-rwxr-xr-xexamples/self.x50954
-rwxr-xr-xexamples/vrfy.sig35
2 files changed, 89 insertions, 0 deletions
diff --git a/examples/self.x509 b/examples/self.x509
new file mode 100755
index 0000000..39525d0
--- /dev/null
+++ b/examples/self.x509
@@ -0,0 +1,54 @@
+#!/usr/local/lua52/bin/lua
+--
+-- Example self-signed X.509 certificate generation.
+--
+-- Skips intermediate CSR object, which is just an antiquated way for
+-- specifying subject DN and public key to CAs. See API documentation for
+-- CSR generation.
+--
+
+local pubkey = require"openssl.pubkey"
+local x509 = require"openssl.x509"
+local name = require"openssl.x509.name"
+local altname = require"openssl.x509.altname"
+
+-- generate our public/private key pair
+--local key = pubkey.new{ type = "RSA", bits = 1024 }
+--local key = pubkey.new{ type = "DSA", bits = 1024 }
+local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+
+-- our Subject and Issuer DN (self-signed, so same)
+local dn = name.new()
+dn:add("C", "US")
+dn:add("ST", "California")
+dn:add("L", "San Francisco")
+dn:add("O", "Acme, Inc")
+dn:add("CN", "acme.inc")
+
+-- our Alternative Names
+local alt = altname.new()
+alt:add("DNS", "acme.inc")
+alt:add("DNS", "*.acme.inc")
+
+-- build our certificate
+local crt = x509.new()
+
+crt:setVersion(3)
+crt:setSerial(47)
+
+crt:setSubject(dn)
+crt:setIssuer(crt:getSubject())
+crt:setSubjectAlt(alt)
+
+local issued, expires = crt:getLifetime()
+crt:setLifetime(issued, expires + 60) -- good for 60 seconds
+
+crt:setBasicConstraints{ CA = true, pathLen = 2 }
+crt:setBasicConstraintsCritical(true)
+
+crt:setPublicKey(key)
+crt:sign(key)
+
+-- pretty-print using openssl command-line utility.
+io.popen("openssl x509 -text -noout", "w"):write(tostring(crt))
+
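Review bot: The key parameters in this example are below current minimums: `prime192v1` gives roughly 96-bit security and the commented-out RSA/DSA alternatives use 1024 bits, and example code tends to be copied verbatim (the same `prime192v1` line appears in examples/vrfy.sig). I would use `local key = pubkey.new{ type = "EC", curve = "prime256v1" }` and `bits = 2048` or more in the commented alternatives. Separately, `setBasicConstraints{ CA = true, pathLen = 2 }` makes this wildcard-SAN certificate a CA that can sign further certificates; a comment such as `-- CA = true lets this cert sign others; use CA = false for a leaf/server certificate` would help readers who only want a server certificate. The handle returned by `io.popen` is never closed, so the script may exit before the pipe is flushed; keeping it in a local and calling `:close()` after the write would avoid that.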
diff --git a/examples/vrfy.sig b/examples/vrfy.sig
new file mode 100755
index 0000000..94daf43
--- /dev/null
+++ b/examples/vrfy.sig
@@ -0,0 +1,35 @@
+#!/usr/local/lua52/bin/lua
+--
+-- Example public-key signature verification.
+--
+
+local pubkey = require"openssl.pubkey"
+local digest = require"openssl.digest"
+
+-- generate a public/private key pair
+local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+
+-- digest our message using an appropriate digest ("ecdsa-with-SHA1" for EC;
+-- "dss1" for DSA; and "sha1", "sha256", etc for RSA).
+local data = digest.new"ecdsa-with-SHA1"
+data:update(... or "hello world")
+
+-- generate a signature for our data
+local sig = key:sign(data)
+
+-- to prove verification works, instantiate a new object holding just
+-- the public key
+local pub = pubkey.new(key:toPEM"public")
+
+-- a utility routine to output our signature
+local function tohex(b)
+ local x = ""
+ for i = 1, #b do
+ x = x .. string.format("%.2x", string.byte(b, i))
+ end
+ return x
+end
+
+print("okay", pub:verify(sig, data))
+print("type", pub:type())
+print("sig", tohex(sig))
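Review bot: The digest selected by `digest.new"ecdsa-with-SHA1"` is SHA-1, which is no longer collision-resistant enough for signatures, and the comment above it presents the SHA-1 aliases as the "appropriate" choice for EC and DSA. As far as I know, OpenSSL 1.0.0 and later accept ordinary digest names with ECDSA keys, so `local data = digest.new"sha256"` should work here; if older builds still need the alias, the comment should say that it is a compatibility fallback rather than the recommended default. The script also only prints the result of `pub:verify(sig, data)`; assuming it returns a boolean, something like `assert(pub:verify(sig, data), "signature verification failed")` would show readers that a failed verification has to stop processing.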