Support OCSP-Must-Staple

[KellerFuchs]

OCSP-Must-Staple makes certificate revocation work and scale: it is a standardized X.509 extension that specifies that the user agent must do a hard-fail revocation check, using a stapled OCSP response.

This requires:

• supporting OCSP stapling;
• supporting RFC 7633 TLS Features Extensions (might belong in luaossl);
• adding logic to handle this specific extension.

[daurnimator]

supporting OCSP stapling

Blocked on wahern/luaossl#49

supporting X.509 extensions;

They are supported:

local ssl = my_connection:checktls()
local cert = ssl:getPeerCertificate()
local ocsp_must_staple = cert:getExtension("1.3.6.1.5.5.7.1.24")
local data = ocsp_must_staple:getData()

adding logic to handle this specific extension.

We need to know what to do with the contents of data above.
I tried reading through https://tools.ietf.org/html/rfc7633 but I got lost.

[KellerFuchs]

@daurnimator I can try to implement this once wahern/luaossl#49 is resolved.

[KellerFuchs]

@daurnimator I think I just understood: the data associated to 1.3.6.1.5.5.7.1.24 is an ASN.1 INTEGER SEQUENCE, and each element is the id of a TLS Extension that the server must support.

They could have written it in a more straightforward way...

[daurnimator]

@daurnimator I can try to implement this once wahern/luaossl#49 is resolved.

Which bits do we need exactly? I wrote what might be enough over here: wahern/luaossl#83

[KellerFuchs]

@daurnimator I will check it out.
Unfortunately, I can't self-assign the issue it seems.

[daurnimator]

@KellerFuchs ping?

[KellerFuchs]

@daurnimator I had completely forgotten about this: since I wasn't subscribed to wahern/luaossl#83 (only the corresponding issue), I didn't see it got merged earlier this year.
Now that luaossl binds the necessary functions, I will have a stab at this later, spoons permitting.

[daurnimator]

@KellerFuchs ping?