luasec/samples/chain/server.lua

--
-- Public domain
--
local socket = require("socket")
local ssl    = require("ssl")
local util   = require("util")

local params = {
   mode = "server",
   protocol = "any",
   key = "../certs/serverAkey.pem",
   certificate = "../certs/serverA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
}

local ctx = assert(ssl.newcontext(params))

local server = socket.tcp()
server:setoption('reuseaddr', true)
assert( server:bind("127.0.0.1", 8888) )
server:listen()

local conn = server:accept()

conn = assert( ssl.wrap(conn, ctx) )
assert( conn:dohandshake() )

util.show( conn:getpeercertificate() )

print("----------------------------------------------------------------------")

local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }

local peerchain = conn:getpeerchain()
assert(#peerchain == #expectedpeerchain)
for k, cert in ipairs( peerchain ) do
  util.show(cert)
  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
end

local expectedlocalchain = { "../certs/serverAcert.pem" }

local localchain = assert(conn:getlocalchain())
assert(#localchain == #expectedlocalchain)
for k, cert in ipairs( localchain ) do
  util.show(cert)
  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
  if k == 1 then
    assert(cert:pem() == conn:getlocalcertificate():pem())
  end
end

local f = io.open(params.certificate)
local str = f:read("*a")
f:close()

util.show( ssl.loadcertificate(str) )

print("----------------------------------------------------------------------")
local cert = conn:getpeercertificate()
print( cert )
print( cert:digest() )
print( cert:digest("sha1") )
print( cert:digest("sha256") )
print( cert:digest("sha512") )

conn:close()
server:close()
LuaSec 20120616 (unofficial) + patches 2013-03-30 13:21:40 +01:00			`--`
			`-- Public domain`
			`--`
			`local socket = require("socket")`
			`local ssl = require("ssl")`
			`local util = require("util")`

			`local params = {`
			`mode = "server",`
update protocol samples(bring "tlsv1_2" to clients and "any" to servers) 2015-11-18 00:39:05 +01:00			`protocol = "any",`
LuaSec 20120616 (unofficial) + patches 2013-03-30 13:21:40 +01:00			`key = "../certs/serverAkey.pem",`
			`certificate = "../certs/serverA.pem",`
			`cafile = "../certs/rootA.pem",`
			`verify = {"peer", "fail_if_no_peer_cert"},`
Update samples (using 'tlsv1'). 2015-11-12 22:04:37 +01:00			`options = "all",`
LuaSec 20120616 (unofficial) + patches 2013-03-30 13:21:40 +01:00			`}`

			`local ctx = assert(ssl.newcontext(params))`

			`local server = socket.tcp()`
			`server:setoption('reuseaddr', true)`
			`assert( server:bind("127.0.0.1", 8888) )`
			`server:listen()`

			`local conn = server:accept()`

			`conn = assert( ssl.wrap(conn, ctx) )`
			`assert( conn:dohandshake() )`

			`util.show( conn:getpeercertificate() )`

			`print("----------------------------------------------------------------------")`

ssl: Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods These methods mirror the existing methods that fetch the peer certificate and chain. Due to various factors (SNI, multiple key types, etc.) it is not always trivial for an application to determine what certificate was presented to the client. However there are various use-cases where this is needed, such as tls-server-end-point channel binding and OCSP stapling. Requires OpenSSL 1.0.2+ (note: SSL_get_certificate() has existed for a very long time, but was lacking documentation until OpenSSL 3.0). 2022-09-21 19:40:10 +02:00			`local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }`

			`local peerchain = conn:getpeerchain()`
			`assert(#peerchain == #expectedpeerchain)`
			`for k, cert in ipairs( peerchain ) do`
			`util.show(cert)`
			`local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")`
			`assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))`
			`end`

			`local expectedlocalchain = { "../certs/serverAcert.pem" }`

			`local localchain = assert(conn:getlocalchain())`
			`assert(#localchain == #expectedlocalchain)`
			`for k, cert in ipairs( localchain ) do`
LuaSec 20120616 (unofficial) + patches 2013-03-30 13:21:40 +01:00			`util.show(cert)`
ssl: Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods These methods mirror the existing methods that fetch the peer certificate and chain. Due to various factors (SNI, multiple key types, etc.) it is not always trivial for an application to determine what certificate was presented to the client. However there are various use-cases where this is needed, such as tls-server-end-point channel binding and OCSP stapling. Requires OpenSSL 1.0.2+ (note: SSL_get_certificate() has existed for a very long time, but was lacking documentation until OpenSSL 3.0). 2022-09-21 19:40:10 +02:00			`local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")`
			`assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))`
			`if k == 1 then`
			`assert(cert:pem() == conn:getlocalcertificate():pem())`
			`end`
LuaSec 20120616 (unofficial) + patches 2013-03-30 13:21:40 +01:00			`end`

			`local f = io.open(params.certificate)`
			`local str = f:read("*a")`
			`f:close()`

			`util.show( ssl.loadcertificate(str) )`

			`print("----------------------------------------------------------------------")`
			`local cert = conn:getpeercertificate()`
			`print( cert )`
			`print( cert:digest() )`
			`print( cert:digest("sha1") )`
			`print( cert:digest("sha256") )`
			`print( cert:digest("sha512") )`

			`conn:close()`
			`server:close()`