- add custom extension support

- add support to retrive custom extension value
- add support to add custom protocol for protocol negotiation

Signed-off-by: Tiger <rbalajis25@gmail.com>

cert.go

@@ -331,6 +331,14 @@ func (c *Certificate) AddExtension(nid NID, value string) error {
 	return nil
 }
 
+// AddCustomExtension add custom extenstion to the certificate.
+func (c *Certificate) AddCustomExtension(nid NID, value []byte) error {
+	if int(C.add_custom_ext(c.x, C.int(nid), (*C.char)(C.CBytes(value)), C.int(len(value)))) == 0 {
+		return errors.New("Unable to add extension")
+	}
+	return nil
+}
+
 // Wraps AddExtension using a map of NID to text extension.
 // Will return without finishing if it encounters an error.
 func (c *Certificate) AddExtensions(extensions map[NID]string) error {
@@ -413,3 +421,17 @@ func (c *Certificate) SetVersion(version X509_Version) error {
 	}
 	return nil
 }
+
+// GetExtensionValue returns the value of the given NID's extension.
+func (c *Certificate) GetExtensionValue(nid NID) []byte {
+	dataLength := C.int(0)
+	val := C.get_extention(c.x, C.int(nid), &dataLength)
+	return charToBytes(val, int(dataLength))
+}
+
+// charToBytes converts c unisgned char to golang bytes
+func charToBytes(src *C.uchar, sz int) []byte {
+	dest := make([]byte, sz)
+	copy(dest, (*(*[1024]byte)(unsafe.Pointer(src)))[:sz:sz])
+	return dest
+}

ctx.go

@@ -522,6 +522,29 @@ func (c *Ctx) SetCipherList(list string) error {
 	return nil
 }
 
+// SetNextProtos sets Negotiation protocol to the ctx.
+func (c *Ctx) SetNextProtos(protos []string) error {
+	if len(protos) == 0 {
+		return nil
+	}
+	vector := make([]byte, 0)
+	for _, proto := range protos {
+		if len(proto) > 255 {
+			return fmt.Errorf(
+				"Proto length can't be more than 255. But got a proto %s with length %d",
+				proto, len(proto))
+		}
+		vector = append(vector, byte(uint8(len(proto))))
+		vector = append(vector, []byte(proto)...)
+	}
+	ret := int(C.SSL_CTX_set_alpn_protos(c.ctx, (*C.uchar)(unsafe.Pointer(&vector[0])),
+		C.uint(len(vector))))
+	if ret != 0 {
+		return errors.New("Error while setting protos to ctx")
+	}
+	return nil
+}
+
 type SessionCacheModes int
 
 const (

exntension.c

@@ -0,0 +1,40 @@
+
+
+#include <openssl/x509v3.h>
+#include <string.h>
+
+const unsigned char * get_extention(X509 *x, int NID, int *data_len){
+    int loc;
+    ASN1_OCTET_STRING *octet_str;
+    long xlen;
+    int tag, xclass;
+
+    loc = X509_get_ext_by_NID( x, NID, -1);
+    X509_EXTENSION *ex = X509_get_ext(x, loc);
+    octet_str = X509_EXTENSION_get_data(ex);
+	*data_len = octet_str->length;
+    return octet_str->data;
+}
+
+// Copied from https://github.com/libtor/openssl/blob/master/demos/x509/mkcert.c#L153
+int add_custom_ext(X509 *cert, int nid,unsigned char *value, int len)
+{
+	X509_EXTENSION *ex;
+	ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os,value,len);   
+	X509V3_CTX ctx;
+	/* This sets the 'context' of the extensions. */
+	/* No configuration database */
+	X509V3_set_ctx_nodb(&ctx);
+	/* Issuer and subject certs: both the target since it is self signed,
+	 * no request and no CRL
+	 */
+	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
+	// ref http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-td47446.html
+	ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os); 
+	if (!X509_add_ext(cert,ex,-1))
+		return 0;
+
+	X509_EXTENSION_free(ex);
+	return 1;
+}

extension.c

@@ -0,0 +1,40 @@
+
+
+#include <openssl/x509v3.h>
+#include <string.h>
+
+const unsigned char * get_extention(X509 *x, int NID, int *data_len){
+    int loc;
+    ASN1_OCTET_STRING *octet_str;
+    long xlen;
+    int tag, xclass;
+
+    loc = X509_get_ext_by_NID( x, NID, -1);
+    X509_EXTENSION *ex = X509_get_ext(x, loc);
+    octet_str = X509_EXTENSION_get_data(ex);
+	*data_len = octet_str->length;
+    return octet_str->data;
+}
+
+// Copied from https://github.com/libtor/openssl/blob/master/demos/x509/mkcert.c#L153
+int add_custom_ext(X509 *cert, int nid,unsigned char *value, int len)
+{
+	X509_EXTENSION *ex;
+	ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os,value,len);   
+	X509V3_CTX ctx;
+	/* This sets the 'context' of the extensions. */
+	/* No configuration database */
+	X509V3_set_ctx_nodb(&ctx);
+	/* Issuer and subject certs: both the target since it is self signed,
+	 * no request and no CRL
+	 */
+	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
+	// ref http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-td47446.html
+	ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os); 
+	if (!X509_add_ext(cert,ex,-1))
+		return 0;
+
+	X509_EXTENSION_free(ex);
+	return 1;
+}

object.go

@@ -19,6 +19,6 @@ import "C"
 
 // CreateObjectIdentifier creates ObjectIdentifier and returns NID for the created
 // ObjectIdentifier
-func CreateObjectIdentifier(oid string, shortName string, longName string) int {
-	return int(C.OBJ_create(C.CString(oid), C.CString(shortName), C.CString(longName)))
+func CreateObjectIdentifier(oid string, shortName string, longName string) NID {
+	return NID(C.OBJ_create(C.CString(oid), C.CString(shortName), C.CString(longName)))
 }

shim.h

@@ -90,6 +90,8 @@ extern int X_SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX *sslctx,
 extern int X_SSL_CTX_ticket_key_cb(SSL *s, unsigned char key_name[16],
         unsigned char iv[EVP_MAX_IV_LENGTH],
         EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc);
+extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
+                             unsigned int protos_len);
 
 /* BIO methods */
 extern int X_BIO_get_flags(BIO *b);
@@ -174,3 +176,7 @@ extern int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const
 
 /* Object methods */
 extern int OBJ_create(const char *oid,const char *sn,const char *ln);
+
+/* Extension helper method */
+extern const unsigned char * get_extention(X509 *x, int NID, int *data_len);
+extern int add_custom_ext(X509 *cert, int nid, char *value, int len);