265 local tlsa = dane[i].tlsa; |
265 local tlsa = dane[i].tlsa; |
266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
267 local use = tlsa.use; |
267 local use = tlsa.use; |
268 |
268 |
269 if enabled_uses:contains(use) then |
269 if enabled_uses:contains(use) then |
270 -- PKIX-EE or DANE-EE |
270 -- DANE-EE or PKIX-EE |
271 if use == 1 or use == 3 then |
271 if use == 3 or (use == 1 and session.cert_chain_status == "valid") then |
272 -- Should we check if the cert subject matches? |
272 -- Should we check if the cert subject matches? |
273 local is_match = one_dane_check(tlsa, cert); |
273 local is_match = one_dane_check(tlsa, cert); |
274 if is_match ~= nil then |
274 if is_match ~= nil then |
275 supported_found = true; |
275 supported_found = true; |
276 end |
276 end |
282 -- for usage 1, PKIX-EE, the chain has to be valid already |
282 -- for usage 1, PKIX-EE, the chain has to be valid already |
283 end |
283 end |
284 match_found = true; |
284 match_found = true; |
285 break; |
285 break; |
286 end |
286 end |
287 elseif use == 0 or use == 2 then |
287 -- DANE-TA or PKIX-CA |
|
288 elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then |
288 supported_found = true; |
289 supported_found = true; |
289 local chain = session.conn:socket():getpeerchain(); |
290 local chain = session.conn:socket():getpeerchain(); |
290 for c = 1, #chain do |
291 for c = 1, #chain do |
291 local cacert = chain[c]; |
292 local cacert = chain[c]; |
292 local is_match = one_dane_check(tlsa, cacert); |
293 local is_match = one_dane_check(tlsa, cacert); |