luasec/src/x509.c

715 lines
16 KiB
C
Raw Normal View History

2013-03-30 13:21:40 +01:00
/*--------------------------------------------------------------------------
2015-08-21 16:21:16 +02:00
* LuaSec 0.6a
2014-01-29 21:43:33 +01:00
*
2015-08-21 16:21:16 +02:00
* Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
2013-03-30 13:21:40 +01:00
*
*--------------------------------------------------------------------------*/
#include <stdio.h>
2013-03-30 13:21:40 +01:00
#include <string.h>
#if defined(WIN32)
2015-03-12 21:05:53 +01:00
#include <ws2tcpip.h>
2013-03-30 13:21:40 +01:00
#include <windows.h>
2015-03-12 21:05:53 +01:00
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
2013-03-30 13:21:40 +01:00
#endif
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <lua.h>
#include <lauxlib.h>
#include "x509.h"
static const char* hex_tab = "0123456789abcdef";
/**
* Push the certificate on the stack.
*/
void lsec_pushx509(lua_State* L, X509 *cert)
{
p_x509 cert_obj = (p_x509)lua_newuserdata(L, sizeof(t_x509));
cert_obj->cert = cert;
cert_obj->encode = LSEC_AI5_STRING;
2013-03-30 13:21:40 +01:00
luaL_getmetatable(L, "SSL:Certificate");
lua_setmetatable(L, -2);
}
/**
* Return the OpenSSL certificate X509.
*/
X509* lsec_checkx509(lua_State* L, int idx)
{
return ((p_x509)luaL_checkudata(L, idx, "SSL:Certificate"))->cert;
}
/**
* Return LuaSec certificate X509 representation.
*/
p_x509 lsec_checkp_x509(lua_State* L, int idx)
{
return (p_x509)luaL_checkudata(L, idx, "SSL:Certificate");
}
2013-03-30 13:21:40 +01:00
/*---------------------------------------------------------------------------*/
#if defined(LUASEC_INET_NTOP)
/*
* For WinXP (SP3), set the following preprocessor macros:
* LUASEC_INET_NTOP
* WINVER=0x0501
* _WIN32_WINNT=0x0501
* NTDDI_VERSION=0x05010300
*
* For IPv6 addresses, you need to add IPv6 Protocol to your interface.
*
*/
static const char *inet_ntop(int af, const char *src, char *dst, socklen_t size)
{
int addrsize;
struct sockaddr *addr;
struct sockaddr_in addr4;
struct sockaddr_in6 addr6;
switch (af) {
case AF_INET:
2015-08-01 06:14:16 +02:00
memset((void*)&addr4, 0, sizeof(addr4));
addr4.sin_family = AF_INET;
memcpy((void*)&addr4.sin_addr, src, sizeof(struct in_addr));
addr = (struct sockaddr*)&addr4;
addrsize = sizeof(struct sockaddr_in);
break;
case AF_INET6:
2015-08-01 06:14:16 +02:00
memset((void*)&addr6, 0, sizeof(addr6));
addr6.sin6_family = AF_INET6;
memcpy((void*)&addr6.sin6_addr, src, sizeof(struct in6_addr));
addr = (struct sockaddr*)&addr6;
2015-08-01 06:14:16 +02:00
addrsize = sizeof(struct sockaddr_in6);
break;
default:
return NULL;
}
if(getnameinfo(addr, addrsize, dst, size, NULL, 0, NI_NUMERICHOST) != 0)
return NULL;
return dst;
}
#endif
/*---------------------------------------------------------------------------*/
2013-03-30 13:21:40 +01:00
/**
* Convert the buffer 'in' to hexadecimal.
*/
static void to_hex(const char* in, int length, char* out)
{
int i;
for (i = 0; i < length; i++) {
out[i*2] = hex_tab[(in[i] >> 4) & 0xF];
out[i*2+1] = hex_tab[(in[i]) & 0xF];
}
}
/**
* Converts the ASN1_OBJECT into a textual representation and put it
* on the Lua stack.
*/
static void push_asn1_objname(lua_State* L, ASN1_OBJECT *object, int no_name)
{
char buffer[256];
int len = OBJ_obj2txt(buffer, sizeof(buffer), object, no_name);
len = (len < sizeof(buffer)) ? len : sizeof(buffer);
lua_pushlstring(L, buffer, len);
}
/**
* Push the ASN1 string on the stack.
*/
static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
2013-03-30 13:21:40 +01:00
{
2014-04-19 03:50:40 +02:00
int len;
unsigned char *data;
2014-06-08 12:41:20 +02:00
if (!string) {
lua_pushnil(L);
2014-06-08 12:41:20 +02:00
return;
}
switch (encode) {
case LSEC_AI5_STRING:
2013-03-30 13:21:40 +01:00
lua_pushlstring(L, (char*)ASN1_STRING_data(string),
ASN1_STRING_length(string));
break;
case LSEC_UTF8_STRING:
len = ASN1_STRING_to_UTF8(&data, string);
if (len >= 0) {
lua_pushlstring(L, (char*)data, len);
OPENSSL_free(data);
}
else
lua_pushnil(L);
}
2013-03-30 13:21:40 +01:00
}
/**
* Return a human readable time.
*/
static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm)
{
char *tmp;
long size;
BIO *out = BIO_new(BIO_s_mem());
ASN1_TIME_print(out, tm);
size = BIO_get_mem_data(out, &tmp);
lua_pushlstring(L, tmp, size);
BIO_free(out);
return 1;
}
/**
* Return a human readable IP address.
*/
static void push_asn1_ip(lua_State *L, ASN1_STRING *string)
{
int af;
char dst[INET6_ADDRSTRLEN];
unsigned char *ip = ASN1_STRING_data(string);
switch(ASN1_STRING_length(string)) {
case 4:
af = AF_INET;
break;
case 16:
af = AF_INET6;
break;
default:
lua_pushnil(L);
return;
}
if(inet_ntop(af, ip, dst, INET6_ADDRSTRLEN))
lua_pushstring(L, dst);
else
lua_pushnil(L);
}
2013-03-30 13:21:40 +01:00
/**
*
*/
static int push_subtable(lua_State* L, int idx)
{
lua_pushvalue(L, -1);
lua_gettable(L, idx-1);
if (lua_isnil(L, -1)) {
lua_pop(L, 1);
lua_newtable(L);
lua_pushvalue(L, -2);
lua_pushvalue(L, -2);
lua_settable(L, idx-3);
lua_replace(L, -2); /* Replace key with table */
return 1;
}
lua_replace(L, -2); /* Replace key with table */
return 0;
}
/**
* Retrive the general names from the object.
*/
static int push_x509_name(lua_State* L, X509_NAME *name, int encode)
2013-03-30 13:21:40 +01:00
{
int i;
int n_entries;
ASN1_OBJECT *object;
X509_NAME_ENTRY *entry;
lua_newtable(L);
n_entries = X509_NAME_entry_count(name);
for (i = 0; i < n_entries; i++) {
entry = X509_NAME_get_entry(name, i);
object = X509_NAME_ENTRY_get_object(entry);
lua_newtable(L);
push_asn1_objname(L, object, 1);
lua_setfield(L, -2, "oid");
push_asn1_objname(L, object, 0);
lua_setfield(L, -2, "name");
push_asn1_string(L, X509_NAME_ENTRY_get_data(entry), encode);
2013-03-30 13:21:40 +01:00
lua_setfield(L, -2, "value");
lua_rawseti(L, -2, i+1);
}
return 1;
}
/*---------------------------------------------------------------------------*/
/**
* Retrive the Subject from the certificate.
*/
static int meth_subject(lua_State* L)
{
p_x509 px = lsec_checkp_x509(L, 1);
return push_x509_name(L, X509_get_subject_name(px->cert), px->encode);
2013-03-30 13:21:40 +01:00
}
/**
* Retrive the Issuer from the certificate.
*/
static int meth_issuer(lua_State* L)
{
p_x509 px = lsec_checkp_x509(L, 1);
return push_x509_name(L, X509_get_issuer_name(px->cert), px->encode);
2013-03-30 13:21:40 +01:00
}
/**
* Retrieve the extensions from the certificate.
*/
int meth_extensions(lua_State* L)
{
int j;
int i = -1;
int n_general_names;
OTHERNAME *otherName;
X509_EXTENSION *extension;
GENERAL_NAME *general_name;
STACK_OF(GENERAL_NAME) *values;
p_x509 px = lsec_checkp_x509(L, 1);
X509 *peer = px->cert;
2013-03-30 13:21:40 +01:00
/* Return (ret) */
lua_newtable(L);
while ((i = X509_get_ext_by_NID(peer, NID_subject_alt_name, i)) != -1) {
extension = X509_get_ext(peer, i);
if (extension == NULL)
break;
values = X509V3_EXT_d2i(extension);
if (values == NULL)
break;
/* Push ret[oid] */
push_asn1_objname(L, extension->object, 1);
push_subtable(L, -2);
/* Set ret[oid].name = name */
push_asn1_objname(L, extension->object, 0);
lua_setfield(L, -2, "name");
n_general_names = sk_GENERAL_NAME_num(values);
for (j = 0; j < n_general_names; j++) {
general_name = sk_GENERAL_NAME_value(values, j);
switch (general_name->type) {
case GEN_OTHERNAME:
otherName = general_name->d.otherName;
push_asn1_objname(L, otherName->type_id, 1);
if (push_subtable(L, -2)) {
push_asn1_objname(L, otherName->type_id, 0);
lua_setfield(L, -2, "name");
}
push_asn1_string(L, otherName->value->value.asn1_string, px->encode);
2013-03-30 13:21:40 +01:00
lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
lua_pop(L, 1);
break;
case GEN_DNS:
lua_pushstring(L, "dNSName");
2015-08-01 06:14:16 +02:00
push_subtable(L, -2);
push_asn1_string(L, general_name->d.dNSName, px->encode);
2013-03-30 13:21:40 +01:00
lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
lua_pop(L, 1);
break;
case GEN_EMAIL:
lua_pushstring(L, "rfc822Name");
push_subtable(L, -2);
push_asn1_string(L, general_name->d.rfc822Name, px->encode);
2013-03-30 13:21:40 +01:00
lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
lua_pop(L, 1);
break;
case GEN_URI:
lua_pushstring(L, "uniformResourceIdentifier");
push_subtable(L, -2);
push_asn1_string(L, general_name->d.uniformResourceIdentifier, px->encode);
2013-03-30 13:21:40 +01:00
lua_rawseti(L, -2, lua_rawlen(L, -2)+1);
lua_pop(L, 1);
break;
case GEN_IPADD:
lua_pushstring(L, "iPAddress");
push_subtable(L, -2);
push_asn1_ip(L, general_name->d.iPAddress);
2013-03-30 13:21:40 +01:00
lua_rawseti(L, -2, lua_rawlen(L, -2)+1);
lua_pop(L, 1);
break;
case GEN_X400:
/* x400Address */
/* not supported */
break;
case GEN_DIRNAME:
/* directoryName */
/* not supported */
break;
case GEN_EDIPARTY:
/* ediPartyName */
/* not supported */
break;
case GEN_RID:
/* registeredID */
/* not supported */
break;
}
}
lua_pop(L, 1); /* ret[oid] */
i++; /* Next extension */
}
return 1;
}
/**
* Convert the certificate to PEM format.
*/
static int meth_pem(lua_State* L)
{
char* data;
long bytes;
X509* cert = lsec_checkx509(L, 1);
BIO *bio = BIO_new(BIO_s_mem());
if (!PEM_write_bio_X509(bio, cert)) {
lua_pushnil(L);
return 1;
}
bytes = BIO_get_mem_data(bio, &data);
if (bytes > 0)
lua_pushlstring(L, data, bytes);
else
lua_pushnil(L);
BIO_free(bio);
return 1;
}
/**
* Extract public key in PEM format.
*/
static int meth_pubkey(lua_State* L)
{
char* data;
long bytes;
int ret = 1;
X509* cert = lsec_checkx509(L, 1);
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = X509_get_pubkey(cert);
if(PEM_write_bio_PUBKEY(bio, pkey)) {
bytes = BIO_get_mem_data(bio, &data);
if (bytes > 0) {
lua_pushlstring(L, data, bytes);
switch(EVP_PKEY_type(pkey->type)) {
case EVP_PKEY_RSA:
lua_pushstring(L, "RSA");
break;
case EVP_PKEY_DSA:
lua_pushstring(L, "DSA");
break;
case EVP_PKEY_DH:
lua_pushstring(L, "DH");
break;
case EVP_PKEY_EC:
lua_pushstring(L, "EC");
break;
default:
lua_pushstring(L, "Unknown");
break;
}
lua_pushinteger(L, EVP_PKEY_bits(pkey));
ret = 3;
}
else
lua_pushnil(L);
}
else
lua_pushnil(L);
/* Cleanup */
BIO_free(bio);
EVP_PKEY_free(pkey);
return ret;
}
2013-03-30 13:21:40 +01:00
/**
* Compute the fingerprint.
*/
static int meth_digest(lua_State* L)
{
unsigned int bytes;
const EVP_MD *digest = NULL;
unsigned char buffer[EVP_MAX_MD_SIZE];
char hex_buffer[EVP_MAX_MD_SIZE*2];
X509 *cert = lsec_checkx509(L, 1);
const char *str = luaL_optstring(L, 2, NULL);
if (!str)
digest = EVP_sha1();
else {
if (!strcmp(str, "sha1"))
digest = EVP_sha1();
else if (!strcmp(str, "sha256"))
digest = EVP_sha256();
else if (!strcmp(str, "sha512"))
digest = EVP_sha512();
}
if (!digest) {
lua_pushnil(L);
lua_pushfstring(L, "digest algorithm not supported (%s)", str);
2013-03-30 13:21:40 +01:00
return 2;
}
if (!X509_digest(cert, digest, buffer, &bytes)) {
lua_pushnil(L);
lua_pushfstring(L, "error processing the certificate (%s)",
ERR_reason_error_string(ERR_get_error()));
2013-03-30 13:21:40 +01:00
return 2;
}
to_hex((char*)buffer, bytes, hex_buffer);
lua_pushlstring(L, hex_buffer, bytes*2);
return 1;
}
/**
* Check if the certificate is valid in a given time.
*/
static int meth_valid_at(lua_State* L)
{
X509* cert = lsec_checkx509(L, 1);
time_t time = luaL_checkinteger(L, 2);
lua_pushboolean(L, (X509_cmp_time(X509_get_notAfter(cert), &time) >= 0
&& X509_cmp_time(X509_get_notBefore(cert), &time) <= 0));
return 1;
}
/**
* Return the serial number.
*/
static int meth_serial(lua_State *L)
{
char *tmp;
BIGNUM *bn;
ASN1_INTEGER *serial;
X509* cert = lsec_checkx509(L, 1);
serial = X509_get_serialNumber(cert);
bn = ASN1_INTEGER_to_BN(serial, NULL);
tmp = BN_bn2hex(bn);
lua_pushstring(L, tmp);
BN_free(bn);
OPENSSL_free(tmp);
return 1;
}
/**
* Return not before date.
*/
static int meth_notbefore(lua_State *L)
{
X509* cert = lsec_checkx509(L, 1);
return push_asn1_time(L, X509_get_notBefore(cert));
}
/**
* Return not after date.
*/
static int meth_notafter(lua_State *L)
{
X509* cert = lsec_checkx509(L, 1);
return push_asn1_time(L, X509_get_notAfter(cert));
}
/**
* Check if this certificate issued some other certificate
*/
static int meth_issued(lua_State* L)
{
int ret, i, len;
X509_STORE_CTX* ctx = NULL;
X509_STORE* root = NULL;
STACK_OF(X509)* chain = NULL;
X509* issuer = lsec_checkx509(L, 1);
X509* subject = lsec_checkx509(L, 2);
X509* cert = NULL;
len = lua_gettop(L);
/* Check that all arguments are certificates */
for (i = 3; i <= len; i++) {
lsec_checkx509(L, i);
}
/* Before allocating things that require freeing afterwards */
chain = sk_X509_new_null();
ctx = X509_STORE_CTX_new();
root = X509_STORE_new();
if (ctx == NULL || root == NULL) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_new() or X509_STORE_CTX_new() error");
ret = 2;
goto cleanup;
}
ret = X509_STORE_add_cert(root, issuer);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_add_cert() error");
ret = 2;
goto cleanup;
}
for (i = 3; i <= len && lua_isuserdata(L, i); i++) {
cert = lsec_checkx509(L, i);
sk_X509_push(chain, cert);
}
ret = X509_STORE_CTX_init(ctx, root, subject, chain);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_CTX_init() error");
ret = 2;
goto cleanup;
}
/* Actual verification */
if (X509_verify_cert(ctx) <= 0) {
ret = X509_STORE_CTX_get_error(ctx);
lua_pushnil(L);
lua_pushstring(L, X509_verify_cert_error_string(ret));
ret = 2;
} else {
lua_pushboolean(L, 1);
ret = 1;
}
cleanup:
if (ctx != NULL) {
X509_STORE_CTX_free(ctx);
}
if (chain != NULL) {
X509_STORE_free(root);
}
sk_X509_free(chain);
return ret;
}
2013-03-30 13:21:40 +01:00
/**
* Collect X509 objects.
*/
static int meth_destroy(lua_State* L)
{
X509_free(lsec_checkx509(L, 1));
return 0;
}
static int meth_tostring(lua_State *L)
{
X509* cert = lsec_checkx509(L, 1);
lua_pushfstring(L, "X509 certificate: %p", cert);
return 1;
}
/**
* Set the encode for ASN.1 string.
*/
static int meth_set_encode(lua_State* L)
{
int succ = 0;
p_x509 px = lsec_checkp_x509(L, 1);
const char *enc = luaL_checkstring(L, 2);
if (strncmp(enc, "ai5", 3) == 0) {
succ = 1;
px->encode = LSEC_AI5_STRING;
} else if (strncmp(enc, "utf8", 4) == 0) {
succ = 1;
px->encode = LSEC_UTF8_STRING;
}
lua_pushboolean(L, succ);
return 1;
}
2013-03-30 13:21:40 +01:00
/*---------------------------------------------------------------------------*/
static int load_cert(lua_State* L)
{
X509 *cert;
size_t bytes;
const char* data;
BIO *bio = BIO_new(BIO_s_mem());
data = luaL_checklstring(L, 1, &bytes);
BIO_write(bio, data, bytes);
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (cert)
lsec_pushx509(L, cert);
else
lua_pushnil(L);
BIO_free(bio);
return 1;
}
/*---------------------------------------------------------------------------*/
/**
* Certificate methods.
*/
static luaL_Reg methods[] = {
{"digest", meth_digest},
{"setencode", meth_set_encode},
2013-03-30 13:21:40 +01:00
{"extensions", meth_extensions},
{"issuer", meth_issuer},
{"notbefore", meth_notbefore},
{"notafter", meth_notafter},
{"issued", meth_issued},
2013-03-30 13:21:40 +01:00
{"pem", meth_pem},
2014-04-19 23:11:32 +02:00
{"pubkey", meth_pubkey},
2013-03-30 13:21:40 +01:00
{"serial", meth_serial},
{"subject", meth_subject},
{"validat", meth_valid_at},
{NULL, NULL}
};
/**
* X509 metamethods.
*/
static luaL_Reg meta[] = {
{"__gc", meth_destroy},
{"__tostring", meth_tostring},
{NULL, NULL}
};
/**
* X509 functions.
*/
static luaL_Reg funcs[] = {
{"load", load_cert},
{NULL, NULL}
};
/*--------------------------------------------------------------------------*/
LSEC_API int luaopen_ssl_x509(lua_State *L)
{
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Certificate");
2015-02-12 19:32:54 +01:00
setfuncs(L, meta);
2013-03-30 13:21:40 +01:00
2015-02-06 20:44:08 +01:00
luaL_newlib(L, methods);
2013-03-30 13:21:40 +01:00
lua_setfield(L, -2, "__index");
2015-02-06 20:44:08 +01:00
luaL_newlib(L, funcs);
2013-03-30 13:21:40 +01:00
return 1;
}