180 local dane = session.dane; |
180 local dane = session.dane; |
181 if type(dane) == "table" then |
181 if type(dane) == "table" then |
182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
183 for i = 1, #dane do |
183 for i = 1, #dane do |
184 tlsa = dane[i].tlsa; |
184 tlsa = dane[i].tlsa; |
185 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); |
185 module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); |
186 use = tlsa.use; |
186 use = tlsa.use; |
187 |
187 |
188 if enabled_uses:contains(use) then |
188 if enabled_uses:contains(use) then |
189 -- PKIX-EE or DANE-EE |
189 -- PKIX-EE or DANE-EE |
190 if use == 1 or use == 3 then |
190 if use == 1 or use == 3 then |
192 is_match = one_dane_check(tlsa, cert); |
192 is_match = one_dane_check(tlsa, cert); |
193 if is_match ~= nil then |
193 if is_match ~= nil then |
194 supported_found = true; |
194 supported_found = true; |
195 end |
195 end |
196 if is_match then |
196 if is_match then |
197 log("info", "DANE validation successful"); |
197 log("info", "DANE validated ok using %s", tlsa:getUsage()); |
198 session.cert_identity_status = "valid"; |
198 session.cert_identity_status = "valid"; |
199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
200 session.cert_chain_status = "valid"; |
200 session.cert_chain_status = "valid"; |
201 -- for usage 1, PKIX-EE, the chain has to be valid already |
201 -- for usage 1, PKIX-EE, the chain has to be valid already |
202 end |
202 end |
217 if use == 2 and not cacert:issued(leafcert or cacert) then |
217 if use == 2 and not cacert:issued(leafcert or cacert) then |
218 module:log("debug", "Broken chain"); |
218 module:log("debug", "Broken chain"); |
219 break; |
219 break; |
220 end |
220 end |
221 if is_match then |
221 if is_match then |
222 log("info", "DANE validation successful"); |
222 log("info", "DANE validated ok using %s", tlsa:getUsage()); |
223 if use == 2 then -- DANE-TA |
223 if use == 2 then -- DANE-TA |
224 session.cert_identity_status = "valid"; |
224 session.cert_identity_status = "valid"; |
225 session.cert_chain_status = "valid"; |
225 session.cert_chain_status = "valid"; |
226 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
226 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
227 end |
227 end |
233 end |
233 end |
234 end |
234 end |
235 end |
235 end |
236 if supported_found and not match_found or dane.bogus then |
236 if supported_found and not match_found or dane.bogus then |
237 -- No TLSA matched or response was bogus |
237 -- No TLSA matched or response was bogus |
238 log("warn", "DANE validation failed"); |
238 local why = "No TLSA matched certificate"; |
|
239 if dane.bogus then |
|
240 why = "Bogus: "..tostring(dane.bogus); |
|
241 end |
|
242 log("warn", "DANE validation failed: %s", why); |
239 session.cert_identity_status = "invalid"; |
243 session.cert_identity_status = "invalid"; |
240 session.cert_chain_status = "invalid"; |
244 session.cert_chain_status = "invalid"; |
241 end |
245 end |
242 else |
246 else |
243 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |
247 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |