diff --git a/src/context.c b/src/context.c
index cafc222..4d2c838 100644
--- a/src/context.c
+++ b/src/context.c
@@ -395,6 +395,17 @@ static int load_key(lua_State *L)
 return ret;
 }
 
+/**
+ * Check that the certificate public key matches the private key
+ */
+
+static int check_key(lua_State *L)
+{
+ SSL_CTX *ctx = lsec_checkcontext(L, 1);
+ lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
+ return 1;
+}
+
 /**
 * Set the cipher list.
 */
@@ -564,6 +575,7 @@ static luaL_Reg funcs[] = {
 {"locations", load_locations},
 {"loadcert", load_cert},
 {"loadkey", load_key},
+ {"checkkey", check_key},
 {"setcipher", set_cipher},
 {"setdepth", set_depth},
 {"setdhparam", set_dhparam},
diff --git a/src/ssl.lua b/src/ssl.lua
index 64f805b..7de8fc2 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
@@ -61,6 +61,10 @@ function newcontext(cfg)
 succ, msg = context.loadcert(ctx, cfg.certificate)
 if not succ then return nil, msg end
 end
+ if context.checkkey then
+ succ = context.checkkey(ctx)
+ if not succ then return nil, "private key does not match public key" end
+ end
 -- Load the CA certificates
 if cfg.cafile or cfg.capath then
 succ, msg = context.locations(ctx, cfg.cafile, cfg.capath)
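Review bot: check_key discards the reason for a failure: SSL_CTX_check_private_key() leaves it on the OpenSSL error queue, but only a bare boolean reaches Lua, whereas the sibling loaders return a message alongside the status (the ssl.lua hunk reads `succ, msg = context.loadcert(...)`). Returning the reason as a second value on failure keeps the boolean contract for existing callers and lets newcontext report why; this assumes `<openssl/err.h>` is already included in context.c, which is outside the hunk. The doc comment should also say what the binding returns, e.g. `Returns true when the loaded certificate and private key match, false otherwise (also when no certificate or no key has been loaded); on failure a second value carries the OpenSSL reason string.` The empty `+` line between the closing ` */` and `static int check_key` detaches the comment from the function it documents; drop it so the comment sits directly above the definition like the `Set the cipher list.` comment does.
```c
static int check_key(lua_State *L)
{
  SSL_CTX *ctx = lsec_checkcontext(L, 1);
  if (!SSL_CTX_check_private_key(ctx)) {
    /* Report the queued OpenSSL reason so the Lua side can surface it. */
    lua_pushboolean(L, 0);
    lua_pushstring(L, ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  lua_pushboolean(L, 1);
  return 1;
}
```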
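Review bot: The new `if context.checkkey then` block runs the key/certificate match check unconditionally, but SSL_CTX_check_private_key() also returns 0 when the context has no certificate or no private key loaded at all, so a context built without a certificate (the preceding `end` appears to close the optional `cfg.certificate` branch) now fails newcontext with the misleading message "private key does not match public key". Gate the check on the material actually having been configured, e.g. `if context.checkkey and cfg.certificate then`, and add the config field the loadkey branch uses (outside the hunk) to that condition as well. Consider also passing through the reason checkkey returns when it provides one, `succ, msg = context.checkkey(ctx)`, instead of the fixed string, so an unloaded key and a genuine mismatch are distinguishable to the caller. The enclosing function newcontext starts and ends outside the hunk.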