Merge pull request #133 from quickdudley/multi-certs

Enable multiple SSL certificates

samples/multicert/client.lua

@@ -0,0 +1,33 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --
+   curve = "secp384r1",
+}
+
+--------------------------------------------------------------------------------
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO  ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()

samples/multicert/server.lua

@@ -0,0 +1,48 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   certificates = {
+      {
+         key = "../certs/serverAkey.pem",
+         certificate = "../certs/serverA.pem"
+      },
+      {
+         key = "../certs/serverBkey.pem",
+         certificate = "../certs/serverB.pem"
+      }
+   },
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --
+   curve = "secp384r1",
+}
+
+------------------------------------------------------------------------------
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

src/ssl.lua

@@ -74,25 +74,41 @@ local function newcontext(cfg)
    -- Mode
    succ, msg = context.setmode(ctx, cfg.mode)
    if not succ then return nil, msg end
-   -- Load the key
+   if not cfg.certificates then
-   if cfg.key then
+      cfg.certificates = {}
-      if cfg.password and
-         type(cfg.password) ~= "function" and
-         type(cfg.password) ~= "string"
-      then
-         return nil, "invalid password type"
-      end
-      succ, msg = context.loadkey(ctx, cfg.key, cfg.password)
-      if not succ then return nil, msg end
    end
-   -- Load the certificate
+   local singularcertificate = {}
-   if cfg.certificate then
+   local singularexists = false
-     succ, msg = context.loadcert(ctx, cfg.certificate)
+   for _, prop in pairs({ "key", "certificate", "password" }) do
-     if not succ then return nil, msg end
+      if cfg[prop] then
-     if cfg.key and context.checkkey then
+         singularexists = true
-       succ = context.checkkey(ctx)
+         singularcertificate[prop] = cfg[prop]
-       if not succ then return nil, "private key does not match public key" end
+      end
-     end
+   end
+   if singularexists then
+      table.insert(crt.certificates, singularcertificate)
+   end
+   for _, certificate in pairs(cfg.certificates) do
+      -- Load the key
+      if certificate.key then
+         if certificate.password and
+            type(certificate.password) ~= "function" and
+            type(certificate.password) ~= "string"
+         then
+            return nil, "invalid password type"
+         end
+         succ, msg = context.loadkey(ctx, certificate.key, certificate.password)
+         if not succ then return nil, msg end
+      end
+      -- Load the certificate(s)
+      if certificate.certificate then
+        succ, msg = context.loadcert(ctx, certificate.certificate)
+        if not succ then return nil, msg end
+        if certificate.key and context.checkkey then
+          succ = context.checkkey(ctx)
+          if not succ then return nil, "private key does not match public key" end
+        end
+      end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then