prosody
b50eadfddd57

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Changeset

13729:b50eadfddd57 13.0

util.x509: Per RFC 9525, remove obsolete Common Name check
author Kim Alvefur <zash@zash.se>
date Sun, 11 Feb 2024 13:34:13 +0100
parents 13727:704765bfe0a3
children 13730:c653c1d3e8da 13731:d78e0f422464
files CHANGES doc/doap.xml util/x509.lua
diffstat 3 files changed, 9 insertions(+), 44 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES	Mon Feb 17 11:35:03 2025 +0000
+++ b/CHANGES	Sun Feb 11 13:34:13 2024 +0100
@@ -46,6 +46,7 @@
 - Ability to disable and enable user accounts
 - Full DANE support for s2s
 - A "grace period" is now supported for deletion requests via in-band registration
+- No longer check certificate Common Names per RFC 9525
 
 ### Storage
 
--- a/doc/doap.xml	Mon Feb 17 11:35:03 2025 +0000
+++ b/doc/doap.xml	Sun Feb 11 13:34:13 2024 +0100
@@ -64,6 +64,7 @@
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc7673"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc8305"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc9266"/>
+    <implements rdf:resource="https://www.rfc-editor.org/info/rfc9525"/>
     <implements rdf:resource="https://datatracker.ietf.org/doc/draft-cridland-xmpp-session/">
       <!-- since=0.6.0 note=Added in hg:0bbbc9042361 -->
     </implements>
--- a/util/x509.lua	Mon Feb 17 11:35:03 2025 +0000
+++ b/util/x509.lua	Sun Feb 11 13:34:13 2024 +0100
@@ -11,7 +11,8 @@
 -- IDN libraries complicate that.
 
 
--- [TLS-CERTS] - https://www.rfc-editor.org/rfc/rfc6125.html
+-- [TLS-CERTS] - https://www.rfc-editor.org/rfc/rfc6125.html -- Obsolete
+-- [TLS-IDENT] - https://www.rfc-editor.org/rfc/rfc9525.html
 -- [XMPP-CORE] - https://www.rfc-editor.org/rfc/rfc6120.html
 -- [SRV-ID]    - https://www.rfc-editor.org/rfc/rfc4985.html
 -- [IDNA]      - https://www.rfc-editor.org/rfc/rfc5890.html
@@ -35,10 +36,8 @@
 local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE]
 local oid_dnssrv   = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
 
--- Compare a hostname (possibly international) with asserted names
--- extracted from a certificate.
--- This function follows the rules laid out in
--- sections 6.4.1 and 6.4.2 of [TLS-CERTS]
+-- Compare a hostname (possibly international) with asserted names extracted from a certificate.
+-- This function follows the rules laid out in section 6.3 of [TLS-IDENT]
 --
 -- A wildcard ("*") all by itself is allowed only as the left-most label
 local function compare_dnsname(host, asserted_names)
@@ -159,61 +158,25 @@
 	if ext[oid_subjectaltname] then
 		local sans = ext[oid_subjectaltname];
 
-		-- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a
-		-- reference identifier if the presented identifiers include a DNS-ID
-		-- SRV-ID, URI-ID, or any application-specific identifier types"
-		local had_supported_altnames = false
-
 		if sans[oid_xmppaddr] then
-			had_supported_altnames = true
 			if service == "_xmpp-client" or service == "_xmpp-server" then
 				if compare_xmppaddr(host, sans[oid_xmppaddr]) then return true end
 			end
 		end
 
 		if sans[oid_dnssrv] then
-			had_supported_altnames = true
 			-- Only check srvNames if the caller specified a service
 			if service and compare_srvname(host, service, sans[oid_dnssrv]) then return true end
 		end
 
 		if sans["dNSName"] then
-			had_supported_altnames = true
 			if compare_dnsname(host, sans["dNSName"]) then return true end
 		end
-
-		-- We don't need URIs, but [TLS-CERTS] is clear.
-		if sans["uniformResourceIdentifier"] then
-			had_supported_altnames = true
-		end
-
-		if had_supported_altnames then return false end
-	end
-
-	-- Extract a common name from the certificate, and check it as if it were
-	-- a dNSName subjectAltName (wildcards may apply for, and receive,
-	-- cat treats)
-	--
-	-- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject
-	-- which has one and only one Common Name
-	local subject = cert:subject()
-	local cn = nil
-	for i=1,#subject do
-		local dn = subject[i]
-		if dn["oid"] == oid_commonname then
-			if cn then
-				log("info", "Certificate has multiple common names")
-				return false
-			end
-
-			cn = dn["value"];
-		end
 	end
 
-	if cn then
-		-- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs.
-		return compare_dnsname(host, { cn })
-	end
+	-- Per [TLS-IDENT] ignore the Common Name
+	-- The server identity can only be expressed in the subjectAltNames extension;
+	-- it is no longer valid to use the commonName RDN, known as CN-ID in [TLS-CERTS].
 
 	-- If all else fails, well, why should we be any different?
 	return false