From d8839927530dcb8ea8ceb6a874146cb13d2c33a5 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Wed, 7 May 2014 00:34:04 +0300 Subject: CRL generation module --- src/GNUmakefile | 1 + src/openssl.c | 255 +++++++++++++++++++++++++++++++++++++++++++++++ src/openssl.x509.crl.lua | 1 + 3 files changed, 257 insertions(+) create mode 100644 src/openssl.x509.crl.lua (limited to 'src') diff --git a/src/GNUmakefile b/src/GNUmakefile index 99b2336..75e8c3a 100644 --- a/src/GNUmakefile +++ b/src/GNUmakefile @@ -94,6 +94,7 @@ MODS$(1)_$(d) = \ $$(DESTDIR)$(3)/openssl/x509/name.lua \ $$(DESTDIR)$(3)/openssl/x509/altname.lua \ $$(DESTDIR)$(3)/openssl/x509/chain.lua \ + $$(DESTDIR)$(3)/openssl/x509/crl.lua \ $$(DESTDIR)$(3)/openssl/x509/store.lua \ $$(DESTDIR)$(3)/openssl/ssl/context.lua \ $$(DESTDIR)$(3)/openssl/ssl.lua \ diff --git a/src/openssl.c b/src/openssl.c index 1d15f7c..ef5515e 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -85,6 +85,7 @@ #define X509_CERT_CLASS "X509*" #define X509_CHAIN_CLASS "STACK_OF(X509)*" #define X509_CSR_CLASS "X509_REQ*" +#define X509_CRL_CLASS "X509_CRL*" #define X509_STORE_CLASS "X509_STORE*" #define X509_STCTX_CLASS "X509_STORE_CTX*" #define SSL_CTX_CLASS "SSL_CTX*" 
@@ -2884,6 +2885,259 @@ int luaopen__openssl_x509_csr(lua_State *L) { } /* luaopen__openssl_x509_csr() */ +/* + * X509_CRL - openssl.x509.crl + * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ + +static int xx_new(lua_State *L) { + X509_CRL **ud; + + ud = prepsimple(L, X509_CRL_CLASS); + if (!(*ud = X509_CRL_new())) throwssl(L, "x509.crl.new"); + + X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0); + + return 1; +} /* xx_new() */ + + +static int xx_interpose(lua_State *L) { + return interpose(L, X509_CRL_CLASS); +} /* xx_interpose() */ + + +static int xx_getVersion(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + + lua_pushinteger(L, X509_CRL_get_version(crl) + 1); + + return 1; +} /* xx_getVersion() */ + + +static int xx_setVersion(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + int version = luaL_checkint(L, 2); + + if (!X509_CRL_set_version(crl, version - 1)) + return luaL_error(L, "x509.crl:setVersion: %d: invalid version", version); + + lua_pushboolean(L, 1); + + return 1; +} /* xr_setVersion() */ + + +static int xx_getUpdateTimes(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + double begin = INFINITY, end = INFINITY; + ASN1_TIME *time; + + if ((time = X509_CRL_get_lastUpdate(crl))) + begin = timeutc(time); + + if ((time = X509_CRL_get_nextUpdate(crl))) + end = timeutc(time); + + if (isfinite(begin)) + lua_pushnumber(L, begin); + else + lua_pushnil(L); + + if (isfinite(end)) + lua_pushnumber(L, end); + else + lua_pushnil(L); + + if (isfinite(begin) && isfinite(end) && begin <= end) + lua_pushnumber(L, fabs(end - begin)); + else + lua_pushnumber(L, 0.0); + + return 3; +} /* xx_getUpdateTimes() */ + + +static int xx_setUpdateTimes(lua_State *L) { + int ok = 1; + + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + double ut; + ASN1_TIME *time = NULL; + + lua_settop(L, 3); + + if (!lua_isnil(L, 2)) { + ut = lua_tonumber(L, 2); + if 
(!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), ut)) + goto error; + } + + if (!lua_isnil(L, 3)) { + ut = lua_tonumber(L, 3); + if (!(time = ASN1_TIME_new())) goto error; + if (!ASN1_TIME_set(time, ut)) goto error; + if (!X509_CRL_set_nextUpdate(crl, time)) goto error; + } + + goto done; + + error: + ok = 0; + + done: + if (time) ASN1_TIME_free(time); + + return ok ? 0 : throwssl(L, "x509.crl:setUpdateTimes"); +} /* xx_setUpdateTimes() */ + + +static int xx_getIssuer(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + X509_NAME *name; + + if (!(name = X509_CRL_get_issuer(crl))) + return 0; + + xn_dup(L, name); + + return 1; +} /* xx_getIssuer() */ + + +static int xx_setIssuer(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + X509_NAME *name = checksimple(L, 2, X509_NAME_CLASS); + + if (!X509_CRL_set_issuer_name(crl, name)) + return throwssl(L, "x509.crl:setIssuer"); + + lua_pushboolean(L, 1); + + return 1; +} /* xx_setIssuer() */ + + +static int xx_add(lua_State *L) { + int ok = 1; + + lua_settop(L, 3); + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + BIGNUM *serial = checkbig(L, 2); + + X509_REVOKED *rev = NULL; + ASN1_INTEGER *aserial = NULL; + ASN1_TIME *date = NULL; + + if (!(rev = X509_REVOKED_new())) goto error; + + if (!(aserial = BN_to_ASN1_INTEGER(serial, NULL))) goto error; + if (!X509_REVOKED_set_serialNumber(rev, aserial)) goto error; + + if (!(date = ASN1_TIME_new())) goto error; + if (lua_isnil(L, 3)) X509_gmtime_adj(date, 0); + else if (!ASN1_TIME_set(date, luaL_checknumber(L, 3))) goto error; + if (!X509_REVOKED_set_revocationDate(rev, date)) goto error; + + if (!X509_CRL_add0_revoked(crl, rev)) goto error; + + goto done; + + error: + ok = 0; + + done: + if (date) ASN1_TIME_free(date); + if (serial) ASN1_INTEGER_free(aserial); + if (!ok && rev) X509_REVOKED_free(rev); + + return ok ? 
0 : throwssl(L, "x509.crl:add"); +} /* xx_setIssuer() */ + + +static int xx_sign(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); + + if (!X509_CRL_sign(crl, key, xc_signature(L, 3, key))) + return throwssl(L, "x509.crl:sign"); + + lua_pushboolean(L, 1); + + return 1; +} /* xx_sign() */ + + +static int xx__tostring(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + int type = optencoding(L, 2, "pem", X509_PEM|X509_DER); + BIO *bio = getbio(L); + char *data; + long len; + + switch (type) { + case X509_PEM: + if (!PEM_write_bio_X509_CRL(bio, crl)) + return throwssl(L, "x509.crl:__tostring"); + break; + case X509_DER: + if (!i2d_X509_CRL_bio(bio, crl)) + return throwssl(L, "x509.crl:__tostring"); + break; + } /* switch() */ + + len = BIO_get_mem_data(bio, &data); + + lua_pushlstring(L, data, len); + + return 1; +} /* xx__tostring() */ + + +static int xx__gc(lua_State *L) { + X509_CRL **ud = luaL_checkudata(L, 1, X509_CRL_CLASS); + + X509_CRL_free(*ud); + *ud = NULL; + + return 0; +} /* xx__gc() */ + +static const luaL_Reg xx_methods[] = { + { "getVersion", &xx_getVersion }, + { "setVersion", &xx_setVersion }, + { "getUpdateTimes", &xx_getUpdateTimes }, + { "setUpdateTimes", &xx_setUpdateTimes }, + { "getIssuer", &xx_getIssuer }, + { "setIssuer", &xx_setIssuer }, + { "add", &xx_add }, + { "sign", &xx_sign }, + { NULL, NULL }, +}; + +static const luaL_Reg xx_metatable[] = { + { "__tostring", &xx__tostring }, + { "__gc", &xx__gc }, + { NULL, NULL }, +}; + + +static const luaL_Reg xx_globals[] = { + { "new", &xx_new }, + { "interpose", &xx_interpose }, + { NULL, NULL }, +}; + +int luaopen__openssl_x509_crl(lua_State *L) { + initall(L); + + luaL_newlib(L, xx_globals); + + return 1; +} /* luaopen__openssl_x509_crl() */ + + /* * STACK_OF(X509) - openssl.x509.chain * 
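Review bot: `xx_setVersion` passes `version - 1` to `X509_CRL_set_version` with no range check, and as far as I can tell that OpenSSL call only fails on allocation, so `crl:setVersion(0)` or `crl:setVersion(5)` succeeds and produces a CRL whose version integer (-1 or 4) RFC 5280 does not define, while the `"invalid version"` error text promises a check that is never made. A guard before the call, `if (version < 1 || version > 2) return luaL_argerror(L, 2, "version must be 1 or 2");`, keeps a negative or unknown version out of the encoded object. Note also that nothing in this module sets the cRLNumber extension that RFC 5280 requires of conforming CRL issuers; either document that the output is a bare CRL or add an extension setter alongside `add`/`sign`.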
@@ -4465,6 +4719,7 @@ static void initall(lua_State *L) { addclass(L, X509_GENS_CLASS, gn_methods, gn_metatable); addclass(L, X509_CERT_CLASS, xc_methods, xc_metatable); addclass(L, X509_CSR_CLASS, xr_methods, xr_metatable); + addclass(L, X509_CRL_CLASS, xx_methods, xx_metatable); addclass(L, X509_CHAIN_CLASS, xl_methods, xl_metatable); addclass(L, X509_STORE_CLASS, xs_methods, xs_metatable); addclass(L, SSL_CTX_CLASS, sx_methods, sx_metatable); diff --git a/src/openssl.x509.crl.lua b/src/openssl.x509.crl.lua new file mode 100644 index 0000000..7f8a019 --- /dev/null +++ b/src/openssl.x509.crl.lua @@ -0,0 +1 @@ +return require('_openssl.x509.crl') -- cgit v1.2.3-59-g8ed1b From 74a0cb8873f5760f12c9e96e03dee26c126a84c2 Mon Sep 17 00:00:00 2001 From: william Date: Fri, 9 May 2014 19:13:17 -0700 Subject: replace getUpdateTimes/setUpdateTimes with getLastUpdate/setLastUpdate and getNextUpdate/setNextUpdate, because the semantics don't quite match that of crt:getLifetime, which it was copied from --- src/openssl.c | 107 +++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 64 insertions(+), 43 deletions(-) (limited to 'src') diff --git a/src/openssl.c b/src/openssl.c index ef5515e..f2166f5 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -2894,7 +2894,9 @@ static int xx_new(lua_State *L) { X509_CRL **ud; ud = prepsimple(L, X509_CRL_CLASS); - if (!(*ud = X509_CRL_new())) throwssl(L, "x509.crl.new"); + + if (!(*ud = X509_CRL_new())) + return throwssl(L, "x509.crl.new"); X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0); 
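Review bot: The `X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0)` line that closes this hunk still discards its return value, whereas the `X509_CRL_new` failure just above it now correctly returns `throwssl`. `X509_gmtime_adj` returns NULL when it cannot produce the time string, and a CRL created at that point would carry an empty lastUpdate, a required field, until a later setter overwrites it. Treat it like the allocation: `if (!X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0)) return throwssl(L, "x509.crl.new");`. The rest of `xx_new` lies outside the hunk.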
@@ -2926,71 +2928,88 @@ static int xx_setVersion(lua_State *L) { lua_pushboolean(L, 1); return 1; -} /* xr_setVersion() */ +} /* xx_setVersion() */ -static int xx_getUpdateTimes(lua_State *L) { +static int xx_getLastUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); - double begin = INFINITY, end = INFINITY; + double updated = INFINITY; ASN1_TIME *time; if ((time = X509_CRL_get_lastUpdate(crl))) - begin = timeutc(time); - - if ((time = X509_CRL_get_nextUpdate(crl))) - end = timeutc(time); + updated = timeutc(time); - if (isfinite(begin)) - lua_pushnumber(L, begin); + if (isfinite(updated)) + lua_pushnumber(L, 1); else lua_pushnil(L); - if (isfinite(end)) - lua_pushnumber(L, end); - else - lua_pushnil(L); + return 1; +} /* xx_getLastUpdate() */ - if (isfinite(begin) && isfinite(end) && begin <= end) - lua_pushnumber(L, fabs(end - begin)); - else - lua_pushnumber(L, 0.0); - return 3; -} /* xx_getUpdateTimes() */ +static int xx_setLastUpdate(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + double updated = luaL_checknumber(L, 2); + ASN1_TIME *time = NULL; + /* lastUpdate always present */ + if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated)) + return throwssl(L, "x509.crl:setLastUpdate"); -static int xx_setUpdateTimes(lua_State *L) { - int ok = 1; + lua_pushboolean(L, 1); + + return 1; +} /* xx_setLastUpdate() */ + +static int xx_getNextUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); - double ut; + double updateby = INFINITY; + ASN1_TIME *time; + + if ((time = X509_CRL_get_nextUpdate(crl))) + updateby = timeutc(time); + + if (isfinite(updateby)) + lua_pushnumber(L, 1); + else + lua_pushnil(L); + + return 1; +} /* xx_getNextUpdate() */ + + +static int xx_setNextUpdate(lua_State *L) { + X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); + double updateby = luaL_checknumber(L, 2); ASN1_TIME *time = NULL; - lua_settop(L, 3); + if (X509_CRL_get_nextUpdate(crl)) { + if 
(!ASN1_TIME_set(X509_CRL_get_nextUpdate(crl), updateby)) + goto error; + } else { + if (!(time = ASN1_TIME_new())) + goto error; - if (!lua_isnil(L, 2)) { - ut = lua_tonumber(L, 2); - if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), ut)) + if (!(ASN1_TIME_set(time, updateby))) goto error; - } - if (!lua_isnil(L, 3)) { - ut = lua_tonumber(L, 3); - if (!(time = ASN1_TIME_new())) goto error; - if (!ASN1_TIME_set(time, ut)) goto error; - if (!X509_CRL_set_nextUpdate(crl, time)) goto error; - } + if (!X509_CRL_set_nextUpdate(crl, time)) + goto error; - goto done; + time = NULL; + } - error: - ok = 0; + lua_pushboolean(L, 1); - done: - if (time) ASN1_TIME_free(time); + return 1; +error: + if (time) + ASN1_TIME_free(time); - return ok ? 0 : throwssl(L, "x509.crl:setUpdateTimes"); -} /* xx_setUpdateTimes() */ + return throwssl(L, "x509.crl:setNextUpdate"); +} /* xx_setNextUpdate() */ static int xx_getIssuer(lua_State *L) { @@ -3107,8 +3126,10 @@ static int xx__gc(lua_State *L) { static const luaL_Reg xx_methods[] = { { "getVersion", &xx_getVersion }, { "setVersion", &xx_setVersion }, - { "getUpdateTimes", &xx_getUpdateTimes }, - { "setUpdateTimes", &xx_setUpdateTimes }, + { "getLastUpdate", &xx_getLastUpdate }, + { "setLastUpdate", &xx_setLastUpdate }, + { "getNextUpdate", &xx_getNextUpdate }, + { "setNextUpdate", &xx_setNextUpdate }, { "getIssuer", &xx_getIssuer }, { "setIssuer", &xx_setIssuer }, { "add", &xx_add }, -- cgit v1.2.3-59-g8ed1b From 9ae361069c9c0528a563a1eecdda12d36af97cfe Mon Sep 17 00:00:00 2001 From: william Date: Sat, 10 May 2014 18:12:56 -0700 Subject: refactor xx_add to be more linear --- src/openssl.c | 62 ++++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 24 deletions(-) (limited to 'src') diff --git a/src/openssl.c b/src/openssl.c index f2166f5..6079bee 100644 --- a/src/openssl.c +++ b/src/openssl.c 
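Review bot: `xx_getLastUpdate` and `xx_getNextUpdate` compute `updated` / `updateby` through `timeutc()` and then push the constant `1` (`lua_pushnumber(L, 1)`), so every caller sees both times as one second past the epoch and never the real value; a staleness check such as `crl:getNextUpdate() < os.time()` is then always true. The two pushes should be `lua_pushnumber(L, updated);` and `lua_pushnumber(L, updateby);`. The unused `ASN1_TIME *time = NULL;` declared in `xx_setLastUpdate` can be dropped at the same time.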
@@ -30,7 +30,7 @@
 #include /* memset(3) strerror_r(3) */
 #include /* strcasecmp(3) */
 #include /* INFINITY fabs(3) floor(3) frexp(3) fmod(3) round(3) isfinite(3) */
-#include /* struct tm time_t strptime(3) */
+#include /* struct tm time_t strptime(3) time(2) */
 #include /* tolower(3) */
 #include /* errno */
@@ -3039,40 +3039,53 @@ static int xx_setIssuer(lua_State *L) {
 static int xx_add(lua_State *L) {
- int ok = 1;
-
- lua_settop(L, 3);
 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
- BIGNUM *serial = checkbig(L, 2);
-
+ BIGNUM *bn = checkbig(L, 2);
+ double ut = luaL_optnumber(L, 3, time(NULL));
 X509_REVOKED *rev = NULL;
- ASN1_INTEGER *aserial = NULL;
+ ASN1_INTEGER *serial = NULL;
 ASN1_TIME *date = NULL;
- if (!(rev = X509_REVOKED_new())) goto error;
+ if (!(rev = X509_REVOKED_new()))
+ goto error;
- if (!(aserial = BN_to_ASN1_INTEGER(serial, NULL))) goto error;
- if (!X509_REVOKED_set_serialNumber(rev, aserial)) goto error;
+ if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
+ goto error;
- if (!(date = ASN1_TIME_new())) goto error;
- if (lua_isnil(L, 3)) X509_gmtime_adj(date, 0);
- else if (!ASN1_TIME_set(date, luaL_checknumber(L, 3))) goto error;
- if (!X509_REVOKED_set_revocationDate(rev, date)) goto error;
+ if (!X509_REVOKED_set_serialNumber(rev, serial)) /* duplicates serial */
+ goto error;
- if (!X509_CRL_add0_revoked(crl, rev)) goto error;
+ ASN1_INTEGER_free(serial);
+ serial = NULL;
- goto done;
+ if (!(date = ASN1_TIME_new()))
+ goto error;
- error:
- ok = 0;
+ if (!ASN1_TIME_set(date, ut))
+ goto error;
- done:
- if (date) ASN1_TIME_free(date);
- if (serial) ASN1_INTEGER_free(aserial);
- if (!ok && rev) X509_REVOKED_free(rev);
+ if (!X509_REVOKED_set_revocationDate(rev, date)) /* duplicates date */
+ goto error;
- return ok ? 0 : throwssl(L, "x509.crl:add");
-} /* xx_setIssuer() */
+ ASN1_TIME_free(date);
+ date = NULL;
+
+ if (!X509_CRL_add0_revoked(crl, rev)) /* takes ownership of rev */
+ goto error;
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+error:
+ if (date)
+ ASN1_TIME_free(date);
+ if (serial)
+ ASN1_INTEGER_free(serial);
+ if (rev)
+ X509_REVOKED_free(rev);
+
+ return throwssl(L, "x509.crl:add");
+} /* xx_add() */
 static int xx_sign(lua_State *L) {
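Review bot: `ut` is a `double` taken from Lua via `luaL_optnumber` and handed straight to `ASN1_TIME_set`, whose time argument is an integer `time_t`; for NaN, `math.huge` or any value outside the `time_t` range the implicit floating-to-integer conversion is undefined behaviour in C rather than a clean error, so a script can stamp an arbitrary revocation date or crash the process. Reject such input before the conversion, e.g. `if (!isfinite(ut)) return luaL_argerror(L, 3, "revocation time is not finite");` (`isfinite` is already listed in the file's math include comment), and add an explicit bounds check against the `time_t` range next to it. The last/next-update setters outside this hunk appear to do the same unguarded conversion and would want the same check.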
@@ -3134,6 +3147,7 @@ static const luaL_Reg xx_methods[] = {
 { "setIssuer", &xx_setIssuer },
 { "add", &xx_add },
 { "sign", &xx_sign },
+ { "tostring", &xx__tostring },
 { NULL, NULL },
 };
-- cgit v1.2.3-59-g8ed1b
From b1d1a810d0fdf8456e2180085d801c937bd516b6 Mon Sep 17 00:00:00 2001
From: william
Date: Sat, 10 May 2014 18:15:19 -0700
Subject: add extra argument to be consumed by ellipsis in overloaded macros
---
 src/openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/openssl.c b/src/openssl.c
index 6079bee..d5c0122 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -195,7 +195,7 @@ static void *prepsimple(lua_State *L, const char *tname, int (*gc)(lua_State *))
 } /* prepsimple() */
 #define prepsimple_(a, b, c, ...) prepsimple((a), (b), (c))
-#define prepsimple(...) prepsimple_(__VA_ARGS__, 0)
+#define prepsimple(...) prepsimple_(__VA_ARGS__, 0, 0)
 static void *checksimple(lua_State *L, int index, const char *tname) {
@@ -404,7 +404,7 @@ static BIGNUM *bn_push(lua_State *L) {
 #define checkbig_(a, b, c, ...) checkbig((a), (b), (c))
-#define checkbig(...) checkbig_(__VA_ARGS__, &(_Bool){ 0 })
+#define checkbig(...) checkbig_(__VA_ARGS__, &(_Bool){ 0 }, 0)
 static BIGNUM *(checkbig)(lua_State *, int, _Bool *);
-- cgit v1.2.3-59-g8ed1b