feat(x509.extension) support create by ASN.1 octet string and nconf

Author: fffonion

README.md

@@ -1557,6 +1557,12 @@ finds from beginning. Index is 1-based.
 
 ```lua
 local ext, pos, err = x509:get_extension("keyUsage")
+ngx.say(ext:text())
+-- outputs "Digital Signature, Key Encipherment"
+
+local ext, pos, err = x509:get_extension("subjectKeyIdentifier")
+ngx.say(ext:text())
+-- outputs "3D:42:13:57:8F:79:BE:30:7D:86:A9:AC:67:50:E5:56:3E:0E:AF:4F"
 ```
 
 [Back to TOC](#table-of-contents)
@@ -1569,9 +1575,9 @@ Adds an X.509 `extension` to certificate, the first argument must be a
 [resty.openssl.x509.extension](#restyopensslx509extension) instance.
 
 ```lua
-local extension, err = require("resty.openssl.extension").new({
-    "keyUsage", "critical,keyCertSign,cRLSign",
-})
+local extension, err = require("resty.openssl.x509.extension").new(
+  "keyUsage", "critical,keyCertSign,cRLSign"
+)
 local x509, err = require("resty.openssl.x509").new()
 local ok, err = x509:add_extension(extension)
 ```
@@ -2261,26 +2267,67 @@ Module to interact with X.509 extensions.
 Creates a new `extension` instance. `name` and `value` are strings in OpenSSL
 [arbitrary extension format](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html).
 
-`data` can be a table or nil. Where data is a table, the following key will be looked up:
+`data` can be a table, string or nil. Where `data` is a table, the following key will be looked up:
 
 ```lua
 data = {
-    issuer = resty.openssl.x509 instance,
-    subject = resty.openssl.x509 instance,
-    request = resty.openssl.x509.csr instance,
-    crl = resty.openssl.x509.crl instance,
+  issuer = resty.openssl.x509 instance,
+  subject = resty.openssl.x509 instance,
+  request = resty.openssl.x509.csr instance,
+  crl = resty.openssl.x509.crl instance,
 }
 ```
 
-Example:
+When `data` is a string, it's the full nconf string. Using section lookup from `value` to
+`data` is also supported.
+
+<details>
+<summary>Example usages:</summary>
+
 ```lua
-local x509, err = require("resty.openssl.x509").new()
 local extension = require("resty.openssl.x509.extension")
+-- extendedKeyUsage=serverAuth,clientAuth
 local ext, err = extension.new("extendedKeyUsage", "serverAuth,clientAuth")
+-- crlDistributionPoints=URI:http://myhost.com/myca.crl
+ext, err = extension.new("crlDistributionPoints", "URI:http://myhost.com/myca.crl")
+-- with section lookup
+ext, err = extension.new(
+  "crlDistributionPoints", "crldp1_section",
+  [[
+  [crldp1_section]
+  fullname=URI:http://myhost.com/myca.crl
+  CRLissuer=dirName:issuer_sect
+  reasons=keyCompromise, CACompromise
+
+  [issuer_sect]
+  C=UK
+  O=Organisation
+  CN=Some Name
+  ]]
+)
+-- combine section lookup with other value
+ext, err = extension.new(
+"certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
+  [[
+  [polsect]
+  policyIdentifier = 1.3.5.8
+  CPS.1="http://my.host.name/"
+  CPS.2="http://my.your.name/"
+  userNotice.1=@notice
+
+  [notice]
+  explicitText="Explicit Text Here"
+  organization="Organisation Name"
+  noticeNumbers=1,2,3,4
+ ]]
+))
+-- subjectKeyIdentifier=hash
+local x509, err = require("resty.openssl.x509").new()
 ext, err =  extension.new("subjectKeyIdentifier", "hash", {
-    subject = crt
+    subject = x509
 })
 ```
+</details>
 
 See [examples/tls-alpn-01.lua](https://github.com/fffonion/lua-resty-openssl/blob/master/examples/tls-alpn-01.lua)
 for an example to create extension with an unknown nid.
@@ -2295,17 +2342,33 @@ Creates a new `extension` instance from `X509_EXTENSION*` pointer.
 
 [Back to TOC](#table-of-contents)
 
+### extension.from_der
+
+**syntax**: *ext, ok = extension.from_der(der, nid_or_txt, crit?)*
+
+Creates a new `extension` instance. `der` is the ASN.1 encoded string to be
+set for the extension.
+
+`nid_or_txt` is a number or text representation of [NID] and
+`crit` is the critical flag of the extension.
+
+See [examples/tls-alpn-01.lua](https://github.com/fffonion/lua-resty-openssl/blob/master/examples/tls-alpn-01.lua)
+for an example to create extension with an unknown nid.
+
+[Back to TOC](#table-of-contents)
+
 ### extension.from_data
 
-**syntax**: *ext, ok = extension.from_data(table, nid, crit?)*
+**syntax**: *ext, ok = extension.from_data(table, nid_or_txt, crit?)*
 
 Creates a new `extension` instance. `table` can be instance of:
 
 - [x509.altname](#restyopensslx509altname)
 - [x509.extension.info_access](#restyopensslx509extensioninfo_access)
 - [x509.extension.dist_points](#restyopensslx509extensiondist_points)
 
-`nid` is a number of [NID] and `crit` is the critical flag of the extension.
+`nid_or_txt` is a number or text representation of [NID] and
+`crit` is the critical flag of the extension.
 
 [Back to TOC](#table-of-contents)
 

examples/tls-alpn-01.lua

@@ -22,18 +22,27 @@ end
 -- with given domain name and challenge token
 function serve_challenge_cert(domain, challenge)
   local dgst = assert(digest.new("sha256"):final(challenge))
+
+  -- There're two ways to set ASN.1 octect string to the extension
+  -- The recommanded way is to pass the string directly to extension.from_der()
+  local ext, err = extension.from_der(dgst, nid, true)
+  if err then
+    return nil, nil, err
+  end
+  -- OR we put the ASN.1 signature for this string by ourselves
   -- 0x04: OCTET STRING
   -- 0x20: length
-  dgst = "DER:0420" .. dgst:gsub("(.)", function(s) return string.format("%02x", string.byte(s)) end)
-
-  local key = pkey.new()
-  local cert = x509.new()
-  cert:set_pubkey(key)
-  local ext, err = extension.new(nid, dgst)
+  local dgst_hex = "DER:0420" .. dgst:gsub("(.)", function(s) return string.format("%02x", string.byte(s)) end)
+  local ext, err = extension.new(nid, dgst_hex)
   if err then
     return nil, nil, err
   end
   ext:set_critical(true)
+
+  local key = pkey.new()
+  local cert = x509.new()
+  cert:set_pubkey(key)
+
   cert:add_extension(ext)
 
   local alt = assert(altname.new():add(

lib/resty/openssl/include/conf.lua

@@ -0,0 +1,9 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+
+ffi.cdef [[
+    CONF *NCONF_new(CONF_METHOD *meth);
+    void NCONF_free(CONF *conf);
+    int NCONF_load_bio(CONF *conf, BIO *bp, long *eline);
+]]

lib/resty/openssl/include/ossl_typ.lua

@@ -43,6 +43,7 @@ ffi.cdef(
   typedef struct asn1_string_st ASN1_STRING;
   typedef struct asn1_object_st ASN1_OBJECT;
   typedef struct conf_st CONF;
+  typedef struct conf_method_st CONF_METHOD;
   typedef int ASN1_BOOLEAN;
   typedef int ASN1_NULL;
   typedef struct ec_key_st EC_KEY;

lib/resty/openssl/include/x509/init.lua

@@ -33,6 +33,9 @@ ffi.cdef [[
   ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
   ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
   X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+  X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
+                                             int nid, int crit,
+                                             ASN1_OCTET_STRING *data);
 
   // needed by pkey
   EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);

lib/resty/openssl/include/x509v3.lua

@@ -13,6 +13,7 @@ ffi.cdef [[
   // STACK_OF(OPENSSL_STRING)
   OPENSSL_STACK *X509_get1_ocsp(X509 *x);
   void X509_email_free(OPENSSL_STACK *sk);
+  void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
 
   typedef struct EDIPartyName_st EDIPARTYNAME;
 

lib/resty/openssl/x509/extension.lua

@@ -6,6 +6,10 @@ local ffi_cast = ffi.cast
 
 require "resty.openssl.include.x509"
 require "resty.openssl.include.x509.extension"
+require "resty.openssl.include.x509v3"
+require "resty.openssl.include.asn1"
+require "resty.openssl.include.bio"
+require "resty.openssl.include.conf"
 local objects_lib = require "resty.openssl.objects"
 local stack_lib = require("resty.openssl.stack")
 local util = require "resty.openssl.util"
@@ -21,21 +25,49 @@ local extension_types = {
   subject = "resty.openssl.x509",
   request = "resty.openssl.x509.csr",
   crl     = "resty.openssl.x509.crl",
-  -- db,           -- NYI
 }
+
+local function nconf_load(conf, str)
+  local bio = C.BIO_new_mem_buf(str, #str)
+  if bio == nil then
+    return format_error("BIO_new_mem_buf")
+  end
+  ffi_gc(bio, C.BIO_free)
+
+  if C.NCONF_load_bio(conf, bio, nil) ~= 1 then
+    return format_error("NCONF_load_bio")
+  end
+end
+
 function _M.new(txtnid, value, data)
   local nid, err = objects_lib.txtnid2nid(txtnid)
   if err then
-    return nil, err
+    return nil, "x509.extension.new: " .. err
   end
   if type(value) ~= 'string' then
     return nil, "x509.extension.new: expect string at #2"
   end
   -- get a ptr and also zerofill the struct
   local x509_ctx_ptr = ffi_new('X509V3_CTX[1]')
 
+  local conf = C.NCONF_new(nil)
+	if conf == nil then
+    return nil, format_error("NCONF_new")
+  end
+  ffi_gc(conf, C.NCONF_free)
+
   if type(data) == 'table' then
     local args = {}
+    if data.db then
+      if type(data.db) ~= 'string' then
+        return nil, "x509.extension.new: expect data.db must be a string"
+      end
+      err = nconf_load(conf, data)
+      if err then
+        return nil, "x509.extension.new: " .. err
+      end
+    end
+
     for k, t in pairs(extension_types) do
       if data[k] then
         local lib = require(t)
@@ -45,12 +77,21 @@ function _M.new(txtnid, value, data)
         args[k] = data[k].ctx
       end
     end
-    C.X509V3_set_ctx(x509_ctx_ptr[0], args.issuer, args.subject, args.request, nil, 0)
+    C.X509V3_set_ctx(x509_ctx_ptr[0], args.issuer, args.subject, args.request, args.crl, 0)
+  elseif type(data) == 'string' then
+    err = nconf_load(conf, data)
+    if err then
+      return nil, "x509.extension.new: " .. err
+    end
   elseif data then
-    return nil, "x509.extension.new: expect nil or a table at #3"
+    return nil, "x509.extension.new: expect nil, string a table at #3"
   end
 
-  local ctx = C.X509V3_EXT_nconf_nid(nil, x509_ctx_ptr[0], nid, value)
+  -- setting conf is required for some extensions to load
+  -- crypto/x509/v3_conf.c:do_ext_conf "else if (method->r2i) {" branch
+  C.X509V3_set_nconf(x509_ctx_ptr[0], conf)
+
+  local ctx = C.X509V3_EXT_nconf_nid(conf, x509_ctx_ptr[0], nid, value)
   if ctx == nil then
     return nil, format_error("x509.extension.new")
   end
@@ -85,7 +126,45 @@ function _M.dup(ctx)
   return self, nil
 end
 
-function _M.from_data(any, nid, crit)
+function _M.from_der(value, txtnid, crit)
+  local nid, err = objects_lib.txtnid2nid(txtnid)
+  if err then
+    return nil, "x509.extension.from_der: " .. err
+  end
+  if type(value) ~= 'string' then
+    return nil, "x509.extension.from_der: expect string at #1"
+  end
+
+  local asn1 = C.ASN1_STRING_new()
+  if asn1 == nil then
+    return nil, format_error("x509.extension.from_der: ASN1_STRING_new")
+  end
+  ffi_gc(asn1, C.ASN1_STRING_free)
+
+  if C.ASN1_STRING_set(asn1, value, #value) ~= 1 then
+    return nil, format_error("x509.extension.from_der: ASN1_STRING_set")
+  end
+
+  local ctx = C.X509_EXTENSION_create_by_NID(nil, nid, crit and 1 or 0, asn1)
+  if ctx == nil then
+    return nil, format_error("x509.extension.from_der: X509_EXTENSION_create_by_NID")
+  end
+  ffi_gc(ctx, C.X509_EXTENSION_free)
+
+  local self = setmetatable({
+    ctx = ctx,
+  }, mt)
+
+  return self, nil
+
+end
+
+function _M.from_data(any, txtnid, crit)
+  local nid, err = objects_lib.txtnid2nid(txtnid)
+  if err then
+    return nil, "x509.extension.from_der: " .. err
+  end
+
   if type(any) ~= "table" or type(any.ctx) ~= "cdata" then
     return nil, "x509.extension.from_data: expect a table with ctx at #1"
   elseif type(nid) ~= "number" then

lua-resty-openssl-0.6.5-1.rockspec

@@ -26,6 +26,7 @@ build = {
       ["resty.openssl.include.asn1"] = "lib/resty/openssl/include/asn1.lua",
       ["resty.openssl.include.bio"] = "lib/resty/openssl/include/bio.lua",
       ["resty.openssl.include.bn"] = "lib/resty/openssl/include/bn.lua",
+      ["resty.openssl.include.conf"] = "lib/resty/openssl/include/conf.lua",
       ["resty.openssl.include.crypto"] = "lib/resty/openssl/include/crypto.lua",
       ["resty.openssl.include.ec"] = "lib/resty/openssl/include/ec.lua",
       ["resty.openssl.include.evp"] = "lib/resty/openssl/include/evp.lua",