Fixes MAISTRA-1226: added support for importPublicKey in lua filter #6

Merged
merged 1 commit into from
Mar 9, 2020
6 changes: 3 additions & 3 deletions source/extensions/common/crypto/utility_impl.cc
Expand Up @@ -52,6 +52,7 @@ const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, Cr
if (md == nullptr) {
return {false, absl::StrCat(hash, " is not supported.")};
}

// Step 3: initialize EVP_DigestVerify
auto pkey_wrapper = Common::Crypto::Access::getTyped<Common::Crypto::PublicKeyObject>(key);
EVP_PKEY* pkey = pkey_wrapper->getEVP_PKEY();
Expand All @@ -77,10 +78,9 @@ const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, Cr
return {false, absl::StrCat("Failed to verify digest. Error code: ", ok)};
}

// This is a dummy implementation of the interface, as EVP_parse_public_key isn't available under OpenSSL
CryptoObjectPtr UtilityImpl::importPublicKey(const std::vector<uint8_t>& key) {
CBS cbs({key.data(), key.size()});
return std::make_unique<PublicKeyObject>(); //EVP_parse_public_key(&cbs));
const unsigned char* tmp = key.data();
return std::make_unique<PublicKeyObject>(d2i_PUBKEY(nullptr, &tmp, key.size()));
}

const EVP_MD* UtilityImpl::getHashFunction(absl::string_view name) {
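Review bot: The new importPublicKey wraps whatever d2i_PUBKEY returns without checking it, and d2i_PUBKEY yields nullptr for malformed or empty DER, so the PublicKeyObject can carry a null EVP_PKEY into verifySignature (the earlier hunk reads it via `getEVP_PKEY()`; whether a null check follows is outside this section). Either reject a null result here or make the contract explicit with a comment such as `// d2i_PUBKEY returns nullptr on malformed DER; callers must check getEVP_PKEY() before use`. Two smaller points: `key.size()` is a size_t handed to a `long` parameter, so `static_cast<long>(key.size())` avoids the narrowing; and because d2i_PUBKEY advances `tmp`, checking `tmp == key.data() + key.size()` afterwards would reject keys followed by trailing bytes, which are currently accepted silently.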
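--- a/source/extensions/filters/http/lua/lua_filter.cc
+++ b/source/extensions/filters/http/lua/lua_filter.cc
@@ -468,6 +468,22 @@ int StreamHandleWrapper::luaVerifySignature(lua_State* state) {
 return 2;
 }
 
+int StreamHandleWrapper::luaImportPublicKey(lua_State* state) {
+// Get byte array and the length.
+const char* str = luaL_checkstring(state, 2);
+int n = luaL_checknumber(state, 3);
+std::vector<uint8_t> key(str, str + n);
+if (public_key_wrapper_.get() != nullptr) {
+public_key_wrapper_.pushStack();
+} else {
+auto& crypto_util = Envoy::Common::Crypto::UtilitySingleton::get();
+Common::Crypto::CryptoObjectPtr crypto_ptr = crypto_util.importPublicKey(key);
+public_key_wrapper_.reset(PublicKeyWrapper::create(state, std::move(crypto_ptr)), true);
+}
+
+return 1;
+}
+
 FilterConfig::FilterConfig(const std::string& lua_code, ThreadLocal::SlotAllocator& tls,
 Upstream::ClusterManager& cluster_manager)
 : cluster_manager_(cluster_manager), lua_state_(lua_code, tls) {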
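Review bot: luaImportPublicKey trusts the caller-supplied length at `int n = luaL_checknumber(state, 3);` and builds `key(str, str + n)` from it, so a script passing a length larger than the actual string (or a negative one) makes the vector constructor read past the string's buffer. Take the real length from Lua and bound the argument instead: `size_t len = 0; const char* str = luaL_checklstring(state, 2, &len);` then `const int n = luaL_checkinteger(state, 3);` and `luaL_argcheck(state, n >= 0 && static_cast<size_t>(n) <= len, 3, "key length out of range");`. Separately, the `public_key_wrapper_.get() != nullptr` branch pushes the first imported key for every later call regardless of the bytes passed in; if that caching is intentional it deserves a comment, otherwise a second import with a different key silently verifies against the wrong key.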
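--- a/source/extensions/filters/http/lua/lua_filter.h
+++ b/source/extensions/filters/http/lua/lua_filter.h
@@ -144,6 +144,7 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject<StreamHan
 {"respond", static_luaRespond},
 {"streamInfo", static_luaStreamInfo},
 {"connection", static_luaConnection},
+{"importPublicKey", static_luaImportPublicKey},
 {"verifySignature", static_luaVerifySignature}};
 }
 
@@ -232,6 +233,14 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject<StreamHan
 */
 DECLARE_LUA_FUNCTION(StreamHandleWrapper, luaVerifySignature);
 
+/**
+* Import public key.
+* @param 1 (string) keyder string
+* @param 2 (int) length of keyder string
+* @return pointer to public key
+*/
+DECLARE_LUA_FUNCTION(StreamHandleWrapper, luaImportPublicKey);
+
 /**
 * This is the closure/iterator returned by luaBodyChunks() above.
 */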
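Review bot: The new doc block on luaImportPublicKey says `@return pointer to public key`, but what the script receives is the userdata pushed by PublicKeyWrapper (see the lua_filter.cc section of this PR), and the parameter text does not say which encoding is expected even though the utility_impl.cc implementation parses the bytes with d2i_PUBKEY, i.e. a DER-encoded SubjectPublicKeyInfo. Suggested wording: `@param 1 (string) DER-encoded (SubjectPublicKeyInfo) public key bytes`, `@param 2 (int) number of bytes of the key string to use`, `@return (userdata) public key object for verifySignature; the first imported key is reused by later calls`. What the script sees for an unparsable key is not visible here and should be documented once confirmed.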
4 changes: 2 additions & 2 deletions test/common/crypto/utility_test.cc
Expand Up @@ -54,7 +54,7 @@ TEST(UtilityTest, TestSha256HmacWithEmptyArguments) {
}

// TODO (dmitri-d) re-enabled when importPublicKey OpenSSL-compatible implementation has been added
TEST(UtilityTest, DISABLED_TestImportPublicKey) {
TEST(UtilityTest, TestImportPublicKey) {
auto key = "30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7471266d01d160308d"
"73409c06f2e8d35c531c458d3e480e9f3191847d062ec5ccff7bc51e949d5f2c3540c189a4eca1e8633a6"
"2cf2d0923101c27e38013e71de9ae91a704849bff7fbe2ce5bf4bd666fd9731102a53193fe5a9a5a50644"
Expand All @@ -77,7 +77,7 @@ TEST(UtilityTest, DISABLED_TestImportPublicKey) {
}

// TODO (dmitri-d) re-enabled when importPublicKey OpenSSL-compatible implementation has been added
TEST(UtilityTest, DISABLED_TestVerifySignature) {
TEST(UtilityTest, TestVerifySignature) {
auto key = "30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7471266d01d160308d"
"73409c06f2e8d35c531c458d3e480e9f3191847d062ec5ccff7bc51e949d5f2c3540c189a4eca1e8633a6"
"2cf2d0923101c27e38013e71de9ae91a704849bff7fbe2ce5bf4bd666fd9731102a53193fe5a9a5a50644"
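Review bot: Re-enabling TestImportPublicKey and TestVerifySignature leaves the `// TODO (dmitri-d) re-enabled when importPublicKey OpenSSL-compatible implementation has been added` comment above each of them stale now that the implementation exists; drop both comments in this file. The same stale TODO lines remain above the three re-enabled tests in lua_filter_test.cc and above SignatureVerification in lua_integration_test.cc, and should go in the same commit.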
6 changes: 3 additions & 3 deletions test/extensions/filters/http/lua/lua_filter_test.cc
Expand Up @@ -1608,7 +1608,7 @@ TEST_F(LuaHttpFilterTest, CheckConnection) {
}

// TODO (dmitri-d) re-enable after importPublicKey method has been fixed
TEST_F(LuaHttpFilterTest, DISABLED_ImportPublicKey) {
TEST_F(LuaHttpFilterTest, ImportPublicKey) {
const std::string SCRIPT{R"EOF(
function string.fromhex(str)
return (str:gsub('..', function (cc)
Expand Down Expand Up @@ -1638,7 +1638,7 @@ TEST_F(LuaHttpFilterTest, DISABLED_ImportPublicKey) {
}

// TODO (dmitri-d) re-enable when importPublicKey has been fixed
TEST_F(LuaHttpFilterTest, DISABLED_InvalidPublicKey) {
TEST_F(LuaHttpFilterTest, InvalidPublicKey) {
const std::string SCRIPT{R"EOF(
function string.fromhex(str)
return (str:gsub('..', function (cc)
Expand Down Expand Up @@ -1668,7 +1668,7 @@ TEST_F(LuaHttpFilterTest, DISABLED_InvalidPublicKey) {
}

// TODO (dmitri-d) re-enable when importPublicKey has been fixed
TEST_F(LuaHttpFilterTest, DISABLED_SignatureVerify) {
TEST_F(LuaHttpFilterTest, SignatureVerify) {
const std::string SCRIPT{R"EOF(
function string.fromhex(str)
return (str:gsub('..', function (cc)
4 changes: 2 additions & 2 deletions test/extensions/filters/http/lua/lua_integration_test.cc
Expand Up @@ -423,7 +423,7 @@ name: envoy.lua

// TODO (dmitri-d) re-enable when importPublicKey method is added
// Basic test for verifying signature.
TEST_P(LuaIntegrationTest, DISABLED_SignatureVerification) {
TEST_P(LuaIntegrationTest, SignatureVerification) {
const std::string FILTER_AND_CODE =
R"EOF(
name: envoy.lua
Expand Down Expand Up @@ -470,7 +470,7 @@ name: envoy.lua
local sig = request_handle:headers():get("signature")
local rawsig = sig:fromhex()
local data = request_handle:headers():get("message")
local ok, error = request_handle:verifySignature(hash, pubkey, rawsig, string.len(rawsig), data, string.len(data))
local ok, error = request_handle:verifySignature(hash, pubkey, rawsig, string.len(rawsig), data, string.len(data))

if ok then
request_handle:headers():add("signature_verification", "approved")