--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_auth_ccert/mod_auth_ccert.lua Thu Jun 13 21:25:12 2013 +0200
@@ -0,0 +1,64 @@
+-- Copyright (C) 2013 Kim Alvefur
+--
+-- This file is MIT/X11 licensed.
+
+local jid_compare = require "util.jid".compare;
+local jid_split = require "util.jid".prepped_split;
+local new_sasl = require "util.sasl".new;
+local log = module._log;
+local subject_alternative_name = "2.5.29.17";
+local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
+local now = os.time;
+
+function get_sasl_handler(session)
+ return new_sasl(module.host, {
+ external = session.secure and function(authz)
+ if session.secure then
+ -- getpeercertificate() on a TCP connection would be bad, abort!
+ (session.log or log)("error", "How did you manage to select EXTERNAL without TLS?");
+ return nil, false;
+ end
+ local sock = session.conn:socket();
+ local cert = sock:getpeercertificate();
+ if not cert then
+ (session.log or log)("warn", "No certificate provided");
+ return nil, false;
+ end
+
+ if not cert:validat(now()) then
+ (session.log or log)("warn", "Client certificate expired")
+ return nil, "expired";
+ end
+
+ local chain_valid, chain_errors = sock:getpeerverification();
+ if not chain_valid then
+ (session.log or log)("warn", "Invalid client certificate chain");
+ for i, error in ipairs(chain_errors) do
+ (session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", "));
+ end
+ return nil, false;
+ end
+
+ local extensions = cert:extensions();
+ local SANs = extensions[subject_alternative_name];
+ local xmppAddrs = SANs and SANs[id_on_xmppAddr];
+
+ if not xmppAddrs then
+ (session.log or log)("warn", "Client certificate contains no xmppAddrs");
+ return nil, false;
+ end
+
+ for i=1,#xmppAddrs do
+ if authz == "" or jid_compare(authz, xmppAddrs[i]) then
+ (session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
+ local username, host = jid_split(xmppAddrs[i]);
+ if host == module.host then
+ return username, true
+ end
+ end
+ end
+ end
+ });
+end
+
+module:provides "auth";