
Commit 39a331b

src/openssl.c: Add bindings to chain management
Adds support for setting and retrieving intermediate certificates
1 parent 747ddf8 commit 39a331b


2 files changed

+114
-0
lines changed


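--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -967,6 +967,18 @@ \section{Modules}
 
 \emph{Only supported since OpenSSL 1.0.2.}
 
+\subsubsection[\fn{context:setCertificateChain}]{\fn{context:setCertificateChain($chain$)}}
+
+Sets the X.509 certificate chain \module{openssl.x509.chain} object $chain$ to send during SSL connection instance handshakes.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
+\subsubsection[\fn{context:getCertificateChain}]{\fn{context:getCertificateChain()}}
+
+Returns the X.509 certificate chain \module{openssl.x509.chain} object to be sent during SSL connection instance handshakes.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
 \subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey($key$)}}
 
 Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes.
@@ -1171,6 +1183,20 @@ \section{Modules}
 Sets the X.509 certificate \module{openssl.x509} object $crt$ to send during SSL connection instance handshakes.
 See \fn{openssl.ssl.context:setCertificate}.
 
+\subsubsection[\fn{ssl:setCertificateChain}]{\fn{ssl:setCertificateChain($chain$)}}
+
+Sets the X.509 certificate chain \module{openssl.x509.chain} object $chain$ to send during SSL connection instance handshakes.
+See \fn{openssl.ssl.context:setCertificateChain}.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
+\subsubsection[\fn{context:getCertificateChain}]{\fn{context:getCertificateChain()}}
+
+Returns the X.509 certificate chain \module{openssl.x509.chain} object to be sent during SSL connection instance handshakes.
+See \fn{openssl.ssl.context:getCertificateChain}.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
 \subsubsection[\fn{ssl:setPrivateKey}]{\fn{ssl:setPrivateKey($key$)}}
 
 Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes.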

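--- a/src/openssl.c
+++ b/src/openssl.c
@@ -279,6 +279,10 @@
 #define HAVE_SSL_CTX_ADD_CUSTOM_EXT OPENSSL_PREREQ(1,1,1)
 #endif
 
+#ifndef HAVE_SSL_CTX_GET0_CHAIN_CERTS
+#define HAVE_SSL_CTX_GET0_CHAIN_CERTS OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_CTX_GET0_PARAM
 #define HAVE_SSL_CTX_GET0_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0))
 #endif
@@ -315,6 +319,10 @@
 #define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || OPENSSL_PREREQ(1,1,1)) /* backwards compatible with old macro name */
 #endif
 
+#ifndef HAVE_SSL_CTX_SET1_CHAIN
+#define HAVE_SSL_CTX_SET1_CHAIN OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_CTX_SET1_PARAM
 #define HAVE_SSL_CTX_SET1_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,0))
 #endif
@@ -363,6 +371,10 @@
 #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
 #endif
 
+#ifndef HAVE_SSL_GET0_CHAIN_CERTS
+#define HAVE_SSL_GET0_CHAIN_CERTS OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_GET0_PARAM
 #define HAVE_SSL_GET0_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0))
 #endif
@@ -387,6 +399,10 @@
 #define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
 
+#ifndef HAVE_SSL_SET1_CHAIN
+#define HAVE_SSL_SET1_CHAIN OPENSSL_PREREQ(1,0,2)
+#endif
+
 #ifndef HAVE_SSL_SET1_PARAM
 #define HAVE_SSL_SET1_PARAM (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
@@ -8758,6 +8774,36 @@ static int sx_getCertificate(lua_State *L) {
 #endif
 
 
+#if HAVE_SSL_CTX_SET1_CHAIN
+static int sx_setCertificateChain(lua_State *L) {
+SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+STACK_OF(X509) *certs = checksimple(L, 2, X509_CHAIN_CLASS);
+
+if (!SSL_CTX_set1_chain(ctx, certs))
+return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCertificateChain");
+
+lua_pushboolean(L, 1);
+
+return 1;
+} /* sx_setCertificateChain() */
+#endif
+
+
+#if HAVE_SSL_CTX_GET0_CHAIN_CERTS
+static int sx_getCertificateChain(lua_State *L) {
+SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+STACK_OF(X509) *certs;
+
+if (!SSL_CTX_get0_chain_certs(ctx, &certs))
+return auxL_error(L, auxL_EOPENSSL, "ssl.context:getCertificateChain");
+
+xl_dup(L, certs, 1);
+
+return 1;
+} /* sx_getCertificateChain() */
+#endif
+
+
 static int sx_setPrivateKey(lua_State *L) {
 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -9499,6 +9545,12 @@ static const auxL_Reg sx_methods[] = {
 { "setCertificate", &sx_setCertificate },
 #if HAVE_SSL_CTX_GET0_CERTIFICATE
 { "getCertificate", &sx_getCertificate },
+#endif
+#if HAVE_SSL_CTX_SET1_CHAIN
+{ "setCertificateChain", &sx_setCertificateChain },
+#endif
+#if HAVE_SSL_CTX_GET0_CHAIN_CERTS
+{ "getCertificateChain", &sx_getCertificateChain },
 #endif
 { "setPrivateKey", &sx_setPrivateKey },
 { "setCipherList", &sx_setCipherList },
@@ -9982,6 +10034,36 @@ static int ssl_setCertificate(lua_State *L) {
 } /* ssl_setCertificate() */
 
 
+#if HAVE_SSL_SET1_CHAIN
+static int ssl_setCertificateChain(lua_State *L) {
+SSL *ssl = checksimple(L, 1, SSL_CLASS);
+STACK_OF(X509) *certs = checksimple(L, 2, X509_CHAIN_CLASS);
+
+if (!SSL_set1_chain(ssl, certs))
+return auxL_error(L, auxL_EOPENSSL, "ssl:setCertificateChain");
+
+lua_pushboolean(L, 1);
+
+return 1;
+} /* ssl_setCertificateChain() */
+#endif
+
+
+#if HAVE_SSL_GET0_CHAIN_CERTS
+static int ssl_getCertificateChain(lua_State *L) {
+SSL *ssl = checksimple(L, 1, SSL_CLASS);
+STACK_OF(X509) *certs;
+
+if (!SSL_get0_chain_certs(ssl, &certs))
+return auxL_error(L, auxL_EOPENSSL, "ssl:getCertificateChain");
+
+xl_dup(L, X509_chain_up_ref(certs), 1);
+
+return 1;
+} /* ssl_getCertificateChain() */
+#endif
+
+
 static int ssl_setPrivateKey(lua_State *L) {
 SSL *ssl = checksimple(L, 1, SSL_CLASS);
 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -10392,6 +10474,12 @@ static const auxL_Reg ssl_methods[] = {
 { "getVerify", &ssl_getVerify },
 { "getVerifyResult", &ssl_getVerifyResult },
 { "setCertificate", &ssl_setCertificate },
+#if HAVE_SSL_SET1_CHAIN
+{ "setCertificateChain", &ssl_setCertificateChain },
+#endif
+#if HAVE_SSL_GET0_CHAIN_CERTS
+{ "getCertificateChain", &ssl_getCertificateChain },
+#endif
 { "setPrivateKey", &ssl_setPrivateKey },
 { "getCertificate", &ssl_getCertificate },
 { "getPeerCertificate", &ssl_getPeerCertificate },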
