authorLibravatarLibravatar William Ahern <william@25thandclement.com> 2016-06-24 19:14:05 -0700
committerLibravatarLibravatar William Ahern <william@25thandclement.com> 2016-06-24 19:14:05 -0700
commitc429c7d4945d2cddf43d31bd59b45cadea617f82 (patch)
tree5458f64fbd3a52e7128f8977715b3ee1cac3098a /src
parentdac0e48996b48537fa6d1f6b75b39731b9a58cb2 (diff)
parentbddd9f5a79ae4aea43d7dca09157c53e40503bfb (diff)
Merge branch 'ashb-csr_san'
Diffstat (limited to 'src')
-rw-r--r--src/GNUmakefile1
-rw-r--r--src/openssl.auxlib.lua21
-rw-r--r--src/openssl.c96
-rw-r--r--src/openssl.x509.altname.lua3
-rw-r--r--src/openssl.x509.name.lua3
5 files changed, 122 insertions, 2 deletions
diff --git a/src/GNUmakefile b/src/GNUmakefile
index 3aff30a..f0eefde 100644
--- a/src/GNUmakefile
+++ b/src/GNUmakefile
@@ -88,6 +88,7 @@ LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true)
MODS$(1)_$(d) = \
$$(DESTDIR)$(2)/_openssl.so \
$$(DESTDIR)$(3)/openssl.lua \
+ $$(DESTDIR)$(3)/openssl/auxlib.lua \
$$(DESTDIR)$(3)/openssl/bignum.lua \
$$(DESTDIR)$(3)/openssl/pkey.lua \
$$(DESTDIR)$(3)/openssl/pubkey.lua \
diff --git a/src/openssl.auxlib.lua b/src/openssl.auxlib.lua
new file mode 100644
index 0000000..4f00c25
--- /dev/null
+++ b/src/openssl.auxlib.lua
@@ -0,0 +1,21 @@
+local auxlib = {}
+
+if _VERSION == "Lua 5.1" then
+ local _pairs = pairs
+
+ function auxlib.pairs(t)
+ if type(t) == "userdata" then
+ local mt = getmetatable(t)
+
+ if mt and mt.__pairs then
+ return mt.__pairs(t)
+ else
+ return _pairs(t)
+ end
+ end
+ end
+else
+ auxlib.pairs = pairs
+end
+
+return auxlib
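Review bot: In the Lua 5.1 branch `auxlib.pairs` returns nothing when `t` is not userdata — the `if type(t) == "userdata"` block has no fallback, so `for k, v in auxlib.pairs(some_table)` fails with "attempt to call a nil value". The two callers in this commit pass userdata objects, but the function is exported as a general `pairs` replacement and the first caller that hands it a plain table will break at runtime instead of falling through to the stock iterator. Adding `if type(t) ~= "userdata" then return _pairs(t) end` as the first line of the function (or returning `_pairs(t)` after the userdata block rather than inside it) closes the gap. A short header comment such as `-- pairs() that honours a __pairs metamethod on userdata under Lua 5.1, whose VM ignores __pairs` would also help, since the file does not say why the shim exists.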
diff --git a/src/openssl.c b/src/openssl.c
index 11d02a0..9c40e57 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -4328,6 +4328,7 @@ static const auxL_IntegerReg xe_textopts[] = {
{ "ERROR_UNKNOWN", X509V3_EXT_ERROR_UNKNOWN },
{ "PARSE_UNKNOWN", X509V3_EXT_PARSE_UNKNOWN },
{ "DUMP_UNKNOWN", X509V3_EXT_DUMP_UNKNOWN },
+ { NULL, 0 },
};
int luaopen__openssl_x509_extension(lua_State *L) {
@@ -5487,6 +5488,99 @@ static int xr_setPublicKey(lua_State *L) {
} /* xr_setPublicKey() */
+static int xr_setExtensionByNid(lua_State *L, X509_REQ *csr, int target_nid, void* value) {
+ STACK_OF(X509_EXTENSION) *sk = NULL;
+ int has_attrs=0;
+
+ /*
+ * Replace existing if it's there. Extensions are stored in a CSR in
+ * an interesting way:
+ *
+ * They are stored as a list under either (most likely) the
+ * "official" NID_ext_req or under NID_ms_ext_req which means
+ * everything is stored under a list in a single "attribute" so we
+ * can't use X509_REQ_add1_attr or similar.
+ *
+ * Instead we have to get the extensions, find and replace the SAN
+ * if it's in there, then *replace* the extensions in the list of
+ * attributes. (If we just try to add it the old ones are found
+ * first and don't take priority.)
+ */
+ has_attrs = X509_REQ_get_attr_count(csr);
+
+ sk = X509_REQ_get_extensions(csr);
+ if (!X509V3_add1_i2d(&sk, target_nid, value, 0, X509V3_ADD_REPLACE))
+ goto error;
+ if (X509_REQ_add_extensions(csr, sk) == 0)
+ goto error;
+ sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
+ sk = NULL;
+
+ /*
+ * Delete the old extensions attribute, so that the one we just
+ * added takes priority.
+ */
+ if (has_attrs) {
+ X509_ATTRIBUTE *attr = NULL;
+ int idx, *pnid;
+
+ for (pnid = X509_REQ_get_extension_nids(); *pnid != NID_undef; pnid++) {
+ idx = X509_REQ_get_attr_by_NID(csr, *pnid, -1);
+ if (idx == -1)
+ continue;
+ if (!(attr = X509_REQ_delete_attr(csr, idx)))
+ goto error;
+ X509_ATTRIBUTE_free(attr);
+ break;
+ }
+ if (!attr)
+ goto error;
+ }
+
+ /*
+ * We have to mark the encoded form as invalid, otherwise when we
+ * write it out again it will use the loaded version.
+ */
+ csr->req_info->enc.modified = 1;
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+error:
+ if (sk)
+ sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
+
+ return auxL_error(L, auxL_EOPENSSL, "x509.csr.setExtensionByNid");
+} /* xr_setExtensionByNid() */
+
+
+static int xr_setSubjectAlt(lua_State *L) {
+ X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
+ GENERAL_NAMES *gens = checksimple(L, 2, X509_GENS_CLASS);
+
+ return xr_setExtensionByNid(L, csr, NID_subject_alt_name, gens);
+} /* xr_setSubjectAlt */
+
+
+static int xr_getSubjectAlt(lua_State *L) {
+ X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
+ STACK_OF(X509_EXTENSION) *exts;
+ GENERAL_NAMES *gens;
+
+ exts = X509_REQ_get_extensions(csr);
+ gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+ if (!gens) goto error;
+
+ gn_dup(L, gens);
+
+ return 1;
+error:
+ return 0;
+} /* xr_getSubjectAlt() */
+
+
+
static int xr_sign(lua_State *L) {
X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
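Review bot: `has_attrs` in xr_setExtensionByNid counts every attribute on the CSR, not just the extension-request attribute, so a CSR that carries e.g. only a challengePassword attribute enters the deletion loop with no pre-existing extension attribute; `X509_REQ_get_attr_by_NID` then finds the attribute `X509_REQ_add_extensions` just pushed onto the list and deletes it, silently dropping the SAN while `setSubjectAlt` still returns true. Record the index of the old extension attribute before adding the new one and delete by that index afterwards, which is stable because the new attribute is appended to the end. Separately, `csr->req_info->enc.modified = 1` reaches into the X509_REQ structure, which is opaque in OpenSSL 1.1.0, so this line will need an API-level replacement there. In xr_getSubjectAlt the GENERAL_NAMES returned by `X509V3_get_d2i` is owned by the caller, so unless gn_dup takes ownership (not visible here) it needs a `GENERAL_NAMES_free(gens)` after the dup; a duplicate SAN extension also makes `X509V3_get_d2i` return NULL with a NULL idx, which this code reports as "no SAN".
```c
static int xr_setExtensionByNid(lua_State *L, X509_REQ *csr, int target_nid, void* value) {
	STACK_OF(X509_EXTENSION) *sk = NULL;
	int old_idx = -1, *pnid;

	/* Find the existing extension-request attribute, if any, before we add ours. */
	for (pnid = X509_REQ_get_extension_nids(); *pnid != NID_undef; pnid++) {
		if ((old_idx = X509_REQ_get_attr_by_NID(csr, *pnid, -1)) != -1)
			break;
	}

	/* … unchanged: X509_REQ_get_extensions, X509V3_add1_i2d, X509_REQ_add_extensions, free sk … */

	/* The new attribute was appended, so old_idx still addresses the old one. */
	if (old_idx != -1) {
		X509_ATTRIBUTE *attr = X509_REQ_delete_attr(csr, old_idx);
		if (!attr)
			goto error;
		X509_ATTRIBUTE_free(attr);
	}

	/* … unchanged: mark encoding modified, push true, error path … */
```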
@@ -5544,6 +5638,8 @@ static const auxL_Reg xr_methods[] = {
{ "setSubject", &xr_setSubject },
{ "getPublicKey", &xr_getPublicKey },
{ "setPublicKey", &xr_setPublicKey },
+ { "getSubjectAlt", &xr_getSubjectAlt },
+ { "setSubjectAlt", &xr_setSubjectAlt },
{ "sign", &xr_sign },
{ "tostring", &xr__tostring },
{ NULL, NULL },
diff --git a/src/openssl.x509.altname.lua b/src/openssl.x509.altname.lua
index 66f16e7..e8222a0 100644
--- a/src/openssl.x509.altname.lua
+++ b/src/openssl.x509.altname.lua
@@ -1,9 +1,10 @@
local altname = require"_openssl.x509.altname"
+local auxlib = require"openssl.auxlib"
altname.interpose("__tostring", function (self)
local t = { }
- for k, v in pairs(self) do
+ for k, v in auxlib.pairs(self) do
t[#t + 1] = k .. ":" .. v
end
diff --git a/src/openssl.x509.name.lua b/src/openssl.x509.name.lua
index a531502..f33339a 100644
--- a/src/openssl.x509.name.lua
+++ b/src/openssl.x509.name.lua
@@ -1,9 +1,10 @@
local name = require"_openssl.x509.name"
+local auxlib = require"openssl.auxlib"
name.interpose("__tostring", function (self)
local t = { }
- for k, v in pairs(self) do
+ for k, v in auxlib.pairs(self) do
t[#t + 1] = k .. "=" .. v
end