698:3a3293f37139
mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
author | Thijs Alkemade <thijsalkemade@gmail.com> |
---|---|
date | Tue, 05 Jun 2012 20:47:02 +0200 |
parents | 697:c3337f62a538 |
children | 699:7c88e09a07e7 |
files | mod_client_certs/mod_client_certs.lua |
diffstat | 1 files changed, 19 insertions(+), 15 deletions(-) [+] |
--- a/mod_client_certs/mod_client_certs.lua Tue Jun 05 19:31:03 2012 +0200
+++ b/mod_client_certs/mod_client_certs.lua Tue Jun 05 20:47:02 2012 +0200
@@ -12,6 +12,7 @@
 local dm_table = "client_certs";
 local x509 = require "ssl.x509";
 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
+local id_ce_subjectAltName = "2.5.29.17";
 local digest_algo = "sha1";
 local function enable_cert(username, cert, info)
@@ -120,20 +121,22 @@
 end
 local valid_id_on_xmppAddrs;
- local require_id_on_xmppAddr = false;
+ local require_id_on_xmppAddr = true;
 if require_id_on_xmppAddr then
- --local info = {};
 valid_id_on_xmppAddrs = {};
- for _,v in ipairs(cert:subject()) do
- --info[#info+1] = (v.name or v.oid) ..":" .. v.value;
- if v.oid == id_on_xmppAddr then
- if jid_bare(v.value) == jid_bare(origin.full_jid) then
- module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid.");
- valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = v.value;
- -- Is there a point in having >1 ids? Reject?!
- else
- module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value);
- -- Reject?
+ for k,ext in pairs(cert:extensions()) do
+ if k == id_ce_subjectAltName then
+ for e,extv in pairs(ext) do
+ if e == id_on_xmppAddr then
+ if jid_bare(extv[1]) == jid_bare(origin.full_jid) then
+ module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid.");
+ valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = extv[1];
+ -- Is there a point in having >1 ids? Reject?!
+ else
+ module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value);
+ -- Reject?
+ end
+ end
 end
 end
 end
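Review bot: The else branch of the new loop still logs `v.value`, but `v` is no longer bound after the switch from `for _,v in ipairs(cert:subject())` to `for k,ext in pairs(cert:extensions())` / `for e,extv in pairs(ext)`, so it resolves to the global `v` and indexing it raises instead of logging; that path is exactly the one taken when a certificate's id-on-xmppAddr names a different account than the session, so the mismatch case now errors out of the handler rather than being recorded. The line should read `module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", extv[1]);`. Only `extv[1]` is compared; if the extension value table can hold several id-on-xmppAddr entries (I cannot tell from the hunk), the others are neither validated nor logged, and iterating `extv` with `ipairs` would cover them. The enclosing function starts and ends outside this hunk.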
@@ -175,16 +178,17 @@
 return true
 end
- local disabled_cert = disable_cert(origin.username, name):pem();
+ local disabled_cert = disable_cert(origin.username, name);
- if disable.name == "revoke" then
+ if disabled_cert and disable.name == "revoke" then
 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid);
 local sessions = hosts[module.host].sessions[origin.username].sessions;
+ local disabled_cert_pem = disabled_cert:pem();
 for _, session in pairs(sessions) do
 local cert = session.external_auth_cert;
- if cert and cert == disabled_cert then
+ if cert and cert == disabled_cert_pem then
 module:log("debug", "Found a session that should be closed: %s", tostring(session));
 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
 end