diff options
| -rw-r--r-- | doc/luaossl.tex | 222 |
1 files changed, 112 insertions, 110 deletions
diff --git a/doc/luaossl.tex b/doc/luaossl.tex index 0aac6c3..5bdc67d 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -221,11 +221,11 @@ Install Lua 5.3 module. \module{openssl.bignum} binds OpenSSL's libcrypto bignum library. It supports all the standard arithmetic operations. Regular number operands in a mixed arithmetic expression are upgraded as-if \method{bignum.new} was used explicitly. The \fn{\_\_tostring} metamethod generates a decimal encoded represention. -\subsubsection[\fn{bignum.new}]{\fn{bignum.new(number)}} +\subsubsection[\fn{bignum.new}]{\fn{bignum.new($number$)}} -Wraps the sign and integral part of `number' as a bignum object, discarding any fractional part. +Wraps the sign and integral part of $number$ as a bignum object, discarding any fractional part. -\subsubsection[\fn{bignum.interpose}]{\fn{bignum.interpose(name, function)}} +\subsubsection[\fn{bignum.interpose}]{\fn{bignum.interpose($name$, $function$)}} Add or interpose a bignum class method. Returns the previous method, if any. @@ -234,11 +234,13 @@ Add or interpose a bignum class method. Returns the previous method, if any. \begin{Module}{openssl.pubkey} -\module{openssl.pubkey} binds OpenSSL's libcrypto public-private key library. The \fn{tostring} metamethod generates a PEM encoded representation of the public key---excluding the private key. +\module{openssl.pubkey} binds OpenSSL's libcrypto public-private key library. The \fn{\_\_tostring} metamethod generates a PEM encoded representation of the public key---excluding the private key. -\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new(string)}} +\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new($string$[, $format$])}} -Initializes a new pubkey object from the PEM-encoded key in `string'. +Initializes a new pubkey object from the PEM- or DER-encoded key in $string$. $format$ defaults to ``*'', which means to automatically test the input encoding. If $format$ is explicitly ``PEM'' or ``DER'', then only that decoding format is used. + +On failure throws an error. \subsubsection[\fn{pubkey.new}]{\fn{pubkey.new\{ $\ldots$ \}}} @@ -254,7 +256,7 @@ field & type:default & description\\\hline .curve & string:prime192v1 & for elliptic curve keys, the OpenSSL string identifier of the curve \end{ctabular} -\subsubsection[\fn{pubkey.interpose}]{\fn{pubkey.interpose(name, function)}} +\subsubsection[\fn{pubkey.interpose}]{\fn{pubkey.interpose($name$, $function$)}} Add or interpose a pubkey class method. Returns the previous method, if any. @@ -262,29 +264,29 @@ Add or interpose a pubkey class method. Returns the previous method, if any. Returns the OpenSSL string identifier for the type of key. -\subsubsection[\fn{pubkey:setPublicKey}]{\fn{pubkey:setPublicKey(string)}} +\subsubsection[\fn{pubkey:setPublicKey}]{\fn{pubkey:setPublicKey($string$[, $format$])}} -Set the public key component to that described by the PEM encoded public key in `string'. +Set the public key component to that described by the PEM- or DER-encoded public key in $string$. $format$ is as described in \fn{openssl.pubkey.new}---``PEM'', ``DER'', or ``*'' (default). -\subsubsection[\fn{pubkey:setPrivateKey}]{\fn{pubkey:setPrivateKey(string)}} +\subsubsection[\fn{pubkey:setPrivateKey}]{\fn{pubkey:setPrivateKey($string$[, $format$])}} -Set the private key component to that described by the PEM encoded private key in `string'. +Set the private key component to that described by the PEM encoded private key in $string$. $format$ is as described in \fn{openssl.pubkey.new}. -\subsubsection[\fn{pubkey:sign}]{\fn{pubkey:sign(digest)}} +\subsubsection[\fn{pubkey:sign}]{\fn{pubkey:sign($digest$)}} -Sign data which has been consumed by the specified \module{openssl.digest} `digest'. Digests and keys are not all interchangeable. For example, an elliptic curve key requires a digest of type ``ecdsa-with-SHA1'', while DSA requires ``dss1''. OpenSSL supports more varied digests for RSA. +Sign data which has been consumed by the specified \module{openssl.digest} $digest$. Digests and keys are not all interchangeable. For example, an elliptic curve key requires a digest of type ``ecdsa-with-SHA1'', while DSA requires ``dss1''. OpenSSL supports more varied digests for RSA. Returns the signature as an opaque binary string\footnote{Elliptic curve signatures are two X.509 DER-encoded numbers, for example, while RSA signatures are encrypted DER structures.} on success, and throws an error otherwise. -\subsubsection[\fn{pubkey:verify}]{\fn{pubkey:verify(signature, digest)}} +\subsubsection[\fn{pubkey:verify}]{\fn{pubkey:verify($signature$, $digest$)}} -Verify the string `signature' as signing the document consumed by \module{openssl.digest} `digest`. See the :sign method for constraints on the format and type of the parameters. +Verify the string $signature$ as signing the document consumed by \module{openssl.digest} $digest$. See the :sign method for constraints on the format and type of the parameters. Returns true on success, false for properly formatted but invalid signatures, and throws an error otherwise. Because the structure of the signature is opaque and not susceptible to sanity checking before passing to OpenSSL, an application should always be prepared for an error to be thrown when verifying untrusted signatures. OpenSSL, of course, should be able to handle all malformed inputs. But the module does not attempt to differentiate local system errors from errors triggered by malformed signatures because the set of such errors may change in the future. -\subsubsection[\fn{pubkey:toPEM}]{\fn{pubkey:toPEM(which[, which])}} +\subsubsection[\fn{pubkey:toPEM}]{\fn{pubkey:toPEM($which$[, $which$])}} -Returns the PEM encoded string representation(s) of the specified key component. `which' must be one of ``public'', ``PublicKey'', ``private'', or ``PrivateKey''. For the two argument form, returns two values. +Returns the PEM encoded string representation(s) of the specified key component. $which$ must be one of ``public'', ``PublicKey'', ``private'', or ``PrivateKey''. For the two argument form, returns two values. \end{Module} @@ -297,13 +299,13 @@ Binds the X.509 distinguished name OpenSSL ASN.1 object, used for representing c Returns an empty name object. -\subsubsection[\fn{name.interpose}]{\fn{name.interpose(name, function)}} +\subsubsection[\fn{name.interpose}]{\fn{name.interpose($name$, $function$)}} Add or interpose a name class method. Returns the previous method, if any. -\subsubsection[\fn{name:add}]{\fn{name:add(type, value)}} +\subsubsection[\fn{name:add}]{\fn{name:add($type$, $value$)}} -Add a distinguished name component. `type' is the OpenSSL string identifier of the component type---short, long, or OID forms. `value' is the string value of the component. DN components are free-form, and are encoded raw. +Add a distinguished name component. $type$ is the OpenSSL string identifier of the component type---short, long, or OID forms. $value$ is the string value of the component. DN components are free-form, and are encoded raw. \subsubsection[\fn{name:all}]{\fn{name:all()}} @@ -332,19 +334,19 @@ Binds the X.509 alternative names (a.k.a ``general names'') OpenSSL ASN.1 object Returns an empty altname object. -\subsubsection[\fn{altname.interpose}]{\fn{altname.interpose(name, function)}} +\subsubsection[\fn{altname.interpose}]{\fn{altname.interpose($name$, $function$)}} Add or interpose an altname class method. Returns the previous method, if any. -\subsubsection[\fn{altname:add}]{\fn{altname:add(type, value)}} +\subsubsection[\fn{altname:add}]{\fn{altname:add($type$, $value$)}} -Add an alternative name. `type' must specify one of the four basic types identified by ``RFC822Name'', ``RFC822'', ``email'', ``UniformResourceIdentifier'', ``URI'', ``DNSName'', ``DNS'', ``IPAddress'', and ``IP''. +Add an alternative name. $type$ must specify one of the five basic types identified by ``RFC822Name'', ``RFC822'', ``email'', ``UniformResourceIdentifier'', ``URI'', ``DNSName'', ``DNS'', ``IPAddress'', ``IP'', or ``DirName''. -`value' is a string acceptable to OpenSSL's sanity checks. For an IP address, `value' must be parseable by the system's \fn{inet\_pton} routine, as IP addresses are stored as raw 4- or 16-byte octets. +For all types except ``DirName'', $value$ is a string acceptable to OpenSSL's sanity checks. For an IP address, $value$ must be parseable by the system's \fn{inet\_pton} routine, as IP addresses are stored as raw 4- or 16-byte octets. ``DirName'' takes an \module{openssl.x509.name} object. \subsubsection[\fn{name:\_\_pairs}]{\fn{name:\_\_pairs()}} -Returns a key-value iterator over the alternative names. The key is one of ``email'', ``URI'', ``DNS'', or ``IP''. The value is the string representation of the name. +Returns a key-value iterator over the alternative names. The key is one of ``email'', ``URI'', ``DNS'', ``IP'', or ``DirName''. The value is the string representation of the name. \end{Module} @@ -353,11 +355,11 @@ Returns a key-value iterator over the alternative names. The key is one of ``ema Binds the X.509 certificate OpenSSL ASN.1 object. -\subsubsection[\fn{x509.new}]{\fn{x509.new([string])}} +\subsubsection[\fn{x509.new}]{\fn{x509.new([$string$[, $format$]])}} -Returns a new x509 object, optionally initialized to the PEM encoded certificate specified by `string'. +Returns a new x509 object, optionally initialized to the PEM- or DER-encoded certificate specified by $string$. $format$ is as described in \fn{openssl.pubkey.new}--``PEM'', ``DER'', or ``*'' (default). -\subsubsection[\fn{x509.interpose}]{\fn{x509.interpose(name, function)}} +\subsubsection[\fn{x509.interpose}]{\fn{x509.interpose($name$, $function$)}} Add or interpose an x509 class method. Returns the previous method, if any. @@ -365,7 +367,7 @@ Add or interpose an x509 class method. Returns the previous method, if any. Returns the X.509 version of the certificate. -\subsubsection[\fn{x509:setVersion}]{\fn{x509:setVersion(number)}} +\subsubsection[\fn{x509:setVersion}]{\fn{x509:setVersion($number$)}} Sets the X.509 version of the certificate. @@ -373,27 +375,27 @@ Sets the X.509 version of the certificate. Returns the serial of the certificate as an \module{openssl.bignum}. -\subsubsection[\fn{x509:setSerial}]{\fn{x509:setSerial(number)}} +\subsubsection[\fn{x509:setSerial}]{\fn{x509:setSerial($number$)}} -Sets the serial of the certificate. `number' is a Lua or \module{openssl.bignum} number. +Sets the serial of the certificate. $number$ is a Lua or \module{openssl.bignum} number. -\subsubsection[\fn{x509:digest}]{\fn{x509:digest([type[, format]])}} +\subsubsection[\fn{x509:digest}]{\fn{x509:digest([$type$[, $format$]])}} -Returns the cryptographic one-way message digest of the certificate. `type' is the OpenSSL string identifier of the hash type---e.g. ``md5'', ``sha1'' (default), ``sha256'', etc. `format' specifies the representation of the digest---``s'' for an octet string, ``x'' for a hexadecimal string (default), and ``n'' for an \module{openssl.bignum} number. +Returns the cryptographic one-way message digest of the certificate. $type$ is the OpenSSL string identifier of the hash type---e.g. ``md5'', ``sha1'' (default), ``sha256'', etc. $format$ specifies the representation of the digest---``s'' for an octet string, ``x'' for a hexadecimal string (default), and ``n'' for an \module{openssl.bignum} number. \subsubsection[\fn{x509:getLifetime}]{\fn{x509:getLifetime()}} Returns the certificate validity ``Not Before'' and ``Not After'' dates as two Unix timestamp numbers. -\subsubsection[\fn{x509:setLifetime}]{\fn{x509:setLifetime([notbefore][, notafter])}} +\subsubsection[\fn{x509:setLifetime}]{\fn{x509:setLifetime([$notbefore$][, $notafter$])}} -Sets the certificate validity dates. A nil value leaves the particular date unchanged. +Sets the certificate validity dates. $notbefore$ and $notafter$ should be UNIX timestamps. A nil value leaves the particular date unchanged. \subsubsection[\fn{x509:getIssuer}]{\fn{x509:getIssuer()}} Returns the issuer distinguished name as an \module{x509.name} object. -\subsubsection[\fn{x509:setIssuer}]{\fn{x509:setIssuer(name)}} +\subsubsection[\fn{x509:setIssuer}]{\fn{x509:setIssuer($name$)}} Sets the issuer distinguished name. @@ -401,7 +403,7 @@ Sets the issuer distinguished name. Returns the subject distinguished name as an \module{x509.name} object. -\subsubsection[\fn{x509:setSubject}]{\fn{x509:setSubject(name)}} +\subsubsection[\fn{x509:setSubject}]{\fn{x509:setSubject($name$)}} Sets the subject distinguished name. @@ -409,7 +411,7 @@ Sets the subject distinguished name. Returns the issuer alternative names as an \module{x509.altname} object. -\subsubsection[\fn{x509:setIssuerAlt}]{\fn{x509:setIssuer(altname)}} +\subsubsection[\fn{x509:setIssuerAlt}]{\fn{x509:setIssuer($altname$)}} Sets the issuer alternative names. @@ -417,7 +419,7 @@ Sets the issuer alternative names. Returns the subject alternative names as an \module{x509.name} object. -\subsubsection[\fn{x509:setSubjectAlt}]{\fn{x509:setSubjectAlt(name)}} +\subsubsection[\fn{x509:setSubjectAlt}]{\fn{x509:setSubjectAlt($name$)}} Sets the subject alternative names. @@ -425,7 +427,7 @@ Sets the subject alternative names. Returns the issuer alternative names critical flag as a boolean. -\subsubsection[\fn{x509:setIssuerAltCritical}]{\fn{x509:setIssuerAltCritical(boolean)}} +\subsubsection[\fn{x509:setIssuerAltCritical}]{\fn{x509:setIssuerAltCritical($boolean$)}} Sets the issuer alternative names critical flag. @@ -433,13 +435,13 @@ Sets the issuer alternative names critical flag. Returns the subject alternative names critical flag as a boolean. -\subsubsection[\fn{x509:setSubjectAltCritical}]{\fn{x509:setSubjectAltCritical(boolean)}} +\subsubsection[\fn{x509:setSubjectAltCritical}]{\fn{x509:setSubjectAltCritical($boolean$)}} Sets the subject alternative names critical flag. -\subsubsection[\fn{x509:getBasicConstraints}]{\fn{x509:getBasicConstraints([which[, which $\ldots$ ]])}} +\subsubsection[\fn{x509:getBasicConstraints}]{\fn{x509:getBasicConstraints([$which$[, $which$ $\ldots$ ]])}} -Returns the X.509 ``basic constraint'' flags. If specified, `which' should be one of ``CA'' or ``pathLen'', which returns the specified constraint---respectively, a boolean and a number. If no parameters are specified, returns a table with fields ``CA'' and ``pathLen''. +Returns the X.509 `basic constraint' flags. If specified, $which$ should be one of ``CA'' or ``pathLen'', which returns the specified constraint---respectively, a boolean and a number. If no parameters are specified, returns a table with fields ``CA'' and ``pathLen''. \subsubsection[\fn{x509:setBasicConstraints}]{\fn{x509:setBasicConstraints\{ $\ldots$ \}}} @@ -449,25 +451,25 @@ Sets the basic constraint flag according to the defined field values for ``CA'' Returns the basic constraints critical flag as a boolean. -\subsubsection[\fn{x509:setBasicConstraintsCritical}]{\fn{x509:setBasicConstraintsCritical(boolean)}} +\subsubsection[\fn{x509:setBasicConstraintsCritical}]{\fn{x509:setBasicConstraintsCritical($boolean$)}} Sets the basic constraints critical flag. -\subsubsection[\fn{x509:isIssuedBy}]{\fn{x509:isIssuedBy(issuer)}} +\subsubsection[\fn{x509:isIssuedBy}]{\fn{x509:isIssuedBy($issuer$)}} -Returns a boolean according to whether the specified issuer---an \module{openssl.x509} object---signed the instance certificate. +Returns a boolean according to whether the specified issuer---an \module{openssl.x509.name} object---signed the instance certificate. \subsubsection[\fn{x509:getPublicKey}]{\fn{x509:getPublicKey()}} Returns the public key component as an \module{openssl.pubkey} object. -\subsubsection[\fn{x509:setPublicKey}]{\fn{x509:setPublicKey(key)}} +\subsubsection[\fn{x509:setPublicKey}]{\fn{x509:setPublicKey($key$)}} -Sets the public key component referenced by the \module{openssl.pubkey} object `key'. +Sets the public key component referenced by the \module{openssl.pubkey} object $key$. -\subsubsection[\fn{x509:sign}]{\fn{x509:sign(key [, type])}} +\subsubsection[\fn{x509:sign}]{\fn{x509:sign($key$ [, $type$])}} -Signs and updates the instance certificate using the \module{openssl.pubkey} `key'. `type' is an optional string describing the digest type. See \module{pubkey:sign}, regarding which types of digests are valid. If `type' is omitted than a default type is used---``sha1'' for RSA keys, ``dss1'' for DSA keys, and ``ecdsa-with-SHA1'' for EC keys. +Signs and updates the instance certificate using the \module{openssl.pubkey} $key$. $type$ is an optional string describing the digest type. See \module{pubkey:sign}, regarding which types of digests are valid. If $type$ is omitted than a default type is used---``sha1'' for RSA keys, ``dss1'' for DSA keys, and ``ecdsa-with-SHA1'' for EC keys. \subsubsection[\fn{x509:\_\_tostring}]{\fn{x509:\_\_tostring}} @@ -480,11 +482,11 @@ Returns the PEM encoded representation of the instance certificate. Binds the X.509 certificate signing request OpenSSL ASN.1 object. -\subsubsection[\fn{csr.new}]{\fn{csr.new([x509|string])}} +\subsubsection[\fn{csr.new}]{\fn{csr.new([$x509$|$string$[, $format$]])}} -Returns a new request object, optionally initialized to the specified \module{openssl.x509} certificate `x509' or the the PEM encoded certificate signing request `string'. +Returns a new request object, optionally initialized to the specified \module{openssl.x509} certificate $x509$ or the PEM- or DER-encoded certificate signing request $string$. $format$ is as described in \fn{openssl.pubkey.new}---``PEM'', ``DER'', or ``*'' (default). -\subsubsection[\fn{csr.interpose}]{\fn{csr.interpose(name, function)}} +\subsubsection[\fn{csr.interpose}]{\fn{csr.interpose($name$, $function$)}} Add or interpose a request class method. Returns the previous method, if any. @@ -492,7 +494,7 @@ Add or interpose a request class method. Returns the previous method, if any. Returns the X.509 version of the request. -\subsubsection[\fn{car:setVersion}]{\fn{csr:setVersion(number)}} +\subsubsection[\fn{car:setVersion}]{\fn{csr:setVersion($number$)}} Sets the X.509 version of the request. @@ -500,7 +502,7 @@ Sets the X.509 version of the request. Returns the subject distinguished name as an \module{x509.name} object. -\subsubsection[\fn{csr:setSubject}]{\fn{csr:setSubject(name)}} +\subsubsection[\fn{csr:setSubject}]{\fn{csr:setSubject($name$)}} Sets the subject distinguished name. @@ -508,13 +510,13 @@ Sets the subject distinguished name. Returns the public key component as an \module{openssl.pubkey} object. -\subsubsection[\fn{csr:setPublicKey}]{\fn{csr:setPublicKey(key)}} +\subsubsection[\fn{csr:setPublicKey}]{\fn{csr:setPublicKey($key$)}} -Sets the public key component referenced by the \module{openssl.pubkey} object `key'. +Sets the public key component referenced by the \module{openssl.pubkey} object $key$. -\subsubsection[\fn{car:sign}]{\fn{csr:sign(key)}} +\subsubsection[\fn{car:sign}]{\fn{csr:sign($key$)}} -Signs the instance request using the \module{openssl.pubkey} `key'. +Signs the instance request using the \module{openssl.pubkey} $key$. \subsubsection[\fn{csr:\_\_tostring}]{\fn{csr:\_\_tostring}} @@ -531,13 +533,13 @@ Binds the ``STACK\_OF(X509)'' OpenSSL object, principally used in the OpenSSL li Returns a new chain object. -\subsubsection[\fn{chain.interpose}]{\fn{chain.interpose(name, function)}} +\subsubsection[\fn{chain.interpose}]{\fn{chain.interpose($name$, $function$)}} Add or interpose a chain class method. Returns the previous method, if any. -\subsubsection[\fn{chain:add}]{\fn{chain:add(x509)}} +\subsubsection[\fn{chain:add}]{\fn{chain:add($crt$)}} -Append the X.509 certificate `x509'. +Append the X.509 certificate $crt$. \subsubsection[\fn{chain:\_\_ipairs}]{\fn{chain:\_\_ipairs()}} @@ -554,17 +556,17 @@ Binds the X.509 certificate ``X509\_STORE'' OpenSSL object, principally used for Returns a new store object. -\subsubsection[\fn{store.interpose}]{\fn{store.interpose(name, function)}} +\subsubsection[\fn{store.interpose}]{\fn{store.interpose($name$, $function$)}} Add or interpose a store class method. Returns the previous method, if any. -\subsubsection[\fn{store:add}]{\fn{store:add(x509|filepath|dirpath)}} +\subsubsection[\fn{store:add}]{\fn{store:add($crt$|$filepath$|$dirpath$)}} -Add the X.509 certificate `x509' to the store, load the certificates from the file `filepath', or set the OpenSSL ``hash dir'' certificate path `dirpath'. +Add the X.509 certificate $crt$ to the store, load the certificates from the file $filepath$, or set the OpenSSL `hashdir' certificate path $dirpath$. -\subsubsection[\fn{store:verify}]{\fn{store:verify(x509[, chain])}} +\subsubsection[\fn{store:verify}]{\fn{store:verify($crt$[, $chain$])}} -Returns two values. The first is a boolean value for whether the specified certificate `x509' was verified. If true, the second value is a \module{openssl.x509.chain} object validation chain. If false, the second value is a string describing why verification failed. The optional parameter `chain' is an \module{openssl.x509.chain} object of untrusted certificates linking the certificate `x509' to one of the trusted certificates in the instance store. +Returns two values. The first is a boolean value for whether the specified certificate $crt$ was verified. If true, the second value is a \module{openssl.x509.chain} object validation chain. If false, the second value is a string describing why verification failed. The optional parameter $chain$ is an \module{openssl.x509.chain} object of untrusted certificates linking the certificate $crt$ to one of the trusted certificates in the instance store. \end{Module} @@ -587,35 +589,35 @@ VERIFY\_CLIENT\_ONCE & do not request peer certificates after initial handshake See the \href{http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES}{NOTES section} in the OpenSSL documentation for \fn{SSL\_CTX\_set\_verify\_mode}. -\subsubsection[\fn{context.new}]{\fn{context.new([protocol][, server])}} +\subsubsection[\fn{context.new}]{\fn{context.new([$protocol$][, $server$])}} -Returns a new context object. `protocol' is an optional string identifier selecting the SSL mode---TLSv1 (default), SSLv3, SSLv23, or SSLv2. If `server' is true, then SSL connections instantiated using this context will be placed into server mode, otherwise they behave as clients. +Returns a new context object. $protocol$ is an optional string identifier selecting the SSL mode---``TLSv1'' (default), ``SSLv3'', ``SSLv23'', or ``SSLv2''. If $server$ is true, then SSL connections instantiated using this context will be placed into server mode, otherwise they behave as clients. -\subsubsection[\fn{context.interpose}]{\fn{context.interpose(name, function)}} +\subsubsection[\fn{context.interpose}]{\fn{context.interpose($name$, $function$)}} Add or interpose a context class method. Returns the previous method, if any. -\subsubsection[\fn{context:setStore}]{\fn{context:setStore(store)}} +\subsubsection[\fn{context:setStore}]{\fn{context:setStore($store$)}} -Sets the \module{x509.store} of the context instance. +Sets the \module{openssl.x509.store} of the context instance. \subsubsection[\fn{context:getVerify}]{\fn{context:getVerify()}} Returns two values: the bitwise verification mode flags, and the maximum validation depth. -\subsubsection[\fn{context:setVerify}]{\fn{context:setVerify([mode][, depth])}} +\subsubsection[\fn{context:setVerify}]{\fn{context:setVerify([$mode$][, $depth$])}} Sets the verification mode flags and maximum validation chain depth. -\subsubsection[\fn{context:setCertificate}]{\fn{context:setCertificate(x509)}} +\subsubsection[\fn{context:setCertificate}]{\fn{context:setCertificate($crt$)}} -Sets the X.509 certificate \module{openssl.x509} object `x509' to send during SSL connection instance handshakes. +Sets the X.509 certificate \module{openssl.x509} object $crt$ to send during SSL connection instance handshakes. -\subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey(key)}} +\subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey($key$)}} -Sets the private key \module{openssl.pubkey} object `key' for use during SSL connection instance handshakes. +Sets the private key \module{openssl.pubkey} object $key$ for use during SSL connection instance handshakes. -\subsubsection[\fn{context:setCipherList}]{\fn{context:setCipherList(string)}} +\subsubsection[\fn{context:setCipherList}]{\fn{context:setCipherList($string$)}} Sets the allowed public key and private key algorithms. The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. @@ -626,17 +628,17 @@ Sets the allowed public key and private key algorithms. The string format is doc Binds the ``SSL'' OpenSSL object, which represents an SSL connection instance. See \method{socket.checktls}. -\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose(name, function)}} +\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose($name$, $function$)}} Add or interpose an ssl class method. Returns the previous method, if any. \subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}} -Returns the X.509 peer certificate as a \module{cqueues.openssl.x509} object. If no peer certificate is available, returns nil. +Returns the X.509 peer certificate as an \module{openssl.x509} object. If no peer certificate is available, returns nil. \subsubsection[\fn{ssl:getPeerChain}]{\fn{ssl:getPeerChain()}} -Similar to :getPeerCertifiate, but returns the entire chain sent by the peer as a \module{cqueues.openssl.x509.chain} object. +Similar to :getPeerCertifiate, but returns the entire chain sent by the peer as an \module{openssl.x509.chain} object. \subsubsection[\fn{ssl:getCipherInfo}]{\fn{ssl:getCipherInfo()}} @@ -657,21 +659,21 @@ field & description\\\hline Binds the ``EVP\_MD\_CTX'' OpenSSL object, which represents a cryptographic message digest (i.e. hashing) algorithm instance. -\subsubsection[\fn{digest.interpose}]{\fn{digest.interpose(name, function)}} +\subsubsection[\fn{digest.interpose}]{\fn{digest.interpose($name$, $function$)}} Add or interpose a digest class method. Returns the previous method, if any. -\subsubsection[\fn{digest.new}]{\fn{digest.new([type])}} +\subsubsection[\fn{digest.new}]{\fn{digest.new([$type$])}} -Return a new digest instance using the specified algorithm `type'. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''. +Return a new digest instance using the specified algorithm $type$. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''. -\subsubsection[\fn{digest:update}]{\fn{digest:update([string [, ...]])}} +\subsubsection[\fn{digest:update}]{\fn{digest:update([$string$ [, ...]])}} -Update the digest with the specified strings. Returns true. +Update the digest with the specified string(s). Returns the digest object. -\subsubsection[\fn{digest:final}]{\fn{digest:final([string [, ...]])}} +\subsubsection[\fn{digest:final}]{\fn{digest:final([$string$ [, ...]])}} -Update the digest with the specified strings. Returns the final message digest as a binary string. +Update the digest with the specified string(s). Returns the final message digest as a binary string. \end{Module} @@ -680,21 +682,21 @@ Update the digest with the specified strings. Returns the final message digest a Binds the ``HMAC\_CTX'' OpenSSL object, which represents a cryptographic HMAC algorithm instance. -\subsubsection[\fn{hmac.interpose}]{\fn{hmac.interpose(name, function)}} +\subsubsection[\fn{hmac.interpose}]{\fn{hmac.interpose($name$, $function$)}} Add or interpose an HMAC class method. Returns the previous method, if any. -\subsubsection[\fn{hmac.new}]{\fn{hmac.new(key [, type])}} +\subsubsection[\fn{hmac.new}]{\fn{hmac.new($key$ [, $type$])}} -Return a new HMAC instance using the specified `key' and `type'. `key' is the secret used for HMAC authentication. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''. +Return a new HMAC instance using the specified $key$ and $type$. $key$ is the secret used for HMAC authentication. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''. -\subsubsection[\fn{hmac:update}]{\fn{hmac:update([string [, ...]])}} +\subsubsection[\fn{hmac:update}]{\fn{hmac:update([$string$ [, ...]])}} -Update the HMAC with the specified strings. Returns true. +Update the HMAC with the specified string(s). Returns the HMAC object. -\subsubsection[\fn{hmac:final}]{\fn{hmac:final([string [, ...]])}} +\subsubsection[\fn{hmac:final}]{\fn{hmac:final([$string$ [, ...]])}} -Update the HMAC with the specified strings. Returns the final HMAC checksum as a binary string. +Update the HMAC with the specified string(s). Returns the final HMAC checksum as a binary string. \end{Module} @@ -703,31 +705,31 @@ Update the HMAC with the specified strings. Returns the final HMAC checksum as a Binds the ``EVP\_CIPHER\_CTX'' OpenSSL object, which represents a cryptographic cipher instance. -\subsubsection[\fn{cipher.interpose}]{\fn{cipher.interpose(name, function)}} +\subsubsection[\fn{cipher.interpose}]{\fn{cipher.interpose($name$, $function$)}} Add or interpose a cipher class method. Returns the previous method, if any. -\subsubsection[\fn{cipher.new}]{\fn{cipher.new(type)}} +\subsubsection[\fn{cipher.new}]{\fn{cipher.new($type$)}} -Return a new, uninitialized cipher instance. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_cipherbyname, typically of a form similar to ``AES-128-CBC''. +Return a new, uninitialized cipher instance. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_cipherbyname, typically of a form similar to ``AES-128-CBC''. The cipher is uninitialized because some algorithms support or require additional \textit{ad hoc} parameters before key initialization. The API still allows one-shot encryption like ``cipher.new(type):encrypt(key, iv):final(plaintext)''. -\subsubsection[\fn{cipher:encrypt}]{\fn{cipher:encrypt(key [, iv] [, padding])}} +\subsubsection[\fn{cipher:encrypt}]{\fn{cipher:encrypt($key$ [, $iv$] [, $padding$])}} -Initialize the cipher in encryption mode. `key' and `iv' are binary strings with lengths equal to that required by the cipher instance as configured. In other words, key stretching and other transformations must be done explicitly. If the mode does not take an IV or equivalent, such as in ECB mode, then it may be nil. `padding' is a boolean which controls whether PKCS padding is applied, and defaults to true. Returns the cipher instance. +Initialize the cipher in encryption mode. $key$ and $iv$ are binary strings with lengths equal to that required by the cipher instance as configured. In other words, key stretching and other transformations must be done explicitly. If the mode does not take an IV or equivalent, such as in ECB mode, then it may be nil. $padding$ is a boolean which controls whether PKCS padding is applied, and defaults to true. Returns the cipher instance. -\subsubsection[\fn{cipher:decrypt}]{\fn{cipher:decrypt(key [, iv] [, padding])}} +\subsubsection[\fn{cipher:decrypt}]{\fn{cipher:decrypt($key$ [, $iv$] [, $padding$])}} -Initialize the cipher in decryption mode. `key', `iv', and `padding' are as described in :encrypt. Returns the cipher instance. +Initialize the cipher in decryption mode. $key$, $iv$, and $padding$ are as described in \fn{:encrypt}. Returns the cipher instance. -\subsubsection[\fn{cipher:update}]{\fn{cipher:update([string [, ...]])}} +\subsubsection[\fn{cipher:update}]{\fn{cipher:update([$string$ [, ...]])}} -Update the cipher instance with the specified strings. Returns a string on success, or nil and an error message on failure. The returned string may be empty if no blocks can be flushed. +Update the cipher instance with the specified string(s). Returns a string on success, or nil and an error message on failure. The returned string may be empty if no blocks can be flushed. -\subsubsection[\fn{cipher:final}]{\fn{cipher:final([string [, ...]])}} +\subsubsection[\fn{cipher:final}]{\fn{cipher:final([$string$ [, ...]])}} -Update the cipher with the specified strings. Returns the final output string on success, or nil and an error message on failure. The returned string may be empty if all blocks have already been flushed in prior :update calls. +Update the cipher with the specified string(s). Returns the final output string on success, or nil and an error message on failure. The returned string may be empty if all blocks have already been flushed in prior \fn{:update} calls. \end{Module} @@ -738,9 +740,9 @@ Binds OpenSSL's random number interfaces. OpenSSL will automatically attempt to seed itself from the system. The only time this could theoretically fail is if /dev/urandom (or similar) were not visible or could not be opened. This might happen if within a chroot jail, or if a file descriptor limit were reached. -\subsubsection[\fn{rand.bytes}]{\fn{rand.bytes(count)}} +\subsubsection[\fn{rand.bytes}]{\fn{rand.bytes($count$)}} -Returns `count' cryptographically-strong bytes as a single string. Throws an error if OpenSSL could not complete the request---e.g. because the CSPRNG could not be seeded. +Returns $count$ cryptographically-strong bytes as a single string. Throws an error if OpenSSL could not complete the request---e.g. because the CSPRNG could not be seeded. \subsubsection[\fn{rand.ready}]{\fn{rand.ready()}} @@ -748,9 +750,9 @@ Returns a boolean describing whether the CSPRNG has been properly seeded. In the default CSPRNG engine this routine will also attempt to seed the system if not already. Because seeding only needs to happen once per process to ensure a successful RAND\_bytes invocation\footnote{At least this appeared to be the case when examining the source code of OpenSSL 1.0.1. See md\_rand.c near line 407---``Once we've had enough initial seeding we don't bother to adjust the entropy count, though, because we're not ambitious to provide *information-theoretic* randomness.''}, it may be prudent to assert on rand:ready() at application startup. -\subsubsection[\fn{rand.uniform}]{\fn{rand.uniform([n])}} +\subsubsection[\fn{rand.uniform}]{\fn{rand.uniform([$n$])}} -Returns a cryptographically strong uniform random integer in the interval $[0, n-1]$. If `n' is omitted, the interval is $[0, 2^{64}-1]$. +Returns a cryptographically strong uniform random integer in the interval $[0, n-1]$. If $n$ is omitted, the interval is $[0, 2^{64}-1]$. The routine operates internally on 64-bit unsigned integers.\footnote{Actually, \texttt{unsigned long long}.} Because neither Lua 5.1 nor 5.2 support 64-bit integers, it's probably best to generate numbers that fit the integral range of your Lua implementation. Lua 5.3 is expected to add a new arithmetic type for 64-bit signed integers in two's-complement representation. This new arithmetic type will be used for return values when available. |