feat(x509.csr) finish {set,add}_extension functions

fffonion · Aug 26, 2020 · d34b702 · d34b702
1 parent 15a5c7f
commit d34b702
Show file tree

Hide file tree

Showing 13 changed files with 455 additions and 160 deletions.
diff --git a/README.md b/README.md
@@ -108,7 +108,10 @@ Table of Contents
     + [csr.istype](#csristype)
     + [csr:get_*, csr:set_*](#csrget_-csrset_)
     + [csr:get_extension](#csrget_extension)
-    + [csr:get_extensions](#csrget_extensions)
+    + [csr:add_extension](#csradd_extension)
+    + [csr:set_extension](#csrset_extension)
+    + [csr:get_extension_critical](#csrget_extension_critical)
+    + [csr:set_extension_critical](#csrset_extension_critical)
     + [csr:sign](#csrsign)
     + [csr:verify](#csrverify)
     + [csr:tostring](#csrtostring)
@@ -1712,6 +1715,9 @@ Additionally, getters and setters for extensions are also available:
 | ------------   | ---- | ----------- |
 | subject_alt_name   | [x509.altname](#restyopensslx509altname) | [Subject Alternative Name](https://tools.ietf.org/html/rfc5280#section-4.2.1.6) of the certificate request, SANs are usually used to define "additional Common Names"  |
 
+For all extensions, `get_{extension}_critical` and `set_{extension}_critical` is also supported to
+access the `critical` flag of the extension.
+
 If the attribute is not found, getter will return `nil, nil`.
 
 ```lua
@@ -1722,7 +1728,14 @@ ngx.say(version)
 -- outputs 3
 ```
 
-Setters and getters for x509 attributes share the same syntax.
+Note that user may also access the certain extension by [csr:get_extension](#csrget_extension) and
+[csr:set_extension](#csrset_extension), while the later two function returns or requires
+[extension](#restyopensslx509extension) instead. User may use getter and setters listed here if modification
+of current extensions is needed; use [csr:get_extension](#csrget_extension) or
+[csr:set_extension](#csrset_extension) if user are adding or replacing the whole extension or
+getters/setters are not implemented. If the getter returned a type of `x509.*` instance, it can be
+converted to a [extension](#restyopensslx509extension) instance by [extension:from_data](#extensionfrom_data),
+and thus used by [csr:get_extension](#csrget_extension) and [csr:set_extension](#csrset_extension) 
 
 [Back to TOC](#table-of-contents)
 
@@ -1757,6 +1770,45 @@ Return all extensions as a [resty.openssl.x509.extensions](#restyopensslx509exte
 
 [Back to TOC](#table-of-contents)
 
+### csr:add_extension
+
+**syntax**: *ok, err = csr:add_extension(extension)*
+
+Adds an X.509 `extension` to csr, the first argument must be a
+[resty.openssl.x509.extension](#restyopensslx509extension) instance.
+
+[Back to TOC](#table-of-contents)
+
+### csr:set_extension
+
+**syntax**: *ok, err = csr:set_extension(extension)*
+
+Adds an X.509 `extension` to csr, the first argument must be a
+[resty.openssl.x509.extension](#restyopensslx509extension) instance.
+The difference from [csr:add_extension](#csradd_extension) is that
+in this function if a `extension` with same type already exists,
+the old extension will be replaced.
+
+Note this function is not thread-safe.
+
+[Back to TOC](#table-of-contents)
+
+### csr:get_extension_critical
+
+**syntax**: *ok, err = csr:get_extension_critical(nid_or_txt)*
+
+Get critical flag of the X.509 `extension` matching the given [NID] from csr.
+
+[Back to TOC](#table-of-contents)
+
+### csr:set_extension_critical
+
+**syntax**: *ok, err = csr:set_extension_critical(nid_or_txt, crit?)*
+
+Set critical flag of the X.509 `extension` matching the given [NID] to csr.
+
+[Back to TOC](#table-of-contents)
+
 ### csr:sign
 
 **syntax**: *ok, err = csr:sign(pkey, digest?)*

diff --git a/lib/resty/openssl/include/ossl_typ.lua b/lib/resty/openssl/include/ossl_typ.lua
@@ -16,6 +16,8 @@ ffi.cdef(
   typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
   typedef struct engine_st ENGINE;
   typedef struct x509_st X509;
+  typedef struct x509_attributes_st X509_ATTRIBUTE;
+  typedef struct X509_extension_st X509_EXTENSION;
   typedef struct X509_name_st X509_NAME;
   typedef struct X509_name_entry_st X509_NAME_ENTRY;
   typedef struct X509_req_st X509_REQ;

diff --git a/lib/resty/openssl/include/stack.lua b/lib/resty/openssl/include/stack.lua
@@ -29,6 +29,7 @@ if OPENSSL_11_OR_LATER then
     void *OPENSSL_sk_value(const OPENSSL_STACK *, int);
     OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
     void OPENSSL_sk_free(OPENSSL_STACK *);
+    void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
 
     typedef void (*OPENSSL_sk_freefunc)(void *);
     typedef void *(*OPENSSL_sk_copyfunc)(const void *);
@@ -44,6 +45,7 @@ if OPENSSL_11_OR_LATER then
   _M.OPENSSL_sk_num = C.OPENSSL_sk_num
   _M.OPENSSL_sk_value = C.OPENSSL_sk_value
   _M.OPENSSL_sk_dup = C.OPENSSL_sk_dup
+  _M.OPENSSL_sk_delete = C.OPENSSL_sk_delete
   _M.OPENSSL_sk_free = C.OPENSSL_sk_free
   _M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy
 elseif OPENSSL_10 then
@@ -59,6 +61,7 @@ elseif OPENSSL_10 then
     void *sk_value(const _STACK *, int);
     _STACK *sk_dup(_STACK *st);
     void sk_free(_STACK *st);
+    void *sk_delete(_STACK *st, int loc);
 
     _STACK *sk_deep_copy(_STACK *, void *(*)(void *), void (*)(void *));
   ]]
@@ -69,6 +72,7 @@ elseif OPENSSL_10 then
   _M.OPENSSL_sk_pop_free = C.sk_pop_free
   _M.OPENSSL_sk_num = C.sk_num
   _M.OPENSSL_sk_value = C.sk_value
+  _M.OPENSSL_sk_delete = C.sk_delete
   _M.OPENSSL_sk_dup = C.sk_dup
   _M.OPENSSL_sk_free = C.sk_free
   _M.OPENSSL_sk_deep_copy = C.sk_deep_copy

diff --git a/lib/resty/openssl/include/x509/csr.lua b/lib/resty/openssl/include/x509/csr.lua
@@ -27,6 +27,13 @@ ffi.cdef [[
   X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
   int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
 
+  int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
+  void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
+  int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
+  X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+
+  int *X509_REQ_get_extension_nids(void);
+
   int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
   int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
 

diff --git a/lib/resty/openssl/include/x509/init.lua b/lib/resty/openssl/include/x509/init.lua
@@ -15,12 +15,9 @@ ffi.cdef [[
   int i2d_X509_bio(BIO *bp, X509 *x509);
   X509 *d2i_X509_bio(BIO *bp, X509 **x509);
 
-
   // STACK_OF(X509)
   OPENSSL_STACK *X509_chain_up_ref(OPENSSL_STACK *chain);
 
-  typedef struct X509_extension_st X509_EXTENSION;
-
   int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
   int X509_verify(X509 *a, EVP_PKEY *r);
 

diff --git a/lib/resty/openssl/x509/crl.lua b/lib/resty/openssl/x509/crl.lua
@@ -346,8 +346,6 @@ function _M:set_issuer_name(toset)
   if accessors.set_issuer_name(self.ctx, toset) == 0 then
     return false, format_error("x509.crl:set_issuer_name")
   end
-
-  return true
 end
 
 -- AUTO GENERATED
@@ -374,8 +372,6 @@ function _M:set_last_update(toset)
   if accessors.set_last_update(self.ctx, toset) == 0 then
     return false, format_error("x509.crl:set_last_update")
   end
-
-  return true
 end
 
 -- AUTO GENERATED
@@ -402,8 +398,6 @@ function _M:set_next_update(toset)
   if accessors.set_next_update(self.ctx, toset) == 0 then
     return false, format_error("x509.crl:set_next_update")
   end
-
-  return true
 end
 
 -- AUTO GENERATED
@@ -431,8 +425,6 @@ function _M:set_version(toset)
   if accessors.set_version(self.ctx, toset) == 0 then
     return false, format_error("x509.crl:set_version")
   end
-
-  return true
 end