mod_s2s: Detect TLS compression
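diff --git a/util/x509.lua b/util/x509.lua
index d323f4b4d682fc39c5297045873724a2083af55f..19d4ec6d791d5ca79268af567a989d480484b19a 100644
--- a/util/x509.lua
+++ b/util/x509.lua
@@ -11,8 +11,8 @@
 -- IDN libraries complicate that.
--- [TLS-CERTS] - http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-10
--- [XMPP-CORE] - http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-18
+-- [TLS-CERTS] - http://tools.ietf.org/html/rfc6125
+-- [XMPP-CORE] - http://tools.ietf.org/html/rfc6120
 -- [SRV-ID] - http://tools.ietf.org/html/rfc4985
 -- [IDNA] - http://tools.ietf.org/html/rfc5890
 -- [LDAP] - http://tools.ietf.org/html/rfc4519
@@ -20,9 +20,13 @@
 local nameprep = require "util.encodings".stringprep.nameprep;
 local idna_to_ascii = require "util.encodings".idna.to_ascii;
-local log = require "util.logger".init("certverification");
+local log = require "util.logger".init("x509");
+local pairs, ipairs = pairs, ipairs;
+local s_format = string.format;
+local t_insert = table.insert;
+local t_concat = table.concat;
-module "certverification"
+module "x509"
 local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3
 local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6
@@ -32,7 +36,7 @@ local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
 -- Compare a hostname (possibly international) with asserted names
 -- extracted from a certificate.
 -- This function follows the rules laid out in
--- sections 4.4.1 and 4.4.2 of [TLS-CERTS]
+-- sections 6.4.1 and 6.4.2 of [TLS-CERTS]
 --
 -- A wildcard ("*") all by itself is allowed only as the left-most label
 local function compare_dnsname(host, asserted_names)
@@ -150,7 +154,7 @@ function verify_identity(host, service, cert)
 if ext[oid_subjectaltname] then
 local sans = ext[oid_subjectaltname];
--- Per [TLS-CERTS] 4.3, 4.4.4, "a client MUST NOT seek a match for a
+-- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a
 -- reference identifier if the presented identifiers include a DNS-ID
 -- SRV-ID, URI-ID, or any application-specific identifier types"
 local had_supported_altnames = false
@@ -183,7 +187,7 @@ function verify_identity(host, service, cert)
 -- a dNSName subjectAltName (wildcards may apply for, and receive,
 -- cat treats)
 --
--- Per [TLS-CERTS] 1.5, a CN-ID is the Common Name from a cert subject
+-- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject
 -- which has one and only one Common Name
 local subject = cert:subject()
 local cn = nil
@@ -200,7 +204,7 @@ function verify_identity(host, service, cert)
 end
 if cn then
--- Per [TLS-CERTS] 4.4.4, follow the comparison rules for dNSName SANs.
+-- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs.
 return compare_dnsname(host, { cn })
 end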
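Review bot: The added `local pairs, ipairs = pairs, ipairs;` and the string/table aliases in the second hunk only work because they sit above `module "x509"`, which (called without package.seeall) replaces the file's environment, so any other global a later function reaches for — `type`, `tostring`, `error` — would be nil past that line, and nothing in the hunk records that constraint for the next person who adds a helper. I would put `-- Capture every global needed below here: module() swaps the environment, so unqualified globals are nil after it.` above the new aliases. None of `s_format`, `t_insert` or `t_concat` is used in the visible hunks; if they serve code outside them that is fine, otherwise they are dead locals. The rename from "certverification" to "x509" also changes the logger name, so a log-level filter keyed on "certverification" stops matching, and anything that still `require`s the module by its old name will break — both deserve a line in the commit message, which at present only mentions mod_s2s TLS compression detection.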