Merge branch 'ashb-csr_san'

author: William Ahern <william@25thandclement.com> 2016-06-24 19:14:05 -0700
committer: William Ahern <william@25thandclement.com> 2016-06-24 19:14:05 -0700
commit: c429c7d4945d2cddf43d31bd59b45cadea617f82 (patch)
tree: 5458f64fbd3a52e7128f8977715b3ee1cac3098a
parent: dac0e48996b48537fa6d1f6b75b39731b9a58cb2 (diff)
parent: bddd9f5a79ae4aea43d7dca09157c53e40503bfb (diff)
download: luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.tar.gz
luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.tar.bz2
luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.zip
6 files changed, 130 insertions, 2 deletions
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 433dd03..7db7463 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -597,6 +597,14 @@ Returns the subject distinguished name as an \module{x509.name} object.
 Sets the subject distinguished name. $name$ should be an \module{x509.name} object.
+\subsubsection[\fn{csr:getSubjectAlt}]{\fn{csr:getSubjectAlt()}}
+Returns the subject alternative name as an \module{x509.altname} object.
+\subsubsection[\fn{csr:setSubjectAlt}]{\fn{csr:setSubjectAlt($name$)}}
+Sets the subject alternative names. $name$ should be an \module{x509.altname} object.
 \subsubsection[\fn{csr:getPublicKey}]{\fn{csr:getPublicKey()}}
 Returns the public key component as an \module{openssl.pkey} object.
diff --git a/src/GNUmakefile b/src/GNUmakefile
index 3aff30a..f0eefde 100644
--- a/src/GNUmakefile
+++ b/src/GNUmakefile
@@ -88,6 +88,7 @@ LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true)
 MODS$(1)_$(d) = \
        $$(DESTDIR)$(2)/_openssl.so \
        $$(DESTDIR)$(3)/openssl.lua \
+        $$(DESTDIR)$(3)/openssl/auxlib.lua \
        $$(DESTDIR)$(3)/openssl/bignum.lua \
        $$(DESTDIR)$(3)/openssl/pkey.lua \
        $$(DESTDIR)$(3)/openssl/pubkey.lua \
diff --git a/src/openssl.auxlib.lua b/src/openssl.auxlib.lua
new file mode 100644
index 0000000..4f00c25
--- /dev/null
+++ b/src/openssl.auxlib.lua
@@ -0,0 +1,21 @@
+local auxlib = {}
+if _VERSION == "Lua 5.1" then
+        local _pairs = pairs
+        function auxlib.pairs(t)
+                if type(t) == "userdata" then
+                        local mt = getmetatable(t)
+                        if mt and mt.__pairs then
+                                return mt.__pairs(t)
+                        else
+                                return _pairs(t)
+                        end
+                end
+        end
+else
+        auxlib.pairs = pairs
+end
+return auxlib
diff --git a/src/openssl.c b/src/openssl.c
index 11d02a0..9c40e57 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -4328,6 +4328,7 @@ static const auxL_IntegerReg xe_textopts[] = {
        { "ERROR_UNKNOWN", X509V3_EXT_ERROR_UNKNOWN },
        { "PARSE_UNKNOWN", X509V3_EXT_PARSE_UNKNOWN },
        { "DUMP_UNKNOWN", X509V3_EXT_DUMP_UNKNOWN },
+        { NULL, 0 },
 };
 int luaopen__openssl_x509_extension(lua_State *L) {
@@ -5487,6 +5488,99 @@ static int xr_setPublicKey(lua_State *L) {
 } /* xr_setPublicKey() */
+static int xr_setExtensionByNid(lua_State *L, X509_REQ *csr, int target_nid, void* value) {
+        STACK_OF(X509_EXTENSION) *sk = NULL;
+        int has_attrs=0;
+        /*
+         * Replace existing if it's there. Extensions are stored in a CSR in
+         * an interesting way:
+         *
+         * They are stored as a list under either (most likely) the
+         * "official" NID_ext_req or under NID_ms_ext_req which means
+         * everything is stored under a list in a single "attribute" so we
+         * can't use X509_REQ_add1_attr or similar.
+         *
+         * Instead we have to get the extensions, find and replace the SAN
+         * if it's in there, then *replace* the extensions in the list of
+         * attributes. (If we just try to add it the old ones are found
+         * first and don't take priority.)
+         */
+        has_attrs = X509_REQ_get_attr_count(csr);
+        sk = X509_REQ_get_extensions(csr);
+        if (!X509V3_add1_i2d(&sk, target_nid, value, 0, X509V3_ADD_REPLACE))
+                goto error;
+        if (X509_REQ_add_extensions(csr, sk) == 0)
+                goto error;
+        sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
+        sk = NULL;
+        /*
+         * Delete the old extensions attribute, so that the one we just
+         * added takes priority.
+         */
+        if (has_attrs) {
+                X509_ATTRIBUTE *attr = NULL;
+                int idx, *pnid;
+                for (pnid = X509_REQ_get_extension_nids(); *pnid != NID_undef; pnid++) {
+                        idx = X509_REQ_get_attr_by_NID(csr, *pnid, -1);
+                        if (idx == -1)
+                                continue;
+                        if (!(attr = X509_REQ_delete_attr(csr, idx)))
+                                goto error;
+                        X509_ATTRIBUTE_free(attr);
+                        break;
+                }
+                if (!attr)
+                        goto error;
+        }
+        /*
+         * We have to mark the encoded form as invalid, otherwise when we
+         * write it out again it will use the loaded version.
+         */
+        csr->req_info->enc.modified = 1;
+        lua_pushboolean(L, 1);
+        return 1;
+error:
+        if (sk)
+                sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
+        return auxL_error(L, auxL_EOPENSSL, "x509.csr.setExtensionByNid");
+} /* xr_setExtensionByNid() */
+static int xr_setSubjectAlt(lua_State *L) {
+        X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
+        GENERAL_NAMES *gens = checksimple(L, 2, X509_GENS_CLASS);
+        return xr_setExtensionByNid(L, csr, NID_subject_alt_name, gens);
+} /* xr_setSubjectAlt */
+static int xr_getSubjectAlt(lua_State *L) {
+        X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
+        STACK_OF(X509_EXTENSION) *exts;
+        GENERAL_NAMES *gens;
+        exts = X509_REQ_get_extensions(csr);
+        gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
+        sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+        if (!gens) goto error;
+        gn_dup(L, gens);
+        return 1;
+error:
+        return 0;
+} /* xr_getSubjectAlt() */
 static int xr_sign(lua_State *L) {
        X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
        EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -5544,6 +5638,8 @@ static const auxL_Reg xr_methods[] = {
        { "setSubject",   &xr_setSubject },
        { "getPublicKey", &xr_getPublicKey },
        { "setPublicKey", &xr_setPublicKey },
+        { "getSubjectAlt", &xr_getSubjectAlt },
+        { "setSubjectAlt", &xr_setSubjectAlt },
        { "sign",         &xr_sign },
        { "tostring",     &xr__tostring },
        { NULL,           NULL },
diff --git a/src/openssl.x509.altname.lua b/src/openssl.x509.altname.lua
index 66f16e7..e8222a0 100644
--- a/src/openssl.x509.altname.lua
+++ b/src/openssl.x509.altname.lua
@@ -1,9 +1,10 @@
 local altname = require"_openssl.x509.altname"
+local auxlib = require"openssl.auxlib"
 altname.interpose("__tostring", function (self)
        local t = { }
-        for k, v in pairs(self) do
+        for k, v in auxlib.pairs(self) do
                t[#t + 1] = k .. ":" .. v
        end
diff --git a/src/openssl.x509.name.lua b/src/openssl.x509.name.lua
index a531502..f33339a 100644
--- a/src/openssl.x509.name.lua
+++ b/src/openssl.x509.name.lua
@@ -1,9 +1,10 @@
 local name = require"_openssl.x509.name"
+local auxlib = require"openssl.auxlib"
 name.interpose("__tostring", function (self)
        local t = { }
-        for k, v in pairs(self) do
+        for k, v in auxlib.pairs(self) do
                t[#t + 1] = k .. "=" .. v
        end
author	William Ahern <william@25thandclement.com>	2016-06-24 19:14:05 -0700
committer	William Ahern <william@25thandclement.com>	2016-06-24 19:14:05 -0700
commit	c429c7d4945d2cddf43d31bd59b45cadea617f82 (patch)
tree	5458f64fbd3a52e7128f8977715b3ee1cac3098a
parent	dac0e48996b48537fa6d1f6b75b39731b9a58cb2 (diff)
parent	bddd9f5a79ae4aea43d7dca09157c53e40503bfb (diff)
download	luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.tar.gz luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.tar.bz2 luaossl-c429c7d4945d2cddf43d31bd59b45cadea617f82.zip

diff --git a/doc/luaossl.tex b/doc/luaossl.tex index 433dd03..7db7463 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex
@@ -597,6 +597,14 @@ Returns the subject distinguished name as an \module{x509.name} object.
597		597
598	Sets the subject distinguished name. $name$ should be an \module{x509.name} object.	598	Sets the subject distinguished name. $name$ should be an \module{x509.name} object.
599		599
		600	\subsubsection[\fn{csr:getSubjectAlt}]{\fn{csr:getSubjectAlt()}}
		601
		602	Returns the subject alternative name as an \module{x509.altname} object.
		603
		604	\subsubsection[\fn{csr:setSubjectAlt}]{\fn{csr:setSubjectAlt($name$)}}
		605
		606	Sets the subject alternative names. $name$ should be an \module{x509.altname} object.
		607
600	\subsubsection[\fn{csr:getPublicKey}]{\fn{csr:getPublicKey()}}	608	\subsubsection[\fn{csr:getPublicKey}]{\fn{csr:getPublicKey()}}
601		609
602	Returns the public key component as an \module{openssl.pkey} object.	610	Returns the public key component as an \module{openssl.pkey} object.


diff --git a/src/GNUmakefile b/src/GNUmakefile index 3aff30a..f0eefde 100644 --- a/src/GNUmakefile +++ b/src/GNUmakefile
@@ -88,6 +88,7 @@ LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true)
88	MODS$(1)_$(d) = \	88	MODS$(1)_$(d) = \
89	$$(DESTDIR)$(2)/_openssl.so \	89	$$(DESTDIR)$(2)/_openssl.so \
90	$$(DESTDIR)$(3)/openssl.lua \	90	$$(DESTDIR)$(3)/openssl.lua \
		91	$$(DESTDIR)$(3)/openssl/auxlib.lua \
91	$$(DESTDIR)$(3)/openssl/bignum.lua \	92	$$(DESTDIR)$(3)/openssl/bignum.lua \
92	$$(DESTDIR)$(3)/openssl/pkey.lua \	93	$$(DESTDIR)$(3)/openssl/pkey.lua \
93	$$(DESTDIR)$(3)/openssl/pubkey.lua \	94	$$(DESTDIR)$(3)/openssl/pubkey.lua \


diff --git a/src/openssl.auxlib.lua b/src/openssl.auxlib.lua new file mode 100644 index 0000000..4f00c25 --- /dev/null +++ b/src/openssl.auxlib.lua
@@ -0,0 +1,21 @@
		1	local auxlib = {}
		2
		3	if _VERSION == "Lua 5.1" then
		4	local _pairs = pairs
		5
		6	function auxlib.pairs(t)
		7	if type(t) == "userdata" then
		8	local mt = getmetatable(t)
		9
		10	if mt and mt.__pairs then
		11	return mt.__pairs(t)
		12	else
		13	return _pairs(t)
		14	end
		15	end
		16	end
		17	else
		18	auxlib.pairs = pairs
		19	end
		20
		21	return auxlib


diff --git a/src/openssl.c b/src/openssl.c index 11d02a0..9c40e57 100644 --- a/src/openssl.c +++ b/src/openssl.c
@@ -4328,6 +4328,7 @@ static const auxL_IntegerReg xe_textopts[] = {
4328	{ "ERROR_UNKNOWN", X509V3_EXT_ERROR_UNKNOWN },	4328	{ "ERROR_UNKNOWN", X509V3_EXT_ERROR_UNKNOWN },
4329	{ "PARSE_UNKNOWN", X509V3_EXT_PARSE_UNKNOWN },	4329	{ "PARSE_UNKNOWN", X509V3_EXT_PARSE_UNKNOWN },
4330	{ "DUMP_UNKNOWN", X509V3_EXT_DUMP_UNKNOWN },	4330	{ "DUMP_UNKNOWN", X509V3_EXT_DUMP_UNKNOWN },
		4331	{ NULL, 0 },
4331	};	4332	};
4332		4333
4333	int luaopen__openssl_x509_extension(lua_State *L) {	4334	int luaopen__openssl_x509_extension(lua_State *L) {
@@ -5487,6 +5488,99 @@ static int xr_setPublicKey(lua_State *L) {
5487	} /* xr_setPublicKey() */	5488	} /* xr_setPublicKey() */
5488		5489
5489		5490
		5491	static int xr_setExtensionByNid(lua_State L, X509_REQ csr, int target_nid, void* value) {
		5492	STACK_OF(X509_EXTENSION) *sk = NULL;
		5493	int has_attrs=0;
		5494
		5495	/*
		5496	* Replace existing if it's there. Extensions are stored in a CSR in
		5497	* an interesting way:
		5498	*
		5499	* They are stored as a list under either (most likely) the
		5500	* "official" NID_ext_req or under NID_ms_ext_req which means
		5501	* everything is stored under a list in a single "attribute" so we
		5502	* can't use X509_REQ_add1_attr or similar.
		5503	*
		5504	* Instead we have to get the extensions, find and replace the SAN
		5505	* if it's in there, then replace the extensions in the list of
		5506	* attributes. (If we just try to add it the old ones are found
		5507	* first and don't take priority.)
		5508	*/
		5509	has_attrs = X509_REQ_get_attr_count(csr);
		5510
		5511	sk = X509_REQ_get_extensions(csr);
		5512	if (!X509V3_add1_i2d(&sk, target_nid, value, 0, X509V3_ADD_REPLACE))
		5513	goto error;
		5514	if (X509_REQ_add_extensions(csr, sk) == 0)
		5515	goto error;
		5516	sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
		5517	sk = NULL;
		5518
		5519	/*
		5520	* Delete the old extensions attribute, so that the one we just
		5521	* added takes priority.
		5522	*/
		5523	if (has_attrs) {
		5524	X509_ATTRIBUTE *attr = NULL;
		5525	int idx, *pnid;
		5526
		5527	for (pnid = X509_REQ_get_extension_nids(); *pnid != NID_undef; pnid++) {
		5528	idx = X509_REQ_get_attr_by_NID(csr, *pnid, -1);
		5529	if (idx == -1)
		5530	continue;
		5531	if (!(attr = X509_REQ_delete_attr(csr, idx)))
		5532	goto error;
		5533	X509_ATTRIBUTE_free(attr);
		5534	break;
		5535	}
		5536	if (!attr)
		5537	goto error;
		5538	}
		5539
		5540	/*
		5541	* We have to mark the encoded form as invalid, otherwise when we
		5542	* write it out again it will use the loaded version.
		5543	*/
		5544	csr->req_info->enc.modified = 1;
		5545
		5546	lua_pushboolean(L, 1);
		5547
		5548	return 1;
		5549	error:
		5550	if (sk)
		5551	sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
		5552
		5553	return auxL_error(L, auxL_EOPENSSL, "x509.csr.setExtensionByNid");
		5554	} /* xr_setExtensionByNid() */
		5555
		5556
		5557	static int xr_setSubjectAlt(lua_State *L) {
		5558	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
		5559	GENERAL_NAMES *gens = checksimple(L, 2, X509_GENS_CLASS);
		5560
		5561	return xr_setExtensionByNid(L, csr, NID_subject_alt_name, gens);
		5562	} /* xr_setSubjectAlt */
		5563
		5564
		5565	static int xr_getSubjectAlt(lua_State *L) {
		5566	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
		5567	STACK_OF(X509_EXTENSION) *exts;
		5568	GENERAL_NAMES *gens;
		5569
		5570	exts = X509_REQ_get_extensions(csr);
		5571	gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
		5572	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
		5573	if (!gens) goto error;
		5574
		5575	gn_dup(L, gens);
		5576
		5577	return 1;
		5578	error:
		5579	return 0;
		5580	} /* xr_getSubjectAlt() */
		5581
		5582
		5583
5490	static int xr_sign(lua_State *L) {	5584	static int xr_sign(lua_State *L) {
5491	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);	5585	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
5492	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);	5586	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -5544,6 +5638,8 @@ static const auxL_Reg xr_methods[] = {
5544	{ "setSubject", &xr_setSubject },	5638	{ "setSubject", &xr_setSubject },
5545	{ "getPublicKey", &xr_getPublicKey },	5639	{ "getPublicKey", &xr_getPublicKey },
5546	{ "setPublicKey", &xr_setPublicKey },	5640	{ "setPublicKey", &xr_setPublicKey },
		5641	{ "getSubjectAlt", &xr_getSubjectAlt },
		5642	{ "setSubjectAlt", &xr_setSubjectAlt },
5547	{ "sign", &xr_sign },	5643	{ "sign", &xr_sign },
5548	{ "tostring", &xr__tostring },	5644	{ "tostring", &xr__tostring },
5549	{ NULL, NULL },	5645	{ NULL, NULL },


diff --git a/src/openssl.x509.altname.lua b/src/openssl.x509.altname.lua index 66f16e7..e8222a0 100644 --- a/src/openssl.x509.altname.lua +++ b/src/openssl.x509.altname.lua
@@ -1,9 +1,10 @@
1	local altname = require"_openssl.x509.altname"	1	local altname = require"_openssl.x509.altname"
		2	local auxlib = require"openssl.auxlib"
2		3
3	altname.interpose("__tostring", function (self)	4	altname.interpose("__tostring", function (self)
4	local t = { }	5	local t = { }
5		6
6	for k, v in pairs(self) do	7	for k, v in auxlib.pairs(self) do
7	t[#t + 1] = k .. ":" .. v	8	t[#t + 1] = k .. ":" .. v
8	end	9	end
9		10


diff --git a/src/openssl.x509.name.lua b/src/openssl.x509.name.lua index a531502..f33339a 100644 --- a/src/openssl.x509.name.lua +++ b/src/openssl.x509.name.lua
@@ -1,9 +1,10 @@
1	local name = require"_openssl.x509.name"	1	local name = require"_openssl.x509.name"
		2	local auxlib = require"openssl.auxlib"
2		3
3	name.interpose("__tostring", function (self)	4	name.interpose("__tostring", function (self)
4	local t = { }	5	local t = { }
5		6
6	for k, v in pairs(self) do	7	for k, v in auxlib.pairs(self) do
7	t[#t + 1] = k .. "=" .. v	8	t[#t + 1] = k .. "=" .. v
8	end	9	end
9		10