
Lua: how to obtain client details after successful client authentication with LuaSec

I am using the default 'oneshot' example (see below) from LuaSec 0.4 to implement 2-way authentication. Authentication is successful, so apparently the Certificate Authority (CA) acknowledges that the peers are who they claim to be.

But how can I see who the peers claim to be? E.g. how can I inspect the organization name of the peer's certificate? Because although the client can now trust that the server is known by the CA, the client does not know if the server is really the right peer.

And the other way around: the server knows that the connected client is known by the CA. But many clients are known by the CA, so how can the server know which client is connected?

-------- For the sake of completeness
-------  server code: 
require("socket")
require("ssl")
local params = {
   mode = "server",
   protocol = "sslv3",
   key = "../certs/serverAkey.pem",
   certificate = "../certs/serverA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = {"all", "no_sslv2"},
}
-- SSL context
local ctx = assert(ssl.newcontext(params))

local server = socket.tcp()
server:setoption('reuseaddr', true)
assert( server:bind("127.0.0.1", 8888) )
server:listen()
local peer = server:accept()
-- SSL wrapper
peer = assert( ssl.wrap(peer, ctx) )
assert( peer:dohandshake() )

local fd = peer:getfd()
peer:send("oneshot test\n")
peer:close()

-------  client code:
require("socket")
require("ssl")
local params = {
   mode = "client",
   protocol = "sslv3",
   key = "../certs/clientAkey.pem",
   certificate = "../certs/clientA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = {"all", "no_sslv2"},
}
local peer = socket.tcp()
peer:connect("127.0.0.1", 8888)
-- SSL wrapper
peer = assert( ssl.wrap(peer, params) )
assert(peer:dohandshake())
print(peer:receive("*l"))
peer:close()


As of 0.4 LuaSec does not provide an API for retrieving/decoding certificates. As we use LuaSec in the Prosody XMPP server and XMPP can also use TLS+certs for authentication, we've been hacking on LuaSec to support APIs for this.

Our work is not yet merged upstream, but hopefully it shall be soon. In the meantime you can find it here: http://code.matthewwild.co.uk/luasec-hg

Getting the remote entity's cert is as simple as:

   cert = conn:getpeercertificate()

This returns an X509 cert object with various methods like :subject(), :issuer() and :extensions().

Some of the APIs are probably going to change as we finalise the code, but feel free to contact me if you have any issues.
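As an added example (not code from the question, this answer or the LuaSec project), here is how the proposed conn:getpeercertificate() can be used to answer the original question: after dohandshake() has let OpenSSL verify the chain, read the peer certificate's subject and pin it to the identity you expect (e.g. a commonName or organizationName). The helper assumes that cert:subject() returns a list of { name = ..., oid = ..., value = ... } entries, the shape the later released LuaSec API uses; the fork's exact field names may differ. The connection stub at the bottom is constructed so the script runs offline without any certificates.

```lua
-- Added example: identity pinning on top of conn:getpeercertificate().
-- Assumption: cert:subject() returns a list of { name, oid, value } entries
-- (LuaSec 0.5 shape); adjust the field names if the fork differs.

-- Collect subject attributes by name. A name can occur more than once
-- (e.g. several organizationalUnitName entries), so every value is kept.
local function subject_fields(cert)
  local fields = {}
  for _, entry in ipairs(cert:subject()) do
    local list = fields[entry.name] or {}
    list[#list + 1] = entry.value
    fields[entry.name] = list
  end
  return fields
end

-- Returns true when the peer's certificate carries the expected attributes,
-- otherwise false and a reason. Chain validation against cafile is still
-- done by OpenSSL during dohandshake(); this step only decides *which*
-- CA-known peer is on the other end, which is what the question asks for.
local function check_peer_identity(conn, expected)
  local cert = conn:getpeercertificate()
  if not cert then
    return false, "peer sent no certificate"
  end
  local fields = subject_fields(cert)

  local function has(name, want)
    for _, v in ipairs(fields[name] or {}) do
      if v == want then return true end
    end
    return false
  end

  for name, want in pairs(expected) do
    if not has(name, want) then
      local got = table.concat(fields[name] or { "<none>" }, ", ")
      return false, name .. " mismatch: expected " .. want .. ", got " .. got
    end
  end
  return true
end

-- Usage on the server side of the oneshot example, right after
-- assert(peer:dohandshake()):
--   local ok, err = check_peer_identity(peer, { commonName = "clientA" })
--   if not ok then peer:close(); error(err) end
-- The client does the same with the server's expected commonName.

-- Constructed stand-in for a LuaSec connection so the check runs offline.
-- The subject values below are made up for this example.
local fake_conn = {
  getpeercertificate = function(self)
    return {
      subject = function()
        return {
          { name = "countryName",      oid = "2.5.4.6",  value = "BR" },
          { name = "organizationName", oid = "2.5.4.10", value = "Example Org" },
          { name = "commonName",       oid = "2.5.4.3",  value = "clientA" },
        }
      end,
    }
  end,
}

print(check_peer_identity(fake_conn, { commonName = "clientA", organizationName = "Example Org" }))
print(check_peer_identity(fake_conn, { commonName = "clientB" }))
```

Comparing the subject field by exact value is deliberate: a CA-signed certificate proves the peer holds a key the CA vouched for, but only the pinned attribute tells you it is the specific peer you intended to talk to, so treat a mismatch as a failed connection rather than a warning.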


Unfortunately, it seems there is currently no way to get the identity / examine the certificate in LuaSec. It is a very simple binding (in terms of API, not functionality) to enable connecting to secured servers.

In order to get the certificate, the easiest way is to modify LuaSec and add a function like getpeercert(), which internally uses SSL_get_peer_certificate(const SSL *ssl) and returns a Lua table with the main entries.
