From 8e5bcefbb6cf628e01aba269ab727b5eac2ab461 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 5 Feb 2014 01:48:58 +0100
Subject: [PATCH 1/2] Check that certificate matches private key
---
src/context.c | 12 ++++++++++++
src/ssl.lua | 4 ++++
2 files changed, 16 insertions(+)
diff --git a/src/context.c b/src/context.c
index cafc222..4d2c838 100644
--- a/src/context.c
+++ b/src/context.c
@@ -395,6 +395,17 @@ static int load_key(lua_State *L)
 return ret;
 }
 
+/**
+ * Check that the certificate public key matches the private key
+ */
+
+static int check_key(lua_State *L)
+{
+ SSL_CTX *ctx = lsec_checkcontext(L, 1);
+ lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
+ return 1;
+}
+
 /**
 * Set the cipher list.
 */
@@ -564,6 +575,7 @@ static luaL_Reg funcs[] = {
 {"locations", load_locations},
 {"loadcert", load_cert},
 {"loadkey", load_key},
+ {"checkkey", check_key},
 {"setcipher", set_cipher},
 {"setdepth", set_depth},
 {"setdhparam", set_dhparam},
diff --git a/src/ssl.lua b/src/ssl.lua
index 64f805b..7de8fc2 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
@@ -61,6 +61,10 @@ function newcontext(cfg)
 succ, msg = context.loadcert(ctx, cfg.certificate)
 if not succ then return nil, msg end
 end
+ if context.checkkey then
+ succ = context.checkkey(ctx)
+ if not succ then return nil, "private key does not match public key" end
+ end
 -- Load the CA certificates
 if cfg.cafile or cfg.capath then
 succ, msg = context.locations(ctx, cfg.cafile, cfg.capath)
From 55d45f0542595061b2bd55a6f8837120127cec1c Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 5 Feb 2014 16:51:30 +0100
Subject: [PATCH 2/2] Check if private key matches cert only if both key and cert are set
---
src/ssl.lua | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/ssl.lua b/src/ssl.lua
index 7de8fc2..0b465e2 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
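Review bot: check_key discards the reason when SSL_CTX_check_private_key() fails and leaves that reason on the OpenSSL error queue, so the Lua caller only learns a boolean and a later, unrelated ERR_get_error() in this thread can report a stale key-mismatch error instead of its own. The call fails for more than one cause (no certificate assigned, no private key assigned, key/certificate mismatch), so returning the reason as a second value, consumed from the queue, keeps the boolean contract for existing callers and tells the operator which case they hit; the surrounding load_cert/load_key error paths presumably already format errors this way, so the same idiom can be reused — confirm that err.h is included in this file. ERR_reason_error_string() may return NULL, which lua_pushstring turns into nil, so the Lua side should keep its fallback message. The blank line between the `/** */` block and `static int check_key` also detaches the doc comment from the function it documents; drop it and add `@return true, or false plus the OpenSSL reason string`.
```c
static int check_key(lua_State *L)
{
  SSL_CTX *ctx = lsec_checkcontext(L, 1);
  /* Consume the queued reason so it cannot surface from a later, unrelated call. */
  if (!SSL_CTX_check_private_key(ctx)) {
    lua_pushboolean(L, 0);
    lua_pushstring(L, ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  lua_pushboolean(L, 1);
  return 1;
}
```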
@@ -58,12 +58,12 @@ function newcontext(cfg)
 end
 -- Load the certificate
 if cfg.certificate then
- succ, msg = context.loadcert(ctx, cfg.certificate)
- if not succ then return nil, msg end
- end
- if context.checkkey then
- succ = context.checkkey(ctx)
- if not succ then return nil, "private key does not match public key" end
+ succ, msg = context.loadcert(ctx, cfg.certificate)
+ if not succ then return nil, msg end
+ if cfg.key and context.checkkey then
+ succ = context.checkkey(ctx)
+ if not succ then return nil, "private key does not match public key" end
+ end
 end
 -- Load the CA certificates
 if cfg.cafile or cfg.capath then
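Review bot: The hard-coded "private key does not match public key" hides which failure OpenSSL actually reported, and `succ = context.checkkey(ctx)` drops any second return value the C binding produces now or later; `succ, msg = context.checkkey(ctx)` followed by `if not succ then return nil, msg or "private key does not match public key" end` keeps today's behaviour when checkkey returns only a boolean and surfaces the real reason once it returns one. The new `cfg.key and` guard assumes the key was loaded by the block that closes at the hunk's first ` end` context line, which lies outside the hunk; it is worth confirming that loadkey is gated on the same cfg.key field so the two conditions cannot drift apart, otherwise a key configured but not loaded would silently skip the check. newcontext begins and ends outside this hunk.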