File

plugins/mod_s2s_auth_certs.lua @ 6320:17344d25a0f6

mod_s2s_auth_certs: Pick a logging function once and stick with it
author Kim Alvefur <zash@zash.se>
date Fri, 25 Jul 2014 21:03:16 +0200
parent 6319:92d009af6eba
child 6373:84e7e418c29a
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn:socket();

	if cert then
		local log = session.log or log;
		local chain_valid, errors;
		if conn.getpeerverification then
			chain_valid, errors = conn:getpeerverification();
		elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
			chain_valid, errors = conn:getpeerchainvalid();
			errors = (not chain_valid) and { { errors } } or nil;
		else
			chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
		end
		-- Is there any interest in printing out all/the number of errors here?
		if not chain_valid then
			log("debug", "certificate chain validation result: invalid");
			for depth, t in pairs(errors or NULL) do
				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
			end
			session.cert_chain_status = "invalid";
		else
			log("debug", "certificate chain validation result: valid");
			session.cert_chain_status = "valid";

			-- We'll go ahead and verify the asserted identity if the
			-- connecting server specified one.
			if host then
				if cert_verify_identity(host, "xmpp-server", cert) then
					session.cert_identity_status = "valid"
				else
					session.cert_identity_status = "invalid"
				end
				log("debug", "certificate identity validation result: %s", session.cert_identity_status);
			end
		end
	end
end, 509);