(feat) Add additional methods for crl ad csr modules

.gitignore

@@ -1,2 +1,3 @@
 t/servroot
 __pycache__
+.idea/

README.md

@@ -468,7 +468,7 @@ Returns a table containing the `parameters` of pkey instance.
 
 **syntax**: *ok, err = pk:set_parameters(params)*
 
-Set the paramets of the pkey from a table `params`.
+Set the parameters of the pkey from a table `params`.
 If the parameter is not set in the `params` table,
 it remains untouched in the pkey instance.
 

lib/resty/openssl/asn1.lua

@@ -5,6 +5,7 @@ local floor = math.floor
 
 local asn1_macro = require("resty.openssl.include.asn1")
 
+
 -- https://github.com/wahern/luaossl/blob/master/src/openssl.c
 local function isleap(year)
   return (year % 4) == 0 and ((year % 100) > 0 or (year % 400) == 0)

lib/resty/openssl/digest.lua

@@ -1,7 +1,6 @@
 local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
-local ffi_new = ffi.new
 local ffi_str = ffi.string
 
 require "resty.openssl.include.evp"

lib/resty/openssl/include/asn1.lua

@@ -22,6 +22,7 @@ ffi.cdef [[
 
   int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
   long ASN1_INTEGER_get(const ASN1_INTEGER *a);
+  int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
 ]]
 
 local function declare_asn1_functions(typ)
@@ -41,6 +42,7 @@ end
 declare_asn1_functions("ASN1_INTEGER")
 declare_asn1_functions("ASN1_OBJECT")
 declare_asn1_functions("ASN1_STRING")
+declare_asn1_functions("ASN1_ENUMERATED")
 
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER

lib/resty/openssl/include/ossl_typ.lua

@@ -54,5 +54,6 @@ ffi.cdef(
   // crypto.h
   // typedef void CRYPTO_RWLOCK;
   typedef struct hmac_ctx_st HMAC_CTX;
+  typedef struct x509_revoked_st X509_REVOKED;
 ]])
 

lib/resty/openssl/include/x509/crl.lua

@@ -28,6 +28,7 @@ ffi.cdef [[
 
   int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
   X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
+  int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 ]]
 
 if OPENSSL_11_OR_LATER then

lib/resty/openssl/include/x509/extension.lua

@@ -17,4 +17,6 @@ ffi.cdef [[
       /*X509V3_CONF_METHOD*/ void *db_meth;
       void *db;
   };
+  int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
+  int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
 ]]

lib/resty/openssl/include/x509/revoked.lua

@@ -0,0 +1,14 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+require "resty.openssl.include.asn1"
+require "resty.openssl.include.objects"
+local asn1_macro = require "resty.openssl.include.asn1"
+
+asn1_macro.declare_asn1_functions("X509_REVOKED")
+
+ffi.cdef [[
+  int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+  int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
+  int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+]]

lib/resty/openssl/include/x509v3.lua

@@ -70,6 +70,13 @@ ffi.cdef [[
   int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
     int indent);
 
+  void *X509V3_get_d2i(const OPENSSL_STACK *x, int nid, int *crit, int *idx);
+
+  int X509v3_get_ext_by_NID(const OPENSSL_STACK *x,
+                           int nid, int lastpos);
+
+   X509_EXTENSION *X509v3_get_ext(const OPENSSL_STACK *x, int loc);
+
   // STACK_OF(ACCESS_DESCRIPTION)
   typedef struct stack_st AUTHORITY_INFO_ACCESS;
 

lib/resty/openssl/pkey.lua

@@ -553,7 +553,7 @@ function _M:verify(signature, digest)
     end
     ffi_gc(md_ctx, C.EVP_MD_CTX_free)
     if C.EVP_DigestVerifyInit(md_ctx, nil, nil, nil, self.ctx) ~= 1 then
-      return nil, format_error("pkey:verify: EVP_DigestSignInit")
+      return nil, format_error("pkey:verify: EVP_DigestVerifyInit")
     end
     code = C.EVP_DigestVerify(md_ctx, signature, #signature, digest, #digest)
   end

lib/resty/openssl/provider.lua

@@ -1,9 +1,5 @@
 local ffi = require "ffi"
 local C = ffi.C
-local ffi_gc = ffi.gc
-local ffi_new = ffi.new
-local ffi_str = ffi.string
-local ffi_cast = ffi.cast
 
 require "resty.openssl.include.provider"
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30

lib/resty/openssl/x509/crl.lua

@@ -6,6 +6,7 @@ require "resty.openssl.include.x509.crl"
 require "resty.openssl.include.pem"
 require "resty.openssl.include.x509v3"
 local asn1_lib = require("resty.openssl.asn1")
+local revoked_lib = require("resty.openssl.x509.revoked")
 local digest_lib = require("resty.openssl.digest")
 local extension_lib = require("resty.openssl.x509.extension")
 local pkey_lib = require("resty.openssl.pkey")
@@ -26,7 +27,7 @@ if OPENSSL_11_OR_LATER then
   accessors.set_last_update = C.X509_CRL_set1_lastUpdate
   accessors.get_next_update = C.X509_CRL_get0_nextUpdate
   accessors.set_next_update = C.X509_CRL_set1_nextUpdate
-  accessors.get_version = C.X509_CRL_get_version
+  accessors.get_version     = C.X509_CRL_get_version
   accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
 elseif OPENSSL_10 then
   accessors.get_last_update = function(crl)
@@ -153,19 +154,44 @@ function _M:to_PEM()
   return tostring(self, "PEM")
 end
 
+--- Adds revoked item to stack of revoked certificates of crl
+-- @tparam table Instance of crl module
+-- @tparam table Instance of revoked module
+-- @treturn boolean true if revoked item was successfully added or false otherwise
+-- @treturn[opt] string Returns optional error message in case of error
+function _M.add_revoked(self, revoked)
+  if not revoked_lib.istype(revoked) then
+    return false, "x509.crl:add_revoked: expect a revoked instance at #1"
+  end
+  local ctx = C.X509_REVOKED_dup(revoked.ctx)
+  if ctx == nil then
+    return nil, "x509.crl:: X509_REVOKED_dup() failed"
+  end
+
+  if C.X509_CRL_add0_revoked(self.ctx, ctx) == 0 then
+     return false, format_error("x509.crl:add_revoked")
+  end
+  return true
+end
+
+
 -- START AUTO GENERATED CODE
 
 -- AUTO GENERATED
 function _M:sign(pkey, digest)
   if not pkey_lib.istype(pkey) then
     return false, "x509.crl:sign: expect a pkey instance at #1"
   end
-  if digest and not digest_lib.istype(digest) then
+  if not digest or not digest_lib.istype(digest) then
     return false, "x509.crl:sign: expect a digest instance at #2"
   end
 
+  if not digest.dtyp then
+    return false, "x509.crl:sign: expect a digest instance should have dtyp member"
+  end
+
   -- returns size of signature if success
-  if C.X509_CRL_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
+  if C.X509_CRL_sign(self.ctx, pkey.ctx, digest.dtyp) == 0 then
     return false, format_error("x509.crl:sign")
   end
 
@@ -229,7 +255,8 @@ function _M:get_extension(nid_txt, last_pos)
   if err then
     return nil, nil, "x509.crl:get_extension: " .. err
   end
-  local ext, err = extension_lib.dup(ctx)
+  local ext
+  ext, err = extension_lib.dup(ctx)
   if err then
     return nil, nil, "x509.crl:get_extension: " .. err
   end

lib/resty/openssl/x509/csr.lua

@@ -1,24 +1,28 @@
 local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
+local ffi_cast = ffi.cast
 
 require "resty.openssl.include.pem"
+require "resty.openssl.include.x509v3"
 require "resty.openssl.include.x509.csr"
 require "resty.openssl.include.x509.extension"
-require "resty.openssl.include.x509v3"
 require "resty.openssl.include.asn1"
+local stack_macro = require "resty.openssl.include.stack"
 local stack_lib = require "resty.openssl.stack"
 local pkey_lib = require "resty.openssl.pkey"
 local altname_lib = require "resty.openssl.x509.altname"
 local digest_lib = require("resty.openssl.digest")
+local extension_lib = require("resty.openssl.x509.extension")
 local util = require "resty.openssl.util"
+local txtnid2nid = require("resty.openssl.objects").txtnid2nid
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
-
+local ext_typ_ptr = "X509_EXTENSION*"
 local accessors = {}
 
-
+local push = table.insert
 accessors.set_subject_name = C.X509_REQ_set_subject_name
 accessors.get_pubkey = C.X509_REQ_get_pubkey
 accessors.set_pubkey = C.X509_REQ_set_pubkey
@@ -162,19 +166,61 @@ function _M:to_PEM()
   return tostring(self, "PEM")
 end
 
+--- Get all csr extensions
+-- @tparam table self Instance of csr
+-- @treturn List of parsed extension objects
+function _M.get_extensions(self)
+    local extensions = C.X509_REQ_get_extensions(self.ctx)
+    ffi_gc(extensions, stack_macro.OPENSSL_sk_free)
+    return extensions
+end
+
+--- Get a csr extension
+-- @tparam table self Instance of csr
+-- @tparam string|number Nid number or name of the extension
+-- @treturn Parsed extension object or nil if not found
+function _M.get_extension(self, nid)
+    local i, err = txtnid2nid(nid)
+    if err then
+        return nil, err
+    end
+    local extensions = C.X509_REQ_get_extensions(self.ctx)
+    if extensions == nil then
+        return nil, format_error("csr.get_extension: X509_REQ_get_extensions")
+    end
+    ffi_gc(extensions, stack_macro.OPENSSL_sk_free)
+
+    local ext_idx = C.X509v3_get_ext_by_NID(extensions, i, -1)
+    if ext_idx == -1 then
+        return nil, format_error(("x509.csr.get_extension: X509v3_get_ext_by_NID extension for %d not found"):format(nid))
+    end
+
+    local ctx = C.X509v3_get_ext(extensions, ext_idx)
+    if ctx == nil then
+        return nil, format_error("csr.get_extension: X509v3_get_ext")
+    end
+    ffi_gc(ctx, C.X509_EXTENSION_free)
+
+    return extension_lib.dup(ctx)
+end
+
+
 -- START AUTO GENERATED CODE
 
 -- AUTO GENERATED
 function _M:sign(pkey, digest)
   if not pkey_lib.istype(pkey) then
     return false, "x509.csr:sign: expect a pkey instance at #1"
   end
-  if digest and not digest_lib.istype(digest) then
+  if not digest or not digest_lib.istype(digest) then
     return false, "x509.csr:sign: expect a digest instance at #2"
   end
+  if not digest.dtyp then
+    return false, "x509.csr:sign: expect a digest instance should have dtyp member"
+  end
 
-  -- returns size of signature if success
-  if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
+-- returns size of signature if success
+  if C.X509_REQ_sign(self.ctx, pkey.ctx, digest.dtyp) == 0 then
     return false, format_error("x509.csr:sign")
   end
 

lib/resty/openssl/x509/name.lua

@@ -2,12 +2,11 @@ local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
 local ffi_str = ffi.string
-local ffi_sizeof = ffi.sizeof
 
 require "resty.openssl.include.x509.name"
 local objects_lib = require "resty.openssl.objects"
 local asn1_macro = require "resty.openssl.include.asn1"
-
+local push, join, sort, pairs =  table.insert, table.concat, table.sort, pairs
 -- local MBSTRING_FLAG = 0x1000
 local MBSTRING_ASC  = 0x1001 -- (MBSTRING_FLAG|1)
 
@@ -135,10 +134,10 @@ function _M:_tostring()
   local all = self:all()
   local values = {}
   for k, v in pairs(all) do
-    table.insert(values, k .. "=" .. v.blob)
+   push(values, k .. "=" .. v.blob)
   end
-  table.sort(values)
-  return table.concat(values, "/")
+  sort(values)
+  return join(values, "/")
 end
 
 return _M