85degree / prosody-modules

Automatically exported from code.google.com/p/prosody-modules
MIT License
0 stars 0 forks source link

[mod_client_certs] Requesting the certificate list is broken, module doesn't advertise support, and doesn't accept valid certificates #68

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
1) Due to a missing :up() in a loop, requesting items 
(http://xmpp.org/extensions/xep-0257.html#example-3) will generate a 
badly-nested stanza, so most clients will only see the first certificate in the 
list, while others may crash (hopefully not).

2) The module doesn’t advertise the urn:xmpp:saslcert:1, even though it is 
required (http://xmpp.org/extensions/xep-0257.html#sect-idp588448).

3) The module loads certificates by adding PEM headers/and footers to the 
base64 sent by the user and feeding that to x509.load(). This is wrong because 
x509.load() expects a properly-formatted PEM with 64-chars lines and will fail 
otherwise, but XEP-0257 states that the stanza must contain “base64 encoded 
DER data of the certificate”, with no formatting required 
(http://xmpp.org/extensions/xep-0257.html#add the example also says 
“whitespace only added for presentation”). Therefore, a client currently 
conforming to that XEP will not be able to work with this module.

I am attaching a patch below that should take care of those issues, but if 
there is a better solution than the dual base64 encoding/decoding in order to 
sanitize the base64 data, I'm all ears.

Original issue reported on code.google.com by prosodym...@dfgh.net on 23 Jan 2015 at 6:02

Attachments: