58 |
58 |
59 if select == 0 then |
59 if select == 0 then |
60 certdata = pem2der(cert:pem()); |
60 certdata = pem2der(cert:pem()); |
61 elseif select == 1 then |
61 elseif select == 1 then |
62 certdata = pem2der(cert:pubkey()); |
62 certdata = pem2der(cert:pubkey()); |
|
63 else |
|
64 module:log("warn", "DANE selector %d is unsupported", select); |
63 end |
65 end |
64 if match == 1 then |
66 if match == 1 then |
65 certdata = hashes.sha256(certdata); |
67 certdata = hashes.sha256(certdata); |
66 elseif match == 2 then |
68 elseif match == 2 then |
67 certdata = hashes.sha512(certdata); |
69 certdata = hashes.sha512(certdata); |
|
70 elseif match ~= 0 then |
|
71 module:log("warn", "DANE match rule %d is unsupported", match); |
|
72 certdata = nil |
68 end |
73 end |
69 |
74 |
70 -- Should we check if the cert subject matches? |
75 -- Should we check if the cert subject matches? |
71 if certdata == tlsa.data then |
76 if certdata and certdata == tlsa.data then |
72 (session.log or module._log)("info", "DANE validation successful"); |
77 (session.log or module._log)("info", "DANE validation successful"); |
73 session.cert_identity_status = "valid" |
78 session.cert_identity_status = "valid" |
74 if use == 3 then |
79 if use == 3 then |
75 session.cert_chain_status = "valid" |
80 session.cert_chain_status = "valid" |
76 -- for usage 1 the chain has to be valid already |
81 -- for usage 1 the chain has to be valid already |
77 end |
82 end |
78 break; |
83 break; |
79 end |
84 end |
80 else |
85 else |
81 module:log("warn", "DANE %s is unsupported", tlsa:getUsage()); |
86 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); |
82 -- TODO Ca checks needs to loop over the chain and stuff |
87 -- TODO Ca checks needs to loop over the chain and stuff |
83 end |
88 end |
84 end |
89 end |
85 end |
90 end |
86 |
91 |