Adding upstream version 7.94+git20230807.3be01efb1+dfsg.upstream/7.94+git20230807.3be01efb1+dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 713 insertions, 0 deletions

diff --git a/nse_ssl_cert.cc b/nse_ssl_cert.cc
new file mode 100644
index 0000000..09cbd04
--- /dev/null
+++ b/nse_ssl_cert.cc
@@ -0,0 +1,713 @@
+
+/***************************************************************************
+ * nse_ssl_cert.cc -- NSE userdatum representing an SSL certificate.       *
+ *                                                                         *
+ ***********************IMPORTANT NMAP LICENSE TERMS************************
+ *
+ * The Nmap Security Scanner is (C) 1996-2023 Nmap Software LLC ("The Nmap
+ * Project"). Nmap is also a registered trademark of the Nmap Project.
+ *
+ * This program is distributed under the terms of the Nmap Public Source
+ * License (NPSL). The exact license text applying to a particular Nmap
+ * release or source code control revision is contained in the LICENSE
+ * file distributed with that version of Nmap or source code control
+ * revision. More Nmap copyright/legal information is available from
+ * https://nmap.org/book/man-legal.html, and further information on the
+ * NPSL license itself can be found at https://nmap.org/npsl/ . This
+ * header summarizes some key points from the Nmap license, but is no
+ * substitute for the actual license text.
+ *
+ * Nmap is generally free for end users to download and use themselves,
+ * including commercial use. It is available from https://nmap.org.
+ *
+ * The Nmap license generally prohibits companies from using and
+ * redistributing Nmap in commercial products, but we sell a special Nmap
+ * OEM Edition with a more permissive license and special features for
+ * this purpose. See https://nmap.org/oem/
+ *
+ * If you have received a written Nmap license agreement or contract
+ * stating terms other than these (such as an Nmap OEM license), you may
+ * choose to use and redistribute Nmap under those terms instead.
+ *
+ * The official Nmap Windows builds include the Npcap software
+ * (https://npcap.com) for packet capture and transmission. It is under
+ * separate license terms which forbid redistribution without special
+ * permission. So the official Nmap Windows builds may not be redistributed
+ * without special permission (such as an Nmap OEM license).
+ *
+ * Source is provided to this software because we believe users have a
+ * right to know exactly what a program is going to do before they run it.
+ * This also allows you to audit the software for security holes.
+ *
+ * Source code also allows you to port Nmap to new platforms, fix bugs, and add
+ * new features. You are highly encouraged to submit your changes as a Github PR
+ * or by email to the dev@nmap.org mailing list for possible incorporation into
+ * the main distribution. Unless you specify otherwise, it is understood that
+ * you are offering us very broad rights to use your submissions as described in
+ * the Nmap Public Source License Contributor Agreement. This is important
+ * because we fund the project by selling licenses with various terms, and also
+ * because the inability to relicense code has caused devastating problems for
+ * other Free Software projects (such as KDE and NASM).
+ *
+ * The free version of Nmap is distributed in the hope that it will be
+ * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties,
+ * indemnification and commercial support are all available through the
+ * Npcap OEM program--see https://nmap.org/oem/
+ *
+ ***************************************************************************/
+
+/* $Id:$ */
+
+#include "nbase.h"
+
+#ifdef HAVE_CONFIG_H
+#include "nmap_config.h"
+#endif
+
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined LIBRESSL_VERSION_NUMBER
+/* Technically some of these things were added in 0x10100006
+ * but that was pre-release. */
+#define HAVE_OPAQUE_STRUCTS 1
+#else
+#define X509_get0_notBefore X509_get_notBefore
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+/* Deprecated in OpenSSL 3.0 */
+#define SSL_get_peer_certificate SSL_get1_peer_certificate
+#else
+#include <openssl/rsa.h>
+#endif
+
+
+/* struct tm */
+#include <time.h>
+
+#include "nse_lua.h"
+
+#include "nse_nsock.h"
+#include "nse_openssl.h"
+
+struct cert_userdata {
+  X509 *cert;
+  int attributes_table;
+};
+
+SSL *nse_nsock_get_ssl(lua_State *L);
+
+/* This is a reference to a table that will be used as the metatable for
+   certificate attribute tables. It has an __index entry that points to the
+   global table of certificate functions like digest. */
+static int ssl_cert_methods_index_ref = LUA_NOREF;
+
+/* Calculate the digest of the certificate using the given algorithm. */
+static int ssl_cert_digest(lua_State *L)
+{
+  struct cert_userdata *udata;
+  const char *algorithm;
+  unsigned char buf[256];
+  unsigned int n;
+  const EVP_MD *md;
+
+  udata = (struct cert_userdata *) luaL_checkudata(L, 1, "SSL_CERT");
+  algorithm = luaL_checkstring(L, 2);
+
+  md = EVP_get_digestbyname(algorithm);
+  if (md == NULL)
+      return 0;
+
+  n = sizeof(buf);
+  if (X509_digest(udata->cert, md, buf, &n) != 1)
+      return 0;
+  lua_pushlstring(L, (char *) buf, n);
+
+  return 1;
+}
+
+/* These are the contents of the table that is pointed to by the table that has
+   ssl_cert_methods_index_ref as a reference. */
+static struct luaL_Reg ssl_cert_methods[] = {
+  { "digest", ssl_cert_digest },
+  { NULL, NULL },
+};
+
+/* This is a helper function for x509_name_to_table. It takes the ASN1_OBJECT
+   passed as an argument, turns it into a table key, and pushes it on the stack.
+   The key is a string (like "commonName") if the object has an NID known by
+   OBJ_obj2nid; otherwise it is an array containing the OID components as
+   strings: { "2", "5", "4", "3" }. */
+static void obj_to_key(lua_State *L, const ASN1_OBJECT *obj)
+{
+  int nid;
+
+  nid = OBJ_obj2nid(obj);
+  if (nid == NID_undef) {
+    size_t size = 1;
+    char *buf = (char *) lua_newuserdata(L, size);
+    const char *p, *q;
+    int i, n;
+
+    while ((n = OBJ_obj2txt(buf, size, obj, 1)) < 0 || (unsigned) n >= size) {
+      size = size * 2;
+      buf = (char *) lua_newuserdata(L, size);
+      memcpy(lua_touserdata(L, -1), lua_touserdata(L, -2), lua_rawlen(L, -2));
+      lua_replace(L, -2);
+    }
+
+    lua_newtable(L);
+
+    i = 1;
+    p = buf;
+    q = p;
+    while (*q != '\0') {
+      q = strchr(p, '.');
+      if (q == NULL)
+        q = strchr(p, '\0');
+      lua_pushlstring(L, p, q - p);
+      lua_rawseti(L, -2, i++);
+      p = q + 1;
+    }
+    lua_replace(L, -2); /* replace userdata with table */
+  } else {
+    lua_pushstring(L, OBJ_nid2ln(nid));
+  }
+}
+
+/* This is a helper function for l_get_ssl_certificate. It builds a table from
+   the given X509_NAME, using keys returned from obj_to_key as keys. The result
+   is pushed on the stack. */
+static void x509_name_to_table(lua_State *L, X509_NAME *name)
+{
+  int i;
+
+  lua_createtable(L, 0, X509_NAME_entry_count(name));
+
+  for (i = 0; i < X509_NAME_entry_count(name); i++) {
+    X509_NAME_ENTRY *entry;
+    const ASN1_OBJECT *obj;
+    const ASN1_STRING *value;
+
+    entry = X509_NAME_get_entry(name, i);
+    obj = X509_NAME_ENTRY_get_object(entry);
+    value = X509_NAME_ENTRY_get_data(entry);
+
+    obj_to_key(L, obj);
+    lua_pushlstring(L, (const char *) value->data, value->length);
+
+    lua_settable(L, -3);
+  }
+}
+
+static bool x509_extensions_to_table(lua_State *L, const STACK_OF(X509_EXTENSION) *exts)
+{
+  if (sk_X509_EXTENSION_num(exts) <= 0)
+    return false;
+
+  lua_createtable(L, sk_X509_EXTENSION_num(exts), 0);
+
+  for (int i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+    ASN1_OBJECT *obj;
+    X509_EXTENSION *ext;
+    char *value = NULL;
+    BIO *out;
+
+    ext = sk_X509_EXTENSION_value(exts, i);
+    obj = X509_EXTENSION_get_object(ext);
+
+#define NSE_NUM_X509_EXTENSION_FIELDS 3
+    lua_createtable(L, 0, NSE_NUM_X509_EXTENSION_FIELDS);
+    char objname[256];
+    long len = 0;
+    len = OBJ_obj2txt(objname, 256, obj, 0);
+    lua_pushlstring(L, objname, MIN(len, 256));
+    lua_setfield(L, -2, "name");
+
+
+    if (X509_EXTENSION_get_critical(ext)) {
+      lua_pushboolean(L, true);
+      lua_setfield(L, -2, "critical");
+    }
+
+    out = BIO_new(BIO_s_mem());
+    if (!X509V3_EXT_print(out, ext, 0, 0)) {
+      lua_pushboolean(L, true);
+      lua_setfield(L, -2, "error");
+    }
+    else {
+      len = BIO_get_mem_data(out, &value);
+      lua_pushlstring(L, value, len);
+      lua_setfield(L, -2, "value");
+    }
+    BIO_free_all(out);
+
+    lua_rawseti(L, -2, i+1);
+  }
+
+  return true;
+
+}
+
+/* Parse as a decimal integer the len characters starting at s. This function
+   can only process positive numbers; if the return value is negative then a
+   parsing error occurred. */
+static int parse_int(const unsigned char *s, size_t len)
+{
+  char buf[32];
+  char *tail;
+  long v;
+
+  if (len == 0)
+    return -1;
+  if (!isdigit((int) (unsigned char) s[0]))
+    return -1;
+  if (len > sizeof(buf) - 1)
+    return -1;
+  memcpy(buf, s, len);
+  buf[len] = '\0';
+
+  errno = 0;
+  v = strtol(buf, &tail, 10);
+  if (errno != 0 || *tail != '\0')
+    return -1;
+  if ((int) v != v || v < 0)
+    return -1;
+
+  return (int) v;
+}
+
+/* This is a helper function for asn1_time_to_obj. It parses a textual ASN1_TIME
+   value and stores the time in the given struct tm. It returns 0 on success and
+   -1 on a parse error. */
+static int time_to_tm(const ASN1_TIME *t, struct tm *result)
+{
+  const unsigned char *p;
+
+  p = t->data;
+  if (t->length == 13 && t->data[t->length - 1] == 'Z') {
+    /* yymmddhhmmssZ */
+    int year;
+
+    year = parse_int(t->data, 2);
+    if (year < 0)
+      return -1;
+    /* "In coming up with the worlds least efficient machine-readable time
+       encoding format, the ISO nevertheless decided to forgo the encoding of
+       centuries, a problem which has been kludged around by redefining the time
+       as UTCTime if the date is 2049 or earlier, and GeneralizedTime if the date
+       is 2050 or later."
+       http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt */
+    if (year < 50)
+      result->tm_year = 2000 + year;
+    else
+      result->tm_year = 1900 + year;
+    p = t->data + 2;
+  } else if (t->length == 15 && t->data[t->length - 1] == 'Z') {
+    /* yyyymmddhhmmssZ */
+    result->tm_year = parse_int(t->data, 4);
+    if (result->tm_year < 0)
+      return -1;
+    p = t->data + 4;
+  } else {
+    return -1;
+  }
+
+  result->tm_mon = parse_int(p, 2);
+  /* struct tm uses zero-indexed months. */
+  if (result->tm_mon == 0)
+    return -1;
+  result->tm_mon--;
+  result->tm_mday = parse_int(p + 2, 2);
+  result->tm_hour = parse_int(p + 4, 2);
+  result->tm_min = parse_int(p + 6, 2);
+  result->tm_sec = parse_int(p + 8, 2);
+
+  if (result->tm_mon < 0 || result->tm_mday < 0 || result->tm_hour < 0
+      || result->tm_min < 0 || result->tm_sec < 0) {
+    return -1;
+  }
+
+  return 0;
+}
+
+/* This is a helper function for asn1_time_to_obj. It converts a struct tm into
+   a date table as returned by the Lua date os.date("!*t"), with the exception
+   that the wday and yday fields are not present. */
+static void tm_to_table(lua_State *L, const struct tm *tm)
+{
+#define NSE_NUM_TM_FIELDS 6
+  lua_createtable(L, 0, NSE_NUM_TM_FIELDS);
+
+  lua_pushinteger(L, tm->tm_year);
+  lua_setfield(L, -2, "year");
+  /* Lua uses one-indexed months. */
+  lua_pushinteger(L, tm->tm_mon + 1);
+  lua_setfield(L, -2, "month");
+  lua_pushinteger(L, tm->tm_mday);
+  lua_setfield(L, -2, "day");
+  lua_pushinteger(L, tm->tm_hour);
+  lua_setfield(L, -2, "hour");
+  lua_pushinteger(L, tm->tm_min);
+  lua_setfield(L, -2, "min");
+  lua_pushinteger(L, tm->tm_sec);
+  lua_setfield(L, -2, "sec");
+  /* Omit tm_wday and tm_yday. */
+}
+
+/* This is a helper function for x509_validity_to_table. It takes the given
+   ASN1_TIME and converts it to a value on the stack, which is one of
+     nil, if the time is NULL;
+     a date table, if the date can be parsed; and
+     a string of the raw bytes, if the date cannot be parsed. */
+static void asn1_time_to_obj(lua_State *L, const ASN1_TIME *s)
+{
+  struct tm tm;
+
+  if (s == NULL) {
+      lua_pushnil(L);
+  } else if (time_to_tm(s, &tm) == 0) {
+      tm_to_table(L, &tm);
+  } else {
+      lua_pushlstring(L, (const char *) s->data, s->length);
+  }
+}
+
+/* This is a helper function for x509_validity_to_table. It builds a table with
+   the two members "notBefore" and "notAfter", whose values are what is returned
+   from asn1_time_to_obj. */
+static void x509_validity_to_table(lua_State *L, X509 *cert)
+{
+#define NSE_NUM_VALIDITY_FIELDS 2
+  lua_createtable(L, 0, NSE_NUM_VALIDITY_FIELDS);
+
+  asn1_time_to_obj(L, X509_get0_notBefore(cert));
+  lua_setfield(L, -2, "notBefore");
+  asn1_time_to_obj(L, X509_get0_notAfter(cert));
+  lua_setfield(L, -2, "notAfter");
+}
+
+/* This is a helper function for l_get_ssl_certificate. It converts the
+   certificate into a PEM-encoded string on the stack. */
+static void cert_pem_to_string(lua_State *L, X509 *cert)
+{
+  BIO *bio;
+  char *buf;
+  long size;
+
+  bio = BIO_new(BIO_s_mem());
+  assert(bio != NULL);
+
+  assert(PEM_write_bio_X509(bio, cert));
+
+  size = BIO_get_mem_data(bio, &buf);
+  lua_pushlstring(L, buf, size);
+
+  BIO_vfree(bio);
+}
+
+/* This is a helper function for l_get_ssl_certificate. It converts the
+   public-key type to a string. */
+static const char *pkey_type_to_string(int type)
+{
+  switch (type) {
+  case EVP_PKEY_RSA:
+    return "rsa";
+  case EVP_PKEY_DSA:
+    return "dsa";
+  case EVP_PKEY_DH:
+    return "dh";
+#ifdef EVP_PKEY_EC
+  case EVP_PKEY_EC:
+    return "ec";
+#endif
+  default:
+    return "unknown";
+  }
+}
+
+int lua_push_ecdhparams(lua_State *L, EVP_PKEY *pubkey) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  char tmp[64] = {0};
+  size_t len = 0;
+  /* This structure (ecdhparams.curve_params) comes from tls.lua */
+  lua_createtable(L, 0, 1); /* ecdhparams */
+  lua_createtable(L, 0, 2); /* curve_params */
+  if (EVP_PKEY_get_utf8_string_param(pubkey, OSSL_PKEY_PARAM_GROUP_NAME,
+        tmp, sizeof(tmp), &len)) {
+    lua_pushlstring(L, tmp, len);
+    lua_setfield(L, -2, "curve");
+    lua_pushliteral(L, "namedcurve");
+    lua_setfield(L, -2, "ec_curve_type");
+  }
+  else if (EVP_PKEY_get_utf8_string_param(pubkey, OSSL_PKEY_PARAM_EC_FIELD_TYPE,
+        tmp, sizeof(tmp), &len)) {
+    /* According to RFC 5480 section 2.1.1, explicit curves must not be used with
+       X.509. This may change in the future, but for now it doesn't seem worth it
+       to add in code to extract the extra parameters. */
+    if (0 == strncmp(tmp, "prime-field", len)) {
+      lua_pushliteral(L, "explicit_prime");
+    }
+    else if (0 == strncmp(tmp, "characteristic-two-field", len)) {
+      lua_pushliteral(L, "explicit_char2");
+    }
+    else {
+      /* Something weird happened. */
+      lua_pushlstring(L, tmp, len);
+    }
+    lua_setfield(L, -2, "ec_curve_type");
+  }
+  lua_setfield(L, -2, "curve_params");
+  return 1;
+#elif !defined(OPENSSL_NO_EC)
+  EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pubkey);
+  const EC_GROUP *group = EC_KEY_get0_group(ec_key);
+  int nid;
+  /* This structure (ecdhparams.curve_params) comes from tls.lua */
+  lua_createtable(L, 0, 1); /* ecdhparams */
+  lua_createtable(L, 0, 2); /* curve_params */
+  if ((nid = EC_GROUP_get_curve_name(group)) != 0) {
+    lua_pushstring(L, OBJ_nid2sn(nid));
+    lua_setfield(L, -2, "curve");
+    lua_pushstring(L, "namedcurve");
+    lua_setfield(L, -2, "ec_curve_type");
+  }
+  else {
+    /* According to RFC 5480 section 2.1.1, explicit curves must not be used with
+       X.509. This may change in the future, but for now it doesn't seem worth it
+       to add in code to extract the extra parameters. */
+    nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
+    if (nid == NID_X9_62_prime_field) {
+      lua_pushstring(L, "explicit_prime");
+    }
+    else if (nid == NID_X9_62_characteristic_two_field) {
+      lua_pushstring(L, "explicit_char2");
+    }
+    else {
+      /* Something weird happened. */
+      lua_pushstring(L, "UNKNOWN");
+    }
+    lua_setfield(L, -2, "ec_curve_type");
+  }
+  lua_setfield(L, -2, "curve_params");
+  EC_KEY_free(ec_key);
+  return 1;
+#else
+  return 0;
+#endif
+}
+
+static int parse_ssl_cert(lua_State *L, X509 *cert);
+
+int l_parse_ssl_certificate(lua_State *L)
+{
+  X509 *cert;
+  size_t l;
+  const char *der;
+
+  der = luaL_checklstring(L, 1, &l);
+  if (der == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+
+  cert = d2i_X509(NULL, (const unsigned char **) &der, l);
+  if (cert == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+  return parse_ssl_cert(L, cert);
+}
+
+int l_get_ssl_certificate(lua_State *L)
+{
+  SSL *ssl;
+  X509 *cert;
+
+  ssl = nse_nsock_get_ssl(L);
+  cert = SSL_get_peer_certificate(ssl);
+  if (cert == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+  return parse_ssl_cert(L, cert);
+}
+
+static int parse_ssl_cert(lua_State *L, X509 *cert)
+{
+  struct cert_userdata *udata;
+  X509_NAME *subject, *issuer;
+  EVP_PKEY *pubkey;
+  int pkey_type;
+
+  udata = (struct cert_userdata *) lua_newuserdata(L, sizeof(*udata));
+  udata->cert = cert;
+
+#define NSE_NUM_CERT_FIELDS 7
+  lua_createtable(L, 0, NSE_NUM_CERT_FIELDS);
+
+  subject = X509_get_subject_name(cert);
+  if (subject != NULL) {
+    x509_name_to_table(L, subject);
+    lua_setfield(L, -2, "subject");
+  }
+
+#if HAVE_OPAQUE_STRUCTS
+  const char *sig_algo = OBJ_nid2ln(X509_get_signature_nid(cert));
+#else
+  const char *sig_algo = OBJ_nid2ln(OBJ_obj2nid(cert->sig_alg->algorithm));
+#endif
+  lua_pushstring(L, sig_algo);
+  lua_setfield(L, -2, "sig_algorithm");
+
+  issuer = X509_get_issuer_name(cert);
+  if (issuer != NULL) {
+    x509_name_to_table(L, issuer);
+    lua_setfield(L, -2, "issuer");
+  }
+
+  x509_validity_to_table(L, cert);
+  lua_setfield(L, -2, "validity");
+
+  cert_pem_to_string(L, cert);
+  lua_setfield(L, -2, "pem");
+
+#if HAVE_OPAQUE_STRUCTS
+  if (x509_extensions_to_table(L, X509_get0_extensions(cert))) {
+#else
+  if (x509_extensions_to_table(L, cert->cert_info->extensions)) {
+#endif
+    lua_setfield(L, -2, "extensions");
+  }
+
+  pubkey = X509_get_pubkey(cert);
+  if (pubkey == NULL) {
+    lua_pushnil(L);
+    lua_pushfstring(L, "Error parsing cert: %s", ERR_error_string(ERR_get_error(), NULL));
+    X509_free(cert);
+    return 2;
+  }
+#define NSE_NUM_PKEY_FIELDS 4
+  lua_createtable(L, 0, NSE_NUM_PKEY_FIELDS);
+#if HAVE_OPAQUE_STRUCTS
+  pkey_type = EVP_PKEY_base_id(pubkey);
+#else
+  pkey_type = EVP_PKEY_type(pubkey->type);
+#endif
+#ifdef EVP_PKEY_EC
+  if (pkey_type == EVP_PKEY_EC) {
+    lua_push_ecdhparams(L, pubkey);
+    lua_setfield(L, -2, "ecdhparams");
+  }
+  else
+#endif
+  if (pkey_type == EVP_PKEY_RSA) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    BIGNUM *n = NULL, *e = NULL;
+    bool should_free = true;
+    EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
+    EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
+#else
+    bool should_free = false;
+    RSA *rsa = EVP_PKEY_get1_RSA(pubkey);
+    if (!rsa) {
+      // This should be impossible for this key type
+      return luaL_error(L, "EVP_PKEY_RSA missing RSA key!");
+    }
+# if HAVE_OPAQUE_STRUCTS
+    const BIGNUM *n = NULL, *e = NULL;
+    RSA_get0_key(rsa, &n, &e, NULL);
+# endif
+#endif
+#if HAVE_OPAQUE_STRUCTS
+# define PASS_RSA_PARAM(_P) ((BIGNUM *)(_P))
+#else /* not HAVE_OPAQUE_STRUCTS */
+# define PASS_RSA_PARAM(_P) (rsa->_P)
+#endif
+    /* exponent */
+    nse_pushbn(L, PASS_RSA_PARAM(e), should_free);
+    lua_setfield(L, -2, "exponent");
+    /* modulus */
+    nse_pushbn(L, PASS_RSA_PARAM(n), should_free);
+    lua_setfield(L, -2, "modulus");
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    RSA_free(rsa);
+#endif
+  }
+  lua_pushstring(L, pkey_type_to_string(pkey_type));
+  lua_setfield(L, -2, "type");
+  lua_pushinteger(L, EVP_PKEY_bits(pubkey));
+  lua_setfield(L, -2, "bits");
+  lua_setfield(L, -2, "pubkey");
+  EVP_PKEY_free(pubkey);
+
+  /* At this point the certificate-specific table of attributes is at the top of
+     the stack. We give it a metatable with an __index entry that points into
+     the global shared table of certificate functions. */
+  lua_rawgeti(L, LUA_REGISTRYINDEX, ssl_cert_methods_index_ref);
+  lua_setmetatable(L, -2);
+
+  udata->attributes_table = luaL_ref(L, LUA_REGISTRYINDEX);
+
+  luaL_getmetatable(L, "SSL_CERT");
+  lua_setmetatable(L, -2);
+
+  return 1;
+}
+
+static int l_ssl_cert_index(lua_State *L)
+{
+  struct cert_userdata *udata;
+
+  udata = (struct cert_userdata *) luaL_checkudata(L, 1, "SSL_CERT");
+  lua_rawgeti(L, LUA_REGISTRYINDEX, udata->attributes_table);
+  /* The key. */
+  lua_pushvalue(L, 2);
+  /* Look it up in the table of attributes. */
+  lua_gettable(L, -2);
+
+  return 1;
+}
+
+static int l_ssl_cert_gc(lua_State *L)
+{
+  struct cert_userdata *udata;
+
+  udata = (struct cert_userdata *) luaL_checkudata(L, 1, "SSL_CERT");
+  X509_free(udata->cert);
+  luaL_unref(L, LUA_REGISTRYINDEX, udata->attributes_table);
+
+  return 0;
+}
+
+void nse_nsock_init_ssl_cert(lua_State *L)
+{
+  luaL_newmetatable(L, "SSL_CERT");
+  lua_pushcclosure(L, l_ssl_cert_index, 0);
+  lua_setfield(L, -2, "__index");
+  lua_pushcclosure(L, l_ssl_cert_gc, 0);
+  lua_setfield(L, -2, "__gc");
+
+  /* Create a table with an __index entry that will be used as a metatable for
+     per-certificate attribute tables. This gives the tables access to the
+     global shared table of certificate functions. */
+  lua_newtable(L);
+  lua_newtable(L);
+  luaL_setfuncs(L, ssl_cert_methods, 0);
+  lua_setfield(L, -2, "__index");
+  ssl_cert_methods_index_ref = luaL_ref(L, LUA_REGISTRYINDEX);
+}