Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Openssl binding for Lua
branch: master

This branch is 2 commits ahead, 388 commits behind zhaozg:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


OpenSSL binding for Lua


1. Introduce
2. Certificate
3. Public/Private Key
4. Cipher
5. Message Digest
7. CSR & CRL
8. Pkcs12
9. Misc

I.   Howto.
II.  Examples
III. Contacts

1. Introduction

NEW: support for S/MIME encrypt/decrypt/sign/verify, as well as more
flexibility for specifying certificates/keys.

The functions implemented so far make it possible to seal and open data, and
also create and verify signatures.

Most of the functions require a key or a certificate as a parameter; to make
things easy for you to use openssl, this extension allows you to specify 
certificates or key in the following way:

1. As an openssl.x509 object returned from openssl.x509_read
2. As an openssl.evp_pkey object return from openssl.pkey_read 
   or openssl.pkey_new

Similarly, you can use the following methods of specifying a public key:

1. As a key object returned from object:get_public

There are many important lua object type:,		
They are short write as bio, x509, sk_x509, x509_req, evp_pkey,evp_digest, evp_cipher,
	engine(not used now!), cipher_ctx,  digest_ctx

Notes, In next section of this document,

    => means return a lua_openssl object
    -> means return a basic type of lua

If function return a nil, it will be follow by a error number and string

2. Certificate

openssl.x509_read(string val) => x509
    val is a string containing the data from the certificate file

x509:export([bool notext=true]) -> string
    export x509 as certificate content data

x509:parse([bool shortnames=true]) -> table
    return a table which contain all x509 information

x509:check_private_key(evp_pkey pkey) -> boolean

x509:get_public() => evp_pkey

x509:checkpurpose(string purpose, sk_x509 ca [,sk_x509 untrusted])->boolean
    purpose canbe one of: ssl_client, ssl_server, ns_ssl_server, smime_sign,
    smime_encrypt, crl_sign, any, ocsp_helper, timestamp_sign

    ca is an openssl.stack_of_x509 object contain certchain.
    untrusted is an openssl.stack_of_x509 object containing a bunch of certs
    that are not trusted but may be useful in validating the certificate.

openssl.stack_of_x509 is an important object ina lua-openssl, it can be used
as a certchaina, trusted CA files or unstrustcerts.

openssl.sk_x509_read(filename) => sk_x509
openssl.sk_x509_new([table array={}]} ->sk_x509

sk_x509:push(openssl.x509 cert) => sk_x509
sk_x509:pop()	=> x509

sk_x509:set(number i, x509 cert) =>sk_x509
sk_x509:get(number i) => x509

sk_x509:insert(x509 cert,number i, ) =>sk_x509
sk_x509:delete(number i) => x509

sk_x509:totable() -> table 
    tableas array contain x509 from index 1


#sk_x509  -> number
    return number of certs in stack_of_x509

3. Public/Private key functions

openssl.evp_new([string alg='rsa' [,int bits=1024|512, [...]]]) => evp_pkey
    default generate RSA key, bits=1024, 3rd paramater e default is 0x10001
    dsa,with bits default 1024 ,and seed data default have no data
    dh, with bits(prime_len) default 512, and generator default is 
    ec, not use any paramater, not fully support

openssl.pkey_new([table args]) =>  evp_pkey
    args = {dsa={n=,e=,...}|dh={}|dsa={}}
    private key should has it factor named n,q,e and so on, value is hex 
    encoded string

openssl.evp_read(string data|x509 cert [,bool public_key=true 
    [,string passphrase]]) => evp_pkey

   Read from a file or a data, coerce it into a EVP_PKEY object.
   It can be:
       1. X509 object -> public key will be extracted from it
       2. interpreted as the data from the cert/key file and interpreted in
       same way as openssl_get_privatekey()

    NOTE: If you are requesting a private key but have not specified a 
    passphrase, you should use an empty string rather than NULL for the 
    passphrase - NULL causes a passphrase prompt to be emitted Lua error !

evp_pkey:export(epv_pkey key [,boolean raw_key=false [, string passphrase]]) 
   -> string

   If raw_key is true, export will export rsa,dsa or dh data
evp_peky:parse(evp_pkey key) -> table
    returns an table with the key details (bits, pkey, type)
    pkey may be rsa, dh, dsa showd as table with factor hex encoded bignum.

evp_pkey:is_private() -> boolean
    Check whether the supplied key is a private key by checking if the secret
    prime factors are set

About padding

    Now supporting 6 padding mode, they are:
	sslv23:	RSA_SSLV23_PADDING	2
	x931:	RSA_X931_PADDING	5

   If input other padding string value other(ingore capatical) than above,
   will raise lua error.

evp_pkey:encrypt(string data [,string padding=pkcs1]) -> string
evp_pkey:decrypt(string data [,string padding=pkcs1]) -> string

4. Cipher

openssl.get_cipher(string alg|number alg_id) => evp_pkey
    return a evp_cipher method
openssl.get_cipher([bool aliases = true]) ->table
    return all ciphers methods default with alias, 

evp_cipher:info() ->table
    result with name, block_size,key_length,iv_length,flags,mode keys
evp_cipher:encrypt_init([ string key [,string iv [,engine engimp]]]) 
    => cipher_ctx
evp_cipher:decrypt_init([ string key [,string iv [,engine engimp]]]) 
    => cipher_ctx
evp_cipher:cipher_init(bool enc, [, string key [,string iv 
    [,engine engimp]]]) => cipher_ctx

evp_cipher:encrypt(string data, [ string key [,string iv 
    [,engine engimp]]]) -> string

evp_cipher:decrypt(string data, [ string key [,string iv 
    [,engine engimp]]]) -> string

cipher_ctx:info() ->table
    result with block_size,key_length,iv_length,flags,mode,nid,type 
    and evp_cipher object keys
cipher_ctx:encrypt_update(string data)->string
    return string may be 0 length
cipher_ctx:decrypt_update(string data)->string
    return string may be 0 length

cipher_ctx:update(string data)->string
    return string may be 0 length

cipher_ctx:cleanup() -> boolean
    reset state make object resulable.

5. Message Digest

openssl.get_digest(string alg|int alg_id) => digest_ctx
    return a evp_digest object
openssl.get_digest([bool alias=true]) -> table
    return all md methods default with alias

evp_digest:info() -> table
    return a table with key nid,name, size, block_size, pkey_type, flags
evp_digest:evp_digest(string in) -> string
    return binary evp_digest result

evp_digest:init() => digest_ctx

digest_ctx:info() -> table
    return a table with key block_size, size, type and diget object
digest_ctx:update(string data) -> boolean
digest_ctx:final() -> string
digest_ctx:cleanup() ->boolean

6. PKCS7 (S/MIME) Sign/Verify/Encrypt/Decrypt Functions:

These functions allow you to manipulate S/MIME messages!

They are based on apps/smime.c from the openssl dist, so for information,
see the documentation for openssl.

Strings "detached", "nodetached", "text", "nointern", "noverify",  "nochain",
"nocerts", "noattr", "binary", "nosigs" are supported

Decrypts the S/MIME message in the BIO object and and output the results to
BIO object. recipcert is a CERT for one of the recipients. recipkey 
specifies the private key matching recipcert.

headers is an array of headers to prepend to the message: they will
not be included in the encoded section.
flags is flag information as described above.
Hint: you will want to put "To", "From", and "Subject" headers in headers.
Headers can be either an assoc array keyed by header named, or can be
and indexed array containing a single header line per value.

openssl.pkcs7_sign(bio in, bio out, x509 signcert, evp_pkey signkey, 
	table headers [, string flags [,stack_of_x509 extracerts]])->boolean

   Signs the MIME message in the BIO in with signcert/signkey and output the 
   result to BIO out. 
   headers lists plain text headers to exclude from the signed portion of the
   message, and should include to, from and subject as a minimum 

openssl.pkcs7_verify(bio in, string flags [, stack_of_x509 signerscerts,
   [, stack_of_x509 cacerts, [, stack_of_x509 extracerts [,bio content])

   Verifys that the data block is intact, the signer is who they say they are,
   and returns the CERTs of the signers 

openssl.pkcs7_encrypt(bio in, bio out, stack_of_x509 recipcerts, table header
    [, string flags [,evp_cipher md] -> boolean

    Encrypts the message in the file named infile with the certificates in 
    recipcerts and output the result to the file named outfile

openssl.pkcs7_decrypt(bio in, bio out, x509 recipcert [,evp_pkey recipkey])

7. Certificate sign request and Certificate revocked list

openssl.csr_new(evp_pkey privkey, table dn={} [,table args = nil]) => x509_req
openssl.csr_read(string data) => x509_req

csr:sign(x509 cert, evp_pkey privkey, table arg) -> x509
	args must have serialNumber as hexecoded string, num_days as number
csr:export([boolean pem=true [, boolean noext=true]])->string
csr:get_public() -> evp_pkey

openssl.crl_read(string data) => x509_crl
openssl.crl_new(number version, x509 cacert,number lastUpdate,
    number nextUpdate, table revoked{hexserial=time,...}) => x509_crl

    Create a new X509 CRL object, lastUpdate and nextUpdate is time_t value,
    revoked is a table that hex cert serial is key, and time_t revocked time.

crl:verify(x509 cacert) -> boolean
crl:sign(evp_pkey privkey, [string alg=sha1WithRSAEncryption|digest md])
    -> boolean

crl:set_version(number version=0) -> boolean
crl:set_update_time([number lastUpdate=date() [, number nextUpdate=last+7d]])
    -> boolean
crl:set_issuer(x509 cacert) -> boolean
crl:add_revocked(string hexserial [,number time=now() 
    [, string reason|number reason = 0]) -> boolean

crl:parse() -> table
    table content is below.

8. PKCS12 Function

openssl.pkcs12_read(string pkcs12data, string pass) -> table
	Parses a PKCS12 data to an table
	return a table which have cert, pkey, and extracerts three keys

openssl.pkcs12_export(x509 cert, evp_pkey pkey, string pass 
	[[, string friendname ], table extracerts])) -> string
	Creates and exports a PKCS12 data

	friendname is options, if exist, must at 4th paramater
	extracerts is options, it can be at 4th or 5th(if friendname exist) paramater

9. Misc Function

openssl.object_create(string oid, string name [, string alias] ) -> boolean
    Add one object.
openssl.object_create(tables args) -> boolean
    Add a lot of object, args must be array index start from 1, and every 
    node is a table have oid,name and optional alias key.

openssl.random_bytes(number length [, boolean strong=false]) 
    -> string, boolean
    Returns a string of the length specified filled with random bytes

openssl.error_string()-> number, string
    If found error, it will return a error number code, followedd by string 
    description or it will return nothing and clear error state,
    so you can call it twice.

openssl.sign(string data,  evp_pkey key [, evp_digest md|string md_alg=SHA1])
    Uses key to create signature for data, returns signed result

openssl.verify(string data, string signature, evp_pkey key 
    [, evp_digest md|string md_alg=SHA1]) ->boolean
    Uses key to verify that the signature is correct for the given data.

openssl.seal(string data, table pubkeys [, evp_cipher enc|string md_alg=RC4])
    -> string, table
    Encrypts data using pubkeys, so that only owners of the respective
    private keys and ekeys can decrypt and read the data. Returns the
    sealed data and table contain ekeys hold envelope keys on success, 
    else nil. data, string ekey, int privkey, 
    [, evp_cipher enc|string md_alg=RC4]) -> string

Opens (decrypts) sealed data using a private key and the corresponding
envelope key. Returns decrypted data on success and nil on failure. 

openssl.bio_new_mem([string data]) => bio
    If data is none or nil, that will be a output object or input.

openssl.bio_new_file(string file [,string mode=r]) => bio
    If mode not gived, will return a input bio object.

openssl.bio_new_mem([string data]) => bio
    Create a memory bio, if data gived, that will be memory buffer data
openssl.bio_new_file(string file, [string mode='r'])->bio
    Create a file bio, if mode not gived, that default is 'r'

BIO object
bio:read(number len) -> string
bio:gets([number len=256]) -> string
bio:write(string data)->number
bio:puts(string data)->number

    only support bio mem bio


Howto 1: Build on Linux/Unix System.

   Before build, please change setting in config file
   work with Lua5.1£¬ sould support lua5.2 by update config file

	make install
	make clean

Howto 2: Build on Windows with MSVC.

   Before build, please change setting in file
   work with Lua5.1£¬ sould support lua5.2 by update file

	nmake -f
	nmake -f install
	nmake -f clean

Howto 3: Build on Windows with mingw.

II.  Example usage

Example 1: short encrypt/decrypt

	local evp_cipher = openssl.get_cipher('des')
	m = 'abcdefghick'
	key = m
	cdata = evp_cipher:encrypt(m,key)
	m1  = evp_cipher:decrypt(cdata,key)

Example 2: quich evp_digest

        md = openssl.get_digest('md5')
        m = 'abcd' 
        aa = md:evp_digest(m)

        bb = mdc:final()
Example 3:  Iterator a openssl.stack_of_x509(sk_x509) object

	n = #sk
	for i=1, n do
		x = sk:get(i)

Example 4: read and parse certificate

	local openssl = require('openssl')

	function dump(t,i)
		for k,v in pairs(t) do
			if(type(v)=='table') then
				print( string.rep('\t',i),k..'={')
				print( string.rep('\t',i),k..'=}')
				print( string.rep('\t',i),k..'='..tostring(v))

	function test_x509()
		local x = openssl.x509_read(certasstring)
		t = x:parse()


More please see test lua script file.
Something went wrong with that request. Please try again.