util/x509.lua @ 4330:520fcb333cba
util.x509: Update references to published RFCs
For TLS-CERTS, see http://tools.ietf.org/rfcdiff?url1=draft-saintandre-tls-server-id-check-10.txt&url2=rfc6125.txt
author | Paul Aurich <paul@darkrain42.org> |
date | Sun, 22 May 2011 14:06:18 -0700 |
parent | 3735:40b54c46a14c |
child | 4486:f04db5e7e90d |
4329:d8b2c97ae6ed | 4330:520fcb333cba |
9 -- TODO: I feel a fair amount of this logic should be integrated into Luasec, | 9 -- TODO: I feel a fair amount of this logic should be integrated into Luasec, |
10 -- so that everyone isn't re-inventing the wheel. Dependencies on | 10 -- so that everyone isn't re-inventing the wheel. Dependencies on |
11 -- IDN libraries complicate that. | 11 -- IDN libraries complicate that. |
12 | 12 |
13 | 13 |
14 -- [TLS-CERTS] - http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-10 | 14 -- [TLS-CERTS] - http://tools.ietf.org/html/rfc6125 |
15 -- [XMPP-CORE] - http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-18 | 15 -- [XMPP-CORE] - http://tools.ietf.org/html/rfc6120 |
16 -- [SRV-ID] - http://tools.ietf.org/html/rfc4985 | 16 -- [SRV-ID] - http://tools.ietf.org/html/rfc4985 |
17 -- [IDNA] - http://tools.ietf.org/html/rfc5890 | 17 -- [IDNA] - http://tools.ietf.org/html/rfc5890 |
18 -- [LDAP] - http://tools.ietf.org/html/rfc4519 | 18 -- [LDAP] - http://tools.ietf.org/html/rfc4519 |
19 -- [PKIX] - http://tools.ietf.org/html/rfc5280 | 19 -- [PKIX] - http://tools.ietf.org/html/rfc5280 |
20 | 20 |
30 local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID] | 30 local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID] |
31 | 31 |
32 -- Compare a hostname (possibly international) with asserted names | 32 -- Compare a hostname (possibly international) with asserted names |
33 -- extracted from a certificate. | 33 -- extracted from a certificate. |
34 -- This function follows the rules laid out in | 34 -- This function follows the rules laid out in |
35 -- sections 4.4.1 and 4.4.2 of [TLS-CERTS] | 35 -- sections 6.4.1 and 6.4.2 of [TLS-CERTS] |
36 -- | 36 -- |
37 -- A wildcard ("*") all by itself is allowed only as the left-most label | 37 -- A wildcard ("*") all by itself is allowed only as the left-most label |
38 local function compare_dnsname(host, asserted_names) | 38 local function compare_dnsname(host, asserted_names) |
39 -- TODO: Sufficient normalization? Review relevant specs. | 39 -- TODO: Sufficient normalization? Review relevant specs. |
40 local norm_host = idna_to_ascii(host) | 40 local norm_host = idna_to_ascii(host) |
148 function verify_identity(host, service, cert) | 148 function verify_identity(host, service, cert) |
149 local ext = cert:extensions() | 149 local ext = cert:extensions() |
150 if ext[oid_subjectaltname] then | 150 if ext[oid_subjectaltname] then |
151 local sans = ext[oid_subjectaltname]; | 151 local sans = ext[oid_subjectaltname]; |
152 | 152 |
153 -- Per [TLS-CERTS] 4.3, 4.4.4, "a client MUST NOT seek a match for a | 153 -- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a |
154 -- reference identifier if the presented identifiers include a DNS-ID | 154 -- reference identifier if the presented identifiers include a DNS-ID |
155 -- SRV-ID, URI-ID, or any application-specific identifier types" | 155 -- SRV-ID, URI-ID, or any application-specific identifier types" |
156 local had_supported_altnames = false | 156 local had_supported_altnames = false |
157 | 157 |
158 if sans[oid_xmppaddr] then | 158 if sans[oid_xmppaddr] then |
181 | 181 |
182 -- Extract a common name from the certificate, and check it as if it were | 182 -- Extract a common name from the certificate, and check it as if it were |
183 -- a dNSName subjectAltName (wildcards may apply for, and receive, | 183 -- a dNSName subjectAltName (wildcards may apply for, and receive, |
184 -- cat treats) | 184 -- cat treats) |
185 -- | 185 -- |
186 -- Per [TLS-CERTS] 1.5, a CN-ID is the Common Name from a cert subject | 186 -- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject |
187 -- which has one and only one Common Name | 187 -- which has one and only one Common Name |
188 local subject = cert:subject() | 188 local subject = cert:subject() |
189 local cn = nil | 189 local cn = nil |
190 for i=1,#subject do | 190 for i=1,#subject do |
191 local dn = subject[i] | 191 local dn = subject[i] |
198 cn = dn["value"]; | 198 cn = dn["value"]; |
199 end | 199 end |
200 end | 200 end |
201 | 201 |
202 if cn then | 202 if cn then |
203 -- Per [TLS-CERTS] 4.4.4, follow the comparison rules for dNSName SANs. | 203 -- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs. |
204 return compare_dnsname(host, { cn }) | 204 return compare_dnsname(host, { cn }) |
205 end | 205 end |
206 | 206 |
207 -- If all else fails, well, why should we be any different? | 207 -- If all else fails, well, why should we be any different? |
208 return false | 208 return false |
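Review bot: The quotation at new-side lines 153-155 in verify_identity abridges RFC 6125 §6.4.4 in a way that inverts its meaning: the RFC forbids seeking a match for a reference identifier *of CN-ID* when DNS-ID, SRV-ID, URI-ID or supported application-specific identifiers are presented, whereas the comment as written reads as if no reference identifier at all should be matched once such identifiers are present. Since this commit is precisely about aligning citations with the published RFC, suggest restoring the dropped words: `-- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client"`. That rule is presumably what `had_supported_altnames` exists to enforce, but the lines 159-180 that consume it are outside the hunk, so I cannot confirm from here that the CN fallback at 202-204 is skipped when it is set rather than reached after a failed SAN match. The header of compare_dnsname (line 37) cites §6.4.1 and §6.4.2 but states the left-most-label wildcard rule, which comes from §6.4.3, so `-- sections 6.4.1, 6.4.2 and (for wildcards) 6.4.3 of [TLS-CERTS]` would be more accurate. verify_identity begins at 148 but its closing `end` after `return false` at 208 lies outside the hunk.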