Changeset

1203:5294c8c1861c

mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
author Kim Alvefur <zash@zash.se>
date Sun, 29 Sep 2013 19:10:39 +0200
parents 1202:2cce28fe806b
children 1204:fc42f8484451
files mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua
diffstat 1 files changed, 40 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua	Sun Sep 29 19:10:39 2013 +0200
@@ -0,0 +1,40 @@
+-- mod_s2s_keysize_policy.lua
+
+module:set_global();
+
+local datetime_parse = require"util.datetime".parse;
+local pat = "^([JFMAONSD][ceupao][glptbvyncr])  ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
+local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
+local function parse_x509_datetime(s)
+	local month, day, hour, min, sec, year = s:match(pat); month = months[month];
+	return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
+end
+
+local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
+
+-- From RFC 4492
+local weak_key_size = {
+	RSA = 2048,
+	DSA = 2048,
+	DH  = 2048,
+	EC  =  233,
+}
+
+module:hook("s2s-check-certificate", function(event)
+	local host, session, cert = event.host, event.session, event.cert;
+	if cert and cert.pubkey then
+		local _, key_type, key_size = cert:pubkey();
+		if key_size < ( weak_key_size[key_type] or 0 ) then
+			local issued = parse_x509_datetime(cert:notbefore());
+			if issued > weak_key_cutoff then
+				session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
+				session.cert_chain_status = "invalid";
+				session.cert_identity_status = "invalid";
+			else
+				session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
+			end
+		else
+			session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
+		end
+	end
+end);