From 12c628ed78384370b9dc30ecb582dfeedd3e8c9a Mon Sep 17 00:00:00 2001
From: Pascal Fellerich
Date: Mon, 3 Apr 2017 14:36:45 +1000
Subject: New: pkey.new{} modified to accept 'dhparam', a string representing the pre-computed DH parameters
---
 doc/luaossl.tex | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'doc')
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 7db7463..86f117d 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -286,8 +286,13 @@ field & type:default & description\\\hline
 .exp & number:65537 & RSA or Diffie-Hellman exponent \\
+.dhparam & string & PEM encoded string with precomputed DH parameters \\
+
 .curve & string:prime192v1 & for elliptic curve keys, the OpenSSL string identifier of the curve
 \end{ctabular}
+
+The DH parameters ``dhparam'' will be generated on the fly, ``bits'' wide. This is a slow process, and especially for larger sizes, you would precompute those; for example: ``openssl dhparam -2 -out dh-2048.pem -outform PEM 2048''. Using the field ``dhparam'' overrides the ``bits'' field.
+
 \subsubsection[\fn{pkey.interpose}]{\fn{pkey.interpose($name$, $function$)}}
 Add or interpose a pkey class method. Returns the previous method, if any.
-- cgit v1.2.3-59-g8ed1b
From 159354a58afda90f213f0858db89dfbd87ae74eb Mon Sep 17 00:00:00 2001
From: Pascal Fellerich
Date: Mon, 3 Apr 2017 14:50:30 +1000
Subject: New: pkcs12.parse() added to read a PKCS12 string, and return (pkey,cert,ca)
---
 doc/luaossl.tex | 4 ++++
 src/openssl.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
(limited to 'doc')
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 86f117d..4f06ecf 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -768,6 +768,10 @@ Add or interpose a store class method. Returns the previous method, if any.
 Returns a PKCS \#12 binary encoded string.
+\subsubsection[\fn{pkcs12.parse}]{\fn{pkcs12.parse($bag$[, $passphrase$])}}
+
+Parses a PKCS\#12 bag, presented as a binary string $bag$. The second parameter $passphrase$ is the passphrase required to decrypt the PKCS\#12 bag. The function returns three items; namely the key, certificate and the CA chain, as their respective objects. If an item is absent, it will be substituted with nil.
+
 \end{Module}
diff --git a/src/openssl.c b/src/openssl.c
index 8fd51d3..5a8e03f 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -7434,6 +7434,61 @@ static int p12_interpose(lua_State *L) {
 } /* p12_interpose() */
+static int p12_parse(lua_State *L) {
+ /* parse a p12 binary string and return the parts */
+
+ EVP_PKEY *pkey;
+ X509 *cert;
+ STACK_OF(X509) *ca = NULL;
+ PKCS12 *p12;
+
+ /* gather input parameters */
+ size_t len;
+ const char *blob = luaL_checklstring(L, 1, &len);
+ const char *passphrase = luaL_optstring(L, 2, NULL);
+
+ /* prepare return values */
+ EVP_PKEY **ud_pkey = prepsimple(L, PKEY_CLASS);
+ X509 **ud_cert = prepsimple(L, X509_CERT_CLASS);
+ STACK_OF(X509) **ud_chain = prepsimple(L, X509_CHAIN_CLASS);
+ /* Note: *ud_chain must be initialised to NULL, which prepsimple does. */
+
+ /* read PKCS#12 data into OpenSSL memory buffer */
+ BIO *bio = BIO_new_mem_buf((void*)blob, len);
+ if (!bio)
+ return auxL_error(L, auxL_EOPENSSL, "pkcs12.parse");
+ p12 = d2i_PKCS12_bio(bio, NULL);
+ BIO_free(bio);
+ if (!p12)
+ return auxL_error(L, auxL_EOPENSSL, "pkcs12.parse");
+
+ /* the p12 pointer holds the data we're interested in */
+ int rc = PKCS12_parse(p12, passphrase, ud_pkey, ud_cert, ud_chain);
+ PKCS12_free(p12);
+ if (!rc)
+ auxL_error(L, auxL_EOPENSSL, "pkcs12.parse");
+
+ /* replace the return values by nil if the ud pointers are NULL */
+ if (*ud_pkey == NULL) {
+ lua_pushnil(L);
+ lua_replace(L, -4);
+ }
+
+ if (*ud_cert == NULL) {
+ lua_pushnil(L);
+ lua_replace(L, -3);
+ }
+
+ /* other certificates (a chain, STACK_OF(X509) *) */
+ if (*ud_chain == NULL) {
+ lua_pop(L, 1);
+ lua_pushnil(L);
+ }
+
+ return 3;
+} /* p12_parse() */
+
+
 static int p12__tostring(lua_State *L) {
 PKCS12 *p12 = checksimple(L, 1, PKCS12_CLASS);
 BIO *bio = getbio(L);
@@ -7477,6 +7532,7 @@ static const auxL_Reg p12_metatable[] = {
 static const auxL_Reg p12_globals[] = {
 { "new", &p12_new },
 { "interpose", &p12_interpose },
+ { "parse", &p12_parse },
 { NULL, NULL },
 };
-- cgit v1.2.3-59-g8ed1b
From d77caf28ae5af5cd4b759d436c4c94870d8d26a3 Mon Sep 17 00:00:00 2001
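Review bot: The PKCS12_parse failure path `if (!rc) auxL_error(L, auxL_EOPENSSL, "pkcs12.parse");` is the only error site in p12_parse without a `return`; presumably auxL_error raises a Lua error and never comes back, but as written the function reads as if it falls through into the nil-substitution logic with half-populated outputs, so make it `return auxL_error(L, auxL_EOPENSSL, "pkcs12.parse");` like the two sites above it. `BIO_new_mem_buf((void*)blob, len)` passes a `size_t` into an `int` length parameter, so a bag larger than INT_MAX is silently truncated or goes negative; guard it with `luaL_argcheck(L, len <= INT_MAX, 1, "PKCS#12 blob too large");` before building the BIO (INT_MAX needs <limits.h> if the file does not already include it). The locals `pkey`, `cert` and `ca` declared at the top of the function are never referenced and can be dropped. The "other certificates" branch deserves a comment such as `/* *ud_chain stays NULL when the bag carries no extra certificates; hand the caller nil instead of an empty chain */` — whether OpenSSL ever hands back an empty stack here is not visible in the hunk, so confirm against the PKCS12_parse documentation of the targeted OpenSSL version.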
From: Pascal Fellerich
Date: Mon, 3 Apr 2017 14:46:36 +1000
Subject: New: method crl:verify(publickey) added, documentation updated.
---
 doc/luaossl.tex | 4 ++++
 src/openssl.c | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
(limited to 'doc')
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 4f06ecf..0675e62 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -693,6 +693,10 @@ Returns the integer count of the number of extensions.
 Signs the instance CRL using the \module{openssl.pkey} $key$.
+\subsubsection[\fn{crl:verify}]{\fn{crl:verify($publickey$)}}
+
+Verifies the instance CRL using a public key.
+
 \subsubsection[\fn{crl:text}]{\fn{crl:text()}}
 Returns a human-readable textual representation of the instance CRL.
diff --git a/src/openssl.c b/src/openssl.c
index 5a8e03f..0910bb3 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -6838,6 +6838,19 @@ static int xx_sign(lua_State *L) {
 } /* xx_sign() */
+static int xx_verify(lua_State *L) {
+ X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
+ EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
+
+ if (!X509_CRL_verify(crl, key))
+ return auxL_error(L, auxL_EOPENSSL, "x509.crl:verify");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* xx_verify() */
+
+
 static int xx_text(lua_State *L) {
 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
@@ -6907,6 +6920,7 @@ static const auxL_Reg xx_methods[] = {
 { "getExtension", &xx_getExtension },
 { "getExtensionCount", &xx_getExtensionCount },
 { "sign", &xx_sign },
+ { "verify", &xx_verify },
 { "text", &xx_text },
 { "tostring", &xx__tostring },
 { NULL, NULL },
-- cgit v1.2.3-59-g8ed1b
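Review bot: `if (!X509_CRL_verify(crl, key))` in xx_verify treats every non-zero return as success, but OpenSSL documents X509_CRL_verify as returning 1 for a valid signature, 0 for a failed check and a negative value when the signature could not be checked at all (unsupported algorithm, malformed structure, allocation failure); the negative case currently falls through to `lua_pushboolean(L, 1)` and reports the CRL as verified, which is a fail-open for exactly the inputs an attacker controls. Compare for the success value only: `if (X509_CRL_verify(crl, key) != 1)`. It is also worth deciding whether a plain signature mismatch should raise (as the new code does) rather than return false, so Lua callers can tell "bad signature" from "OpenSSL error"; whichever is chosen, the added documentation line should say so, e.g. `Verifies the signature of the instance CRL against $publickey$; returns true on success and raises an error otherwise.`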