported_found = true;
276 end 276 end
282 -- for usage 1, PKIX-EE, the chain has to be valid already 282 -- for usage 1, PKIX-EE, the chain has to be valid already
283 end 283 end
284 match_found = true; 284 match_found = true;
285 break; 285 break;
286 end 286 end
287 elseif use == 0 or use == 2 then 287 -- DANE-TA or PKIX-CA
288 elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
288 supported_found = true; 289 supported_found = true;
289 local chain = session.conn:socket():getpeerchain(); 290 local chain = session.conn:socket():getpeerchain();
290 for c = 1, #chain do 291 for c = 1, #chain do
291 local cacert = chain[c]; 292 local cacert = chain[c];
292 local is_match = one_dane_check(tlsa, cacert); 293 local is_match = one_dane_check(tlsa, cacert);