feat(x509.*) add revoked module and get_extension/get_extensions for x509.csr

.gitignore

@@ -1,2 +1,3 @@
 t/servroot
 __pycache__
+.idea/

README.md

@@ -107,6 +107,8 @@ Table of Contents
     + [csr.new](#csrnew)
     + [csr.istype](#csristype)
     + [csr:get_*, csr:set_*](#csrget_-csrset_)
+    + [csr:get_extension](#csrget_extension)
+    + [csr:get_extensions](#csrget_extensions)
     + [csr:sign](#csrsign)
     + [csr:verify](#csrverify)
     + [csr:tostring](#csrtostring)
@@ -120,6 +122,7 @@ Table of Contents
     + [crl:set_extension](#crlset_extension)
     + [crl:get_extension_critical](#crlget_extension_critical)
     + [crl:set_extension_critical](#crlset_extension_critical)
+    + [crl:add_revoked](#crladd_revoked)
     + [crl:sign](#crlsign)
     + [crl:verify](#crlverify)
     + [crl:tostring](#crltostring)
@@ -177,6 +180,9 @@ Table of Contents
     + [store:load_file](#storeload_file)
     + [store:load_directory](#storeload_directory)
     + [store:verify](#storeverify)
+  * [resty.openssl.x509.revoked](#restyopensslx509revoked)
+    + [revoked.new](#revokednew)
+    + [revoked.istype](#revokedistype)
   * [Functions for stack-like objects](#functions-for-stack-like-objects)
     + [metamethods](#metamethods)
     + [each](#each)
@@ -478,7 +484,7 @@ Returns a table containing the `parameters` of pkey instance.
 
 **syntax**: *ok, err = pk:set_parameters(params)*
 
-Set the paramets of the pkey from a table `params`.
+Set the parameters of the pkey from a table `params`.
 If the parameter is not set in the `params` table,
 it remains untouched in the pkey instance.
 
@@ -1726,6 +1732,30 @@ with naming convension with other functions.
 
 [Back to TOC](#table-of-contents)
 
+### csr:get_extension
+
+**syntax**: *extension, pos, err = csr:get_extension(nid_or_txt, pos?)*
+
+Get X.509 `extension` matching the given [NID] to certificate, returns a
+[resty.openssl.x509.extension](#restyopensslx509extension) instance and the found position.
+
+If `last_pos` is defined, the function searchs from that position; otherwise it
+finds from beginning. Index is 1-based.
+
+```lua
+local ext, pos, err = csr:get_extension("basicConstraints")
+```
+
+[Back to TOC](#table-of-contents)
+
+### csr:get_extensions
+
+**syntax**: *extensions, err = csr:get_extensions()*
+
+Return all extensions as a [resty.openssl.x509.extensions](#restyopensslx509extensions) instance.
+
+[Back to TOC](#table-of-contents)
+
 ### csr:sign
 
 **syntax**: *ok, err = csr:sign(pkey, digest?)*
@@ -1896,6 +1926,14 @@ Set critical flag of the X.509 `extension` matching the given [NID] to CRL.
 
 [Back to TOC](#table-of-contents)
 
+### crl:add_revoked
+
+**syntax**: *ok, err = crl:add_revoked(revoked)*
+
+Adds a [resty.openssl.x509.revoked](#restyopensslx509revoked) instance to the CRL.
+
+[Back to TOC](#table-of-contents)
+
 ### crl:sign
 
 **syntax**: *ok, err = crl:sign(pkey, digest?)*
@@ -2537,6 +2575,28 @@ returns `true` only. If verification failed, returns `nil` and error explaining
 
 [Back to TOC](#table-of-contents)
 
+## resty.openssl.x509.revoked
+
+Module to interact with X509_REVOKED
+
+[Back to TOC](#table-of-contents)
+
+### revoked.new
+
+**syntax**: *ch, err = revoked.new(serial_number, time, reason)*
+
+Creates a new `revoked` instance. 
+
+[Back to TOC](#table-of-contents)
+
+### revoked.istype
+
+**syntax**: *ok = revoked.istype(table)*
+
+Returns `true` if table is an instance of `revoked`. Returns `false` otherwise.
+
+[Back to TOC](#table-of-contents)
+
 ## Functions for stack-like objects
 
 [Back to TOC](#table-of-contents)

lib/resty/openssl/digest.lua

@@ -1,7 +1,6 @@
 local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
-local ffi_new = ffi.new
 local ffi_str = ffi.string
 
 require "resty.openssl.include.evp"

lib/resty/openssl/include/asn1.lua

@@ -22,6 +22,7 @@ ffi.cdef [[
 
   int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
   long ASN1_INTEGER_get(const ASN1_INTEGER *a);
+  int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
 ]]
 
 local function declare_asn1_functions(typ)
@@ -41,6 +42,7 @@ end
 declare_asn1_functions("ASN1_INTEGER")
 declare_asn1_functions("ASN1_OBJECT")
 declare_asn1_functions("ASN1_STRING")
+declare_asn1_functions("ASN1_ENUMERATED")
 
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER

lib/resty/openssl/include/ossl_typ.lua

@@ -54,5 +54,6 @@ ffi.cdef(
   // crypto.h
   // typedef void CRYPTO_RWLOCK;
   typedef struct hmac_ctx_st HMAC_CTX;
+  typedef struct x509_revoked_st X509_REVOKED;
 ]])
 

lib/resty/openssl/include/x509/crl.lua

@@ -28,6 +28,7 @@ ffi.cdef [[
 
   int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
   X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
+  int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 ]]
 
 if OPENSSL_11_OR_LATER then

lib/resty/openssl/include/x509/extension.lua

@@ -17,4 +17,6 @@ ffi.cdef [[
       /*X509V3_CONF_METHOD*/ void *db_meth;
       void *db;
   };
+  int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
+  int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
 ]]

lib/resty/openssl/include/x509/revoked.lua

@@ -0,0 +1,14 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+require "resty.openssl.include.asn1"
+require "resty.openssl.include.objects"
+local asn1_macro = require "resty.openssl.include.asn1"
+
+asn1_macro.declare_asn1_functions("X509_REVOKED")
+
+ffi.cdef [[
+  int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+  int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
+  int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+]]

lib/resty/openssl/include/x509v3.lua

@@ -70,6 +70,13 @@ ffi.cdef [[
   int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
     int indent);
 
+  void *X509V3_get_d2i(const OPENSSL_STACK *x, int nid, int *crit, int *idx);
+
+  int X509v3_get_ext_by_NID(const OPENSSL_STACK *x,
+                           int nid, int lastpos);
+
+   X509_EXTENSION *X509v3_get_ext(const OPENSSL_STACK *x, int loc);
+
   // STACK_OF(ACCESS_DESCRIPTION)
   typedef struct stack_st AUTHORITY_INFO_ACCESS;
 

lib/resty/openssl/pkey.lua

@@ -553,7 +553,7 @@ function _M:verify(signature, digest)
     end
     ffi_gc(md_ctx, C.EVP_MD_CTX_free)
     if C.EVP_DigestVerifyInit(md_ctx, nil, nil, nil, self.ctx) ~= 1 then
-      return nil, format_error("pkey:verify: EVP_DigestSignInit")
+      return nil, format_error("pkey:verify: EVP_DigestVerifyInit")
     end
     code = C.EVP_DigestVerify(md_ctx, signature, #signature, digest, #digest)
   end

lib/resty/openssl/provider.lua

@@ -1,9 +1,5 @@
 local ffi = require "ffi"
 local C = ffi.C
-local ffi_gc = ffi.gc
-local ffi_new = ffi.new
-local ffi_str = ffi.string
-local ffi_cast = ffi.cast
 
 require "resty.openssl.include.provider"
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30

lib/resty/openssl/x509/crl.lua

@@ -6,6 +6,7 @@ require "resty.openssl.include.x509.crl"
 require "resty.openssl.include.pem"
 require "resty.openssl.include.x509v3"
 local asn1_lib = require("resty.openssl.asn1")
+local revoked_lib = require("resty.openssl.x509.revoked")
 local digest_lib = require("resty.openssl.digest")
 local extension_lib = require("resty.openssl.x509.extension")
 local pkey_lib = require("resty.openssl.pkey")
@@ -153,19 +154,46 @@ function _M:to_PEM()
   return tostring(self, "PEM")
 end
 
+--- Adds revoked item to stack of revoked certificates of crl
+-- @tparam table Instance of crl module
+-- @tparam table Instance of revoked module
+-- @treturn boolean true if revoked item was successfully added or false otherwise
+-- @treturn[opt] string Returns optional error message in case of error
+function _M:add_revoked(revoked)
+  if not revoked_lib.istype(revoked) then
+    return false, "x509.crl:add_revoked: expect a revoked instance at #1"
+  end
+  local ctx = C.X509_REVOKED_dup(revoked.ctx)
+  if ctx == nil then
+    return nil, "x509.crl:add_revoked: X509_REVOKED_dup() failed"
+  end
+
+  if C.X509_CRL_add0_revoked(self.ctx, ctx) == 0 then
+     return false, format_error("x509.crl:add_revoked")
+  end
+
+  return true
+end
+
+
 -- START AUTO GENERATED CODE
 
 -- AUTO GENERATED
 function _M:sign(pkey, digest)
   if not pkey_lib.istype(pkey) then
     return false, "x509.crl:sign: expect a pkey instance at #1"
   end
-  if digest and not digest_lib.istype(digest) then
-    return false, "x509.crl:sign: expect a digest instance at #2"
+
+  if digest then
+    if not digest_lib.istype(digest) then
+      return false, "x509.crl:sign: expect a digest instance at #2"
+    elseif not digest.dtyp then
+      return false, "x509.crl:sign: expect a digest instance to have dtyp member"
+    end
   end
 
   -- returns size of signature if success
-  if C.X509_CRL_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
+  if C.X509_CRL_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then
     return false, format_error("x509.crl:sign")
   end
 

lib/resty/openssl/x509/csr.lua

@@ -3,22 +3,24 @@ local C = ffi.C
 local ffi_gc = ffi.gc
 
 require "resty.openssl.include.pem"
-require "resty.openssl.include.x509.csr"
-require "resty.openssl.include.x509.extension"
 require "resty.openssl.include.x509v3"
+require "resty.openssl.include.x509.csr"
 require "resty.openssl.include.asn1"
+local stack_macro = require "resty.openssl.include.stack"
 local stack_lib = require "resty.openssl.stack"
 local pkey_lib = require "resty.openssl.pkey"
 local altname_lib = require "resty.openssl.x509.altname"
 local digest_lib = require("resty.openssl.digest")
+local extension_lib = require("resty.openssl.x509.extension")
+local extensions_lib = require("resty.openssl.x509.extensions")
 local util = require "resty.openssl.util"
+local txtnid2nid = require("resty.openssl.objects").txtnid2nid
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
 
 local accessors = {}
 
-
 accessors.set_subject_name = C.X509_REQ_set_subject_name
 accessors.get_pubkey = C.X509_REQ_get_pubkey
 accessors.set_pubkey = C.X509_REQ_set_pubkey
@@ -162,19 +164,71 @@ function _M:to_PEM()
   return tostring(self, "PEM")
 end
 
+local x509_extensions_gc = stack_lib.gc_of("X509_EXTENSION")
+
+--- Get all csr extensions
+-- @tparam table self Instance of csr
+-- @treturn Extensions object
+function _M.get_extensions(self)
+  local extensions = C.X509_REQ_get_extensions(self.ctx)
+  -- GC handler is sk_X509_EXTENSION_pop_free
+  ffi_gc(extensions, x509_extensions_gc)
+
+  return extensions_lib.dup(extensions)
+end
+
+--- Get a csr extension
+-- @tparam table self Instance of csr
+-- @tparam string|number Nid number or name of the extension
+-- @tparam number Position to start looking for the extension; default to look from start if omitted
+-- @treturn Parsed extension object or nil if not found
+function _M.get_extension(self, nid, last_pos)
+  local i, err = txtnid2nid(nid)
+  if err then
+    return nil, nil, err
+  end
+
+  local extensions = C.X509_REQ_get_extensions(self.ctx)
+  if extensions == nil then
+    return nil, nil, format_error("csr.get_extension: X509_REQ_get_extensions")
+  end
+  ffi_gc(extensions, x509_extensions_gc)
+
+  -- make 1-index array to 0-index
+  last_pos = (last_pos or 0) -1
+  local ext_idx = C.X509v3_get_ext_by_NID(extensions, i, last_pos)
+  if ext_idx == -1 then
+    err = ("x509.csr.get_extension: X509v3_get_ext_by_NID extension for %d not found"):format(nid)
+    return nil, nil, format_error(err)
+  end
+
+  local ctx = C.X509v3_get_ext(extensions, ext_idx)
+  if ctx == nil then
+    return nil, nil, format_error("csr.get_extension: X509v3_get_ext")
+  end
+
+  return extension_lib.dup(ctx), ext_idx+1, nil
+end
+
+
 -- START AUTO GENERATED CODE
 
 -- AUTO GENERATED
 function _M:sign(pkey, digest)
   if not pkey_lib.istype(pkey) then
     return false, "x509.csr:sign: expect a pkey instance at #1"
   end
-  if digest and not digest_lib.istype(digest) then
-    return false, "x509.csr:sign: expect a digest instance at #2"
+
+  if digest then
+    if not digest_lib.istype(digest) then
+      return false, "x509.csr:sign: expect a digest instance at #2"
+    elseif not digest.dtyp then
+      return false, "x509.csr:sign: expect a digest instance to have dtyp member"
+    end
   end
 
   -- returns size of signature if success
-  if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
+  if C.X509_REQ_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then
     return false, format_error("x509.csr:sign")
   end
 

lib/resty/openssl/x509/init.lua

@@ -334,12 +334,17 @@ function _M:sign(pkey, digest)
   if not pkey_lib.istype(pkey) then
     return false, "x509:sign: expect a pkey instance at #1"
   end
-  if digest and not digest_lib.istype(digest) then
-    return false, "x509:sign: expect a digest instance at #2"
+
+  if digest then
+    if not digest_lib.istype(digest) then
+      return false, "x509:sign: expect a digest instance at #2"
+    elseif not digest.dtyp then
+      return false, "x509:sign: expect a digest instance to have dtyp member"
+    end
   end
 
   -- returns size of signature if success
-  if C.X509_sign(self.ctx, pkey.ctx, digest and digest.ctx) == 0 then
+  if C.X509_sign(self.ctx, pkey.ctx, digest and digest.dtyp) == 0 then
     return false, format_error("x509:sign")
   end