path: root/plugins/mod_s2s_auth_certs.lua
blob: be81f51b3a0b402ea91a76b25d40fc3f74a48e0f (plain)
-- Register this plugin as a global module in Prosody's module system
-- (rather than one instance per host).
module:set_global();

-- Checks a certificate against an asserted identity; called below with
-- (host, service name, certificate) and treated as a boolean verdict.
local cert_verify_identity = require "util.x509".verify_identity;
-- Shared empty table, used as a stand-in so the error loop below can run
-- pairs() safely when no error list was returned.
local NULL = {};
-- Module-level logger, used whenever a session has no logger of its own.
local log = module._log;

-- Handler for "s2s-check-certificate" (registered with priority 509).
--
-- Reads event.session, event.host and event.cert, and records the outcome of
-- certificate validation on the session:
--   session.cert_chain_status    = "valid" | "invalid"
--   session.cert_identity_status = "valid" | "invalid"
--
-- This handler only records verdicts; it returns nothing and does not close
-- or reject the connection itself.
--
-- Fields are written only on the paths shown here:
--   * no certificate      -> neither field is touched
--   * chain invalid       -> only cert_chain_status is written
--   * chain valid, no host -> only cert_chain_status is written
-- NOTE(review): because the untouched fields keep whatever value they had,
-- consumers should presumably treat anything other than the exact string
-- "valid" as unauthenticated -- confirm against the code that reads them.
module:hook("s2s-check-certificate", function(event)
	local session = event.session;
	local host, cert = event.host, event.cert;
	local conn = session.conn:socket();

	-- Without a peer certificate there is nothing to validate.
	if not cert then
		return;
	end

	-- Prefer the session's own logger; fall back to the module logger.
	local emit = session.log or log;

	local chain_valid, errors;
	if conn.getpeerverification then
		chain_valid, errors = conn:getpeerverification();
	elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
		chain_valid, errors = conn:getpeerchainvalid();
		-- Wrap the single error value in the nested-list shape that the
		-- logging loop below expects; drop it when the chain is valid.
		if chain_valid then
			errors = nil;
		else
			errors = { { errors } };
		end
	else
		-- Fail closed: if the TLS binding cannot tell us whether the chain
		-- verified, the chain is recorded as invalid.
		chain_valid = false;
		errors = { { "Chain verification not supported by this version of LuaSec" } };
	end

	-- Is there any interest in printing out all/the number of errors here?
	if chain_valid then
		emit("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- The identity is only checked once the chain is trusted, and only
		-- when the connecting server asserted a host name.
		if host then
			local identity_ok = cert_verify_identity(host, "xmpp-server", cert);
			if identity_ok then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			emit("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end
	else
		-- NOTE(review): validation failures are reported at "debug" level
		-- only, so they are invisible at higher log levels.
		emit("debug", "certificate chain validation result: invalid");
		local per_depth = errors or NULL;
		for depth, t in pairs(per_depth) do
			-- Keys are logged minus one, i.e. as zero-based depths.
			emit("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
		end
		session.cert_chain_status = "invalid";
	end
end, 509);