# HG changeset patch # User Kim Alvefur # Date 1371151512 -7200 # Node ID f853a1a3aa1561b0771037d8d948ef1834091daf # Parent f4031e7ccec15e74e9784047bb983b8cc2bb92b9 mod_auth_ccert: Initial commit of authentication module for using CA-issued client certificates diff -r f4031e7ccec1 -r f853a1a3aa15 mod_auth_ccert/mod_auth_ccert.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_ccert/mod_auth_ccert.lua Thu Jun 13 21:25:12 2013 +0200 @@ -0,0 +1,64 @@ +-- Copyright (C) 2013 Kim Alvefur +-- +-- This file is MIT/X11 licensed. + +local jid_compare = require "util.jid".compare; +local jid_split = require "util.jid".prepped_split; +local new_sasl = require "util.sasl".new; +local log = module._log; +local subject_alternative_name = "2.5.29.17"; +local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; +local now = os.time; + +function get_sasl_handler(session) + return new_sasl(module.host, { + external = session.secure and function(authz) + if session.secure then + -- getpeercertificate() on a TCP connection would be bad, abort! + (session.log or log)("error", "How did you manage to select EXTERNAL without TLS?"); + return nil, false; + end + local sock = session.conn:socket(); + local cert = sock:getpeercertificate(); + if not cert then + (session.log or log)("warn", "No certificate provided"); + return nil, false; + end + + if not cert:validat(now()) then + (session.log or log)("warn", "Client certificate expired") + return nil, "expired"; + end + + local chain_valid, chain_errors = sock:getpeerverification(); + if not chain_valid then + (session.log or log)("warn", "Invalid client certificate chain"); + for i, error in ipairs(chain_errors) do + (session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", ")); + end + return nil, false; + end + + local extensions = cert:extensions(); + local SANs = extensions[subject_alternative_name]; + local xmppAddrs = SANs and SANs[id_on_xmppAddr]; + + if not xmppAddrs then + (session.log or log)("warn", "Client certificate contains no xmppAddrs"); + return nil, false; + end + + for i=1,#xmppAddrs do + if authz == "" or jid_compare(authz, xmppAddrs[i]) then + (session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz) + local username, host = jid_split(xmppAddrs[i]); + if host == module.host then + return username, true + end + end + end + end + }); +end + +module:provides "auth";