prosody-modules: mod_s2s_keysize_policy/mod_s2s_keysize

1203 5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	1	-- mod_s2s_keysize_policy.lua
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	2
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	3	module:set_global();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	4
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	5	local datetime_parse = require"util.datetime".parse;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	6	local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	7	local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	8	local function parse_x509_datetime(s)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	9	local month, day, hour, min, sec, year = s:match(pat); month = months[month];
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	10	return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	11	end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	12
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	13	local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	14
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	15	-- From RFC 4492
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	16	local weak_key_size = {
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	17	RSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	18	DSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	19	DH = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	20	EC = 233,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	21	}
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	22
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	23	module:hook("s2s-check-certificate", function(event)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	24	local host, session, cert = event.host, event.session, event.cert;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	25	if cert and cert.pubkey then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	26	local _, key_type, key_size = cert:pubkey();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	27	if key_size < ( weak_key_size[key_type] or 0 ) then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	28	local issued = parse_x509_datetime(cert:notbefore());
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	29	if issued > weak_key_cutoff then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	30	session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	31	session.cert_chain_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	32	session.cert_identity_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	33	else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	34	session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	35	end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	36	else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	37	session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	38	end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	39	end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	40	end);

author	Kim Alvefur <zash@zash.se>
	Sun, 29 Sep 2013 19:10:39 +0200
changeset 1203	5294c8c1861c
child 1204	fc42f8484451
permissions	-rw-r--r--