232 local session, cert, host = event.session, event.cert, event.host; |
232 local session, cert, host = event.session, event.cert, event.host; |
233 if not cert then return end |
233 if not cert then return end |
234 local log = session.log or module._log; |
234 local log = session.log or module._log; |
235 local dane = session.dane; |
235 local dane = session.dane; |
236 if type(dane) == "table" then |
236 if type(dane) == "table" then |
237 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
237 local match_found, supported_found; |
238 for i = 1, #dane do |
238 for i = 1, #dane do |
239 tlsa = dane[i].tlsa; |
239 local tlsa = dane[i].tlsa; |
240 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
240 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
241 use = tlsa.use; |
241 local use = tlsa.use; |
242 |
242 |
243 if enabled_uses:contains(use) then |
243 if enabled_uses:contains(use) then |
244 -- PKIX-EE or DANE-EE |
244 -- PKIX-EE or DANE-EE |
245 if use == 1 or use == 3 then |
245 if use == 1 or use == 3 then |
246 -- Should we check if the cert subject matches? |
246 -- Should we check if the cert subject matches? |
247 is_match = one_dane_check(tlsa, cert); |
247 local is_match = one_dane_check(tlsa, cert); |
248 if is_match ~= nil then |
248 if is_match ~= nil then |
249 supported_found = true; |
249 supported_found = true; |
250 end |
250 end |
251 if is_match then |
251 if is_match then |
252 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
252 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
258 match_found = true; |
258 match_found = true; |
259 break; |
259 break; |
260 end |
260 end |
261 elseif use == 0 or use == 2 then |
261 elseif use == 0 or use == 2 then |
262 supported_found = true; |
262 supported_found = true; |
263 if chain == nil then |
263 local chain = session.conn:socket():getpeerchain(); |
264 chain = session.conn:socket():getpeerchain(); |
264 for i = 1, #chain do |
265 end |
265 local cacert = chain[i]; |
266 for i = 2, #chain do |
266 local is_match = one_dane_check(tlsa, cacert); |
267 cacert, leafcert = chain[i], chain[i-1]; |
|
268 is_match = one_dane_check(tlsa, cacert); |
|
269 if is_match ~= nil then |
267 if is_match ~= nil then |
270 supported_found = true; |
268 supported_found = true; |
271 end |
269 end |
272 if use == 2 and not cacert:issued(leafcert or cacert) then |
270 if is_match and cacert:issued(cert, unpack(chain)) then |
273 module:log("debug", "Broken chain"); |
|
274 break; |
|
275 end |
|
276 if is_match then |
|
277 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
271 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
278 if use == 2 then -- DANE-TA |
272 if use == 2 then -- DANE-TA |
279 session.cert_identity_status = "valid"; |
273 session.cert_identity_status = "valid"; |
280 session.cert_chain_status = "valid"; |
274 session.cert_chain_status = "valid"; |
281 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
275 -- for usage 0, PKIX-CA, identity and chain has to be valid already |