feat(*) add x509.digest and bn.to_hex

digest buffer now uses the exact block size of that algorithm

Author: fffonion

README.md

@@ -32,6 +32,7 @@ Table of Contents
     + [bn.istype](#bnistype)
     + [bn.from_binary](#bnfrom_binary)
     + [bn:to_binary](#bnto_binary)
+    + [bn:to_hex](#bnto_hex)
   * [resty.openssl.cipher](#restyopensslcipher)
     + [cipher.new](#ciphernew)
     + [cipher.istype](#cipheristype)
@@ -56,6 +57,8 @@ Table of Contents
     + [x509.new](#x509new)
     + [x509.istype](#x509istype)
     + [x509:add_extension](#x509add_extension)
+    + [x509:digest](#x509digest)
+    + [x509:pubkey_digest](#x509pubkey_digest)
     + [x509:get_*, x509:set_*](#x509get_-x509set_)
     + [x509:get_lifetime](#x509get_lifetime)
     + [x509:set_lifetime](#x509set_lifetime)
@@ -185,11 +188,11 @@ and `DIR` are supported.
 ```lua
 local version = require("resty.openssl.version")
 ngx.say(string.format("%x", version.version_num))
--- Outputs 101000bf
+-- outputs "101000bf"
 ngx.say(version.version_text)
--- Outputs OpenSSL 1.1.0k  28 May 2019
+-- outputs "OpenSSL 1.1.0k  28 May 2019"
 ngx.say(version.version(version.PLATFORM))
--- Outputs darwin64-x86_64-cc
+-- outputs "darwin64-x86_64-cc"
 ```
 
 ### OPENSSL_11
@@ -336,11 +339,21 @@ ngx.say(ngx.encode_base64(bin))
 
 Export the BIGNUM value in binary string.
 
+
+### bn:to_hex
+
+**syntax**: *hex, err = bn:to_hex()*
+
+Export the BIGNUM value in hex encoded string.
+
 ```lua
 local b, err = require("resty.openssl.bn").new(23333)
 local bin, err = b:to_binary()
 ngx.say(ngx.encode_base64(bin))
 -- outputs "WyU="
+local hex, err = b:to_hex()
+ngx.say(hex)
+-- outputs "5B25"
 ```
 
 ## resty.openssl.cipher
@@ -449,7 +462,7 @@ ngx.say(cipher)
 
 ## resty.openssl.digest
 
-Module to interact with message digest (EVP_MD).
+Module to interact with message digest (EVP_MD_CTX).
 
 ### digest.new
 
@@ -581,6 +594,28 @@ local x509, err = require("resty.openssl.x509").new()
 local ok, err = x509:add_extension(extension)
 ```
 
+### x509:digest
+
+**syntax**: *d, err = x509:digest(digest_name?)*
+
+Returns a digest of the DER representation of the X509 certificate object in raw binary text.
+
+`digest_name` is a case-insensitive string of digest algorithm name.
+To view a list of digest algorithms implemented, use `openssl list -digest-algorithms`.
+
+If `digest_name` is omitted, it's by default to `sha1`.
+
+### x509:pubkey_digest
+
+**syntax**: *d, err = x509:pubkey_digest(digest_name?)*
+
+Returns a digest of the DER representation of the pubkey in the X509 object in raw binary text.
+
+`digest_name` is a case-insensitive string of digest algorithm name.
+To view a list of digest algorithms implemented, use `openssl list -digest-algorithms`.
+
+If `digest_name` is omitted, it's by default to `sha1`.
+
 ### x509:get_*, x509:set_*
 
 **syntax**: *ok, err = x509:set_attribute(instance)*
@@ -605,7 +640,7 @@ local x509, err = require("resty.openssl.x509").new()
 err = x509:set_not_before(ngx.time())
 local not_before, err = x509:get_not_before()
 ngx.say(not_before)
--- Outputs 1571875065
+-- outputs 1571875065
 ```
 
 ### x509:get_lifetime
@@ -712,7 +747,7 @@ Returns `true` if table is an instance of `altname`. Returns `false` otherwise.
 
 **syntax**: *altname, err = altname:add(key, value)*
 
-Adds a name to altname stack, first argument is case-insensitive and can be selection of
+Adds a name to altname stack, first argument is case-insensitive and can be one of
 
     RFC822Name
     RFC822
@@ -845,8 +880,8 @@ If you plan to use this library on an untested version of OpenSSL (like custom b
 TODO
 ====
 
-- review get0 function calls to ensure there's no double free
-- find a way to test memory leak
+- test memory leak
+- add tests for x509 getters/setters
 
 [Back to TOC](#table-of-contents)
 

lib/resty/openssl/bn.lua

@@ -45,6 +45,14 @@ function _M:to_binary()
   return buf, nil
 end
 
+function _M:to_hex()
+  local buf = C.BN_bn2hex(self.ctx)
+  if buf == nil then
+    return nil, format_error("bn:to_hex")
+  end
+  return ffi_str(buf), nil
+end
+
 function _M.from_binary(s)
   if type(s) ~= "string" then
     return nil, "expect a string at #1"

lib/resty/openssl/digest.lua

@@ -4,7 +4,7 @@ local ffi_gc = ffi.gc
 local ffi_new = ffi.new
 local ffi_str = ffi.string
 
-require "resty.openssl.include.evp"
+local evp_macro = require "resty.openssl.include.evp"
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11 = require("resty.openssl.version").OPENSSL_11
@@ -37,7 +37,10 @@ function _M.new(typ)
     return nil, format_error("digest.new")
   end
 
-  return setmetatable({ ctx = ctx }, mt), nil
+  return setmetatable({
+    ctx = ctx,
+    md_size = C.EVP_MD_size(dtyp),
+  }, mt), nil
 end
 
 function _M.istype(l)
@@ -62,8 +65,8 @@ function _M:final(s)
       return nil, err
     end
   end
-  -- # define EVP_MAX_MD_SIZE                 64/* longest known is SHA512 */
-  local buf = ffi_new('unsigned char[?]', 64)
+
+  local buf = ffi_new('unsigned char[?]', self.md_size)
   local length = uint_ptr()
   -- no return value of EVP_DigestFinal_ex
   C.EVP_DigestFinal_ex(self.ctx, buf, length)

lib/resty/openssl/hmac.lua

@@ -5,6 +5,7 @@ local ffi_new = ffi.new
 local ffi_str = ffi.string
 
 require "resty.openssl.include.hmac"
+local evp_macro = require "resty.openssl.include.evp"
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11 = require("resty.openssl.version").OPENSSL_11
@@ -38,7 +39,10 @@ function _M.new(key, typ)
     return nil, format_error("hmac.new")
   end
 
-  return setmetatable({ ctx = ctx }, mt), nil
+  return setmetatable({
+    ctx = ctx,
+    md_size = C.EVP_MD_size(dtyp),
+  }, mt), nil
 end
 
 function _M.istype(l)
@@ -63,8 +67,8 @@ function _M:final(s)
       return nil, err
     end
   end
-  -- # define EVP_MAX_MD_SIZE                 64/* longest known is SHA512 */
-  local buf = ffi_new('unsigned char[?]', 64)
+
+  local buf = ffi_new('unsigned char[?]', self.md_size)
   local length = uint_ptr()
   if C.HMAC_Final(self.ctx, buf, length) ~= 1 then
     return nil, format_error("hmac:final: HMAC_Final")

lib/resty/openssl/include/bn.lua

@@ -19,5 +19,6 @@ ffi.cdef(
   int BN_num_bits(const BIGNUM *a);
   BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
   int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+  char *BN_bn2hex(const BIGNUM *a);
 ]]
 )

lib/resty/openssl/include/evp.lua

@@ -30,6 +30,7 @@ ffi.cdef [[
                          EVP_PKEY *pkey);
   /*__owur*/ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
                            unsigned int siglen, EVP_PKEY *pkey);
+  int EVP_MD_size(const EVP_MD *md);
 
   int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
   const EVP_MD *EVP_get_digestbyname(const char *name);

lib/resty/openssl/include/x509/init.lua

@@ -37,6 +37,10 @@ ffi.cdef [[
   int X509_set_subject_name(X509 *x, X509_NAME *name);
   int X509_set_issuer_name(X509 *x, X509_NAME *name);
 
+  int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
+                       unsigned char *md, unsigned int *len);
+  int X509_digest(const X509 *data, const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
 ]]
 
 if OPENSSL_11 then

lib/resty/openssl/x509/init.lua

@@ -1,8 +1,11 @@
 local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
+local ffi_new = ffi.new
+local ffi_str = ffi.string
 
 require "resty.openssl.include.x509"
+local evp_macro = require "resty.openssl.include.evp"
 local asn1_lib = require("resty.openssl.asn1")
 local digest_lib = require("resty.openssl.digest")
 local util = require("resty.openssl.util")
@@ -337,6 +340,46 @@ function _M:sign(pkey, digest)
   return true
 end
 
+local uint_ptr = ffi.typeof("unsigned int[1]")
+
+local function digest(self, cfunc, typ)
+  -- TODO: dedup the following with resty.openssl.digest
+  local ctx
+  if OPENSSL_11 then
+    ctx = C.EVP_MD_CTX_new()
+    ffi_gc(ctx, C.EVP_MD_CTX_free)
+  elseif OPENSSL_10 then
+    ctx = C.EVP_MD_CTX_create()
+    ffi_gc(ctx, C.EVP_MD_CTX_destroy)
+  end
+  if ctx == nil then
+    return nil, "failed to create EVP_MD_CTX"
+  end
+
+  local dtyp = C.EVP_get_digestbyname(typ or 'sha1')
+  if dtyp == nil then
+    return nil, string.format("invalid digest type \"%s\"", typ)
+  end
+
+  local md_size = C.EVP_MD_size(dtyp)
+  local buf = ffi_new('unsigned char[?]', md_size)
+  local length = uint_ptr()
+
+  if cfunc(self.ctx, dtyp, buf, length) ~= 1 then
+    return nil, format_error("x509:digest")
+  end
+
+  return ffi_str(buf, length[0])
+end
+
+function _M:digest(typ)
+  return digest(self, C.X509_digest, typ)
+end
+
+function _M:pubkey_digest(typ)
+  return digest(self, C.X509_pubkey_digest, typ)
+end
+
 function _M:to_PEM()
   return util.read_using_bio(C.PEM_write_bio_X509, self.ctx)
 end

t/openssl/bn.t

@@ -119,4 +119,29 @@ bn:to_binary failed
 --- response_body eval
 "WyU="
 --- no_error_log
+[error]
+
+=== TEST 5: Export as hex string
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local bn, err = require("resty.openssl.bn").new(0x5b25)
+            if err then
+                ngx.log(ngx.ERR, err)
+                return
+            end
+            local b, err = bn:to_hex()
+            if err then
+                ngx.log(ngx.ERR, err)
+                return
+            end
+            ngx.print(b)
+        }
+    }
+--- request
+    GET /t
+--- response_body eval
+"5B25"
+--- no_error_log
 [error]

t/openssl/pkey.t

@@ -268,4 +268,4 @@ expect a digest instance at #2
 --- response_body_like eval
 "-----BEGIN PUBLIC KEY-----"
 --- no_error_log
-[error]
+[error]