(feat) Add additional methods for crl ad csr modules #8

Closed
8661180
removed varargs
nasrullo Aug 4, 2020
95aa829
Removed varargs and cached methods
nasrullo Aug 4, 2020
eb6bfa0
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
5e07ec0
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
b4a573c
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
9d69620
removed varargs
nasrullo Aug 4, 2020
7118bc9
Removed varargs and cached methods
nasrullo Aug 4, 2020
9d1accb
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
7576fb2
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
c33254b
Minor commit to trigger build
nasrullo Aug 6, 2020
aeba9a9
removed varargs
nasrullo Aug 4, 2020
ebe4bb2
Removed varargs and cached methods
nasrullo Aug 4, 2020
655c21f
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
a7812d4
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
3df0d47
removed varargs
nasrullo Aug 4, 2020
21d44df
Removed varargs and cached methods
nasrullo Aug 4, 2020
3442ba4
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
2a1feea
Added support for revoked list and getting csr extensions
nasrullo Aug 6, 2020
c624769
Removed dupe code
nasrullo Aug 6, 2020
9012980
Addressed PR review changes
nasrullo Aug 6, 2020
5280e8c
Adds sn check and passing bn instance support
nasrullo Aug 6, 2020
23f6c5b
Added include revoked to rockspec
nasrullo Aug 6, 2020
a5ca2ba
Addressed PR review change requests
nasrullo Aug 6, 2020
b7760ee
Adds tests and fixes crl sign method
nasrullo Aug 7, 2020
5d17e6d
Adds tests and fixes crl sign method
nasrullo Aug 7, 2020
7da15b6
fixed missing declaration for symbol 'OPENSSL_sk_value
nasrullo Aug 7, 2020
bd92a2c
Added csr sign test
nasrullo Aug 7, 2020
7bd597c
Addressed PR review changes
nasrullo Aug 7, 2020
2028785
Removed checks
nasrullo Aug 7, 2020
ca7bea3
Fixed test
nasrullo Aug 7, 2020
5f236b6
Fixed typo
nasrullo Aug 7, 2020
2e40cb9
Fixed typo
nasrullo Aug 7, 2020
9c3041a
Fixed typo
nasrullo Aug 7, 2020
fbcb80e
Changed get_extension method
nasrullo Aug 7, 2020
8a8fa13
Changed get_extension method
nasrullo Aug 7, 2020
73694e4
Removed concat
nasrullo Aug 7, 2020
8524023
Removed concat
nasrullo Aug 8, 2020
45bc63f
Implemented PR review changes
nasrullo Aug 9, 2020
605e6fa
Changed get_extensions test
nasrullo Aug 9, 2020
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
t/servroot
__pycache__
.idea/
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -468,7 +468,7 @@ Returns a table containing the `parameters` of pkey instance.

**syntax**: *ok, err = pk:set_parameters(params)*

Set the paramets of the pkey from a table `params`.
Set the parameters of the pkey from a table `params`.
If the parameter is not set in the `params` table,
it remains untouched in the pkey instance.

Expand Down
1 change: 1 addition & 0 deletions lib/resty/openssl/asn1.lua
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ local floor = math.floor

local asn1_macro = require("resty.openssl.include.asn1")


-- https://github.com/wahern/luaossl/blob/master/src/openssl.c
local function isleap(year)
return (year % 4) == 0 and ((year % 100) > 0 or (year % 400) == 0)
Expand Down
1 change: 0 additions & 1 deletion lib/resty/openssl/digest.lua
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
local ffi = require "ffi"
local C = ffi.C
local ffi_gc = ffi.gc
local ffi_new = ffi.new
local ffi_str = ffi.string

require "resty.openssl.include.evp"
Expand Down
2 changes: 2 additions & 0 deletions lib/resty/openssl/include/asn1.lua
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ ffi.cdef [[

int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
long ASN1_INTEGER_get(const ASN1_INTEGER *a);
int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
]]

local function declare_asn1_functions(typ)
Expand All @@ -41,6 +42,7 @@ end
declare_asn1_functions("ASN1_INTEGER")
declare_asn1_functions("ASN1_OBJECT")
declare_asn1_functions("ASN1_STRING")
declare_asn1_functions("ASN1_ENUMERATED")

local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
Expand Down
1 change: 1 addition & 0 deletions lib/resty/openssl/include/ossl_typ.lua
Original file line number Diff line number Diff line change
Expand Up @@ -54,5 +54,6 @@ ffi.cdef(
// crypto.h
// typedef void CRYPTO_RWLOCK;
typedef struct hmac_ctx_st HMAC_CTX;
typedef struct x509_revoked_st X509_REVOKED;
]])

1 change: 1 addition & 0 deletions lib/resty/openssl/include/x509/crl.lua
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ ffi.cdef [[

int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
]]

if OPENSSL_11_OR_LATER then
Expand Down
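Review bot: The new `X509_CRL_add0_revoked` declaration carries no note about ownership: the `0` in the name means the CRL takes over the X509_REVOKED on success, so a caller must not attach a gc finalizer to the object it passes in and still has to free it itself when the call fails. A comment on that line, `// add0: crl takes ownership of rev on success; caller still owns it on failure`, would spare the next caller from guessing.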
2 changes: 2 additions & 0 deletions lib/resty/openssl/include/x509/extension.lua
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,6 @@ ffi.cdef [[
/*X509V3_CONF_METHOD*/ void *db_meth;
void *db;
};
int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
]]
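--- a/lib/resty/openssl/include/x509/revoked.lua
+++ b/lib/resty/openssl/include/x509/revoked.lua
@@ -0,0 +1,14 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+require "resty.openssl.include.asn1"
+require "resty.openssl.include.objects"
+local asn1_macro = require "resty.openssl.include.asn1"
+
+asn1_macro.declare_asn1_functions("X509_REVOKED")
+
+ffi.cdef [[
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
+int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+]]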
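Review bot: `resty.openssl.include.asn1` is required twice in this new file, once as a bare `require` and again to obtain `asn1_macro`; `require` caches modules, so the bare one is redundant and only `local asn1_macro = require "resty.openssl.include.asn1"` needs to stay. The `X509_REVOKED_dup` and `X509_REVOKED_free` that x509/crl.lua and x509/revoked.lua call are presumably supplied by `declare_asn1_functions("X509_REVOKED")`; a comment on that line, `-- declares X509_REVOKED_new/free/dup for x509.revoked and x509.crl`, would make the dependency visible to readers of those modules.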
2 changes: 2 additions & 0 deletions lib/resty/openssl/include/x509v3.lua
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,8 @@ ffi.cdef [[
int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
int indent);

void *X509V3_get_d2i(const OPENSSL_STACK *x, int nid, int *crit, int *idx);

// STACK_OF(ACCESS_DESCRIPTION)
typedef struct stack_st AUTHORITY_INFO_ACCESS;

Expand Down
4 changes: 0 additions & 4 deletions lib/resty/openssl/provider.lua
Original file line number Diff line number Diff line change
@@ -1,9 +1,5 @@
local ffi = require "ffi"
local C = ffi.C
local ffi_gc = ffi.gc
local ffi_new = ffi.new
local ffi_str = ffi.string
local ffi_cast = ffi.cast

require "resty.openssl.include.provider"
local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
Expand Down
35 changes: 31 additions & 4 deletions lib/resty/openssl/x509/crl.lua
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ require "resty.openssl.include.x509.crl"
require "resty.openssl.include.pem"
require "resty.openssl.include.x509v3"
local asn1_lib = require("resty.openssl.asn1")
local revoked_lib = require("resty.openssl.x509.revoked")
local digest_lib = require("resty.openssl.digest")
local extension_lib = require("resty.openssl.x509.extension")
local pkey_lib = require("resty.openssl.pkey")
Expand All @@ -26,7 +27,7 @@ if OPENSSL_11_OR_LATER then
accessors.set_last_update = C.X509_CRL_set1_lastUpdate
accessors.get_next_update = C.X509_CRL_get0_nextUpdate
accessors.set_next_update = C.X509_CRL_set1_nextUpdate
accessors.get_version = C.X509_CRL_get_version
accessors.get_version = C.X509_CRL_get_version
accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
elseif OPENSSL_10 then
accessors.get_last_update = function(crl)
Expand Down Expand Up @@ -153,19 +154,44 @@ function _M:to_PEM()
return tostring(self, "PEM")
end

--- Adds revoked item to stack of revoked certificates of crl
-- @tparam table Instance of crl module
-- @tparam table Instance of revoked module
-- @treturn boolean true if revoked item was successfully added or false otherwise
-- @treturn[opt] string Returns optional error message in case of error
function _M.add_revoked(self, revoked)
if not revoked_lib.istype(revoked) then
return false, "x509.crl:add_revoked: expect a revoked instance at #1"
end
local ctx = C.X509_REVOKED_dup(revoked.ctx)
if ctx == nil then
return nil, "x509.crl:: X509_REVOKED_dup() failed"
end

if C.X509_CRL_add0_revoked(self.ctx, ctx) == 0 then
return false, format_error("x509.crl:add_revoked")
end
return true
end


-- START AUTO GENERATED CODE

-- AUTO GENERATED
function _M:sign(pkey, digest)
if not pkey_lib.istype(pkey) then
return false, "x509.crl:sign: expect a pkey instance at #1"
end
if digest and not digest_lib.istype(digest) then
if not digest or not digest_lib.istype(digest) then
return false, "x509.crl:sign: expect a digest instance at #2"
end

if not digest.dtyp then
return false, "x509.crl:sign: expect a digest instance should have dtyp member"
end

-- returns size of signature if success
if C.X509_CRL_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
if C.X509_CRL_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then
return false, format_error("x509.crl:sign")
end

Expand Down Expand Up @@ -229,7 +255,8 @@ function _M:get_extension(nid_txt, last_pos)
if err then
return nil, nil, "x509.crl:get_extension: " .. err
end
local ext, err = extension_lib.dup(ctx)
local ext
ext, err = extension_lib.dup(ctx)
if err then
return nil, nil, "x509.crl:get_extension: " .. err
end
Expand Down
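Review bot: In `add_revoked`, when `X509_CRL_add0_revoked` fails the duplicate made by `X509_REVOKED_dup` just above is leaked, because add0 only takes ownership on success and no finalizer was attached to it; add `C.X509_REVOKED_free(ctx)` before `return false, format_error("x509.crl:add_revoked")`. The same function returns `nil, err` on the dup failure but `false, err` on every other path while the LDoc promises a boolean, so `return nil, "x509.crl:: X509_REVOKED_dup() failed"` should become `return false, "x509.crl:add_revoked: X509_REVOKED_dup() failed"` (the message also has a stray double colon). In `sign`, once `not digest` has already returned, `digest and digest.dtyp` in the `X509_CRL_sign` call is redundant and can be `digest.dtyp`; the same applies to the `sign` hunk in x509/csr.lua. The body of `sign` continues past the end of the hunk.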
68 changes: 62 additions & 6 deletions lib/resty/openssl/x509/csr.lua
Original file line number Diff line number Diff line change
@@ -1,24 +1,28 @@
local ffi = require "ffi"
local C = ffi.C
local ffi_gc = ffi.gc
local ffi_cast = ffi.cast

require "resty.openssl.include.pem"
require "resty.openssl.include.x509.csr"
require "resty.openssl.include.x509.extension"
require "resty.openssl.include.x509v3"
require "resty.openssl.include.asn1"
local stack_macro = require "resty.openssl.include.stack"
local stack_lib = require "resty.openssl.stack"
local pkey_lib = require "resty.openssl.pkey"
local altname_lib = require "resty.openssl.x509.altname"
local digest_lib = require("resty.openssl.digest")
local extension_lib = require("resty.openssl.x509.extension")
local util = require "resty.openssl.util"
local txtnid2nid = require("resty.openssl.objects").txtnid2nid
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER

local ext_typ_ptr = "X509_EXTENSION" .. "*"
Owner


.. concat seems not necessary here? also let's declare the type instead of literal name

local x509_extension_ptr_ct = ffi.typeof("X509_EXTENSION*")

local accessors = {}


local push = table.insert
accessors.set_subject_name = C.X509_REQ_set_subject_name
accessors.get_pubkey = C.X509_REQ_get_pubkey
accessors.set_pubkey = C.X509_REQ_set_pubkey
Expand Down Expand Up @@ -162,19 +166,73 @@ function _M:to_PEM()
return tostring(self, "PEM")
end

--- Get all csr extensions
-- @tparam table self Instance of csr
-- @treturn List of parsed extension objects
function _M.get_extensions(self)
local extensions = C.X509_REQ_get_extensions(self.ctx)
local n = stack_macro.OPENSSL_sk_num(extensions)
local ret = {}
for i = 0, n - 1 do
local ext = stack_macro.OPENSSL_sk_value(extensions, i)
local dup, err = extension_lib.dup(ffi_cast(ext_typ_ptr, ext))
if not err then
local obj = dup:get_object()
obj.blob = dup:tostring()
push(ret, obj)
end
end
return ret
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should return the stack itself rather than a table here. i just finished the extensions module today, will merge as is and update to use that later.

Contributor Author


Agree, Changed. I only need get_extension. BTW, Did you review new logic in get extension method? What do you think? I did not find any method to directly get single extension without getting all

Owner


Yeah i do have some investigation a while ago, the API for X509_REQ is bit different for others. But it should be fine, from I can see X509_REQ_get_extension returns a internal pointer and not duplicating the stack.

end

--- Get a csr extension
-- @tparam table self Instance of csr
-- @tparam string|number Nid number or name of the extension
-- @treturn Parsed extension object or nil if not found
function _M.get_extension(self, nid)
local i, err = txtnid2nid(nid)
if err then
return nil, err
end
local items = self:get_extensions()

for j = 1, #items do
local ext = items[j]
if ext.nid == i then
return ext
end
end
return nil, ("extension for %d not found"):format(nid)

-- @todo fix malloc issue and use code below
--[[ local ctx = C.X509V3_EXT_i2d(i, 0, self.ctx)
if ctx == nil then
return nil, format_error("csr.get_extension: X509V3_EXT_i2d")
end
ffi_gc(ctx, C.X509_EXTENSION_free)
local dup = extension_lib.dup(ctx)
local obj = dup:get_object()
obj.blob = dup:tostring()
return obj]]
end


-- START AUTO GENERATED CODE

-- AUTO GENERATED
function _M:sign(pkey, digest)
if not pkey_lib.istype(pkey) then
return false, "x509.csr:sign: expect a pkey instance at #1"
end
if digest and not digest_lib.istype(digest) then
if not digest or not digest_lib.istype(digest) then
return false, "x509.csr:sign: expect a digest instance at #2"
end
if not digest.dtyp then
return false, "x509.csr:sign: expect a digest instance should have dtyp member"
end

-- returns size of signature if success
if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then
return false, format_error("x509.csr:sign")
end

Expand Down Expand Up @@ -277,8 +335,6 @@ function _M:set_version(toset)
return true
end


-- END AUTO GENERATED CODE

return _M
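Review bot: `get_extension` builds its not-found message with `%d`, but `nid` may be a string (the LDoc says `string|number` and `txtnid2nid` resolves names), so a miss on a named extension raises a "bad argument to 'format'" error instead of returning `nil, err`; use `return nil, ("extension for %s not found"):format(nid)`. In `get_extensions`, the stack returned by `X509_REQ_get_extensions` is, as far as I know, freshly decoded and owned by the caller, and nothing here releases it (`sk_X509_EXTENSION_pop_free` with `X509_EXTENSION_free`), so each call would leak the extensions; worth confirming against the OpenSSL manual before merging. The long-bracket comment holding the `X509V3_EXT_i2d` variant inside `get_extension` is dead code behind a `@todo`; an issue reference in a one-line comment would carry the same information without leaving an unreachable implementation in the function body.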

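--- a/lib/resty/openssl/x509/revoked.lua
+++ b/lib/resty/openssl/x509/revoked.lua
@@ -0,0 +1,84 @@
+local ffi = require "ffi"
+local bn_lib = require("resty.openssl.bn")
+require("resty.openssl.include.x509.crl")
+require("resty.openssl.include.x509.revoked")
+local NID_crl_reason = 141
+local C = ffi.C
+local ffi_gc = ffi.gc
+local _M = {}
+local revoked_ptr_ct = ffi.typeof('X509_REVOKED *')
+
+--- Creates new instance of X509_REVOKED data
+-- @tparam bn|number sn Serial number as number or bn instance
+-- @tparam number time Revocation time
+-- @tparam number reason Revocation reason
+-- @treturn table instance of the module or nil
+-- @treturn[opt] string Returns optional error message in case of error
+function _M.new(sn, time, reason)
+--- only convert to bn if it is number
+if type(sn) == "number"then
+sn = bn_lib.new(sn)
+end
+if not bn_lib.istype(sn) then
+return nil, "revoked.new: sn should be number or a bn instance"
+end
+
+local revoked = C.X509_REVOKED_new()
+ffi_gc(revoked, C.X509_REVOKED_free)
+
+time = C.ASN1_TIME_set(nil, time)
+if time == nil then
+return nil, "revoked.new: ASN1_TIME_set() failed"
+end
+
+local it = C.BN_to_ASN1_INTEGER(sn.ctx, nil)
+if it == nil then
+return nil, "revoked.new: BN_to_ASN1_INTEGER() failed"
+end
+
+if C.X509_REVOKED_set_revocationDate(revoked, time) == 0 then
+return nil, "revoked.new: X509_REVOKED_set_revocationDate() failed"
+end
+
+if C.X509_REVOKED_set_serialNumber(revoked, it) == 0 then
+return nil, "revoked.new: X509_REVOKED_set_serialNumber() failed"
+end
+
+local e = C.ASN1_ENUMERATED_new()
+if e == nil then
+return nil, "revoked.new: ASN1_ENUMERATED_new() failed"
+end
+ffi_gc(e, C.ASN1_ENUMERATED_free)
+
+local ext = C.X509_EXTENSION_new()
+if ext == nil then
+return nil, "revoked.new: X509_EXTENSION_new() failed"
+end
+ffi_gc(ext, C.X509_EXTENSION_free)
+
+if C.ASN1_ENUMERATED_set(e, reason) == 0 then
+return nil, "revoked.new: ASN1_ENUMERATED_set() failed"
+end
+
+if C.X509_EXTENSION_set_data(ext, e) == 0 then
+return nil, "revoked.new: X509_EXTENSION_set_data() failed"
+end
+if C.X509_EXTENSION_set_object(ext, C.OBJ_nid2obj(NID_crl_reason)) == 0 then
+return nil, "revoked.new: X509_EXTENSION_set_object() failed"
+end
+
+if C.X509_REVOKED_add_ext(revoked, ext, 0) == 0 then
+return nil, "revoked.new: X509_EXTENSION_set_object() failed"
+end
+
+return { ctx = revoked, { __index = _M } }
+end
+
+--- Type check
+-- @tparam table Instance of revoked module
+-- @treturn boolean true if instance is instance of revoked module false otherwise
+function _M.istype(l)
+return l and l.ctx and ffi.istype(revoked_ptr_ct, l.ctx)
+end
+
+return _M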
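Review bot: `_M.new` never installs its metatable: `return { ctx = revoked, { __index = _M } }` stores the would-be metatable as element [1] of the instance, so the returned table has no methods; it should read `return setmetatable({ ctx = revoked }, { __index = _M })`. The CRLReason extension is also assembled by handing the `ASN1_ENUMERATED` straight to `X509_EXTENSION_set_data`, which expects an OCTET STRING holding the DER encoding of the value; as written the extension body is the bare integer content rather than DER(ENUMERATED), so a relying party parsing the CRL may reject or ignore the reason, and the value should be encoded first (OpenSSL's `X509V3_EXT_i2d(NID_crl_reason, 0, e)` builds the complete extension in one call). The `ASN1_TIME` from `ASN1_TIME_set` and the `ASN1_INTEGER` from `BN_to_ASN1_INTEGER` are owned allocations with no `ffi_gc`, and as far as I can tell the two `X509_REVOKED_set_*` setters copy rather than adopt them, so both leak on every call; attach `ffi_gc(time, C.ASN1_TIME_free)` and `ffi_gc(it, C.ASN1_INTEGER_free)`. The failure message for `X509_REVOKED_add_ext` names `X509_EXTENSION_set_object`, a copy-paste slip that will send whoever sees it to the wrong call.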