(feat) Add additional methods for crl ad csr modules #8
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,3 @@ | ||
t/servroot | ||
__pycache__ | ||
.idea/ |
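--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: module resty.openssl.include.x509.revoked>
@@ -0,0 +1,14 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+require "resty.openssl.include.asn1"
+require "resty.openssl.include.objects"
+local asn1_macro = require "resty.openssl.include.asn1"
+
+asn1_macro.declare_asn1_functions("X509_REVOKED")
+
+ffi.cdef [[
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
+int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+]]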
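Review bot: The bare `require "resty.openssl.include.asn1"` is redundant with `local asn1_macro = require "resty.openssl.include.asn1"` two lines below, since `require` caches modules in `package.loaded`; dropping the bare line keeps this declaration file to one line per dependency. The cdef declares only three X509_REVOKED setters, while the new revoked module also calls `ASN1_TIME_set`, `BN_to_ASN1_INTEGER`, the `ASN1_ENUMERATED_*` functions and the `X509_EXTENSION_set_*` setters; presumably those come from the asn1/extension includes, but it is worth confirming none are missing, because an undeclared symbol on `ffi.C` only fails at the first call rather than at load time.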
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,24 +1,28 @@ | ||
local ffi = require "ffi" | ||
local C = ffi.C | ||
local ffi_gc = ffi.gc | ||
local ffi_cast = ffi.cast | ||
|
||
require "resty.openssl.include.pem" | ||
require "resty.openssl.include.x509.csr" | ||
require "resty.openssl.include.x509.extension" | ||
require "resty.openssl.include.x509v3" | ||
require "resty.openssl.include.asn1" | ||
local stack_macro = require "resty.openssl.include.stack" | ||
local stack_lib = require "resty.openssl.stack" | ||
local pkey_lib = require "resty.openssl.pkey" | ||
local altname_lib = require "resty.openssl.x509.altname" | ||
local digest_lib = require("resty.openssl.digest") | ||
local extension_lib = require("resty.openssl.x509.extension") | ||
local util = require "resty.openssl.util" | ||
local txtnid2nid = require("resty.openssl.objects").txtnid2nid | ||
local format_error = require("resty.openssl.err").format_error | ||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 | ||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER | ||
|
||
local ext_typ_ptr = "X509_EXTENSION" .. "*" | ||
local accessors = {} | ||
|
||
|
||
local push = table.insert | ||
|
||
accessors.set_subject_name = C.X509_REQ_set_subject_name | ||
accessors.get_pubkey = C.X509_REQ_get_pubkey | ||
accessors.set_pubkey = C.X509_REQ_set_pubkey | ||
|
@@ -162,19 +166,73 @@ function _M:to_PEM() | |
return tostring(self, "PEM") | ||
end | ||
|
||
--- Get all csr extensions | ||
-- @tparam table self Instance of csr | ||
-- @treturn List of parsed extension objects | ||
function _M.get_extensions(self) | ||
local extensions = C.X509_REQ_get_extensions(self.ctx) | ||
local n = stack_macro.OPENSSL_sk_num(extensions) | ||
local ret = {} | ||
for i = 0, n - 1 do | ||
local ext = stack_macro.OPENSSL_sk_value(extensions, i) | ||
local dup, err = extension_lib.dup(ffi_cast(ext_typ_ptr, ext)) | ||
if not err then | ||
local obj = dup:get_object() | ||
obj.blob = dup:tostring() | ||
push(ret, obj) | ||
end | ||
end | ||
return ret | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we should return the stack itself rather than a table here. i just finished the extensions module today, will merge as is and update to use that later. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agree, Changed. I only need get_extension. BTW, Did you review new logic in get extension method? What do you think? I did not find any method to directly get single extension without getting all There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah i do have some investigation a while ago, the API for X509_REQ is bit different for others. But it should be fine, from I can see X509_REQ_get_extension returns a internal pointer and not duplicating the stack. |
||
end | ||
|
||
--- Get a csr extension | ||
-- @tparam table self Instance of csr | ||
-- @tparam string|number Nid number or name of the extension | ||
-- @treturn Parsed extension object or nil if not found | ||
function _M.get_extension(self, nid) | ||
local i, err = txtnid2nid(nid) | ||
if err then | ||
return nil, err | ||
end | ||
local items = self:get_extensions() | ||
|
||
for j = 1, #items do | ||
local ext = items[j] | ||
if ext.nid == i then | ||
return ext | ||
end | ||
end | ||
return nil, ("extension for %d not found"):format(nid) | ||
|
||
-- @todo fix malloc issue and use code below | ||
--[[ local ctx = C.X509V3_EXT_i2d(i, 0, self.ctx) | ||
if ctx == nil then | ||
return nil, format_error("csr.get_extension: X509V3_EXT_i2d") | ||
end | ||
ffi_gc(ctx, C.X509_EXTENSION_free) | ||
local dup = extension_lib.dup(ctx) | ||
local obj = dup:get_object() | ||
obj.blob = dup:tostring() | ||
return obj]] | ||
end | ||
|
||
|
||
-- START AUTO GENERATED CODE | ||
|
||
-- AUTO GENERATED | ||
function _M:sign(pkey, digest) | ||
if not pkey_lib.istype(pkey) then | ||
return false, "x509.csr:sign: expect a pkey instance at #1" | ||
end | ||
if digest and not digest_lib.istype(digest) then | ||
if not digest or not digest_lib.istype(digest) then | ||
return false, "x509.csr:sign: expect a digest instance at #2" | ||
end | ||
if not digest.dtyp then | ||
return false, "x509.csr:sign: expect a digest instance should have dtyp member" | ||
end | ||
|
||
-- returns size of signature if success | ||
if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then | ||
if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then | ||
|
||
return false, format_error("x509.csr:sign") | ||
end | ||
|
||
|
@@ -277,8 +335,6 @@ function _M:set_version(toset) | |
return true | ||
end | ||
|
||
|
||
-- END AUTO GENERATED CODE | ||
|
||
return _M | ||
|
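Review bot: `get_extension` formats its not-found message with `%d`, but its own docstring accepts `nid` as a string name, so `return nil, ("extension for %d not found"):format(nid)` raises a "number expected" error for a string input instead of returning `nil, err`; use `("extension for %s not found"):format(tostring(nid))`, or format the resolved numeric `i`. In `get_extensions` a failing `extension_lib.dup` is skipped silently (`if not err then`), so a caller cannot distinguish an absent extension from one that failed to parse — returning `nil, err` there would be clearer. Nothing releases the stack returned by `C.X509_REQ_get_extensions`; if that call allocates a fresh STACK_OF(X509_EXTENSION), as the OpenSSL manual appears to describe, this leaks once per call and deserves either a pop_free under `ffi_gc` or a comment recording why it is not needed. The `@todo` block of commented-out code in `get_extension` would read better as a one-line comment referencing the open issue than as dead code in the module. `_M:sign` continues past the end of this hunk.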
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
local ffi = require "ffi" | ||
local bn_lib = require("resty.openssl.bn") | ||
require("resty.openssl.include.x509.crl") | ||
require("resty.openssl.include.x509.revoked") | ||
local NID_crl_reason = 141 | ||
local C = ffi.C | ||
local ffi_gc = ffi.gc | ||
local _M = {} | ||
local revoked_ptr_ct = ffi.typeof('X509_REVOKED *') | ||
|
||
--- Creates new instance of X509_REVOKED data | ||
-- @tparam bn|number sn Serial number as number or bn instance | ||
-- @tparam number time Revocation time | ||
-- @tparam number reason Revocation reason | ||
-- @treturn table instance of the module or nil | ||
-- @treturn[opt] string Returns optional error message in case of error | ||
function _M.new(sn, time, reason) | ||
--- only convert to bn if it is number | ||
if type(sn) == "number"then | ||
sn = bn_lib.new(sn) | ||
end | ||
if not bn_lib.istype(sn) then | ||
return nil, "revoked.new: sn should be number or a bn instance" | ||
end | ||
|
||
local revoked = C.X509_REVOKED_new() | ||
ffi_gc(revoked, C.X509_REVOKED_free) | ||
|
||
time = C.ASN1_TIME_set(nil, time) | ||
|
||
if time == nil then | ||
return nil, "revoked.new: ASN1_TIME_set() failed" | ||
end | ||
|
||
local it = C.BN_to_ASN1_INTEGER(sn.ctx, nil) | ||
|
||
if it == nil then | ||
return nil, "revoked.new: BN_to_ASN1_INTEGER() failed" | ||
end | ||
|
||
if C.X509_REVOKED_set_revocationDate(revoked, time) == 0 then | ||
return nil, "revoked.new: X509_REVOKED_set_revocationDate() failed" | ||
end | ||
|
||
if C.X509_REVOKED_set_serialNumber(revoked, it) == 0 then | ||
return nil, "revoked.new: X509_REVOKED_set_serialNumber() failed" | ||
end | ||
|
||
local e = C.ASN1_ENUMERATED_new() | ||
if e == nil then | ||
return nil, "revoked.new: ASN1_ENUMERATED_new() failed" | ||
end | ||
ffi_gc(e, C.ASN1_ENUMERATED_free) | ||
|
||
local ext = C.X509_EXTENSION_new() | ||
if ext == nil then | ||
return nil, "revoked.new: X509_EXTENSION_new() failed" | ||
end | ||
ffi_gc(ext, C.X509_EXTENSION_free) | ||
|
||
if C.ASN1_ENUMERATED_set(e, reason) == 0 then | ||
return nil, "revoked.new: ASN1_ENUMERATED_set() failed" | ||
end | ||
|
||
if C.X509_EXTENSION_set_data(ext, e) == 0 then | ||
return nil, "revoked.new: X509_EXTENSION_set_data() failed" | ||
end | ||
if C.X509_EXTENSION_set_object(ext, C.OBJ_nid2obj(NID_crl_reason)) == 0 then | ||
return nil, "revoked.new: X509_EXTENSION_set_object() failed" | ||
end | ||
|
||
if C.X509_REVOKED_add_ext(revoked, ext, 0) == 0 then | ||
return nil, "revoked.new: X509_EXTENSION_set_object() failed" | ||
end | ||
|
||
return { ctx = revoked, { __index = _M } } | ||
end | ||
|
||
--- Type check | ||
-- @tparam table Instance of revoked module | ||
-- @treturn boolean true if instance is instance of revoked module false otherwise | ||
function _M.istype(l) | ||
return l and l.ctx and ffi.istype(revoked_ptr_ct, l.ctx) | ||
end | ||
|
||
return _M |
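Review bot: `new` returns `{ ctx = revoked, { __index = _M } }`, which stores the would-be metatable at index 1 instead of installing it, so instances never resolve methods through `_M`; it should be `return setmetatable({ ctx = revoked }, { __index = _M })`. `C.X509_REVOKED_new()` is handed to `ffi_gc` with no nil check, unlike every later allocation in the function, and the message on the `X509_REVOKED_add_ext` failure path still reads `X509_EXTENSION_set_object() failed`. The reason extension also looks mis-encoded: `X509_EXTENSION_set_data` copies the raw content bytes of the ASN1_ENUMERATED rather than its DER encoding, so the cRLReason value would lack its tag and length and a relying party may reject or misread the CRL entry; `X509_REVOKED_add1_ext_i2d` (which would need a cdef declaration) performs the encoding, as sketched below. Finally, the ASN1_TIME from `ASN1_TIME_set` and the ASN1_INTEGER from `BN_to_ASN1_INTEGER` are never registered with `ffi_gc`; as far as I can tell the two setters copy their input, so both objects leak on every call.
```lua
  -- … unchanged: serial number, revocation date, ASN1_ENUMERATED reason …
  -- X509_EXTENSION_set_data() copies raw content bytes; the extension value must be
  -- the DER encoding of the ENUMERATED, which add1_ext_i2d produces (needs a cdef).
  if C.X509_REVOKED_add1_ext_i2d(revoked, NID_crl_reason, e, 0, 0) ~= 1 then
    return nil, "revoked.new: X509_REVOKED_add1_ext_i2d() failed"
  end

  return setmetatable({ ctx = revoked }, { __index = _M })
end
```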
..
concat seems not necessary here? also let's declare the type instead of literal name