266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
267 local use = tlsa.use; |
267 local use = tlsa.use; |
268 |
268 |
269 if enabled_uses:contains(use) then |
269 if enabled_uses:contains(use) then |
270 -- DANE-EE or PKIX-EE |
270 -- DANE-EE or PKIX-EE |
271 if use == 3 or (use == 1 and session.cert_chain_status == "valid") then |
271 if use == 3 or use == 1 then |
272 -- Should we check if the cert subject matches? |
272 -- Should we check if the cert subject matches? |
273 local is_match = one_dane_check(tlsa, cert); |
273 local is_match = one_dane_check(tlsa, cert); |
274 if is_match ~= nil then |
274 if is_match ~= nil then |
275 supported_found = true; |
275 supported_found = true; |
|
276 end |
|
277 if is_match and use == 1 and session.cert_chain_status ~= "valid" then |
|
278 -- for usage 1, PKIX-EE, the chain has to be valid already |
|
279 log("debug", "PKIX-EE TLSA matches untrusted certificate"); |
|
280 is_match = false; |
276 end |
281 end |
277 if is_match then |
282 if is_match then |
278 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
283 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
279 session.cert_identity_status = "valid"; |
284 session.cert_identity_status = "valid"; |
280 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
285 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
281 session.cert_chain_status = "valid"; |
286 session.cert_chain_status = "valid"; |
282 -- for usage 1, PKIX-EE, the chain has to be valid already |
|
283 end |
287 end |
284 match_found = true; |
288 match_found = true; |
285 break; |
289 break; |
286 end |
290 end |
287 -- DANE-TA or PKIX-CA |
291 -- DANE-TA or PKIX-CA |
288 elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then |
292 elseif use == 2 or use == 0 then |
289 supported_found = true; |
293 supported_found = true; |
290 local chain = session.conn:socket():getpeerchain(); |
294 local chain = session.conn:socket():getpeerchain(); |
291 for c = 1, #chain do |
295 for c = 1, #chain do |
292 local cacert = chain[c]; |
296 local cacert = chain[c]; |
293 local is_match = one_dane_check(tlsa, cacert); |
297 local is_match = one_dane_check(tlsa, cacert); |
294 if is_match ~= nil then |
298 if is_match ~= nil then |
295 supported_found = true; |
299 supported_found = true; |
296 end |
300 end |
297 if is_match and cacert:issued(cert, unpack(chain)) then |
301 if is_match and not cacert:issued(cert, unpack(chain)) then |
|
302 is_match = false; |
|
303 end |
|
304 if is_match and use == 0 and session.cert_chain_status ~= "valid" then |
|
305 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
|
306 is_match = false; |
|
307 end |
|
308 if is_match then |
298 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
309 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
299 if use == 2 then -- DANE-TA |
310 if use == 2 then -- DANE-TA |
300 session.cert_identity_status = "valid"; |
311 session.cert_identity_status = "valid"; |
301 if cert_verify_identity(host, "xmpp-server", cert) then |
312 if cert_verify_identity(host, "xmpp-server", cert) then |
302 session.cert_chain_status = "valid"; |
313 session.cert_chain_status = "valid"; |
303 -- else -- TODO Check against SRV target? |
314 -- else -- TODO Check against SRV target? |
304 end |
315 end |
305 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
|
306 end |
316 end |
307 match_found = true; |
317 match_found = true; |
308 break; |
318 break; |
309 end |
319 end |
310 end |
320 end |