summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorwilliam <william@25tandclement.com>2014-03-22 21:22:19 -0700
committerwilliam <william@25tandclement.com>2014-03-22 21:22:19 -0700
commit052431b55ded9fe43f54c8b1a35c551f99f1c064 (patch)
tree7ca9c561243943fc8d85db8d184e2a76ea7a1669 /doc
parent331bc576f5bf394bcc006a8cb7766062dabdfe9c (diff)
downloadluaossl-052431b55ded9fe43f54c8b1a35c551f99f1c064.tar.gz
luaossl-052431b55ded9fe43f54c8b1a35c551f99f1c064.tar.bz2
luaossl-052431b55ded9fe43f54c8b1a35c551f99f1c064.zip
add luaossl documentation as copied and amended from the cqueues user guide
Diffstat (limited to 'doc')
-rw-r--r--doc/luaossl.tex860
1 files changed, 860 insertions, 0 deletions
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
new file mode 100644
index 0000000..3d33422
--- /dev/null
+++ b/doc/luaossl.tex
@@ -0,0 +1,860 @@
1\documentclass[11pt, oneside]{memoir}
2
3\usepackage{fullpage}
4\usepackage{xspace}
5\usepackage{makeidx}
6\usepackage{listings}
7\usepackage{multicol}
8\usepackage{graphicx}
9\usepackage[colorlinks=true, linkcolor=blue]{hyperref}
10
11\setlength{\parindent}{0pt}
12\nonzeroparskip
13
14% add padding to ctabular tables
15\renewcommand{\arraystretch}{1.2}
16
17\makeindex
18
19%
20% COMMANDS
21%
22\newcommand*{\luaossl}[0]{\texttt{luaossl}\xspace}
23\newcommand*{\key}[1]{#1\index{#1}\xspace}
24\newcommand*{\syscall}[1]{\texttt{#1}\xspace}
25\newcommand*{\routine}[1]{\texttt{#1}\xspace}
26\newcommand*{\fn}[1]{\texttt{#1}\xspace}
27\newcommand*{\method}[1]{\texttt{#1}\xspace}
28\newcommand*{\module}[1]{\texttt{#1}\xspace}
29\newcommand*{\errno}[1]{\texttt{#1}\xspace}
30\newcommand*{\crlf}[0]{$\backslash$r$\backslash$n\xspace}
31\newcommand*{\lf}[0]{$\backslash$n\xspace}
32
33%
34% ENVIRONMENTS
35%
36\lstdefinelanguage{lua}{
37morekeywords={break,goto,do,end,while,repeat,until,if,then,elseif,else,for,in,function,local,nil,false,true,and,or,not},
38sensitive=true,
39morestring=[b]"
40}
41
42\lstnewenvironment{code}[1]{
43 \lstset{language=#1}
44}{
45}
46
47\lstnewenvironment{example}[1]{
48 \lstset{language=#1,numbers=left,numberstyle=\tiny,stepnumber=2,tabsize=4}
49 \ttfamily\small
50}{
51}
52
53\newcounter{toccols}
54\setcounter{toccols}{2}
55\newenvironment{Module}[1]{
56 \subsection{\texttt{#1}}
57 \addtocontents{toc}{
58 \protect\begin{multicols}{\value{toccols}}
59 %\renewcommand*{\cftsubsubsectiondotsep}{\cftnodots}%
60 }
61}{
62 \addtocontents{toc}{\protect\end{multicols}}
63}
64
65
66\lstdefinelanguage{lua}{morekeywords={break,goto,do,end,while,repeat,until,if,then,elseif,else,for,in,function,local,nil,false,true,and,or,not},sensitive=true,morestring=[b]"}
67
68
69\begin{document}
70
71%\pagestyle{empty}
72
73\title{
74
75\vspace*{10ex}
76
77\HUGE\sffamily User Guide to \luaossl, \\
78
79%\vspace*{20pt}
80%\hrule
81
82\HUGE Comprehensive OpenSSL Module for Lua \\
83
84\vspace*{30pt}
85\hrule
86}
87
88\date{\today}
89\author{William Ahern}
90%\setlength{\droptitle}{85pt}
91\maketitle
92\thispagestyle{empty}
93\clearpage
94
95\maxtocdepth{subsubsection}
96\setsecnumdepth{subsection}
97\setcounter{page}{1}
98\pagenumbering{roman}
99\tableofcontents
100
101\clearpage
102
103\setcounter{page}{1}
104\pagenumbering{arabic}
105
106\chapterstyle{section}
107\setlength{\beforechapskip}{1ex}
108\setlength{\afterchapskip}{1ex}
109
110\chapter{Dependencies}
111
112\section{Operating Systems}
113
114\luaossl targets modern POSIX-conformant systems. A Windows port is feasible and patches welcome.
115Note however that the module employs the POSIX thread API, POSIX dlopen, and the non-POSIX dladdr interface to protect OpenSSL in threaded environments.
116
117\section{Libraries}
118
119\subsection{Lua 5.1, 5.2, 5.3}
120
121\luaossl targets Lua 5.1 and above.
122
123\subsection{OpenSSL}
124
125\luaossl targets modern OpenSSL versions as installed on OS X, Linux, Solaris, OpenBSD, and similar platforms.
126
127\subsection{pthreads}
128
129Because it's not possible to detect threading use at runtime, or to \emph{safely} and dynamically enable locking, this protection is builtin by default. At present the module only understands the POSIX threading API.
130
131\paragraph{Linking}
132Note that on some systems, such as NetBSD and FreeBSD, the loading application must be linked against pthreads (using -lpthread or -pthread). It is not enough for the \luaossl module to pull in the dependency at load time. In particular, if using the stock Lua interpreter, it must have been linked against pthreads at build time. Add the appropriate linker flag to MYLIBS in lua-5.2.x/src/Makefile.
133
134\subsection{libdl}
135
136In multithreaded environments the module will initialize OpenSSL mutexes if they've not already been initialized. If the mutexes are initialized then the module must pin itself in memory to prevent unloading by the Lua garbage collector. The module first uses the non-standard but widely supported dladdr routine to derive the module's load path, and then increments the reference count to the module using dlopen. This is the safest and most portable method that I'm aware of.
137
138\section{GNU Make}
139
140The Makefile requires GNU Make, usually installed as gmake on platforms other than Linux or OS X. The actual \texttt{Makefile} proxies to \texttt{GNUmakefile}. As long as \texttt{gmake} is installed on non-GNU systems you can invoke your system's \texttt{make}.
141
142\chapter{Installation}
143
144All the C modules are built into a single core C library. The core routines are then wrapped and extended through Lua modules. Because there several extant versions of Lua often used in parallel on the same system, there are individual targets to build and install for each supported Lua version. The targets \texttt{all} and \texttt{install} will attempt to build and install all supported versions.
145
146Note that building and installation and can accomplished in a single step by simply invoking one of the install targets with all the necessary variables defined.
147
148\section{Building}
149
150There is no separate \texttt{./configure} step. System introspection occurs during compile-time. However, the ``\texttt{configure}'' make target can be used to cache the build environment so one needn't continually use a long command-line invocation.
151
152All the common GNU-style compiler variables are supported, including \texttt{CC}, \texttt{CPPFLAGS}, \texttt{CFLAGS}, \texttt{LDFLAGS}, and \texttt{SOFLAGS}. Note that you can specify the path to Lua 5.1, Lua 5.2, and Lua 5.3 include headers at the same time in CPPFLAGS; the build system will work things out to ensure the correct headers are loaded when compiling each version of the module.
153
154\subsection{Targets}
155
156\begin{description}
157\item[\texttt{all}] \hfill \\
158Build modules for Lua 5.1, 5.2, and 5.3.
159
160\item[\texttt{all5.1}] \hfill \\
161Build Lua 5.1 module.
162
163\item[\texttt{all5.2}] \hfill \\
164Build Lua 5.2 module.
165
166\item[\texttt{all5.3}] \hfill \\
167Build Lua 5.3 module.
168
169\end{description}
170
171\section{Installing}
172
173All the common GNU-style installation path variables are supported, including \texttt{prefix}, \texttt{bindir}, \texttt{libdir}, \texttt{datadir}, \texttt{includedir}, and \texttt{DESTDIR}. These additional path variables are also allowed:
174
175\begin{description}
176
177\item[\texttt{lua51path}] \hfill \\
178Install path for Lua 5.1 modules, e.g. \texttt{\$(prefix)/share/lua/5.1}
179
180\item[\texttt{lua51cpath}] \hfill \\
181Install path for Lua 5.1 C modules, e.g. \texttt{\$(prefix)/lib/lua/5.1}
182
183\item[\texttt{lua52path}] \hfill \\
184Install path for Lua 5.2 modules, e.g. \texttt{\$(prefix)/share/lua/5.2}
185
186\item[\texttt{lua52cpath}] \hfill \\
187Install path for Lua 5.2 C modules, e.g. \texttt{\$(prefix)/lib/lua/5.2}
188
189\end{description}
190
191\subsection{Targets}
192
193\begin{description}
194
195\item[\texttt{install}] \hfill \\
196Install modules for Lua 5.1, 5.2, and 5.3.
197
198\item[\texttt{install5.1}] \hfill \\
199Install Lua 5.1 module.
200
201\item[\texttt{install5.2}] \hfill \\
202Install Lua 5.2 module.
203
204\item[\texttt{install5.3}] \hfill \\
205Install Lua 5.3 module.
206
207\end{description}
208
209
210\chapter{Usage}
211
212\section{Modules}
213
214\begin{Module}{openssl.bignum}
215
216\module{openssl.bignum} binds OpenSSL's libcrypto bignum library. It supports all the standard arithmetic operations. Regular number operands in a mixed arithmetic expression are upgraded as-if \method{bignum.new} was used explicitly. The \fn{\_\_tostring} metamethod generates a decimal encoded represention.
217
218\subsubsection[\fn{bignum.new}]{\fn{bignum.new(number)}}
219
220Wraps the sign and integral part of `number' as a bignum object, discarding any fractional part.
221
222\subsubsection[\fn{bignum.interpose}]{\fn{bignum.interpose(name, function)}}
223
224Add or interpose a bignum class method. Returns the previous method, if any.
225
226\end{Module}
227
228
229\begin{Module}{openssl.pubkey}
230
231\module{openssl.pubkey} binds OpenSSL's libcrypto public-private key library. The \fn{tostring} metamethod generates a PEM encoded representation of the public key---excluding the private key.
232
233\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new(string)}}
234
235Initializes a new pubkey object from the PEM-encoded key in `string'.
236
237\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new\{ $\ldots$ \}}}
238
239Generates a new pubkey object according to the specified parameters.
240
241\begin{ctabular}{ c | c | p{5in}}
242field & type:default & description\\\hline
243.type & string:RSA & public key algorithm---``RSA'', ``DSA'', ``EC'', ``DH'', or an internal OpenSSL identifier of a subclass of one of those basic types \\
244
245.bits & number:1024 & private key size \\
246
247.exp & number:65537 & RSA or Diffie-Hellman exponent \\
248
249.curve & string:prime192v1 & for elliptic curve keys, the OpenSSL string identifier of the curve
250\end{ctabular}
251\subsubsection[\fn{pubkey.interpose}]{\fn{pubkey.interpose(name, function)}}
252
253Add or interpose a pubkey class method. Returns the previous method, if any.
254
255\subsubsection[\fn{pubkey:type}]{\fn{pubkey:type()}}
256
257Returns the OpenSSL string identifier for the type of key.
258
259\subsubsection[\fn{pubkey:setPublicKey}]{\fn{pubkey:setPublicKey(string)}}
260
261Set the public key component to that described by the PEM encoded public key in `string'.
262
263\subsubsection[\fn{pubkey:setPrivateKey}]{\fn{pubkey:setPrivateKey(string)}}
264
265Set the private key component to that described by the PEM encoded private key in `string'.
266
267\subsubsection[\fn{pubkey:sign}]{\fn{pubkey:sign(digest)}}
268
269Sign data which has been consumed by the specified \module{openssl.digest} `digest'. Digests and keys are not all interchangeable. For example, an elliptic curve key requires a digest of type ``ecdsa-with-SHA1'', while DSA requires ``dss1''. OpenSSL supports more varied digests for RSA.
270
271Returns the signature as an opaque binary string\footnote{Elliptic curve signatures are two X.509 DER-encoded numbers, for example, while RSA signatures are encrypted DER structures.} on success, and throws an error otherwise.
272
273\subsubsection[\fn{pubkey:verify}]{\fn{pubkey:verify(signature, digest)}}
274
275Verify the string `signature' as signing the document consumed by \module{openssl.digest} `digest`. See the :sign method for constraints on the format and type of the parameters.
276
277Returns true on success, false for properly formatted but invalid signatures, and throws an error otherwise. Because the structure of the signature is opaque and not susceptible to sanity checking before passing to OpenSSL, an application should always be prepared for an error to be thrown when verifying untrusted signatures. OpenSSL, of course, should be able to handle all malformed inputs. But the module does not attempt to differentiate local system errors from errors triggered by malformed signatures because the set of such errors may change in the future.
278
279\subsubsection[\fn{pubkey:toPEM}]{\fn{pubkey:toPEM(which[, which])}}
280
281Returns the PEM encoded string representation(s) of the specified key component. `which' must be one of ``public'', ``PublicKey'', ``private'', or ``PrivateKey''. For the two argument form, returns two values.
282
283\end{Module}
284
285
286\begin{Module}{openssl.x509.name}
287
288Binds the X.509 distinguished name OpenSSL ASN.1 object, used for representing certificate subject and issuer names.
289
290\subsubsection[\fn{name.new}]{\fn{name.new()}}
291
292Returns an empty name object.
293
294\subsubsection[\fn{name.interpose}]{\fn{name.interpose(name, function)}}
295
296Add or interpose a name class method. Returns the previous method, if any.
297
298\subsubsection[\fn{name:add}]{\fn{name:add(type, value)}}
299
300Add a distinguished name component. `type' is the OpenSSL string identifier of the component type---short, long, or OID forms. `value' is the string value of the component. DN components are free-form, and are encoded raw.
301
302\subsubsection[\fn{name:all}]{\fn{name:all()}}
303
304Returns a table array of the distinguished name components. Each element is a table with four fields:
305
306\begin{tabular}{ l | l}
307field & description\\\hline
308.sn & short name identifier, if available\\
309.ln & long name identifier, if available\\
310.id & OID identifier\\
311.blob & raw string value of the component
312\end{tabular}
313
314\subsubsection[\fn{name:\_\_pairs}]{\fn{name:\_\_pairs()}}
315
316Returns a key-value iterator over the distinguished name components. The key is either the short, long, or OID identifier, with preference for the former.
317
318\end{Module}
319
320
321\begin{Module}{openssl.x509.altname}
322
323Binds the X.509 alternative names (a.k.a ``general names'') OpenSSL ASN.1 object, used for representing certificate subject and issuer alternative names.
324
325\subsubsection[\fn{altname.new}]{\fn{altname.new()}}
326
327Returns an empty altname object.
328
329\subsubsection[\fn{altname.interpose}]{\fn{altname.interpose(name, function)}}
330
331Add or interpose an altname class method. Returns the previous method, if any.
332
333\subsubsection[\fn{altname:add}]{\fn{altname:add(type, value)}}
334
335Add an alternative name. `type' must specify one of the four basic types identified by ``RFC822Name'', ``RFC822'', ``email'', ``UniformResourceIdentifier'', ``URI'', ``DNSName'', ``DNS'', ``IPAddress'', and ``IP''.
336
337`value' is a string acceptable to OpenSSL's sanity checks. For an IP address, `value' must be parseable by the system's \fn{inet\_pton} routine, as IP addresses are stored as raw 4- or 16-byte octets.
338
339\subsubsection[\fn{name:\_\_pairs}]{\fn{name:\_\_pairs()}}
340
341Returns a key-value iterator over the alternative names. The key is one of ``email'', ``URI'', ``DNS'', or ``IP''. The value is the string representation of the name.
342
343\end{Module}
344
345
346\begin{Module}{openssl.x509}
347
348Binds the X.509 certificate OpenSSL ASN.1 object.
349
350\subsubsection[\fn{x509.new}]{\fn{x509.new([string])}}
351
352Returns a new x509 object, optionally initialized to the PEM encoded certificate specified by `string'.
353
354\subsubsection[\fn{x509.interpose}]{\fn{x509.interpose(name, function)}}
355
356Add or interpose an x509 class method. Returns the previous method, if any.
357
358\subsubsection[\fn{x509:getVersion}]{\fn{x509:getVersion()}}
359
360Returns the X.509 version of the certificate.
361
362\subsubsection[\fn{x509:setVersion}]{\fn{x509:setVersion(number)}}
363
364Sets the X.509 version of the certificate.
365
366\subsubsection[\fn{x509:getSerial}]{\fn{x509:getSerial()}}
367
368Returns the serial of the certificate as an \module{openssl.bignum}.
369
370\subsubsection[\fn{x509:setSerial}]{\fn{x509:setSerial(number)}}
371
372Sets the serial of the certificate. `number' is a Lua or \module{openssl.bignum} number.
373
374\subsubsection[\fn{x509:digest}]{\fn{x509:digest([type[, format]])}}
375
376Returns the cryptographic one-way message digest of the certificate. `type' is the OpenSSL string identifier of the hash type---e.g. ``md5'', ``sha1'' (default), ``sha256'', etc. `format' specifies the representation of the digest---``s'' for an octet string, ``x'' for a hexadecimal string (default), and ``n'' for an \module{openssl.bignum} number.
377
378\subsubsection[\fn{x509:getLifetime}]{\fn{x509:getLifetime()}}
379
380Returns the certificate validity ``Not Before'' and ``Not After'' dates as two Unix timestamp numbers.
381
382\subsubsection[\fn{x509:setLifetime}]{\fn{x509:setLifetime([notbefore][, notafter])}}
383
384Sets the certificate validity dates. A nil value leaves the particular date unchanged.
385
386\subsubsection[\fn{x509:getIssuer}]{\fn{x509:getIssuer()}}
387
388Returns the issuer distinguished name as an \module{x509.name} object.
389
390\subsubsection[\fn{x509:setIssuer}]{\fn{x509:setIssuer(name)}}
391
392Sets the issuer distinguished name.
393
394\subsubsection[\fn{x509:getSubject}]{\fn{x509:getSubject()}}
395
396Returns the subject distinguished name as an \module{x509.name} object.
397
398\subsubsection[\fn{x509:setSubject}]{\fn{x509:setSubject(name)}}
399
400Sets the subject distinguished name.
401
402\subsubsection[\fn{x509:getIssuerAlt}]{\fn{x509:getIssuerAlt()}}
403
404Returns the issuer alternative names as an \module{x509.altname} object.
405
406\subsubsection[\fn{x509:setIssuerAlt}]{\fn{x509:setIssuer(altname)}}
407
408Sets the issuer alternative names.
409
410\subsubsection[\fn{x509:getSubjectAlt}]{\fn{x509:getSubjectAlt()}}
411
412Returns the subject alternative names as an \module{x509.name} object.
413
414\subsubsection[\fn{x509:setSubjectAlt}]{\fn{x509:setSubjectAlt(name)}}
415
416Sets the subject alternative names.
417
418\subsubsection[\fn{x509:getIssuerAltCritical}]{\fn{x509:getIssuerAltCritical()}}
419
420Returns the issuer alternative names critical flag as a boolean.
421
422\subsubsection[\fn{x509:setIssuerAltCritical}]{\fn{x509:setIssuerAltCritical(boolean)}}
423
424Sets the issuer alternative names critical flag.
425
426\subsubsection[\fn{x509:getSubjectAltCritical}]{\fn{x509:getSubjectAltCritical()}}
427
428Returns the subject alternative names critical flag as a boolean.
429
430\subsubsection[\fn{x509:setSubjectAltCritical}]{\fn{x509:setSubjectAltCritical(boolean)}}
431
432Sets the subject alternative names critical flag.
433
434\subsubsection[\fn{x509:getBasicConstraints}]{\fn{x509:getBasicConstraints([which[, which $\ldots$ ]])}}
435
436Returns the X.509 ``basic constraint'' flags. If specified, `which' should be one of ``CA'' or ``pathLen'', which returns the specified constraint---respectively, a boolean and a number. If no parameters are specified, returns a table with fields ``CA'' and ``pathLen''.
437
438\subsubsection[\fn{x509:setBasicConstraints}]{\fn{x509:setBasicConstraints\{ $\ldots$ \}}}
439
440Sets the basic constraint flag according to the defined field values for ``CA'' (boolean) and ``pathLen'' (number).
441
442\subsubsection[\fn{x509:getBasicConstraintsCritical}]{\fn{x509:getBasicConstraintsCritical()}}
443
444Returns the basic constraints critical flag as a boolean.
445
446\subsubsection[\fn{x509:setBasicConstraintsCritical}]{\fn{x509:setBasicConstraintsCritical(boolean)}}
447
448Sets the basic constraints critical flag.
449
450\subsubsection[\fn{x509:isIssuedBy}]{\fn{x509:isIssuedBy(issuer)}}
451
452Returns a boolean according to whether the specified issuer---an \module{openssl.x509} object---signed the instance certificate.
453
454\subsubsection[\fn{x509:getPublicKey}]{\fn{x509:getPublicKey()}}
455
456Returns the public key component as an \module{openssl.pubkey} object.
457
458\subsubsection[\fn{x509:setPublicKey}]{\fn{x509:setPublicKey(key)}}
459
460Sets the public key component referenced by the \module{openssl.pubkey} object `key'.
461
462\subsubsection[\fn{x509:sign}]{\fn{x509:sign(key [, type])}}
463
464Signs and updates the instance certificate using the \module{openssl.pubkey} `key'. `type' is an optional string describing the digest type. See \module{pubkey:sign}, regarding which types of digests are valid. If `type' is omitted than a default type is used---``sha1'' for RSA keys, ``dss1'' for DSA keys, and ``ecdsa-with-SHA1'' for EC keys.
465
466\subsubsection[\fn{x509:\_\_tostring}]{\fn{x509:\_\_tostring}}
467
468Returns the PEM encoded representation of the instance certificate.
469
470\end{Module}
471
472
473\begin{Module}{openssl.x509.csr}
474
475Binds the X.509 certificate signing request OpenSSL ASN.1 object.
476
477\subsubsection[\fn{csr.new}]{\fn{csr.new([x509|string])}}
478
479Returns a new request object, optionally initialized to the specified \module{openssl.x509} certificate `x509' or the the PEM encoded certificate signing request `string'.
480
481\subsubsection[\fn{csr.interpose}]{\fn{csr.interpose(name, function)}}
482
483Add or interpose a request class method. Returns the previous method, if any.
484
485\subsubsection[\fn{csr:getVersion}]{\fn{csr:getVersion()}}
486
487Returns the X.509 version of the request.
488
489\subsubsection[\fn{car:setVersion}]{\fn{csr:setVersion(number)}}
490
491Sets the X.509 version of the request.
492
493\subsubsection[\fn{csr:getSubject}]{\fn{csr:getSubject()}}
494
495Returns the subject distinguished name as an \module{x509.name} object.
496
497\subsubsection[\fn{csr:setSubject}]{\fn{csr:setSubject(name)}}
498
499Sets the subject distinguished name.
500
501\subsubsection[\fn{csr:getPublicKey}]{\fn{csr:getPublicKey()}}
502
503Returns the public key component as an \module{openssl.pubkey} object.
504
505\subsubsection[\fn{csr:setPublicKey}]{\fn{csr:setPublicKey(key)}}
506
507Sets the public key component referenced by the \module{openssl.pubkey} object `key'.
508
509\subsubsection[\fn{car:sign}]{\fn{csr:sign(key)}}
510
511Signs the instance request using the \module{openssl.pubkey} `key'.
512
513\subsubsection[\fn{csr:\_\_tostring}]{\fn{csr:\_\_tostring}}
514
515Returns the PEM encoded representation of the instance request.
516
517\end{Module}
518
519
520\begin{Module}{openssl.x509.chain}
521
522Binds the ``STACK\_OF(X509)'' OpenSSL object, principally used in the OpenSSL library for representing a validation chain.
523
524\subsubsection[\fn{chain.new}]{\fn{chain.new()}}
525
526Returns a new chain object.
527
528\subsubsection[\fn{chain.interpose}]{\fn{chain.interpose(name, function)}}
529
530Add or interpose a chain class method. Returns the previous method, if any.
531
532\subsubsection[\fn{chain:add}]{\fn{chain:add(x509)}}
533
534Append the X.509 certificate `x509'.
535
536\subsubsection[\fn{chain:\_\_ipairs}]{\fn{chain:\_\_ipairs()}}
537
538Returns an iterator over the stored certificates.
539
540\end{Module}
541
542
543\begin{Module}{openssl.x509.store}
544
545Binds the X.509 certificate ``X509\_STORE'' OpenSSL object, principally used for loading and storing trusted certificates, paths to trusted certificates, and verification policy.
546
547\subsubsection[\fn{store.new}]{\fn{store.new()}}
548
549Returns a new store object.
550
551\subsubsection[\fn{store.interpose}]{\fn{store.interpose(name, function)}}
552
553Add or interpose a store class method. Returns the previous method, if any.
554
555\subsubsection[\fn{store:add}]{\fn{store:add(x509|filepath|dirpath)}}
556
557Add the X.509 certificate `x509' to the store, load the certificates from the file `filepath', or set the OpenSSL ``hash dir'' certificate path `dirpath'.
558
559\subsubsection[\fn{store:verify}]{\fn{store:verify(x509[, chain])}}
560
561Returns two values. The first is a boolean value for whether the specified certificate `x509' was verified. If true, the second value is a \module{openssl.x509.chain} object validation chain. If false, the second value is a string describing why verification failed. The optional parameter `chain' is an \module{openssl.x509.chain} object of untrusted certificates linking the certificate `x509' to one of the trusted certificates in the instance store.
562
563\end{Module}
564
565
566\begin{Module}{openssl.ssl.context}
567
568Binds the ``SSL\_CTX'' OpenSSL object, used as a configuration prototype for SSL connection instances. See \method{socket.starttls}.
569
570\subsubsection[\fn{context[]}]{\fn{context[]}}
571
572A table mapping bitwise flags to names.
573
574\begin{tabular}{ c | l }
575name & description \\\hline
576VERIFY\_NONE & disable client peer certificate verification \\
577VERIFY\_PEER & enable client peer certificate verification \\
578VERIFY\_FAIL\_IF\_NO\_PEER\_CERT & require a peer certificate \\
579VERIFY\_CLIENT\_ONCE & do not request peer certificates after initial handshake
580\end{tabular}
581
582See the \href{http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES}{NOTES section} in the OpenSSL documentation for \fn{SSL\_CTX\_set\_verify\_mode}.
583
584\subsubsection[\fn{context.new}]{\fn{context.new([protocol][, server])}}
585
586Returns a new context object. `protocol' is an optional string identifier selecting the SSL mode---TLSv1 (default), SSLv3, SSLv23, or SSLv2. If `server' is true, then SSL connections instantiated using this context will be placed into server mode, otherwise they behave as clients.
587
588\subsubsection[\fn{context.interpose}]{\fn{context.interpose(name, function)}}
589
590Add or interpose a context class method. Returns the previous method, if any.
591
592\subsubsection[\fn{context:setStore}]{\fn{context:setStore(store)}}
593
594Sets the \module{x509.store} of the context instance.
595
596\subsubsection[\fn{context:getVerify}]{\fn{context:getVerify()}}
597
598Returns two values: the bitwise verification mode flags, and the maximum validation depth.
599
600\subsubsection[\fn{context:setVerify}]{\fn{context:setVerify([mode][, depth])}}
601
602Sets the verification mode flags and maximum validation chain depth.
603
604\subsubsection[\fn{context:setCertificate}]{\fn{context:setCertificate(x509)}}
605
606Sets the X.509 certificate \module{openssl.x509} object `x509' to send during SSL connection instance handshakes.
607
608\subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey(key)}}
609
610Sets the private key \module{openssl.pubkey} object `key' for use during SSL connection instance handshakes.
611
612\subsubsection[\fn{context:setCipherList}]{\fn{context:setCipherList(string)}}
613
614Sets the allowed public key and private key algorithms. The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}.
615
616\end{Module}
617
618
619\begin{Module}{openssl.ssl}
620
621Binds the ``SSL'' OpenSSL object, which represents an SSL connection instance. See \method{socket.checktls}.
622
623\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose(name, function)}}
624
625Add or interpose an ssl class method. Returns the previous method, if any.
626
627\subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}}
628
629Returns the X.509 peer certificate as a \module{cqueues.openssl.x509} object. If no peer certificate is available, returns nil.
630
631\subsubsection[\fn{ssl:getPeerChain}]{\fn{ssl:getPeerChain()}}
632
633Similar to :getPeerCertifiate, but returns the entire chain sent by the peer as a \module{cqueues.openssl.x509.chain} object.
634
635\subsubsection[\fn{ssl:getCipherInfo}]{\fn{ssl:getCipherInfo()}}
636
637Returns a table of information on the current cipher.
638
639\begin{tabular}{ c | l }
640field & description\\\hline
641.name & cipher name returned by \fn{SSL\_CIPHER\_get\_name}\\
642.bits & number of secret bits returned by \fn{SSL\_CIPHER\_get\_bits}\\
643.version & SSL/TLS version string returned by \fn{SSL\_CIPHER\_get\_version}\\
644.description & key:value cipher description returned by \fn{SSL\_CIPHER\_description}
645\end{tabular}
646
647\end{Module}
648
649
650\begin{Module}{openssl.digest}
651
652Binds the ``EVP\_MD\_CTX'' OpenSSL object, which represents a cryptographic message digest (i.e. hashing) algorithm instance.
653
654\subsubsection[\fn{digest.interpose}]{\fn{digest.interpose(name, function)}}
655
656Add or interpose a digest class method. Returns the previous method, if any.
657
658\subsubsection[\fn{digest.new}]{\fn{digest.new([type])}}
659
660Return a new digest instance using the specified algorithm `type'. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
661
662\subsubsection[\fn{digest:update}]{\fn{digest:update([string [, ...]])}}
663
664Update the digest with the specified strings. Returns true.
665
666\subsubsection[\fn{digest:final}]{\fn{digest:final([string [, ...]])}}
667
668Update the digest with the specified strings. Returns the final message digest as a binary string.
669
670\end{Module}
671
672
673\begin{Module}{openssl.hmac}
674
675Binds the ``HMAC\_CTX'' OpenSSL object, which represents a cryptographic HMAC algorithm instance.
676
677\subsubsection[\fn{hmac.interpose}]{\fn{hmac.interpose(name, function)}}
678
679Add or interpose an HMAC class method. Returns the previous method, if any.
680
681\subsubsection[\fn{hmac.new}]{\fn{hmac.new(key [, type])}}
682
683Return a new HMAC instance using the specified `key' and `type'. `key' is the secret used for HMAC authentication. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
684
685\subsubsection[\fn{hmac:update}]{\fn{hmac:update([string [, ...]])}}
686
687Update the HMAC with the specified strings. Returns true.
688
689\subsubsection[\fn{hmac:final}]{\fn{hmac:final([string [, ...]])}}
690
691Update the HMAC with the specified strings. Returns the final HMAC checksum as a binary string.
692
693\end{Module}
694
695
696\begin{Module}{openssl.cipher}
697
698Binds the ``EVP\_CIPHER\_CTX'' OpenSSL object, which represents a cryptographic cipher instance.
699
700\subsubsection[\fn{cipher.interpose}]{\fn{cipher.interpose(name, function)}}
701
702Add or interpose a cipher class method. Returns the previous method, if any.
703
704\subsubsection[\fn{cipher.new}]{\fn{cipher.new(type)}}
705
706Return a new, uninitialized cipher instance. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_cipherbyname, typically of a form similar to ``AES-128-CBC''.
707
708The cipher is uninitialized because some algorithms support or require additional \textit{ad hoc} parameters before key initialization. The API still allows one-shot encryption like ``cipher.new(type):encrypt(key, iv):final(plaintext)''.
709
710\subsubsection[\fn{cipher:encrypt}]{\fn{cipher:encrypt(key [, iv] [, padding])}}
711
712Initialize the cipher in encryption mode. `key' and `iv' are binary strings with lengths equal to that required by the cipher instance as configured. In other words, key stretching and other transformations must be done explicitly. If the mode does not take an IV or equivalent, such as in ECB mode, then it may be nil. `padding' is a boolean which controls whether PKCS padding is applied, and defaults to true. Returns the cipher instance.
713
714\subsubsection[\fn{cipher:decrypt}]{\fn{cipher:decrypt(key [, iv] [, padding])}}
715
716Initialize the cipher in decryption mode. `key', `iv', and `padding' are as described in :encrypt. Returns the cipher instance.
717
718\subsubsection[\fn{cipher:update}]{\fn{cipher:update([string [, ...]])}}
719
720Update the cipher instance with the specified strings. Returns a string on success, or nil and an error message on failure. The returned string may be empty if no blocks can be flushed.
721
722\subsubsection[\fn{cipher:final}]{\fn{cipher:final([string [, ...]])}}
723
724Update the cipher with the specified strings. Returns the final output string on success, or nil and an error message on failure. The returned string may be empty if all blocks have already been flushed in prior :update calls.
725
726\end{Module}
727
728
729\begin{Module}{openssl.rand}
730
731Binds OpenSSL's random number interfaces.
732
733OpenSSL will automatically attempt to seed itself from the system. The only time this could theoretically fail is if /dev/urandom (or similar) were not visible or could not be opened. This might happen if within a chroot jail, or if a file descriptor limit were reached.
734
735\subsubsection[\fn{rand.bytes}]{\fn{rand.bytes(count)}}
736
737Returns `count' cryptographically-strong bytes as a single string. Throws an error if OpenSSL could not complete the request---e.g. because the CSPRNG could not be seeded.
738
739\subsubsection[\fn{rand.ready}]{\fn{rand.ready()}}
740
741Returns a boolean describing whether the CSPRNG has been properly seeded.
742
743In the default CSPRNG engine this routine will also attempt to seed the system if not already. Because seeding only needs to happen once per process to ensure a successful RAND\_bytes invocation\footnote{At least this appeared to be the case when examining the source code of OpenSSL 1.0.1. See md\_rand.c near line 407---``Once we've had enough initial seeding we don't bother to adjust the entropy count, though, because we're not ambitious to provide *information-theoretic* randomness.''}, it may be prudent to assert on rand:ready() at application startup.
744
745\subsubsection[\fn{rand.uniform}]{\fn{rand.uniform([n])}}
746
747Returns a cryptographically strong uniform random integer in the interval $[0, n-1]$. If `n' is omitted, the interval is $[0, 2^{64}-1]$.
748
749The routine operates internally on 64-bit unsigned integers.\footnote{Actually, \texttt{unsigned long long}.} Because neither Lua 5.1 nor 5.2 support 64-bit integers, it's probably best to generate numbers that fit the integral range of your Lua implementation. Lua 5.3 is expected to add a new arithmetic type for 64-bit signed integers in two's-complement representation. This new arithmetic type will be used for return values when available.
750
751\end{Module}
752
753
754\chapter{Examples}
755
756These examples and others are made available under examples/ in the source tree.
757
758\section{Self-Signed Certificate}
759
760\begin{example}{lua}
761--
762-- Example self-signed X.509 certificate generation.
763--
764-- Skips intermediate CSR object, which is just an antiquated way for
765-- specifying subject DN and public key to CAs. See API documentation for
766-- CSR generation.
767--
768local pubkey = require"openssl.pubkey"
769local x509 = require"openssl.x509"
770local name = require"openssl.x509.name"
771local altname = require"openssl.x509.altname"
772
773-- generate our public/private key pair
774local key = pubkey.new{ type = "EC", curve = "prime192v1" }
775
776-- our Subject and Issuer DN (self-signed, so same)
777local dn = name.new()
778dn:add("C", "US")
779dn:add("ST", "California")
780dn:add("L", "San Francisco")
781dn:add("O", "Acme, Inc")
782dn:add("CN", "acme.inc")
783
784-- our Alternative Names
785local alt = altname.new()
786alt:add("DNS", "acme.inc")
787alt:add("DNS", "*.acme.inc")
788
789-- build our certificate
790local crt = x509.new()
791
792crt:setVersion(3)
793crt:setSerial(42)
794
795crt:setSubject(dn)
796crt:setIssuer(crt:getSubject())
797crt:setSubjectAlt(alt)
798
799local issued, expires = crt:getLifetime()
800crt:setLifetime(issued, expires + 60) -- good for 60 seconds
801
802crt:setBasicConstraints{ CA = true, pathLen = 2 }
803crt:setBasicConstraintsCritical(true)
804
805crt:setPublicKey(key)
806crt:sign(key)
807
808-- pretty-print using openssl command-line utility.
809io.popen("openssl x509 -text -noout", "w"):write(tostring(crt))
810
811
812\end{example}
813
814
815\clearpage
816
817\section{Signature Generation \& Verification}
818
819\begin{example}{lua}
820--
821-- Example public-key signature verification.
822--
823local pubkey = require"openssl.pubkey"
824local digest = require"openssl.digest"
825
826-- generate a public/private key pair
827local key = pubkey.new{ type = "EC", curve = "prime192v1" }
828
829-- digest our message using an appropriate digest ("ecdsa-with-SHA1" for EC;
830-- "dss1" for DSA; and "sha1", "sha256", etc for RSA).
831local data = digest.new"ecdsa-with-SHA1"
832data:update(... or "hello world")
833
834-- generate a signature for our data
835local sig = key:sign(data)
836
837-- to prove verification works, instantiate a new object holding just
838-- the public key
839local pub = pubkey.new(key:toPEM"public")
840
841-- a utility routine to output our signature
842local function tohex(b)
843 local x = ""
844 for i = 1, #b do
845 x = x .. string.format("%.2x", string.byte(b, i))
846 end
847 return x
848end
849
850print("okay", pub:verify(sig, data))
851print("type", pub:type())
852print("sig", tohex(sig))
853\end{example}
854
855
856
857\appendix
858\printindex
859
860\end{document}