From 39a331b41a5a2c96495633e31bc4bbfbe3000f04 Mon Sep 17 00:00:00 2001 From: daurnimator Date: Fri, 7 Dec 2018 12:29:48 -0800 Subject: src/openssl.c: Add bindings to chain management Adds support for setting and retrieving intermediate certificates --- doc/luaossl.tex | 26 +++++++++++++++++ src/openssl.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) diff --git a/doc/luaossl.tex b/doc/luaossl.tex index 8db0d4e..c63df57 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -967,6 +967,18 @@ Returns the X.509 certificate \module{openssl.x509} object to be sent during SSL \emph{Only supported since OpenSSL 1.0.2.} +\subsubsection[\fn{context:setCertificateChain}]{\fn{context:setCertificateChain($chain$)}} + +Sets the X.509 certificate chain \module{openssl.x509.chain} object $chain$ to send during SSL connection instance handshakes. + +\emph{Only supported since OpenSSL 1.0.2.} + +\subsubsection[\fn{context:getCertificateChain}]{\fn{context:getCertificateChain()}} + +Returns the X.509 certificate chain \module{openssl.x509.chain} object to be sent during SSL connection instance handshakes. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey($key$)}} Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes. 
@@ -1171,6 +1183,20 @@ Returns two values: the integer verification result code and the string represen Sets the X.509 certificate \module{openssl.x509} object $crt$ to send during SSL connection instance handshakes. See \fn{openssl.ssl.context:setCertificate}. +\subsubsection[\fn{ssl:setCertificateChain}]{\fn{ssl:setCertificateChain($chain$)}} + +Sets the X.509 certificate chain \module{openssl.x509.chain} object $chain$ to send during SSL connection instance handshakes. +See \fn{openssl.ssl.context:setCertificateChain}. + +\emph{Only supported since OpenSSL 1.0.2.} + +\subsubsection[\fn{context:getCertificateChain}]{\fn{context:getCertificateChain()}} + +Returns the X.509 certificate chain \module{openssl.x509.chain} object to be sent during SSL connection instance handshakes. +See \fn{openssl.ssl.context:getCertificateChain}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{ssl:setPrivateKey}]{\fn{ssl:setPrivateKey($key$)}} Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes. diff --git a/src/openssl.c b/src/openssl.c index 0940e7c..9248b0d 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -279,6 +279,10 @@ #define HAVE_SSL_CTX_ADD_CUSTOM_EXT OPENSSL_PREREQ(1,1,1) #endif +#ifndef HAVE_SSL_CTX_GET0_CHAIN_CERTS +#define HAVE_SSL_CTX_GET0_CHAIN_CERTS OPENSSL_PREREQ(1,0,2) +#endif + #ifndef HAVE_SSL_CTX_GET0_PARAM #define HAVE_SSL_CTX_GET0_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0)) #endif @@ -315,6 +319,10 @@ #define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || OPENSSL_PREREQ(1,1,1)) /* backwards compatible with old macro name */ #endif +#ifndef HAVE_SSL_CTX_SET1_CHAIN +#define HAVE_SSL_CTX_SET1_CHAIN OPENSSL_PREREQ(1,0,2) +#endif + #ifndef HAVE_SSL_CTX_SET1_PARAM #define HAVE_SSL_CTX_SET1_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,0)) #endif 
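Review bot: The new feature macros `HAVE_SSL_CTX_GET0_CHAIN_CERTS` and `HAVE_SSL_CTX_SET1_CHAIN` in this hunk (and `HAVE_SSL_GET0_CHAIN_CERTS` / `HAVE_SSL_SET1_CHAIN` in the next two hunks) are keyed only on `OPENSSL_PREREQ(1,0,2)`, while every neighbouring macro also carries a `LIBRESSL_PREREQ(...)` alternative. The effect is that the chain bindings are silently compiled out on LibreSSL builds even if that library provides the functions; I have not checked which LibreSSL release, if any, exposes them. Either add the matching alternative once confirmed, or put a one-line comment on each, e.g. `/* no LibreSSL alternative known at time of writing */`, so the omission reads as deliberate rather than an oversight.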
@@ -363,6 +371,10 @@
 #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
 #endif
 
+#ifndef HAVE_SSL_GET0_CHAIN_CERTS
+#define HAVE_SSL_GET0_CHAIN_CERTS OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_GET0_PARAM
 #define HAVE_SSL_GET0_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0))
 #endif
@@ -387,6 +399,10 @@
 #define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
 
+#ifndef HAVE_SSL_SET1_CHAIN
+#define HAVE_SSL_SET1_CHAIN OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_SET1_PARAM
 #define HAVE_SSL_SET1_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
@@ -8758,6 +8774,36 @@ static int sx_getCertificate(lua_State *L) {
 #endif
 
 
+#if HAVE_SSL_CTX_SET1_CHAIN
+static int sx_setCertificateChain(lua_State *L) {
+ SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+ STACK_OF(X509) *certs = checksimple(L, 2, X509_CHAIN_CLASS);
+
+ if (!SSL_CTX_set1_chain(ctx, certs))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCertificateChain");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* sx_setCertificateChain() */
+#endif
+
+
+#if HAVE_SSL_CTX_GET0_CHAIN_CERTS
+static int sx_getCertificateChain(lua_State *L) {
+ SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+ STACK_OF(X509) *certs;
+
+ if (!SSL_CTX_get0_chain_certs(ctx, &certs))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context:getCertificateChain");
+
+ xl_dup(L, certs, 1);
+
+ return 1;
+} /* sx_getCertificateChain() */
+#endif
+
+
 static int sx_setPrivateKey(lua_State *L) {
 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
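Review bot: In `sx_getCertificateChain`, `certs` can legitimately be NULL after a successful `SSL_CTX_get0_chain_certs` — OpenSSL returns success and stores the context's current chain pointer, which is NULL until a chain has been installed — and the hunk passes it straight to `xl_dup(L, certs, 1)`; unless xl_dup is known to accept a NULL source (not visible here), guard it first, e.g. `if (!certs) { lua_pushnil(L); return 1; }`. The same applies to `ssl_getCertificateChain` in the later hunk of this patch. Both new ctx functions act on the chain of the *current* certificate, i.e. the one most recently installed with setCertificate, which is worth a one-line comment above each, such as `/* chain for the current certificate; install the leaf with setCertificate first */`. As far as the OpenSSL API goes, `SSL_CTX_set1_chain` copies the stack without verifying that it actually chains to the leaf, so a mis-ordered or unrelated chain is accepted here and only surfaces as a verification failure on the peer; that is acceptable for a thin binding but could be stated in the doc entry.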
@@ -9499,6 +9545,12 @@ static const auxL_Reg sx_methods[] = {
 { "setCertificate", &sx_setCertificate },
 #if HAVE_SSL_CTX_GET0_CERTIFICATE
 { "getCertificate", &sx_getCertificate },
+#endif
+#if HAVE_SSL_CTX_SET1_CHAIN
+ { "setCertificateChain", &sx_setCertificateChain },
+#endif
+#if HAVE_SSL_CTX_GET0_CHAIN_CERTS
+ { "getCertificateChain", &sx_getCertificateChain },
 #endif
 { "setPrivateKey", &sx_setPrivateKey },
 { "setCipherList", &sx_setCipherList },
@@ -9982,6 +10034,36 @@ static int ssl_setCertificate(lua_State *L) {
 } /* ssl_setCertificate() */
 
 
+#if HAVE_SSL_SET1_CHAIN
+static int ssl_setCertificateChain(lua_State *L) {
+ SSL *ssl = checksimple(L, 1, SSL_CLASS);
+ STACK_OF(X509) *certs = checksimple(L, 2, X509_CHAIN_CLASS);
+
+ if (!SSL_set1_chain(ssl, certs))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:setCertificateChain");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* ssl_setCertificateChain() */
+#endif
+
+
+#if HAVE_SSL_GET0_CHAIN_CERTS
+static int ssl_getCertificateChain(lua_State *L) {
+ SSL *ssl = checksimple(L, 1, SSL_CLASS);
+ STACK_OF(X509) *certs;
+
+ if (!SSL_get0_chain_certs(ssl, &certs))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:getCertificateChain");
+
+ xl_dup(L, X509_chain_up_ref(certs), 1);
+
+ return 1;
+} /* ssl_getCertificateChain() */
+#endif
+
+
 static int ssl_setPrivateKey(lua_State *L) {
 SSL *ssl = checksimple(L, 1, SSL_CLASS);
 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -10392,6 +10474,12 @@ static const auxL_Reg ssl_methods[] = {
 { "getVerify", &ssl_getVerify },
 { "getVerifyResult", &ssl_getVerifyResult },
 { "setCertificate", &ssl_setCertificate },
+#if HAVE_SSL_SET1_CHAIN
+ { "setCertificateChain", &ssl_setCertificateChain },
+#endif
+#if HAVE_SSL_GET0_CHAIN_CERTS
+ { "getCertificateChain", &ssl_getCertificateChain },
+#endif
 { "setPrivateKey", &ssl_setPrivateKey },
 { "getCertificate", &ssl_getCertificate },
 { "getPeerCertificate", &ssl_getPeerCertificate },
-- cgit v1.2.3-59-g8ed1b
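Review bot: `ssl_getCertificateChain` leaks the stack returned by `X509_chain_up_ref(certs)`: it is passed into `xl_dup(L, ..., 1)` and nothing in the hunk frees it afterwards, and because `X509_chain_up_ref` bumps each certificate's reference count, every call leaves the stack and one reference per certificate unreleased. The sibling `sx_getCertificateChain` added earlier in this commit hands the `get0` pointer to `xl_dup` with the same copy flag and no up-ref, so the two are inconsistent; if xl_dup's copy flag already duplicates the certificates, the ctx variant is the right model and the line should simply read `xl_dup(L, certs, 1);`. If the up-ref really is required, `X509_chain_up_ref` can return NULL on allocation failure and needs a check, and the returned stack must be released with `sk_X509_pop_free(..., X509_free)` once xl_dup has taken its copy. This function also inherits the NULL-chain case from `SSL_get0_chain_certs` raised on the ctx hunk.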