From e7705e503d5e3aa856e756ca33b3d970e6a9888d Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Wed, 24 Sep 2014 15:39:36 -0700
Subject: [PATCH 01/56] feature: implemented the ssl_certificate_by_lua and ssl_certificate_by_lua_file directives. also added the Lua module ngx.ssl under the lua/ directory.

---
 .gitignore | 1 +
 config | 2 +
 lua/ngx/ssl.lua | 142 ++++
 patches/nginx-ssl-cert.patch | 37 ++
 src/ngx_http_lua_common.h | 25 +-
 src/ngx_http_lua_contentby.h | 2 +-
 src/ngx_http_lua_directive.c | 5 +-
 src/ngx_http_lua_module.c | 77 ++-
 src/ngx_http_lua_sleep.c | 3 +-
 src/ngx_http_lua_socket_tcp.c | 10 +-
 src/ngx_http_lua_sslcertby.c | 641 ++++++++++++++++++
 src/ngx_http_lua_sslcertby.h | 28 +
 src/ngx_http_lua_util.c | 3 +-
 src/ngx_http_lua_util.h | 2 +
 t/014-bugs.t | 1 +
 t/130-ssl-cert-by.t | 1158 +++++++++++++++++++++++++++++++++
 t/cert/test.crt.der | Bin 0 -> 685 bytes
 t/cert/test.key.der | Bin 0 -> 610 bytes
 t/cert/test2.crt | 16 +
 t/cert/test2.key | 15 +
 util/build2.sh | 1 +
 21 files changed, 2153 insertions(+), 16 deletions(-)
 create mode 100644 lua/ngx/ssl.lua
 create mode 100644 patches/nginx-ssl-cert.patch
 create mode 100644 src/ngx_http_lua_sslcertby.c
 create mode 100644 src/ngx_http_lua_sslcertby.h
 create mode 100644 t/130-ssl-cert-by.t
 create mode 100644 t/cert/test.crt.der
 create mode 100644 t/cert/test.key.der
 create mode 100644 t/cert/test2.crt
 create mode 100644 t/cert/test2.key

diff --git a/.gitignore b/.gitignore
index 61613b2dca..db7e1a902e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -153,6 +153,7 @@ src/uthread.[ch]
 src/timer.[ch]
 src/config.[ch]
 src/worker.[ch]
+src/sslcertby.[ch]
 *.plist
 lua
 ttimer
diff --git a/config b/config
index 1cb9fd33e1..748948dd84 100644
--- a/config
+++ b/config
@@ -253,6 +253,7 @@ NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
             $ngx_addon_dir/src/ngx_http_lua_timer.c \
             $ngx_addon_dir/src/ngx_http_lua_config.c \
             $ngx_addon_dir/src/ngx_http_lua_worker.c \
+            $ngx_addon_dir/src/ngx_http_lua_sslcertby.c \
             "
 
 NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
@@ -306,6 +307,7 @@ NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
             $ngx_addon_dir/src/ngx_http_lua_timer.h \
             $ngx_addon_dir/src/ngx_http_lua_config.h \
             $ngx_addon_dir/src/ngx_http_lua_worker.h \
+            $ngx_addon_dir/src/ngx_http_lua_sslcertby.h \
             "
 
 CFLAGS="$CFLAGS -DNDK_SET_VAR"
diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua
new file mode 100644
index 0000000000..0111b5358a
--- /dev/null
+++ b/lua/ngx/ssl.lua
@@ -0,0 +1,142 @@
+-- Copyright (C) 2014 Yichun Zhang
+
+
+local ffi = require "ffi"
+local base = require "resty.core.base"
+
+
+local C = ffi.C
+local ffi_str = ffi.string
+local getfenv = getfenv
+local errmsg = base.get_errmsg_ptr()
+local get_string_buf = base.get_string_buf
+local get_size_ptr = base.get_size_ptr
+local FFI_DECLINED = base.FFI_DECLINED
+local FFI_OK = base.FFI_OK
+
+
+ffi.cdef[[
+
+struct ngx_ssl_conn_s;
+typedef struct ngx_ssl_conn_s ngx_ssl_conn_t;
+
+int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r,
+    const char *data, size_t len, char **err);
+
+int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err);
+
+int ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r,
+    const char *data, size_t len, char **err);
+
+int ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
+    size_t *addrlen, int *addrtype, char **err);
+
+int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
+    size_t *namelen, char **err);
+
+]]
+
+
+local _M = {}
+
+
+local charpp = ffi.new("char*[1]")
+local intp = ffi.new("int[1]")
+
+
+function _M.clear_certs(data)
+    local r = getfenv(0).__ngx_req
+    if not r then
+        return error("no request found")
+    end
+
+    local rc = C.ngx_http_lua_ffi_ssl_clear_certs(r, errmsg)
+    if rc == FFI_OK then
+        return true
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.set_der_cert(data)
+    local r = getfenv(0).__ngx_req
+    if not r then
+        return error("no request found")
+    end
+
+    local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data, errmsg)
+    if rc == FFI_OK then
+        return true
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.set_der_pkey(data)
+    local r = getfenv(0).__ngx_req
+    if not r then
+        return error("no request found")
+    end
+
+    local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data, errmsg)
+    if rc == FFI_OK then
+        return true
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+local addr_types = {
+    [1] = "unix",
+    [2] = "inet",
+    [10] = "inet6",
+}
+
+
+function _M.raw_server_addr()
+    local r = getfenv(0).__ngx_req
+    if not r then
+        return error("no request found")
+    end
+
+    local sizep = get_size_ptr()
+
+    local rc = C.ngx_http_lua_ffi_ssl_raw_server_addr(r, charpp, sizep,
+                                                     intp, errmsg)
+    if rc == FFI_OK then
+        local typ = addr_types[intp[0]]
+        if not typ then
+            return nil, nil, "unknown address type: " .. intp[0]
+        end
+        return ffi_str(charpp[0], sizep[0]), typ
+    end
+
+    return nil, nil, ffi_str(errmsg[0])
+end
+
+
+function _M.server_name()
+    local r = getfenv(0).__ngx_req
+    if not r then
+        return error("no request found")
+    end
+
+    local sizep = get_size_ptr()
+
+    local rc = C.ngx_http_lua_ffi_ssl_server_name(r, charpp, sizep, errmsg)
+    if rc == FFI_OK then
+        return ffi_str(charpp[0], sizep[0])
+    end
+
+    if rc == FFI_DECLINED then
+        return nil
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+return _M
diff --git a/patches/nginx-ssl-cert.patch b/patches/nginx-ssl-cert.patch
new file mode 100644
index 0000000000..2cf6dee59d
--- /dev/null
+++ b/patches/nginx-ssl-cert.patch
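Review bot: `addr_types` in `raw_server_addr` hardcodes 1, 2 and 10 for the `addrtype` value, but the C side (`ngx_http_lua_ffi_ssl_raw_server_addr`) stores the raw `AF_UNIX`/`AF_INET`/`AF_INET6` constants, whose numeric values are platform-specific (AF_INET6 is 10 on Linux but different on the BSDs and macOS), so on those platforms an IPv6 listener is reported as "unknown address type". Having the C side return a module-defined code, or resolving the constants through `ffi` at load time, removes that dependency. Two smaller points: `clear_certs(data)` declares a `data` parameter it never uses, and `set_der_cert`/`set_der_pkey` hand `data` straight to `#data` and the FFI call without a `type(data) == "string"` check, so a `nil` argument surfaces as a LuaJIT error instead of the `nil, err` the rest of this API returns. `get_string_buf` is imported but unused.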
@@ -0,0 +1,37 @@
+diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+--- a/src/event/ngx_event_openssl.c	2014-08-05 04:13:07.000000000 -0700
++++ b/src/event/ngx_event_openssl.c	2014-09-12 12:17:33.034582693 -0700
+@@ -1121,6 +1121,21 @@ ngx_ssl_handshake(ngx_connection_t *c)
+         return NGX_AGAIN;
+     }
+ 
++    if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
++        c->read->handler = ngx_ssl_handshake_handler;
++        c->write->handler = ngx_ssl_handshake_handler;
++
++        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
++            return NGX_ERROR;
++        }
++
++        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
++            return NGX_ERROR;
++        }
++
++        return NGX_AGAIN;
++    }
++
+     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
+ 
+     c->ssl->no_wait_shutdown = 1;
+diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+--- a/src/event/ngx_event_openssl.h	2014-08-05 04:13:07.000000000 -0700
++++ b/src/event/ngx_event_openssl.h	2014-09-12 12:16:32.016208272 -0700
+@@ -56,6 +56,8 @@ typedef struct {
+     ngx_event_handler_pt        saved_read_handler;
+     ngx_event_handler_pt        saved_write_handler;
+ 
++    void                       *ctx; /* used by 3rd-party modules */
++
+     unsigned                    handshaked:1;
+     unsigned                    renegotiation:1;
+     unsigned                    buffer:1;
diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h
index dd69d1cbd3..d632f0d6c6 100644
--- a/src/ngx_http_lua_common.h
+++ b/src/ngx_http_lua_common.h
@@ -94,6 +94,7 @@ typedef struct {
 #define NGX_HTTP_LUA_CONTEXT_BODY_FILTER    0x040
 #define NGX_HTTP_LUA_CONTEXT_TIMER          0x080
 #define NGX_HTTP_LUA_CONTEXT_INIT_WORKER    0x100
+#define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x200
 
 
 #ifndef NGX_LUA_NO_FFI_API
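Review bot: the new `ctx` member added to the nginx SSL connection struct is documented only as `/* used by 3rd-party modules */`, which says nothing about ownership: it is a single untyped slot shared by every third-party module, and the only contract this patch establishes is that `SSL_ERROR_WANT_X509_LOOKUP` now parks the handshake on `ngx_ssl_handshake_handler` until something re-drives `c->write->handler`. I would state that next to the field, along the lines of `/* opaque per-connection slot for the one module that suspends the handshake (e.g. a cert callback); the owner must reset it to NULL before the handshake completes */`. The WANT_X509_LOOKUP branch itself mirrors the existing WANT_READ/WANT_WRITE handling and presumably relies on the caller's handshake timer to bound the wait, which is fine as long as every owner of `ctx` eventually resumes the handshake.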
@@ -103,10 +104,13 @@ typedef struct { typedef struct ngx_http_lua_main_conf_s ngx_http_lua_main_conf_t; +typedef struct ngx_http_lua_srv_conf_s ngx_http_lua_srv_conf_t; -typedef ngx_int_t (*ngx_http_lua_conf_handler_pt)(ngx_log_t *log, - ngx_http_lua_main_conf_t *lmcf, lua_State *L); +typedef ngx_int_t (*ngx_http_lua_main_conf_handler_pt)(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); +typedef ngx_int_t (*ngx_http_lua_srv_conf_handler_pt)(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lmcf, lua_State *L); typedef struct { @@ -145,11 +149,11 @@ struct ngx_http_lua_main_conf_s { ngx_flag_t postponed_to_rewrite_phase_end; ngx_flag_t postponed_to_access_phase_end; - ngx_http_lua_conf_handler_pt init_handler; - ngx_str_t init_src; + ngx_http_lua_main_conf_handler_pt init_handler; + ngx_str_t init_src; - ngx_http_lua_conf_handler_pt init_worker_handler; - ngx_str_t init_worker_src; + ngx_http_lua_main_conf_handler_pt init_worker_handler; + ngx_str_t init_worker_src; ngx_uint_t shm_zones_inited; @@ -163,6 +167,15 @@ struct ngx_http_lua_main_conf_s { }; +struct ngx_http_lua_srv_conf_s { +#if (NGX_HTTP_SSL) + ngx_http_lua_srv_conf_handler_pt ssl_cert_handler; + ngx_str_t ssl_cert_src; + u_char *ssl_cert_src_key; +#endif +}; + + typedef struct { #if (NGX_HTTP_SSL) ngx_ssl_t *ssl; /* shared by SSL cosockets */ diff --git a/src/ngx_http_lua_contentby.h b/src/ngx_http_lua_contentby.h index 766baa6c9b..58ba8e1624 100644 --- a/src/ngx_http_lua_contentby.h +++ b/src/ngx_http_lua_contentby.h @@ -12,7 +12,7 @@ #include "ngx_http_lua_common.h" -ngx_int_t ngx_http_lua_content_by_chunk(lua_State *l, ngx_http_request_t *r); +ngx_int_t ngx_http_lua_content_by_chunk(lua_State *L, ngx_http_request_t *r); void ngx_http_lua_content_wev_handler(ngx_http_request_t *r); ngx_int_t ngx_http_lua_content_handler_file(ngx_http_request_t *r); ngx_int_t ngx_http_lua_content_handler_inline(ngx_http_request_t *r); 
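Review bot: `struct ngx_http_lua_srv_conf_s` keeps all three of its members under `#if (NGX_HTTP_SSL)`, so a build without SSL support gets a struct with no members, which ISO C leaves undefined (GCC only tolerates it as an extension with `sizeof` 0) and the new `ngx_http_lua_create_srv_conf` in ngx_http_lua_module.c then calls `ngx_pcalloc(cf->pool, 0)`. Keeping one unconditional member outside the guard (a reserved flag is enough) avoids that. Separately, `ngx_http_lua_srv_conf_handler_pt` names its `ngx_http_lua_srv_conf_t *` parameter `lmcf`, the main-conf convention used on the typedef just above it; `lscf` would match the definitions in ngx_http_lua_sslcertby.c.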
diff --git a/src/ngx_http_lua_directive.c b/src/ngx_http_lua_directive.c index ef0751fe66..8106effda3 100644 --- a/src/ngx_http_lua_directive.c +++ b/src/ngx_http_lua_directive.c @@ -24,6 +24,7 @@ #include "ngx_http_lua_initby.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_shdict.h" +#include "ngx_http_lua_sslcertby.h" #if defined(NDK) && NDK @@ -898,7 +899,7 @@ ngx_http_lua_init_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_ERROR; } - lmcf->init_handler = (ngx_http_lua_conf_handler_pt) cmd->post; + lmcf->init_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post; if (cmd->post == ngx_http_lua_init_by_file) { name = ngx_http_lua_rebase_path(cf->pool, value[1].data, @@ -939,7 +940,7 @@ ngx_http_lua_init_worker_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, value = cf->args->elts; - lmcf->init_worker_handler = (ngx_http_lua_conf_handler_pt) cmd->post; + lmcf->init_worker_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post; if (cmd->post == ngx_http_lua_init_worker_by_file) { name = ngx_http_lua_rebase_path(cf->pool, value[1].data, diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 1c57d904d7..374461f557 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -23,6 +23,8 @@ #include "ngx_http_lua_initby.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_probe.h" +#include "ngx_http_lua_sslcertby.h" +#include #if !defined(nginx_version) || nginx_version < 8054 @@ -32,7 +34,11 @@ static void *ngx_http_lua_create_main_conf(ngx_conf_t *cf); static char *ngx_http_lua_init_main_conf(ngx_conf_t *cf, void *conf); +static void *ngx_http_lua_create_srv_conf(ngx_conf_t *cf); +static char *ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, + void *child); static void *ngx_http_lua_create_loc_conf(ngx_conf_t *cf); + static char *ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t ngx_http_lua_init(ngx_conf_t *cf); 
@@ -404,6 +410,24 @@ static ngx_command_t ngx_http_lua_cmds[] = { offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), NULL }, +#if (NGX_HTTP_SSL) + + { ngx_string("ssl_certificate_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_http_lua_ssl_cert_by_lua, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_cert_handler_inline }, + + { ngx_string("ssl_certificate_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, + ngx_http_lua_ssl_cert_by_lua, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_cert_handler_file }, + +#endif /* NGX_HTTP_SSL */ + { ngx_string("lua_ssl_verify_depth"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_num_slot, @@ -438,8 +462,8 @@ ngx_http_module_t ngx_http_lua_module_ctx = { ngx_http_lua_create_main_conf, /* create main configuration */ ngx_http_lua_init_main_conf, /* init main configuration */ - NULL, /* create server configuration */ - NULL, /* merge server configuration */ + ngx_http_lua_create_srv_conf, /* create server configuration */ + ngx_http_lua_merge_srv_conf, /* merge server configuration */ ngx_http_lua_create_loc_conf, /* create location configuration */ ngx_http_lua_merge_loc_conf /* merge location configuration */ 
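Review bot: the two directive entries disagree in a way that looks like a copy-paste slip: `ssl_certificate_by_lua` is declared `NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1` with `NGX_HTTP_SRV_CONF_OFFSET`, while `ssl_certificate_by_lua_file` is `NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1` with `NGX_HTTP_LOC_CONF_OFFSET`. Both route to `ngx_http_lua_ssl_cert_by_lua`, which casts `conf` to `ngx_http_lua_srv_conf_t *`, so with the loc-conf offset the file variant writes `ssl_cert_handler`/`ssl_cert_src` into the location configuration struct, and the directive is also rejected inside `server` blocks. The second entry should read `NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,` and `NGX_HTTP_SRV_CONF_OFFSET,` like the first.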
@@ -679,6 +703,55 @@ ngx_http_lua_init_main_conf(ngx_conf_t *cf, void *conf) } +static void * +ngx_http_lua_create_srv_conf(ngx_conf_t *cf) +{ + ngx_http_lua_srv_conf_t *lscf; + + lscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_lua_srv_conf_t)); + if (lscf == NULL) { + return NULL; + } + + /* set by ngx_pcalloc: + * lscf->ssl_cert_handler = NULL; + * lscf->ssl_cert_src = { 0, NULL }; + */ + + return lscf; +} + + +static char * +ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +{ + ngx_http_lua_srv_conf_t *prev = parent; + ngx_http_lua_srv_conf_t *conf = child; + ngx_http_ssl_srv_conf_t *sscf; + + dd("merge srv conf"); + + if (conf->ssl_cert_src.len == 0) { + conf->ssl_cert_src = prev->ssl_cert_src; + conf->ssl_cert_handler = prev->ssl_cert_handler; + } + + if (conf->ssl_cert_src.len) { + sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module); + if (sscf == NULL || sscf->ssl.ctx == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no ssl configured for the server"); + + return NGX_CONF_ERROR; + } + + SSL_CTX_set_cert_cb(sscf->ssl.ctx, ngx_http_lua_ssl_cert_handler, NULL); + } + + return NGX_CONF_OK; +} + + static void * ngx_http_lua_create_loc_conf(ngx_conf_t *cf) { diff --git a/src/ngx_http_lua_sleep.c b/src/ngx_http_lua_sleep.c index c667af5997..eeb9651dbe 100644 --- a/src/ngx_http_lua_sleep.c +++ b/src/ngx_http_lua_sleep.c @@ -55,7 +55,8 @@ ngx_http_lua_ngx_sleep(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ctx->cur_co_ctx; if (coctx == NULL) { diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 52cc89d24d..ed0922d9f6 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
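Review bot: `ngx_http_lua_merge_srv_conf` turns an inherited directive into a hard configuration error: a server block with no `ssl_cert_src` of its own inherits `prev->ssl_cert_src`, and the very next check fails with "no ssl configured for the server" whenever `sscf->ssl.ctx` is NULL, which, if I read the SSL module's merge correctly, is every plain-HTTP server block under an `http`-level `ssl_certificate_by_lua`. If inheritance is intended, a server whose value came only from the parent and has no SSL context should be skipped with `return NGX_CONF_OK`, and the EMERG reserved for a server that set the directive itself. `SSL_CTX_set_cert_cb` exists only since OpenSSL 1.0.2 and nothing here guards the build, so an `#if OPENSSL_VERSION_NUMBER` check with a clear `#error` would be kinder than a link failure. Minor: the comment in `ngx_http_lua_create_srv_conf` listing the zeroed fields omits `ssl_cert_src_key`.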
@@ -383,7 +383,8 @@ ngx_http_lua_socket_tcp(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); lua_createtable(L, 3 /* narr */, 1 /* nrec */); lua_pushlightuserdata(L, &ngx_http_lua_tcp_socket_metatable_key); @@ -440,7 +441,8 @@ ngx_http_lua_socket_tcp_connect(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); luaL_checktype(L, 1, LUA_TTABLE); @@ -1317,6 +1319,10 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) u->ssl_name = name; u->write_co_ctx = coctx; +#if 0 + SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp); +#endif + rc = ngx_ssl_handshake(c); dd("ngx_ssl_handshake returned %d", (int) rc); diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c new file mode 100644 index 0000000000..908b89caae --- /dev/null +++ b/src/ngx_http_lua_sslcertby.c 
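Review bot: the `#if 0` block around `SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp)` in `ngx_http_lua_socket_tcp_sslhandshake` is parked code with no explanation and is unrelated to the directive this commit adds; either drop it or replace it with a one-line note such as `/* TODO: request OCSP stapling on cosocket handshakes (SSL_set_tlsext_status_type) */` so the next reader knows it is intentional. The widening of the two `ngx_http_lua_check_context` masks here and in ngx_http_lua_sleep.c is consistent with the new NGX_HTTP_LUA_CONTEXT_SSL_CERT flag; all three enclosing functions extend beyond their hunks.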
@@ -0,0 +1,641 @@ + +/* + * Copyright (C) Yichun Zhang (agentzh) + */ + + +#ifndef DDEBUG +#define DDEBUG 0 +#endif +#include "ddebug.h" + + +#if (NGX_HTTP_SSL) + + +#include "ngx_http_lua_cache.h" +#include "ngx_http_lua_initworkerby.h" +#include "ngx_http_lua_util.h" +#include "ngx_http_ssl_module.h" +#include "ngx_http_lua_contentby.h" + + +static void ngx_http_lua_ssl_cert_done(void *data); +static u_char * ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, + size_t len); +static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, + ngx_http_request_t *r); + + +typedef struct { + ngx_event_t sleep; + unsigned done; /* :1 */ +} ngx_http_lua_ssl_cert_ctx_t; + + +ngx_int_t +ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L) +{ + ngx_int_t rc; + + rc = ngx_http_lua_cache_loadfile(r, L, lscf->ssl_cert_src.data, + lscf->ssl_cert_src_key); + if (rc != NGX_OK) { + return rc; + } + + /* make sure we have a valid code chunk */ + ngx_http_lua_assert(lua_isfunction(L, -1)); + + return ngx_http_lua_ssl_cert_by_chunk(L, r); +} + + +ngx_int_t +ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L) +{ + ngx_int_t rc; + + rc = ngx_http_lua_cache_loadbuffer(r, L, lscf->ssl_cert_src.data, + lscf->ssl_cert_src.len, + lscf->ssl_cert_src_key, + "=ssl_certificate_by_lua"); + if (rc != NGX_OK) { + return rc; + } + + /* make sure we have a valid code chunk */ + ngx_http_lua_assert(lua_isfunction(L, -1)); + + return ngx_http_lua_ssl_cert_by_chunk(L, r); +} + + +char * +ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf) +{ + u_char *p; + u_char *name; + ngx_str_t *value; + ngx_http_lua_srv_conf_t *lscf = conf; + + dd("enter"); + + /* must specifiy a content handler */ + if (cmd->post == NULL) { + return NGX_CONF_ERROR; + } + + if (lscf->ssl_cert_handler) { + return "is duplicate"; + } + + value = cf->args->elts; + + lscf->ssl_cert_handler = 
(ngx_http_lua_srv_conf_handler_pt) cmd->post; + + if (cmd->post == ngx_http_lua_ssl_cert_handler_file) { + /* Lua code in an external file */ + + name = ngx_http_lua_rebase_path(cf->pool, value[1].data, + value[1].len); + if (name == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src.data = name; + lscf->ssl_cert_src.len = ngx_strlen(name); + + p = ngx_palloc(cf->pool, NGX_HTTP_LUA_FILE_KEY_LEN + 1); + if (p == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src_key = p; + + p = ngx_copy(p, NGX_HTTP_LUA_FILE_TAG, NGX_HTTP_LUA_FILE_TAG_LEN); + p = ngx_http_lua_digest_hex(p, value[1].data, value[1].len); + *p = '\0'; + + } else { + /* inlined Lua code */ + + lscf->ssl_cert_src = value[1]; + + p = ngx_palloc(cf->pool, NGX_HTTP_LUA_INLINE_KEY_LEN + 1); + if (p == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src_key = p; + + p = ngx_copy(p, NGX_HTTP_LUA_INLINE_TAG, NGX_HTTP_LUA_INLINE_TAG_LEN); + p = ngx_http_lua_digest_hex(p, value[1].data, value[1].len); + *p = '\0'; + } + + return NGX_CONF_OK; +} + + +int +ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) +{ + lua_State *L; + ngx_int_t rc; + ngx_connection_t *c, *fc; + ngx_http_request_t *r = NULL; + ngx_pool_cleanup_t *cln; + ngx_http_connection_t *hc; + ngx_http_lua_srv_conf_t *lscf; + ngx_http_lua_ssl_cert_ctx_t *cctx; + + c = ngx_ssl_get_connection(ssl_conn); + + cctx = c->ssl->ctx; + + dd("ssl cert handler, cert-ctx=%p", cctx); + + if (cctx) { + /* not the first time */ + + if (cctx->done) { + dd("lua ssl cert done, finally"); + c->ssl->ctx = NULL; + return 1; + } + + return -1; + } + + /* cctx == NULL */ + + dd("first time"); + + hc = c->data; + + fc = ngx_http_lua_create_fake_connection(); + if (fc == NULL) { + goto failed; + } + + fc->log->handler = ngx_http_lua_log_ssl_cert_error; + + r = ngx_http_lua_create_fake_request(fc); + if (r == NULL) { + goto failed; + } + + r->main_conf = hc->conf_ctx->main_conf; + r->srv_conf = hc->conf_ctx->srv_conf; + r->loc_conf = 
hc->conf_ctx->loc_conf; + + fc->log->file = c->log->file; + fc->log->log_level = c->log->log_level; + fc->ssl = c->ssl; + + lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module); + + /* TODO honor lua_code_cache off */ + L = ngx_http_lua_get_lua_vm(r, NULL); + + rc = lscf->ssl_cert_handler(r, lscf, L); + + if (rc == NGX_OK) { + return 1; /* continue ssl handshaking */ + } + + if (rc == NGX_ERROR || rc > NGX_OK) { + return 0; /* error */ + } + + /* rc == NGX_DONE */ + + cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_cert_ctx_t)); + if (cctx == NULL) { + goto failed; /* error */ + } + + c->ssl->ctx = cctx; + + cln = ngx_pool_cleanup_add(fc->pool, 0); + if (cln == NULL) { + goto failed; + } + + cln->handler = ngx_http_lua_ssl_cert_done; + cln->data = ssl_conn; + +#if 0 + cctx->sleep.handler = ngx_http_lua_ssl_cert_done; + cctx->sleep.data = ssl_conn; + cctx->sleep.log = c->log; + + ngx_add_timer(&cctx->sleep, 1000); +#endif + + c->log->action = "loading SSL certificate by lua"; + + return -1; + +#if 1 +failed: + + if (r && r->pool) { + ngx_http_lua_free_fake_request(r); + } + + if (fc) { + ngx_http_lua_close_fake_connection(fc); + } + + return 0; +#endif +} + + +static void +ngx_http_lua_ssl_cert_done(void *data) +{ + ngx_ssl_conn_t *ssl_conn = data; + ngx_connection_t *c; + ngx_http_lua_ssl_cert_ctx_t *cctx; + + dd("lua ssl cert done"); + + c = ngx_ssl_get_connection(ssl_conn); + + cctx = c->ssl->ctx; + if (cctx == NULL) { + return; + } + + cctx->done = 1; + + c->log->action = "SSL handshaking"; + c->write->handler(c->write);; +} + + +static u_char * +ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len) +{ + u_char *p; + + if (log->action) { + p = ngx_snprintf(buf, len, " while %s", log->action); + len -= p - buf; + buf = p; + } + + return ngx_snprintf(buf, len, ", context: ssl_certificate_by_lua*"); +} + + +static ngx_int_t +ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) +{ + int co_ref; + ngx_int_t rc; + lua_State 
*co; + ngx_http_lua_ctx_t *ctx; + ngx_http_cleanup_t *cln; + + ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module); + + if (ctx == NULL) { + ctx = ngx_http_lua_create_ctx(r); + if (ctx == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + } else { + dd("reset ctx"); + ngx_http_lua_reset_ctx(r, L, ctx); + } + + ctx->entered_content_phase = 1; + + /* {{{ new coroutine to handle request */ + co = ngx_http_lua_new_thread(r, L, &co_ref); + + if (co == NULL) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "lua: failed to create new coroutine to handle request"); + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + /* move code closure to new coroutine */ + lua_xmove(L, co, 1); + + /* set closure's env table to new coroutine's globals table */ + ngx_http_lua_get_globals_table(co); + lua_setfenv(co, -2); + + /* save nginx request in coroutine globals table */ + ngx_http_lua_set_req(co, r); + + ctx->cur_co_ctx = &ctx->entry_co_ctx; + ctx->cur_co_ctx->co = co; + ctx->cur_co_ctx->co_ref = co_ref; +#ifdef NGX_LUA_USE_ASSERT + ctx->cur_co_ctx->co_top = 1; +#endif + + /* register request cleanup hooks */ + if (ctx->cleanup == NULL) { + cln = ngx_http_cleanup_add(r, 0); + if (cln == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + cln->handler = ngx_http_lua_request_cleanup_handler; + cln->data = ctx; + ctx->cleanup = &cln->handler; + } + + ctx->context = NGX_HTTP_LUA_CONTEXT_SSL_CERT; + + rc = ngx_http_lua_run_thread(L, r, ctx, 0); + + if (rc == NGX_ERROR || rc >= NGX_OK) { + /* do nothing */ + + } else if (rc == NGX_AGAIN) { + rc = ngx_http_lua_content_run_posted_threads(L, r, ctx, 0); + + } else if (rc == NGX_DONE) { + rc = ngx_http_lua_content_run_posted_threads(L, r, ctx, 1); + + } else { + rc = NGX_OK; + } + + ngx_http_lua_finalize_request(r, rc); + return rc; +} + + +int +ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad 
request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + SSL_certs_clear(ssl_conn); + return NGX_OK; +} + + +int +ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, + const char *data, size_t len, char **err) +{ + BIO *bio = NULL; + X509 *x509 = NULL; + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + bio = BIO_new_mem_buf((char *) data, len); + if (bio == NULL) { + *err = " BIO_new_mem_buf() failed"; + goto failed; + } + + x509 = d2i_X509_bio(bio, NULL); + if (x509 == NULL) { + *err = " d2i_X509_bio() failed"; + goto failed; + } + + if (SSL_use_certificate(ssl_conn, x509) == 0) { + *err = " SSL_use_certificate() failed"; + goto failed; + } + + if (SSL_set_ex_data(ssl_conn, ngx_ssl_certificate_index, x509) == 0) { + *err = " SSL_set_ex_data() failed"; + goto failed; + } + + X509_free(x509); + x509 = NULL; + + /* read rest of the chain */ + + while (!BIO_eof(bio)) { + + x509 = d2i_X509_bio(bio, NULL); + if (x509 == NULL) { + *err = "d2i_X509_bio() failed"; + goto failed; + } + + if (SSL_add0_chain_cert(ssl_conn, x509) == 0) { + *err = "SSL_add0_chain_cert() failed"; + goto failed; + } + } + + BIO_free(bio); + + *err = NULL; + return NGX_OK; + +failed: + + if (bio) { + BIO_free(bio); + } + + if (x509) { + X509_free(x509); + } + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r, + const char *data, size_t len, char **err) +{ + BIO *bio = NULL; + EVP_PKEY *pkey = NULL; + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl 
conn"; + return NGX_ERROR; + } + + bio = BIO_new_mem_buf((char *) data, len); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + goto failed; + } + + pkey = d2i_PrivateKey_bio(bio, NULL); + if (pkey == NULL) { + *err = "d2i_PrivateKey_bio() failed"; + goto failed; + } + + if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) { + *err = "SSL_CTX_use_PrivateKey() failed"; + goto failed; + } + + EVP_PKEY_free(pkey); + BIO_free(bio); + + return NGX_OK; + +failed: + + if (pkey) { + EVP_PKEY_free(pkey); + } + + if (bio) { + BIO_free(bio); + } + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err) +{ +#if (NGX_HAVE_UNIX_DOMAIN) + struct sockaddr_un *saun; +#endif + ngx_ssl_conn_t *ssl_conn; + ngx_connection_t *c; + struct sockaddr_in *sin; +#if (NGX_HAVE_INET6) + struct sockaddr_in6 *sin6; +#endif + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + c = ngx_ssl_get_connection(ssl_conn); + + if (ngx_connection_local_sockaddr(c, NULL, 0) != NGX_OK) { + return 0; + } + + switch (c->local_sockaddr->sa_family) { + +#if (NGX_HAVE_INET6) + case AF_INET6: + sin6 = (struct sockaddr_in6 *) c->local_sockaddr; + *addrlen = 16; + *addr = (char *) &sin6->sin6_addr.s6_addr; + *addrtype = AF_INET6; + + break; +#endif + +#if (NGX_HAVE_UNIX_DOMAIN) + case AF_UNIX: + saun = (struct sockaddr_un *) c->local_sockaddr; + + /* on Linux sockaddr might not include sun_path at all */ + if (c->local_socklen <= + (socklen_t) offsetof(struct sockaddr_un, sun_path)) + { + *addr = ""; + *addrlen = 0; + + } else { + *addr = saun->sun_path; + *addrlen = ngx_strlen(saun->sun_path); + } + + *addrtype = AF_UNIX; + break; +#endif + + default: /* AF_INET */ + sin = (struct sockaddr_in *) c->local_sockaddr; + *addr = (char *) 
&sin->sin_addr.s_addr; + *addrlen = 4; + *addrtype = AF_INET; + break; + } + + return NGX_OK; +} + + +int +ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + *name = (char *) SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + + if (*name) { + *namelen = ngx_strlen(*name); + return NGX_OK; + } + + return NGX_DECLINED; +} + + +#endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_sslcertby.h new file mode 100644 index 0000000000..3135bfb0ef --- /dev/null +++ b/src/ngx_http_lua_sslcertby.h @@ -0,0 +1,28 @@ + +/* + * Copyright (C) Yichun Zhang (agentzh) + */ + + +#ifndef _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ +#define _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ + + +#include "ngx_http_lua_common.h" + + +ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); + +ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); + +char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + +int ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); + + +#endif /* _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ */ + +/* vi:set ft=c ts=4 sw=4 et fdm=marker: */ diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index 794d08553f..c56d04c45a 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c 
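Review bot: `ngx_http_lua_ffi_ssl_raw_server_addr` returns `0` when `ngx_connection_local_sockaddr` fails, and `0` is `NGX_OK`, so the Lua caller sees success with `*addr`, `*addrlen` and `*addrtype` never written and then reads whatever was left in its `char*[1]`/size/`int[1]` buffers; it should fail explicitly with `*err = "ngx_connection_local_sockaddr() failed"; return NGX_ERROR;`. Two smaller points in the same file: `ngx_http_lua_ffi_ssl_set_der_private_key` reports `"SSL_CTX_use_PrivateKey() failed"` although the call is `SSL_use_PrivateKey`, and the first four messages in `ngx_http_lua_ffi_ssl_set_der_certificate` carry a stray leading space (`" BIO_new_mem_buf() failed"`). In `ngx_http_lua_ssl_cert_handler` the asynchronous path records only `cctx->done`, not whether the Lua code succeeded; if I read `ngx_http_lua_ssl_cert_done` correctly, a handler that errors after yielding still ends with `done = 1`, so the re-entered callback returns 1 and the handshake proceeds with whatever certificate was configured statically, whereas the synchronous `rc == NGX_ERROR` path returns 0 and fails the handshake. An error flag in `cctx` that makes the callback return 0 would make both paths fail closed consistently.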
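Review bot: the prototypes for `ngx_http_lua_ssl_cert_handler_inline` and `ngx_http_lua_ssl_cert_handler_file` in ngx_http_lua_sslcertby.h take `(ngx_log_t *log, ngx_http_lua_main_conf_t *lmcf, lua_State *L)`, but the definitions in ngx_http_lua_sslcertby.c take `(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L)`. This compiles only because the .c file does not include its own header and the callers reach the functions through the `void *` `cmd->post` cast; fixing the prototypes to `ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L);` (and likewise for `_file`) and including the header from the .c file would let the compiler catch the next drift. The header also uses `ngx_ssl_conn_t` outside any `#if (NGX_HTTP_SSL)` guard while the whole .c file is guarded; presumably ngx_http_lua_common.h pulls in the SSL headers, but a non-SSL build should be checked.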
@@ -111,7 +111,6 @@ static void ngx_http_lua_cleanup_zombie_child_uthreads(ngx_http_request_t *r, lua_State *L, ngx_http_lua_ctx_t *ctx, ngx_http_lua_co_ctx_t *coctx); static ngx_int_t ngx_http_lua_on_abort_resume(ngx_http_request_t *r); static void ngx_http_lua_close_fake_request(ngx_http_request_t *r); -static void ngx_http_lua_free_fake_request(ngx_http_request_t *r); static ngx_int_t ngx_http_lua_flush_pending_output(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx); static ngx_int_t @@ -3565,7 +3564,7 @@ ngx_http_lua_close_fake_request(ngx_http_request_t *r) } -static void +void ngx_http_lua_free_fake_request(ngx_http_request_t *r) { ngx_log_t *log; diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h index f735ffbcbb..627f662c7c 100644 --- a/src/ngx_http_lua_util.h +++ b/src/ngx_http_lua_util.h @@ -215,6 +215,8 @@ void ngx_http_lua_finalize_fake_request(ngx_http_request_t *r, void ngx_http_lua_close_fake_connection(ngx_connection_t *c); +void ngx_http_lua_free_fake_request(ngx_http_request_t *r); + void ngx_http_lua_release_ngx_ctx_table(ngx_log_t *log, lua_State *L, ngx_http_lua_ctx_t *ctx); diff --git a/t/014-bugs.t b/t/014-bugs.t index a09f0ad394..f27a6b0717 100644 --- a/t/014-bugs.t +++ b/t/014-bugs.t @@ -789,6 +789,7 @@ qr/recv\(\) failed \(\d+: Connection refused\) while resolving/ === TEST 35: github issue #218: ngx.location.capture hangs when querying a remote host that does not exist or is really slow to respond +--- ONLY --- config set $myurl "https://not-exist.agentzh.org"; location /toto { diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t new file mode 100644 index 0000000000..404288250f --- /dev/null +++ b/t/130-ssl-cert-by.t 
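Review bot: the `--- ONLY` added to TEST 35 of t/014-bugs.t is a Test::Nginx run filter that makes the harness skip every other block in that file, so the rest of its regression tests stop running until it is removed; it looks like a debugging leftover unrelated to the SSL feature and should be dropped from the commit. The util.c/util.h change that exports `ngx_http_lua_free_fake_request` is fine as is.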
@@ -0,0 +1,1158 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: + +use lib 'lib'; +use Test::Nginx::Socket::Lua; + +repeat_each(3); + +plan tests => repeat_each() * (blocks() * 6); + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211; +$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8'; + +#log_level 'warn'; +log_level 'debug'; + +no_long_string(); +#no_diff(); + +run_tests(); + +__DATA__ + +=== TEST 1: simple logging +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua 'print("ssl cert by lua is running!")'; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + 
ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +ssl_certificate_by_lua:1: ssl cert by lua is running! + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 2: sleep +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local begin = ngx.now() + ngx.sleep(0.1) + print("elapsed in ssl cert by lua: ", ngx.now() - begin) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send 
http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log eval +[ +'lua ssl server name: "test.com"', +qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, +] + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 3: timer +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local function f() + print("my timer run!") + end + local ok, err = ngx.timer.at(0, f) + if not ok then + ngx.log(ngx.ERR, "failed to create timer: ", err) + return + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = 
sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +my timer run! 
+ +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 4: cosocket +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_MEMCACHED_PORT) + if not ok then + ngx.log(ngx.ERR, "failed to connect to memc: ", err) + return + end + + local bytes, err = sock:send("flush_all\\r\\n") + if not bytes then + ngx.log(ngx.ERR, "failed to send flush_all command: ", err) + return + end + + local res, err = sock:receive() + if not res then + ngx.log(ngx.ERR, "failed to receive memc reply: ", err) + return + end + + print("received memc reply: ", res) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local 
line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +received memc reply: OK + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 5: clear certs +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + ssl.clear_certs() + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = 
sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log +lua ssl server name: "test.com" +sslv3 alert handshake failure + +--- no_error_log +[alert] +[emerg] +--- timeout: 3 + + + +=== TEST 6: set DER cert and private key +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + ssl.clear_certs() + + local f = assert(io.open("t/cert/test.crt.der")) + local cert_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_cert(cert_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + + local f = assert(io.open("t/cert/test.key.der")) + local pkey_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_pkey(pkey_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + '; + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] +[emerg] +--- timeout: 3 + + + +=== TEST 7: read SNI name via ssl.server_name() +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + print("read SNI name from Lua: ", ssl.server_name()) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, 
err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +read SNI name from Lua: test.com + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 8: read raw server addr via ssl.raw_server_addr() (unix domain socket) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log eval +[ +'lua ssl server name: "test.com"', +qr/Using unix socket file .*?nginx\.sock/ +] + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 9: read raw server addr via ssl.raw_server_addr() (IPv4) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.1:12345 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local byte = string.byte + + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.1", 12345) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + 
ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +Using IPv4 address: 127.0.0.1 + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 10: read raw server addr via ssl.raw_server_addr() (IPv6) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen [::1]:12345 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local byte = string.byte + + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate 
../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("[::1]", 12345) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +Using IPv6 address: 0.0.0.1 + +--- no_error_log +[error] +[alert] +--- timeout: 3 + 
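Review bot: TEST 8's ssl_certificate_by_lua snippet calls `byte(addr, 1)` through `byte(addr, 16)` without the `local byte = string.byte` that TESTS 9 and 10 declare, so its IPv4 and IPv6 branches would fail with an "attempt to call global 'byte'" error if the listener were anything but a unix socket; the block passes only because the unix branch is the one taken. All three snippets also assign `ip = string.format(...)` to an undeclared global, which leaks across handshakes in the shared Lua VM. Add `local byte = string.byte` and `local ip` at the top of the TEST 8 snippet (and `local ip` in TESTS 9 and 10), and give the IPv6 branch, which prints bytes 13–16 as a dotted quad and expects `0.0.0.1` for ::1, a comment such as `-- only the low 4 bytes of the 16-byte address, enough to tell ::1 apart`. Separately, TEST 6 logs `"failed to set DER cert: "` in the set_der_pkey failure branch; it should read `"failed to set DER private key: "` so a key/cert mismatch is diagnosable from the error log.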
diff --git a/t/cert/test.crt.der b/t/cert/test.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..0b6ef6344989954d7fe0d3413cb94317e7179a1d GIT binary patch literal 685 zcmXqLVp?g?#3aPT$*`0!H*C`OX^#we**LY@JlekVGBUEVG8i;YH{>?pWMd9xVH0Kw z4K@@u5Cm~Jc(|Msb28KNi}ErP4aE#ZK!WT%yupci3T{P-dC8f@$@zvt1_B^)E*?(* zg4DdA)Z&s#m>4&*n4keaNF6f|M+s1kUUGh}p@M-N+##HdVuFe3sd*(;84l^WiJ3Vd z6$T38yoM$Q=0=7F#zw{_=1~&-Muw(_24;rFP=P`0_Qv_h;mpX&z}(mi4C_v&#zux0 ze{0Tqzn!^gf_6@vy}o2ljL=D=55G)zZNEMv6Fs0ykJ+lE#)8{Y% literal 0 HcmV?d00001 diff --git a/t/cert/test.key.der b/t/cert/test.key.der new file mode 100644 index 0000000000000000000000000000000000000000..537a4f1b32630ed8b73a53eb18f99af542d0b11e GIT binary patch literal 610 zcmV-o0-gOZf&yLw0RRGlfdJ_Je9cSknWB&@Y+gSv8Ejk<$ujWzHM+OgnQA27bH(?G zvwd0VtHgZdO&Fxa{oDZx2u&NAi3`Qy4#PXF43j_G(>x!6er|cus?(0ZB>t!VY$Xin z#z@*G1iBYPIy<#jy3#2Gn|5*yN~a|9Ot*MQnC@3fig+;dE@iJ)gjWIs0RRC4fq?+n z0qd&@G6uFtqj{YNM@w?U3P-OB>u%KLjOCXb2ZElDnF8m$Y=7%>KGvIhXNXj2LOkFA zE}(c}#Qs9l7x%8{GgBjQR_!0VBIb&^QH-hHEe7={x{QhyA3gr_Ba~{a3T&^NMSm4b zMl2nffw1zquOoTVB`~o~Je}#N1Kt4wK>+k*y+f0acv%dzTx=l?U)WTvWDAY|S1D!! zYGdXa0N%_<@snF8-R^aU{g@=&W4-@qp@)bt!|uUOjXfGkmf-?H0Q3$VEtUG+lLOyA z=(zg%HZX8uB!uA&eOgD`nUMNL;1~TtcdEdiixbtiKx5>mnPuBc4vN2!w$MqwY(@N9 zHv&K;kw!RdMb%CXwwCpt&w%6_^k@QYX6Xex&=E1Rz>I=M6Yr8~MuBJVrmgOmG>X z&}cSw`3puBNks~+?}99m&sE_Xc%PwqZKC)t9en~p0P2=mdc7ora Date: Wed, 24 Sep 2014 16:19:01 -0700 Subject: [PATCH 02/56] tests: added passing tests for set DER certificate chain. --- t/130-ssl-cert-by.t | 126 ++++++++++++++++++++++++++++++++++ t/cert/chain/chain.der | Bin 0 -> 1903 bytes t/cert/chain/root-ca.crt | 16 +++++ t/cert/chain/test-com.key.der | Bin 0 -> 608 bytes 4 files changed, 142 insertions(+) create mode 100644 t/cert/chain/chain.der create mode 100644 t/cert/chain/root-ca.crt create mode 100644 t/cert/chain/test-com.key.der diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 404288250f..4d12b73024 100644 --- a/t/130-ssl-cert-by.t 
+++ b/t/130-ssl-cert-by.t 
@@ -1156,3 +1156,129 @@ Using IPv6 address: 0.0.0.1 [alert] --- timeout: 3 + + +=== TEST 11: set DER cert chain +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + ssl.clear_certs() + + local f = assert(io.open("t/cert/chain/chain.der")) + local cert_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_cert(cert_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + + local f = assert(io.open("t/cert/chain/test-com.key.der")) + local pkey_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_pkey(pkey_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + '; + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http 
request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] +[emerg] +--- timeout: 3 + 
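Review bot: TEST 11's set_der_pkey failure branch logs `"failed to set DER cert: "`, copied from the certificate branch, so a failure to load t/cert/chain/test-com.key.der would be reported as a certificate problem; change it to `ngx.log(ngx.ERR, "failed to set DER private key: ", err)`. The only evidence the test has that set_der_cert installed the whole chain from chain.der is that the client, trusting just root-ca.crt with `lua_ssl_verify_depth 3`, completes the handshake; a companion block that installs only the leaf and expects a verify failure would pin down that the intermediate is actually presented rather than relying on the client's trust configuration. The `ssl_certificate ../../cert/test2.crt` still configured on the server is presumably there so nginx starts with a valid static cert; a comment saying it is discarded by `ssl.clear_certs()` at handshake time would help the next reader.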
diff --git a/t/cert/chain/chain.der b/t/cert/chain/chain.der new file mode 100644 index 0000000000000000000000000000000000000000..ee6d9bad2655d9b5491d78fa40e231ec805ea1e0 GIT binary patch literal 1903 zcmXqLV(KzzV*I>-nTe5!iAjLPfR~L^tIebBJ1-+6D=UM6uOYVqCmVAp3!5-gXt1HM zfgp&(!NcX8n3I{7UzC@bXeeYL021Wl;q)&^%?nB`E~zvWH4p}gG4t>QXQt<6=B4X8 zJL(!4D2VeKniyCb85o!vnVXnJN$?vP0tGCL%%K7Xo@81mXuuD#kfQ|X0KMe=T!Y5> z$i87@WngaXWiV*$WNK_=xDmW&O^p4|h85GiH$>cyYP)yJfa#{>iEkoD9ZovF-d%O^ z;m>K-Ay;4QUlS1JDR^sUg3ANd3B@71FkNh^adE>!wz=DggEVb%1IqANx2Ow5c7 zjEk!cD#4*EE6l=Vz+j-m#+lIO!Pxf0iIJB@UQ8AgoWa393ht?SsYQt;sVNH1sYNB3 zX_?7Dj)5%Dzp{KRVk{!^w-4O3@h)F6YmKpdb-|JIyH2p*HIN5ME3-%#h&6~zhw%RnN=sSd|>Xyz^F&(~p08g=hNjshOO;6;oxM!Y-k{ zFmYRi(KLbSpXwQoxHxa0`^YfU|IpN45< zI=)ulpou9Nm>SQ(QX?~(8>yQb4N+2~seuV}=jyx@`pOfh znL7K-?DTvGmFq75uiWdsVkYy@T>Jk2Ow(L$|8=v(p07Nna=CBGVSUvbpVNx_TKeWJ zJO1-r&-S?qYOOx~U!29)&z&OmRk2z|d(OLmUZ--8pMR&tq#>UtJf+n>U@^1A-khIX z=bG@ zfCrTFgjrY(m>C)WqeUSonOS>pGYl-6_1-BVZbm}kbu}-yk9_hR`<_Y1Kl-Z?(!22} zXFkj6%sZBG=?^B(7nrigbb?pvzlgmr=SqCobVMhQm0?M8WLE2WJ`Jn2CNgq89Ou_m zN<7mR^PI!YnHHcKT){HWR^8zUPtmoWYa8c${q&<}4ma;Z@7Zrort--BQ)izBOlD=k zWOg5x%$U&JXplfe86;*P0xECVd3b{p^Ay~Q67!NXi<9%Q7KQ=_d?2;VJnTXF`6UX@ zj>sv`z|z1JCFOwysGIT(@us|;vuw8+-rd&qaeks|Wx=;s-dX%SMXy}{_y(T;TG%mV z&QBJHnSXV~MXm0|7kIH%3jc2OTzf0hMX0f4?hQ#hzZb_D-u;}`Shb(?S;vOQn_irH zT%`P@t=aL^X3qm(%et;_{j*p|TAO=IxPZ!Zhkd8TpC7$9Svqpce-rz&z9MCue4nwU zJgf-|Ipu|=p6pHyRo7cB@rMea*B_eGnOVPApB| za;xEg39Ti4BIVVKbV9s8EY)ciI&xLUE56!L?QQa|tIdzL${zk~vS8QUckS;A3fD;= Ooj#jm*_^cp4gmmuYmdJG literal 0 HcmV?d00001 diff --git a/t/cert/chain/root-ca.crt b/t/cert/chain/root-ca.crt new file mode 100644 index 0000000000..d2f3c8fa07 --- /dev/null +++ b/t/cert/chain/root-ca.crt 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIJAK3s1yAQ5tdfMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTQw +OTIwMDM1NTU0WhgPMjExNDA4MjcwMzU1NTRaMGAxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQK +DAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAN7CcpCjiafBdl1KaExRcuutAF0/eq4/ht7L4/i0nPDzikscFJ/O +aVyH3UpUF/KMq+72vom2bEbUeRROr1rL/JRe9raGlQtvdovHZt6f4c3/Coihtupp +9BXYrBCU4P+Bxai5gtTXGFvLC2a72qKcXDNeH+NxpIaemfPxSvemCYUXAgMBAAGj +UDBOMB0GA1UdDgQWBBRWZcmLZVUnLqsU8CZGvbueoStBWDAfBgNVHSMEGDAWgBRW +ZcmLZVUnLqsU8CZGvbueoStBWDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBAGjMH6qkY+61311DERFhDuYzMSSZjH53qzFseq/chlIMGjrgJIMy6rl7T0AU +2hjvW+FOyhf5NqRrAQDTTuLbtXZ/ygiUformE8lR/SNRY/DVj1yarQkWUC5UpqOs +GWG1VW9DHQAMFVkYwPO3XKeTXpEFOxPLHtXBYcVemCT4zo42 +-----END CERTIFICATE----- diff --git a/t/cert/chain/test-com.key.der b/t/cert/chain/test-com.key.der new file mode 100644 index 0000000000000000000000000000000000000000..3a19bbc15f54965569b9cdbc364ad802fcf0f98d GIT binary patch literal 608 zcmV-m0-yabf&yFu0RRGlfdJT3tgKu=`GBaFOR!kmT87@rFap^b$o3S)K*>StyL!># z`Ib9W)#$&hP+Cb5+L>TP;3a54HhlKZw4AwE*6Qa(m}Bdra`@?Kv`S5AhC#|_SYhUH z=m`F;!gX0B4)8A;aD$AacVy^I)x{`csZ-IRBK0;yr$zv(msE1paz_FK0RRC4fq?*t zf92^&S%HN;qY6m$vA967t6~W4Wo}NpwFMC8O{T=sQwRxdeCFCAx~%v%DVqS2C^ayV zs{Z#s2=mkm8)d$Yo3z7esA00!r09uLV5cKpP;N8z6yR-lD?i_a)mxVRoC<$Jk>t%f z^VyApSHt%>UQybzFw8O^67zID)80V>K>+)z56noCvD!IBe?!nkep3Dj4^Jba5}R?C zMsCV}nvah|(3m<=I_(Dvf5Lbkost%6yPA~my)MPH58Bym39|x00Nf42!fShU4<=$l z1Ocofv+Kj!#VELw)Apmv6#I~;#^D@2x1Lg!k5xQVu>g^MlsY&sB5 z9RfgDd2tkAZ!#B#3h1)#g@5C%YbW-qkWczm^w`cCVrTRaX~yfll+hxCS1pq;r;@$N zBfQX?i>&s^F$}`CmCj$vYktvGYO=0Rlii=bg|=440CE0a7HV8PO6s^wmc3 u;gLyx|KBGYtFNts;fU>EZ-g=UjMGcIpF7wAU?L2S1S;VG literal 0 HcmV?d00001 From dd5644e061757580fb6d78d5a4b1522717384f26 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Wed, 24 Sep 2014 15:39:36 -0700 Subject: [PATCH 03/56] feature: implemented the ssl_certificate_by_lua and ssl_certificate_by_lua_file directives. also added the Lua module ngx.ssl under the lua/ directory. --- .gitignore | 1 + config | 2 + lua/ngx/ssl.lua | 142 ++++ patches/nginx-ssl-cert.patch | 37 ++ src/ngx_http_lua_common.h | 25 +- src/ngx_http_lua_contentby.h | 2 +- src/ngx_http_lua_directive.c | 5 +- src/ngx_http_lua_module.c | 77 ++- src/ngx_http_lua_sleep.c | 3 +- src/ngx_http_lua_socket_tcp.c | 10 +- src/ngx_http_lua_sslcertby.c | 641 ++++++++++++++++++ src/ngx_http_lua_sslcertby.h | 28 + src/ngx_http_lua_util.c | 3 +- src/ngx_http_lua_util.h | 2 + t/014-bugs.t | 1 + t/130-ssl-cert-by.t | 1158 +++++++++++++++++++++++++++++++++ t/cert/test.crt.der | Bin 0 -> 685 bytes t/cert/test.key.der | Bin 0 -> 610 bytes t/cert/test2.crt | 16 + t/cert/test2.key | 15 + 20 files changed, 2152 insertions(+), 16 deletions(-) create mode 100644 lua/ngx/ssl.lua create mode 100644 patches/nginx-ssl-cert.patch create mode 100644 src/ngx_http_lua_sslcertby.c create mode 100644 src/ngx_http_lua_sslcertby.h create mode 100644 t/130-ssl-cert-by.t create mode 100644 t/cert/test.crt.der create mode 100644 t/cert/test.key.der create mode 100644 t/cert/test2.crt create mode 100644 t/cert/test2.key diff --git a/.gitignore b/.gitignore index 61613b2dca..db7e1a902e 100644 --- a/.gitignore +++ b/.gitignore @@ -153,6 +153,7 @@ src/uthread.[ch] src/timer.[ch] src/config.[ch] src/worker.[ch] +src/sslcertby.[ch] *.plist lua ttimer diff --git a/config b/config index 1cb9fd33e1..748948dd84 100644 --- a/config +++ b/config @@ -253,6 +253,7 @@ NGX_ADDON_SRCS="$NGX_ADDON_SRCS \ $ngx_addon_dir/src/ngx_http_lua_timer.c \ $ngx_addon_dir/src/ngx_http_lua_config.c \ $ngx_addon_dir/src/ngx_http_lua_worker.c \ + $ngx_addon_dir/src/ngx_http_lua_sslcertby.c \ " NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ 
@@ -306,6 +307,7 @@ NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ $ngx_addon_dir/src/ngx_http_lua_timer.h \ $ngx_addon_dir/src/ngx_http_lua_config.h \ $ngx_addon_dir/src/ngx_http_lua_worker.h \ + $ngx_addon_dir/src/ngx_http_lua_sslcertby.h \ " CFLAGS="$CFLAGS -DNDK_SET_VAR" diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua new file mode 100644 index 0000000000..0111b5358a --- /dev/null +++ b/lua/ngx/ssl.lua 
@@ -0,0 +1,142 @@
+-- Copyright (C) 2014 Yichun Zhang
+
+
+local ffi = require "ffi"
+local base = require "resty.core.base"
+
+
+local C = ffi.C
+local ffi_str = ffi.string
+local getfenv = getfenv
+local errmsg = base.get_errmsg_ptr()
+local get_string_buf = base.get_string_buf
+local get_size_ptr = base.get_size_ptr
+local FFI_DECLINED = base.FFI_DECLINED
+local FFI_OK = base.FFI_OK
+
+
+ffi.cdef[[
+
+struct ngx_ssl_conn_s;
+typedef struct ngx_ssl_conn_s ngx_ssl_conn_t;
+
+int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r,
+ const char *data, size_t len, char **err);
+
+int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err);
+
+int ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r,
+ const char *data, size_t len, char **err);
+
+int ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
+ size_t *addrlen, int *addrtype, char **err);
+
+int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
+ size_t *namelen, char **err);
+
+]]
+
+
+local _M = {}
+
+
+local charpp = ffi.new("char*[1]")
+local intp = ffi.new("int[1]")
+
+
+function _M.clear_certs(data)
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local rc = C.ngx_http_lua_ffi_ssl_clear_certs(r, errmsg)
+ if rc == FFI_OK then
+ return true
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.set_der_cert(data)
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data, errmsg)
+ if rc == FFI_OK then
+ return true
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.set_der_pkey(data)
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data, errmsg)
+ if rc == FFI_OK then
+ return true
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+local addr_types = {
+ [1] = "unix",
+ [2] = "inet",
+ [10] = "inet6",
+}
+
+
+function _M.raw_server_addr()
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local sizep = get_size_ptr()
+
+ local rc = C.ngx_http_lua_ffi_ssl_raw_server_addr(r, charpp, sizep,
+ intp, errmsg)
+ if rc == FFI_OK then
+ local typ = addr_types[intp[0]]
+ if not typ then
+ return nil, nil, "unknown address type: " .. intp[0]
+ end
+ return ffi_str(charpp[0], sizep[0]), typ
+ end
+
+ return nil, nil, ffi_str(errmsg[0])
+end
+
+
+function _M.server_name()
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local sizep = get_size_ptr()
+
+ local rc = C.ngx_http_lua_ffi_ssl_server_name(r, charpp, sizep, errmsg)
+ if rc == FFI_OK then
+ return ffi_str(charpp[0], sizep[0])
+ end
+
+ if rc == FFI_DECLINED then
+ return nil
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+return _M
diff --git a/patches/nginx-ssl-cert.patch b/patches/nginx-ssl-cert.patch
new file mode 100644
index 0000000000..2cf6dee59d
--- /dev/null
+++ b/patches/nginx-ssl-cert.patch
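Review bot: `addr_types` in `_M.raw_server_addr` hard-codes `[10] = "inet6"`, but the C side (the `ngx_http_lua_ffi_ssl_raw_server_addr` hunk later in this patch) stores the platform's raw `AF_INET6` into `*addrtype`, and 10 is the Linux value only — it is 30 on macOS, 28 on FreeBSD and 24 on OpenBSD — so on those systems every IPv6 listener is reported as "unknown address type". Have the C function return a small module-defined enumeration (for example 1/2/3 for unix/inet/inet6) and map that here instead of the `AF_*` constants. Separately, `clear_certs(data)` declares a `data` parameter it never reads, `get_string_buf` is bound but unused, and `set_der_cert`/`set_der_pkey` pass `data` straight into `#data` and the FFI call, so a non-string argument fails inside LuaJIT's FFI rather than with a clear message; a guard such as `if type(data) ~= "string" then return error("string expected") end` at the top of both would make the contract explicit.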
@@ -0,0 +1,37 @@ +diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c 2014-08-05 04:13:07.000000000 -0700 ++++ b/src/event/ngx_event_openssl.c 2014-09-12 12:17:33.034582693 -0700 +@@ -1121,6 +1121,21 @@ ngx_ssl_handshake(ngx_connection_t *c) + return NGX_AGAIN; + } + ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; +diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +--- a/src/event/ngx_event_openssl.h 2014-08-05 04:13:07.000000000 -0700 ++++ b/src/event/ngx_event_openssl.h 2014-09-12 12:16:32.016208272 -0700 +@@ -56,6 +56,8 @@ typedef struct { + ngx_event_handler_pt saved_read_handler; + ngx_event_handler_pt saved_write_handler; + ++ void *ctx; /* used by 3rd-party modules */ ++ + unsigned handshaked:1; + unsigned renegotiation:1; + unsigned buffer:1; diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h index dd69d1cbd3..d632f0d6c6 100644 --- a/src/ngx_http_lua_common.h +++ b/src/ngx_http_lua_common.h @@ -94,6 +94,7 @@ typedef struct { #define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x040 #define NGX_HTTP_LUA_CONTEXT_TIMER 0x080 #define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x100 +#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x200 #ifndef NGX_LUA_NO_FFI_API 
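Review bot: The `void *ctx; /* used by 3rd-party modules */` slot added to the SSL connection struct in `patches/nginx-ssl-cert.patch` is a single untagged pointer, and the certificate handler in this series both interprets it as its own `ngx_http_lua_ssl_cert_ctx_t` and resets it to NULL when done, so any other third-party module that also uses the slot on the same connection would corrupt that state. At minimum the comment should name the owner, e.g. `/* per-connection state of ngx_lua's ssl_certificate_by_lua; not shareable */`, and a module-specific ex_data index obtained via `SSL_get_ex_new_index` would remove the need for this core patch entirely. The new `SSL_ERROR_WANT_X509_LOOKUP` branch in `ngx_ssl_handshake` mirrors the WANT_READ/WANT_WRITE handling and arms no timer of its own, so it presumably relies on whatever timeout the caller already set; a comment stating that would help, since a stalled Lua certificate handler now holds the handshake open for that long.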
@@ -103,10 +104,13 @@ typedef struct { typedef struct ngx_http_lua_main_conf_s ngx_http_lua_main_conf_t; +typedef struct ngx_http_lua_srv_conf_s ngx_http_lua_srv_conf_t; -typedef ngx_int_t (*ngx_http_lua_conf_handler_pt)(ngx_log_t *log, - ngx_http_lua_main_conf_t *lmcf, lua_State *L); +typedef ngx_int_t (*ngx_http_lua_main_conf_handler_pt)(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); +typedef ngx_int_t (*ngx_http_lua_srv_conf_handler_pt)(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lmcf, lua_State *L); typedef struct { @@ -145,11 +149,11 @@ struct ngx_http_lua_main_conf_s { ngx_flag_t postponed_to_rewrite_phase_end; ngx_flag_t postponed_to_access_phase_end; - ngx_http_lua_conf_handler_pt init_handler; - ngx_str_t init_src; + ngx_http_lua_main_conf_handler_pt init_handler; + ngx_str_t init_src; - ngx_http_lua_conf_handler_pt init_worker_handler; - ngx_str_t init_worker_src; + ngx_http_lua_main_conf_handler_pt init_worker_handler; + ngx_str_t init_worker_src; ngx_uint_t shm_zones_inited; @@ -163,6 +167,15 @@ struct ngx_http_lua_main_conf_s { }; +struct ngx_http_lua_srv_conf_s { +#if (NGX_HTTP_SSL) + ngx_http_lua_srv_conf_handler_pt ssl_cert_handler; + ngx_str_t ssl_cert_src; + u_char *ssl_cert_src_key; +#endif +}; + + typedef struct { #if (NGX_HTTP_SSL) ngx_ssl_t *ssl; /* shared by SSL cosockets */ diff --git a/src/ngx_http_lua_contentby.h b/src/ngx_http_lua_contentby.h index 766baa6c9b..58ba8e1624 100644 --- a/src/ngx_http_lua_contentby.h +++ b/src/ngx_http_lua_contentby.h @@ -12,7 +12,7 @@ #include "ngx_http_lua_common.h" -ngx_int_t ngx_http_lua_content_by_chunk(lua_State *l, ngx_http_request_t *r); +ngx_int_t ngx_http_lua_content_by_chunk(lua_State *L, ngx_http_request_t *r); void ngx_http_lua_content_wev_handler(ngx_http_request_t *r); ngx_int_t ngx_http_lua_content_handler_file(ngx_http_request_t *r); ngx_int_t ngx_http_lua_content_handler_inline(ngx_http_request_t *r); 
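Review bot: `struct ngx_http_lua_srv_conf_s` in the `@@ -163,6 +167,15 @@` hunk has no members at all when `NGX_HTTP_SSL` is off, which ISO C does not allow (GCC accepts it only as an extension, giving it `sizeof` 0), and `ngx_http_lua_create_srv_conf` in the module.c hunk then calls `ngx_pcalloc` for a zero-sized object. Keep one member outside the `#if`, e.g. `unsigned unused; /* placeholder: no SSL-independent fields yet */`, or wrap the whole srv-conf machinery in `#if (NGX_HTTP_SSL)`. Also, the new `ngx_http_lua_srv_conf_handler_pt` typedef names its conf parameter `lmcf`, the main-conf abbreviation used everywhere else in this file; `lscf` matches the definitions in sslcertby.c.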
diff --git a/src/ngx_http_lua_directive.c b/src/ngx_http_lua_directive.c index ef0751fe66..8106effda3 100644 --- a/src/ngx_http_lua_directive.c +++ b/src/ngx_http_lua_directive.c @@ -24,6 +24,7 @@ #include "ngx_http_lua_initby.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_shdict.h" +#include "ngx_http_lua_sslcertby.h" #if defined(NDK) && NDK @@ -898,7 +899,7 @@ ngx_http_lua_init_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_ERROR; } - lmcf->init_handler = (ngx_http_lua_conf_handler_pt) cmd->post; + lmcf->init_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post; if (cmd->post == ngx_http_lua_init_by_file) { name = ngx_http_lua_rebase_path(cf->pool, value[1].data, @@ -939,7 +940,7 @@ ngx_http_lua_init_worker_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, value = cf->args->elts; - lmcf->init_worker_handler = (ngx_http_lua_conf_handler_pt) cmd->post; + lmcf->init_worker_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post; if (cmd->post == ngx_http_lua_init_worker_by_file) { name = ngx_http_lua_rebase_path(cf->pool, value[1].data, diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 1c57d904d7..374461f557 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -23,6 +23,8 @@ #include "ngx_http_lua_initby.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_probe.h" +#include "ngx_http_lua_sslcertby.h" +#include #if !defined(nginx_version) || nginx_version < 8054 @@ -32,7 +34,11 @@ static void *ngx_http_lua_create_main_conf(ngx_conf_t *cf); static char *ngx_http_lua_init_main_conf(ngx_conf_t *cf, void *conf); +static void *ngx_http_lua_create_srv_conf(ngx_conf_t *cf); +static char *ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, + void *child); static void *ngx_http_lua_create_loc_conf(ngx_conf_t *cf); + static char *ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t ngx_http_lua_init(ngx_conf_t *cf); 
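Review bot: The `@@ -32,7 +34,11 @@` hunk in ngx_http_lua_module.c inserts a stray blank line between the `ngx_http_lua_create_loc_conf` and `ngx_http_lua_merge_loc_conf` prototypes, splitting a pair the surrounding block keeps together; drop it. In the `@@ -23,6 +23,8 @@` hunk the added `+#include` line shows no header name in this rendering — presumably an angle-bracket include that was stripped — so it is worth confirming the real patch names the OpenSSL header that `SSL_CTX_set_cert_cb` needs.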
@@ -404,6 +410,24 @@ static ngx_command_t ngx_http_lua_cmds[] = { offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), NULL }, +#if (NGX_HTTP_SSL) + + { ngx_string("ssl_certificate_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_http_lua_ssl_cert_by_lua, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_cert_handler_inline }, + + { ngx_string("ssl_certificate_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, + ngx_http_lua_ssl_cert_by_lua, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_cert_handler_file }, + +#endif /* NGX_HTTP_SSL */ + { ngx_string("lua_ssl_verify_depth"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_num_slot, @@ -438,8 +462,8 @@ ngx_http_module_t ngx_http_lua_module_ctx = { ngx_http_lua_create_main_conf, /* create main configuration */ ngx_http_lua_init_main_conf, /* init main configuration */ - NULL, /* create server configuration */ - NULL, /* merge server configuration */ + ngx_http_lua_create_srv_conf, /* create server configuration */ + ngx_http_lua_merge_srv_conf, /* merge server configuration */ ngx_http_lua_create_loc_conf, /* create location configuration */ ngx_http_lua_merge_loc_conf /* merge location configuration */ 
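Review bot: The `ssl_certificate_by_lua_file` entry in `ngx_http_lua_cmds` disagrees with the `ssl_certificate_by_lua` entry just above it: it lacks `NGX_HTTP_SRV_CONF` and uses `NGX_HTTP_LOC_CONF_OFFSET`, so nginx rejects the directive inside `server {}`, and at `http {}` level it hands `ngx_http_lua_ssl_cert_by_lua` the location conf, which that handler then writes through an `ngx_http_lua_srv_conf_t *` cast (`ssl_cert_handler`, `ssl_cert_src`, `ssl_cert_src_key` land in the wrong struct). Both lines should match the inline variant: `NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,` and `NGX_HTTP_SRV_CONF_OFFSET,`. The visible tests in t/130-ssl-cert-by.t use only the inline form, which would explain why this went unnoticed; a `_file` test case would pin it.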
@@ -679,6 +703,55 @@ ngx_http_lua_init_main_conf(ngx_conf_t *cf, void *conf) } +static void * +ngx_http_lua_create_srv_conf(ngx_conf_t *cf) +{ + ngx_http_lua_srv_conf_t *lscf; + + lscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_lua_srv_conf_t)); + if (lscf == NULL) { + return NULL; + } + + /* set by ngx_pcalloc: + * lscf->ssl_cert_handler = NULL; + * lscf->ssl_cert_src = { 0, NULL }; + */ + + return lscf; +} + + +static char * +ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +{ + ngx_http_lua_srv_conf_t *prev = parent; + ngx_http_lua_srv_conf_t *conf = child; + ngx_http_ssl_srv_conf_t *sscf; + + dd("merge srv conf"); + + if (conf->ssl_cert_src.len == 0) { + conf->ssl_cert_src = prev->ssl_cert_src; + conf->ssl_cert_handler = prev->ssl_cert_handler; + } + + if (conf->ssl_cert_src.len) { + sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module); + if (sscf == NULL || sscf->ssl.ctx == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no ssl configured for the server"); + + return NGX_CONF_ERROR; + } + + SSL_CTX_set_cert_cb(sscf->ssl.ctx, ngx_http_lua_ssl_cert_handler, NULL); + } + + return NGX_CONF_OK; +} + + static void * ngx_http_lua_create_loc_conf(ngx_conf_t *cf) { diff --git a/src/ngx_http_lua_sleep.c b/src/ngx_http_lua_sleep.c index c667af5997..eeb9651dbe 100644 --- a/src/ngx_http_lua_sleep.c +++ b/src/ngx_http_lua_sleep.c @@ -55,7 +55,8 @@ ngx_http_lua_ngx_sleep(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ctx->cur_co_ctx; if (coctx == NULL) { diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 374354812b..14cbc44009 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
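Review bot: Because `ssl_certificate_by_lua` is allowed at `http {}` level, every `server {}` that has no `ssl` listener inherits `ssl_cert_src` in `ngx_http_lua_merge_srv_conf` and then hits the `"no ssl configured for the server"` emerg, so a single plaintext server block makes the whole configuration fail to load. Distinguish the inherited case from a directive set directly on that server — for example skip the `SSL_CTX_set_cert_cb` call (optionally with a warning) when `conf->ssl_cert_src` was copied from `prev` and `sscf->ssl.ctx` is NULL — and keep the hard error only for an explicit directive without SSL. The `ngx_http_lua_create_srv_conf` comment listing the pcalloc-zeroed fields omits `ssl_cert_src_key`; add ` * lscf->ssl_cert_src_key = NULL;` so the list stays complete.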
@@ -383,7 +383,8 @@ ngx_http_lua_socket_tcp(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); lua_createtable(L, 3 /* narr */, 1 /* nrec */); lua_pushlightuserdata(L, &ngx_http_lua_tcp_socket_metatable_key); @@ -440,7 +441,8 @@ ngx_http_lua_socket_tcp_connect(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); luaL_checktype(L, 1, LUA_TTABLE); @@ -1317,6 +1319,10 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) u->ssl_name = name; u->write_co_ctx = coctx; +#if 0 + SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp); +#endif + rc = ngx_ssl_handshake(c); dd("ngx_ssl_handshake returned %d", (int) rc); diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c new file mode 100644 index 0000000000..908b89caae --- /dev/null +++ b/src/ngx_http_lua_sslcertby.c 
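Review bot: The `@@ -1317,6 +1319,10 @@` hunk commits a dead `#if 0` block around `SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp);` inside `ngx_http_lua_socket_tcp_sslhandshake`; either remove it or replace it with a one-line `/* TODO: request OCSP stapling from the upstream once ... */` comment explaining what is pending. The two context-mask hunks now let cosockets run from `NGX_HTTP_LUA_CONTEXT_SSL_CERT`, where the request is a fake request created before anything beyond the ClientHello has been read, so the only client-controlled input available is the SNI name; the allowed-context change deserves a comment to that effect so that handlers keying cosocket lookups on `ngx.ssl.server_name()` treat the value as untrusted and validate it before use. `ngx_http_lua_socket_tcp_sslhandshake` starts and ends outside the hunk.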
@@ -0,0 +1,641 @@ + +/* + * Copyright (C) Yichun Zhang (agentzh) + */ + + +#ifndef DDEBUG +#define DDEBUG 0 +#endif +#include "ddebug.h" + + +#if (NGX_HTTP_SSL) + + +#include "ngx_http_lua_cache.h" +#include "ngx_http_lua_initworkerby.h" +#include "ngx_http_lua_util.h" +#include "ngx_http_ssl_module.h" +#include "ngx_http_lua_contentby.h" + + +static void ngx_http_lua_ssl_cert_done(void *data); +static u_char * ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, + size_t len); +static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, + ngx_http_request_t *r); + + +typedef struct { + ngx_event_t sleep; + unsigned done; /* :1 */ +} ngx_http_lua_ssl_cert_ctx_t; + + +ngx_int_t +ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L) +{ + ngx_int_t rc; + + rc = ngx_http_lua_cache_loadfile(r, L, lscf->ssl_cert_src.data, + lscf->ssl_cert_src_key); + if (rc != NGX_OK) { + return rc; + } + + /* make sure we have a valid code chunk */ + ngx_http_lua_assert(lua_isfunction(L, -1)); + + return ngx_http_lua_ssl_cert_by_chunk(L, r); +} + + +ngx_int_t +ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L) +{ + ngx_int_t rc; + + rc = ngx_http_lua_cache_loadbuffer(r, L, lscf->ssl_cert_src.data, + lscf->ssl_cert_src.len, + lscf->ssl_cert_src_key, + "=ssl_certificate_by_lua"); + if (rc != NGX_OK) { + return rc; + } + + /* make sure we have a valid code chunk */ + ngx_http_lua_assert(lua_isfunction(L, -1)); + + return ngx_http_lua_ssl_cert_by_chunk(L, r); +} + + +char * +ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf) +{ + u_char *p; + u_char *name; + ngx_str_t *value; + ngx_http_lua_srv_conf_t *lscf = conf; + + dd("enter"); + + /* must specifiy a content handler */ + if (cmd->post == NULL) { + return NGX_CONF_ERROR; + } + + if (lscf->ssl_cert_handler) { + return "is duplicate"; + } + + value = cf->args->elts; + + lscf->ssl_cert_handler = 
(ngx_http_lua_srv_conf_handler_pt) cmd->post; + + if (cmd->post == ngx_http_lua_ssl_cert_handler_file) { + /* Lua code in an external file */ + + name = ngx_http_lua_rebase_path(cf->pool, value[1].data, + value[1].len); + if (name == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src.data = name; + lscf->ssl_cert_src.len = ngx_strlen(name); + + p = ngx_palloc(cf->pool, NGX_HTTP_LUA_FILE_KEY_LEN + 1); + if (p == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src_key = p; + + p = ngx_copy(p, NGX_HTTP_LUA_FILE_TAG, NGX_HTTP_LUA_FILE_TAG_LEN); + p = ngx_http_lua_digest_hex(p, value[1].data, value[1].len); + *p = '\0'; + + } else { + /* inlined Lua code */ + + lscf->ssl_cert_src = value[1]; + + p = ngx_palloc(cf->pool, NGX_HTTP_LUA_INLINE_KEY_LEN + 1); + if (p == NULL) { + return NGX_CONF_ERROR; + } + + lscf->ssl_cert_src_key = p; + + p = ngx_copy(p, NGX_HTTP_LUA_INLINE_TAG, NGX_HTTP_LUA_INLINE_TAG_LEN); + p = ngx_http_lua_digest_hex(p, value[1].data, value[1].len); + *p = '\0'; + } + + return NGX_CONF_OK; +} + + +int +ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) +{ + lua_State *L; + ngx_int_t rc; + ngx_connection_t *c, *fc; + ngx_http_request_t *r = NULL; + ngx_pool_cleanup_t *cln; + ngx_http_connection_t *hc; + ngx_http_lua_srv_conf_t *lscf; + ngx_http_lua_ssl_cert_ctx_t *cctx; + + c = ngx_ssl_get_connection(ssl_conn); + + cctx = c->ssl->ctx; + + dd("ssl cert handler, cert-ctx=%p", cctx); + + if (cctx) { + /* not the first time */ + + if (cctx->done) { + dd("lua ssl cert done, finally"); + c->ssl->ctx = NULL; + return 1; + } + + return -1; + } + + /* cctx == NULL */ + + dd("first time"); + + hc = c->data; + + fc = ngx_http_lua_create_fake_connection(); + if (fc == NULL) { + goto failed; + } + + fc->log->handler = ngx_http_lua_log_ssl_cert_error; + + r = ngx_http_lua_create_fake_request(fc); + if (r == NULL) { + goto failed; + } + + r->main_conf = hc->conf_ctx->main_conf; + r->srv_conf = hc->conf_ctx->srv_conf; + r->loc_conf = 
hc->conf_ctx->loc_conf; + + fc->log->file = c->log->file; + fc->log->log_level = c->log->log_level; + fc->ssl = c->ssl; + + lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module); + + /* TODO honor lua_code_cache off */ + L = ngx_http_lua_get_lua_vm(r, NULL); + + rc = lscf->ssl_cert_handler(r, lscf, L); + + if (rc == NGX_OK) { + return 1; /* continue ssl handshaking */ + } + + if (rc == NGX_ERROR || rc > NGX_OK) { + return 0; /* error */ + } + + /* rc == NGX_DONE */ + + cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_cert_ctx_t)); + if (cctx == NULL) { + goto failed; /* error */ + } + + c->ssl->ctx = cctx; + + cln = ngx_pool_cleanup_add(fc->pool, 0); + if (cln == NULL) { + goto failed; + } + + cln->handler = ngx_http_lua_ssl_cert_done; + cln->data = ssl_conn; + +#if 0 + cctx->sleep.handler = ngx_http_lua_ssl_cert_done; + cctx->sleep.data = ssl_conn; + cctx->sleep.log = c->log; + + ngx_add_timer(&cctx->sleep, 1000); +#endif + + c->log->action = "loading SSL certificate by lua"; + + return -1; + +#if 1 +failed: + + if (r && r->pool) { + ngx_http_lua_free_fake_request(r); + } + + if (fc) { + ngx_http_lua_close_fake_connection(fc); + } + + return 0; +#endif +} + + +static void +ngx_http_lua_ssl_cert_done(void *data) +{ + ngx_ssl_conn_t *ssl_conn = data; + ngx_connection_t *c; + ngx_http_lua_ssl_cert_ctx_t *cctx; + + dd("lua ssl cert done"); + + c = ngx_ssl_get_connection(ssl_conn); + + cctx = c->ssl->ctx; + if (cctx == NULL) { + return; + } + + cctx->done = 1; + + c->log->action = "SSL handshaking"; + c->write->handler(c->write);; +} + + +static u_char * +ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len) +{ + u_char *p; + + if (log->action) { + p = ngx_snprintf(buf, len, " while %s", log->action); + len -= p - buf; + buf = p; + } + + return ngx_snprintf(buf, len, ", context: ssl_certificate_by_lua*"); +} + + +static ngx_int_t +ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) +{ + int co_ref; + ngx_int_t rc; + lua_State 
*co; + ngx_http_lua_ctx_t *ctx; + ngx_http_cleanup_t *cln; + + ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module); + + if (ctx == NULL) { + ctx = ngx_http_lua_create_ctx(r); + if (ctx == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + } else { + dd("reset ctx"); + ngx_http_lua_reset_ctx(r, L, ctx); + } + + ctx->entered_content_phase = 1; + + /* {{{ new coroutine to handle request */ + co = ngx_http_lua_new_thread(r, L, &co_ref); + + if (co == NULL) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "lua: failed to create new coroutine to handle request"); + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + /* move code closure to new coroutine */ + lua_xmove(L, co, 1); + + /* set closure's env table to new coroutine's globals table */ + ngx_http_lua_get_globals_table(co); + lua_setfenv(co, -2); + + /* save nginx request in coroutine globals table */ + ngx_http_lua_set_req(co, r); + + ctx->cur_co_ctx = &ctx->entry_co_ctx; + ctx->cur_co_ctx->co = co; + ctx->cur_co_ctx->co_ref = co_ref; +#ifdef NGX_LUA_USE_ASSERT + ctx->cur_co_ctx->co_top = 1; +#endif + + /* register request cleanup hooks */ + if (ctx->cleanup == NULL) { + cln = ngx_http_cleanup_add(r, 0); + if (cln == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + cln->handler = ngx_http_lua_request_cleanup_handler; + cln->data = ctx; + ctx->cleanup = &cln->handler; + } + + ctx->context = NGX_HTTP_LUA_CONTEXT_SSL_CERT; + + rc = ngx_http_lua_run_thread(L, r, ctx, 0); + + if (rc == NGX_ERROR || rc >= NGX_OK) { + /* do nothing */ + + } else if (rc == NGX_AGAIN) { + rc = ngx_http_lua_content_run_posted_threads(L, r, ctx, 0); + + } else if (rc == NGX_DONE) { + rc = ngx_http_lua_content_run_posted_threads(L, r, ctx, 1); + + } else { + rc = NGX_OK; + } + + ngx_http_lua_finalize_request(r, rc); + return rc; +} + + +int +ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad 
request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + SSL_certs_clear(ssl_conn); + return NGX_OK; +} + + +int +ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, + const char *data, size_t len, char **err) +{ + BIO *bio = NULL; + X509 *x509 = NULL; + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + bio = BIO_new_mem_buf((char *) data, len); + if (bio == NULL) { + *err = " BIO_new_mem_buf() failed"; + goto failed; + } + + x509 = d2i_X509_bio(bio, NULL); + if (x509 == NULL) { + *err = " d2i_X509_bio() failed"; + goto failed; + } + + if (SSL_use_certificate(ssl_conn, x509) == 0) { + *err = " SSL_use_certificate() failed"; + goto failed; + } + + if (SSL_set_ex_data(ssl_conn, ngx_ssl_certificate_index, x509) == 0) { + *err = " SSL_set_ex_data() failed"; + goto failed; + } + + X509_free(x509); + x509 = NULL; + + /* read rest of the chain */ + + while (!BIO_eof(bio)) { + + x509 = d2i_X509_bio(bio, NULL); + if (x509 == NULL) { + *err = "d2i_X509_bio() failed"; + goto failed; + } + + if (SSL_add0_chain_cert(ssl_conn, x509) == 0) { + *err = "SSL_add0_chain_cert() failed"; + goto failed; + } + } + + BIO_free(bio); + + *err = NULL; + return NGX_OK; + +failed: + + if (bio) { + BIO_free(bio); + } + + if (x509) { + X509_free(x509); + } + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r, + const char *data, size_t len, char **err) +{ + BIO *bio = NULL; + EVP_PKEY *pkey = NULL; + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl 
conn"; + return NGX_ERROR; + } + + bio = BIO_new_mem_buf((char *) data, len); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + goto failed; + } + + pkey = d2i_PrivateKey_bio(bio, NULL); + if (pkey == NULL) { + *err = "d2i_PrivateKey_bio() failed"; + goto failed; + } + + if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) { + *err = "SSL_CTX_use_PrivateKey() failed"; + goto failed; + } + + EVP_PKEY_free(pkey); + BIO_free(bio); + + return NGX_OK; + +failed: + + if (pkey) { + EVP_PKEY_free(pkey); + } + + if (bio) { + BIO_free(bio); + } + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err) +{ +#if (NGX_HAVE_UNIX_DOMAIN) + struct sockaddr_un *saun; +#endif + ngx_ssl_conn_t *ssl_conn; + ngx_connection_t *c; + struct sockaddr_in *sin; +#if (NGX_HAVE_INET6) + struct sockaddr_in6 *sin6; +#endif + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + c = ngx_ssl_get_connection(ssl_conn); + + if (ngx_connection_local_sockaddr(c, NULL, 0) != NGX_OK) { + return 0; + } + + switch (c->local_sockaddr->sa_family) { + +#if (NGX_HAVE_INET6) + case AF_INET6: + sin6 = (struct sockaddr_in6 *) c->local_sockaddr; + *addrlen = 16; + *addr = (char *) &sin6->sin6_addr.s6_addr; + *addrtype = AF_INET6; + + break; +#endif + +#if (NGX_HAVE_UNIX_DOMAIN) + case AF_UNIX: + saun = (struct sockaddr_un *) c->local_sockaddr; + + /* on Linux sockaddr might not include sun_path at all */ + if (c->local_socklen <= + (socklen_t) offsetof(struct sockaddr_un, sun_path)) + { + *addr = ""; + *addrlen = 0; + + } else { + *addr = saun->sun_path; + *addrlen = ngx_strlen(saun->sun_path); + } + + *addrtype = AF_UNIX; + break; +#endif + + default: /* AF_INET */ + sin = (struct sockaddr_in *) c->local_sockaddr; + *addr = (char *) 
&sin->sin_addr.s_addr; + *addrlen = 4; + *addrtype = AF_INET; + break; + } + + return NGX_OK; +} + + +int +ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + *name = (char *) SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + + if (*name) { + *namelen = ngx_strlen(*name); + return NGX_OK; + } + + return NGX_DECLINED; +} + + +#endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_sslcertby.h new file mode 100644 index 0000000000..3135bfb0ef --- /dev/null +++ b/src/ngx_http_lua_sslcertby.h @@ -0,0 +1,28 @@ + +/* + * Copyright (C) Yichun Zhang (agentzh) + */ + + +#ifndef _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ +#define _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ + + +#include "ngx_http_lua_common.h" + + +ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); + +ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_log_t *log, + ngx_http_lua_main_conf_t *lmcf, lua_State *L); + +char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + +int ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); + + +#endif /* _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ */ + +/* vi:set ft=c ts=4 sw=4 et fdm=marker: */ diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index 794d08553f..c56d04c45a 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c 
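Review bot: In `ngx_http_lua_ffi_ssl_raw_server_addr` the `return 0;` after a failed `ngx_connection_local_sockaddr()` is indistinguishable from `NGX_OK` (which is 0), so the Lua wrapper treats the call as a success and builds a string from the never-written `*addr`/`*addrlen`; it should set `*err = "ngx_connection_local_sockaddr() failed";` and `return NGX_ERROR;`. The error text in `ngx_http_lua_ffi_ssl_set_der_private_key` names `SSL_CTX_use_PrivateKey()` although the call is `SSL_use_PrivateKey()`, and three messages in `ngx_http_lua_ffi_ssl_set_der_certificate` carry a stray leading space (`" BIO_new_mem_buf() failed"`). `ngx_http_lua_ssl_cert_handler` ships a dead `#if 0` timer block and an `#if 1` around the `failed:` label, both of which read as debugging leftovers. Its fail-closed behaviour — any `NGX_ERROR` or HTTP status from the Lua handler makes the callback return 0 and abort the handshake instead of falling back to the statically configured certificate — is the right choice for a certificate hook but deserves a comment such as `/* fail closed: a Lua error aborts the handshake rather than serving the static cert */`.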
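Review bot: The prototypes for `ngx_http_lua_ssl_cert_handler_inline` and `ngx_http_lua_ssl_cert_handler_file` in ngx_http_lua_sslcertby.h take `(ngx_log_t *log, ngx_http_lua_main_conf_t *lmcf, lua_State *L)`, while their definitions in ngx_http_lua_sslcertby.c take `(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L)`. The mismatch goes unnoticed only because sslcertby.c does not include its own header and the command table casts the handlers through `(void *)`; any direct caller compiled against this header would pass the wrong arguments. Change both declarations to `ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L);` (and likewise for `_file`), and add `#include "ngx_http_lua_sslcertby.h"` to sslcertby.c so the compiler checks them.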
@@ -111,7 +111,6 @@ static void ngx_http_lua_cleanup_zombie_child_uthreads(ngx_http_request_t *r, lua_State *L, ngx_http_lua_ctx_t *ctx, ngx_http_lua_co_ctx_t *coctx); static ngx_int_t ngx_http_lua_on_abort_resume(ngx_http_request_t *r); static void ngx_http_lua_close_fake_request(ngx_http_request_t *r); -static void ngx_http_lua_free_fake_request(ngx_http_request_t *r); static ngx_int_t ngx_http_lua_flush_pending_output(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx); static ngx_int_t @@ -3565,7 +3564,7 @@ ngx_http_lua_close_fake_request(ngx_http_request_t *r) } -static void +void ngx_http_lua_free_fake_request(ngx_http_request_t *r) { ngx_log_t *log; diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h index f735ffbcbb..627f662c7c 100644 --- a/src/ngx_http_lua_util.h +++ b/src/ngx_http_lua_util.h @@ -215,6 +215,8 @@ void ngx_http_lua_finalize_fake_request(ngx_http_request_t *r, void ngx_http_lua_close_fake_connection(ngx_connection_t *c); +void ngx_http_lua_free_fake_request(ngx_http_request_t *r); + void ngx_http_lua_release_ngx_ctx_table(ngx_log_t *log, lua_State *L, ngx_http_lua_ctx_t *ctx); diff --git a/t/014-bugs.t b/t/014-bugs.t index a09f0ad394..f27a6b0717 100644 --- a/t/014-bugs.t +++ b/t/014-bugs.t @@ -789,6 +789,7 @@ qr/recv\(\) failed \(\d+: Connection refused\) while resolving/ === TEST 35: github issue #218: ngx.location.capture hangs when querying a remote host that does not exist or is really slow to respond +--- ONLY --- config set $myurl "https://not-exist.agentzh.org"; location /toto { diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t new file mode 100644 index 0000000000..404288250f --- /dev/null +++ b/t/130-ssl-cert-by.t 
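Review bot: The `+--- ONLY` added under TEST 35 in t/014-bugs.t is a Test::Nginx marker that restricts the run to that single block and silently skips every other test in the file; it looks like a local debugging leftover unrelated to this feature and should be dropped. A skipped suite still reports success, so `--- ONLY` (and `--- LAST`) are worth keeping out of committed test files altogether.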
@@ -0,0 +1,1158 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: + +use lib 'lib'; +use Test::Nginx::Socket::Lua; + +repeat_each(3); + +plan tests => repeat_each() * (blocks() * 6); + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211; +$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8'; + +#log_level 'warn'; +log_level 'debug'; + +no_long_string(); +#no_diff(); + +run_tests(); + +__DATA__ + +=== TEST 1: simple logging +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua 'print("ssl cert by lua is running!")'; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + 
ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +ssl_certificate_by_lua:1: ssl cert by lua is running! + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 2: sleep +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local begin = ngx.now() + ngx.sleep(0.1) + print("elapsed in ssl cert by lua: ", ngx.now() - begin) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send 
http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log eval +[ +'lua ssl server name: "test.com"', +qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, +] + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 3: timer +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local function f() + print("my timer run!") + end + local ok, err = ngx.timer.at(0, f) + if not ok then + ngx.log(ngx.ERR, "failed to create timer: ", err) + return + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = 
sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +my timer run! 
+ +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 4: cosocket +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_MEMCACHED_PORT) + if not ok then + ngx.log(ngx.ERR, "failed to connect to memc: ", err) + return + end + + local bytes, err = sock:send("flush_all\\r\\n") + if not bytes then + ngx.log(ngx.ERR, "failed to send flush_all command: ", err) + return + end + + local res, err = sock:receive() + if not res then + ngx.log(ngx.ERR, "failed to receive memc reply: ", err) + return + end + + print("received memc reply: ", res) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local 
line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +received memc reply: OK + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 5: clear certs +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + ssl.clear_certs() + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = 
sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log +lua ssl server name: "test.com" +sslv3 alert handshake failure + +--- no_error_log +[alert] +[emerg] +--- timeout: 3 + + + +=== TEST 6: set DER cert and private key +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + ssl.clear_certs() + + local f = assert(io.open("t/cert/test.crt.der")) + local cert_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_cert(cert_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + + local f = assert(io.open("t/cert/test.key.der")) + local pkey_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_pkey(pkey_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + '; + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] +[emerg] +--- timeout: 3 + + + +=== TEST 7: read SNI name via ssl.server_name() +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + print("read SNI name from Lua: ", ssl.server_name()) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, 
err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +read SNI name from Lua: test.com + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 8: read raw server addr via ssl.raw_server_addr() (unix domain socket) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log eval +[ +'lua ssl server name: "test.com"', +qr/Using unix socket file .*?nginx\.sock/ +] + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 9: read raw server addr via ssl.raw_server_addr() (IPv4) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.1:12345 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local byte = string.byte + + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.1", 12345) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + 
ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +Using IPv4 address: 127.0.0.1 + +--- no_error_log +[error] +[alert] +--- timeout: 3 + + + +=== TEST 10: read raw server addr via ssl.raw_server_addr() (IPv6) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen [::1]:12345 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local byte = string.byte + + local addr, addrtyp, err = ssl.raw_server_addr() + if not addr then + ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) + return + end + if addrtyp == "inet" then -- IPv4 + ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), + byte(addr, 3), byte(addr, 4)) + print("Using IPv4 address: ", ip) + + elseif addrtyp == "inet6" then -- IPv6 + ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), + byte(addr, 15), byte(addr, 16)) + print("Using IPv6 address: ", ip) + + else -- unix + print("Using unix socket file ", addr) + end + '; + ssl_certificate 
../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("[::1]", 12345) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +Using IPv6 address: 0.0.0.1 + +--- no_error_log +[error] +[alert] +--- timeout: 3 + 
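Review bot: In TEST 8 the ssl_certificate_by_lua handler calls `byte(addr, 1)` without the `local byte = string.byte` that TESTs 9 and 10 declare, so the IPv4 and IPv6 branches would fail on a nil global if anything other than a unix-socket address came back; the test only passes because the unix branch is the one taken. In all three of TESTs 8–10 `ip = string.format(...)` also assigns an accidental global from inside the handler; `local ip = string.format(...)` keeps it scoped. Separately, TEST 6 logs `"failed to set DER cert: "` for the `ssl.set_der_pkey` failure as well, which would misattribute a private-key error to the certificate — `ngx.log(ngx.ERR, "failed to set DER private key: ", err)` fixes the copy-paste, and the same message appears in TEST 11 added to this file by the following commit in the series.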
diff --git a/t/cert/test.crt.der b/t/cert/test.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..0b6ef6344989954d7fe0d3413cb94317e7179a1d GIT binary patch literal 685 zcmXqLVp?g?#3aPT$*`0!H*C`OX^#we**LY@JlekVGBUEVG8i;YH{>?pWMd9xVH0Kw z4K@@u5Cm~Jc(|Msb28KNi}ErP4aE#ZK!WT%yupci3T{P-dC8f@$@zvt1_B^)E*?(* zg4DdA)Z&s#m>4&*n4keaNF6f|M+s1kUUGh}p@M-N+##HdVuFe3sd*(;84l^WiJ3Vd z6$T38yoM$Q=0=7F#zw{_=1~&-Muw(_24;rFP=P`0_Qv_h;mpX&z}(mi4C_v&#zux0 ze{0Tqzn!^gf_6@vy}o2ljL=D=55G)zZNEMv6Fs0ykJ+lE#)8{Y% literal 0 HcmV?d00001 diff --git a/t/cert/test.key.der b/t/cert/test.key.der new file mode 100644 index 0000000000000000000000000000000000000000..537a4f1b32630ed8b73a53eb18f99af542d0b11e GIT binary patch literal 610 zcmV-o0-gOZf&yLw0RRGlfdJ_Je9cSknWB&@Y+gSv8Ejk<$ujWzHM+OgnQA27bH(?G zvwd0VtHgZdO&Fxa{oDZx2u&NAi3`Qy4#PXF43j_G(>x!6er|cus?(0ZB>t!VY$Xin z#z@*G1iBYPIy<#jy3#2Gn|5*yN~a|9Ot*MQnC@3fig+;dE@iJ)gjWIs0RRC4fq?+n z0qd&@G6uFtqj{YNM@w?U3P-OB>u%KLjOCXb2ZElDnF8m$Y=7%>KGvIhXNXj2LOkFA zE}(c}#Qs9l7x%8{GgBjQR_!0VBIb&^QH-hHEe7={x{QhyA3gr_Ba~{a3T&^NMSm4b zMl2nffw1zquOoTVB`~o~Je}#N1Kt4wK>+k*y+f0acv%dzTx=l?U)WTvWDAY|S1D!! zYGdXa0N%_<@snF8-R^aU{g@=&W4-@qp@)bt!|uUOjXfGkmf-?H0Q3$VEtUG+lLOyA z=(zg%HZX8uB!uA&eOgD`nUMNL;1~TtcdEdiixbtiKx5>mnPuBc4vN2!w$MqwY(@N9 zHv&K;kw!RdMb%CXwwCpt&w%6_^k@QYX6Xex&=E1Rz>I=M6Yr8~MuBJVrmgOmG>X z&}cSw`3puBNks~+?}99m&sE_Xc%PwqZKC)t9en~p0P2=mdc7ora Date: Wed, 24 Sep 2014 16:19:01 -0700 Subject: [PATCH 04/56] tests: added passing tests for set DER certificate chain. --- t/130-ssl-cert-by.t | 126 ++++++++++++++++++++++++++++++++++ t/cert/chain/chain.der | Bin 0 -> 1903 bytes t/cert/chain/root-ca.crt | 16 +++++ t/cert/chain/test-com.key.der | Bin 0 -> 608 bytes 4 files changed, 142 insertions(+) create mode 100644 t/cert/chain/chain.der create mode 100644 t/cert/chain/root-ca.crt create mode 100644 t/cert/chain/test-com.key.der diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 404288250f..4d12b73024 100644 --- a/t/130-ssl-cert-by.t 
+++ b/t/130-ssl-cert-by.t 
@@ -1156,3 +1156,129 @@ Using IPv6 address: 0.0.0.1 [alert] --- timeout: 3 + + +=== TEST 11: set DER cert chain +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + ssl.clear_certs() + + local f = assert(io.open("t/cert/chain/chain.der")) + local cert_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_cert(cert_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + + local f = assert(io.open("t/cert/chain/test-com.key.der")) + local pkey_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_pkey(pkey_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + '; + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http 
request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] +[emerg] +--- timeout: 3 + 
diff --git a/t/cert/chain/chain.der b/t/cert/chain/chain.der new file mode 100644 index 0000000000000000000000000000000000000000..ee6d9bad2655d9b5491d78fa40e231ec805ea1e0 GIT binary patch literal 1903 zcmXqLV(KzzV*I>-nTe5!iAjLPfR~L^tIebBJ1-+6D=UM6uOYVqCmVAp3!5-gXt1HM zfgp&(!NcX8n3I{7UzC@bXeeYL021Wl;q)&^%?nB`E~zvWH4p}gG4t>QXQt<6=B4X8 zJL(!4D2VeKniyCb85o!vnVXnJN$?vP0tGCL%%K7Xo@81mXuuD#kfQ|X0KMe=T!Y5> z$i87@WngaXWiV*$WNK_=xDmW&O^p4|h85GiH$>cyYP)yJfa#{>iEkoD9ZovF-d%O^ z;m>K-Ay;4QUlS1JDR^sUg3ANd3B@71FkNh^adE>!wz=DggEVb%1IqANx2Ow5c7 zjEk!cD#4*EE6l=Vz+j-m#+lIO!Pxf0iIJB@UQ8AgoWa393ht?SsYQt;sVNH1sYNB3 zX_?7Dj)5%Dzp{KRVk{!^w-4O3@h)F6YmKpdb-|JIyH2p*HIN5ME3-%#h&6~zhw%RnN=sSd|>Xyz^F&(~p08g=hNjshOO;6;oxM!Y-k{ zFmYRi(KLbSpXwQoxHxa0`^YfU|IpN45< zI=)ulpou9Nm>SQ(QX?~(8>yQb4N+2~seuV}=jyx@`pOfh znL7K-?DTvGmFq75uiWdsVkYy@T>Jk2Ow(L$|8=v(p07Nna=CBGVSUvbpVNx_TKeWJ zJO1-r&-S?qYOOx~U!29)&z&OmRk2z|d(OLmUZ--8pMR&tq#>UtJf+n>U@^1A-khIX z=bG@ zfCrTFgjrY(m>C)WqeUSonOS>pGYl-6_1-BVZbm}kbu}-yk9_hR`<_Y1Kl-Z?(!22} zXFkj6%sZBG=?^B(7nrigbb?pvzlgmr=SqCobVMhQm0?M8WLE2WJ`Jn2CNgq89Ou_m zN<7mR^PI!YnHHcKT){HWR^8zUPtmoWYa8c${q&<}4ma;Z@7Zrort--BQ)izBOlD=k zWOg5x%$U&JXplfe86;*P0xECVd3b{p^Ay~Q67!NXi<9%Q7KQ=_d?2;VJnTXF`6UX@ zj>sv`z|z1JCFOwysGIT(@us|;vuw8+-rd&qaeks|Wx=;s-dX%SMXy}{_y(T;TG%mV z&QBJHnSXV~MXm0|7kIH%3jc2OTzf0hMX0f4?hQ#hzZb_D-u;}`Shb(?S;vOQn_irH zT%`P@t=aL^X3qm(%et;_{j*p|TAO=IxPZ!Zhkd8TpC7$9Svqpce-rz&z9MCue4nwU zJgf-|Ipu|=p6pHyRo7cB@rMea*B_eGnOVPApB| za;xEg39Ti4BIVVKbV9s8EY)ciI&xLUE56!L?QQa|tIdzL${zk~vS8QUckS;A3fD;= Ooj#jm*_^cp4gmmuYmdJG literal 0 HcmV?d00001 diff --git a/t/cert/chain/root-ca.crt b/t/cert/chain/root-ca.crt new file mode 100644 index 0000000000..d2f3c8fa07 --- /dev/null +++ b/t/cert/chain/root-ca.crt 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIJAK3s1yAQ5tdfMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTQw +OTIwMDM1NTU0WhgPMjExNDA4MjcwMzU1NTRaMGAxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQK +DAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAN7CcpCjiafBdl1KaExRcuutAF0/eq4/ht7L4/i0nPDzikscFJ/O +aVyH3UpUF/KMq+72vom2bEbUeRROr1rL/JRe9raGlQtvdovHZt6f4c3/Coihtupp +9BXYrBCU4P+Bxai5gtTXGFvLC2a72qKcXDNeH+NxpIaemfPxSvemCYUXAgMBAAGj +UDBOMB0GA1UdDgQWBBRWZcmLZVUnLqsU8CZGvbueoStBWDAfBgNVHSMEGDAWgBRW +ZcmLZVUnLqsU8CZGvbueoStBWDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBAGjMH6qkY+61311DERFhDuYzMSSZjH53qzFseq/chlIMGjrgJIMy6rl7T0AU +2hjvW+FOyhf5NqRrAQDTTuLbtXZ/ygiUformE8lR/SNRY/DVj1yarQkWUC5UpqOs +GWG1VW9DHQAMFVkYwPO3XKeTXpEFOxPLHtXBYcVemCT4zo42 +-----END CERTIFICATE----- diff --git a/t/cert/chain/test-com.key.der b/t/cert/chain/test-com.key.der new file mode 100644 index 0000000000000000000000000000000000000000..3a19bbc15f54965569b9cdbc364ad802fcf0f98d GIT binary patch literal 608 zcmV-m0-yabf&yFu0RRGlfdJT3tgKu=`GBaFOR!kmT87@rFap^b$o3S)K*>StyL!># z`Ib9W)#$&hP+Cb5+L>TP;3a54HhlKZw4AwE*6Qa(m}Bdra`@?Kv`S5AhC#|_SYhUH z=m`F;!gX0B4)8A;aD$AacVy^I)x{`csZ-IRBK0;yr$zv(msE1paz_FK0RRC4fq?*t zf92^&S%HN;qY6m$vA967t6~W4Wo}NpwFMC8O{T=sQwRxdeCFCAx~%v%DVqS2C^ayV zs{Z#s2=mkm8)d$Yo3z7esA00!r09uLV5cKpP;N8z6yR-lD?i_a)mxVRoC<$Jk>t%f z^VyApSHt%>UQybzFw8O^67zID)80V>K>+)z56noCvD!IBe?!nkep3Dj4^Jba5}R?C zMsCV}nvah|(3m<=I_(Dvf5Lbkost%6yPA~my)MPH58Bym39|x00Nf42!fShU4<=$l z1Ocofv+Kj!#VELw)Apmv6#I~;#^D@2x1Lg!k5xQVu>g^MlsY&sB5 z9RfgDd2tkAZ!#B#3h1)#g@5C%YbW-qkWczm^w`cCVrTRaX~yfll+hxCS1pq;r;@$N zBfQX?i>&s^F$}`CmCj$vYktvGYO=0Rlii=bg|=440CE0a7HV8PO6s^wmc3 u;gLyx|KBGYtFNts;fU>EZ-g=UjMGcIpF7wAU?L2S1S;VG literal 0 HcmV?d00001 From 11c11310ef1e165144ce7bab0399f427b09afcc8 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Mon, 29 Sep 2014 12:06:06 -0700 Subject: [PATCH 05/56] feature: ngx.ssl: renamed set_der_pkey to set_der_priv_key. also added cert_pem_to_der(). --- lua/ngx/ssl.lua | 21 ++- src/ngx_http_lua_sslcertby.c | 78 +++++++++++ t/059-unix-socket.t | 1 - t/130-ssl-cert-by.t | 258 ++++++++++++++++++++++++++++++++--- t/cert/chain/chain.pem | 172 +++++++++++++++++++++++ 5 files changed, 511 insertions(+), 19 deletions(-) create mode 100644 t/cert/chain/chain.pem diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 0111b5358a..51f1a8b3f3 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -34,6 +34,8 @@ int ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr, int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, size_t *namelen, char **err); +int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len, + unsigned char *der, char **err); ]] @@ -74,7 +76,7 @@ function _M.set_der_cert(data) end -function _M.set_der_pkey(data) +function _M.set_der_priv_key(data) local r = getfenv(0).__ngx_req if not r then return error("no request found") @@ -139,4 +141,21 @@ function _M.server_name() end +function _M.cert_pem_to_der(pem) + local r = getfenv(0).__ngx_req + if not r then + return error("no request found") + end + + local outbuf = get_string_buf(#pem) + + local sz = C.ngx_http_lua_ffi_cert_pem_to_der(pem, #pem, outbuf, errmsg) + if sz > 0 then + return ffi_str(outbuf, sz) + end + + return nil, ffi_str(errmsg[0]) +end + + return _M diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 908b89caae..445acf2191 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -380,6 +380,8 @@ ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) } +#ifndef NGX_LUA_NO_FFI_API + int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) { 
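Review bot: `cert_pem_to_der` hands C an output buffer of `#pem` bytes, but the FFI signature `ngx_http_lua_ffi_cert_pem_to_der(pem, pem_len, der, err)` carries no output length, so the bound rests entirely on DER being shorter than the base64 PEM it came from; that invariant holds for well-formed PEM but is stated nowhere. Add `-- DER is always shorter than its base64 PEM encoding, so #pem bounds the output; the C side does no length check` above `get_string_buf(#pem)`. The `__ngx_req` lookup is also not needed here, since the conversion never touches `r`; if restricting this helper to request contexts is intended, a comment should say why, otherwise the `no request found` check can go.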
@@ -437,10 +439,12 @@ ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, goto failed; } +#if 0 if (SSL_set_ex_data(ssl_conn, ngx_ssl_certificate_index, x509) == 0) { *err = " SSL_set_ex_data() failed"; goto failed; } +#endif X509_free(x509); x509 = NULL; @@ -638,4 +642,78 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, } +int +ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, + char **err) +{ + int total, len; + BIO *bio; + X509 *x509; + u_long n; + + bio = BIO_new_mem_buf((char *) pem, (int) pem_len); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + return NGX_ERROR; + } + + x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); + if (x509 == NULL) { + *err = "PEM_read_bio_X509_AUX() failed"; + return NGX_ERROR; + } + + total = i2d_X509(x509, &der); + if (total < 0) { + X509_free(x509); + BIO_free(bio); + return NGX_ERROR; + } + + X509_free(x509); + + /* read rest of the chain */ + + for ( ;; ) { + + x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (x509 == NULL) { + n = ERR_peek_last_error(); + + if (ERR_GET_LIB(n) == ERR_LIB_PEM + && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) + { + /* end of file */ + ERR_clear_error(); + break; + } + + /* some real error */ + + *err = "PEM_read_bio_X509() failed"; + BIO_free(bio); + return NGX_ERROR; + } + + len = i2d_X509(x509, &der); + if (len < 0) { + *err = "i2d_X509() failed"; + X509_free(x509); + BIO_free(bio); + return NGX_ERROR; + } + + total += len; + + X509_free(x509); + } + + BIO_free(bio); + + return total; +} + +#endif /* NGX_LUA_NO_FFI_API */ + + #endif /* NGX_HTTP_SSL */ diff --git a/t/059-unix-socket.t b/t/059-unix-socket.t index 69edf23fd2..3c5f93e2fb 100644 --- a/t/059-unix-socket.t +++ b/t/059-unix-socket.t @@ -48,7 +48,6 @@ qr{\[crit\] .*? connect\(\) to unix:/tmp/nosuchfile\.sock failed} - === TEST 2: invalid host argument --- config location /test { 
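Review bot: The `#if 0` around `SSL_set_ex_data(ssl_conn, ngx_ssl_certificate_index, x509)` leaves the call in the tree with no explanation of why registering the certificate in that ex-data slot is now skipped, so a reader cannot tell whether this is a temporary experiment or a deliberate decision. Either delete the block or replace the bare `#if 0` with a comment such as `/* x509 is intentionally not stored in ngx_ssl_certificate_index here: <reason — TODO fill in> */`. The enclosing function `ngx_http_lua_ffi_ssl_set_der_certificate` starts outside the hunk.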
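Review bot: In `ngx_http_lua_ffi_cert_pem_to_der`, the `PEM_read_bio_X509_AUX() failed` branch returns without `BIO_free(bio)`, leaking the BIO on every malformed input, and the first `i2d_X509` failure returns NGX_ERROR without setting `*err`, so the Lua wrapper reports whatever stale message `errmsg` last held. Both fixes are one line each: add `BIO_free(bio);` before that `return NGX_ERROR;`, and `*err = "i2d_X509() failed";` in the `total < 0` branch to match the loop below. The function also writes through `der` with no output bound; a header comment stating that the caller must size `der` for the DER of the whole chain would make that contract visible.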
diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 4d12b73024..9650005d9e 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -119,7 +119,6 @@ ssl_certificate_by_lua:1: ssl cert by lua is running! --- no_error_log [error] [alert] ---- timeout: 3 @@ -226,7 +225,6 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, --- no_error_log [error] [alert] ---- timeout: 3 @@ -336,7 +334,6 @@ my timer run! --- no_error_log [error] [alert] ---- timeout: 3 @@ -461,7 +458,6 @@ received memc reply: OK --- no_error_log [error] [alert] ---- timeout: 3 @@ -556,7 +552,6 @@ sslv3 alert handshake failure --- no_error_log [alert] [emerg] ---- timeout: 3 @@ -586,7 +581,7 @@ sslv3 alert handshake failure local pkey_data = f:read("*a") f:close() - local ok, err = ssl.set_der_pkey(pkey_data) + local ok, err = ssl.set_der_priv_key(pkey_data) if not ok then ngx.log(ngx.ERR, "failed to set DER cert: ", err) return @@ -681,7 +676,6 @@ lua ssl server name: "test.com" [error] [alert] [emerg] ---- timeout: 3 
@@ -785,11 +779,114 @@ read SNI name from Lua: test.com --- no_error_log [error] [alert] ---- timeout: 3 -=== TEST 8: read raw server addr via ssl.raw_server_addr() (unix domain socket) +=== TEST 8: read SNI name via ssl.server_name() when no SNI name specified +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + local name = ssl.server_name(), + print("read SNI name from Lua: ", name, ", type: ", type(name)) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, nil, true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + 
end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +read SNI name from Lua: nil, type: nil + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 9: read raw server addr via ssl.raw_server_addr() (unix domain socket) --- http_config lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; @@ -908,11 +1005,10 @@ qr/Using unix socket file .*?nginx\.sock/ --- no_error_log [error] [alert] ---- timeout: 3 -=== TEST 9: read raw server addr via ssl.raw_server_addr() (IPv4) +=== TEST 10: read raw server addr via ssl.raw_server_addr() (IPv4) --- http_config lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; @@ -1031,11 +1127,10 @@ Using IPv4 address: 127.0.0.1 --- no_error_log [error] [alert] ---- timeout: 3 -=== TEST 10: read raw server addr via ssl.raw_server_addr() (IPv6) +=== TEST 11: read raw server addr via ssl.raw_server_addr() (IPv6) --- http_config lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; @@ -1154,11 +1249,10 @@ Using IPv6 address: 0.0.0.1 --- no_error_log [error] [alert] ---- timeout: 3 -=== TEST 11: set DER cert chain +=== TEST 12: set DER cert chain --- http_config lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; 
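Review bot: In the added TEST 8 `ssl_certificate_by_lua` chunk, `local name = ssl.server_name(),` ends with a comma, so the following `print(...)` becomes the second expression of the same `local` statement; inside that expression list the new local `name` is not yet in scope, so `print` sees the global `name` (nil) and the expected `read SNI name from Lua: nil, type: nil` line would match even if `server_name()` returned a value. Drop the comma so the test actually exercises the call: `local name = ssl.server_name()` on its own line, followed by the `print`. The hunk starts on the previous line and otherwise only renumbers the later tests.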
@@ -1184,7 +1278,138 @@ Using IPv6 address: 0.0.0.1 local pkey_data = f:read("*a") f:close() - local ok, err = ssl.set_der_pkey(pkey_data) + local ok, err = ssl.set_der_priv_key(pkey_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + '; + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 13: read PEM cert chain but set DER cert chain +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + ssl.clear_certs() + + local f = assert(io.open("t/cert/chain/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local ok, err = ssl.set_der_cert(cert_data) + if not ok then + ngx.log(ngx.ERR, "failed to set DER cert: ", err) + return + end + + local f = assert(io.open("t/cert/chain/test-com.key.der")) + local pkey_data = f:read("*a") + f:close() + + local ok, err = ssl.set_der_priv_key(pkey_data) if not ok then ngx.log(ngx.ERR, "failed to set DER cert: ", err) return @@ -1280,5 +1505,4 @@ lua ssl server name: "test.com" [error] [alert] [emerg] ---- timeout: 3 diff --git a/t/cert/chain/chain.pem b/t/cert/chain/chain.pem new file mode 100644 index 0000000000..21b704f2fc --- /dev/null +++ b/t/cert/chain/chain.pem 
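Review bot: In the added TEST 13 chunk, `cert_data, err = ssl.cert_pem_to_der(cert_data)` assigns `err` without `local`, creating a global inside the `ssl_certificate_by_lua` handler (the `local ok, err` below then declares a separate local). Write it as `local der_data, err = ssl.cert_pem_to_der(cert_data)` and pass `der_data` to `ssl.set_der_cert`. The same line recurs in TEST 14 and TEST 15 of the later patch in this series. The hunk begins on the previous line.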
@@ -0,0 +1,172 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4100 (0x1004) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-2 + Validity + Not Before: Sep 20 05:27:46 2014 GMT + Not After : Aug 27 05:27:46 2114 GMT + Subject: C=US, ST=California, O=OpenResty, CN=test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:d8:53:ac:ac:5c:3f:f9:80:a8:96:4b:b0:58:db: + 5a:86:de:ca:30:02:d9:19:c8:f6:14:c5:40:c9:41: + eb:bb:7a:d1:e1:f9:96:3b:54:d5:e8:bf:ac:50:5a: + 49:11:da:99:60:44:e0:25:68:40:36:7c:f6:ce:b4: + 9c:b9:58:d6:ea:e7:44:98:63:eb:a2:72:f8:e9:69: + b4:4a:4d:68:86:41:ca:67:58:61:e6:70:e8:08:fe: + ad:c2:75:59:24:0e:f0:2f:1a:70:83:8c:a3:77:64: + e8:4d:d5:c5:28:62:a9:53:d1:a1:22:f5:36:43:a7: + 46:00:aa:97:54:72:d4:72:47 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 1F:DB:C0:D9:3C:4B:77:A8:9A:AC:33:1F:7B:70:C4:CF:BA:C8:07:DD + X509v3 Authority Key Identifier: + keyid:39:77:77:A3:4E:92:8B:E2:25:20:72:64:35:0A:7A:87:A8:58:A9:F8 + + Signature Algorithm: sha1WithRSAEncryption + 1e:cd:83:66:b1:db:ea:5c:37:7e:bc:31:44:52:72:03:ae:9b: + 44:20:2c:ad:00:20:a5:dc:cf:9d:c8:c8:8f:df:cf:24:26:9c: + 43:83:f4:d2:ff:eb:d9:e4:7d:25:cf:1f:b8:aa:63:58:03:b9: + da:52:42:f8:fe:2e:71:cc:8f:de:26:34:cd:da:5c:7a:3b:64: + 07:18:27:a1:61:b6:58:32:96:10:97:f2:7f:00:c4:44:43:b7: + 9d:e2:31:69:4f:c2:95:c5:a3:32:d1:c0:00:c6:ef:58:b9:0f: + e6:08:3a:0d:c9:c0:14:f7:26:8c:43:13:55:1b:93:71:72:c7: + ad:2f +-----BEGIN CERTIFICATE----- +MIICijCCAfOgAwIBAgICEAQwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UE +AwwMU2lnbmluZy1DQS0yMCAXDTE0MDkyMDA1Mjc0NloYDzIxMTQwODI3MDUyNzQ2 +WjBJMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UECgwJ 
+T3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEA2FOsrFw/+YColkuwWNtaht7KMALZGcj2FMVAyUHru3rR4fmWO1TV +6L+sUFpJEdqZYETgJWhANnz2zrScuVjW6udEmGPronL46Wm0Sk1ohkHKZ1hh5nDo +CP6twnVZJA7wLxpwg4yjd2ToTdXFKGKpU9GhIvU2Q6dGAKqXVHLUckcCAwEAAaN7 +MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg +Q2VydGlmaWNhdGUwHQYDVR0OBBYEFB/bwNk8S3eomqwzH3twxM+6yAfdMB8GA1Ud +IwQYMBaAFDl3d6NOkoviJSByZDUKeoeoWKn4MA0GCSqGSIb3DQEBBQUAA4GBAB7N +g2ax2+pcN368MURScgOum0QgLK0AIKXcz53IyI/fzyQmnEOD9NL/69nkfSXPH7iq +Y1gDudpSQvj+LnHMj94mNM3aXHo7ZAcYJ6FhtlgylhCX8n8AxERDt53iMWlPwpXF +ozLRwADG71i5D+YIOg3JwBT3JoxDE1Ubk3Fyx60v +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4098 (0x1002) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=OpenResty, CN=Root CA + Validity + Not Before: Sep 20 05:09:05 2014 GMT + Not After : Aug 27 05:09:05 2114 GMT + Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:b9:9a:3d:b6:31:dd:b6:8a:f1:9f:61:25:79:70: + f6:ea:4b:6a:0f:0c:72:ea:45:fc:4d:51:cf:f5:71: + 88:94:9c:f9:04:40:99:fd:2d:17:15:3a:de:5f:70: + 4a:06:79:13:fb:81:49:ad:da:59:44:12:81:74:9d: + d8:19:3e:4e:e8:c7:00:ee:f9:96:81:7a:bf:09:e6: + 88:b0:e3:b2:e8:ca:e3:72:23:e4:86:83:41:ca:b3: + 49:c0:f5:76:8a:d7:b5:fc:a3:12:1b:2b:0b:b4:57: + 10:24:97:40:be:cb:17:e7:c5:de:93:1b:59:94:ff: + 34:3f:cd:4d:14:76:09:0e:f3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 12:57:8E:2C:9B:CA:C9:8D:F8:88:B1:4D:EE:A6:6D:F3:99:C3:AF:E1 + X509v3 Authority Key Identifier: + keyid:56:65:C9:8B:65:55:27:2E:AB:14:F0:26:46:BD:BB:9E:A1:2B:41:58 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 1e:fb:6f:3e:12:bd:45:11:59:52:d5:60:ff:7c:73:9e:32:ce: + 76:fa:0b:b6:4a:58:68:db:92:a4:a0:d2:63:24:27:9c:6a:c5: + 
6c:fa:84:d4:b5:80:93:b0:79:8f:33:c6:06:99:49:81:99:f4: + 52:ba:bd:ff:6e:f5:69:3f:65:e0:59:51:ce:16:66:2f:39:b5: + 31:ff:18:2a:a4:8e:14:77:7b:a2:2c:54:4b:f0:a5:2c:83:12: + c4:d5:1c:4a:5f:7b:31:26:ed:63:ba:d5:83:e2:b5:1d:c3:f3: + 34:a0:ba:dd:ee:87:ee:70:71:ae:1b:c5:97:9b:08:a6:9c:ad: + c0:c2 +-----BEGIN CERTIFICATE----- +MIICdjCCAd+gAwIBAgICEAIwDQYJKoZIhvcNAQEFBQAwYDELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEjAQ +BgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9vdCBDQTAgFw0xNDA5MjAwNTA5 +MDVaGA8yMTE0MDgyNzA1MDkwNVowTTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh +bGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1D +QS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5mj22Md22ivGfYSV5cPbq +S2oPDHLqRfxNUc/1cYiUnPkEQJn9LRcVOt5fcEoGeRP7gUmt2llEEoF0ndgZPk7o +xwDu+ZaBer8J5oiw47LoyuNyI+SGg0HKs0nA9XaK17X8oxIbKwu0VxAkl0C+yxfn +xd6TG1mU/zQ/zU0UdgkO8wIDAQABo1AwTjAdBgNVHQ4EFgQUEleOLJvKyY34iLFN +7qZt85nDr+EwHwYDVR0jBBgwFoAUVmXJi2VVJy6rFPAmRr27nqErQVgwDAYDVR0T +BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAe+28+Er1FEVlS1WD/fHOeMs52+gu2 +Slho25KkoNJjJCecasVs+oTUtYCTsHmPM8YGmUmBmfRSur3/bvVpP2XgWVHOFmYv +ObUx/xgqpI4Ud3uiLFRL8KUsgxLE1RxKX3sxJu1jutWD4rUdw/M0oLrd7ofucHGu +G8WXmwimnK3Awg== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4099 (0x1003) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-1 + Validity + Not Before: Sep 20 05:25:04 2014 GMT + Not After : Aug 27 05:25:04 2114 GMT + Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:a4:d0:ae:16:a8:8f:9d:2c:ee:12:f5:0c:5e:29: + 65:9b:cc:9b:67:6f:40:24:d7:44:ff:d4:de:8d:d4: + 36:1c:e1:37:2b:df:ff:69:35:6d:0b:4f:ae:9a:16: + e7:a9:c6:24:d3:8e:a4:c3:2f:25:d8:f3:66:73:8e: + 84:8e:9c:a6:c7:f9:ce:8c:b7:9d:60:26:85:4c:8f: + f4:43:17:af:9d:94:1a:f5:21:7b:1c:2b:9c:ee:fe: + 4a:ca:6d:c7:cf:ee:2a:02:28:1f:6e:13:94:85:3f: + 
50:a3:03:18:bd:6c:f9:b5:9d:37:b9:27:61:29:75: + d3:39:77:5e:83:41:aa:8c:21 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 39:77:77:A3:4E:92:8B:E2:25:20:72:64:35:0A:7A:87:A8:58:A9:F8 + X509v3 Authority Key Identifier: + keyid:12:57:8E:2C:9B:CA:C9:8D:F8:88:B1:4D:EE:A6:6D:F3:99:C3:AF:E1 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 3b:4b:b6:31:51:72:9a:ef:42:60:5e:98:60:71:d7:26:4a:46: + f1:0e:1f:08:be:e6:1b:5f:e2:fd:28:54:8d:b1:c5:09:6f:04: + cb:69:dc:39:5e:67:e0:91:9f:10:94:bc:35:90:4a:65:fe:58: + bd:e9:9d:18:f0:b2:c4:2c:6e:05:00:a4:63:59:6a:85:cf:0e: + 28:3a:ad:34:1c:1e:8c:08:cf:ac:79:18:e6:2b:16:49:9c:0b: + 09:66:50:29:53:78:04:9e:3d:27:40:c4:0c:72:d6:8c:d6:b1: + 9c:f5:f2:f8:8c:9c:0b:0d:e1:4b:9b:ec:c9:65:0c:1e:fe:27: + 07:96 +-----BEGIN CERTIFICATE----- +MIICYzCCAcygAwIBAgICEAMwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UE +AwwMU2lnbmluZy1DQS0xMCAXDTE0MDkyMDA1MjUwNFoYDzIxMTQwODI3MDUyNTA0 +WjBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UECgwJ +T3BlblJlc3R5MRUwEwYDVQQDDAxTaWduaW5nLUNBLTIwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBAKTQrhaoj50s7hL1DF4pZZvMm2dvQCTXRP/U3o3UNhzhNyvf +/2k1bQtPrpoW56nGJNOOpMMvJdjzZnOOhI6cpsf5zoy3nWAmhUyP9EMXr52UGvUh +exwrnO7+Ssptx8/uKgIoH24TlIU/UKMDGL1s+bWdN7knYSl10zl3XoNBqowhAgMB +AAGjUDBOMB0GA1UdDgQWBBQ5d3ejTpKL4iUgcmQ1CnqHqFip+DAfBgNVHSMEGDAW +gBQSV44sm8rJjfiIsU3upm3zmcOv4TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB +BQUAA4GBADtLtjFRcprvQmBemGBx1yZKRvEOHwi+5htf4v0oVI2xxQlvBMtp3Dle +Z+CRnxCUvDWQSmX+WL3pnRjwssQsbgUApGNZaoXPDig6rTQcHowIz6x5GOYrFkmc +CwlmUClTeASePSdAxAxy1ozWsZz18viMnAsN4Uub7MllDB7+JweW +-----END CERTIFICATE----- From 942d460da4866f4298065c208d05388eb1a77eb8 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Mon, 13 Oct 2014 17:40:48 -0700 Subject: [PATCH 06/56] refactor: renamed the "ctx" field in ngx_ssl_connection_t to "lua_ctx". --- patches/nginx-ssl-cert.patch | 2 +- src/ngx_http_lua_sslcertby.c | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/patches/nginx-ssl-cert.patch b/patches/nginx-ssl-cert.patch index 2cf6dee59d..94ffd8b756 100644 --- a/patches/nginx-ssl-cert.patch +++ b/patches/nginx-ssl-cert.patch @@ -30,7 +30,7 @@ diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.h b/src ngx_event_handler_pt saved_read_handler; ngx_event_handler_pt saved_write_handler; -+ void *ctx; /* used by 3rd-party modules */ ++ void *lua_ctx; /* used by 3rd-party modules */ + unsigned handshaked:1; unsigned renegotiation:1; diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 445acf2191..5e7bc3f7ff 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -155,7 +155,7 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) c = ngx_ssl_get_connection(ssl_conn); - cctx = c->ssl->ctx; + cctx = c->ssl->lua_ctx; dd("ssl cert handler, cert-ctx=%p", cctx); @@ -164,7 +164,6 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) if (cctx->done) { dd("lua ssl cert done, finally"); - c->ssl->ctx = NULL; return 1; } @@ -219,7 +218,7 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) goto failed; /* error */ } - c->ssl->ctx = cctx; + c->ssl->lua_ctx = cctx; cln = ngx_pool_cleanup_add(fc->pool, 0); if (cln == NULL) { @@ -268,7 +267,7 @@ ngx_http_lua_ssl_cert_done(void *data) c = ngx_ssl_get_connection(ssl_conn); - cctx = c->ssl->ctx; + cctx = c->ssl->lua_ctx; if (cctx == NULL) { return; } From e2db181b787fbd3c69d8afe6c3c26309560aeb6d Mon Sep 17 00:00:00 2001 
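Review bot: With the `c->ssl->ctx = NULL;` reset dropped from the `cctx->done` branch, `c->ssl->lua_ctx` keeps pointing at `cctx` after the handler has reported completion. The @@ -219 hunk registers a cleanup on `fc->pool` right after storing that pointer, so presumably that cleanup (`ngx_http_lua_ssl_cert_done`, whose start is in the @@ -268 hunk and which reads `lua_ctx`) is now responsible for clearing it; if it does not, `lua_ctx` dangles once the fake request's pool is freed. Worth a comment at the store site, `/* lua_ctx is cleared by the fc->pool cleanup, not by the done branch */`, after confirming that is actually the case. The enclosing function `ngx_http_lua_ssl_cert_handler` starts outside the hunk.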
From: "Yichun Zhang (agentzh)" Date: Tue, 14 Oct 2014 15:51:27 -0700 Subject: [PATCH 07/56] feature: added the get_ocsp_responder_from_der_chain() function to the ngx.ssl module. --- lua/ngx/ssl.lua | 42 +- src/ngx_http_lua_sslcertby.c | 106 +++++ t/130-ssl-cert-by.t | 472 ++++++++++++++++++++++- t/cert/ocsp/chain.pem | 183 +++++++++ t/cert/ocsp/test-com.crt | 69 ++++ t/cert/ocsp/wrong-issuer-order-chain.pem | 183 +++++++++ 6 files changed, 1052 insertions(+), 3 deletions(-) create mode 100644 t/cert/ocsp/chain.pem create mode 100644 t/cert/ocsp/test-com.crt create mode 100644 t/cert/ocsp/wrong-issuer-order-chain.pem diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 51f1a8b3f3..4eb09ab7ca 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -10,9 +10,11 @@ local ffi_str = ffi.string local getfenv = getfenv local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf +local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK +local FFI_BUSY = -3 -- base.FFI_BUSY ffi.cdef[[ @@ -36,6 +38,10 @@ int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len, unsigned char *der, char **err); + +int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( + const char *chain_data, size_t chain_len, char *out, size_t *out_size, + char **err); ]] @@ -67,7 +73,8 @@ function _M.set_der_cert(data) return error("no request found") end - local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data, errmsg) + local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data, + errmsg) if rc == FFI_OK then return true end 
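Review bot: `local FFI_BUSY = -3 -- base.FFI_BUSY` hard-codes a value the `base` module is expected to own, and the trailing comment reads as a reminder rather than an explanation. If the lua-resty-core version this targets exports it, use `local FFI_BUSY = base.FFI_BUSY`; otherwise say why a literal is used, e.g. `-- base.FFI_BUSY is not exported by the targeted lua-resty-core yet; must match NGX_BUSY on the C side`.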
@@ -82,7 +89,8 @@ function _M.set_der_priv_key(data) return error("no request found") end - local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data, errmsg) + local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data, + errmsg) if rc == FFI_OK then return true end @@ -158,4 +166,34 @@ function _M.cert_pem_to_der(pem) end +function _M.get_ocsp_responder_from_der_chain(data, maxlen) + + local buf_size = maxlen + if not buf_size then + buf_size = get_string_buf_size() + end + local buf = get_string_buf(buf_size) + + local sizep = get_size_ptr() + sizep[0] = buf_size + + local rc = C.ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(data, + #data, buf, sizep, errmsg) + + if rc == FFI_DECLINED then + return nil + end + + if rc == FFI_OK then + return ffi_str(buf, sizep[0]) + end + + if rc == FFI_BUSY then + return ffi_str(buf, sizep[0]), "truncated" + end + + return nil, ffi_str(errmsg[0]) +end + + return _M diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 5e7bc3f7ff..a705d9ffcd 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c 
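Review bot: `get_ocsp_responder_from_der_chain` returns a truncated URL as its first value with `"truncated"` as the second, so callers following the module's `if not url then` convention (as the tests in this series do) will accept a partial responder address as valid. Either return `nil, "truncated"` in the `FFI_BUSY` branch or document that the second return value must be checked even when the first is a string. The `maxlen` parameter is also undocumented; a doc line such as `-- maxlen: byte cap on the returned URL, defaults to get_string_buf_size()` would make the truncation rule visible to callers.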
@@ -712,6 +712,112 @@ ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, return total; } + +int +ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( + const char *chain_data, size_t chain_len, u_char *out, size_t *out_size, + char **err) +{ + int rc = NGX_OK; + BIO *bio = NULL; + char *s; + X509 *cert = NULL, *issuer = NULL; + size_t len; + STACK_OF(OPENSSL_STRING) *aia = NULL; + + /* certificate */ + + bio = BIO_new_mem_buf((char *) chain_data, chain_len); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + rc = NGX_ERROR; + goto done; + } + + cert = d2i_X509_bio(bio, NULL); + if (cert == NULL) { + *err = "d2i_X509_bio() failed"; + rc = NGX_ERROR; + goto done; + } + + /* responder */ + + aia = X509_get1_ocsp(cert); + if (aia == NULL) { + rc = NGX_DECLINED; + goto done; + } + + s = sk_OPENSSL_STRING_value(aia, 0); + if (s == NULL) { + rc = NGX_DECLINED; + goto done; + } + + len = ngx_strlen(s); + if (len > *out_size) { + len = *out_size; + rc = NGX_BUSY; + + } else { + rc = NGX_OK; + *out_size = len; + } + + ngx_memcpy(out, s, len); + + X509_email_free(aia); + aia = NULL; + + /* issuer */ + + if (BIO_eof(bio)) { + *err = "no issuer certificate in chain"; + rc = NGX_ERROR; + goto done; + } + + issuer = d2i_X509_bio(bio, NULL); + if (issuer == NULL) { + *err = "d2i_X509_bio() failed"; + rc = NGX_ERROR; + goto done; + } + + if (X509_check_issued(issuer, cert) != X509_V_OK) { + *err = "issuer certificate not next to leaf"; + rc = NGX_ERROR; + goto done; + } + + X509_free(issuer); + X509_free(cert); + BIO_free(bio); + + return rc; + +done: + + if (aia) { + X509_email_free(aia); + } + + if (issuer) { + X509_free(issuer); + } + + if (cert) { + X509_free(cert); + } + + if (bio) { + BIO_free(bio); + } + + return rc; +} + #endif /* NGX_LUA_NO_FFI_API */ diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 9650005d9e..17ae4bdf41 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t 
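Review bot: The success path of `ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain` repeats the `X509_free`/`X509_free`/`BIO_free` sequence that the `done:` block already performs; since `rc` is already set, falling through to `done` would remove the duplicated cleanup. The `NGX_BUSY` branch deliberately leaves `*out_size` at its input value so the caller reads back a full-buffer copy, which deserves a comment such as `/* truncated: *out_size unchanged, out holds the first *out_size bytes of the URL */`. `BIO_new_mem_buf` takes an `int` length, and `chain_len` is passed without the `(int)` cast that `ngx_http_lua_ffi_cert_pem_to_der` uses for the same call.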
@@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6); +plan tests => repeat_each() * (blocks() * 6 + 4); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
@@ -1506,3 +1506,473 @@ lua ssl server name: "test.com" [alert] [emerg] + + +=== TEST 14: get OCSP responder (good case) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + if not url then + ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP url found: ", url) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP url found: http://127.0.0.1:8888/, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 15: 
get OCSP responder (not found) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/chain/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + if not url then + if err then + ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) + else + ngx.log(ngx.WARN, "OCSP responder not found") + end + return + end + + ngx.log(ngx.WARN, "OCSP url found: ", url) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP responder not found + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 16: get OCSP responder (no issuer 
cert at all) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/test-com.crt")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + if not url then + if err then + ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) + else + ngx.log(ngx.WARN, "OCSP responder not found") + end + return + end + + ngx.log(ngx.WARN, "OCSP url found: ", url) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to get OCSP responder: no issuer certificate in chain + +--- no_error_log +[alert] +[emerg] + + + +=== TEST 17: get OCSP responder 
(issuer cert not next to the leaf cert) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/wrong-issuer-order-chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + if not url then + if err then + ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) + else + ngx.log(ngx.WARN, "OCSP responder not found") + end + return + end + + ngx.log(ngx.WARN, "OCSP url found: ", url) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to get OCSP responder: issuer certificate not next to leaf + +--- no_error_log +[alert] 
+[emerg] + + + +=== TEST 18: get OCSP responder (truncated) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data, + 6) + if not url then + if err then + ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) + else + ngx.log(ngx.WARN, "OCSP responder not found") + end + return + end + + if err then + ngx.log(ngx.WARN, "still get an error: ", err) + end + + ngx.log(ngx.WARN, "OCSP url found: ", url) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP url found: 
http:/, +still get an error: truncated + +--- no_error_log +[error] +[alert] +[emerg] + diff --git a/t/cert/ocsp/chain.pem b/t/cert/ocsp/chain.pem new file mode 100644 index 0000000000..26d9d61f5a --- /dev/null +++ b/t/cert/ocsp/chain.pem 
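Review bot: TEST 18 pins a contract in which a truncated responder URL (`http:/`) is returned as the success value with "truncated" only as the second return, so a caller that checks just `if not url then` will hand a garbage URL to its OCSP fetch; if the Lua wrapper (not in this hunk) is meant to keep that shape, the test should say so in a comment, and returning `nil, "truncated"` would be the safer API. In TESTS 14-18 the line `cert_data, err = ssl.cert_pem_to_der(cert_data)` assigns `err` without `local`, creating a global in the handler chunk, which ngx_lua warns against; `local der, err = ssl.cert_pem_to_der(cert_data)` avoids it. The handlers also read `t/cert/ocsp/chain.pem` with blocking `io.open` inside `ssl_certificate_by_lua`, which is fine for a test but deserves a one-line comment so the pattern is not copied into production handlers.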
@@ -0,0 +1,183 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: + f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: + 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: + c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: + 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: + fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: + 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: + 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: + c3:bb:ed:ea:12:fc:b7:77:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + X509v3 Authority Key Identifier: + keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 + serial:03 + + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ + + Signature Algorithm: sha1WithRSAEncryption + 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: + f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: + 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: + 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: + 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: + ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: + 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: + dc:3b +-----BEGIN CERTIFICATE----- +MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
+VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy +MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR +zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh +1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw +ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD +VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv +MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R +dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy +e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH +Stw7 +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:cb:87:d5:f0:e5:d7:b6:fe:21:5e:f1:8b:80:8b: + 56:88:86:ef:32:5d:91:75:df:d3:71:f9:36:3d:31: + fa:4c:98:52:eb:3b:cf:44:be:30:5c:99:95:d4:dc: + 91:7a:ae:35:88:d8:e9:32:00:55:a7:09:29:34:17: + e7:f2:bc:82:a7:0b:1c:dd:57:76:50:5d:85:74:47: + fe:d1:74:cf:2d:7e:89:44:9e:a8:ea:9e:4a:16:58: + c1:5d:40:6c:18:86:c9:b4:86:35:d7:d9:44:24:fa: + 92:47:53:cf:0e:55:8d:dd:57:ed:35:4c:36:9a:6e: + dc:42:bb:53:3b:a2:ed:3b:37 + Exponent: 65537 (0x10001) + X509v3 
extensions: + X509v3 Subject Key Identifier: + BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + X509v3 Authority Key Identifier: + keyid:45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 17:5f:d2:05:0e:2f:7f:6e:b6:aa:63:74:3b:42:ff:24:76:04: + 83:0f:ee:0a:d8:9c:eb:f0:47:30:bf:f5:65:f7:2f:81:2e:6b: + 14:17:36:51:c6:07:66:2b:81:45:4b:41:4c:7d:ea:57:f8:ff: + 5d:75:14:6e:e0:36:3c:7c:87:c5:d9:1c:3f:9e:53:d0:74:e3: + fc:9f:e3:ee:47:b4:ff:fb:03:ee:3d:c0:15:62:5f:b0:16:58: + 94:c3:63:a5:6a:d9:da:a7:60:c4:4b:de:c1:bf:fb:09:29:17: + 63:1b:9d:25:57:c6:4c:db:cf:85:86:c5:d1:be:7e:9d:a0:7b: + b7:15 +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTQy +MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAMuH1fDl17b+IV7xi4CLVoiG7zJdkXXf03H5Nj0x+kyYUus7z0S+ +MFyZldTckXquNYjY6TIAVacJKTQX5/K8gqcLHN1XdlBdhXRH/tF0zy1+iUSeqOqe +ShZYwV1AbBiGybSGNdfZRCT6kkdTzw5Vjd1X7TVMNppu3EK7Uzui7Ts3AgMBAAGj +UDBOMB0GA1UdDgQWBBS/8wWuR2v8jCLwIzvmWWIjJbB1bTAfBgNVHSMEGDAWgBRF +uMx2NrFQ1Vnf1523VCuJjshKZDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBABdf0gUOL39utqpjdDtC/yR2BIMP7grYnOvwRzC/9WX3L4EuaxQXNlHGB2Yr +gUVLQUx96lf4/111FG7gNjx8h8XZHD+eU9B04/yf4+5HtP/7A+49wBViX7AWWJTD +Y6Vq2dqnYMRL3sG/+wkpF2MbnSVXxkzbz4WGxdG+fp2ge7cV +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, 
CN=signing-ca-1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:bc:7d:4b:3f:d8:66:9b:c2:69:59:ab:26:bf:3d: + 7d:8f:fe:36:e2:4e:7a:26:e3:72:81:e5:7c:55:ca: + 35:a2:30:52:44:fb:bd:29:62:b9:40:eb:fa:19:49: + 4a:4c:cb:38:1e:d5:4b:09:83:46:9a:6a:6e:64:34: + c1:92:19:51:75:25:ea:37:47:f9:f8:4d:e1:3d:0a: + 16:40:e9:ea:6a:c3:9a:10:c3:93:db:97:fc:42:85: + ab:ca:30:43:45:50:33:9e:04:c6:f7:1c:de:fa:66: + 0d:f0:7d:36:50:c5:c7:37:07:17:4c:51:e1:fe:d0: + 51:ef:40:47:08:c5:12:c6:c9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + X509v3 Authority Key Identifier: + keyid:94:5E:37:4D:32:20:13:B0:FD:CD:CF:4A:2C:6A:22:05:D8:EE:EA:34 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 99:a6:16:ca:7d:be:3e:6e:c7:0f:b4:b9:8c:95:63:7e:54:79: + 60:23:b8:c2:fa:0c:f2:7b:b9:34:f0:2f:7f:e3:d7:85:9c:77: + 67:47:63:4a:db:a1:72:a0:9c:ea:c4:56:e5:51:fe:42:31:a9: + 75:2b:24:e9:b6:1c:d3:41:1f:97:a5:1b:6c:16:50:db:f1:dc: + 61:6d:fc:9f:9f:54:54:de:fe:9f:98:e0:1c:4f:11:0d:ce:8d: + 32:7c:a4:6f:96:3f:db:75:f7:18:eb:b0:70:2d:d2:4d:eb:49: + 4c:3c:0f:bc:28:e7:bb:e6:6d:2f:e5:bd:00:68:69:bd:7d:f6: + d1:fb +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE0MjEwNjM2 +WhgPMjExNDA5MjAyMTA2MzZaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 +eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQC8fUs/2GabwmlZqya/PX2P/jbiTnom43KB5XxVyjWiMFJE+70pYrlA6/oZ +SUpMyzge1UsJg0aaam5kNMGSGVF1Jeo3R/n4TeE9ChZA6epqw5oQw5Pbl/xChavK +MENFUDOeBMb3HN76Zg3wfTZQxcc3BxdMUeH+0FHvQEcIxRLGyQIDAQABo1AwTjAd +BgNVHQ4EFgQURbjMdjaxUNVZ39edt1QriY7ISmQwHwYDVR0jBBgwFoAUlF43TTIg 
+E7D9zc9KLGoiBdju6jQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCZ +phbKfb4+bscPtLmMlWN+VHlgI7jC+gzye7k08C9/49eFnHdnR2NK26FyoJzqxFbl +Uf5CMal1KyTpthzTQR+XpRtsFlDb8dxhbfyfn1RU3v6fmOAcTxENzo0yfKRvlj/b +dfcY67BwLdJN60lMPA+8KOe75m0v5b0AaGm9ffbR+w== +-----END CERTIFICATE----- diff --git a/t/cert/ocsp/test-com.crt b/t/cert/ocsp/test-com.crt new file mode 100644 index 0000000000..9afa04c193 --- /dev/null +++ b/t/cert/ocsp/test-com.crt 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: + f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: + 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: + c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: + 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: + fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: + 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: + 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: + c3:bb:ed:ea:12:fc:b7:77:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + X509v3 Authority Key Identifier: + keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 + serial:03 + + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ + + Signature Algorithm: sha1WithRSAEncryption + 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: + f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: + 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: + 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: + 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: + ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: + 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: + dc:3b +-----BEGIN CERTIFICATE----- +MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
+VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy +MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR +zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh +1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw +ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD +VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv +MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R +dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy +e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH +Stw7 +-----END CERTIFICATE----- diff --git a/t/cert/ocsp/wrong-issuer-order-chain.pem b/t/cert/ocsp/wrong-issuer-order-chain.pem new file mode 100644 index 0000000000..04be6d241c --- /dev/null +++ b/t/cert/ocsp/wrong-issuer-order-chain.pem 
@@ -0,0 +1,183 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: + f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: + 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: + c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: + 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: + fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: + 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: + 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: + c3:bb:ed:ea:12:fc:b7:77:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + X509v3 Authority Key Identifier: + keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 + serial:03 + + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ + + Signature Algorithm: sha1WithRSAEncryption + 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: + f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: + 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: + 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: + 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: + ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: + 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: + dc:3b +-----BEGIN CERTIFICATE----- +MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
+VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy +MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR +zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh +1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw +ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD +VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv +MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R +dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy +e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH +Stw7 +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:bc:7d:4b:3f:d8:66:9b:c2:69:59:ab:26:bf:3d: + 7d:8f:fe:36:e2:4e:7a:26:e3:72:81:e5:7c:55:ca: + 35:a2:30:52:44:fb:bd:29:62:b9:40:eb:fa:19:49: + 4a:4c:cb:38:1e:d5:4b:09:83:46:9a:6a:6e:64:34: + c1:92:19:51:75:25:ea:37:47:f9:f8:4d:e1:3d:0a: + 16:40:e9:ea:6a:c3:9a:10:c3:93:db:97:fc:42:85: + ab:ca:30:43:45:50:33:9e:04:c6:f7:1c:de:fa:66: + 0d:f0:7d:36:50:c5:c7:37:07:17:4c:51:e1:fe:d0: + 51:ef:40:47:08:c5:12:c6:c9 + Exponent: 65537 (0x10001) + X509v3 extensions: 
+ X509v3 Subject Key Identifier: + 45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + X509v3 Authority Key Identifier: + keyid:94:5E:37:4D:32:20:13:B0:FD:CD:CF:4A:2C:6A:22:05:D8:EE:EA:34 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 99:a6:16:ca:7d:be:3e:6e:c7:0f:b4:b9:8c:95:63:7e:54:79: + 60:23:b8:c2:fa:0c:f2:7b:b9:34:f0:2f:7f:e3:d7:85:9c:77: + 67:47:63:4a:db:a1:72:a0:9c:ea:c4:56:e5:51:fe:42:31:a9: + 75:2b:24:e9:b6:1c:d3:41:1f:97:a5:1b:6c:16:50:db:f1:dc: + 61:6d:fc:9f:9f:54:54:de:fe:9f:98:e0:1c:4f:11:0d:ce:8d: + 32:7c:a4:6f:96:3f:db:75:f7:18:eb:b0:70:2d:d2:4d:eb:49: + 4c:3c:0f:bc:28:e7:bb:e6:6d:2f:e5:bd:00:68:69:bd:7d:f6: + d1:fb +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE0MjEwNjM2 +WhgPMjExNDA5MjAyMTA2MzZaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 +eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQC8fUs/2GabwmlZqya/PX2P/jbiTnom43KB5XxVyjWiMFJE+70pYrlA6/oZ +SUpMyzge1UsJg0aaam5kNMGSGVF1Jeo3R/n4TeE9ChZA6epqw5oQw5Pbl/xChavK +MENFUDOeBMb3HN76Zg3wfTZQxcc3BxdMUeH+0FHvQEcIxRLGyQIDAQABo1AwTjAd +BgNVHQ4EFgQURbjMdjaxUNVZ39edt1QriY7ISmQwHwYDVR0jBBgwFoAUlF43TTIg +E7D9zc9KLGoiBdju6jQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCZ +phbKfb4+bscPtLmMlWN+VHlgI7jC+gzye7k08C9/49eFnHdnR2NK26FyoJzqxFbl +Uf5CMal1KyTpthzTQR+XpRtsFlDb8dxhbfyfn1RU3v6fmOAcTxENzo0yfKRvlj/b +dfcY67BwLdJN60lMPA+8KOe75m0v5b0AaGm9ffbR+w== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 + Validity + Not Before: Oct 14 21:06:36 2014 GMT + Not After : Sep 20 21:06:36 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, 
CN=signing-ca-2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:cb:87:d5:f0:e5:d7:b6:fe:21:5e:f1:8b:80:8b: + 56:88:86:ef:32:5d:91:75:df:d3:71:f9:36:3d:31: + fa:4c:98:52:eb:3b:cf:44:be:30:5c:99:95:d4:dc: + 91:7a:ae:35:88:d8:e9:32:00:55:a7:09:29:34:17: + e7:f2:bc:82:a7:0b:1c:dd:57:76:50:5d:85:74:47: + fe:d1:74:cf:2d:7e:89:44:9e:a8:ea:9e:4a:16:58: + c1:5d:40:6c:18:86:c9:b4:86:35:d7:d9:44:24:fa: + 92:47:53:cf:0e:55:8d:dd:57:ed:35:4c:36:9a:6e: + dc:42:bb:53:3b:a2:ed:3b:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + X509v3 Authority Key Identifier: + keyid:45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 17:5f:d2:05:0e:2f:7f:6e:b6:aa:63:74:3b:42:ff:24:76:04: + 83:0f:ee:0a:d8:9c:eb:f0:47:30:bf:f5:65:f7:2f:81:2e:6b: + 14:17:36:51:c6:07:66:2b:81:45:4b:41:4c:7d:ea:57:f8:ff: + 5d:75:14:6e:e0:36:3c:7c:87:c5:d9:1c:3f:9e:53:d0:74:e3: + fc:9f:e3:ee:47:b4:ff:fb:03:ee:3d:c0:15:62:5f:b0:16:58: + 94:c3:63:a5:6a:d9:da:a7:60:c4:4b:de:c1:bf:fb:09:29:17: + 63:1b:9d:25:57:c6:4c:db:cf:85:86:c5:d1:be:7e:9d:a0:7b: + b7:15 +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTQy +MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAMuH1fDl17b+IV7xi4CLVoiG7zJdkXXf03H5Nj0x+kyYUus7z0S+ +MFyZldTckXquNYjY6TIAVacJKTQX5/K8gqcLHN1XdlBdhXRH/tF0zy1+iUSeqOqe +ShZYwV1AbBiGybSGNdfZRCT6kkdTzw5Vjd1X7TVMNppu3EK7Uzui7Ts3AgMBAAGj +UDBOMB0GA1UdDgQWBBS/8wWuR2v8jCLwIzvmWWIjJbB1bTAfBgNVHSMEGDAWgBRF 
+uMx2NrFQ1Vnf1523VCuJjshKZDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBABdf0gUOL39utqpjdDtC/yR2BIMP7grYnOvwRzC/9WX3L4EuaxQXNlHGB2Yr +gUVLQUx96lf4/111FG7gNjx8h8XZHD+eU9B04/yf4+5HtP/7A+49wBViX7AWWJTD +Y6Vq2dqnYMRL3sG/+wkpF2MbnSVXxkzbz4WGxdG+fp2ge7cV +-----END CERTIFICATE----- From 418a977ca135b82ac18d8f8b3af7d9c5a12ad5e0 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Tue, 14 Oct 2014 21:42:43 -0700 Subject: [PATCH 08/56] feature: added the create_ocsp_request() function to the ngx.ssl Lua module. --- lua/ngx/ssl.lua | 31 +++ src/ngx_http_lua_sslcertby.c | 105 +++++++++- t/130-ssl-cert-by.t | 371 ++++++++++++++++++++++++++++++++++- 3 files changed, 505 insertions(+), 2 deletions(-) diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 4eb09ab7ca..4fe55a64fa 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -42,6 +42,9 @@ int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len, int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( const char *chain_data, size_t chain_len, char *out, size_t *out_size, char **err); + +int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, + size_t chain_len, unsigned char *out, size_t *out_size, char **err); ]] @@ -196,4 +199,32 @@ function _M.get_ocsp_responder_from_der_chain(data, maxlen) end +function _M.create_ocsp_request(data, maxlen) + + local buf_size = maxlen + if not buf_size then + buf_size = get_string_buf_size() + end + local buf = get_string_buf(buf_size) + + local sizep = get_size_ptr() + sizep[0] = buf_size + + local rc = C.ngx_http_lua_ffi_ssl_create_ocsp_request(data, + #data, buf, sizep, + errmsg) + + if rc == FFI_OK then + return ffi_str(buf, sizep[0]) + end + + if rc == FFI_BUSY then + return nil, ffi_str(errmsg[0]) .. ": " .. tonumber(sizep[0]) + .. " > " .. buf_size + end + + return nil, ffi_str(errmsg[0]) +end + + return _M diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index a705d9ffcd..ce95a4fbb7 100644 
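Review bot: `_M.create_ocsp_request` passes `#data` straight to the FFI call without checking the argument, so a nil or non-string `data` raises a Lua error from inside the SSL handshake handler instead of following the function's own `nil, err` convention; a guard such as `if type(data) ~= "string" then return nil, "chain data must be a string" end` at the top keeps the failure on the error-return path. On `FFI_BUSY` the C side has already stored the required size in `sizep[0]`, so the function could retry once with `get_string_buf(tonumber(sizep[0]))` rather than surfacing "output buffer too small: N > M" to every caller that did not pass `maxlen`; if the current behaviour is intended, a doc comment above the function stating that `maxlen` must cover the DER-encoded request would help. The `FFI_OK` path copies the result out with `ffi_str` before the shared string buffer can be reused, which looks correct.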
--- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -715,7 +715,7 @@ ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( - const char *chain_data, size_t chain_len, u_char *out, size_t *out_size, + const char *chain_data, size_t chain_len, unsigned char *out, size_t *out_size, char **err) { int rc = NGX_OK; 
@@ -818,6 +818,109 @@ ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( return rc; } + +int +ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, + size_t chain_len, unsigned char *out, size_t *out_size, char **err) +{ + int rc = NGX_ERROR; + BIO *bio = NULL; + X509 *cert = NULL, *issuer = NULL; + size_t len; + OCSP_CERTID *id; + OCSP_REQUEST *ocsp = NULL; + + /* certificate */ + + bio = BIO_new_mem_buf((char *) chain_data, chain_len); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + goto failed; + } + + cert = d2i_X509_bio(bio, NULL); + if (cert == NULL) { + *err = "d2i_X509_bio() failed"; + goto failed; + } + + if (BIO_eof(bio)) { + *err = "no issuer certificate in chain"; + goto failed; + } + + issuer = d2i_X509_bio(bio, NULL); + if (issuer == NULL) { + *err = "d2i_X509_bio() failed"; + goto failed; + } + + ocsp = OCSP_REQUEST_new(); + if (ocsp == NULL) { + *err = "OCSP_REQUEST_new() failed"; + goto failed; + } + + id = OCSP_cert_to_id(NULL, cert, issuer); + if (id == NULL) { + *err = "OCSP_cert_to_id() failed"; + goto failed; + } + + if (OCSP_request_add0_id(ocsp, id) == NULL) { + *err = "OCSP_request_add0_id() failed"; + goto failed; + } + + len = i2d_OCSP_REQUEST(ocsp, NULL); + if (len <= 0) { + *err = "i2d_OCSP_REQUEST() failed"; + goto failed; + } + + if (len > *out_size) { + *err = "output buffer too small"; + *out_size = len; + rc = NGX_BUSY; + goto failed; + } + + len = i2d_OCSP_REQUEST(ocsp, &out); + if (len <= 0) { + *err = "i2d_OCSP_REQUEST() failed"; + goto failed; + } + + *out_size = len; + + OCSP_REQUEST_free(ocsp); + X509_free(issuer); + X509_free(cert); + BIO_free(bio); + + return NGX_OK; + +failed: + + if (ocsp) { + OCSP_REQUEST_free(ocsp); + } + + if (issuer) { + X509_free(issuer); + } + + if (cert) { + X509_free(cert); + } + + if (bio) { + BIO_free(bio); + } + + return rc; +} + #endif /* NGX_LUA_NO_FFI_API */ diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 17ae4bdf41..74f54442db 100644 
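Review bot: In `ngx_http_lua_ffi_ssl_create_ocsp_request` the return value of `i2d_OCSP_REQUEST()` (an `int`, negative on failure) is stored in `size_t len`, so `len <= 0` catches only zero; a negative return wraps to a huge unsigned value, passes `len > *out_size` and is reported to Lua as NGX_BUSY with a nonsense required size instead of as an error. Keep a signed temporary for both calls: `int n = i2d_OCSP_REQUEST(ocsp, NULL); if (n <= 0) { *err = "i2d_OCSP_REQUEST() failed"; goto failed; } len = (size_t) n;`. On the `OCSP_request_add0_id()` failure branch the request has not taken ownership of `id` and the `failed:` label never frees it, so that branch needs `OCSP_CERTID_free(id);` before its `goto failed`. Smaller points: the two `d2i_X509_bio()` failures report the same string, so the Lua caller cannot tell whether the leaf or the issuer was malformed, and a header comment should state that only the first two certificates of `chain_data` are read (leaf, then issuer) and the rest is ignored.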
--- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 4); +plan tests => repeat_each() * (blocks() * 6 + 6); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
@@ -1976,3 +1976,372 @@ still get an error: truncated [alert] [emerg] + + +=== TEST 19: create OCSP request (good) +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local req, err = ssl.create_ocsp_request(cert_data) + if not req then + ngx.log(ngx.ERR, "failed to create OCSP request: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP request created with length ", #req) + local bytes = {string.byte(req, 1, #req)} + for i, byte in ipairs(bytes) do + bytes[i] = string.format("%02x", byte) + end + ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- 
response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP request created with length 68 +OCSP request content: 30 42 30 40 30 3e 30 3c 30 3a 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 d6 ea 26 21 83 6d 8e 8e 15 8e 46 ec 09 78 77 ca 60 be 25 c6 04 14 bf f3 05 ae 47 6b fc 8c 22 f0 23 3b e6 59 62 23 25 b0 75 6d 02 01 04, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 20: create OCSP request (buffer too small) +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local req, err = ssl.create_ocsp_request(cert_data, 67) + if not req then + ngx.log(ngx.ERR, "failed to create OCSP request: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP request created with length ", #req) + local bytes = {string.byte(req, 1, #req)} + for i, byte in ipairs(bytes) do + bytes[i] = string.format("%02x", byte) + end + ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to create OCSP request: output buffer too small: 68 > 67 + +--- no_error_log +[alert] +[emerg] + + + +=== TEST 21: create OCSP request (empty string cert chain) +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local cert_data = "" + local req, err = ssl.create_ocsp_request(cert_data, 67) + if not req then + ngx.log(ngx.ERR, "failed to create OCSP request: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP request created with length ", #req) + local bytes = {string.byte(req, 1, #req)} + for i, byte in ipairs(bytes) do + bytes[i] = string.format("%02x", byte) + end + ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + 
ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to create OCSP request: d2i_X509_bio() failed + +--- no_error_log +[alert] +[emerg] + + + +=== TEST 22: create OCSP request (no issuer cert in the chain) +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/test-com.crt")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local req, err = ssl.create_ocsp_request(cert_data, 67) + if not req then + ngx.log(ngx.ERR, "failed to create OCSP request: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP request created with length ", #req) + local bytes = {string.byte(req, 1, #req)} + for i, byte in ipairs(bytes) do + bytes[i] = string.format("%02x", byte) + end + ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + 
do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to create OCSP request: no issuer certificate in chain + +--- no_error_log +[alert] +[emerg] + From 3a170b4fc4839de9969de1000923a10c717f2dc1 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Wed, 15 Oct 2014 22:07:52 -0700 Subject: [PATCH 09/56] feature: added new function validate_ocsp_response() to the ngx.ssl Lua module. --- lua/ngx/ssl.lua | 28 + src/ngx_http_lua_sslcertby.c | 160 +++++ t/130-ssl-cert-by.t | 584 +++++++++++++++++- t/cert/ocsp/chain.pem | 198 +++--- t/cert/ocsp/ocsp-req.der | Bin 0 -> 68 bytes t/cert/ocsp/ocsp-resp-no-certs.der | Bin 0 -> 388 bytes .../ocsp-resp-signed-by-orphaned-no-certs.der | Bin 0 -> 384 bytes t/cert/ocsp/ocsp-resp-signed-by-orphaned.der | Bin 0 -> 1044 bytes t/cert/ocsp/ocsp-resp.der | Bin 0 -> 1056 bytes t/cert/ocsp/revoked-chain.pem | 183 ++++++ t/cert/ocsp/test-com.crt | 74 +-- t/cert/ocsp/wrong-issuer-order-chain.pem | 198 +++--- 12 files changed, 1183 insertions(+), 242 deletions(-) create mode 100644 t/cert/ocsp/ocsp-req.der create mode 100644 t/cert/ocsp/ocsp-resp-no-certs.der create mode 100644 t/cert/ocsp/ocsp-resp-signed-by-orphaned-no-certs.der create mode 100644 t/cert/ocsp/ocsp-resp-signed-by-orphaned.der create mode 100644 t/cert/ocsp/ocsp-resp.der create mode 100644 t/cert/ocsp/revoked-chain.pem diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 4fe55a64fa..1b7beee829 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua 
@@ -45,6 +45,10 @@ int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, size_t chain_len, unsigned char *out, size_t *out_size, char **err); + +int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, + size_t resp_len, const char *chain_data, size_t chain_len, + unsigned char *errbuf, size_t *errbuf_size); ]] @@ -227,4 +231,28 @@ function _M.create_ocsp_request(data, maxlen) end +function _M.validate_ocsp_response(resp, chain, max_errmsg_len) + + local errbuf_size = max_errmsg_len + if not errbuf_size then + errbuf_size = get_string_buf_size() + end + local errbuf = get_string_buf(errbuf_size) + + local sizep = get_size_ptr() + sizep[0] = errbuf_size + + local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response( + resp, #resp, chain, #chain, errbuf, sizep) + + if rc == FFI_OK then + return true + end + + -- rc == FFI_ERROR + + return nil, ffi_str(errbuf, sizep[0]) +end + + return _M diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index ce95a4fbb7..a25d1e4792 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c 
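Review bot: `validate_ocsp_response` returns a bare `true`, so a handler that caches the stapled response (the usual pattern in ssl_certificate_by_lua) gets no thisUpdate/nextUpdate values even though the C side has them in hand, and cannot derive a cache TTL from the responder's own window; returning nextUpdate as a second value, or at least documenting that callers must bound the cache themselves, would close that gap. The function also lacks a header comment; I would add: `--- Verify a DER OCSP response against chain (DER, leaf first, issuer second): response status, signature, a "good" status for the leaf and the validity window. Returns true, or nil and an error message limited to max_errmsg_len bytes.` The length limit is a silent truncation, not a busy return: the C side formats into `errbuf` with `ngx_snprintf` bounded by `errbuf_size`, so the `-- rc == FFI_ERROR` comment is accurate but could add that an over-long message is cut rather than rejected.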
@@ -921,6 +921,166 @@ ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, return rc; } + +int +ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, + size_t resp_len, const char *chain_data, size_t chain_len, + u_char *errbuf, size_t *errbuf_size) +{ + int n; + BIO *bio = NULL; + X509 *cert = NULL, *issuer = NULL; + OCSP_CERTID *id = NULL; + OCSP_RESPONSE *ocsp = NULL; + OCSP_BASICRESP *basic = NULL; + STACK_OF(X509) *chain = NULL; + ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; + + ocsp = d2i_OCSP_RESPONSE(NULL, &resp, resp_len); + if (ocsp == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "d2i_OCSP_RESPONSE() failed") - errbuf; + goto error; + } + + n = OCSP_response_status(ocsp); + + if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "OCSP response not successful (%d: %s)", + n, OCSP_response_status_str(n)) - errbuf; + goto error; + } + + basic = OCSP_response_get1_basic(ocsp); + if (basic == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "OCSP_response_get1_basic() failed") + - errbuf; + goto error; + } + + /* get issuer certificate from chain */ + + bio = BIO_new_mem_buf((char *) chain_data, chain_len); + if (bio == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "BIO_new_mem_buf() failed") + - errbuf; + goto error; + } + + cert = d2i_X509_bio(bio, NULL); + if (cert == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "d2i_X509_bio() failed") + - errbuf; + goto error; + } + + if (BIO_eof(bio)) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "no issuer certificate in chain") + - errbuf; + goto error; + } + + issuer = d2i_X509_bio(bio, NULL); + if (issuer == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "d2i_X509_bio() failed") - errbuf; + goto error; + } + + chain = sk_X509_new_null(); + if (chain == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "sk_X509_new_null() failed") - errbuf; + goto 
error; + } + + (void) sk_X509_push(chain, issuer); + + if (OCSP_basic_verify(basic, chain, NULL, OCSP_NOVERIFY) != 1) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "OCSP_basic_verify() failed") - errbuf; + goto error; + } + + id = OCSP_cert_to_id(NULL, cert, issuer); + if (id == NULL) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "OCSP_cert_to_id() failed") - errbuf; + goto error; + } + + if (OCSP_resp_find_status(basic, id, &n, NULL, NULL, + &thisupdate, &nextupdate) + != 1) + { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "certificate status not found in the " + "OCSP response") - errbuf; + goto error; + } + + if (n != V_OCSP_CERTSTATUS_GOOD) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "certificate status \"%s\" in the OCSP " + "response", OCSP_cert_status_str(n)) + - errbuf; + goto error; + } + + if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "OCSP_check_validity() failed") - errbuf; + goto error; + } + + sk_X509_free(chain); + X509_free(cert); + X509_free(issuer); + BIO_free(bio); + OCSP_CERTID_free(id); + OCSP_BASICRESP_free(basic); + OCSP_RESPONSE_free(ocsp); + + return NGX_OK; + +error: + + if (chain) { + sk_X509_free(chain); + } + + if (id) { + OCSP_CERTID_free(id); + } + + if (basic) { + OCSP_BASICRESP_free(basic); + } + + if (ocsp) { + OCSP_RESPONSE_free(ocsp); + } + + if (cert) { + X509_free(cert); + } + + if (issuer) { + X509_free(issuer); + } + + if (bio) { + BIO_free(bio); + } + + return NGX_ERROR; +} + #endif /* NGX_LUA_NO_FFI_API */ diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 74f54442db..fcdb48eb91 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 6); +plan tests => repeat_each() * (blocks() * 6 + 11); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
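Review bot: `OCSP_basic_verify(basic, chain, NULL, OCSP_NOVERIFY)` accepts a response signed by any certificate the responder embeds in it: OpenSSL finds the signer in `chain` or, failing that, among the response's own certificates, checks the signature against that key, and OCSP_NOVERIFY then skips the check that the signer is, or chains to, the certificate's issuer — exactly what this commit's TEST 26 records as a FIXME. The one-word fix is `if (OCSP_basic_verify(basic, chain, NULL, OCSP_TRUSTOTHER) != 1) {`: a response signed directly by `issuer` (which is in `chain`) stays trusted, while a signer present only inside the response falls through to chain verification and, with no store, is rejected. Delegated responder certificates (issued by the CA with the OCSP-signing EKU) would then fail too; supporting them needs an `X509_STORE` containing the issuer (with partial-chain verification if the issuer is not self-signed) passed in place of NULL with flags 0, at which point OpenSSL also enforces the EKU and the issuer match. A caveat that deserves a comment on the `OCSP_check_validity(thisupdate, nextupdate, 300, -1)` line: a maxsec of -1 puts no age limit on a response that omits nextUpdate, so such a response validates indefinitely (I believe nginx's own stapling code makes the same choice, but a Lua caller caching the result should know).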
@@ -1589,7 +1589,7 @@ ssl handshake: userdata --- error_log lua ssl server name: "test.com" -OCSP url found: http://127.0.0.1:8888/, +OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, --- no_error_log [error] @@ -2005,11 +2005,13 @@ still get an error: truncated end ngx.log(ngx.WARN, "OCSP request created with length ", #req) - local bytes = {string.byte(req, 1, #req)} - for i, byte in ipairs(bytes) do - bytes[i] = string.format("%02x", byte) + + local f = assert(io.open("t/cert/ocsp/ocsp-req.der", "r")) + local expected = assert(f:read("*a")) + f:close() + if req ~= expected then + ngx.log(ngx.ERR, "ocsp responder: got unexpected OCSP request") end - ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) '; ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; @@ -2065,7 +2067,6 @@ ssl handshake: userdata --- error_log lua ssl server name: "test.com" OCSP request created with length 68 -OCSP request content: 30 42 30 40 30 3e 30 3c 30 3a 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 d6 ea 26 21 83 6d 8e 8e 15 8e 46 ec 09 78 77 ca 60 be 25 c6 04 14 bf f3 05 ae 47 6b fc 8c 22 f0 23 3b e6 59 62 23 25 b0 75 6d 02 01 04, --- no_error_log [error] 
@@ -2345,3 +2346,572 @@ failed to create OCSP request: no issuer certificate in chain [alert] [emerg] + + +=== TEST 23: validate good OCSP response +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log 
+lua ssl server name: "test.com" +OCSP response validation ok + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 24: fail to validate OCSP response - no issuer cert +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/test-com.crt")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl 
handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to validate OCSP response: no issuer certificate in chain + +--- no_error_log +OCSP response validation ok +[alert] +[emerg] + + + +=== TEST 25: validate good OCSP response - no certs in response +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/ocsp-resp-no-certs.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: 
", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP response validation ok + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 26: validate OCSP response - OCSP response signed by an unknown cert and the OCSP response contains the unknown cert + +FIXME: we should complain in this case. + +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/ocsp-resp-signed-by-orphaned.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local 
sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +OCSP response validation ok + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 27: fail to validate OCSP response - OCSP response signed by an unknown cert and the OCSP response does not contain the unknown cert + +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/ocsp-resp-signed-by-orphaned-no-certs.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to validate OCSP response: OCSP_basic_verify() failed + +--- no_error_log +OCSP response validation ok +[alert] +[emerg] + + + +=== TEST 28: fail to validate OCSP response - OCSP response returns revoked status + +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/revoked-chain.pem")) + local cert_data = f:read("*a") + f:close() + + cert_data, err = ssl.cert_pem_to_der(cert_data) + if not cert_data then + ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) + return + end + + local f = assert(io.open("t/cert/ocsp/revoked-ocsp-resp.der")) + local resp = f:read("*a") + f:close() + + local req, err = ssl.validate_ocsp_response(resp, cert_data) + if not req then + ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) + return + end + + ngx.log(ngx.WARN, "OCSP response validation ok") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port 
$TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +failed to validate OCSP response: certificate status "revoked" in the OCSP response + +--- no_error_log +OCSP response validation ok +[alert] +[emerg] + diff --git a/t/cert/ocsp/chain.pem b/t/cert/ocsp/chain.pem index 26d9d61f5a..4743a36020 100644 --- a/t/cert/ocsp/chain.pem +++ b/t/cert/ocsp/chain.pem 
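Review bot: TEST 28 opens `t/cert/ocsp/revoked-ocsp-resp.der`, but that file is not among the fixtures this commit creates (the diffstat adds ocsp-req.der, the ocsp-resp*.der files and revoked-chain.pem only), so unless an earlier commit added it the `assert(io.open(...))` raises inside ssl_certificate_by_lua and the expected `certificate status "revoked"` line can never be logged. TEST 26 pins a known-wrong outcome (a response signed by an unrelated certificate that is merely embedded in the response validates) as a passing test with only a prose FIXME; a test that asserts a bug as success will keep passing until someone remembers it, and will fail the moment the C side is fixed. Better to write the block with the intended expectation — `failed to validate OCSP response: OCSP_basic_verify() failed` under `--- error_log` and `OCSP response validation ok` under `--- no_error_log`, as TEST 27 does — and mark it as an expected failure or skip it with whatever mechanism this Test::Nginx version supports, so the harness flags the change when it lands.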
@@ -5,22 +5,22 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: - f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: - 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: - c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: - 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: - fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: - 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: - 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: - c3:bb:ed:ea:12:fc:b7:77:59 + 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: + 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: + bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: + 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: + 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: + 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: + 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: + a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: + b1:ef:6b:e9:f5:ad:29:87:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,44 +28,44 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: - B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 X509v3 Authority Key Identifier: - keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 serial:03 Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ + OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 Signature Algorithm: sha1WithRSAEncryption - 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: - f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: - 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: - 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: - 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: - ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: - 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: - dc:3b + 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: + 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: + 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: + 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: + ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: + 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: + cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: + e3:e8 -----BEGIN CERTIFICATE----- -MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy -MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT 
CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR -zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh -1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw -ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD -VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 +AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E +418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw +ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD +VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI -KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv -MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R -dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy -e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH -Stw7 +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI +KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv +b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt ++LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm +hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF +bC7VKgqN84joJkjj6A== -----END CERTIFICATE----- Certificate: Data: 
@@ -74,55 +74,55 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:cb:87:d5:f0:e5:d7:b6:fe:21:5e:f1:8b:80:8b: - 56:88:86:ef:32:5d:91:75:df:d3:71:f9:36:3d:31: - fa:4c:98:52:eb:3b:cf:44:be:30:5c:99:95:d4:dc: - 91:7a:ae:35:88:d8:e9:32:00:55:a7:09:29:34:17: - e7:f2:bc:82:a7:0b:1c:dd:57:76:50:5d:85:74:47: - fe:d1:74:cf:2d:7e:89:44:9e:a8:ea:9e:4a:16:58: - c1:5d:40:6c:18:86:c9:b4:86:35:d7:d9:44:24:fa: - 92:47:53:cf:0e:55:8d:dd:57:ed:35:4c:36:9a:6e: - dc:42:bb:53:3b:a2:ed:3b:37 + 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: + a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: + dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: + d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: + ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: + f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: + 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: + e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: + 9a:c1:64:e0:9b:dd:67:e5:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 X509v3 Authority Key Identifier: - keyid:45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption - 17:5f:d2:05:0e:2f:7f:6e:b6:aa:63:74:3b:42:ff:24:76:04: - 83:0f:ee:0a:d8:9c:eb:f0:47:30:bf:f5:65:f7:2f:81:2e:6b: - 14:17:36:51:c6:07:66:2b:81:45:4b:41:4c:7d:ea:57:f8:ff: - 5d:75:14:6e:e0:36:3c:7c:87:c5:d9:1c:3f:9e:53:d0:74:e3: - 
fc:9f:e3:ee:47:b4:ff:fb:03:ee:3d:c0:15:62:5f:b0:16:58: - 94:c3:63:a5:6a:d9:da:a7:60:c4:4b:de:c1:bf:fb:09:29:17: - 63:1b:9d:25:57:c6:4c:db:cf:85:86:c5:d1:be:7e:9d:a0:7b: - b7:15 + 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: + 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: + f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: + 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: + f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: + d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: + 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: + 99:b7 -----BEGIN CERTIFICATE----- MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTQy -MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBAMuH1fDl17b+IV7xi4CLVoiG7zJdkXXf03H5Nj0x+kyYUus7z0S+ -MFyZldTckXquNYjY6TIAVacJKTQX5/K8gqcLHN1XdlBdhXRH/tF0zy1+iUSeqOqe -ShZYwV1AbBiGybSGNdfZRCT6kkdTzw5Vjd1X7TVMNppu3EK7Uzui7Ts3AgMBAAGj -UDBOMB0GA1UdDgQWBBS/8wWuR2v8jCLwIzvmWWIjJbB1bTAfBgNVHSMEGDAWgBRF -uMx2NrFQ1Vnf1523VCuJjshKZDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBABdf0gUOL39utqpjdDtC/yR2BIMP7grYnOvwRzC/9WX3L4EuaxQXNlHGB2Yr -gUVLQUx96lf4/111FG7gNjx8h8XZHD+eU9B04/yf4+5HtP/7A+49wBViX7AWWJTD -Y6Vq2dqnYMRL3sG/+wkpF2MbnSVXxkzbz4WGxdG+fp2ge7cV +gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk +VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 +vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj +UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS +MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA 
+A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C +7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh +boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 -----END CERTIFICATE----- Certificate: Data: 
@@ -131,53 +131,53 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:bc:7d:4b:3f:d8:66:9b:c2:69:59:ab:26:bf:3d: - 7d:8f:fe:36:e2:4e:7a:26:e3:72:81:e5:7c:55:ca: - 35:a2:30:52:44:fb:bd:29:62:b9:40:eb:fa:19:49: - 4a:4c:cb:38:1e:d5:4b:09:83:46:9a:6a:6e:64:34: - c1:92:19:51:75:25:ea:37:47:f9:f8:4d:e1:3d:0a: - 16:40:e9:ea:6a:c3:9a:10:c3:93:db:97:fc:42:85: - ab:ca:30:43:45:50:33:9e:04:c6:f7:1c:de:fa:66: - 0d:f0:7d:36:50:c5:c7:37:07:17:4c:51:e1:fe:d0: - 51:ef:40:47:08:c5:12:c6:c9 + 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: + ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: + 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: + 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: + d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: + 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: + 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: + 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: + 8e:34:fe:93:e4:d2:fc:97:57 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - 45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 X509v3 Authority Key Identifier: - keyid:94:5E:37:4D:32:20:13:B0:FD:CD:CF:4A:2C:6A:22:05:D8:EE:EA:34 + keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption - 99:a6:16:ca:7d:be:3e:6e:c7:0f:b4:b9:8c:95:63:7e:54:79: - 60:23:b8:c2:fa:0c:f2:7b:b9:34:f0:2f:7f:e3:d7:85:9c:77: - 67:47:63:4a:db:a1:72:a0:9c:ea:c4:56:e5:51:fe:42:31:a9: - 75:2b:24:e9:b6:1c:d3:41:1f:97:a5:1b:6c:16:50:db:f1:dc: - 
61:6d:fc:9f:9f:54:54:de:fe:9f:98:e0:1c:4f:11:0d:ce:8d: - 32:7c:a4:6f:96:3f:db:75:f7:18:eb:b0:70:2d:d2:4d:eb:49: - 4c:3c:0f:bc:28:e7:bb:e6:6d:2f:e5:bd:00:68:69:bd:7d:f6: - d1:fb + a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: + e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: + a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: + 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: + 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: + c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: + 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: + 37:a2 -----BEGIN CERTIFICATE----- MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE0MjEwNjM2 -WhgPMjExNDA5MjAyMTA2MzZaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 +WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQC8fUs/2GabwmlZqya/PX2P/jbiTnom43KB5XxVyjWiMFJE+70pYrlA6/oZ -SUpMyzge1UsJg0aaam5kNMGSGVF1Jeo3R/n4TeE9ChZA6epqw5oQw5Pbl/xChavK -MENFUDOeBMb3HN76Zg3wfTZQxcc3BxdMUeH+0FHvQEcIxRLGyQIDAQABo1AwTjAd -BgNVHQ4EFgQURbjMdjaxUNVZ39edt1QriY7ISmQwHwYDVR0jBBgwFoAUlF43TTIg -E7D9zc9KLGoiBdju6jQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCZ -phbKfb4+bscPtLmMlWN+VHlgI7jC+gzye7k08C9/49eFnHdnR2NK26FyoJzqxFbl -Uf5CMal1KyTpthzTQR+XpRtsFlDb8dxhbfyfn1RU3v6fmOAcTxENzo0yfKRvlj/b -dfcY67BwLdJN60lMPA+8KOe75m0v5b0AaGm9ffbR+w== +iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb +fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C +Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd +BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk +6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm 
+Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m +fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 +7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== -----END CERTIFICATE----- diff --git a/t/cert/ocsp/ocsp-req.der b/t/cert/ocsp/ocsp-req.der new file mode 100644 index 0000000000000000000000000000000000000000..f125311ac88017de061a5b2b40721988c93423f1 GIT binary patch literal 68 zcmXqTGH@`kGq5qRGT>xm)#hVnl450G5xMqCO|dz*uTQkk?G0x|`Kg3`s>fJFHgkWi Y4HOHk(=b20h+kG;;6UKw%}k6e0CkEKt^fc4 literal 0 HcmV?d00001 diff --git a/t/cert/ocsp/ocsp-resp-no-certs.der b/t/cert/ocsp/ocsp-resp-no-certs.der new file mode 100644 index 0000000000000000000000000000000000000000..01a45cf9f3b8fd8c6e613efceea716e67f3492cf GIT binary patch literal 388 zcmXqLVr<}IWLVI|SZUD2Sjxt!&Bn;e%5K2O$kN1^1{6v%Xgsqp%^<~)+klgeIh2J> zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVo;^b!aT*9>3NxX>AJ~@x<(TGMh1o^h6aXa2F6C_29{98tRzQnc zwfUHtq*xhPM6SJ3Q*6%d>l5vBd&5~#ekx&~>M<6P&D>vW1H}UCG|Ue#;+NGII1spa zGZQ0A0|Ta!ylk9WZ60mkc^QEoWngY>WY9Vl#AhPE63>5UVWF4* zb_?B!5Loi1aI&vi^4cRel; zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVuA+zATefPj{Ks6jKsXu6bXJK149!-14Am9S6s7>mee?yt3hVu5uU=7$&Y%jydp2wc3G ziIJs&0nrEx7#f^yM?|2@*T|XLaY2k IVOHZ>0M{jgYXATM literal 0 HcmV?d00001 
diff --git a/t/cert/ocsp/ocsp-resp-signed-by-orphaned.der b/t/cert/ocsp/ocsp-resp-signed-by-orphaned.der new file mode 100644 index 0000000000000000000000000000000000000000..506dbd2d967ec204e9bdd89deb4cbcf3f1e0d8e8 GIT binary patch literal 1044 zcmXqLViDkCWLVI|!fDXN!pg>}&Bn;e%5K2O$kN38&7g_-lR@K&g-HephTI06Y|No7 zY{E>T!G^*Hf*=luFqd;;PG(wuQC?=Ep{Ri{NRVBa$0ao_u{5Vd!8x;}(oo1i03^&M z%;{f{nirH>3=|VI;0K8@3v=Wb6=WplrKU*m8yOgy7#bLw85kRx8(2me1RD4oSOG0% z)#hVnl450G5xMqCO|dz*uTQkk?G0x|`Kg3`s>fJFHgkWi4HOHk(=b20h+kG;;6UKw z%}k6e4Gfq@^0IMiwRyCC=Vb(Xl7YFgks;Y3V1Dq0LX%Go+pfPUQf4`#*Y(BINI(0C zW$g3m4IY|4TJuxBUf6r1++@{F>!{)}aZixg**~j0&+gpf zZw#{<*Dh#cnqbhx)C0sF22G3~7cet1GBGi78lXCr_Tg`!AkK>t{=m>PG&C`=G%|uk z2+h-gLF0U6e=~xjsF%T@v6BfHQ#BlDdU&0BHPe&y z@ADTgRa7X_eIu-R+;nx-^SsYOtVatN|KyNHb^X89p$m zU0LC6CJ&Jiunr!oS*mANu(ZLSJZZ7@ms0Qmd1z7ubuG>`nqEJjj$)0 zOw5c7jEe&d{0wA)NmrJSMT|ux>(EM5p`|xJC@41UoZ(d_<$h*Ey@5PPTA4+{K&%0~ z0v?b8VHQ>cW=6*U$R38KN#Xzekq;PUCNJRc$vw4xcSKm^7O%*g201m|QZoNyUZ1_k zARg&D@9*+&WvAp$ZkuXwH1S)*rqcp%j81$^w{>bxWY_KEel4N-Z?fBqb3YgrviB^V zyLivdOdiE4J4`@~97dByYITR9V0p-GA A%>V!Z literal 0 HcmV?d00001 
diff --git a/t/cert/ocsp/ocsp-resp.der b/t/cert/ocsp/ocsp-resp.der new file mode 100644 index 0000000000000000000000000000000000000000..1fe910f4ff053b55062d38b85bf002bb35872a60 GIT binary patch literal 1056 zcmXqLVv*ruWLVI|B5KgYBFM(6&Bn;e%5K2O$kN2ZWYEO?&!F+l!Zd>vLv903Hs(+k zHesgFU_)U8K@f*Sn9DgaCo?U-C@(Y7P}D#eB*-qzm8(0A? zX4U3nW|CrMU=g|YN=>mjx35pM&+QFoMfs_OeX7S;L^gAOtql|ltkW<*yog^`U*JIC z;>}EqEDa2pM)I<8YPET^edlEadX#~=v5`URR1lxZd>8*mWlv|Hc&8AwG4FIy$eyk@ zd3Q@VwSLq!SjTXk=J@kB=~H~eCuf&}E{i-5se2Dtb|1M>J0s;Ce~(bh<4HXKorQ&7 z{@X2dCqiJ!m%_=uX31-h+)$pgRQmVt??T&8uS)*B^F?0G9rlO!@2ov^JHX|k9{0Rh z`Fo!^K4dItVwz#l#54tnCm1v_{#?M!#K^?N$ZUY>RJz20p@D)pFG?H$L(tIB#K6+X z2o@=HNec#z^O60}2#Ts+27|^JtBe-rc)qsL)oi$y+AVJN z!TSzR`0uNR8B3ppw1xhZUU9wFh|&6djD_~sJ(s&rY+GHHYV^$e>XW}0C!H|PD*1f; z&Gf^^=Rdg`TDoJeC)WBYPN{HhB^c92Y$F!SX}dTz}^)6GG(GY(s3z;}2~1IwZYK z;*wCWif`Fhc5V?nab2f(tp>Lr`!=RWPUqUZ`>6V>%wz9n#<-XT+Z}Pw`0?*pu*L7^ zvv_QBDkf`Q@~qXokeJsv``R0+M|Md`j(c)_jVG2V#2FQE*r^o#+t}3{&LX+>^vvx5 D%^+kP literal 0 HcmV?d00001 diff --git a/t/cert/ocsp/revoked-chain.pem b/t/cert/ocsp/revoked-chain.pem new file mode 100644 index 0000000000..3f98b7c2fa --- /dev/null +++ b/t/cert/ocsp/revoked-chain.pem 
@@ -0,0 +1,183 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8 (0x8) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Validity + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=revoked-test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:ca:50:23:9a:59:70:ea:00:47:ff:72:05:29:9b: + 5d:6d:4b:73:37:a4:ff:38:20:4b:5b:ac:1f:3b:34: + f5:12:f8:8b:0e:02:bc:bd:14:34:39:6f:7d:5b:1f: + d4:15:e7:64:2e:65:fb:b1:a8:aa:f6:96:d3:e6:2b: + 00:0e:f3:8a:ef:99:ab:3e:e6:5d:eb:6d:a6:4a:d0: + aa:ff:a9:d6:9a:41:f0:66:22:0a:38:9c:28:4f:1f: + 0d:cf:a2:79:96:f9:fc:3d:1e:83:70:f5:97:6e:07: + cf:a2:17:87:0d:2a:41:19:3a:44:96:89:e7:0d:cb: + 88:20:86:e1:de:08:8b:0d:db + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + FB:98:2B:56:90:69:E1:B4:2B:C2:DB:25:7C:13:87:D5:D7:BC:70:B6 + X509v3 Authority Key Identifier: + keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 + DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 + serial:03 + + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 + + Signature Algorithm: sha1WithRSAEncryption + 43:77:33:e9:cc:b1:42:35:94:0a:57:a5:dd:94:21:c0:cc:42: + 04:81:bd:b2:ac:4d:10:68:f3:fe:33:0a:8e:b9:3e:e9:f2:44: + aa:1c:e7:3e:e8:e0:57:40:41:ef:4a:b1:32:b0:f2:75:7c:aa: + 77:d2:64:9d:ba:a1:12:ea:f9:83:31:ba:9f:83:58:1c:38:e9: + d0:a6:dd:04:72:85:d1:2d:c7:3b:b2:71:ef:e4:f6:57:0c:6a: + b6:fc:e5:13:2d:be:a6:c1:f4:4b:4d:c8:69:cc:7c:2e:25:c1: + 8e:80:9e:19:c3:17:b2:21:a7:af:e8:2f:f1:d4:bb:8c:a3:39: + be:49 +-----BEGIN CERTIFICATE----- +MIIDcTCCAtqgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET 
+MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MRkwFwYDVQQDExByZXZva2VkLXRlc3QuY29tMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDKUCOaWXDqAEf/cgUpm11tS3M3pP84IEtbrB87NPUS+IsO +Ary9FDQ5b31bH9QV52QuZfuxqKr2ltPmKwAO84rvmas+5l3rbaZK0Kr/qdaaQfBm +Igo4nChPHw3PonmW+fw9HoNw9ZduB8+iF4cNKkEZOkSWiecNy4gghuHeCIsN2wID +AQABo4IBKzCCAScwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH +ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPuYK1aQaeG0K8LbJXwTh9XX +vHC2MIGOBgNVHSMEgYYwgYOAFLML9X1RFlF+KDfDog8dLxDAUaOzoWikZjBkMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVs +dCBDaXR5MRIwEAYDVQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2Et +MYIBAzA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly8xMjcuMC4w +LjE6ODg4OC9vY3NwP2Zvbz0xMA0GCSqGSIb3DQEBBQUAA4GBAEN3M+nMsUI1lApX +pd2UIcDMQgSBvbKsTRBo8/4zCo65PunyRKoc5z7o4FdAQe9KsTKw8nV8qnfSZJ26 +oRLq+YMxup+DWBw46dCm3QRyhdEtxzuyce/k9lcMarb85RMtvqbB9EtNyGnMfC4l +wY6AnhnDF7Ihp6/oL/HUu4yjOb5J +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 + Validity + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: + a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: + dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: + d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: + ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: + f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: + 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: + 
e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: + 9a:c1:64:e0:9b:dd:67:e5:f1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 + X509v3 Authority Key Identifier: + keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: + 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: + f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: + 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: + f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: + d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: + 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: + 99:b7 +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl +blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk +VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 +vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj +UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS +MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C +7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh +boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca + Validity + Not Before: Oct 16 
03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT + Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: + ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: + 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: + 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: + d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: + 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: + 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: + 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: + 8e:34:fe:93:e4:d2:fc:97:57 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 + X509v3 Authority Key Identifier: + keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: + e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: + a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: + 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: + 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: + c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: + 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: + 37:a2 +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD +VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 +WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 +eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb +fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C 
+Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd +BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk +6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm +Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m +fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 +7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== +-----END CERTIFICATE----- diff --git a/t/cert/ocsp/test-com.crt b/t/cert/ocsp/test-com.crt index 9afa04c193..d34cb6b9e7 100644 --- a/t/cert/ocsp/test-com.crt +++ b/t/cert/ocsp/test-com.crt @@ -5,22 +5,22 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: - f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: - 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: - c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: - 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: - fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: - 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: - 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: - c3:bb:ed:ea:12:fc:b7:77:59 + 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: + 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: + bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: + 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: + 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: + 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: + 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: + a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: + b1:ef:6b:e9:f5:ad:29:87:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,42 +28,42 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: - B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 X509v3 Authority Key Identifier: - keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 serial:03 Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ + OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 Signature Algorithm: sha1WithRSAEncryption - 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: - f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: - 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: - 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: - 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: - ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: - 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: - dc:3b + 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: + 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: + 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: + 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: + ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: + 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: + cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: + e3:e8 -----BEGIN CERTIFICATE----- -MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy -MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT 
CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR -zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh -1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw -ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD -VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 +AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E +418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw +ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD +VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI -KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv -MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R -dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy -e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH -Stw7 +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI +KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv +b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt ++LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm +hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF +bC7VKgqN84joJkjj6A== -----END CERTIFICATE----- diff --git a/t/cert/ocsp/wrong-issuer-order-chain.pem b/t/cert/ocsp/wrong-issuer-order-chain.pem index 04be6d241c..098e862bae 100644 --- a/t/cert/ocsp/wrong-issuer-order-chain.pem +++ b/t/cert/ocsp/wrong-issuer-order-chain.pem 
@@ -5,22 +5,22 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:c1:15:20:74:35:94:10:83:48:5e:06:ec:5f:3b: - f6:eb:b7:81:f3:9f:57:74:1f:55:7d:e3:e5:d9:90: - 04:b3:4d:51:e9:40:df:65:57:87:bf:db:11:cd:75: - c7:51:da:cf:eb:8e:91:02:ae:45:9a:da:3d:8c:62: - 4f:8d:69:95:a5:de:a5:93:34:39:a9:74:09:86:51: - fd:d3:ba:4d:71:00:00:75:bc:0f:04:34:20:0b:88: - 61:d6:90:53:e1:0a:17:e6:8d:be:af:55:9e:1c:6b: - 14:32:04:bd:3b:fc:41:96:3f:58:6c:16:c9:72:b7: - c3:bb:ed:ea:12:fc:b7:77:59 + 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: + 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: + bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: + 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: + 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: + 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: + 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: + a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: + b1:ef:6b:e9:f5:ad:29:87:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -28,44 +28,44 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: - B7:E9:82:6F:DB:43:30:59:78:25:98:6B:65:98:17:F7:EA:6D:27:95 + 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 X509v3 Authority Key Identifier: - keyid:BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 serial:03 Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ + OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 Signature Algorithm: sha1WithRSAEncryption - 22:7f:fb:4c:be:d8:fc:91:18:07:e7:d3:92:80:03:79:0e:6b: - f1:b2:ce:41:6a:65:db:03:d5:ef:91:76:16:a6:e9:03:af:09: - 89:36:62:6b:f6:1f:2a:f6:6b:74:44:81:6a:98:62:7d:b8:00: - 97:1c:35:46:fb:40:d2:ce:9f:c1:a5:db:6b:09:8e:ac:d2:dd: - 90:d9:b0:54:b2:7b:a8:fc:24:f2:14:81:99:6c:c8:f4:4a:37: - ff:de:74:7d:74:b7:db:e2:3a:43:b7:99:34:80:a7:85:44:80: - 34:55:94:23:4b:22:c3:6a:84:86:fc:1e:99:a8:30:3b:87:4a: - dc:3b + 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: + 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: + 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: + 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: + ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: + 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: + cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: + e3:e8 -----BEGIN CERTIFICATE----- -MIIDXzCCAsigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET +MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTQy -MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT 
CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAwRUgdDWUEINIXgbsXzv267eB859XdB9VfePl2ZAEs01R6UDfZVeHv9sR -zXXHUdrP646RAq5Fmto9jGJPjWmVpd6lkzQ5qXQJhlH907pNcQAAdbwPBDQgC4hh -1pBT4QoX5o2+r1WeHGsUMgS9O/xBlj9YbBbJcrfDu+3qEvy3d1kCAwEAAaOCASEw -ggEdMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBS36YJv20MwWXglmGtlmBf36m0nlTCBjgYD -VR0jBIGGMIGDgBS/8wWuR2v8jCLwIzvmWWIjJbB1baFopGYwZDELMAkGA1UEBhMC +gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 +AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E +418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw +ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD +VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwMgYI -KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjg4ODgv -MA0GCSqGSIb3DQEBBQUAA4GBACJ/+0y+2PyRGAfn05KAA3kOa/GyzkFqZdsD1e+R -dham6QOvCYk2Ymv2Hyr2a3REgWqYYn24AJccNUb7QNLOn8Gl22sJjqzS3ZDZsFSy -e6j8JPIUgZlsyPRKN//edH10t9viOkO3mTSAp4VEgDRVlCNLIsNqhIb8HpmoMDuH -Stw7 +MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI +KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv +b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt ++LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm +hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF +bC7VKgqN84joJkjj6A== -----END CERTIFICATE----- Certificate: Data: 
@@ -74,55 +74,55 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:bc:7d:4b:3f:d8:66:9b:c2:69:59:ab:26:bf:3d: - 7d:8f:fe:36:e2:4e:7a:26:e3:72:81:e5:7c:55:ca: - 35:a2:30:52:44:fb:bd:29:62:b9:40:eb:fa:19:49: - 4a:4c:cb:38:1e:d5:4b:09:83:46:9a:6a:6e:64:34: - c1:92:19:51:75:25:ea:37:47:f9:f8:4d:e1:3d:0a: - 16:40:e9:ea:6a:c3:9a:10:c3:93:db:97:fc:42:85: - ab:ca:30:43:45:50:33:9e:04:c6:f7:1c:de:fa:66: - 0d:f0:7d:36:50:c5:c7:37:07:17:4c:51:e1:fe:d0: - 51:ef:40:47:08:c5:12:c6:c9 + 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: + ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: + 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: + 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: + d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: + 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: + 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: + 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: + 8e:34:fe:93:e4:d2:fc:97:57 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - 45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 X509v3 Authority Key Identifier: - keyid:94:5E:37:4D:32:20:13:B0:FD:CD:CF:4A:2C:6A:22:05:D8:EE:EA:34 + keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption - 99:a6:16:ca:7d:be:3e:6e:c7:0f:b4:b9:8c:95:63:7e:54:79: - 60:23:b8:c2:fa:0c:f2:7b:b9:34:f0:2f:7f:e3:d7:85:9c:77: - 67:47:63:4a:db:a1:72:a0:9c:ea:c4:56:e5:51:fe:42:31:a9: - 75:2b:24:e9:b6:1c:d3:41:1f:97:a5:1b:6c:16:50:db:f1:dc: - 
61:6d:fc:9f:9f:54:54:de:fe:9f:98:e0:1c:4f:11:0d:ce:8d: - 32:7c:a4:6f:96:3f:db:75:f7:18:eb:b0:70:2d:d2:4d:eb:49: - 4c:3c:0f:bc:28:e7:bb:e6:6d:2f:e5:bd:00:68:69:bd:7d:f6: - d1:fb + a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: + e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: + a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: + 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: + 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: + c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: + 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: + 37:a2 -----BEGIN CERTIFICATE----- MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE0MjEwNjM2 -WhgPMjExNDA5MjAyMTA2MzZaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 +WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQC8fUs/2GabwmlZqya/PX2P/jbiTnom43KB5XxVyjWiMFJE+70pYrlA6/oZ -SUpMyzge1UsJg0aaam5kNMGSGVF1Jeo3R/n4TeE9ChZA6epqw5oQw5Pbl/xChavK -MENFUDOeBMb3HN76Zg3wfTZQxcc3BxdMUeH+0FHvQEcIxRLGyQIDAQABo1AwTjAd -BgNVHQ4EFgQURbjMdjaxUNVZ39edt1QriY7ISmQwHwYDVR0jBBgwFoAUlF43TTIg -E7D9zc9KLGoiBdju6jQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCZ -phbKfb4+bscPtLmMlWN+VHlgI7jC+gzye7k08C9/49eFnHdnR2NK26FyoJzqxFbl -Uf5CMal1KyTpthzTQR+XpRtsFlDb8dxhbfyfn1RU3v6fmOAcTxENzo0yfKRvlj/b -dfcY67BwLdJN60lMPA+8KOe75m0v5b0AaGm9ffbR+w== +iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb +fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C +Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd +BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk +6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm 
+Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m +fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 +7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== -----END CERTIFICATE----- Certificate: Data: 
@@ -131,53 +131,53 @@ Certificate: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 Validity - Not Before: Oct 14 21:06:36 2014 GMT - Not After : Sep 20 21:06:36 2114 GMT + Not Before: Oct 16 03:27:09 2014 GMT + Not After : Sep 22 03:27:09 2114 GMT Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: - 00:cb:87:d5:f0:e5:d7:b6:fe:21:5e:f1:8b:80:8b: - 56:88:86:ef:32:5d:91:75:df:d3:71:f9:36:3d:31: - fa:4c:98:52:eb:3b:cf:44:be:30:5c:99:95:d4:dc: - 91:7a:ae:35:88:d8:e9:32:00:55:a7:09:29:34:17: - e7:f2:bc:82:a7:0b:1c:dd:57:76:50:5d:85:74:47: - fe:d1:74:cf:2d:7e:89:44:9e:a8:ea:9e:4a:16:58: - c1:5d:40:6c:18:86:c9:b4:86:35:d7:d9:44:24:fa: - 92:47:53:cf:0e:55:8d:dd:57:ed:35:4c:36:9a:6e: - dc:42:bb:53:3b:a2:ed:3b:37 + 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: + a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: + dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: + d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: + ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: + f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: + 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: + e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: + 9a:c1:64:e0:9b:dd:67:e5:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - BF:F3:05:AE:47:6B:FC:8C:22:F0:23:3B:E6:59:62:23:25:B0:75:6D + B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 X509v3 Authority Key Identifier: - keyid:45:B8:CC:76:36:B1:50:D5:59:DF:D7:9D:B7:54:2B:89:8E:C8:4A:64 + keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption - 17:5f:d2:05:0e:2f:7f:6e:b6:aa:63:74:3b:42:ff:24:76:04: - 83:0f:ee:0a:d8:9c:eb:f0:47:30:bf:f5:65:f7:2f:81:2e:6b: - 14:17:36:51:c6:07:66:2b:81:45:4b:41:4c:7d:ea:57:f8:ff: - 5d:75:14:6e:e0:36:3c:7c:87:c5:d9:1c:3f:9e:53:d0:74:e3: - 
fc:9f:e3:ee:47:b4:ff:fb:03:ee:3d:c0:15:62:5f:b0:16:58: - 94:c3:63:a5:6a:d9:da:a7:60:c4:4b:de:c1:bf:fb:09:29:17: - 63:1b:9d:25:57:c6:4c:db:cf:85:86:c5:d1:be:7e:9d:a0:7b: - b7:15 + 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: + 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: + f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: + 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: + f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: + d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: + 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: + 99:b7 -----BEGIN CERTIFICATE----- MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTQy -MTA2MzZaGA8yMTE0MDkyMDIxMDYzNlowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw +MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBAMuH1fDl17b+IV7xi4CLVoiG7zJdkXXf03H5Nj0x+kyYUus7z0S+ -MFyZldTckXquNYjY6TIAVacJKTQX5/K8gqcLHN1XdlBdhXRH/tF0zy1+iUSeqOqe -ShZYwV1AbBiGybSGNdfZRCT6kkdTzw5Vjd1X7TVMNppu3EK7Uzui7Ts3AgMBAAGj -UDBOMB0GA1UdDgQWBBS/8wWuR2v8jCLwIzvmWWIjJbB1bTAfBgNVHSMEGDAWgBRF -uMx2NrFQ1Vnf1523VCuJjshKZDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBABdf0gUOL39utqpjdDtC/yR2BIMP7grYnOvwRzC/9WX3L4EuaxQXNlHGB2Yr -gUVLQUx96lf4/111FG7gNjx8h8XZHD+eU9B04/yf4+5HtP/7A+49wBViX7AWWJTD -Y6Vq2dqnYMRL3sG/+wkpF2MbnSVXxkzbz4WGxdG+fp2ge7cV +gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk +VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 +vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj +UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS +MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA 
+A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C +7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh +boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 -----END CERTIFICATE----- From da70dfe27c306dc60ba71bcd7b368d0b2594bd51 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Wed, 15 Oct 2014 22:21:04 -0700 Subject: [PATCH 10/56] style: minor fixes. --- src/ngx_http_lua_sslcertby.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index a25d1e4792..8300f6271b 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -715,8 +715,8 @@ ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( - const char *chain_data, size_t chain_len, unsigned char *out, size_t *out_size, - char **err) + const char *chain_data, size_t chain_len, unsigned char *out, + size_t *out_size, char **err) { int rc = NGX_OK; BIO *bio = NULL; From 7c09341ee970ea1db6d4b02b199d701b304aa2ba Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Thu, 16 Oct 2014 14:16:22 -0700 Subject: [PATCH 11/56] feature: tcpsock:sslhandshake(): added an optional 5th argument, "status_req", for sending the status request in the TLS status extension. --- src/ngx_http_lua_socket_tcp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 14cbc44009..afa996966e 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
@@ -1312,6 +1312,18 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) if (n >= 4) { u->ssl_verify = lua_toboolean(L, 4); + + if (n >= 5) { + if (lua_toboolean(L, 5)) { +#ifdef TLSEXT_STATUSTYPE_ocsp + SSL_set_tlsext_status_type(c->ssl->connection, + TLSEXT_STATUSTYPE_ocsp); +#else + return luaL_error(L, "lack of status request support" + " in OpenSSL"); +#endif + } + } } } } From 08300ab463c3a3c207b28f4cab5d20068236887e Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Thu, 16 Oct 2014 15:56:24 -0700 Subject: [PATCH 12/56] ngx.ssl: make use of the new FFI_BUSY constant in the latest lua-resty-core library. --- lua/ngx/ssl.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 1b7beee829..bb2c4277cf 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -14,7 +14,7 @@ local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK -local FFI_BUSY = -3 -- base.FFI_BUSY +local FFI_BUSY = base.FFI_BUSY ffi.cdef[[ From d66e6f10af347fcd146e8054b2d80f04f4fdca4c Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Thu, 16 Oct 2014 16:54:40 -0700 Subject: [PATCH 13/56] feature: ngx.ssl: added new Lua function set_ocsp_status_resp(). --- lua/ngx/ssl.lua | 28 ++++++ src/ngx_http_lua_sslcertby.c | 54 +++++++++++ t/130-ssl-cert-by.t | 173 ++++++++++++++++++++++++++++++++++- 3 files changed, 254 insertions(+), 1 deletion(-) diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index bb2c4277cf..faaf49db9c 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -15,6 +15,7 @@ local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK local FFI_BUSY = base.FFI_BUSY +local FFI_DECLINED = base.FFI_DECLINED ffi.cdef[[ 
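Review bot: The `n >= 5` branch only asks the peer for a staple via `SSL_set_tlsext_status_type`; nothing in this hunk installs a status callback or otherwise inspects the OCSP response the server returns, so a truthy fifth argument must not be read by callers as "stapled status was verified" — presumably a client-side accessor or callback is meant to follow. The new argument is also undocumented in the commit; a comment on the branch such as `/* 5th arg "status_req": send the TLS status_request (OCSP) extension; the staple is not validated here */` plus a README entry for sslhandshake would make that contract explicit. The enclosing function continues outside the hunk.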
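Review bot: The added `local FFI_DECLINED = base.FFI_DECLINED` duplicates the identical declaration two lines above in the same scope (visible as hunk context), so it only shadows the earlier local and luacheck will report it; drop the added line. If the intent was to make the constant available to the new set_ocsp_status_resp code in this commit, the existing local already covers that.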
@@ -49,6 +50,9 @@ int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, size_t resp_len, const char *chain_data, size_t chain_len, unsigned char *errbuf, size_t *errbuf_size); + +int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, + const unsigned char *resp, size_t resp_len, char **err); ]] @@ -255,4 +259,28 @@ function _M.validate_ocsp_response(resp, chain, max_errmsg_len) end +function _M.set_ocsp_status_resp(data) + local r = getfenv(0).__ngx_req + if not r then + return error("no request found") + end + + local rc = C.ngx_http_lua_ffi_ssl_set_ocsp_status_resp(r, data, #data, + errmsg) + + if rc == FFI_DECLINED then + -- no client status req + return true, "no status req" + end + + if rc == FFI_OK then + return true + end + + -- rc == FFI_ERROR + + return nil, ffi_str(errmsg[0]) +end + + return _M diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 8300f6271b..302d147b03 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c 
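Review bot: set_ocsp_status_resp applies `#data` without checking the argument's type, so a nil or table argument fails inside the FFI call rather than with the `nil, err` result the rest of the function returns; a guard `if type(data) ~= "string" then return nil, "string expected" end` before the C call fixes that. The function also hands the bytes to the server verbatim and nothing here validates them, so the LDoc block should say that callers are expected to run the response through validate_ocsp_response (declared in the same cdef) before stapling it, and that `true, "no status req"` means the client did not send a status request. The `-- rc == FFI_ERROR` comment is consistent with the C side in this commit, which returns NGX_ERROR, NGX_DECLINED or NGX_OK, but naming those three outcomes in the docstring would spare callers reading the C.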
@@ -1081,6 +1081,60 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, return NGX_ERROR; } + +static int +ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) +{ + return SSL_TLSEXT_ERR_OK; +} + + +int +ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, + const u_char *resp, size_t resp_len, char **err) +{ + u_char *p; + SSL_CTX *ctx; + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + if (ssl_conn->tlsext_status_type == -1) { + dd("no ocsp status req from client"); + return NGX_DECLINED; + } + + /* we have to register an empty status callback here otherwise + * OpenSSL won't send the response staple. */ + + ctx = SSL_get_SSL_CTX(ssl_conn); + SSL_CTX_set_tlsext_status_cb(ctx, + ngx_http_lua_ssl_empty_status_callback); + + p = OPENSSL_malloc(resp_len); + if (p == NULL) { + *err = "OPENSSL_malloc() failed"; + return NGX_ERROR; + } + + ngx_memcpy(p, resp, resp_len); + + dd("set ocsp resp: resp_len=%d", (int) resp_len); + (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); + ssl_conn->tlsext_status_expected = 1; + + return NGX_OK; +} + #endif /* NGX_LUA_NO_FFI_API */ diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index fcdb48eb91..8a9472972a 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 11); +plan tests => repeat_each() * (blocks() * 6 + 13); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
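Review bot: `SSL_CTX_set_tlsext_status_cb(ctx, ngx_http_lua_ssl_empty_status_callback)` runs on a per-connection path but mutates the SSL_CTX shared by every connection of that server block, so the first call permanently replaces whatever status callback was installed at configuration time — if nginx's own ssl_stapling callback is registered on this ctx it is silently overridden for all later handshakes, not just the one calling this function. Installing the callback once at configuration time when ssl_certificate_by_lua is enabled, or documenting the exclusivity with ssl_stapling, avoids the cross-connection side effect. The direct reads and writes of `ssl_conn->tlsext_status_type` and `ssl_conn->tlsext_status_expected` depend on OpenSSL's private struct layout and deserve a comment naming the OpenSSL versions they were verified against, since the `tlsext_status_type == -1` check is what decides whether the staple is set at all.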
@@ -2915,3 +2915,174 @@ OCSP response validation ok [alert] [emerg] + + +=== TEST 29: good status req from client +FIXME: check the OCSP staple actually received by the ssl client +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) + local resp = assert(f:read("*a")) + f:close() + + print("resp len: ", #resp) + + local ok, err = ssl.set_ocsp_status_resp(resp) + if not ok then + ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) + return + end + ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true, true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +ocsp status resp set ok: nil, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 30: no status req from client +--- http_config + lua_package_path 
"t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) + local resp = assert(f:read("*a")) + f:close() + + print("resp len: ", #resp) + + local ok, err = ssl.set_ocsp_status_resp(resp) + if not ok then + ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) + return + end + ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +ocsp status resp set ok: no status req, + +--- no_error_log +[error] +[alert] +[emerg] + From 4eec3425a36493825c430b941eb946bebe991a40 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Fri, 17 Oct 2014 15:35:12 -0700 Subject: [PATCH 14/56] bugfix: ssl_certificate_by_lua: memory issues might happen in ngx_http_run_posted_requests. we now avoid running the openssl handshake dispatcher directly in our fake connection's pool cleanup handler by means of posting an event. --- src/ngx_http_lua_socket_tcp.c | 2 ++ src/ngx_http_lua_sslcertby.c | 2 +- src/ngx_http_lua_util.c | 8 ++++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index afa996966e..7b55837725 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c @@ -2669,6 +2669,8 @@ ngx_http_lua_socket_tcp_handler(ngx_event_t *ev) r = u->request; c = r->connection; + dd("lua tcp socket handler: request: %p", r); + ctx = c->log->data; ctx->current_request = r; diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 302d147b03..c6d21a0dd0 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -275,7 +275,7 @@ ngx_http_lua_ssl_cert_done(void *data) cctx->done = 1; c->log->action = "SSL handshaking"; - c->write->handler(c->write);; + ngx_post_event(c->write, &ngx_posted_events); } diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index c56d04c45a..9116d2aa64 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -3606,8 +3606,8 @@ ngx_http_lua_close_fake_connection(ngx_connection_t *c) ngx_pool_t *pool; ngx_connection_t *saved_c = NULL; - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http lua close fake http connection"); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, + "http lua close fake http connection %p", c); c->destroyed = 1; @@ -3805,6 +3805,8 @@ ngx_http_lua_create_fake_connection(void) c->error = 1; + dd("created fake connection: %p", c); + return c; failed: 
@@ -3899,6 +3901,8 @@ ngx_http_lua_create_fake_request(ngx_connection_t *c) r->http_state = NGX_HTTP_PROCESS_REQUEST_STATE; r->discard_body = 1; + dd("created fake request %p", r); + return r; failed: From 8c3c48b09467d76d3a76a1f07c7cc209ea096987 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 17 Oct 2014 21:18:14 -0700 Subject: [PATCH 15/56] feature: ngx.ssl: added new Lua functions get_tls1_version() and get_tls1_version_str(). --- lua/ngx/ssl.lua | 47 +++++ src/ngx_http_lua_sslcertby.c | 22 +++ t/130-ssl-cert-by.t | 320 +++++++++++++++++++++++++++++++++++ 3 files changed, 389 insertions(+) diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index faaf49db9c..9f90998166 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -53,6 +53,8 @@ int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, const unsigned char *resp, size_t resp_len, char **err); + +int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err); ]] @@ -283,4 +285,49 @@ function _M.set_ocsp_status_resp(data) end +local function get_tls1_version() + + local r = getfenv(0).__ngx_req + if not r then + return error("no request found") + end + + local ver = C.ngx_http_lua_ffi_ssl_get_tls1_version(r, errmsg) + + ver = tonumber(ver) + + if ver >= 0 then + return ver + end + + -- rc == FFI_ERROR + + return nil, ffi_str(errmsg[0]) +end +_M.get_tls1_version = get_tls1_version + + +do + _M.SSL3_VERSION = 0x0300 + _M.TLS1_VERSION = 0x0301 + _M.TLS1_1_VERSION = 0x0302 + _M.TLS1_2_VERSION = 0x0303 + + local map = { + [_M.SSL3_VERSION] = "SSLv3", + [_M.TLS1_VERSION] = "TLSv1", + [_M.TLS1_1_VERSION] = "TLSv1.1", + [_M.TLS1_2_VERSION] = "TLSv1.2", + } + + function _M.get_tls1_version_str() + local ver, err = get_tls1_version() + if not ver then + return nil, err + end + return map[ver] + end +end + + return _M 
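Review bot: get_tls1_version_str returns a bare nil for any version not in `map` (and for a 0 result, should the C side ever produce one), which callers cannot tell apart from the `nil, err` failure return; `local s = map[ver] if not s then return nil, "unknown version " .. tostring(ver) end return s` keeps the error contract uniform. The version constants are hard-coded copies of OpenSSL's SSL3_VERSION/TLS1_*_VERSION values, which is fine but worth a one-line comment saying so, and get_tls1_version's `-- rc == FFI_ERROR` comment should state that NGX_ERROR with errmsg set is the only negative result the C function returns.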
diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index c6d21a0dd0..d4c9124f0a 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -381,6 +381,28 @@ ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) #ifndef NGX_LUA_NO_FFI_API +int +ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + dd("tls1 ver: %d", (int) TLS1_get_version(ssl_conn)); + + return (int) TLS1_get_version(ssl_conn); +} + + int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) { diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 8a9472972a..7acd36f288 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t 
@@ -3086,3 +3086,323 @@ ocsp status resp set ok: no status req, [alert] [emerg] + + +=== TEST 31: tls version - SSLv3 +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local ver, err = ssl.get_tls1_version_str(resp) + if not ver then + ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + return + end + ngx.log(ngx.WARN, "got TLS1 version: ", ver) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + ssl_protocols SSLv3; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + lua_ssl_protocols SSLv3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +got TLS1 version: SSLv3, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 32: tls version - TLSv1 +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local ver, err = ssl.get_tls1_version_str(resp) + if not ver then + 
ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + return + end + ngx.log(ngx.WARN, "got TLS1 version: ", ver) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + ssl_protocols TLSv1; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + lua_ssl_protocols TLSv1; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +got TLS1 version: TLSv1, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 33: tls version - TLSv1.1 +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local ver, err = ssl.get_tls1_version_str(resp) + if not ver then + ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + return + end + ngx.log(ngx.WARN, "got TLS1 version: ", ver) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + ssl_protocols TLSv1.1; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- 
config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + lua_ssl_protocols TLSv1.1; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +got TLS1 version: TLSv1.1, + +--- no_error_log +[error] +[alert] +[emerg] + + + +=== TEST 34: tls version - TLSv1.2 +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + local ssl = require "ngx.ssl" + + local ver, err = ssl.get_tls1_version_str(resp) + if not ver then + ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + return + end + ngx.log(ngx.WARN, "got TLS1 version: ", ver) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + ssl_protocols TLSv1.2; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + lua_ssl_protocols TLSv1.2; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + 
ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +got TLS1 version: TLSv1.2, + +--- no_error_log +[error] +[alert] +[emerg] + From f2784847597d9602abbb458bb5c44e69a6a749d6 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 17 Oct 2014 21:20:59 -0700 Subject: [PATCH 16/56] ssl_certificate_by_lua: removed unused code. --- src/ngx_http_lua_sslcertby.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index d4c9124f0a..0f36095df3 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -28,7 +28,6 @@ static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, typedef struct { - ngx_event_t sleep; unsigned done; /* :1 */ } ngx_http_lua_ssl_cert_ctx_t; @@ -228,14 +227,6 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) cln->handler = ngx_http_lua_ssl_cert_done; cln->data = ssl_conn; -#if 0 - cctx->sleep.handler = ngx_http_lua_ssl_cert_done; - cctx->sleep.data = ssl_conn; - cctx->sleep.log = c->log; - - ngx_add_timer(&cctx->sleep, 1000); -#endif - c->log->action = "loading SSL certificate by lua"; return -1; From 01ba35bd6afc525a7c4b103fa1801c777b34b4de Mon Sep 17 00:00:00 2001 
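Review bot: TEST 31 configures both sides with `ssl_protocols SSLv3` / `lua_ssl_protocols SSLv3`, which needs an OpenSSL build that still enables SSLv3; builds that disable it fail the handshake and the test, and the case exercises a protocol a server should not offer, so it is better skipped when SSLv3 is unavailable than asserted unconditionally. In all four tests `ssl.get_tls1_version_str(resp)` passes an undefined global `resp` to a function that takes no arguments; `local ver, err = ssl.get_tls1_version_str()` is what is meant.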
From: "Yichun Zhang (agentzh)" Date: Fri, 17 Oct 2014 22:26:02 -0700 Subject: [PATCH 17/56] ssl_certificate_by_lua*: enabled the ngx.exit() API function in this context. also ensure Lua runtime errors are properly propagated. --- src/ngx_http_lua_control.c | 49 +++- src/ngx_http_lua_sslcertby.c | 49 ++-- src/ngx_http_lua_sslcertby.h | 15 +- src/ngx_http_lua_util.c | 27 +++ t/130-ssl-cert-by.t | 457 ++++++++++++++++++++++++++++++++++- 5 files changed, 568 insertions(+), 29 deletions(-) diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c index f164b0b129..b7b14c0463 100644 --- a/src/ngx_http_lua_control.c +++ b/src/ngx_http_lua_control.c @@ -10,6 +10,7 @@ #endif #include "ddebug.h" + #include "ngx_http_lua_control.h" #include "ngx_http_lua_util.h" #include "ngx_http_lua_coroutine.h" @@ -280,9 +281,9 @@ ngx_http_lua_ngx_redirect(lua_State *L) static int ngx_http_lua_ngx_exit(lua_State *L) { + ngx_int_t rc; ngx_http_request_t *r; ngx_http_lua_ctx_t *ctx; - ngx_int_t rc; if (lua_gettop(L) != 1) { return luaL_error(L, "expecting one argument"); @@ -302,10 +303,30 @@ ngx_http_lua_ngx_exit(lua_State *L) | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT | NGX_HTTP_LUA_CONTEXT_TIMER - | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER); + | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); rc = (ngx_int_t) luaL_checkinteger(L, 1); + if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) { + +#if (NGX_HTTP_SSL) + + ctx->exit_code = rc; + ctx->exited = 1; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "lua exit with code %i", rc); + + return lua_yield(L, 0); + +#else + + return luaL_error(L, "no SSL support"); + +#endif + } + if (ctx->no_abort && rc != NGX_ERROR && rc != NGX_HTTP_CLOSE 
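Review bot: In the new `NGX_HTTP_LUA_CONTEXT_SSL_CERT` branch the raw argument of ngx.exit is stored as `ctx->exit_code`, and the sslcertby.c hunks of this same commit return `cctx->exit_code` straight to OpenSSL as the certificate callback's result, whose contract is 1 = continue, 0 = fail the handshake, -1 = pause. Unless something outside these hunks (ngx_http_lua_ssl_cert_by_chunk, perhaps) maps the value first, `ngx.exit(ngx.HTTP_FORBIDDEN)` becomes a positive return that lets the handshake proceed and `ngx.exit(ngx.ERROR)` becomes -1, which OpenSSL reads as "not ready yet" rather than as a rejection. Normalising at the point of capture, e.g. `ctx->exit_code = (rc == NGX_OK) ? 1 : 0;`, makes any non-OK exit fail closed; the same applies to the ngx_http_lua_ffi_exit hunk that follows and to the `return cctx->exit_code` sites in ngx_http_lua_ssl_cert_handler.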
@@ -421,13 +442,33 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err, | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT | NGX_HTTP_LUA_CONTEXT_TIMER - | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER, + | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT, err, errlen) != NGX_OK) { return NGX_ERROR; } + if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) { + +#if (NGX_HTTP_SSL) + + ctx->exit_code = status; + ctx->exited = 1; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "lua exit with code %d", status); + + return NGX_OK; + +#else + + return NGX_ERROR; + +#endif + } + if (ctx->no_abort && status != NGX_ERROR && status != NGX_HTTP_CLOSE @@ -448,7 +489,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err, { if (status != (ngx_int_t) r->headers_out.status) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "attempt to " - "set status %i via ngx.exit after sending out the " + "set status %d via ngx.exit after sending out the " "response status %ui", status, r->headers_out.status); } diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 0f36095df3..07c11a26e5 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -18,6 +18,7 @@ #include "ngx_http_lua_util.h" #include "ngx_http_ssl_module.h" #include "ngx_http_lua_contentby.h" +#include "ngx_http_lua_sslcertby.h" static void ngx_http_lua_ssl_cert_done(void *data); @@ -27,11 +28,6 @@ static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r); -typedef struct { - unsigned done; /* :1 */ -} ngx_http_lua_ssl_cert_ctx_t; - - ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L) @@ -154,6 +150,8 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) c = ngx_ssl_get_connection(ssl_conn); + dd("c = %p", c); + cctx = c->ssl->lua_ctx; dd("ssl cert handler, cert-ctx=%p", cctx); 
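Review bot: The `#else` branch of the new SSL_CERT block returns NGX_ERROR without writing anything to `err`/`errlen`, unlike the context check a few lines above, so an FFI caller on a build without SSL would report an empty or stale error string. Fill the buffer before returning, e.g. `*errlen = ngx_snprintf(err, *errlen, "no SSL support") - err;` (assuming errlen is the size_t pointer the context check receives); the C-API twin in ngx_http_lua_ngx_exit raises exactly that message, so the two paths would then agree. ngx_http_lua_ffi_exit continues outside the hunk.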
@@ -162,8 +160,12 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) /* not the first time */ if (cctx->done) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, + "lua_certificate_by_lua: cert cb exit code: %d", + cctx->exit_code); + dd("lua ssl cert done, finally"); - return 1; + return cctx->exit_code; } return -1; @@ -195,29 +197,38 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) fc->log->log_level = c->log->log_level; fc->ssl = c->ssl; + cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_cert_ctx_t)); + if (cctx == NULL) { + goto failed; /* error */ + } + + cctx->exit_code = 1; /* successful by default */ + + dd("setting cctx"); + + c->ssl->lua_ctx = cctx; + lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module); /* TODO honor lua_code_cache off */ L = ngx_http_lua_get_lua_vm(r, NULL); + c->log->action = "loading SSL certificate by lua"; + rc = lscf->ssl_cert_handler(r, lscf, L); - if (rc == NGX_OK) { - return 1; /* continue ssl handshaking */ - } + if (rc >= NGX_OK || rc == NGX_ERROR) { + cctx->done = 1; - if (rc == NGX_ERROR || rc > NGX_OK) { - return 0; /* error */ - } + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, + "lua_certificate_by_lua: handler return value: %i, " + "cert cb exit code: %d", rc, cctx->exit_code); - /* rc == NGX_DONE */ - - cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_cert_ctx_t)); - if (cctx == NULL) { - goto failed; /* error */ + c->log->action = "SSL handshaking"; + return cctx->exit_code; } - c->ssl->lua_ctx = cctx; + /* rc == NGX_DONE */ cln = ngx_pool_cleanup_add(fc->pool, 0); if (cln == NULL) { @@ -227,8 +238,6 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) cln->handler = ngx_http_lua_ssl_cert_done; cln->data = ssl_conn; - c->log->action = "loading SSL certificate by lua"; - return -1; #if 1 diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_sslcertby.h index 3135bfb0ef..aa2d39ec70 100644 --- a/src/ngx_http_lua_sslcertby.h 
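Review bot: In the `rc >= NGX_OK || rc == NGX_ERROR` branch the callback returns `cctx->exit_code`, which was initialised to 1 ("successful by default") a few lines earlier; an NGX_ERROR or HTTP-error rc only becomes 0 if the failure travelled through ngx_http_lua_finalize_fake_request, which this same patch teaches to reset exit_code. Any error return from `lscf->ssl_cert_handler` that does not pass that function would let the handshake proceed as though the Lua handler had succeeded, so failing closed here is cheaper than auditing every path: `if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) { cctx->exit_code = 0; }` before the debug log, mirroring the condition finalize uses. I cannot see the handler's early-error paths from this hunk, so treat this as a belt-and-braces check rather than a confirmed bug. ngx_http_lua_ssl_cert_handler begins and ends outside the hunk.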
+++ b/src/ngx_http_lua_sslcertby.h @@ -11,11 +11,18 @@ #include "ngx_http_lua_common.h" -ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_log_t *log, - ngx_http_lua_main_conf_t *lmcf, lua_State *L); +typedef struct { + int exit_code; /* exit code for openssl's + set_cert_cb callback */ + unsigned done; /* :1 */ +} ngx_http_lua_ssl_cert_ctx_t; -ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_log_t *log, - ngx_http_lua_main_conf_t *lmcf, lua_State *L); + +ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L); + +ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, + ngx_http_lua_srv_conf_t *lscf, lua_State *L); char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index 9116d2aa64..b1cbf0a519 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -49,6 +49,7 @@ #include "ngx_http_lua_config.h" #include "ngx_http_lua_worker.h" #include "ngx_http_lua_socket_tcp.h" +#include "ngx_http_lua_sslcertby.h" #if 1 @@ -2184,6 +2185,10 @@ ngx_http_lua_handle_exit(lua_State *L, ngx_http_request_t *r, "lua thread aborting request with status %d", ctx->exit_code); + if (r->connection->fd == -1) { /* fake request */ + return ctx->exit_code; + } + #if 1 if (!r->header_sent && r->headers_out.status == 0 @@ -3507,6 +3512,11 @@ void ngx_http_lua_finalize_fake_request(ngx_http_request_t *r, ngx_int_t rc) { ngx_connection_t *c; +#if (NGX_HTTP_SSL) + ngx_ssl_conn_t *ssl_conn; + + ngx_http_lua_ssl_cert_ctx_t *cctx; +#endif c = r->connection; 
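Review bot: The early return `if (r->connection->fd == -1) { /* fake request */ return ctx->exit_code; }` keys on the fake-request marker rather than on the phase, so if any other context also runs on a fake connection with fd == -1 (timer handlers are the obvious candidate), its ngx.exit() now skips the header/status handling that follows. If only the certificate callback is intended, testing `ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT` (under `#if (NGX_HTTP_SSL)`) says so directly; if the bypass is meant for every fake request, the comment should state that instead of just naming the case. ngx_http_lua_handle_exit begins and ends outside the hunk.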
@@ -3520,6 +3530,23 @@ ngx_http_lua_finalize_fake_request(ngx_http_request_t *r, ngx_int_t rc) } if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) { + +#if (NGX_HTTP_SSL) + + if (r->connection->ssl) { + ssl_conn = r->connection->ssl->connection; + if (ssl_conn) { + c = ngx_ssl_get_connection(ssl_conn); + + if (c && c->ssl && c->ssl->lua_ctx) { + cctx = c->ssl->lua_ctx; + cctx->exit_code = 0; + } + } + } + +#endif + ngx_http_lua_close_fake_request(r); return; } diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 7acd36f288..63f7b2e15c 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 13); +plan tests => repeat_each() * (blocks() * 6 + 23); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
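Review bot: Inside the new `#if (NGX_HTTP_SSL)` block the local `c`, which the function set to `r->connection` at the top, is reassigned to the real connection returned by `ngx_ssl_get_connection`; that is harmless only because the block returns right after, and a dedicated local such as `ngx_connection_t *ssl_c = ngx_ssl_get_connection(ssl_conn);` would keep the fake and real connections distinct for the next reader. The line `cctx->exit_code = 0;` also needs a why-comment, e.g. `/* a failed fake request must make the cert callback reject the handshake */`, since it is the only place an error in the Lua handler is turned into a handshake failure. The start of ngx_http_lua_finalize_fake_request is outside the hunk.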
@@ -3406,3 +3406,458 @@ got TLS1 version: TLSv1.2, [alert] [emerg] + + +=== TEST 35: ngx.exit(0) - no yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.exit(0) + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +lua exit with code 0 + +--- no_error_log +should never reached here +[error] +[alert] +[emerg] + + + +=== TEST 36: ngx.exit(ngx.ERROR) - no yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.exit(ngx.ERROR) + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") 
ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log eval +[ +'lua_certificate_by_lua: handler return value: -1, cert cb exit code: 0', +qr/\[crit\] .*? SSL_do_handshake\(\) failed .*?cert cb error/, +'lua exit with code -1', +] + +--- no_error_log +should never reached here +[alert] +[emerg] + + + +=== TEST 37: ngx.exit(0) - yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.sleep(0.001) + ngx.exit(0) + + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 
8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: boolean + +--- error_log +lua exit with code 0 + +--- no_error_log +should never reached here +[error] +[alert] +[emerg] + + + +=== TEST 38: ngx.exit(ngx.ERROR) - yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.sleep(0.001) + ngx.exit(ngx.ERROR) + + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log eval +[ +'lua_certificate_by_lua: cert cb exit code: 0', +qr/\[crit\] .*? 
SSL_do_handshake\(\) failed .*?cert cb error/, +'lua exit with code -1', +] + +--- no_error_log +should never reached here +[alert] +[emerg] + + + +=== TEST 39: lua exception - no yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + error("bad bad bad") + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log eval +[ +'runtime error: ssl_certificate_by_lua:2: bad bad bad', +'lua_certificate_by_lua: handler return value: 500, cert cb exit code: 0', +qr/\[crit\] .*? 
SSL_do_handshake\(\) failed .*?cert cb error/, +] + +--- no_error_log +should never reached here +[alert] +[emerg] + + + +=== TEST 40: lua exception - yield +--- http_config + lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen 127.0.0.2:8080 ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.sleep(0.001) + error("bad bad bad") + ngx.log(ngx.ERR, "should never reached here...") + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + lua_ssl_verify_depth 3; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.2", 8080) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, nil, true, false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log eval +[ +'runtime error: ssl_certificate_by_lua:3: bad bad bad', +'lua_certificate_by_lua: cert cb exit code: 0', +qr/\[crit\] .*? SSL_do_handshake\(\) failed .*?cert cb error/, +] + +--- no_error_log +should never reached here +[alert] +[emerg] + From 1a0c6323a0249ddb64e2853b8dfab8f381244d78 Mon Sep 17 00:00:00 2001 
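Review bot: TEST 35–40 pin ngx.exit(0) and ngx.exit(ngx.ERROR) in both the yielding and non-yielding paths, but no case exercises an HTTP-style status such as `ngx.exit(ngx.HTTP_FORBIDDEN)`, which is the value a handler author is most likely to reach for; one block asserting whether the handshake then completes or fails would pin that behaviour. These six blocks also bind a fixed `listen 127.0.0.2:8080 ssl` whereas the tests added later in this file use `unix:$TEST_NGINX_HTML_DIR/nginx.sock`, so they are the ones that break if the port is taken on the test host; switching them to the socket would make the file self-contained. What ngx.exit accepts in this phase is decided in ngx_http_lua_ngx_exit, outside this file.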
From: "Yichun Zhang (agentzh)" Date: Tue, 28 Oct 2014 21:41:18 -0700 Subject: [PATCH 18/56] bugfix: ngx.get_phase() did not work in the context of ssl_certificate_by_lua*. --- src/ngx_http_lua_phase.c | 4 +++ t/130-ssl-cert-by.t | 69 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/src/ngx_http_lua_phase.c b/src/ngx_http_lua_phase.c index 880ee7612c..194e6be3dd 100644 --- a/src/ngx_http_lua_phase.c +++ b/src/ngx_http_lua_phase.c @@ -72,6 +72,10 @@ ngx_http_lua_ngx_get_phase(lua_State *L) lua_pushliteral(L, "timer"); break; + case NGX_HTTP_LUA_CONTEXT_SSL_CERT: + lua_pushliteral(L, "ssl_cert"); + break; + default: return luaL_error(L, "unknown phase: %d", (int) ctx->context); } diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 63f7b2e15c..6b9210de12 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t 
@@ -3861,3 +3861,72 @@ should never reached here [alert] [emerg] + + +=== TEST 41: get phase +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua 'print("get_phase: ", ngx.get_phase())'; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end + collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata + +--- error_log +lua ssl server name: "test.com" +get_phase: ssl_cert + +--- no_error_log +[error] +[alert] + From a05bca3ce67d18a9934401d3d1c03a8e84848d20 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Tue, 4 Nov 2014 14:49:16 -0800 Subject: [PATCH 19/56] ssl: we did not clear OpenSSL's error stack when OCSP response validation fails. thanks Piotr Sikora for the report. --- src/ngx_http_lua_sslcertby.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 07c11a26e5..343804b499 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c 
@@ -1100,6 +1100,8 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, BIO_free(bio); } + ERR_clear_error(); + return NGX_ERROR; } From d29e1af9b7584163a2538253f6a17d63019b9308 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 14 Nov 2014 22:38:22 -0800 Subject: [PATCH 20/56] removed --- ONLY from 014-bugs.t. --- t/014-bugs.t | 1 - 1 file changed, 1 deletion(-) diff --git a/t/014-bugs.t b/t/014-bugs.t index 28cb199b63..e5fa86fbb2 100644 --- a/t/014-bugs.t +++ b/t/014-bugs.t @@ -789,7 +789,6 @@ qr/send\(\) failed \(\d+: Connection refused\) while resolving/ === TEST 35: github issue #218: ngx.location.capture hangs when querying a remote host that does not exist or is really slow to respond ---- ONLY --- config set $myurl "https://not-exist.agentzh.org"; location /toto { From da1803f50e0712bd2ac02b8df7f84d3ea6db9fc0 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 14 Nov 2014 22:39:53 -0800 Subject: [PATCH 21/56] bugfix: we did not abort our set cert cb as soon as the main ssl connection is closed prematurely. --- src/ngx_http_lua_sslcertby.c | 48 +++++++++++++++++++++---- src/ngx_http_lua_sslcertby.h | 5 ++- t/130-ssl-cert-by.t | 70 +++++++++++++++++++++++++++++++++++- 3 files changed, 114 insertions(+), 9 deletions(-) diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 343804b499..4a5d8828a4 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -22,6 +22,7 @@ static void ngx_http_lua_ssl_cert_done(void *data); +static void ngx_http_lua_ssl_cert_aborted(void *data); static u_char * ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len); static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, @@ -203,6 +204,8 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) } cctx->exit_code = 1; /* successful by default */ + cctx->connection = c; + cctx->request = r; dd("setting cctx"); 
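Review bot: `ERR_clear_error()` is now called on this failure path, but the OpenSSL reason is discarded before the caller can see it; if this function has an error-buffer parameter like the other ffi helpers, capturing the top entry with `ERR_error_string_n(ERR_peek_error(), ...)` into it before the clear keeps the error stack clean without losing the diagnostic. The rest of ngx_http_lua_ffi_ssl_validate_ocsp_response, including whether its success path can also leave entries on the stack, is outside the hunk.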
@@ -236,7 +239,15 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) } cln->handler = ngx_http_lua_ssl_cert_done; - cln->data = ssl_conn; + cln->data = cctx; + + cln = ngx_pool_cleanup_add(c->pool, 0); + if (cln == NULL) { + goto failed; + } + + cln->handler = ngx_http_lua_ssl_cert_aborted; + cln->data = cctx; return -1; @@ -259,26 +270,49 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) static void ngx_http_lua_ssl_cert_done(void *data) { - ngx_ssl_conn_t *ssl_conn = data; ngx_connection_t *c; - ngx_http_lua_ssl_cert_ctx_t *cctx; + ngx_http_lua_ssl_cert_ctx_t *cctx = data; dd("lua ssl cert done"); - c = ngx_ssl_get_connection(ssl_conn); - - cctx = c->ssl->lua_ctx; - if (cctx == NULL) { + if (cctx->aborted) { return; } + ngx_http_lua_assert(cctx->done == 0); + cctx->done = 1; + c = cctx->connection; + c->log->action = "SSL handshaking"; + ngx_post_event(c->write, &ngx_posted_events); } +static void +ngx_http_lua_ssl_cert_aborted(void *data) +{ + ngx_http_lua_ssl_cert_ctx_t *cctx = data; + + dd("lua ssl cert done"); + + if (cctx->done) { + /* completed successfully already */ + return; + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, cctx->connection->log, 0, + "lua_certificate_by_lua: cert cb aborted"); + + cctx->aborted = 1; + cctx->request->connection->ssl = NULL; + + ngx_http_lua_finalize_fake_request(cctx->request, NGX_ERROR); +} + + static u_char * ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len) { diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_sslcertby.h index aa2d39ec70..2d29325dd3 100644 --- a/src/ngx_http_lua_sslcertby.h +++ b/src/ngx_http_lua_sslcertby.h @@ -12,9 +12,12 @@ typedef struct { + ngx_connection_t *connection; /* original true connection */ + ngx_http_request_t *request; /* fake request */ int exit_code; /* exit code for openssl's set_cert_cb callback */ - unsigned done; /* :1 */ + unsigned done; /* :1 */ + unsigned aborted; /* :1 */ } ngx_http_lua_ssl_cert_ctx_t; 
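Review bot: If the second `ngx_pool_cleanup_add(c->pool, 0)` fails, control reaches `failed` with ngx_http_lua_ssl_cert_done already registered on fc->pool and `cctx` already stored in `c->ssl->lua_ctx`, so destroying the fake connection there would run the done cleanup and post a write event for a handshake the callback is about to reject. Registering the c->pool cleanup before the fc->pool one, or setting `cctx->aborted = 1;` before `goto failed;`, keeps the partially-registered state from being observable. The failed label is outside the hunk, so this is inferred from the registration order alone.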
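Review bot: `ngx_http_lua_ssl_cert_aborted` logs `dd("lua ssl cert done")`, copied from its sibling; it should read `dd("lua ssl cert aborted");` so the two paths can be told apart in debug builds. The assignment `cctx->request->connection->ssl = NULL;` deserves a why-comment because it changes what the following finalize sees, e.g. `/* detach the fake request from the dying SSL connection so finalizing it does not touch c->ssl */`. A matching note that `cctx->aborted = 1` is set before finalizing precisely so the fc->pool cleanup (ngx_http_lua_ssl_cert_done) becomes a no-op would complete the picture alongside the existing `ngx_http_lua_assert(cctx->done == 0)`.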
diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 6b9210de12..b2ee3e9405 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 23); +plan tests => repeat_each() * (blocks() * 6 + 22); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); @@ -3930,3 +3930,71 @@ get_phase: ssl_cert [error] [alert] + + +=== TEST 42: connection aborted prematurely +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + ngx.sleep(0.4) + local ssl = require "ngx.ssl" + ssl.clear_certs() + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(300) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(false, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t + +--- response_body +connected: 1 +failed to do SSL handshake: timeout + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] + From c3b90b32d53ee728e6906706b2dc6487fed2d321 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Wed, 26 Nov 2014 15:56:57 -0800 Subject: [PATCH 22/56] bugfix: fixed a merge issue. --- src/ngx_http_lua_sslcertby.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c
index 4a5d8828a4..b3ce9f33c9 100644
--- a/src/ngx_http_lua_sslcertby.c
+++ b/src/ngx_http_lua_sslcertby.c
@@ -178,7 +178,7 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 hc = c->data;
- fc = ngx_http_lua_create_fake_connection();
+ fc = ngx_http_lua_create_fake_connection(NULL);
 if (fc == NULL) {
 goto failed;
 }
From c1ef760cafd4cbf2eb0d07b2bad2f3cb3d014d34 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Wed, 26 Nov 2014 16:19:47 -0800
Subject: [PATCH 23/56] feature: ssl_certificate_by_lua*: now error messages contain the ", client: xxx, server: xxx" context info. thanks Piotr Sikora for the suggestion.
---
 src/ngx_http_lua_sslcertby.c | 25 ++++++++++++++++++++++++-
 t/130-ssl-cert-by.t | 3 ++-
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c
index b3ce9f33c9..8e824f2676 100644
--- a/src/ngx_http_lua_sslcertby.c
+++ b/src/ngx_http_lua_sslcertby.c
@@ -184,6 +184,10 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 }
 fc->log->handler = ngx_http_lua_log_ssl_cert_error;
+ fc->log->data = fc;
+
+ fc->addr_text = c->addr_text;
+ fc->listening = c->listening;
 r = ngx_http_lua_create_fake_request(fc);
 if (r == NULL) {
@@ -317,6 +321,7 @@ static u_char *
 ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len)
 {
 u_char *p;
+ ngx_connection_t *c;
 if (log->action) {
 p = ngx_snprintf(buf, len, " while %s", log->action);
@@ -324,7 +329,25 @@ ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len)
 buf = p;
 }
- return ngx_snprintf(buf, len, ", context: ssl_certificate_by_lua*");
+ p = ngx_snprintf(buf, len, ", context: ssl_certificate_by_lua*");
+ len -= p - buf;
+ buf = p;
+
+ c = log->data;
+
+ if (c->addr_text.len) {
+ p = ngx_snprintf(buf, len, ", client: %V", &c->addr_text);
+ len -= p - buf;
+ buf = p;
+ }
+
+ if (c && c->listening && c->listening->addr_text.len) {
+ p = ngx_snprintf(buf, len, ", server: %V", &c->listening->addr_text);
+ /* len -= p - buf; */
+ buf = p;
+ }
+
+ return buf;
 }
diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t
index b2ee3e9405..5c96cbe51f 100644
--- a/t/130-ssl-cert-by.t
+++ b/t/130-ssl-cert-by.t
@@ -5,7 +5,7 @@ use Test::Nginx::Socket::Lua;
 repeat_each(3);
-plan tests => repeat_each() * (blocks() * 6 + 22);
+plan tests => repeat_each() * (blocks() * 6 + 23);
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
@@ -3777,6 +3777,7 @@ failed to do SSL handshake: handshake failed
 'runtime error: ssl_certificate_by_lua:2: bad bad bad',
 'lua_certificate_by_lua: handler return value: 500, cert cb exit code: 0',
 qr/\[crit\] .*? SSL_do_handshake\(\) failed .*?cert cb error/,
+qr/context: ssl_certificate_by_lua\*, client: \d+\.\d+\.\d+\.\d+, server: 0\.0\.0\.0:\d+/,
 ]
 --- no_error_log
From 3dccaced769ee30fe6826fb23266e1da998ce0ed Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Tue, 10 Feb 2015 14:33:05 -0800
Subject: [PATCH 24/56] bugfix: we did not print proper context name for ssl_certificate_by_lua*. thanks Zi Lin for the reminder.
---
 src/ngx_http_lua_util.h | 1 +
 t/130-ssl-cert-by.t | 64 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)
diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
index f29a87f6e1..c83bdbefa2 100644
--- a/src/ngx_http_lua_util.h
+++ b/src/ngx_http_lua_util.h
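Review bot: `c = log->data;` is dereferenced by `if (c->addr_text.len)` and only afterwards null-checked in `if (c && c->listening && ...)`; either the first test needs the same guard, `if (c && c->addr_text.len) {`, or the second check is dead code. Because this handler runs while an error message is being formatted, a NULL `log->data` would crash inside error logging itself, so guarding the first use is the safer of the two fixes. The commented-out `/* len -= p - buf; */` on the final append reads as leftover; a short `/* last write, len no longer needed */` would show it is deliberate.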
@@ -83,6 +83,7 @@ extern char ngx_http_lua_headers_metatable_key; : (c) == NGX_HTTP_LUA_CONTEXT_HEADER_FILTER ? "header_filter_by_lua*" \ : (c) == NGX_HTTP_LUA_CONTEXT_TIMER ? "ngx.timer" \ : (c) == NGX_HTTP_LUA_CONTEXT_INIT_WORKER ? "init_worker_by_lua*" \ + : (c) == NGX_HTTP_LUA_CONTEXT_SSL_CERT ? "ssl_certificate_by_lua*" \ : "(unknown)") diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 5c96cbe51f..5018764c3b 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -3999,3 +3999,67 @@ lua ssl server name: "test.com" [error] [alert] + + +=== TEST 43: subrequests disabled +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua 'ngx.location.capture("/foo")'; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed + +--- error_log eval +[ +'lua ssl server name: "test.com"', +'ssl_certificate_by_lua:1: API disabled in the context of ssl_certificate_by_lua*', +qr/\[crit\] .*?cert cb error/, +] + +--- no_error_log +[alert] + From ceddd214f806c9893c31d66f671856c2a86897be Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)"
Date: Thu, 19 Mar 2015 14:11:36 -0700
Subject: [PATCH 25/56] bugfix: ssl_certificate_by_lua_file could not be used in the server {} context. thanks friendwu for the patch in #473.
---
 src/ngx_http_lua_module.c | 4 +-
 t/130-ssl-cert-by.t | 105 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+), 2 deletions(-)
diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c
index c99e925eb0..363eec66b5 100644
--- a/src/ngx_http_lua_module.c
+++ b/src/ngx_http_lua_module.c
@@ -420,9 +420,9 @@ static ngx_command_t ngx_http_lua_cmds[] = {
 (void *) ngx_http_lua_ssl_cert_handler_inline },
 { ngx_string("ssl_certificate_by_lua_file"),
- NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_http_lua_ssl_cert_by_lua,
- NGX_HTTP_LOC_CONF_OFFSET,
+ NGX_HTTP_SRV_CONF_OFFSET,
 0,
 (void *) ngx_http_lua_ssl_cert_handler_file },
diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t
index 5018764c3b..efd5104c6b 100644
--- a/t/130-ssl-cert-by.t
+++ b/t/130-ssl-cert-by.t
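Review bot: The file variant now carries `NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF` with `NGX_HTTP_SRV_CONF_OFFSET`, but the inline `ssl_certificate_by_lua` entry just above is only partly visible in the hunk; confirm it uses the same flag/offset pair, otherwise one of the two directives would still be stored in the wrong conf struct and silently ignored at the other level. The accompanying TEST 44 only covers `server {}`; a block placing `ssl_certificate_by_lua_file` at `http {}` level would pin that the NGX_HTTP_MAIN_CONF half still works after the offset change.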
@@ -4063,3 +4063,108 @@ qr/\[crit\] .*?cert cb error/, --- no_error_log [alert] + + +=== TEST 44: simple logging (by_lua_file) +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua_file html/a.lua; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } + +--- user_files +>>> a.lua +print("ssl cert by lua is running!") + +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. 
+received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- error_log +lua ssl server name: "test.com" +a.lua:1: ssl cert by lua is running! + +--- no_error_log +[error] +[alert] + From f4c7cbacf5c93a2085c39482f34c392d39eb0bc0 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 20 Mar 2015 16:13:07 -0700 Subject: [PATCH 26/56] fixed a comment in ngx_http_lua_create_srv_conf. --- src/ngx_http_lua_module.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 363eec66b5..23d141871f 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -716,6 +716,7 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf) /* set by ngx_pcalloc: * lscf->ssl_cert_handler = NULL; * lscf->ssl_cert_src = { 0, NULL }; + * lscf->ssl_cert_src_key = NULL; */ return lscf; From 6d378bdf383cd0dccab09220a8ca420cd99f6c53 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Tue, 24 Mar 2015 14:09:02 -0700 Subject: [PATCH 27/56] minor coding style fixes. --- src/ngx_http_lua_sslcertby.c | 2 +- src/ngx_http_lua_sslcertby.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 8e824f2676..97f63114cc 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -23,7 +23,7 @@ static void ngx_http_lua_ssl_cert_done(void *data); static void ngx_http_lua_ssl_cert_aborted(void *data); -static u_char * ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, +static u_char *ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len); static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r); diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_sslcertby.h index 2d29325dd3..31fdbb518f 100644 --- a/src/ngx_http_lua_sslcertby.h 
+++ b/src/ngx_http_lua_sslcertby.h @@ -27,7 +27,7 @@ ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L); -char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, +char *ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); int ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); From 58daafa200a59c31933027f7e66ea1085bb03824 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Tue, 31 Mar 2015 14:24:03 -0700 Subject: [PATCH 28/56] fixed a potential test failure for ssl_certificate_by_lua. thanks Shuxin Yang for the report. --- t/130-ssl-cert-by.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index efd5104c6b..67a49b4a11 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -3777,7 +3777,7 @@ failed to do SSL handshake: handshake failed 'runtime error: ssl_certificate_by_lua:2: bad bad bad', 'lua_certificate_by_lua: handler return value: 500, cert cb exit code: 0', qr/\[crit\] .*? SSL_do_handshake\(\) failed .*?cert cb error/, -qr/context: ssl_certificate_by_lua\*, client: \d+\.\d+\.\d+\.\d+, server: 0\.0\.0\.0:\d+/, +qr/context: ssl_certificate_by_lua\*, client: \d+\.\d+\.\d+\.\d+, server: \d+\.\d+\.\d+\.\d+:\d+/, ] --- no_error_log From 7eb1757d9f7ca74a40885193e37ac869319a8f15 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Wed, 23 Dec 2015 01:25:18 -0800 Subject: [PATCH 29/56] fixed merge issues in the previous commit; also fixed the test suite for ssl-cert-by-lua. --- src/ngx_http_lua_sslcertby.c | 6 ++++-- t/130-ssl-cert-by.t | 11 +++++------ t/cert/ocsp/revoked-ocsp-resp.der | Bin 0 -> 1073 bytes util/build2.sh | 2 +- 4 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 t/cert/ocsp/revoked-ocsp-resp.der 
diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 97f63114cc..4047c44e1a 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -35,7 +35,8 @@ ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, { ngx_int_t rc; - rc = ngx_http_lua_cache_loadfile(r, L, lscf->ssl_cert_src.data, + rc = ngx_http_lua_cache_loadfile(r->connection->log, L, + lscf->ssl_cert_src.data, lscf->ssl_cert_src_key); if (rc != NGX_OK) { return rc; @@ -54,7 +55,8 @@ ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, { ngx_int_t rc; - rc = ngx_http_lua_cache_loadbuffer(r, L, lscf->ssl_cert_src.data, + rc = ngx_http_lua_cache_loadbuffer(r->connection->log, L, + lscf->ssl_cert_src.data, lscf->ssl_cert_src.len, lscf->ssl_cert_src_key, "=ssl_certificate_by_lua"); diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t index 67a49b4a11..2a10162391 100644 --- a/t/130-ssl-cert-by.t +++ b/t/130-ssl-cert-by.t @@ -2183,7 +2183,7 @@ failed to create OCSP request: output buffer too small: 68 > 67 local req, err = ssl.create_ocsp_request(cert_data, 67) if not req then ngx.log(ngx.ERR, "failed to create OCSP request: ", err) - return + return ngx.exit(ngx.ERROR) end ngx.log(ngx.WARN, "OCSP request created with length ", #req) @@ -2242,7 +2242,7 @@ failed to create OCSP request: output buffer too small: 68 > 67 GET /t --- response_body connected: 1 -ssl handshake: userdata +failed to do SSL handshake: handshake failed --- error_log lua ssl server name: "test.com" @@ -2823,7 +2823,6 @@ OCSP response validation ok === TEST 28: fail to validate OCSP response - OCSP response returns revoked status - --- http_config lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; 
@@ -2840,7 +2839,7 @@ OCSP response validation ok cert_data, err = ssl.cert_pem_to_der(cert_data) if not cert_data then ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return + return ngx.exit(ngx.ERROR) end local f = assert(io.open("t/cert/ocsp/revoked-ocsp-resp.der")) @@ -2850,7 +2849,7 @@ OCSP response validation ok local req, err = ssl.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return + return ngx.exit(ngx.ERROR) end ngx.log(ngx.WARN, "OCSP response validation ok") @@ -2904,7 +2903,7 @@ OCSP response validation ok GET /t --- response_body connected: 1 -ssl handshake: userdata +failed to do SSL handshake: handshake failed --- error_log lua ssl server name: "test.com" diff --git a/t/cert/ocsp/revoked-ocsp-resp.der b/t/cert/ocsp/revoked-ocsp-resp.der new file mode 100644 index 0000000000000000000000000000000000000000..71d41a77fd2f3bb2a36146472750afa746da6f87 GIT binary patch literal 1073 zcmXqLV$tPdWLVI|qGr&4xwXuP{H%^<~)+klgeIh2J> zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVo;^b!aT*9>3NxX>AJ~@x<(TGMh1o^h6aXa2F6C_29{9l5vBd&5~#ekx&~>M<6P&D>vW1H}UCG|Ue#;+NGII1spa zGZQ1nLO~28F$4^F**LY@JlekVG6H?hz}(o#;Gvy$Y*(1tX*T<-6aNJKmaM%x=it^q zCmM>_TJ%J2S5|C1zT>S~oa>UnxVIt4{xDo_7F$!>TTo}OT`#lYfzG3BKm7v#L}jKa zRkCuj@h=}uU6i!7D5XyQ?Goj?4tZxz9u1rpyrFB_H2H_Ft}_;}=zp>LCek*)fPK%e z^-Hc99$QznpowXQK@-yyAf8~*#Q1XoGZP~d6C*R4Q|S^Zh6W1ayeN?Z3_(Lf69Y>l zBUmiaC2<%u&PVn?BPgnR84MabnSe2NSw&{j(%lRD{!eg?9@v@XlXB8ELp8pwmBm02VV#2Q2{85D*EEZd`abm79)g3CFg zUt29vH{by&5N2UDU}j|ekL+P++T=+*a9r@v2g?s-bN!vKObC%zvkkE=k3X>4>yY#| ziAzGgD!yf3*||mR#C4tCwHn-h?Aw?gIh||s?xX6jGLOBR8RKFWY}zkN9@!-&Iqu2zHJ(_e5NA}tVW(2`Z(~<;IE&=g(=)dN E0NZk6z5oCK literal 0 HcmV?d00001 diff --git a/util/build2.sh b/util/build2.sh index f4d51dbfc7..d78284881c 100755 --- a/util/build2.sh +++ b/util/build2.sh 
@@ -30,7 +30,7 @@ time ngx-build $force $version \ --with-http_ssl_module \ --add-module=$root/../ndk-nginx-module \ --add-module=$root/../set-misc-nginx-module \ - --with-ld-opt="-L$PCRE_LIB -Wl,-rpath,$PCRE_LIB:$LIBDRIZZLE_LIB:/usr/local/lib" \ + --with-ld-opt="-L$PCRE_LIB -Wl,-rpath,$PCRE_LIB:$LIBDRIZZLE_LIB:$OPENSSL_LIB:/usr/local/lib" \ --without-mail_pop3_module \ --without-mail_imap_module \ --with-http_image_filter_module \ From 1d2bada190601056d2aa5b351287a27c651f45d6 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 10:24:10 -0800 Subject: [PATCH 30/56] util/build2.sh: added support for changing openssl libs at runtime via environments like LD_LIBRARY_PATH. --- util/build2.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/build2.sh b/util/build2.sh index d78284881c..6c52eff995 100755 --- a/util/build2.sh +++ b/util/build2.sh @@ -30,7 +30,7 @@ time ngx-build $force $version \ --with-http_ssl_module \ --add-module=$root/../ndk-nginx-module \ --add-module=$root/../set-misc-nginx-module \ - --with-ld-opt="-L$PCRE_LIB -Wl,-rpath,$PCRE_LIB:$LIBDRIZZLE_LIB:$OPENSSL_LIB:/usr/local/lib" \ + --with-ld-opt="-L$PCRE_LIB -Wl,-rpath,$PCRE_LIB:$LIBDRIZZLE_LIB" \ --without-mail_pop3_module \ --without-mail_imap_module \ --with-http_image_filter_module \ From 2805992409ba63cef783ec463ed753cd0fe959f4 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 10:25:14 -0800 Subject: [PATCH 31/56] avoided hard-coded copyright year in the Lua source. --- lua/ngx/ssl.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua index 9f90998166..8e328a7acf 100644 --- a/lua/ngx/ssl.lua +++ b/lua/ngx/ssl.lua @@ -1,4 +1,4 @@ --- Copyright (C) 2014 Yichun Zhang +-- Copyright (C) Yichun Zhang (agentzh) local ffi = require "ffi" From 6a53b1b5b8b3ecd8ffd1053de4cab8141ada15d5 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 14:36:08 -0800 Subject: [PATCH 32/56] bugfix: fixed compilation errors with OpenSSL older than 1.0.2. --- src/ngx_http_lua_common.h | 5 ++ src/ngx_http_lua_module.c | 8 +++ src/ngx_http_lua_sslcertby.c | 97 +++++++++++++++++++++++++++++++++++- 3 files changed, 108 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h index b74c932bb8..d57a206a26 100644 --- a/src/ngx_http_lua_common.h +++ b/src/ngx_http_lua_common.h @@ -31,6 +31,11 @@ #endif +#if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) +# define NGX_HTTP_LUA_USE_OCSP 1 +#endif + + #ifndef MD5_DIGEST_LENGTH #define MD5_DIGEST_LENGTH 16 #endif diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 9904dd2ec8..f45b8909c5 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -896,7 +896,15 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } +#if OPENSSL_VERSION_NUMBER >= 0x1000205fL + SSL_CTX_set_cert_cb(sscf->ssl.ctx, ngx_http_lua_ssl_cert_handler, NULL); + +#else + + return NGX_CONF_ERROR; + +#endif } return NGX_CONF_OK; diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index 89fa191652..fb6da0db69 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -27,6 +27,10 @@ static u_char *ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len); static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r); +#ifdef NGX_HTTP_LUA_USE_OCSP +static int ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, + void *data); +#endif ngx_int_t 
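Review bot: The `#else` branch added to ngx_http_lua_merge_srv_conf returns `NGX_CONF_ERROR` without logging anything, so on an OpenSSL build older than 1.0.2e the operator would see only a generic configuration failure with no hint that the SSL library version is the cause. The directive handler ngx_http_lua_ssl_cert_by_lua in the same commit logs `"at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT` at `NGX_LOG_EMERG`, and this merge-time path appears reachable only if that check were somehow bypassed, so mirroring the message keeps the failure diagnosable: `ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT);` before the `return NGX_CONF_ERROR;`. The enclosing function starts outside the hunk.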
@@ -75,13 +79,21 @@ char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { +#if OPENSSL_VERSION_NUMBER < 0x1000205fL + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "at least OpenSSL 1.0.2e required but found " + OPENSSL_VERSION_TEXT); + + return NGX_CONF_ERROR; + +#else + u_char *p; u_char *name; ngx_str_t *value; ngx_http_lua_srv_conf_t *lscf = conf; - dd("enter"); - /* must specifiy a content handler */ if (cmd->post == NULL) { return NGX_CONF_ERROR; @@ -136,6 +148,8 @@ ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, } return NGX_CONF_OK; + +#endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ } @@ -443,6 +457,13 @@ ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err) { +#ifndef TLS1_get_version + + *err = "no TLS1 support"; + return NGX_ERROR; + +#else + ngx_ssl_conn_t *ssl_conn; if (r->connection == NULL || r->connection->ssl == NULL) { @@ -459,12 +480,21 @@ ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err) dd("tls1 ver: %d", (int) TLS1_get_version(ssl_conn)); return (int) TLS1_get_version(ssl_conn); + +#endif } int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) { +#if OPENSSL_VERSION_NUMBER < 0x1000205fL + + *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + return NGX_ERROR; + +#else + ngx_ssl_conn_t *ssl_conn; if (r->connection == NULL || r->connection->ssl == NULL) { @@ -480,6 +510,8 @@ ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err) SSL_certs_clear(ssl_conn); return NGX_OK; + +#endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ } 
@@ -487,6 +519,13 @@ int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, const char *data, size_t len, char **err) { +#if OPENSSL_VERSION_NUMBER < 0x1000205fL + + *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + return NGX_ERROR; + +#else + BIO *bio = NULL; X509 *x509 = NULL; ngx_ssl_conn_t *ssl_conn; @@ -561,6 +600,8 @@ ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, } return NGX_ERROR; + +#endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ } @@ -711,6 +752,8 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, return NGX_ERROR; } +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + *name = (char *) SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); if (*name) { @@ -719,6 +762,13 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, } return NGX_DECLINED; + +#else + + *err = "no TLS extension support"; + return NGX_ERROR; + +#endif } @@ -799,6 +849,13 @@ ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( const char *chain_data, size_t chain_len, unsigned char *out, size_t *out_size, char **err) { +#ifndef NGX_HTTP_LUA_USE_OCSP + + *err = "no OCSP support"; + return NGX_ERROR; + +#else + int rc = NGX_OK; BIO *bio = NULL; char *s; @@ -830,7 +887,11 @@ ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( goto done; } +#if OPENSSL_VERSION_NUMBER >= 0x10000000L s = sk_OPENSSL_STRING_value(aia, 0); +#else + s = sk_value(aia, 0); +#endif if (s == NULL) { rc = NGX_DECLINED; goto done; @@ -897,6 +958,8 @@ ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( } return rc; + +#endif /* NGX_HTTP_LUA_USE_OCSP */ } @@ -904,6 +967,13 @@ int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, size_t chain_len, unsigned char *out, size_t *out_size, char **err) { +#ifndef NGX_HTTP_LUA_USE_OCSP + + *err = "no OCSP support"; + return NGX_ERROR; + +#else + int rc = NGX_ERROR; BIO *bio = NULL; X509 *cert = NULL, *issuer = NULL; 
@@ -1000,6 +1070,8 @@ ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, } return rc; + +#endif /* NGX_HTTP_LUA_USE_OCSP */ } @@ -1008,6 +1080,14 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, size_t resp_len, const char *chain_data, size_t chain_len, u_char *errbuf, size_t *errbuf_size) { +#ifndef NGX_HTTP_LUA_USE_OCSP + + *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, + "no OCSP support") - errbuf; + return NGX_ERROR; + +#else + int n; BIO *bio = NULL; X509 *cert = NULL, *issuer = NULL; @@ -1162,20 +1242,31 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, ERR_clear_error(); return NGX_ERROR; + +#endif /* NGX_HTTP_LUA_USE_OCSP */ } +#ifdef NGX_HTTP_LUA_USE_OCSP static int ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) { return SSL_TLSEXT_ERR_OK; } +#endif int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, const u_char *resp, size_t resp_len, char **err) { +#ifndef NGX_HTTP_LUA_USE_OCSP + + *err = "no OCSP support"; + return NGX_ERROR; + +#else + u_char *p; SSL_CTX *ctx; ngx_ssl_conn_t *ssl_conn; @@ -1216,6 +1307,8 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, ssl_conn->tlsext_status_expected = 1; return NGX_OK; + +#endif /* NGX_HTTP_LUA_USE_OCSP */ } #endif /* NGX_LUA_NO_FFI_API */ From 5311b18db499ea59f0ddfa9296d9bcfa728e455d Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 15:26:51 -0800 Subject: [PATCH 33/56] various minor fixes. --- src/ngx_http_lua_socket_tcp.c | 7 ++++--- src/ngx_http_lua_sslcertby.c | 10 +++++----- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 4e66155efd..98801f56fe 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
@@ -1317,12 +1317,11 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) if (n >= 5) { if (lua_toboolean(L, 5)) { -#ifdef TLSEXT_STATUSTYPE_ocsp +#ifdef NGX_HTTP_LUA_USE_OCSP SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp); #else - return luaL_error(L, "lack of status request support" - " in OpenSSL"); + return luaL_error(L, "no OCSP support"); #endif } } @@ -1370,7 +1369,9 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) u->write_co_ctx = coctx; #if 0 +#ifdef NGX_HTTP_LUA_USE_OCSP SSL_set_tlsext_status_type(c->ssl->connection, TLSEXT_STATUSTYPE_ocsp); +#endif #endif rc = ngx_ssl_handshake(c); diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_sslcertby.c index fb6da0db69..4b9b68deea 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_sslcertby.c @@ -94,7 +94,7 @@ ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, ngx_str_t *value; ngx_http_lua_srv_conf_t *lscf = conf; - /* must specifiy a content handler */ + /* must specifiy a concrete handler */ if (cmd->post == NULL) { return NGX_CONF_ERROR; } @@ -396,7 +396,7 @@ ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r) if (co == NULL) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "lua: failed to create new coroutine to handle request"); + "lua: failed to create new coroutine to handle request"); return NGX_HTTP_INTERNAL_SERVER_ERROR; } @@ -543,7 +543,7 @@ ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, bio = BIO_new_mem_buf((char *) data, len); if (bio == NULL) { - *err = " BIO_new_mem_buf() failed"; + *err = " BIO_new_mem_buf() failed"; goto failed; } 
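Review bot: The string assigned at `*err = " BIO_new_mem_buf() failed";` in the ngx_http_lua_ffi_ssl_set_der_certificate hunk keeps a stray leading space, while the sibling messages in this file read `"BIO_new_mem_buf() failed"`; the hunk re-indents the statement but leaves the literal as is, and this text is surfaced to Lua callers through `err`. Suggest `*err = "BIO_new_mem_buf() failed";`. Two smaller items in neighbouring hunks: the reworded comment in ngx_http_lua_ssl_cert_by_lua still misspells "specify" (`/* must specify a concrete handler */`), and the `#if 0` block in ngx_http_lua_socket_tcp_sslhandshake gains a nested `#ifdef NGX_HTTP_LUA_USE_OCSP` around code that is already compiled out, where deleting the dead block would be simpler than maintaining guards inside it. All three enclosing functions start and end outside their hunks.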
@@ -708,8 +708,8 @@ ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr, saun = (struct sockaddr_un *) c->local_sockaddr; /* on Linux sockaddr might not include sun_path at all */ - if (c->local_socklen <= - (socklen_t) offsetof(struct sockaddr_un, sun_path)) + if (c->local_socklen <= (socklen_t) + offsetof(struct sockaddr_un, sun_path)) { *addr = ""; *addrlen = 0; From 9e2c0e40ebdc4a010a5ebf8b716760581ed69445 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 16:13:12 -0800 Subject: [PATCH 34/56] renamed source files ngx_http_lua_sslcertby.[ch] to ngx_http_lua_ssl_certby.[ch]. --- .gitignore | 2 +- config | 4 ++-- src/ngx_http_lua_directive.c | 2 +- src/ngx_http_lua_module.c | 2 +- src/{ngx_http_lua_sslcertby.c => ngx_http_lua_ssl_certby.c} | 2 +- src/{ngx_http_lua_sslcertby.h => ngx_http_lua_ssl_certby.h} | 6 +++--- src/ngx_http_lua_util.c | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) rename src/{ngx_http_lua_sslcertby.c => ngx_http_lua_ssl_certby.c} (99%) rename src/{ngx_http_lua_sslcertby.h => ngx_http_lua_ssl_certby.h} (87%) diff --git a/.gitignore b/.gitignore index 5f02d821a8..606399c26f 100644 --- a/.gitignore +++ b/.gitignore @@ -153,7 +153,7 @@ src/uthread.[ch] src/timer.[ch] src/config.[ch] src/worker.[ch] -src/sslcertby.[ch] +src/certby.[ch] src/lex.[ch] src/balancer.[ch] src/semaphore.[ch] diff --git a/config b/config index 0f3450c62c..a88a6ab81f 100644 --- a/config +++ b/config @@ -351,7 +351,7 @@ NGX_ADDON_SRCS="$NGX_ADDON_SRCS \ $ngx_addon_dir/src/ngx_http_lua_timer.c \ $ngx_addon_dir/src/ngx_http_lua_config.c \ $ngx_addon_dir/src/ngx_http_lua_worker.c \ - $ngx_addon_dir/src/ngx_http_lua_sslcertby.c \ + $ngx_addon_dir/src/ngx_http_lua_ssl_certby.c \ $ngx_addon_dir/src/ngx_http_lua_lex.c \ $ngx_addon_dir/src/ngx_http_lua_balancer.c \ " 
@@ -408,7 +408,7 @@ NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ $ngx_addon_dir/src/ngx_http_lua_timer.h \ $ngx_addon_dir/src/ngx_http_lua_config.h \ $ngx_addon_dir/src/ngx_http_lua_worker.h \ - $ngx_addon_dir/src/ngx_http_lua_sslcertby.h \ + $ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \ $ngx_addon_dir/src/ngx_http_lua_lex.h \ $ngx_addon_dir/src/ngx_http_lua_balancer.h \ " diff --git a/src/ngx_http_lua_directive.c b/src/ngx_http_lua_directive.c index 67d44b69e5..cd3cce55ab 100644 --- a/src/ngx_http_lua_directive.c +++ b/src/ngx_http_lua_directive.c @@ -24,7 +24,7 @@ #include "ngx_http_lua_initby.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_shdict.h" -#include "ngx_http_lua_sslcertby.h" +#include "ngx_http_lua_ssl_certby.h" #include "ngx_http_lua_lex.h" diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index f45b8909c5..61a053e573 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -25,7 +25,7 @@ #include "ngx_http_lua_probe.h" #include "ngx_http_lua_semaphore.h" #include "ngx_http_lua_balancer.h" -#include "ngx_http_lua_sslcertby.h" +#include "ngx_http_lua_ssl_certby.h" #include diff --git a/src/ngx_http_lua_sslcertby.c b/src/ngx_http_lua_ssl_certby.c similarity index 99% rename from src/ngx_http_lua_sslcertby.c rename to src/ngx_http_lua_ssl_certby.c index 4b9b68deea..1934e94f89 100644 --- a/src/ngx_http_lua_sslcertby.c +++ b/src/ngx_http_lua_ssl_certby.c @@ -18,7 +18,7 @@ #include "ngx_http_lua_util.h" #include "ngx_http_ssl_module.h" #include "ngx_http_lua_contentby.h" -#include "ngx_http_lua_sslcertby.h" +#include "ngx_http_lua_ssl_certby.h" static void ngx_http_lua_ssl_cert_done(void *data); diff --git a/src/ngx_http_lua_sslcertby.h b/src/ngx_http_lua_ssl_certby.h similarity index 87% rename from src/ngx_http_lua_sslcertby.h rename to src/ngx_http_lua_ssl_certby.h index 31fdbb518f..73586a01ea 100644 --- a/src/ngx_http_lua_sslcertby.h +++ b/src/ngx_http_lua_ssl_certby.h 
@@ -4,8 +4,8 @@ */ -#ifndef _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ -#define _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ +#ifndef _NGX_HTTP_LUA_SSL_CERTBY_H_INCLUDED_ +#define _NGX_HTTP_LUA_SSL_CERTBY_H_INCLUDED_ #include "ngx_http_lua_common.h" @@ -33,6 +33,6 @@ char *ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, int ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); -#endif /* _NGX_HTTP_LUA_SSLCERTBY_H_INCLUDED_ */ +#endif /* _NGX_HTTP_LUA_SSL_CERTBY_H_INCLUDED_ */ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */ diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index 23d3aab277..ac6ae8452f 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -49,7 +49,7 @@ #include "ngx_http_lua_config.h" #include "ngx_http_lua_worker.h" #include "ngx_http_lua_socket_tcp.h" -#include "ngx_http_lua_sslcertby.h" +#include "ngx_http_lua_ssl_certby.h" #if 1 From 4fd40877c53b8c374a80e9f9c7d8fdae1cc730d5 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 16:21:41 -0800 Subject: [PATCH 35/56] refator: moved OCSP related FFI C API functions from ngx_http_lua_ssl_certby.c to a separate compilation unit, ngx_http_lua_ssl_ocscp.c. --- .gitignore | 1 + config | 1 + src/ngx_http_lua_ssl_certby.c | 472 -------------------------------- src/ngx_http_lua_ssl_ocsp.c | 497 ++++++++++++++++++++++++++++++++++ 4 files changed, 499 insertions(+), 472 deletions(-) create mode 100644 src/ngx_http_lua_ssl_ocsp.c diff --git a/.gitignore b/.gitignore index 606399c26f..e5cbc8e7ac 100644 --- a/.gitignore +++ b/.gitignore @@ -154,6 +154,7 @@ src/timer.[ch] src/config.[ch] src/worker.[ch] src/certby.[ch] +src/ocsp.c src/lex.[ch] src/balancer.[ch] src/semaphore.[ch] diff --git a/config b/config index a88a6ab81f..030788cb3c 100644 --- a/config +++ b/config 
@@ -352,6 +352,7 @@ NGX_ADDON_SRCS="$NGX_ADDON_SRCS \ $ngx_addon_dir/src/ngx_http_lua_config.c \ $ngx_addon_dir/src/ngx_http_lua_worker.c \ $ngx_addon_dir/src/ngx_http_lua_ssl_certby.c \ + $ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \ $ngx_addon_dir/src/ngx_http_lua_lex.c \ $ngx_addon_dir/src/ngx_http_lua_balancer.c \ " diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c index 1934e94f89..11f7103be0 100644 --- a/src/ngx_http_lua_ssl_certby.c +++ b/src/ngx_http_lua_ssl_certby.c @@ -27,10 +27,6 @@ static u_char *ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf, size_t len); static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r); -#ifdef NGX_HTTP_LUA_USE_OCSP -static int ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, - void *data); -#endif ngx_int_t 
@@ -843,474 +839,6 @@ ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, return total; } - -int -ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( - const char *chain_data, size_t chain_len, unsigned char *out, - size_t *out_size, char **err) -{ -#ifndef NGX_HTTP_LUA_USE_OCSP - - *err = "no OCSP support"; - return NGX_ERROR; - -#else - - int rc = NGX_OK; - BIO *bio = NULL; - char *s; - X509 *cert = NULL, *issuer = NULL; - size_t len; - STACK_OF(OPENSSL_STRING) *aia = NULL; - - /* certificate */ - - bio = BIO_new_mem_buf((char *) chain_data, chain_len); - if (bio == NULL) { - *err = "BIO_new_mem_buf() failed"; - rc = NGX_ERROR; - goto done; - } - - cert = d2i_X509_bio(bio, NULL); - if (cert == NULL) { - *err = "d2i_X509_bio() failed"; - rc = NGX_ERROR; - goto done; - } - - /* responder */ - - aia = X509_get1_ocsp(cert); - if (aia == NULL) { - rc = NGX_DECLINED; - goto done; - } - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - s = sk_OPENSSL_STRING_value(aia, 0); -#else - s = sk_value(aia, 0); -#endif - if (s == NULL) { - rc = NGX_DECLINED; - goto done; - } - - len = ngx_strlen(s); - if (len > *out_size) { - len = *out_size; - rc = NGX_BUSY; - - } else { - rc = NGX_OK; - *out_size = len; - } - - ngx_memcpy(out, s, len); - - X509_email_free(aia); - aia = NULL; - - /* issuer */ - - if (BIO_eof(bio)) { - *err = "no issuer certificate in chain"; - rc = NGX_ERROR; - goto done; - } - - issuer = d2i_X509_bio(bio, NULL); - if (issuer == NULL) { - *err = "d2i_X509_bio() failed"; - rc = NGX_ERROR; - goto done; - } - - if (X509_check_issued(issuer, cert) != X509_V_OK) { - *err = "issuer certificate not next to leaf"; - rc = NGX_ERROR; - goto done; - } - - X509_free(issuer); - X509_free(cert); - BIO_free(bio); - - return rc; - -done: - - if (aia) { - X509_email_free(aia); - } - - if (issuer) { - X509_free(issuer); - } - - if (cert) { - X509_free(cert); - } - - if (bio) { - BIO_free(bio); - } - - return rc; - -#endif /* NGX_HTTP_LUA_USE_OCSP */ 
-} - - -int -ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, - size_t chain_len, unsigned char *out, size_t *out_size, char **err) -{ -#ifndef NGX_HTTP_LUA_USE_OCSP - - *err = "no OCSP support"; - return NGX_ERROR; - -#else - - int rc = NGX_ERROR; - BIO *bio = NULL; - X509 *cert = NULL, *issuer = NULL; - size_t len; - OCSP_CERTID *id; - OCSP_REQUEST *ocsp = NULL; - - /* certificate */ - - bio = BIO_new_mem_buf((char *) chain_data, chain_len); - if (bio == NULL) { - *err = "BIO_new_mem_buf() failed"; - goto failed; - } - - cert = d2i_X509_bio(bio, NULL); - if (cert == NULL) { - *err = "d2i_X509_bio() failed"; - goto failed; - } - - if (BIO_eof(bio)) { - *err = "no issuer certificate in chain"; - goto failed; - } - - issuer = d2i_X509_bio(bio, NULL); - if (issuer == NULL) { - *err = "d2i_X509_bio() failed"; - goto failed; - } - - ocsp = OCSP_REQUEST_new(); - if (ocsp == NULL) { - *err = "OCSP_REQUEST_new() failed"; - goto failed; - } - - id = OCSP_cert_to_id(NULL, cert, issuer); - if (id == NULL) { - *err = "OCSP_cert_to_id() failed"; - goto failed; - } - - if (OCSP_request_add0_id(ocsp, id) == NULL) { - *err = "OCSP_request_add0_id() failed"; - goto failed; - } - - len = i2d_OCSP_REQUEST(ocsp, NULL); - if (len <= 0) { - *err = "i2d_OCSP_REQUEST() failed"; - goto failed; - } - - if (len > *out_size) { - *err = "output buffer too small"; - *out_size = len; - rc = NGX_BUSY; - goto failed; - } - - len = i2d_OCSP_REQUEST(ocsp, &out); - if (len <= 0) { - *err = "i2d_OCSP_REQUEST() failed"; - goto failed; - } - - *out_size = len; - - OCSP_REQUEST_free(ocsp); - X509_free(issuer); - X509_free(cert); - BIO_free(bio); - - return NGX_OK; - -failed: - - if (ocsp) { - OCSP_REQUEST_free(ocsp); - } - - if (issuer) { - X509_free(issuer); - } - - if (cert) { - X509_free(cert); - } - - if (bio) { - BIO_free(bio); - } - - return rc; - -#endif /* NGX_HTTP_LUA_USE_OCSP */ -} - - -int -ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, - size_t resp_len, 
const char *chain_data, size_t chain_len, - u_char *errbuf, size_t *errbuf_size) -{ -#ifndef NGX_HTTP_LUA_USE_OCSP - - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "no OCSP support") - errbuf; - return NGX_ERROR; - -#else - - int n; - BIO *bio = NULL; - X509 *cert = NULL, *issuer = NULL; - OCSP_CERTID *id = NULL; - OCSP_RESPONSE *ocsp = NULL; - OCSP_BASICRESP *basic = NULL; - STACK_OF(X509) *chain = NULL; - ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; - - ocsp = d2i_OCSP_RESPONSE(NULL, &resp, resp_len); - if (ocsp == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "d2i_OCSP_RESPONSE() failed") - errbuf; - goto error; - } - - n = OCSP_response_status(ocsp); - - if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "OCSP response not successful (%d: %s)", - n, OCSP_response_status_str(n)) - errbuf; - goto error; - } - - basic = OCSP_response_get1_basic(ocsp); - if (basic == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "OCSP_response_get1_basic() failed") - - errbuf; - goto error; - } - - /* get issuer certificate from chain */ - - bio = BIO_new_mem_buf((char *) chain_data, chain_len); - if (bio == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "BIO_new_mem_buf() failed") - - errbuf; - goto error; - } - - cert = d2i_X509_bio(bio, NULL); - if (cert == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "d2i_X509_bio() failed") - - errbuf; - goto error; - } - - if (BIO_eof(bio)) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "no issuer certificate in chain") - - errbuf; - goto error; - } - - issuer = d2i_X509_bio(bio, NULL); - if (issuer == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "d2i_X509_bio() failed") - errbuf; - goto error; - } - - chain = sk_X509_new_null(); - if (chain == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "sk_X509_new_null() failed") - errbuf; - goto error; - } - - (void) sk_X509_push(chain, 
issuer); - - if (OCSP_basic_verify(basic, chain, NULL, OCSP_NOVERIFY) != 1) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "OCSP_basic_verify() failed") - errbuf; - goto error; - } - - id = OCSP_cert_to_id(NULL, cert, issuer); - if (id == NULL) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "OCSP_cert_to_id() failed") - errbuf; - goto error; - } - - if (OCSP_resp_find_status(basic, id, &n, NULL, NULL, - &thisupdate, &nextupdate) - != 1) - { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "certificate status not found in the " - "OCSP response") - errbuf; - goto error; - } - - if (n != V_OCSP_CERTSTATUS_GOOD) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "certificate status \"%s\" in the OCSP " - "response", OCSP_cert_status_str(n)) - - errbuf; - goto error; - } - - if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { - *errbuf_size = ngx_snprintf(errbuf, *errbuf_size, - "OCSP_check_validity() failed") - errbuf; - goto error; - } - - sk_X509_free(chain); - X509_free(cert); - X509_free(issuer); - BIO_free(bio); - OCSP_CERTID_free(id); - OCSP_BASICRESP_free(basic); - OCSP_RESPONSE_free(ocsp); - - return NGX_OK; - -error: - - if (chain) { - sk_X509_free(chain); - } - - if (id) { - OCSP_CERTID_free(id); - } - - if (basic) { - OCSP_BASICRESP_free(basic); - } - - if (ocsp) { - OCSP_RESPONSE_free(ocsp); - } - - if (cert) { - X509_free(cert); - } - - if (issuer) { - X509_free(issuer); - } - - if (bio) { - BIO_free(bio); - } - - ERR_clear_error(); - - return NGX_ERROR; - -#endif /* NGX_HTTP_LUA_USE_OCSP */ -} - - -#ifdef NGX_HTTP_LUA_USE_OCSP -static int -ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) -{ - return SSL_TLSEXT_ERR_OK; -} -#endif - - -int -ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, - const u_char *resp, size_t resp_len, char **err) -{ -#ifndef NGX_HTTP_LUA_USE_OCSP - - *err = "no OCSP support"; - return NGX_ERROR; - -#else - - u_char *p; - SSL_CTX *ctx; - 
ngx_ssl_conn_t *ssl_conn; - - if (r->connection == NULL || r->connection->ssl == NULL) { - *err = "bad request"; - return NGX_ERROR; - } - - ssl_conn = r->connection->ssl->connection; - if (ssl_conn == NULL) { - *err = "bad ssl conn"; - return NGX_ERROR; - } - - if (ssl_conn->tlsext_status_type == -1) { - dd("no ocsp status req from client"); - return NGX_DECLINED; - } - - /* we have to register an empty status callback here otherwise - * OpenSSL won't send the response staple. */ - - ctx = SSL_get_SSL_CTX(ssl_conn); - SSL_CTX_set_tlsext_status_cb(ctx, - ngx_http_lua_ssl_empty_status_callback); - - p = OPENSSL_malloc(resp_len); - if (p == NULL) { - *err = "OPENSSL_malloc() failed"; - return NGX_ERROR; - } - - ngx_memcpy(p, resp, resp_len); - - dd("set ocsp resp: resp_len=%d", (int) resp_len); - (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); - ssl_conn->tlsext_status_expected = 1; - - return NGX_OK; - -#endif /* NGX_HTTP_LUA_USE_OCSP */ -} - #endif /* NGX_LUA_NO_FFI_API */ diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c new file mode 100644 index 0000000000..9f9e276ee2 --- /dev/null +++ b/src/ngx_http_lua_ssl_ocsp.c 
@@ -0,0 +1,497 @@
+
+/*
+ * Copyright (C) Yichun Zhang (agentzh)
+ */
+
+
+#ifndef DDEBUG
+#define DDEBUG 0
+#endif
+#include "ddebug.h"
+
+
+#if (NGX_HTTP_SSL)
+
+
+#include "ngx_http_lua_common.h"
+
+
+#ifndef NGX_LUA_NO_FFI_API
+
+#ifdef NGX_HTTP_LUA_USE_OCSP
+static int ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn,
+ void *data);
+#endif
+
+
+int
+ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(
+ const char *chain_data, size_t chain_len, unsigned char *out,
+ size_t *out_size, char **err)
+{
+#ifndef NGX_HTTP_LUA_USE_OCSP
+
+ *err = "no OCSP support";
+ return NGX_ERROR;
+
+#else
+
+ int rc = NGX_OK;
+ BIO *bio = NULL;
+ char *s;
+ X509 *cert = NULL, *issuer = NULL;
+ size_t len;
+ STACK_OF(OPENSSL_STRING) *aia = NULL;
+
+ /* certificate */
+
+ bio = BIO_new_mem_buf((char *) chain_data, chain_len);
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ rc = NGX_ERROR;
+ goto done;
+ }
+
+ cert = d2i_X509_bio(bio, NULL);
+ if (cert == NULL) {
+ *err = "d2i_X509_bio() failed";
+ rc = NGX_ERROR;
+ goto done;
+ }
+
+ /* responder */
+
+ aia = X509_get1_ocsp(cert);
+ if (aia == NULL) {
+ rc = NGX_DECLINED;
+ goto done;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ s = sk_OPENSSL_STRING_value(aia, 0);
+#else
+ s = sk_value(aia, 0);
+#endif
+ if (s == NULL) {
+ rc = NGX_DECLINED;
+ goto done;
+ }
+
+ len = ngx_strlen(s);
+ if (len > *out_size) {
+ len = *out_size;
+ rc = NGX_BUSY;
+
+ } else {
+ rc = NGX_OK;
+ *out_size = len;
+ }
+
+ ngx_memcpy(out, s, len);
+
+ X509_email_free(aia);
+ aia = NULL;
+
+ /* issuer */
+
+ if (BIO_eof(bio)) {
+ *err = "no issuer certificate in chain";
+ rc = NGX_ERROR;
+ goto done;
+ }
+
+ issuer = d2i_X509_bio(bio, NULL);
+ if (issuer == NULL) {
+ *err = "d2i_X509_bio() failed";
+ rc = NGX_ERROR;
+ goto done;
+ }
+
+ if (X509_check_issued(issuer, cert) != X509_V_OK) {
+ *err = "issuer certificate not next to leaf";
+ rc = NGX_ERROR;
+ goto done;
+ }
+
+ X509_free(issuer);
+ X509_free(cert);
+ BIO_free(bio);
+
+ return rc;
+
+done:
+
+ if (aia) {
+ X509_email_free(aia);
+ }
+
+ if (issuer) {
+ X509_free(issuer);
+ }
+
+ if (cert) {
+ X509_free(cert);
+ }
+
+ if (bio) {
+ BIO_free(bio);
+ }
+
+ return rc;
+
+#endif /* NGX_HTTP_LUA_USE_OCSP */
+}
+
+
+int
+ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data,
+ size_t chain_len, unsigned char *out, size_t *out_size, char **err)
+{
+#ifndef NGX_HTTP_LUA_USE_OCSP
+
+ *err = "no OCSP support";
+ return NGX_ERROR;
+
+#else
+
+ int rc = NGX_ERROR;
+ BIO *bio = NULL;
+ X509 *cert = NULL, *issuer = NULL;
+ size_t len;
+ OCSP_CERTID *id;
+ OCSP_REQUEST *ocsp = NULL;
+
+ /* certificate */
+
+ bio = BIO_new_mem_buf((char *) chain_data, chain_len);
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ goto failed;
+ }
+
+ cert = d2i_X509_bio(bio, NULL);
+ if (cert == NULL) {
+ *err = "d2i_X509_bio() failed";
+ goto failed;
+ }
+
+ if (BIO_eof(bio)) {
+ *err = "no issuer certificate in chain";
+ goto failed;
+ }
+
+ issuer = d2i_X509_bio(bio, NULL);
+ if (issuer == NULL) {
+ *err = "d2i_X509_bio() failed";
+ goto failed;
+ }
+
+ ocsp = OCSP_REQUEST_new();
+ if (ocsp == NULL) {
+ *err = "OCSP_REQUEST_new() failed";
+ goto failed;
+ }
+
+ id = OCSP_cert_to_id(NULL, cert, issuer);
+ if (id == NULL) {
+ *err = "OCSP_cert_to_id() failed";
+ goto failed;
+ }
+
+ if (OCSP_request_add0_id(ocsp, id) == NULL) {
+ *err = "OCSP_request_add0_id() failed";
+ goto failed;
+ }
+
+ len = i2d_OCSP_REQUEST(ocsp, NULL);
+ if (len <= 0) {
+ *err = "i2d_OCSP_REQUEST() failed";
+ goto failed;
+ }
+
+ if (len > *out_size) {
+ *err = "output buffer too small";
+ *out_size = len;
+ rc = NGX_BUSY;
+ goto failed;
+ }
+
+ len = i2d_OCSP_REQUEST(ocsp, &out);
+ if (len <= 0) {
+ *err = "i2d_OCSP_REQUEST() failed";
+ goto failed;
+ }
+
+ *out_size = len;
+
+ OCSP_REQUEST_free(ocsp);
+ X509_free(issuer);
+ X509_free(cert);
+ BIO_free(bio);
+
+ return NGX_OK;
+
+failed:
+
+ if (ocsp) {
+ OCSP_REQUEST_free(ocsp);
+ }
+
+ if (issuer) {
+ X509_free(issuer);
+ }
+
+ if (cert) {
+ X509_free(cert);
+ }
+
+ if (bio) {
+ BIO_free(bio);
+ }
+
+ return rc;
+
+#endif /* NGX_HTTP_LUA_USE_OCSP */
+}
+
+
+int
+ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp,
+ size_t resp_len, const char *chain_data, size_t chain_len,
+ u_char *errbuf, size_t *errbuf_size)
+{
+#ifndef NGX_HTTP_LUA_USE_OCSP
+
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "no OCSP support") - errbuf;
+ return NGX_ERROR;
+
+#else
+
+ int n;
+ BIO *bio = NULL;
+ X509 *cert = NULL, *issuer = NULL;
+ OCSP_CERTID *id = NULL;
+ OCSP_RESPONSE *ocsp = NULL;
+ OCSP_BASICRESP *basic = NULL;
+ STACK_OF(X509) *chain = NULL;
+ ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+
+ ocsp = d2i_OCSP_RESPONSE(NULL, &resp, resp_len);
+ if (ocsp == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "d2i_OCSP_RESPONSE() failed") - errbuf;
+ goto error;
+ }
+
+ n = OCSP_response_status(ocsp);
+
+ if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "OCSP response not successful (%d: %s)",
+ n, OCSP_response_status_str(n)) - errbuf;
+ goto error;
+ }
+
+ basic = OCSP_response_get1_basic(ocsp);
+ if (basic == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "OCSP_response_get1_basic() failed")
+ - errbuf;
+ goto error;
+ }
+
+ /* get issuer certificate from chain */
+
+ bio = BIO_new_mem_buf((char *) chain_data, chain_len);
+ if (bio == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "BIO_new_mem_buf() failed")
+ - errbuf;
+ goto error;
+ }
+
+ cert = d2i_X509_bio(bio, NULL);
+ if (cert == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "d2i_X509_bio() failed")
+ - errbuf;
+ goto error;
+ }
+
+ if (BIO_eof(bio)) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "no issuer certificate in chain")
+ - errbuf;
+ goto error;
+ }
+
+ issuer = d2i_X509_bio(bio, NULL);
+ if (issuer == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "d2i_X509_bio() failed") - errbuf;
+ goto error;
+ }
+
+ chain = sk_X509_new_null();
+ if (chain == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "sk_X509_new_null() failed") - errbuf;
+ goto error;
+ }
+
+ (void) sk_X509_push(chain, issuer);
+
+ if (OCSP_basic_verify(basic, chain, NULL, OCSP_NOVERIFY) != 1) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "OCSP_basic_verify() failed") - errbuf;
+ goto error;
+ }
+
+ id = OCSP_cert_to_id(NULL, cert, issuer);
+ if (id == NULL) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "OCSP_cert_to_id() failed") - errbuf;
+ goto error;
+ }
+
+ if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ &thisupdate, &nextupdate)
+ != 1)
+ {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "certificate status not found in the "
+ "OCSP response") - errbuf;
+ goto error;
+ }
+
+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "certificate status \"%s\" in the OCSP "
+ "response", OCSP_cert_status_str(n))
+ - errbuf;
+ goto error;
+ }
+
+ if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
+ *errbuf_size = ngx_snprintf(errbuf, *errbuf_size,
+ "OCSP_check_validity() failed") - errbuf;
+ goto error;
+ }
+
+ sk_X509_free(chain);
+ X509_free(cert);
+ X509_free(issuer);
+ BIO_free(bio);
+ OCSP_CERTID_free(id);
+ OCSP_BASICRESP_free(basic);
+ OCSP_RESPONSE_free(ocsp);
+
+ return NGX_OK;
+
+error:
+
+ if (chain) {
+ sk_X509_free(chain);
+ }
+
+ if (id) {
+ OCSP_CERTID_free(id);
+ }
+
+ if (basic) {
+ OCSP_BASICRESP_free(basic);
+ }
+
+ if (ocsp) {
+ OCSP_RESPONSE_free(ocsp);
+ }
+
+ if (cert) {
+ X509_free(cert);
+ }
+
+ if (issuer) {
+ X509_free(issuer);
+ }
+
+ if (bio) {
+ BIO_free(bio);
+ }
+
+ ERR_clear_error();
+
+ return NGX_ERROR;
+
+#endif /* NGX_HTTP_LUA_USE_OCSP */
+}
+
+
+#ifdef NGX_HTTP_LUA_USE_OCSP
+static int
+ngx_http_lua_ssl_empty_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
+{
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
+
+int
+ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
+ const u_char *resp, size_t resp_len, char **err)
+{
+#ifndef NGX_HTTP_LUA_USE_OCSP
+
+ *err = "no OCSP support";
+ return NGX_ERROR;
+
+#else
+
+ u_char *p;
+ SSL_CTX *ctx;
+ ngx_ssl_conn_t *ssl_conn;
+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
+ *err = "bad request";
+ return NGX_ERROR;
+ }
+
+ ssl_conn = r->connection->ssl->connection;
+ if (ssl_conn == NULL) {
+ *err = "bad ssl conn";
+ return NGX_ERROR;
+ }
+
+ if (ssl_conn->tlsext_status_type == -1) {
+ dd("no ocsp status req from client");
+ return NGX_DECLINED;
+ }
+
+ /* we have to register an empty status callback here otherwise
+ * OpenSSL won't send the response staple. */
+
+ ctx = SSL_get_SSL_CTX(ssl_conn);
+ SSL_CTX_set_tlsext_status_cb(ctx,
+ ngx_http_lua_ssl_empty_status_callback);
+
+ p = OPENSSL_malloc(resp_len);
+ if (p == NULL) {
+ *err = "OPENSSL_malloc() failed";
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(p, resp, resp_len);
+
+ dd("set ocsp resp: resp_len=%d", (int) resp_len);
+ (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len);
+ ssl_conn->tlsext_status_expected = 1;
+
+ return NGX_OK;
+
+#endif /* NGX_HTTP_LUA_USE_OCSP */
+}
+
+#endif /* NGX_LUA_NO_FFI_API */
+
+
+#endif /* NGX_HTTP_SSL */
From 17409ee61d2539ddc146cf7377329348f5c28d5c Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Fri, 1 Jan 2016 16:23:58 -0800
Subject: [PATCH 36/56] minor tweaks in tests.
---
 t/130-ssl-cert-by.t | 1 -
 1 file changed, 1 deletion(-)
diff --git a/t/130-ssl-cert-by.t b/t/130-ssl-cert-by.t
index 2a10162391..7442228a50 100644
--- a/t/130-ssl-cert-by.t
+++ b/t/130-ssl-cert-by.t
@@ -1,6 +1,5 @@
 # vim:set ft= ts=4 sw=4 et fdm=marker:
-use lib 'lib';
 use Test::Nginx::Socket::Lua;
 repeat_each(3);
From eea52ab8f03559207d482701c72defa20848aec1 Mon Sep 17 00:00:00 2001
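Review bot: `OCSP_basic_verify(basic, chain, NULL, OCSP_NOVERIFY)` and `OCSP_check_validity(thisupdate, nextupdate, 300, -1)` in ngx_http_lua_ffi_ssl_validate_ocsp_response carry no comment on what they relax, and both deserve one: OCSP_NOVERIFY checks the response signature but skips verification of the signer certificate, so a responder certificate embedded in the response appears to be accepted without being chained to the issuer, and maxsec = -1 puts no upper bound on the age of thisUpdate, so a response that omits nextUpdate never goes stale here. Suggested comment above the verify call: `/* NOVERIFY: signature is checked, signer cert is not chain-validated; 300 = clock-skew allowance (s), -1 = no max age for thisUpdate */`. Since this validates the staple for the server's own certificate before it is sent, the exposure is a stale or tampered response from the responder being stapled rather than any client-side trust decision, but the trade-off should be stated rather than left implicit. Separately, ngx_http_lua_ffi_ssl_set_ocsp_status_resp installs `ngx_http_lua_ssl_empty_status_callback` on the shared SSL_CTX from a per-connection path, which presumably also replaces a status callback nginx's own `ssl_stapling` installed on that context for all later connections; the existing comment should note that this is a context-wide, one-way change.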
From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 16:24:55 -0800 Subject: [PATCH 37/56] tests: renamed t/130-ssl-cert-by.t to t/139-ssl-cert-by.t. --- t/{130-ssl-cert-by.t => 139-ssl-cert-by.t} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename t/{130-ssl-cert-by.t => 139-ssl-cert-by.t} (100%) diff --git a/t/130-ssl-cert-by.t b/t/139-ssl-cert-by.t similarity index 100% rename from t/130-ssl-cert-by.t rename to t/139-ssl-cert-by.t From 3648acb9c3e216fb806da04a78940f93e48df8d9 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 19:34:37 -0800 Subject: [PATCH 38/56] bugfix: compilation failed without http_ssl_module in the nginx build. --- src/ngx_http_lua_module.c | 3 +++ src/ngx_http_lua_ssl_certby.h | 6 ++++++ util/build2.sh | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 61a053e573..c1fa533103 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -876,6 +876,8 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf) static char * ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) { +#if (NGX_HTTP_SSL) + ngx_http_lua_srv_conf_t *prev = parent; ngx_http_lua_srv_conf_t *conf = child; ngx_http_ssl_srv_conf_t *sscf; @@ -907,6 +909,7 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) #endif } +#endif /* NGX_HTTP_SSL */ return NGX_CONF_OK; } diff --git a/src/ngx_http_lua_ssl_certby.h b/src/ngx_http_lua_ssl_certby.h index 73586a01ea..ce0ab64999 100644 --- a/src/ngx_http_lua_ssl_certby.h +++ b/src/ngx_http_lua_ssl_certby.h @@ -11,6 +11,9 @@ #include "ngx_http_lua_common.h" +#if (NGX_HTTP_SSL) + + typedef struct { ngx_connection_t *connection; /* original true connection */ ngx_http_request_t *request; /* fake request */ 
@@ -33,6 +36,9 @@ char *ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, int ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); +#endif /* NGX_HTTP_SSL */ + + #endif /* _NGX_HTTP_LUA_SSL_CERTBY_H_INCLUDED_ */ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */ diff --git a/util/build2.sh b/util/build2.sh index 6c52eff995..c94c92867a 100755 --- a/util/build2.sh +++ b/util/build2.sh @@ -27,7 +27,7 @@ time ngx-build $force $version \ --with-ipv6 \ --with-cc-opt="-I$PCRE_INC" \ --with-http_realip_module \ - --with-http_ssl_module \ + --with-http_ssl_module \ --add-module=$root/../ndk-nginx-module \ --add-module=$root/../set-misc-nginx-module \ --with-ld-opt="-L$PCRE_LIB -Wl,-rpath,$PCRE_LIB:$LIBDRIZZLE_LIB" \ From 7caa2f84c8fd7a1cdd5eabfd5469e8fd045d5833 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sat, 2 Jan 2016 09:17:50 -0800 Subject: [PATCH 39/56] feature: enabled the coroutine.* API in the context of ssl_certificate_by_lua. --- src/ngx_http_lua_coroutine.c | 12 ++-- t/139-ssl-cert-by.t | 124 +++++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+), 4 deletions(-) diff --git a/src/ngx_http_lua_coroutine.c b/src/ngx_http_lua_coroutine.c index fad9eae705..cb819c693b 100644 --- a/src/ngx_http_lua_coroutine.c +++ b/src/ngx_http_lua_coroutine.c @@ -76,7 +76,8 @@ ngx_http_lua_coroutine_create_helper(lua_State *L, ngx_http_request_t *r, ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); vm = ngx_http_lua_get_lua_vm(r, ctx); 
@@ -151,7 +152,8 @@ ngx_http_lua_coroutine_resume(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); p_coctx = ctx->cur_co_ctx; if (p_coctx == NULL) { @@ -210,7 +212,8 @@ ngx_http_lua_coroutine_yield(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ctx->cur_co_ctx; @@ -358,7 +361,8 @@ ngx_http_lua_coroutine_status(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ngx_http_lua_get_co_ctx(co, ctx); if (coctx == NULL) { diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t index 7442228a50..4e8bbd0b29 100644 --- a/t/139-ssl-cert-by.t +++ b/t/139-ssl-cert-by.t 
@@ -4166,3 +4166,127 @@ a.lua:1: ssl cert by lua is running! [error] [alert] + + +=== TEST 45: coroutine API +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + local cc, cr, cy = coroutine.create, coroutine.resume, coroutine.yield + + local function f() + local cnt = 0 + for i = 1, 20 do + print("co yield: ", cnt) + cy() + cnt = cnt + 1 + end + end + + local c = cc(f) + for i = 1, 3 do + print("co resume, status: ", coroutine.status(c)) + cr(c) + end + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", 
ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- grep_error_log eval: qr/co (?:yield: \d+|resume, status: \w+)/ +--- grep_error_log_out +co resume, status: suspended +co yield: 0 +co resume, status: suspended +co yield: 1 +co resume, status: suspended +co yield: 2 + +--- error_log +lua ssl server name: "test.com" + +--- no_error_log +[error] +[alert] From bbc75f22f3a1a92b3383bd12ab87f92df18878b3 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sat, 2 Jan 2016 09:26:33 -0800 Subject: [PATCH 40/56] feature: enabled the ngx.thread.* API in the context of ssl_certificate_by_lua. --- src/ngx_http_lua_uthread.c | 6 +- t/139-ssl-cert-by.t | 125 ++++++++++++++++++++++++++++++++++++- 2 files changed, 128 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_lua_uthread.c b/src/ngx_http_lua_uthread.c index de7a72c7f4..8195ec0f82 100644 --- a/src/ngx_http_lua_uthread.c +++ b/src/ngx_http_lua_uthread.c @@ -126,7 +126,8 @@ ngx_http_lua_uthread_wait(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ctx->cur_co_ctx; @@ -223,7 +224,8 @@ ngx_http_lua_uthread_kill(lua_State *L) ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT - | NGX_HTTP_LUA_CONTEXT_TIMER); + | NGX_HTTP_LUA_CONTEXT_TIMER + | NGX_HTTP_LUA_CONTEXT_SSL_CERT); coctx = ctx->cur_co_ctx; diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t index 4e8bbd0b29..92b7aac063 100644 --- a/t/139-ssl-cert-by.t +++ b/t/139-ssl-cert-by.t 
@@ -4,7 +4,7 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 23); +plan tests => repeat_each() * (blocks() * 6 + 22); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
@@ -4290,3 +4290,126 @@ lua ssl server name: "test.com" --- no_error_log [error] [alert] + + + +=== TEST 46: simple user thread wait with yielding +--- http_config + lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua ' + function f() + ngx.sleep(0.01) + print("uthread: hello in thread") + return "done" + end + + local t, err = ngx.thread.spawn(f) + if not t then + ngx.log(ngx.ERR, "uthread: failed to spawn thread: ", err) + return ngx.exit(ngx.ERROR) + end + + print("uthread: thread created: ", coroutine.status(t)) + + local ok, res = ngx.thread.wait(t) + if not ok then + print("uthread: failed to wait thread: ", res) + return + end + + print("uthread: ", res) + '; + ssl_certificate ../../cert/test.crt; + ssl_certificate_key ../../cert/test.key; + + server_tokens off; + location /foo { + default_type 'text/plain'; + content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + more_clear_headers Date; + } + } +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER; + lua_ssl_trusted_certificate ../../cert/test.crt; + + location /t { + #set $port 5000; + set $port $TEST_NGINX_MEMCACHED_PORT; + + content_by_lua ' + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = 
sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + '; + } + +--- request +GET /t +--- response_body +connected: 1 +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil + +--- no_error_log +[error] +[alert] +--- grep_error_log eval: qr/uthread: [^.,]+/ +--- grep_error_log_out +uthread: thread created: running +uthread: hello in thread +uthread: done From b4675a54643fd605b72d25b2a4441e8a785e5082 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 19:52:05 -0800 Subject: [PATCH 41/56] replaced ssl_certificate_by_lua "..." with ssl_certificate_by_lua_block {...}. --- src/ngx_http_lua_module.c | 6 +- src/ngx_http_lua_ssl_certby.c | 20 ++ src/ngx_http_lua_ssl_certby.h | 3 + t/139-ssl-cert-by.t | 456 +++++++++++++++++----------------- 4 files changed, 254 insertions(+), 231 deletions(-) diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index c1fa533103..89f27c37ba 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -511,9 +511,9 @@ static ngx_command_t ngx_http_lua_cmds[] = { #if (NGX_HTTP_SSL) - { ngx_string("ssl_certificate_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, - ngx_http_lua_ssl_cert_by_lua, + { ngx_string("ssl_certificate_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_cert_by_lua_block, NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_ssl_cert_handler_inline }, diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c index 11f7103be0..8013c0427b 100644 --- a/src/ngx_http_lua_ssl_certby.c 
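Review bot: `function f()` in TEST 46's ssl_certificate_by_lua block defines a global in the handler's Lua VM, whereas TEST 45 in the same file uses `local function f()`; a global created in a per-handshake handler persists across connections and can collide with any other `f` defined in the same VM, so `local function f()` is the safer form and keeps the two tests consistent.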
+++ b/src/ngx_http_lua_ssl_certby.c @@ -19,6 +19,7 @@ #include "ngx_http_ssl_module.h" #include "ngx_http_lua_contentby.h" #include "ngx_http_lua_ssl_certby.h" +#include "ngx_http_lua_directive.h" static void ngx_http_lua_ssl_cert_done(void *data); @@ -71,6 +72,25 @@ ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, } +char * +ngx_http_lua_ssl_cert_by_lua_block(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf) +{ + char *rv; + ngx_conf_t save; + + save = *cf; + cf->handler = ngx_http_lua_ssl_cert_by_lua; + cf->handler_conf = conf; + + rv = ngx_http_lua_conf_lua_block_parse(cf, cmd); + + *cf = save; + + return rv; +} + + char * ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) diff --git a/src/ngx_http_lua_ssl_certby.h b/src/ngx_http_lua_ssl_certby.h index ce0ab64999..11cb9634f8 100644 --- a/src/ngx_http_lua_ssl_certby.h +++ b/src/ngx_http_lua_ssl_certby.h @@ -30,6 +30,9 @@ ngx_int_t ngx_http_lua_ssl_cert_handler_inline(ngx_http_request_t *r, ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L); +char *ngx_http_lua_ssl_cert_by_lua_block(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + char *ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t index 92b7aac063..290ac8c5d6 100644 --- a/t/139-ssl-cert-by.t +++ b/t/139-ssl-cert-by.t @@ -28,14 +28,14 @@ __DATA__ server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua 'print("ssl cert by lua is running!")'; + ssl_certificate_by_lua_block { print("ssl cert by lua is running!") } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } more_clear_headers Date; } } 
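Review bot: ngx_http_lua_ssl_cert_by_lua_block has no comment explaining the save/restore of `*cf` around ngx_http_lua_conf_lua_block_parse, which is the only non-obvious part of the function; suggest `/* route the parsed { ... } body to ngx_http_lua_ssl_cert_by_lua; cf->handler/handler_conf are restored so the override is scoped to this directive */` above `save = *cf;`. Whether this mirrors the other *_by_lua_block handlers I cannot confirm from this hunk, since they live outside it.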
@@ -48,7 +48,7 @@ __DATA__ #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -70,7 +70,7 @@ __DATA__ ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -93,7 +93,7 @@ __DATA__ ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -128,18 +128,18 @@ ssl_certificate_by_lua:1: ssl cert by lua is running! server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local begin = ngx.now() ngx.sleep(0.1) print("elapsed in ssl cert by lua: ", ngx.now() - begin) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -152,7 +152,7 @@ ssl_certificate_by_lua:1: ssl cert by lua is running! #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -174,7 +174,7 @@ ssl_certificate_by_lua:1: ssl cert by lua is running! ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -197,7 +197,7 @@ ssl_certificate_by_lua:1: ssl cert by lua is running! ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request 
@@ -234,7 +234,7 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local function f() print("my timer run!") end @@ -243,14 +243,14 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, ngx.log(ngx.ERR, "failed to create timer: ", err) return end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -263,7 +263,7 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -285,7 +285,7 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -308,7 +308,7 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -343,7 +343,7 @@ my timer run! server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local sock = ngx.socket.tcp() sock:settimeout(2000) @@ -354,7 +354,7 @@ my timer run! return end - local bytes, err = sock:send("flush_all\\r\\n") + local bytes, err = sock:send("flush_all\r\n") if not bytes then ngx.log(ngx.ERR, "failed to send flush_all command: ", err) return 
@@ -367,14 +367,14 @@ my timer run! end print("received memc reply: ", res) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -387,7 +387,7 @@ my timer run! #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -409,7 +409,7 @@ my timer run! ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -432,7 +432,7 @@ my timer run! ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -467,17 +467,17 @@ received memc reply: OK server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" ssl.clear_certs() - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -490,7 +490,7 @@ received memc reply: OK #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -512,7 +512,7 @@ received memc reply: OK ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -535,7 +535,7 @@ received memc reply: OK ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -561,7 +561,7 @@ sslv3 alert handshake failure server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" ssl.clear_certs() @@ -585,14 +585,14 @@ sslv3 alert handshake failure ngx.log(ngx.ERR, "failed to set DER cert: ", err) return end - '; + } ssl_certificate ../../cert/test2.crt; ssl_certificate_key ../../cert/test2.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -605,7 +605,7 @@ sslv3 alert handshake failure #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -627,7 +627,7 @@ sslv3 alert handshake failure ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -650,7 +650,7 @@ sslv3 alert handshake failure ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request 
@@ -685,17 +685,17 @@ lua ssl server name: "test.com" server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" print("read SNI name from Lua: ", ssl.server_name()) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -708,7 +708,7 @@ lua ssl server name: "test.com" #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -730,7 +730,7 @@ lua ssl server name: "test.com" ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -753,7 +753,7 @@ lua ssl server name: "test.com" ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -788,18 +788,18 @@ read SNI name from Lua: test.com server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local name = ssl.server_name(), print("read SNI name from Lua: ", name, ", type: ", type(name)) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } 
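Review bot: In the `@@ -788,18 +788,18 @@` hunk the context line `local name = ssl.server_name(),` ends with a stray comma, so the `print(...)` on the next line is parsed as the second expression of the `local` declaration rather than as its own statement; it still executes only because Lua evaluates and then discards the surplus value. The two lines should read `local name = ssl.server_name()` followed by `print("read SNI name from Lua: ", name, ", type: ", type(name))`. This is a pre-existing line that the commit touches only by swapping the surrounding delimiters to `ssl_certificate_by_lua_block { ... }`, so it is worth fixing while the block is being rewritten; the rest of that server block lies outside the hunk.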
@@ -812,7 +812,7 @@ read SNI name from Lua: test.com #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -834,7 +834,7 @@ read SNI name from Lua: test.com ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -857,7 +857,7 @@ read SNI name from Lua: test.com ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -892,7 +892,7 @@ read SNI name from Lua: nil, type: nil server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local addr, addrtyp, err = ssl.raw_server_addr() if not addr then @@ -912,14 +912,14 @@ read SNI name from Lua: nil, type: nil else -- unix print("Using unix socket file ", addr) end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -932,7 +932,7 @@ read SNI name from Lua: nil, type: nil #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -954,7 +954,7 @@ read SNI name from Lua: nil, type: nil ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) 
@@ -977,7 +977,7 @@ read SNI name from Lua: nil, type: nil ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -1014,7 +1014,7 @@ qr/Using unix socket file .*?nginx\.sock/ server { listen 127.0.0.1:12345 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local byte = string.byte @@ -1036,14 +1036,14 @@ qr/Using unix socket file .*?nginx\.sock/ else -- unix print("Using unix socket file ", addr) end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1056,7 +1056,7 @@ qr/Using unix socket file .*?nginx\.sock/ #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1078,7 +1078,7 @@ qr/Using unix socket file .*?nginx\.sock/ ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -1101,7 +1101,7 @@ qr/Using unix socket file .*?nginx\.sock/ ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -1136,7 +1136,7 @@ Using IPv4 address: 127.0.0.1 server { listen [::1]:12345 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local byte = string.byte 
@@ -1158,14 +1158,14 @@ Using IPv4 address: 127.0.0.1 else -- unix print("Using unix socket file ", addr) end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1178,7 +1178,7 @@ Using IPv4 address: 127.0.0.1 #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1200,7 +1200,7 @@ Using IPv4 address: 127.0.0.1 ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -1223,7 +1223,7 @@ Using IPv4 address: 127.0.0.1 ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -1258,7 +1258,7 @@ Using IPv6 address: 0.0.0.1 server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" ssl.clear_certs() @@ -1282,14 +1282,14 @@ Using IPv6 address: 0.0.0.1 ngx.log(ngx.ERR, "failed to set DER cert: ", err) return end - '; + } ssl_certificate ../../cert/test2.crt; ssl_certificate_key ../../cert/test2.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1303,7 +1303,7 @@ Using IPv6 address: 0.0.0.1 #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -1325,7 +1325,7 @@ Using IPv6 address: 0.0.0.1 ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -1348,7 +1348,7 @@ Using IPv6 address: 0.0.0.1 ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -1383,7 +1383,7 @@ lua ssl server name: "test.com" server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" ssl.clear_certs() @@ -1413,14 +1413,14 @@ lua ssl server name: "test.com" ngx.log(ngx.ERR, "failed to set DER cert: ", err) return end - '; + } ssl_certificate ../../cert/test2.crt; ssl_certificate_key ../../cert/test2.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1434,7 +1434,7 @@ lua ssl server name: "test.com" #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1456,7 +1456,7 @@ lua ssl server name: "test.com" ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -1479,7 +1479,7 @@ lua ssl server name: "test.com" ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request 
@@ -1514,7 +1514,7 @@ lua ssl server name: "test.com" server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -1534,14 +1534,14 @@ lua ssl server name: "test.com" end ngx.log(ngx.WARN, "OCSP url found: ", url) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1555,7 +1555,7 @@ lua ssl server name: "test.com" #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1577,7 +1577,7 @@ lua ssl server name: "test.com" ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -1604,7 +1604,7 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/chain/chain.pem")) @@ -1628,14 +1628,14 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, end ngx.log(ngx.WARN, "OCSP url found: ", url) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1649,7 +1649,7 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -1671,7 +1671,7 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -1698,7 +1698,7 @@ OCSP responder not found server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/test-com.crt")) @@ -1722,14 +1722,14 @@ OCSP responder not found end ngx.log(ngx.WARN, "OCSP url found: ", url) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1743,7 +1743,7 @@ OCSP responder not found #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1765,7 +1765,7 @@ OCSP responder not found ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -1791,7 +1791,7 @@ failed to get OCSP responder: no issuer certificate in chain server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/wrong-issuer-order-chain.pem")) @@ -1815,14 +1815,14 @@ failed to get OCSP responder: no issuer certificate in chain end ngx.log(ngx.WARN, "OCSP url found: ", url) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } 
@@ -1836,7 +1836,7 @@ failed to get OCSP responder: no issuer certificate in chain #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1858,7 +1858,7 @@ failed to get OCSP responder: no issuer certificate in chain ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -1884,7 +1884,7 @@ failed to get OCSP responder: issuer certificate not next to leaf server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -1913,14 +1913,14 @@ failed to get OCSP responder: issuer certificate not next to leaf end ngx.log(ngx.WARN, "OCSP url found: ", url) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -1934,7 +1934,7 @@ failed to get OCSP responder: issuer certificate not next to leaf #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -1956,7 +1956,7 @@ failed to get OCSP responder: issuer certificate not next to leaf ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -1984,7 +1984,7 @@ still get an error: truncated server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) 
@@ -2011,14 +2011,14 @@ still get an error: truncated if req ~= expected then ngx.log(ngx.ERR, "ocsp responder: got unexpected OCSP request") end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2032,7 +2032,7 @@ still get an error: truncated #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2054,7 +2054,7 @@ still get an error: truncated ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2081,7 +2081,7 @@ OCSP request created with length 68 server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -2106,14 +2106,14 @@ OCSP request created with length 68 bytes[i] = string.format("%02x", byte) end ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2127,7 +2127,7 @@ OCSP request created with length 68 #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2149,7 +2149,7 @@ OCSP request created with length 68 ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -2175,7 +2175,7 @@ failed to create OCSP request: output buffer too small: 68 > 67 server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local cert_data = "" @@ -2191,14 +2191,14 @@ failed to create OCSP request: output buffer too small: 68 > 67 bytes[i] = string.format("%02x", byte) end ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2212,7 +2212,7 @@ failed to create OCSP request: output buffer too small: 68 > 67 #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2234,7 +2234,7 @@ failed to create OCSP request: output buffer too small: 68 > 67 ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2260,7 +2260,7 @@ failed to create OCSP request: d2i_X509_bio() failed server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/test-com.crt")) @@ -2285,14 +2285,14 @@ failed to create OCSP request: d2i_X509_bio() failed bytes[i] = string.format("%02x", byte) end ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } 
@@ -2306,7 +2306,7 @@ failed to create OCSP request: d2i_X509_bio() failed #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2328,7 +2328,7 @@ failed to create OCSP request: d2i_X509_bio() failed ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2354,7 +2354,7 @@ failed to create OCSP request: no issuer certificate in chain server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -2378,14 +2378,14 @@ failed to create OCSP request: no issuer certificate in chain end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2399,7 +2399,7 @@ failed to create OCSP request: no issuer certificate in chain #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2421,7 +2421,7 @@ failed to create OCSP request: no issuer certificate in chain ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2448,7 +2448,7 @@ OCSP response validation ok server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/test-com.crt")) 
@@ -2472,14 +2472,14 @@ OCSP response validation ok end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2493,7 +2493,7 @@ OCSP response validation ok #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2515,7 +2515,7 @@ OCSP response validation ok ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2542,7 +2542,7 @@ OCSP response validation ok server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -2566,14 +2566,14 @@ OCSP response validation ok end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2587,7 +2587,7 @@ OCSP response validation ok #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2609,7 +2609,7 @@ OCSP response validation ok ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -2639,7 +2639,7 @@ FIXME: we should complain in this case. server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -2663,14 +2663,14 @@ FIXME: we should complain in this case. end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2684,7 +2684,7 @@ FIXME: we should complain in this case. #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2706,7 +2706,7 @@ FIXME: we should complain in this case. ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2734,7 +2734,7 @@ OCSP response validation ok server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/chain.pem")) @@ -2758,14 +2758,14 @@ OCSP response validation ok end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2779,7 +2779,7 @@ OCSP response validation ok #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -2801,7 +2801,7 @@ OCSP response validation ok ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2828,7 +2828,7 @@ OCSP response validation ok server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/revoked-chain.pem")) @@ -2852,14 +2852,14 @@ OCSP response validation ok end ngx.log(ngx.WARN, "OCSP response validation ok") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -2873,7 +2873,7 @@ OCSP response validation ok #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2895,7 +2895,7 @@ OCSP response validation ok ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -2923,7 +2923,7 @@ FIXME: check the OCSP staple actually received by the ssl client server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) @@ -2938,14 +2938,14 @@ FIXME: check the OCSP staple actually received by the ssl client return end ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } 
@@ -2959,7 +2959,7 @@ FIXME: check the OCSP staple actually received by the ssl client #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -2981,7 +2981,7 @@ FIXME: check the OCSP staple actually received by the ssl client ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3008,7 +3008,7 @@ ocsp status resp set ok: nil, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) @@ -3023,14 +3023,14 @@ ocsp status resp set ok: nil, return end ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3044,7 +3044,7 @@ ocsp status resp set ok: nil, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3066,7 +3066,7 @@ ocsp status resp set ok: nil, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3093,7 +3093,7 @@ ocsp status resp set ok: no status req, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local ver, err = ssl.get_tls1_version_str(resp) @@ -3102,7 +3102,7 @@ ocsp status resp set ok: no status req, return end ngx.log(ngx.WARN, "got TLS1 version: ", ver) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; ssl_protocols SSLv3; 
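Review bot: In the `@@ -3093,7 +3093,7 @@` hunk, `local ver, err = ssl.get_tls1_version_str(resp)` passes `resp`, which is never declared anywhere in the visible block, so it is an accidental global lookup that yields `nil` at call time; the same call is repeated in the `@@ -3173`, `@@ -3253` and `@@ -3333` hunks. It looks like a leftover from a copy of the OCSP tests above, and if the function takes no argument the line should simply be `local ver, err = ssl.get_tls1_version_str()`. If it does accept a parameter, the tests are silently exercising the nil path, which is presumably not what the four `ssl_protocols` variants intend to check. The enclosing `ssl_certificate_by_lua_block` body continues outside each of these hunks.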
@@ -3110,7 +3110,7 @@ ocsp status resp set ok: no status req, server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3125,7 +3125,7 @@ ocsp status resp set ok: no status req, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3147,7 +3147,7 @@ ocsp status resp set ok: no status req, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3173,7 +3173,7 @@ got TLS1 version: SSLv3, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local ver, err = ssl.get_tls1_version_str(resp) @@ -3182,7 +3182,7 @@ got TLS1 version: SSLv3, return end ngx.log(ngx.WARN, "got TLS1 version: ", ver) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; ssl_protocols TLSv1; @@ -3190,7 +3190,7 @@ got TLS1 version: SSLv3, server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3205,7 +3205,7 @@ got TLS1 version: SSLv3, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3227,7 +3227,7 @@ got TLS1 version: SSLv3, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3253,7 +3253,7 @@ got TLS1 version: TLSv1, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local ver, err = ssl.get_tls1_version_str(resp) 
@@ -3262,7 +3262,7 @@ got TLS1 version: TLSv1, return end ngx.log(ngx.WARN, "got TLS1 version: ", ver) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; ssl_protocols TLSv1.1; @@ -3270,7 +3270,7 @@ got TLS1 version: TLSv1, server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3285,7 +3285,7 @@ got TLS1 version: TLSv1, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3307,7 +3307,7 @@ got TLS1 version: TLSv1, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3333,7 +3333,7 @@ got TLS1 version: TLSv1.1, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" local ver, err = ssl.get_tls1_version_str(resp) @@ -3342,7 +3342,7 @@ got TLS1 version: TLSv1.1, return end ngx.log(ngx.WARN, "got TLS1 version: ", ver) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; ssl_protocols TLSv1.2; @@ -3350,7 +3350,7 @@ got TLS1 version: TLSv1.1, server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3365,7 +3365,7 @@ got TLS1 version: TLSv1.1, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3387,7 +3387,7 @@ got TLS1 version: TLSv1.1, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -3413,17 +3413,17 @@ got TLS1 version: TLSv1.2, server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.exit(0) ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3437,7 +3437,7 @@ got TLS1 version: TLSv1.2, #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3459,7 +3459,7 @@ got TLS1 version: TLSv1.2, ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3486,17 +3486,17 @@ should never reached here server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.exit(ngx.ERROR) ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3510,7 +3510,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3532,7 +3532,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -3562,19 +3562,19 @@ should never reached here server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.sleep(0.001) ngx.exit(0) ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3588,7 +3588,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3610,7 +3610,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3637,19 +3637,19 @@ should never reached here server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.sleep(0.001) ngx.exit(ngx.ERROR) ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3663,7 +3663,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3685,7 +3685,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -3715,17 +3715,17 @@ should never reached here server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { error("bad bad bad") ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3739,7 +3739,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3761,7 +3761,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request @@ -3792,18 +3792,18 @@ should never reached here server { listen 127.0.0.2:8080 ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.sleep(0.001) error("bad bad bad") ngx.log(ngx.ERR, "should never reached here...") - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3817,7 +3817,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3839,7 +3839,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end -- do - '; + } } --- request 
@@ -3869,14 +3869,14 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua 'print("get_phase: ", ngx.get_phase())'; + ssl_certificate_by_lua_block {print("get_phase: ", ngx.get_phase())} ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -3889,7 +3889,7 @@ should never reached here #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3912,7 +3912,7 @@ should never reached here ngx.say("ssl handshake: ", type(sess)) end collectgarbage() - '; + } } --- request @@ -3938,11 +3938,11 @@ get_phase: ssl_cert server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { ngx.sleep(0.4) local ssl = require "ngx.ssl" ssl.clear_certs() - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; @@ -3957,7 +3957,7 @@ get_phase: ssl_cert #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3980,7 +3980,7 @@ get_phase: ssl_cert ngx.say("ssl handshake: ", type(sess)) end -- do -- collectgarbage() - '; + } } --- request @@ -4006,7 +4006,7 @@ lua ssl server name: "test.com" server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua 'ngx.location.capture("/foo")'; + ssl_certificate_by_lua_block {ngx.location.capture("/foo")} ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; } 
@@ -4019,7 +4019,7 @@ lua ssl server name: "test.com" #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -4042,7 +4042,7 @@ lua ssl server name: "test.com" ngx.say("ssl handshake: ", type(sess)) end -- do -- collectgarbage() - '; + } } --- request @@ -4077,7 +4077,7 @@ qr/\[crit\] .*?cert cb error/, server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} more_clear_headers Date; } } @@ -4095,7 +4095,7 @@ print("ssl cert by lua is running!") #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -4117,7 +4117,7 @@ print("ssl cert by lua is running!") ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -4140,7 +4140,7 @@ print("ssl cert by lua is running!") ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request From ba66f24379c6b0bb71ede3206d1135173b2a4589 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Fri, 1 Jan 2016 20:06:33 -0800 Subject: [PATCH 42/56] refactor: extracted the OCSP related API from the ngx.ssl module to form a new module named ngx.ocsp. --- lua/ngx/ocsp.lua | 146 ++++++++++++++++++++++++++++++++++++++++++++ lua/ngx/ssl.lua | 125 +------------------------------------ t/139-ssl-cert-by.t | 52 ++++++++++------ 3 files changed, 181 insertions(+), 142 deletions(-) create mode 100644 lua/ngx/ocsp.lua diff --git a/lua/ngx/ocsp.lua b/lua/ngx/ocsp.lua new file mode 100644 index 0000000000..b43debe048 --- /dev/null +++ b/lua/ngx/ocsp.lua 
@@ -0,0 +1,146 @@
+-- Copyright (C) Yichun Zhang (agentzh)
+
+
+local ffi = require "ffi"
+local base = require "resty.core.base"
+
+
+local C = ffi.C
+local ffi_str = ffi.string
+local getfenv = getfenv
+local errmsg = base.get_errmsg_ptr()
+local get_string_buf = base.get_string_buf
+local get_string_buf_size = base.get_string_buf_size
+local get_size_ptr = base.get_size_ptr
+local FFI_DECLINED = base.FFI_DECLINED
+local FFI_OK = base.FFI_OK
+local FFI_BUSY = base.FFI_BUSY
+
+
+ffi.cdef[[
+int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(
+ const char *chain_data, size_t chain_len, char *out, size_t *out_size,
+ char **err);
+
+int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data,
+ size_t chain_len, unsigned char *out, size_t *out_size, char **err);
+
+int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp,
+ size_t resp_len, const char *chain_data, size_t chain_len,
+ unsigned char *errbuf, size_t *errbuf_size);
+
+int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
+ const unsigned char *resp, size_t resp_len, char **err);
+]]
+
+
+local _M = { version = base.version }
+
+
+function _M.get_ocsp_responder_from_der_chain(data, maxlen)
+
+ local buf_size = maxlen
+ if not buf_size then
+ buf_size = get_string_buf_size()
+ end
+ local buf = get_string_buf(buf_size)
+
+ local sizep = get_size_ptr()
+ sizep[0] = buf_size
+
+ local rc = C.ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(data,
+ #data, buf, sizep, errmsg)
+
+ if rc == FFI_DECLINED then
+ return nil
+ end
+
+ if rc == FFI_OK then
+ return ffi_str(buf, sizep[0])
+ end
+
+ if rc == FFI_BUSY then
+ return ffi_str(buf, sizep[0]), "truncated"
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.create_ocsp_request(data, maxlen)
+
+ local buf_size = maxlen
+ if not buf_size then
+ buf_size = get_string_buf_size()
+ end
+ local buf = get_string_buf(buf_size)
+
+ local sizep = get_size_ptr()
+ sizep[0] = buf_size
+
+ local rc =
C.ngx_http_lua_ffi_ssl_create_ocsp_request(data,
+ #data, buf, sizep,
+ errmsg)
+
+ if rc == FFI_OK then
+ return ffi_str(buf, sizep[0])
+ end
+
+ if rc == FFI_BUSY then
+ return nil, ffi_str(errmsg[0]) .. ": " .. tonumber(sizep[0])
+ .. " > " .. buf_size
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.validate_ocsp_response(resp, chain, max_errmsg_len)
+
+ local errbuf_size = max_errmsg_len
+ if not errbuf_size then
+ errbuf_size = get_string_buf_size()
+ end
+ local errbuf = get_string_buf(errbuf_size)
+
+ local sizep = get_size_ptr()
+ sizep[0] = errbuf_size
+
+ local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response(
+ resp, #resp, chain, #chain, errbuf, sizep)
+
+ if rc == FFI_OK then
+ return true
+ end
+
+ -- rc == FFI_ERROR
+
+ return nil, ffi_str(errbuf, sizep[0])
+end
+
+
+function _M.set_ocsp_status_resp(data)
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local rc = C.ngx_http_lua_ffi_ssl_set_ocsp_status_resp(r, data, #data,
+ errmsg)
+
+ if rc == FFI_DECLINED then
+ -- no client status req
+ return true, "no status req"
+ end
+
+ if rc == FFI_OK then
+ return true
+ end
+
+ -- rc == FFI_ERROR
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+return _M
diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua
index 8e328a7acf..cd40058520 100644
--- a/lua/ngx/ssl.lua
+++ b/lua/ngx/ssl.lua
@@ -10,12 +10,9 @@ local ffi_str = ffi.string local getfenv = getfenv local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf
-local get_string_buf_size = base.get_string_buf_size
 local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK
-local FFI_BUSY = base.FFI_BUSY
-local FFI_DECLINED = base.FFI_DECLINED
 ffi.cdef[[
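Review bot: In `_M.get_ocsp_responder_from_der_chain` the `FFI_BUSY` branch returns the cut-off URL as the first value with `"truncated"` only as the second, so a caller that stops at `if not url then` will go on to use an incomplete OCSP responder URL; this is inconsistent with `create_ocsp_request` just below, whose `FFI_BUSY` branch returns `nil, err`. If the partial result is intended, the branch deserves a comment such as `-- FFI_BUSY: out buffer too small; the URL is incomplete and callers must check the 2nd return value`, otherwise `return nil, "truncated"` would align the two functions (the t/139 test expecting `still get an error: truncated` would need to follow). None of the four exported functions checks that `data`, `resp` or `chain` is a string, so a `nil` argument dies inside `#data` with a raw length error instead of the module's `nil, err` convention; a guard like `if type(data) ~= "string" then return nil, "bad argument #1: string expected" end` at the top of each would make that consistent. The new module also has no LDoc headers on its public functions; a one-line summary per function covering the expected input encoding and the `maxlen`/`max_errmsg_len` buffer limits would help callers.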
@@ -40,25 +37,11 @@ int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len, unsigned char *der, char **err); -int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( - const char *chain_data, size_t chain_len, char *out, size_t *out_size, - char **err); - -int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, - size_t chain_len, unsigned char *out, size_t *out_size, char **err); - -int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, - size_t resp_len, const char *chain_data, size_t chain_len, - unsigned char *errbuf, size_t *errbuf_size); - -int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, - const unsigned char *resp, size_t resp_len, char **err); - int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err); ]] -local _M = {} +local _M = { version = base.version } local charpp = ffi.new("char*[1]") 
@@ -179,112 +162,6 @@ function _M.cert_pem_to_der(pem) end -function _M.get_ocsp_responder_from_der_chain(data, maxlen) - - local buf_size = maxlen - if not buf_size then - buf_size = get_string_buf_size() - end - local buf = get_string_buf(buf_size) - - local sizep = get_size_ptr() - sizep[0] = buf_size - - local rc = C.ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(data, - #data, buf, sizep, errmsg) - - if rc == FFI_DECLINED then - return nil - end - - if rc == FFI_OK then - return ffi_str(buf, sizep[0]) - end - - if rc == FFI_BUSY then - return ffi_str(buf, sizep[0]), "truncated" - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.create_ocsp_request(data, maxlen) - - local buf_size = maxlen - if not buf_size then - buf_size = get_string_buf_size() - end - local buf = get_string_buf(buf_size) - - local sizep = get_size_ptr() - sizep[0] = buf_size - - local rc = C.ngx_http_lua_ffi_ssl_create_ocsp_request(data, - #data, buf, sizep, - errmsg) - - if rc == FFI_OK then - return ffi_str(buf, sizep[0]) - end - - if rc == FFI_BUSY then - return nil, ffi_str(errmsg[0]) .. ": " .. tonumber(sizep[0]) - .. " > " .. 
buf_size - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.validate_ocsp_response(resp, chain, max_errmsg_len) - - local errbuf_size = max_errmsg_len - if not errbuf_size then - errbuf_size = get_string_buf_size() - end - local errbuf = get_string_buf(errbuf_size) - - local sizep = get_size_ptr() - sizep[0] = errbuf_size - - local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response( - resp, #resp, chain, #chain, errbuf, sizep) - - if rc == FFI_OK then - return true - end - - -- rc == FFI_ERROR - - return nil, ffi_str(errbuf, sizep[0]) -end - - -function _M.set_ocsp_status_resp(data) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_ssl_set_ocsp_status_resp(r, data, #data, - errmsg) - - if rc == FFI_DECLINED then - -- no client status req - return true, "no status req" - end - - if rc == FFI_OK then - return true - end - - -- rc == FFI_ERROR - - return nil, ffi_str(errmsg[0]) -end - - local function get_tls1_version() local r = getfenv(0).__ngx_req diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t index 290ac8c5d6..4f08cc1bef 100644 --- a/t/139-ssl-cert-by.t +++ b/t/139-ssl-cert-by.t @@ -1516,6 +1516,7 @@ lua ssl server name: "test.com" server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -1527,7 +1528,7 @@ lua ssl server name: "test.com" return end - local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) if not url then ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) return @@ -1606,6 +1607,7 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/chain/chain.pem")) local cert_data = f:read("*a") 
@@ -1617,7 +1619,7 @@ OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, return end - local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) if not url then if err then ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) @@ -1700,6 +1702,7 @@ OCSP responder not found server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/test-com.crt")) local cert_data = f:read("*a") @@ -1711,7 +1714,7 @@ OCSP responder not found return end - local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) if not url then if err then ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) @@ -1793,6 +1796,7 @@ failed to get OCSP responder: no issuer certificate in chain server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/wrong-issuer-order-chain.pem")) local cert_data = f:read("*a") @@ -1804,7 +1808,7 @@ failed to get OCSP responder: no issuer certificate in chain return end - local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data) + local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) if not url then if err then ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) @@ -1886,6 +1890,7 @@ failed to get OCSP responder: issuer certificate not next to leaf server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") 
@@ -1897,8 +1902,7 @@ failed to get OCSP responder: issuer certificate not next to leaf return end - local url, err = ssl.get_ocsp_responder_from_der_chain(cert_data, - 6) + local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data, 6) if not url then if err then ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) @@ -1986,6 +1990,7 @@ still get an error: truncated server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -1997,7 +2002,7 @@ still get an error: truncated return end - local req, err = ssl.create_ocsp_request(cert_data) + local req, err = ocsp.create_ocsp_request(cert_data) if not req then ngx.log(ngx.ERR, "failed to create OCSP request: ", err) return @@ -2083,6 +2088,7 @@ OCSP request created with length 68 server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -2094,7 +2100,7 @@ OCSP request created with length 68 return end - local req, err = ssl.create_ocsp_request(cert_data, 67) + local req, err = ocsp.create_ocsp_request(cert_data, 67) if not req then ngx.log(ngx.ERR, "failed to create OCSP request: ", err) return @@ -2177,9 +2183,10 @@ failed to create OCSP request: output buffer too small: 68 > 67 server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local cert_data = "" - local req, err = ssl.create_ocsp_request(cert_data, 67) + local req, err = ocsp.create_ocsp_request(cert_data, 67) if not req then ngx.log(ngx.ERR, "failed to create OCSP request: ", err) return ngx.exit(ngx.ERROR) 
@@ -2262,6 +2269,7 @@ failed to create OCSP request: d2i_X509_bio() failed server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/test-com.crt")) local cert_data = f:read("*a") @@ -2273,7 +2281,7 @@ failed to create OCSP request: d2i_X509_bio() failed return end - local req, err = ssl.create_ocsp_request(cert_data, 67) + local req, err = ocsp.create_ocsp_request(cert_data, 67) if not req then ngx.log(ngx.ERR, "failed to create OCSP request: ", err) return @@ -2356,6 +2364,7 @@ failed to create OCSP request: no issuer certificate in chain server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -2371,7 +2380,7 @@ failed to create OCSP request: no issuer certificate in chain local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return @@ -2450,6 +2459,7 @@ OCSP response validation ok server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/test-com.crt")) local cert_data = f:read("*a") @@ -2465,7 +2475,7 @@ OCSP response validation ok local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return @@ -2544,6 +2554,7 @@ OCSP response validation ok server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") 
@@ -2559,7 +2570,7 @@ OCSP response validation ok local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return @@ -2641,6 +2652,7 @@ FIXME: we should complain in this case. server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -2656,7 +2668,7 @@ FIXME: we should complain in this case. local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return @@ -2736,6 +2748,7 @@ OCSP response validation ok server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/chain.pem")) local cert_data = f:read("*a") @@ -2751,7 +2764,7 @@ OCSP response validation ok local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return @@ -2830,6 +2843,7 @@ OCSP response validation ok server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/revoked-chain.pem")) local cert_data = f:read("*a") @@ -2845,7 +2859,7 @@ OCSP response validation ok local resp = f:read("*a") f:close() - local req, err = ssl.validate_ocsp_response(resp, cert_data) + local req, err = ocsp.validate_ocsp_response(resp, cert_data) if not req then ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) return ngx.exit(ngx.ERROR) 
@@ -2925,6 +2939,7 @@ FIXME: check the OCSP staple actually received by the ssl client server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) local resp = assert(f:read("*a")) @@ -2932,7 +2947,7 @@ FIXME: check the OCSP staple actually received by the ssl client print("resp len: ", #resp) - local ok, err = ssl.set_ocsp_status_resp(resp) + local ok, err = ocsp.set_ocsp_status_resp(resp) if not ok then ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) return @@ -3010,6 +3025,7 @@ ocsp status resp set ok: nil, server_name test.com; ssl_certificate_by_lua_block { local ssl = require "ngx.ssl" + local ocsp = require "ngx.ocsp" local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) local resp = assert(f:read("*a")) @@ -3017,7 +3033,7 @@ ocsp status resp set ok: nil, print("resp len: ", #resp) - local ok, err = ssl.set_ocsp_status_resp(resp) + local ok, err = ocsp.set_ocsp_status_resp(resp) if not ok then ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) return From 29523de4a9c25399717e11b77cf1c36b8787618f Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sat, 2 Jan 2016 09:56:16 -0800 Subject: [PATCH 43/56] resolved issues due to the most recent merge. --- t/139-ssl-cert-by.t | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t index 4f08cc1bef..98dc6592e4 100644 --- a/t/139-ssl-cert-by.t +++ b/t/139-ssl-cert-by.t @@ -4191,7 +4191,7 @@ a.lua:1: ssl cert by lua is running! server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { local cc, cr, cy = coroutine.create, coroutine.resume, coroutine.yield local function f() 
@@ -4208,14 +4208,14 @@ a.lua:1: ssl cert by lua is running! print("co resume, status: ", coroutine.status(c)) cr(c) end - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } more_clear_headers Date; } } @@ -4228,7 +4228,7 @@ a.lua:1: ssl cert by lua is running! #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() @@ -4250,7 +4250,7 @@ a.lua:1: ssl cert by lua is running! ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -4273,7 +4273,7 @@ a.lua:1: ssl cert by lua is running! ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request @@ -4316,7 +4316,7 @@ lua ssl server name: "test.com" server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_certificate_by_lua ' + ssl_certificate_by_lua_block { function f() ngx.sleep(0.01) print("uthread: hello in thread") @@ -4338,14 +4338,14 @@ lua ssl server name: "test.com" end print("uthread: ", res) - '; + } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua 'ngx.status = 201 ngx.say("foo") ngx.exit(201)'; + content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } more_clear_headers Date; } } @@ -4358,7 +4358,7 @@ lua ssl server name: "test.com" #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua ' + content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -4380,7 +4380,7 @@ lua ssl server name: "test.com" ngx.say("ssl handshake: ", type(sess)) - local req = "GET /foo HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -4403,7 +4403,7 @@ lua ssl server name: "test.com" ngx.say("close: ", ok, " ", err) end -- do -- collectgarbage() - '; + } } --- request From ed9663d5cf46d2252dd7dab6ad161e275daa9330 Mon Sep 17 00:00:00 2001 
From: "Yichun Zhang (agentzh)" Date: Sat, 2 Jan 2016 10:30:37 -0800 Subject: [PATCH 44/56] refactor: removed the Lua modules ngx.ssl and ngx.ocsp and their related tests since they are now going to lua-resty-core. --- lua/ngx/ocsp.lua | 146 - lua/ngx/ssl.lua | 210 - t/139-ssl-cert-by.t | 3483 +---------------- t/cert/chain/chain.der | Bin 1903 -> 0 bytes t/cert/chain/chain.pem | 172 - t/cert/chain/root-ca.crt | 16 - t/cert/chain/test-com.key.der | Bin 608 -> 0 bytes t/cert/ocsp/chain.pem | 183 - t/cert/ocsp/ocsp-req.der | Bin 68 -> 0 bytes t/cert/ocsp/ocsp-resp-no-certs.der | Bin 388 -> 0 bytes .../ocsp-resp-signed-by-orphaned-no-certs.der | Bin 384 -> 0 bytes t/cert/ocsp/ocsp-resp-signed-by-orphaned.der | Bin 1044 -> 0 bytes t/cert/ocsp/ocsp-resp.der | Bin 1056 -> 0 bytes t/cert/ocsp/revoked-chain.pem | 183 - t/cert/ocsp/revoked-ocsp-resp.der | Bin 1073 -> 0 bytes t/cert/ocsp/test-com.crt | 69 - t/cert/ocsp/wrong-issuer-order-chain.pem | 183 - t/cert/test.crt.der | Bin 685 -> 0 bytes t/cert/test.key.der | Bin 610 -> 0 bytes t/cert/test2.crt | 16 - t/cert/test2.key | 15 - 21 files changed, 213 insertions(+), 4463 deletions(-) delete mode 100644 lua/ngx/ocsp.lua delete mode 100644 lua/ngx/ssl.lua delete mode 100644 t/cert/chain/chain.der delete mode 100644 t/cert/chain/chain.pem delete mode 100644 t/cert/chain/root-ca.crt delete mode 100644 t/cert/chain/test-com.key.der delete mode 100644 t/cert/ocsp/chain.pem delete mode 100644 t/cert/ocsp/ocsp-req.der delete mode 100644 t/cert/ocsp/ocsp-resp-no-certs.der delete mode 100644 t/cert/ocsp/ocsp-resp-signed-by-orphaned-no-certs.der delete mode 100644 t/cert/ocsp/ocsp-resp-signed-by-orphaned.der delete mode 100644 t/cert/ocsp/ocsp-resp.der delete mode 100644 t/cert/ocsp/revoked-chain.pem delete mode 100644 t/cert/ocsp/revoked-ocsp-resp.der delete mode 100644 t/cert/ocsp/test-com.crt delete mode 100644 t/cert/ocsp/wrong-issuer-order-chain.pem delete mode 100644 t/cert/test.crt.der delete mode 100644 t/cert/test.key.der 
delete mode 100644 t/cert/test2.crt
delete mode 100644 t/cert/test2.key
diff --git a/lua/ngx/ocsp.lua b/lua/ngx/ocsp.lua
deleted file mode 100644
index b43debe048..0000000000
--- a/lua/ngx/ocsp.lua
+++ /dev/null
@@ -1,146 +0,0 @@
--- Copyright (C) Yichun Zhang (agentzh)
-
-
-local ffi = require "ffi"
-local base = require "resty.core.base"
-
-
-local C = ffi.C
-local ffi_str = ffi.string
-local getfenv = getfenv
-local errmsg = base.get_errmsg_ptr()
-local get_string_buf = base.get_string_buf
-local get_string_buf_size = base.get_string_buf_size
-local get_size_ptr = base.get_size_ptr
-local FFI_DECLINED = base.FFI_DECLINED
-local FFI_OK = base.FFI_OK
-local FFI_BUSY = base.FFI_BUSY
-
-
-ffi.cdef[[
-int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(
- const char *chain_data, size_t chain_len, char *out, size_t *out_size,
- char **err);
-
-int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data,
- size_t chain_len, unsigned char *out, size_t *out_size, char **err);
-
-int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp,
- size_t resp_len, const char *chain_data, size_t chain_len,
- unsigned char *errbuf, size_t *errbuf_size);
-
-int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
- const unsigned char *resp, size_t resp_len, char **err);
-]]
-
-
-local _M = { version = base.version }
-
-
-function _M.get_ocsp_responder_from_der_chain(data, maxlen)
-
- local buf_size = maxlen
- if not buf_size then
- buf_size = get_string_buf_size()
- end
- local buf = get_string_buf(buf_size)
-
- local sizep = get_size_ptr()
- sizep[0] = buf_size
-
- local rc = C.ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(data,
- #data, buf, sizep, errmsg)
-
- if rc == FFI_DECLINED then
- return nil
- end
-
- if rc == FFI_OK then
- return ffi_str(buf, sizep[0])
- end
-
- if rc == FFI_BUSY then
- return ffi_str(buf, sizep[0]), "truncated"
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-function _M.create_ocsp_request(data, maxlen)
-
- local buf_size = maxlen
- if not buf_size then
- buf_size = get_string_buf_size()
- end
- local buf = get_string_buf(buf_size)
-
- local sizep = get_size_ptr()
- sizep[0] = buf_size
-
- local rc = C.ngx_http_lua_ffi_ssl_create_ocsp_request(data,
- #data, buf, sizep,
- errmsg)
-
- if rc == FFI_OK then
- return ffi_str(buf, sizep[0])
- end
-
- if rc == FFI_BUSY then
- return nil, ffi_str(errmsg[0]) .. ": " .. tonumber(sizep[0])
- .. " > " .. buf_size
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-function _M.validate_ocsp_response(resp, chain, max_errmsg_len)
-
- local errbuf_size = max_errmsg_len
- if not errbuf_size then
- errbuf_size = get_string_buf_size()
- end
- local errbuf = get_string_buf(errbuf_size)
-
- local sizep = get_size_ptr()
- sizep[0] = errbuf_size
-
- local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response(
- resp, #resp, chain, #chain, errbuf, sizep)
-
- if rc == FFI_OK then
- return true
- end
-
- -- rc == FFI_ERROR
-
- return nil, ffi_str(errbuf, sizep[0])
-end
-
-
-function _M.set_ocsp_status_resp(data)
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local rc = C.ngx_http_lua_ffi_ssl_set_ocsp_status_resp(r, data, #data,
- errmsg)
-
- if rc == FFI_DECLINED then
- -- no client status req
- return true, "no status req"
- end
-
- if rc == FFI_OK then
- return true
- end
-
- -- rc == FFI_ERROR
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-return _M
diff --git a/lua/ngx/ssl.lua b/lua/ngx/ssl.lua
deleted file mode 100644
index cd40058520..0000000000
--- a/lua/ngx/ssl.lua
+++ /dev/null
@@ -1,210 +0,0 @@
--- Copyright (C) Yichun Zhang (agentzh)
-
-
-local ffi = require "ffi"
-local base = require "resty.core.base"
-
-
-local C = ffi.C
-local ffi_str = ffi.string
-local getfenv = getfenv
-local errmsg = base.get_errmsg_ptr()
-local get_string_buf = base.get_string_buf
-local get_size_ptr = base.get_size_ptr
-local FFI_DECLINED = base.FFI_DECLINED
-local FFI_OK = base.FFI_OK
-
-
-ffi.cdef[[
-
-struct ngx_ssl_conn_s;
-typedef struct ngx_ssl_conn_s ngx_ssl_conn_t;
-
-int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r,
- const char *data, size_t len, char **err);
-
-int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err);
-
-int ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r,
- const char *data, size_t len, char **err);
-
-int ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
- size_t *addrlen, int *addrtype, char **err);
-
-int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
- size_t *namelen, char **err);
-
-int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len,
- unsigned char *der, char **err);
-
-int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err);
-]]
-
-
-local _M = { version = base.version }
-
-
-local charpp = ffi.new("char*[1]")
-local intp = ffi.new("int[1]")
-
-
-function _M.clear_certs(data)
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local rc = C.ngx_http_lua_ffi_ssl_clear_certs(r, errmsg)
- if rc == FFI_OK then
- return true
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-function _M.set_der_cert(data)
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data,
- errmsg)
- if rc == FFI_OK then
- return true
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-function _M.set_der_priv_key(data)
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data,
- errmsg)
- if rc == FFI_OK then
- return true
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-local addr_types = {
- [1] = "unix",
- [2] = "inet",
- [10] = "inet6",
-}
-
-
-function _M.raw_server_addr()
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local sizep = get_size_ptr()
-
- local rc = C.ngx_http_lua_ffi_ssl_raw_server_addr(r, charpp, sizep,
- intp, errmsg)
- if rc == FFI_OK then
- local typ = addr_types[intp[0]]
- if not typ then
- return nil, nil, "unknown address type: " .. intp[0]
- end
- return ffi_str(charpp[0], sizep[0]), typ
- end
-
- return nil, nil, ffi_str(errmsg[0])
-end
-
-
-function _M.server_name()
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local sizep = get_size_ptr()
-
- local rc = C.ngx_http_lua_ffi_ssl_server_name(r, charpp, sizep, errmsg)
- if rc == FFI_OK then
- return ffi_str(charpp[0], sizep[0])
- end
-
- if rc == FFI_DECLINED then
- return nil
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-function _M.cert_pem_to_der(pem)
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local outbuf = get_string_buf(#pem)
-
- local sz = C.ngx_http_lua_ffi_cert_pem_to_der(pem, #pem, outbuf, errmsg)
- if sz > 0 then
- return ffi_str(outbuf, sz)
- end
-
- return nil, ffi_str(errmsg[0])
-end
-
-
-local function get_tls1_version()
-
- local r = getfenv(0).__ngx_req
- if not r then
- return error("no request found")
- end
-
- local ver = C.ngx_http_lua_ffi_ssl_get_tls1_version(r, errmsg)
-
- ver = tonumber(ver)
-
- if ver >= 0 then
- return ver
- end
-
- -- rc == FFI_ERROR
-
- return nil, ffi_str(errmsg[0])
-end
-_M.get_tls1_version = get_tls1_version
-
-
-do
- _M.SSL3_VERSION = 0x0300
- _M.TLS1_VERSION = 0x0301
- _M.TLS1_1_VERSION = 0x0302
- _M.TLS1_2_VERSION = 0x0303
-
- local map = {
- [_M.SSL3_VERSION] = "SSLv3",
- [_M.TLS1_VERSION] = "TLSv1",
- [_M.TLS1_1_VERSION] = "TLSv1.1",
- [_M.TLS1_2_VERSION] = "TLSv1.2",
- }
-
- function _M.get_tls1_version_str()
- local ver, err = get_tls1_version()
- if not ver then
- return nil, err
- end
- return map[ver]
- end
-end
-
-
-return _M
diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t
index 98dc6592e4..5e19838a8c 100644
--- a/t/139-ssl-cert-by.t
+++ b/t/139-ssl-cert-by.t
@@ -4,12 +4,10 @@ use Test::Nginx::Socket::Lua; repeat_each(3); -plan tests => repeat_each() * (blocks() * 6 + 22); +plan tests => repeat_each() * (blocks() * 6 + 10); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); - $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211; -$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8'; #log_level 'warn'; log_level 'debug';
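Review bot: Dropping the `$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';` default in the preamble hunk leaves any surviving test block that still emits `resolver $TEST_NGINX_RESOLVER;` with an empty directive argument, which nginx rejects at config load rather than at request time. Every block visible in the following hunk carries that `resolver` line, but those blocks are themselves deleted, so whether a remaining block still depends on the variable cannot be confirmed from this chunk. If one does, either keep the default or remove its `resolver` line in the same commit; removing the public-DNS default is otherwise a welcome step toward hermetic tests. The `blocks() * 6 + 10` plan count is likewise only checkable against the blocks that remain after the second hunk, which ends outside this chunk.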
@@ -23,3131 +21,32 @@ __DATA__ === TEST 1: simple logging --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { print("ssl cert by lua is running!") } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. 
-received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -ssl_certificate_by_lua:1: ssl cert by lua is running! - ---- no_error_log -[error] -[alert] - - - -=== TEST 2: sleep ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local begin = ngx.now() - ngx.sleep(0.1) - print("elapsed in ssl cert by lua: ", ngx.now() - begin) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", 
line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log eval -[ -'lua ssl server name: "test.com"', -qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, -] - ---- no_error_log -[error] -[alert] - - - -=== TEST 3: timer ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local function f() - print("my timer run!") - end - local ok, err = ngx.timer.at(0, f) - if not ok then - ngx.log(ngx.ERR, "failed to create timer: ", err) - return - end - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = 
sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -my timer run! - ---- no_error_log -[error] -[alert] - - - -=== TEST 4: cosocket ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_MEMCACHED_PORT) - if not ok then - ngx.log(ngx.ERR, "failed to connect to memc: ", err) - return - end - - local bytes, err = sock:send("flush_all\r\n") - if not bytes then - ngx.log(ngx.ERR, "failed to send flush_all command: ", err) - return - end - - local res, err = sock:receive() - if not res then - ngx.log(ngx.ERR, "failed to receive memc reply: ", err) - return - end - - print("received memc reply: ", res) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - 
location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. 
-received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -received memc reply: OK - ---- no_error_log -[error] -[alert] - - - -=== TEST 5: clear certs ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - ssl.clear_certs() - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", 
err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -failed to do SSL handshake: handshake failed - ---- error_log -lua ssl server name: "test.com" -sslv3 alert handshake failure - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 6: set DER cert and private key ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - ssl.clear_certs() - - local f = assert(io.open("t/cert/test.crt.der")) - local cert_data = f:read("*a") - f:close() - - local ok, err = ssl.set_der_cert(cert_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - - local f = assert(io.open("t/cert/test.key.der")) - local pkey_data = f:read("*a") - f:close() - - local ok, err = ssl.set_der_priv_key(pkey_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - } - ssl_certificate ../../cert/test2.crt; - ssl_certificate_key ../../cert/test2.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: 
test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 7: read SNI name via ssl.server_name() ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - print("read SNI name from Lua: ", ssl.server_name()) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = 
sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -read SNI name from Lua: test.com - ---- no_error_log -[error] -[alert] - - - -=== TEST 8: read SNI name via ssl.server_name() when no SNI name specified ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local name = ssl.server_name(), - print("read SNI name from Lua: ", name, ", type: ", type(name)) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port 
$TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, nil, true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. 
-received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -read SNI name from Lua: nil, type: nil - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 9: read raw server addr via ssl.raw_server_addr() (unix domain socket) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local addr, addrtyp, err = ssl.raw_server_addr() - if not addr then - ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) - return - end - if addrtyp == "inet" then -- IPv4 - ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), - byte(addr, 3), byte(addr, 4)) - print("Using IPv4 address: ", ip) - - elseif addrtyp == "inet6" then -- IPv6 - ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), - byte(addr, 15), byte(addr, 16)) - print("Using IPv6 address: ", ip) - - else -- unix - print("Using unix socket file ", addr) - end - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to 
do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log eval -[ -'lua ssl server name: "test.com"', -qr/Using unix socket file .*?nginx\.sock/ -] - ---- no_error_log -[error] -[alert] - - - -=== TEST 10: read raw server addr via ssl.raw_server_addr() (IPv4) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen 127.0.0.1:12345 ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local byte = string.byte - - local addr, addrtyp, err = ssl.raw_server_addr() - if not addr then - ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) - return - end - if addrtyp == "inet" then -- IPv4 - ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), - byte(addr, 3), byte(addr, 4)) - print("Using IPv4 address: ", ip) - - elseif addrtyp == "inet6" then -- IPv6 - ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), - byte(addr, 15), byte(addr, 16)) - print("Using IPv6 address: ", ip) - - else -- unix - print("Using unix socket file ", addr) - end - } - ssl_certificate ../../cert/test.crt; 
- ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("127.0.0.1", 12345) - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. 
-received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -Using IPv4 address: 127.0.0.1 - ---- no_error_log -[error] -[alert] - - - -=== TEST 11: read raw server addr via ssl.raw_server_addr() (IPv6) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen [::1]:12345 ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local byte = string.byte - - local addr, addrtyp, err = ssl.raw_server_addr() - if not addr then - ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err) - return - end - if addrtyp == "inet" then -- IPv4 - ip = string.format("%d.%d.%d.%d", byte(addr, 1), byte(addr, 2), - byte(addr, 3), byte(addr, 4)) - print("Using IPv4 address: ", ip) - - elseif addrtyp == "inet6" then -- IPv6 - ip = string.format("%d.%d.%d.%d", byte(addr, 13), byte(addr, 14), - byte(addr, 15), byte(addr, 16)) - print("Using IPv6 address: ", ip) - - else -- unix - print("Using unix socket file ", addr) - end - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("[::1]", 12345) - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: 
", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" -Using IPv6 address: 0.0.0.1 - ---- no_error_log -[error] -[alert] - - - -=== TEST 12: set DER cert chain ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - ssl.clear_certs() - - local f = assert(io.open("t/cert/chain/chain.der")) - local cert_data = f:read("*a") - f:close() - - local ok, err = ssl.set_der_cert(cert_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - - local f = assert(io.open("t/cert/chain/test-com.key.der")) - local pkey_data = f:read("*a") - f:close() - - local ok, err = ssl.set_der_priv_key(pkey_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - } - ssl_certificate ../../cert/test2.crt; - ssl_certificate_key ../../cert/test2.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status 
= 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. 
-received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 13: read PEM cert chain but set DER cert chain ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - ssl.clear_certs() - - local f = assert(io.open("t/cert/chain/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local ok, err = ssl.set_der_cert(cert_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - - local f = assert(io.open("t/cert/chain/test-com.key.der")) - local pkey_data = f:read("*a") - f:close() - - local ok, err = ssl.set_der_priv_key(pkey_data) - if not ok then - ngx.log(ngx.ERR, "failed to set DER cert: ", err) - return - end - } - ssl_certificate ../../cert/test2.crt; - ssl_certificate_key ../../cert/test2.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - 
- local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - - local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) - return - end - - ngx.say("sent http request: ", bytes, " bytes.") - - while true do - local line, err = sock:receive() - if not line then - -- ngx.say("failed to recieve response status line: ", err) - break - end - - ngx.say("received: ", line) - end - - local ok, err = sock:close() - ngx.say("close: ", ok, " ", err) - end -- do - -- collectgarbage() - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata -sent http request: 56 bytes. -received: HTTP/1.1 201 Created -received: Server: nginx -received: Content-Type: text/plain -received: Content-Length: 4 -received: Connection: close -received: -received: foo -close: 1 nil - ---- error_log -lua ssl server name: "test.com" - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 14: get OCSP responder (good case) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) - if not url then - ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP url found: ", url) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key 
../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP url found: http://127.0.0.1:8888/ocsp?foo=1, - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 15: get OCSP responder (not found) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/chain/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) - if not url then - if err then - ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) - else - ngx.log(ngx.WARN, "OCSP responder not found") - end - return - end - - ngx.log(ngx.WARN, "OCSP url found: ", url) - } - ssl_certificate 
../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP responder not found - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 16: get OCSP responder (no issuer cert at all) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/test-com.crt")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) - if not url then - if err then - ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) - else - ngx.log(ngx.WARN, "OCSP responder not found") - end - return - end - - ngx.log(ngx.WARN, "OCSP url 
found: ", url) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -failed to get OCSP responder: no issuer certificate in chain - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 17: get OCSP responder (issuer cert not next to the leaf cert) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/wrong-issuer-order-chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data) - if not url then - if err then - ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) - else - 
ngx.log(ngx.WARN, "OCSP responder not found") - end - return - end - - ngx.log(ngx.WARN, "OCSP url found: ", url) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -failed to get OCSP responder: issuer certificate not next to leaf - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 18: get OCSP responder (truncated) ---- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local url, err = ocsp.get_ocsp_responder_from_der_chain(cert_data, 6) - if not url then - if err then - 
ngx.log(ngx.ERR, "failed to get OCSP responder: ", err) - else - ngx.log(ngx.WARN, "OCSP responder not found") - end - return - end - - if err then - ngx.log(ngx.WARN, "still get an error: ", err) - end - - ngx.log(ngx.WARN, "OCSP url found: ", url) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP url found: http:/, -still get an error: truncated - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 19: create OCSP request (good) ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: 
", err) - return - end - - local req, err = ocsp.create_ocsp_request(cert_data) - if not req then - ngx.log(ngx.ERR, "failed to create OCSP request: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP request created with length ", #req) - - local f = assert(io.open("t/cert/ocsp/ocsp-req.der", "r")) - local expected = assert(f:read("*a")) - f:close() - if req ~= expected then - ngx.log(ngx.ERR, "ocsp responder: got unexpected OCSP request") - end - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP request created with length 68 - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 20: create OCSP request (buffer too small) ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = 
assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local req, err = ocsp.create_ocsp_request(cert_data, 67) - if not req then - ngx.log(ngx.ERR, "failed to create OCSP request: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP request created with length ", #req) - local bytes = {string.byte(req, 1, #req)} - for i, byte in ipairs(bytes) do - bytes[i] = string.format("%02x", byte) - end - ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -failed to create OCSP request: output buffer too small: 68 > 67 - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 21: create OCSP request (empty string cert chain) ---- http_config - lua_package_path 
"t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local cert_data = "" - local req, err = ocsp.create_ocsp_request(cert_data, 67) - if not req then - ngx.log(ngx.ERR, "failed to create OCSP request: ", err) - return ngx.exit(ngx.ERROR) - end - - ngx.log(ngx.WARN, "OCSP request created with length ", #req) - local bytes = {string.byte(req, 1, #req)} - for i, byte in ipairs(bytes) do - bytes[i] = string.format("%02x", byte) - end - ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -failed to do SSL handshake: handshake failed - ---- error_log -lua ssl server name: "test.com" -failed to create OCSP request: d2i_X509_bio() failed - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 22: create OCSP request (no issuer cert in the chain) ---- http_config - 
lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/test-com.crt")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local req, err = ocsp.create_ocsp_request(cert_data, 67) - if not req then - ngx.log(ngx.ERR, "failed to create OCSP request: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP request created with length ", #req) - local bytes = {string.byte(req, 1, #req)} - for i, byte in ipairs(bytes) do - bytes[i] = string.format("%02x", byte) - end - ngx.log(ngx.WARN, "OCSP request content: ", table.concat(bytes, " ")) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl 
server name: "test.com" -failed to create OCSP request: no issuer certificate in chain - ---- no_error_log -[alert] -[emerg] - - - -=== TEST 23: validate good OCSP response ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t 
---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP response validation ok - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 24: fail to validate OCSP response - no issuer cert ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/test-com.crt")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - 
ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -failed to validate OCSP response: no issuer certificate in chain - ---- no_error_log -OCSP response validation ok -[alert] -[emerg] - - - -=== TEST 25: validate good OCSP response - no certs in response ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local f = assert(io.open("t/cert/ocsp/ocsp-resp-no-certs.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) 
- - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP response validation ok - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 26: validate OCSP response - OCSP response signed by an unknown cert and the OCSP response contains the unknown cert - -FIXME: we should complain in this case. - ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local f = assert(io.open("t/cert/ocsp/ocsp-resp-signed-by-orphaned.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = 
ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -OCSP response validation ok - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 27: fail to validate OCSP response - OCSP response signed by an unknown cert and the OCSP response does not contain the unknown cert - ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return - end - - local f = assert(io.open("t/cert/ocsp/ocsp-resp-signed-by-orphaned-no-certs.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - 
lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -failed to validate OCSP response: OCSP_basic_verify() failed - ---- no_error_log -OCSP response validation ok -[alert] -[emerg] - - - -=== TEST 28: fail to validate OCSP response - OCSP response returns revoked status ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/revoked-chain.pem")) - local cert_data = f:read("*a") - f:close() - - cert_data, err = ssl.cert_pem_to_der(cert_data) - if not cert_data then - ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err) - return ngx.exit(ngx.ERROR) - end - - local f = assert(io.open("t/cert/ocsp/revoked-ocsp-resp.der")) - local resp = f:read("*a") - f:close() - - local req, err = ocsp.validate_ocsp_response(resp, cert_data) - if not req then - ngx.log(ngx.ERR, "failed to validate OCSP response: ", err) - return ngx.exit(ngx.ERROR) - end - - ngx.log(ngx.WARN, "OCSP response validation ok") - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location 
/foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -failed to do SSL handshake: handshake failed - ---- error_log -lua ssl server name: "test.com" -failed to validate OCSP response: certificate status "revoked" in the OCSP response - ---- no_error_log -OCSP response validation ok -[alert] -[emerg] - - - -=== TEST 29: good status req from client -FIXME: check the OCSP staple actually received by the ssl client ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) - local resp = assert(f:read("*a")) - f:close() - - print("resp len: ", #resp) - - local ok, err = ocsp.set_ocsp_status_resp(resp) - if not ok then - ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) - return - end - ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; 
- content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("127.0.0.2", 8080) - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true, true) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -ocsp status resp set ok: nil, - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 30: no status req from client ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - local ocsp = require "ngx.ocsp" - - local f = assert(io.open("t/cert/ocsp/ocsp-resp.der")) - local resp = assert(f:read("*a")) - f:close() - - print("resp len: ", #resp) - - local ok, err = ocsp.set_ocsp_status_resp(resp) - if not ok then - ngx.log(ngx.ERR, "failed to set ocsp status resp: ", err) - return - end - ngx.log(ngx.WARN, "ocsp status resp set ok: ", err) - } - ssl_certificate ../../cert/test.crt; - ssl_certificate_key ../../cert/test.key; - - server_tokens off; - location /foo { - default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} - more_clear_headers Date; - } - } ---- config - server_tokens off; - resolver $TEST_NGINX_RESOLVER; - lua_ssl_trusted_certificate 
../../cert/test.crt; - lua_ssl_verify_depth 3; - - location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - - content_by_lua_block { - do - local sock = ngx.socket.tcp() - - sock:settimeout(2000) - - local ok, err = sock:connect("127.0.0.2", 8080) - if not ok then - ngx.say("failed to connect: ", err) - return - end - - ngx.say("connected: ", ok) - - local sess, err = sock:sslhandshake(nil, "test.com", true, false) - if not sess then - ngx.say("failed to do SSL handshake: ", err) - return - end - - ngx.say("ssl handshake: ", type(sess)) - end -- do - } - } - ---- request -GET /t ---- response_body -connected: 1 -ssl handshake: userdata - ---- error_log -lua ssl server name: "test.com" -ocsp status resp set ok: no status req, - ---- no_error_log -[error] -[alert] -[emerg] - - - -=== TEST 31: tls version - SSLv3 ---- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; - ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - local ver, err = ssl.get_tls1_version_str(resp) - if not ver then - ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) - return - end - ngx.log(ngx.WARN, "got TLS1 version: ", ver) - } + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; + ssl_certificate_by_lua_block { print("ssl cert by lua is running!") } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; - ssl_protocols SSLv3; server_tokens off; location /foo { default_type 'text/plain'; - content_by_lua_block {ngx.status = 201 ngx.say("foo") ngx.exit(201)} + content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } more_clear_headers Date; } } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - lua_ssl_protocols SSLv3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { 
do local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.2", 8080) + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") if not ok then ngx.say("failed to connect: ", err) return @@ -3155,14 +54,37 @@ ocsp status resp set ok: no status req, ngx.say("connected: ", ok) - local sess, err = sock:sslhandshake(false, nil, true, false) + local sess, err = sock:sslhandshake(nil, "test.com", true) if not sess then ngx.say("failed to do SSL handshake: ", err) return end ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) end -- do + -- collectgarbage() } } 
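Review bot: The receive loop added after `ngx.say("ssl handshake: ", type(sess))` breaks on any nil from `sock:receive()` without examining `err`, so a 2s read timeout and a clean server close print exactly the same lines and the test cannot tell whether nginx actually closed the HTTP/1.0 connection. I would make the commented-out diagnostic conditional instead of dropping it, e.g. `if err ~= "closed" then ngx.say("failed to receive: ", err) end` before the `break`, so only an unexpected error changes the response body (the comment also misspells "receive"). The same loop is added in the TEST 2, 3 and 4 client blocks (hunks at -3235, -3315 and -3395). The enclosing `do` block and `content_by_lua_block` start outside this hunk.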
@@ -3170,38 +92,39 @@ ocsp status resp set ok: no status req, GET /t --- response_body connected: 1 -ssl handshake: boolean +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil --- error_log -got TLS1 version: SSLv3, +lua ssl server name: "test.com" +ssl_certificate_by_lua:1: ssl cert by lua is running! --- no_error_log [error] [alert] -[emerg] -=== TEST 32: tls version - TLSv1 +=== TEST 2: sleep --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - local ver, err = ssl.get_tls1_version_str(resp) - if not ver then - ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) - return - end - ngx.log(ngx.WARN, "got TLS1 version: ", ver) + local begin = ngx.now() + ngx.sleep(0.1) + print("elapsed in ssl cert by lua: ", ngx.now() - begin) } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; - ssl_protocols TLSv1; server_tokens off; location /foo { @@ -3212,22 +135,16 @@ got TLS1 version: SSLv3, } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - lua_ssl_protocols TLSv1; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.2", 8080) + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") if not ok then ngx.say("failed to connect: ", err) return 
@@ -3235,14 +152,37 @@ got TLS1 version: SSLv3, ngx.say("connected: ", ok) - local sess, err = sock:sslhandshake(false, nil, true, false) + local sess, err = sock:sslhandshake(nil, "test.com", true) if not sess then ngx.say("failed to do SSL handshake: ", err) return end ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) end -- do + -- collectgarbage() } } 
@@ -3250,38 +190,46 @@ got TLS1 version: SSLv3, GET /t --- response_body connected: 1 -ssl handshake: boolean +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil ---- error_log -got TLS1 version: TLSv1, +--- error_log eval +[ +'lua ssl server name: "test.com"', +qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, +] --- no_error_log [error] [alert] -[emerg] -=== TEST 33: tls version - TLSv1.1 +=== TEST 3: timer --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" - - local ver, err = ssl.get_tls1_version_str(resp) - if not ver then - ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + local function f() + print("my timer run!") + end + local ok, err = ngx.timer.at(0, f) + if not ok then + ngx.log(ngx.ERR, "failed to create timer: ", err) return end - ngx.log(ngx.WARN, "got TLS1 version: ", ver) } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; - ssl_protocols TLSv1.1; server_tokens off; location /foo { @@ -3292,22 +240,16 @@ got TLS1 version: TLSv1, } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - lua_ssl_protocols TLSv1.1; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.2", 8080) + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") if not ok then ngx.say("failed to connect: ", err) return 
@@ -3315,14 +257,37 @@ got TLS1 version: TLSv1, ngx.say("connected: ", ok) - local sess, err = sock:sslhandshake(false, nil, true, false) + local sess, err = sock:sslhandshake(nil, "test.com", true) if not sess then ngx.say("failed to do SSL handshake: ", err) return end ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) end -- do + -- collectgarbage() } } 
@@ -3330,38 +295,59 @@ got TLS1 version: TLSv1, GET /t --- response_body connected: 1 -ssl handshake: boolean +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil --- error_log -got TLS1 version: TLSv1.1, +lua ssl server name: "test.com" +my timer run! --- no_error_log [error] [alert] -[emerg] -=== TEST 34: tls version - TLSv1.2 +=== TEST 4: cosocket --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { - listen 127.0.0.2:8080 ssl; - server_name test.com; + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name test.com; ssl_certificate_by_lua_block { - local ssl = require "ngx.ssl" + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_MEMCACHED_PORT) + if not ok then + ngx.log(ngx.ERR, "failed to connect to memc: ", err) + return + end + + local bytes, err = sock:send("flush_all\r\n") + if not bytes then + ngx.log(ngx.ERR, "failed to send flush_all command: ", err) + return + end - local ver, err = ssl.get_tls1_version_str(resp) - if not ver then - ngx.log(ngx.ERR, "failed to get TLS1 version: ", err) + local res, err = sock:receive() + if not res then + ngx.log(ngx.ERR, "failed to receive memc reply: ", err) return end - ngx.log(ngx.WARN, "got TLS1 version: ", ver) + + print("received memc reply: ", res) } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; - ssl_protocols TLSv1.2; server_tokens off; location /foo { 
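Review bot: The memcached socket opened in TEST 4's `ssl_certificate_by_lua_block` is never released: after `print("received memc reply: ", res)` the handler returns with the connection still open, and the early `return`s after a failed `send` or `receive` leak it too, so every TLS handshake leaves a memcached connection for the GC to reclaim. Add `sock:close()` after the print and before each `return` that follows a successful connect. This matters beyond the test because this hook runs for every ClientHello before any client data has been authenticated, so anything it opens per handshake is a resource an unauthenticated peer can make the server allocate. The `location /foo` block continues outside the hunk.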
@@ -3372,22 +358,16 @@ got TLS1 version: TLSv1.1, } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; - lua_ssl_verify_depth 3; - lua_ssl_protocols TLSv1.2; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.2", 8080) + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") if not ok then ngx.say("failed to connect: ", err) return @@ -3395,14 +375,37 @@ got TLS1 version: TLSv1.1, ngx.say("connected: ", ok) - local sess, err = sock:sslhandshake(false, nil, true, false) + local sess, err = sock:sslhandshake(nil, "test.com", true) if not sess then ngx.say("failed to do SSL handshake: ", err) return end ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to recieve response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) end -- do + -- collectgarbage() } } 
@@ -3410,22 +413,29 @@ got TLS1 version: TLSv1.1, GET /t --- response_body connected: 1 -ssl handshake: boolean +ssl handshake: userdata +sent http request: 56 bytes. +received: HTTP/1.1 201 Created +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 4 +received: Connection: close +received: +received: foo +close: 1 nil --- error_log -got TLS1 version: TLSv1.2, +lua ssl server name: "test.com" +received memc reply: OK --- no_error_log [error] [alert] -[emerg] -=== TEST 35: ngx.exit(0) - no yield +=== TEST 5: ngx.exit(0) - no yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; @@ -3445,14 +455,10 @@ got TLS1 version: TLSv1.2, } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3495,10 +501,8 @@ should never reached here -=== TEST 36: ngx.exit(ngx.ERROR) - no yield +=== TEST 6: ngx.exit(ngx.ERROR) - no yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; @@ -3518,14 +522,10 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3571,10 +571,8 @@ should never reached here -=== TEST 37: ngx.exit(0) - yield +=== TEST 7: ngx.exit(0) - yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; 
@@ -3596,14 +594,10 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3646,10 +640,8 @@ should never reached here -=== TEST 38: ngx.exit(ngx.ERROR) - yield +=== TEST 8: ngx.exit(ngx.ERROR) - yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; @@ -3671,14 +663,10 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3724,10 +712,8 @@ should never reached here -=== TEST 39: lua exception - no yield +=== TEST 9: lua exception - no yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; @@ -3747,14 +733,10 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3801,10 +783,8 @@ should never reached here -=== TEST 40: lua exception - yield +=== TEST 10: lua exception - yield --- http_config - lua_package_path "t/lib/?.lua;lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen 127.0.0.2:8080 ssl; server_name test.com; 
@@ -3825,14 +805,10 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; lua_ssl_verify_depth 3; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3878,10 +854,8 @@ should never reached here -=== TEST 41: get phase +=== TEST 11: get phase --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; @@ -3898,13 +872,9 @@ should never reached here } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -3947,17 +917,16 @@ get_phase: ssl_cert -=== TEST 42: connection aborted prematurely +=== TEST 12: connection aborted prematurely --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; ssl_certificate_by_lua_block { - ngx.sleep(0.4) - local ssl = require "ngx.ssl" - ssl.clear_certs() + ngx.sleep(0.3) + -- local ssl = require "ngx.ssl" + -- ssl.clear_certs() + print("ssl-cert-by-lua: after sleeping") } ssl_certificate ../../cert/test.crt; ssl_certificate_key ../../cert/test.key; @@ -3966,18 +935,14 @@ get_phase: ssl_cert } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() - sock:settimeout(300) + sock:settimeout(150) local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") if not ok then 
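Review bot: TEST 12 now keeps `-- local ssl = require "ngx.ssl"` and `-- ssl.clear_certs()` as commented-out lines inside `ssl_certificate_by_lua_block`, which reads as dead code with no explanation of why it was disabled; either delete them or replace them with a one-line comment stating the intent. The test's timing contract is also implicit: the client's `sock:settimeout(150)` has to expire while the handler is still in `ngx.sleep(0.3)` for the handshake to fail with the timeout the next hunk's context shows, so a comment such as `-- client times out (150ms) while the handler is still sleeping (300ms)` next to the sleep would keep the two numbers from drifting apart. Both hunks here cut through the server and location blocks, which start and end outside them.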
@@ -4008,17 +973,17 @@ failed to do SSL handshake: timeout --- error_log lua ssl server name: "test.com" +ssl-cert-by-lua: after sleeping --- no_error_log [error] [alert] +--- wait: 0.3 -=== TEST 43: subrequests disabled +=== TEST 13: subrequests disabled --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; @@ -4028,13 +993,9 @@ lua ssl server name: "test.com" } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -4079,10 +1040,8 @@ qr/\[crit\] .*?cert cb error/, -=== TEST 44: simple logging (by_lua_file) +=== TEST 14: simple logging (by_lua_file) --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; @@ -4104,13 +1063,9 @@ print("ssl cert by lua is running!") --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() @@ -4184,10 +1139,8 @@ a.lua:1: ssl cert by lua is running! -=== TEST 45: coroutine API +=== TEST 15: coroutine API --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; @@ -4221,13 +1174,9 @@ a.lua:1: ssl cert by lua is running! } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() 
@@ -4309,10 +1258,8 @@ lua ssl server name: "test.com" -=== TEST 46: simple user thread wait with yielding +=== TEST 16: simple user thread wait with yielding --- http_config - lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; - server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; @@ -4351,13 +1298,9 @@ lua ssl server name: "test.com" } --- config server_tokens off; - resolver $TEST_NGINX_RESOLVER; lua_ssl_trusted_certificate ../../cert/test.crt; location /t { - #set $port 5000; - set $port $TEST_NGINX_MEMCACHED_PORT; - content_by_lua_block { do local sock = ngx.socket.tcp() 
diff --git a/t/cert/chain/chain.der b/t/cert/chain/chain.der deleted file mode 100644 index ee6d9bad2655d9b5491d78fa40e231ec805ea1e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1903 zcmXqLV(KzzV*I>-nTe5!iAjLPfR~L^tIebBJ1-+6D=UM6uOYVqCmVAp3!5-gXt1HM zfgp&(!NcX8n3I{7UzC@bXeeYL021Wl;q)&^%?nB`E~zvWH4p}gG4t>QXQt<6=B4X8 zJL(!4D2VeKniyCb85o!vnVXnJN$?vP0tGCL%%K7Xo@81mXuuD#kfQ|X0KMe=T!Y5> z$i87@WngaXWiV*$WNK_=xDmW&O^p4|h85GiH$>cyYP)yJfa#{>iEkoD9ZovF-d%O^ z;m>K-Ay;4QUlS1JDR^sUg3ANd3B@71FkNh^adE>!wz=DggEVb%1IqANx2Ow5c7 zjEk!cD#4*EE6l=Vz+j-m#+lIO!Pxf0iIJB@UQ8AgoWa393ht?SsYQt;sVNH1sYNB3 zX_?7Dj)5%Dzp{KRVk{!^w-4O3@h)F6YmKpdb-|JIyH2p*HIN5ME3-%#h&6~zhw%RnN=sSd|>Xyz^F&(~p08g=hNjshOO;6;oxM!Y-k{ zFmYRi(KLbSpXwQoxHxa0`^YfU|IpN45< zI=)ulpou9Nm>SQ(QX?~(8>yQb4N+2~seuV}=jyx@`pOfh znL7K-?DTvGmFq75uiWdsVkYy@T>Jk2Ow(L$|8=v(p07Nna=CBGVSUvbpVNx_TKeWJ zJO1-r&-S?qYOOx~U!29)&z&OmRk2z|d(OLmUZ--8pMR&tq#>UtJf+n>U@^1A-khIX z=bG@ zfCrTFgjrY(m>C)WqeUSonOS>pGYl-6_1-BVZbm}kbu}-yk9_hR`<_Y1Kl-Z?(!22} zXFkj6%sZBG=?^B(7nrigbb?pvzlgmr=SqCobVMhQm0?M8WLE2WJ`Jn2CNgq89Ou_m zN<7mR^PI!YnHHcKT){HWR^8zUPtmoWYa8c${q&<}4ma;Z@7Zrort--BQ)izBOlD=k zWOg5x%$U&JXplfe86;*P0xECVd3b{p^Ay~Q67!NXi<9%Q7KQ=_d?2;VJnTXF`6UX@ zj>sv`z|z1JCFOwysGIT(@us|;vuw8+-rd&qaeks|Wx=;s-dX%SMXy}{_y(T;TG%mV z&QBJHnSXV~MXm0|7kIH%3jc2OTzf0hMX0f4?hQ#hzZb_D-u;}`Shb(?S;vOQn_irH zT%`P@t=aL^X3qm(%et;_{j*p|TAO=IxPZ!Zhkd8TpC7$9Svqpce-rz&z9MCue4nwU zJgf-|Ipu|=p6pHyRo7cB@rMea*B_eGnOVPApB| za;xEg39Ti4BIVVKbV9s8EY)ciI&xLUE56!L?QQa|tIdzL${zk~vS8QUckS;A3fD;= Ooj#jm*_^cp4gmmuYmdJG diff --git a/t/cert/chain/chain.pem b/t/cert/chain/chain.pem deleted file mode 100644 index 21b704f2fc..0000000000 --- a/t/cert/chain/chain.pem +++ /dev/null 
@@ -1,172 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4100 (0x1004) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-2 - Validity - Not Before: Sep 20 05:27:46 2014 GMT - Not After : Aug 27 05:27:46 2114 GMT - Subject: C=US, ST=California, O=OpenResty, CN=test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:d8:53:ac:ac:5c:3f:f9:80:a8:96:4b:b0:58:db: - 5a:86:de:ca:30:02:d9:19:c8:f6:14:c5:40:c9:41: - eb:bb:7a:d1:e1:f9:96:3b:54:d5:e8:bf:ac:50:5a: - 49:11:da:99:60:44:e0:25:68:40:36:7c:f6:ce:b4: - 9c:b9:58:d6:ea:e7:44:98:63:eb:a2:72:f8:e9:69: - b4:4a:4d:68:86:41:ca:67:58:61:e6:70:e8:08:fe: - ad:c2:75:59:24:0e:f0:2f:1a:70:83:8c:a3:77:64: - e8:4d:d5:c5:28:62:a9:53:d1:a1:22:f5:36:43:a7: - 46:00:aa:97:54:72:d4:72:47 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 1F:DB:C0:D9:3C:4B:77:A8:9A:AC:33:1F:7B:70:C4:CF:BA:C8:07:DD - X509v3 Authority Key Identifier: - keyid:39:77:77:A3:4E:92:8B:E2:25:20:72:64:35:0A:7A:87:A8:58:A9:F8 - - Signature Algorithm: sha1WithRSAEncryption - 1e:cd:83:66:b1:db:ea:5c:37:7e:bc:31:44:52:72:03:ae:9b: - 44:20:2c:ad:00:20:a5:dc:cf:9d:c8:c8:8f:df:cf:24:26:9c: - 43:83:f4:d2:ff:eb:d9:e4:7d:25:cf:1f:b8:aa:63:58:03:b9: - da:52:42:f8:fe:2e:71:cc:8f:de:26:34:cd:da:5c:7a:3b:64: - 07:18:27:a1:61:b6:58:32:96:10:97:f2:7f:00:c4:44:43:b7: - 9d:e2:31:69:4f:c2:95:c5:a3:32:d1:c0:00:c6:ef:58:b9:0f: - e6:08:3a:0d:c9:c0:14:f7:26:8c:43:13:55:1b:93:71:72:c7: - ad:2f ------BEGIN CERTIFICATE----- -MIICijCCAfOgAwIBAgICEAQwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMx -EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UE -AwwMU2lnbmluZy1DQS0yMCAXDTE0MDkyMDA1Mjc0NloYDzIxMTQwODI3MDUyNzQ2 -WjBJMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UECgwJ 
-T3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB -jQAwgYkCgYEA2FOsrFw/+YColkuwWNtaht7KMALZGcj2FMVAyUHru3rR4fmWO1TV -6L+sUFpJEdqZYETgJWhANnz2zrScuVjW6udEmGPronL46Wm0Sk1ohkHKZ1hh5nDo -CP6twnVZJA7wLxpwg4yjd2ToTdXFKGKpU9GhIvU2Q6dGAKqXVHLUckcCAwEAAaN7 -MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg -Q2VydGlmaWNhdGUwHQYDVR0OBBYEFB/bwNk8S3eomqwzH3twxM+6yAfdMB8GA1Ud -IwQYMBaAFDl3d6NOkoviJSByZDUKeoeoWKn4MA0GCSqGSIb3DQEBBQUAA4GBAB7N -g2ax2+pcN368MURScgOum0QgLK0AIKXcz53IyI/fzyQmnEOD9NL/69nkfSXPH7iq -Y1gDudpSQvj+LnHMj94mNM3aXHo7ZAcYJ6FhtlgylhCX8n8AxERDt53iMWlPwpXF -ozLRwADG71i5D+YIOg3JwBT3JoxDE1Ubk3Fyx60v ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4098 (0x1002) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=San Francisco, O=OpenResty, CN=Root CA - Validity - Not Before: Sep 20 05:09:05 2014 GMT - Not After : Aug 27 05:09:05 2114 GMT - Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:b9:9a:3d:b6:31:dd:b6:8a:f1:9f:61:25:79:70: - f6:ea:4b:6a:0f:0c:72:ea:45:fc:4d:51:cf:f5:71: - 88:94:9c:f9:04:40:99:fd:2d:17:15:3a:de:5f:70: - 4a:06:79:13:fb:81:49:ad:da:59:44:12:81:74:9d: - d8:19:3e:4e:e8:c7:00:ee:f9:96:81:7a:bf:09:e6: - 88:b0:e3:b2:e8:ca:e3:72:23:e4:86:83:41:ca:b3: - 49:c0:f5:76:8a:d7:b5:fc:a3:12:1b:2b:0b:b4:57: - 10:24:97:40:be:cb:17:e7:c5:de:93:1b:59:94:ff: - 34:3f:cd:4d:14:76:09:0e:f3 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 12:57:8E:2C:9B:CA:C9:8D:F8:88:B1:4D:EE:A6:6D:F3:99:C3:AF:E1 - X509v3 Authority Key Identifier: - keyid:56:65:C9:8B:65:55:27:2E:AB:14:F0:26:46:BD:BB:9E:A1:2B:41:58 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 1e:fb:6f:3e:12:bd:45:11:59:52:d5:60:ff:7c:73:9e:32:ce: - 76:fa:0b:b6:4a:58:68:db:92:a4:a0:d2:63:24:27:9c:6a:c5: - 
6c:fa:84:d4:b5:80:93:b0:79:8f:33:c6:06:99:49:81:99:f4: - 52:ba:bd:ff:6e:f5:69:3f:65:e0:59:51:ce:16:66:2f:39:b5: - 31:ff:18:2a:a4:8e:14:77:7b:a2:2c:54:4b:f0:a5:2c:83:12: - c4:d5:1c:4a:5f:7b:31:26:ed:63:ba:d5:83:e2:b5:1d:c3:f3: - 34:a0:ba:dd:ee:87:ee:70:71:ae:1b:c5:97:9b:08:a6:9c:ad: - c0:c2 ------BEGIN CERTIFICATE----- -MIICdjCCAd+gAwIBAgICEAIwDQYJKoZIhvcNAQEFBQAwYDELMAkGA1UEBhMCVVMx -EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEjAQ -BgNVBAoMCU9wZW5SZXN0eTEQMA4GA1UEAwwHUm9vdCBDQTAgFw0xNDA5MjAwNTA5 -MDVaGA8yMTE0MDgyNzA1MDkwNVowTTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh -bGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UEAwwMU2lnbmluZy1D -QS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5mj22Md22ivGfYSV5cPbq -S2oPDHLqRfxNUc/1cYiUnPkEQJn9LRcVOt5fcEoGeRP7gUmt2llEEoF0ndgZPk7o -xwDu+ZaBer8J5oiw47LoyuNyI+SGg0HKs0nA9XaK17X8oxIbKwu0VxAkl0C+yxfn -xd6TG1mU/zQ/zU0UdgkO8wIDAQABo1AwTjAdBgNVHQ4EFgQUEleOLJvKyY34iLFN -7qZt85nDr+EwHwYDVR0jBBgwFoAUVmXJi2VVJy6rFPAmRr27nqErQVgwDAYDVR0T -BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAe+28+Er1FEVlS1WD/fHOeMs52+gu2 -Slho25KkoNJjJCecasVs+oTUtYCTsHmPM8YGmUmBmfRSur3/bvVpP2XgWVHOFmYv -ObUx/xgqpI4Ud3uiLFRL8KUsgxLE1RxKX3sxJu1jutWD4rUdw/M0oLrd7ofucHGu -G8WXmwimnK3Awg== ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4099 (0x1003) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, O=OpenResty, CN=Signing-CA-1 - Validity - Not Before: Sep 20 05:25:04 2014 GMT - Not After : Aug 27 05:25:04 2114 GMT - Subject: C=US, ST=California, O=OpenResty, CN=Signing-CA-2 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:a4:d0:ae:16:a8:8f:9d:2c:ee:12:f5:0c:5e:29: - 65:9b:cc:9b:67:6f:40:24:d7:44:ff:d4:de:8d:d4: - 36:1c:e1:37:2b:df:ff:69:35:6d:0b:4f:ae:9a:16: - e7:a9:c6:24:d3:8e:a4:c3:2f:25:d8:f3:66:73:8e: - 84:8e:9c:a6:c7:f9:ce:8c:b7:9d:60:26:85:4c:8f: - f4:43:17:af:9d:94:1a:f5:21:7b:1c:2b:9c:ee:fe: - 4a:ca:6d:c7:cf:ee:2a:02:28:1f:6e:13:94:85:3f: - 
50:a3:03:18:bd:6c:f9:b5:9d:37:b9:27:61:29:75: - d3:39:77:5e:83:41:aa:8c:21 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 39:77:77:A3:4E:92:8B:E2:25:20:72:64:35:0A:7A:87:A8:58:A9:F8 - X509v3 Authority Key Identifier: - keyid:12:57:8E:2C:9B:CA:C9:8D:F8:88:B1:4D:EE:A6:6D:F3:99:C3:AF:E1 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 3b:4b:b6:31:51:72:9a:ef:42:60:5e:98:60:71:d7:26:4a:46: - f1:0e:1f:08:be:e6:1b:5f:e2:fd:28:54:8d:b1:c5:09:6f:04: - cb:69:dc:39:5e:67:e0:91:9f:10:94:bc:35:90:4a:65:fe:58: - bd:e9:9d:18:f0:b2:c4:2c:6e:05:00:a4:63:59:6a:85:cf:0e: - 28:3a:ad:34:1c:1e:8c:08:cf:ac:79:18:e6:2b:16:49:9c:0b: - 09:66:50:29:53:78:04:9e:3d:27:40:c4:0c:72:d6:8c:d6:b1: - 9c:f5:f2:f8:8c:9c:0b:0d:e1:4b:9b:ec:c9:65:0c:1e:fe:27: - 07:96 ------BEGIN CERTIFICATE----- -MIICYzCCAcygAwIBAgICEAMwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMx -EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoMCU9wZW5SZXN0eTEVMBMGA1UE -AwwMU2lnbmluZy1DQS0xMCAXDTE0MDkyMDA1MjUwNFoYDzIxMTQwODI3MDUyNTA0 -WjBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UECgwJ -T3BlblJlc3R5MRUwEwYDVQQDDAxTaWduaW5nLUNBLTIwgZ8wDQYJKoZIhvcNAQEB -BQADgY0AMIGJAoGBAKTQrhaoj50s7hL1DF4pZZvMm2dvQCTXRP/U3o3UNhzhNyvf -/2k1bQtPrpoW56nGJNOOpMMvJdjzZnOOhI6cpsf5zoy3nWAmhUyP9EMXr52UGvUh -exwrnO7+Ssptx8/uKgIoH24TlIU/UKMDGL1s+bWdN7knYSl10zl3XoNBqowhAgMB -AAGjUDBOMB0GA1UdDgQWBBQ5d3ejTpKL4iUgcmQ1CnqHqFip+DAfBgNVHSMEGDAW -gBQSV44sm8rJjfiIsU3upm3zmcOv4TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB -BQUAA4GBADtLtjFRcprvQmBemGBx1yZKRvEOHwi+5htf4v0oVI2xxQlvBMtp3Dle -Z+CRnxCUvDWQSmX+WL3pnRjwssQsbgUApGNZaoXPDig6rTQcHowIz6x5GOYrFkmc -CwlmUClTeASePSdAxAxy1ozWsZz18viMnAsN4Uub7MllDB7+JweW ------END CERTIFICATE----- diff --git a/t/cert/chain/root-ca.crt b/t/cert/chain/root-ca.crt deleted file mode 100644 index d2f3c8fa07..0000000000 --- a/t/cert/chain/root-ca.crt +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICkDCCAfmgAwIBAgIJAK3s1yAQ5tdfMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp -c2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTQw -OTIwMDM1NTU0WhgPMjExNDA4MjcwMzU1NTRaMGAxCzAJBgNVBAYTAlVTMRMwEQYD -VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQK -DAlPcGVuUmVzdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBAN7CcpCjiafBdl1KaExRcuutAF0/eq4/ht7L4/i0nPDzikscFJ/O -aVyH3UpUF/KMq+72vom2bEbUeRROr1rL/JRe9raGlQtvdovHZt6f4c3/Coihtupp -9BXYrBCU4P+Bxai5gtTXGFvLC2a72qKcXDNeH+NxpIaemfPxSvemCYUXAgMBAAGj -UDBOMB0GA1UdDgQWBBRWZcmLZVUnLqsU8CZGvbueoStBWDAfBgNVHSMEGDAWgBRW -ZcmLZVUnLqsU8CZGvbueoStBWDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAGjMH6qkY+61311DERFhDuYzMSSZjH53qzFseq/chlIMGjrgJIMy6rl7T0AU -2hjvW+FOyhf5NqRrAQDTTuLbtXZ/ygiUformE8lR/SNRY/DVj1yarQkWUC5UpqOs -GWG1VW9DHQAMFVkYwPO3XKeTXpEFOxPLHtXBYcVemCT4zo42 ------END CERTIFICATE----- diff --git a/t/cert/chain/test-com.key.der b/t/cert/chain/test-com.key.der deleted file mode 100644 index 3a19bbc15f54965569b9cdbc364ad802fcf0f98d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 608 zcmV-m0-yabf&yFu0RRGlfdJT3tgKu=`GBaFOR!kmT87@rFap^b$o3S)K*>StyL!># z`Ib9W)#$&hP+Cb5+L>TP;3a54HhlKZw4AwE*6Qa(m}Bdra`@?Kv`S5AhC#|_SYhUH z=m`F;!gX0B4)8A;aD$AacVy^I)x{`csZ-IRBK0;yr$zv(msE1paz_FK0RRC4fq?*t zf92^&S%HN;qY6m$vA967t6~W4Wo}NpwFMC8O{T=sQwRxdeCFCAx~%v%DVqS2C^ayV zs{Z#s2=mkm8)d$Yo3z7esA00!r09uLV5cKpP;N8z6yR-lD?i_a)mxVRoC<$Jk>t%f z^VyApSHt%>UQybzFw8O^67zID)80V>K>+)z56noCvD!IBe?!nkep3Dj4^Jba5}R?C zMsCV}nvah|(3m<=I_(Dvf5Lbkost%6yPA~my)MPH58Bym39|x00Nf42!fShU4<=$l z1Ocofv+Kj!#VELw)Apmv6#I~;#^D@2x1Lg!k5xQVu>g^MlsY&sB5 z9RfgDd2tkAZ!#B#3h1)#g@5C%YbW-qkWczm^w`cCVrTRaX~yfll+hxCS1pq;r;@$N zBfQX?i>&s^F$}`CmCj$vYktvGYO=0Rlii=bg|=440CE0a7HV8PO6s^wmc3 u;gLyx|KBGYtFNts;fU>EZ-g=UjMGcIpF7wAU?L2S1S;VG 
diff --git a/t/cert/ocsp/chain.pem b/t/cert/ocsp/chain.pem deleted file mode 100644 index 4743a36020..0000000000 --- a/t/cert/ocsp/chain.pem +++ /dev/null 
@@ -1,183 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: - 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: - bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: - 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: - 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: - 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: - 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: - a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: - b1:ef:6b:e9:f5:ad:29:87:45 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 - X509v3 Authority Key Identifier: - keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 - serial:03 - - Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 - - Signature Algorithm: sha1WithRSAEncryption - 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: - 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: - 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: - 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: - ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: - 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: - cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: - e3:e8 ------BEGIN CERTIFICATE----- -MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
-VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 -AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E -418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw -ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD -VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC -VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI -KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv -b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt -+LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm -hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF -bC7VKgqN84joJkjj6A== ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: - a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: - dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: - d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: - ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: - f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: - 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: - e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: - 9a:c1:64:e0:9b:dd:67:e5:f1 - Exponent: 65537 (0x10001) 
- X509v3 extensions: - X509v3 Subject Key Identifier: - B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - X509v3 Authority Key Identifier: - keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: - 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: - f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: - 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: - f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: - d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: - 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: - 99:b7 ------BEGIN CERTIFICATE----- -MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk -VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 -vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj -UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS -MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C -7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh -boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, 
O=OpenResty, CN=signing-ca-1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: - ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: - 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: - 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: - d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: - 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: - 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: - 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: - 8e:34:fe:93:e4:d2:fc:97:57 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - X509v3 Authority Key Identifier: - keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: - e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: - a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: - 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: - 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: - c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: - 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: - 37:a2 ------BEGIN CERTIFICATE----- -MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 -WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp -Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 -eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb -fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C -Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd -BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk 
-6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm -Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m -fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 -7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== ------END CERTIFICATE----- diff --git a/t/cert/ocsp/ocsp-req.der b/t/cert/ocsp/ocsp-req.der deleted file mode 100644 index f125311ac88017de061a5b2b40721988c93423f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 68 zcmXqTGH@`kGq5qRGT>xm)#hVnl450G5xMqCO|dz*uTQkk?G0x|`Kg3`s>fJFHgkWi Y4HOHk(=b20h+kG;;6UKw%}k6e0CkEKt^fc4 diff --git a/t/cert/ocsp/ocsp-resp-no-certs.der b/t/cert/ocsp/ocsp-resp-no-certs.der deleted file mode 100644 index 01a45cf9f3b8fd8c6e613efceea716e67f3492cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 388 zcmXqLVr<}IWLVI|SZUD2Sjxt!&Bn;e%5K2O$kN1^1{6v%Xgsqp%^<~)+klgeIh2J> zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVo;^b!aT*9>3NxX>AJ~@x<(TGMh1o^h6aXa2F6C_29{98tRzQnc zwfUHtq*xhPM6SJ3Q*6%d>l5vBd&5~#ekx&~>M<6P&D>vW1H}UCG|Ue#;+NGII1spa zGZQ0A0|Ta!ylk9WZ60mkc^QEoWngY>WY9Vl#AhPE63>5UVWF4* zb_?B!5Loi1aI&vi^4cRel; zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVuA+zATefPj{Ks6jKsXu6bXJK149!-14Am9S6s7>mee?yt3hVu5uU=7$&Y%jydp2wc3G ziIJs&0nrEx7#f^yM?|2@*T|XLaY2k IVOHZ>0M{jgYXATM 
diff --git a/t/cert/ocsp/ocsp-resp-signed-by-orphaned.der b/t/cert/ocsp/ocsp-resp-signed-by-orphaned.der deleted file mode 100644 index 506dbd2d967ec204e9bdd89deb4cbcf3f1e0d8e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1044 zcmXqLViDkCWLVI|!fDXN!pg>}&Bn;e%5K2O$kN38&7g_-lR@K&g-HephTI06Y|No7 zY{E>T!G^*Hf*=luFqd;;PG(wuQC?=Ep{Ri{NRVBa$0ao_u{5Vd!8x;}(oo1i03^&M z%;{f{nirH>3=|VI;0K8@3v=Wb6=WplrKU*m8yOgy7#bLw85kRx8(2me1RD4oSOG0% z)#hVnl450G5xMqCO|dz*uTQkk?G0x|`Kg3`s>fJFHgkWi4HOHk(=b20h+kG;;6UKw z%}k6e4Gfq@^0IMiwRyCC=Vb(Xl7YFgks;Y3V1Dq0LX%Go+pfPUQf4`#*Y(BINI(0C zW$g3m4IY|4TJuxBUf6r1++@{F>!{)}aZixg**~j0&+gpf zZw#{<*Dh#cnqbhx)C0sF22G3~7cet1GBGi78lXCr_Tg`!AkK>t{=m>PG&C`=G%|uk z2+h-gLF0U6e=~xjsF%T@v6BfHQ#BlDdU&0BHPe&y z@ADTgRa7X_eIu-R+;nx-^SsYOtVatN|KyNHb^X89p$m zU0LC6CJ&Jiunr!oS*mANu(ZLSJZZ7@ms0Qmd1z7ubuG>`nqEJjj$)0 zOw5c7jEe&d{0wA)NmrJSMT|ux>(EM5p`|xJC@41UoZ(d_<$h*Ey@5PPTA4+{K&%0~ z0v?b8VHQ>cW=6*U$R38KN#Xzekq;PUCNJRc$vw4xcSKm^7O%*g201m|QZoNyUZ1_k zARg&D@9*+&WvAp$ZkuXwH1S)*rqcp%j81$^w{>bxWY_KEel4N-Z?fBqb3YgrviB^V zyLivdOdiE4J4`@~97dByYITR9V0p-GA A%>V!Z 
diff --git a/t/cert/ocsp/ocsp-resp.der b/t/cert/ocsp/ocsp-resp.der deleted file mode 100644 index 1fe910f4ff053b55062d38b85bf002bb35872a60..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1056 zcmXqLVv*ruWLVI|B5KgYBFM(6&Bn;e%5K2O$kN2ZWYEO?&!F+l!Zd>vLv903Hs(+k zHesgFU_)U8K@f*Sn9DgaCo?U-C@(Y7P}D#eB*-qzm8(0A? zX4U3nW|CrMU=g|YN=>mjx35pM&+QFoMfs_OeX7S;L^gAOtql|ltkW<*yog^`U*JIC z;>}EqEDa2pM)I<8YPET^edlEadX#~=v5`URR1lxZd>8*mWlv|Hc&8AwG4FIy$eyk@ zd3Q@VwSLq!SjTXk=J@kB=~H~eCuf&}E{i-5se2Dtb|1M>J0s;Ce~(bh<4HXKorQ&7 z{@X2dCqiJ!m%_=uX31-h+)$pgRQmVt??T&8uS)*B^F?0G9rlO!@2ov^JHX|k9{0Rh z`Fo!^K4dItVwz#l#54tnCm1v_{#?M!#K^?N$ZUY>RJz20p@D)pFG?H$L(tIB#K6+X z2o@=HNec#z^O60}2#Ts+27|^JtBe-rc)qsL)oi$y+AVJN z!TSzR`0uNR8B3ppw1xhZUU9wFh|&6djD_~sJ(s&rY+GHHYV^$e>XW}0C!H|PD*1f; z&Gf^^=Rdg`TDoJeC)WBYPN{HhB^c92Y$F!SX}dTz}^)6GG(GY(s3z;}2~1IwZYK z;*wCWif`Fhc5V?nab2f(tp>Lr`!=RWPUqUZ`>6V>%wz9n#<-XT+Z}Pw`0?*pu*L7^ zvv_QBDkf`Q@~qXokeJsv``R0+M|Md`j(c)_jVG2V#2FQE*r^o#+t}3{&LX+>^vvx5 D%^+kP diff --git a/t/cert/ocsp/revoked-chain.pem b/t/cert/ocsp/revoked-chain.pem deleted file mode 100644 index 3f98b7c2fa..0000000000 --- a/t/cert/ocsp/revoked-chain.pem +++ /dev/null 
@@ -1,183 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 8 (0x8) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=revoked-test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:ca:50:23:9a:59:70:ea:00:47:ff:72:05:29:9b: - 5d:6d:4b:73:37:a4:ff:38:20:4b:5b:ac:1f:3b:34: - f5:12:f8:8b:0e:02:bc:bd:14:34:39:6f:7d:5b:1f: - d4:15:e7:64:2e:65:fb:b1:a8:aa:f6:96:d3:e6:2b: - 00:0e:f3:8a:ef:99:ab:3e:e6:5d:eb:6d:a6:4a:d0: - aa:ff:a9:d6:9a:41:f0:66:22:0a:38:9c:28:4f:1f: - 0d:cf:a2:79:96:f9:fc:3d:1e:83:70:f5:97:6e:07: - cf:a2:17:87:0d:2a:41:19:3a:44:96:89:e7:0d:cb: - 88:20:86:e1:de:08:8b:0d:db - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - FB:98:2B:56:90:69:E1:B4:2B:C2:DB:25:7C:13:87:D5:D7:BC:70:B6 - X509v3 Authority Key Identifier: - keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 - serial:03 - - Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 - - Signature Algorithm: sha1WithRSAEncryption - 43:77:33:e9:cc:b1:42:35:94:0a:57:a5:dd:94:21:c0:cc:42: - 04:81:bd:b2:ac:4d:10:68:f3:fe:33:0a:8e:b9:3e:e9:f2:44: - aa:1c:e7:3e:e8:e0:57:40:41:ef:4a:b1:32:b0:f2:75:7c:aa: - 77:d2:64:9d:ba:a1:12:ea:f9:83:31:ba:9f:83:58:1c:38:e9: - d0:a6:dd:04:72:85:d1:2d:c7:3b:b2:71:ef:e4:f6:57:0c:6a: - b6:fc:e5:13:2d:be:a6:c1:f4:4b:4d:c8:69:cc:7c:2e:25:c1: - 8e:80:9e:19:c3:17:b2:21:a7:af:e8:2f:f1:d4:bb:8c:a3:39: - be:49 ------BEGIN CERTIFICATE----- -MIIDcTCCAtqgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET 
-MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MRkwFwYDVQQDExByZXZva2VkLXRlc3QuY29tMIGfMA0GCSqGSIb3DQEB -AQUAA4GNADCBiQKBgQDKUCOaWXDqAEf/cgUpm11tS3M3pP84IEtbrB87NPUS+IsO -Ary9FDQ5b31bH9QV52QuZfuxqKr2ltPmKwAO84rvmas+5l3rbaZK0Kr/qdaaQfBm -Igo4nChPHw3PonmW+fw9HoNw9ZduB8+iF4cNKkEZOkSWiecNy4gghuHeCIsN2wID -AQABo4IBKzCCAScwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH -ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPuYK1aQaeG0K8LbJXwTh9XX -vHC2MIGOBgNVHSMEgYYwgYOAFLML9X1RFlF+KDfDog8dLxDAUaOzoWikZjBkMQsw -CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVs -dCBDaXR5MRIwEAYDVQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2Et -MYIBAzA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly8xMjcuMC4w -LjE6ODg4OC9vY3NwP2Zvbz0xMA0GCSqGSIb3DQEBBQUAA4GBAEN3M+nMsUI1lApX -pd2UIcDMQgSBvbKsTRBo8/4zCo65PunyRKoc5z7o4FdAQe9KsTKw8nV8qnfSZJ26 -oRLq+YMxup+DWBw46dCm3QRyhdEtxzuyce/k9lcMarb85RMtvqbB9EtNyGnMfC4l -wY6AnhnDF7Ihp6/oL/HUu4yjOb5J ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: - a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: - dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: - d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: - ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: - f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: - 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: - 
e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: - 9a:c1:64:e0:9b:dd:67:e5:f1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - X509v3 Authority Key Identifier: - keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: - 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: - f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: - 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: - f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: - d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: - 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: - 99:b7 ------BEGIN CERTIFICATE----- -MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk -VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 -vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj -UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS -MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C -7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh -boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca - Validity - Not Before: Oct 16 
03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: - ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: - 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: - 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: - d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: - 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: - 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: - 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: - 8e:34:fe:93:e4:d2:fc:97:57 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - X509v3 Authority Key Identifier: - keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: - e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: - a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: - 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: - 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: - c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: - 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: - 37:a2 ------BEGIN CERTIFICATE----- -MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 -WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp -Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 -eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb -fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C 
-Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd -BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk -6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm -Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m -fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 -7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== ------END CERTIFICATE----- diff --git a/t/cert/ocsp/revoked-ocsp-resp.der b/t/cert/ocsp/revoked-ocsp-resp.der deleted file mode 100644 index 71d41a77fd2f3bb2a36146472750afa746da6f87..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1073 zcmXqLV$tPdWLVI|qGr&4xwXuP{H%^<~)+klgeIh2J> zm?<>aP}o2a#NiO;a!$<2Ov^9I%S<#BH4p{~vJ3OLq^2d7=9DNnXO>hN3K${ z{R>j_f>MitVo;^b!aT*9>3NxX>AJ~@x<(TGMh1o^h6aXa2F6C_29{9l5vBd&5~#ekx&~>M<6P&D>vW1H}UCG|Ue#;+NGII1spa zGZQ1nLO~28F$4^F**LY@JlekVG6H?hz}(o#;Gvy$Y*(1tX*T<-6aNJKmaM%x=it^q zCmM>_TJ%J2S5|C1zT>S~oa>UnxVIt4{xDo_7F$!>TTo}OT`#lYfzG3BKm7v#L}jKa zRkCuj@h=}uU6i!7D5XyQ?Goj?4tZxz9u1rpyrFB_H2H_Ft}_;}=zp>LCek*)fPK%e z^-Hc99$QznpowXQK@-yyAf8~*#Q1XoGZP~d6C*R4Q|S^Zh6W1ayeN?Z3_(Lf69Y>l zBUmiaC2<%u&PVn?BPgnR84MabnSe2NSw&{j(%lRD{!eg?9@v@XlXB8ELp8pwmBm02VV#2Q2{85D*EEZd`abm79)g3CFg zUt29vH{by&5N2UDU}j|ekL+P++T=+*a9r@v2g?s-bN!vKObC%zvkkE=k3X>4>yY#| ziAzGgD!yf3*||mR#C4tCwHn-h?Aw?gIh||s?xX6jGLOBR8RKFWY}zkN9@!-&Iqu2zHJ(_e5NA}tVW(2`Z(~<;IE&=g(=)dN E0NZk6z5oCK diff --git a/t/cert/ocsp/test-com.crt b/t/cert/ocsp/test-com.crt deleted file mode 100644 index d34cb6b9e7..0000000000 --- a/t/cert/ocsp/test-com.crt +++ /dev/null 
@@ -1,69 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: - 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: - bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: - 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: - 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: - 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: - 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: - a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: - b1:ef:6b:e9:f5:ad:29:87:45 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 - X509v3 Authority Key Identifier: - keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 - serial:03 - - Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 - - Signature Algorithm: sha1WithRSAEncryption - 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: - 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: - 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: - 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: - ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: - 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: - cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: - e3:e8 ------BEGIN CERTIFICATE----- -MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
-VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 -AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E -418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw -ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD -VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC -VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI -KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv -b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt -+LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm -hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF -bC7VKgqN84joJkjj6A== ------END CERTIFICATE----- diff --git a/t/cert/ocsp/wrong-issuer-order-chain.pem b/t/cert/ocsp/wrong-issuer-order-chain.pem deleted file mode 100644 index 098e862bae..0000000000 --- a/t/cert/ocsp/wrong-issuer-order-chain.pem +++ /dev/null 
@@ -1,183 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-2 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:c7:bd:50:99:71:46:af:93:22:85:ab:74:8b:5b: - 19:74:af:3e:ad:d2:e1:17:3e:cb:5b:36:9c:8a:38: - bd:1b:47:2d:8b:92:55:1d:fe:a6:72:92:78:00:de: - 30:cb:a3:10:b5:92:aa:b8:e0:7b:44:9a:f5:99:89: - 36:f4:84:20:81:e3:5c:76:00:9d:76:e7:b9:41:ab: - 74:b6:14:9f:b2:94:b3:b6:48:a8:92:dc:09:e3:3d: - 04:e3:5f:0f:5b:50:ad:0c:59:3a:88:06:39:2d:34: - a6:52:2f:58:6f:53:1b:df:9f:98:ea:82:8d:52:60: - b1:ef:6b:e9:f5:ad:29:87:45 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 67:DF:28:25:D1:F8:83:36:28:EE:DB:41:63:E4:E0:3A:32:0D:EA:30 - X509v3 Authority Key Identifier: - keyid:B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - DirName:/C=US/ST=California/L=Default City/O=OpenResty/CN=signing-ca-1 - serial:03 - - Authority Information Access: - OCSP - URI:http://127.0.0.1:8888/ocsp?foo=1 - - Signature Algorithm: sha1WithRSAEncryption - 37:29:3f:ed:d9:47:9a:51:36:a3:5b:00:85:66:de:51:4d:48: - 2d:f8:bc:f1:5e:b4:fd:30:48:f0:25:ee:77:57:9c:f1:4b:0a: - 4f:7e:96:1a:f8:48:76:23:46:8d:d6:f2:5e:1e:08:52:12:53: - 08:07:9f:75:db:77:22:2e:7e:89:c2:2c:66:85:6b:df:e9:77: - ca:23:6d:9a:af:87:8a:8c:27:37:1e:9e:55:92:8e:8a:a9:93: - 24:41:a8:96:01:c0:65:93:8e:3d:7a:6c:bf:ed:c8:2a:f8:26: - cc:00:17:b7:27:ca:85:6c:2e:d5:2a:0a:8d:f3:88:e8:26:48: - e3:e8 ------BEGIN CERTIFICATE----- -MIIDaTCCAtKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD 
-VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMjAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MREwDwYDVQQDEwh0ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAx71QmXFGr5Mihat0i1sZdK8+rdLhFz7LWzaciji9G0cti5JVHf6mcpJ4 -AN4wy6MQtZKquOB7RJr1mYk29IQggeNcdgCddue5Qat0thSfspSztkioktwJ4z0E -418PW1CtDFk6iAY5LTSmUi9Yb1Mb35+Y6oKNUmCx72vp9a0ph0UCAwEAAaOCASsw -ggEnMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk -IENlcnRpZmljYXRlMB0GA1UdDgQWBBRn3ygl0fiDNiju20Fj5OA6Mg3qMDCBjgYD -VR0jBIGGMIGDgBSzC/V9URZRfig3w6IPHS8QwFGjs6FopGYwZDELMAkGA1UEBhMC -VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTES -MBAGA1UEChMJT3BlblJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTGCAQMwPAYI -KwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vMTI3LjAuMC4xOjg4ODgv -b2NzcD9mb289MTANBgkqhkiG9w0BAQUFAAOBgQA3KT/t2UeaUTajWwCFZt5RTUgt -+LzxXrT9MEjwJe53V5zxSwpPfpYa+Eh2I0aN1vJeHghSElMIB59123ciLn6Jwixm -hWvf6XfKI22ar4eKjCc3Hp5Vko6KqZMkQaiWAcBlk449emy/7cgq+CbMABe3J8qF -bC7VKgqN84joJkjj6A== ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=root-ca - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:a0:3e:1a:4f:6c:b9:3d:ab:0f:02:de:da:82:92: - ee:a2:69:88:80:ed:f2:b6:98:bc:c6:ee:d3:47:82: - 4a:e7:d3:7f:55:68:5c:6d:9e:aa:ba:59:e3:5b:7f: - 32:4f:79:44:4a:4f:13:e4:2e:3f:1f:98:10:a4:72: - d5:f0:e7:44:8e:d4:a7:b9:fb:54:be:b6:fa:f7:dc: - 9c:29:93:d4:9f:a1:5b:18:6e:68:93:91:1b:8c:a0: - 4f:02:52:e9:9d:e8:98:f3:fd:67:da:78:4b:4f:d8: - 2d:90:83:5c:0b:e5:fe:48:27:e4:ec:bb:99:26:06: - 8e:34:fe:93:e4:d2:fc:97:57 - Exponent: 65537 (0x10001) - 
X509v3 extensions: - X509v3 Subject Key Identifier: - D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - X509v3 Authority Key Identifier: - keyid:1D:2F:09:60:EB:E4:EA:B5:0B:52:A9:5C:5E:09:2B:DD:34:70:CF:BA - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - a6:16:2f:fc:13:67:5e:ce:0e:79:cb:b0:91:52:9b:9e:b5:9f: - e1:fa:7d:78:f4:2a:93:f3:94:62:45:17:87:b9:0a:59:b9:a3: - a9:75:51:ca:f0:04:6c:01:d1:3a:a9:dd:66:7d:27:7b:1e:4f: - 48:3a:25:ea:a5:01:32:fc:87:4b:08:da:f8:f5:62:88:e8:b9: - 94:c7:cb:ee:33:08:ab:2f:52:f4:4a:14:4f:ac:2d:a2:f8:de: - c9:6f:95:b7:91:23:b9:ec:95:90:de:86:21:f5:6f:1b:cf:13: - 47:77:78:dd:7a:16:e9:8b:cc:df:3d:45:8a:76:af:15:d1:9a: - 37:a2 ------BEGIN CERTIFICATE----- -MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxEDAOBgNVBAMTB3Jvb3QtY2EwIBcNMTQxMDE2MDMyNzA5 -WhgPMjExNDA5MjIwMzI3MDlaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp -Zm9ybmlhMRUwEwYDVQQHEwxEZWZhdWx0IENpdHkxEjAQBgNVBAoTCU9wZW5SZXN0 -eTEVMBMGA1UEAxMMc2lnbmluZy1jYS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQCgPhpPbLk9qw8C3tqCku6iaYiA7fK2mLzG7tNHgkrn039VaFxtnqq6WeNb -fzJPeURKTxPkLj8fmBCkctXw50SO1Ke5+1S+tvr33Jwpk9SfoVsYbmiTkRuMoE8C -Uumd6Jjz/WfaeEtP2C2Qg1wL5f5IJ+Tsu5kmBo40/pPk0vyXVwIDAQABo1AwTjAd -BgNVHQ4EFgQU0jBxVlCmvCHFoaGrEacIW+s6pCcwHwYDVR0jBBgwFoAUHS8JYOvk -6rULUqlcXgkr3TRwz7owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm -Fi/8E2dezg55y7CRUpuetZ/h+n149CqT85RiRReHuQpZuaOpdVHK8ARsAdE6qd1m -fSd7Hk9IOiXqpQEy/IdLCNr49WKI6LmUx8vuMwirL1L0ShRPrC2i+N7Jb5W3kSO5 -7JWQ3oYh9W8bzxNHd3jdehbpi8zfPUWKdq8V0Zo3og== ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=Default City, O=OpenResty, CN=signing-ca-1 - Validity - Not Before: Oct 16 03:27:09 2014 GMT - Not After : Sep 22 03:27:09 2114 GMT - Subject: C=US, ST=California, L=Default City, 
O=OpenResty, CN=signing-ca-2 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) - Modulus: - 00:d3:24:1c:92:a5:bb:00:d9:b1:fb:2b:1d:7a:32: - a1:6c:49:eb:3c:2d:29:80:d6:65:8b:17:3a:f0:4b: - dc:0c:57:fb:d5:31:68:a5:e4:54:86:55:f9:1b:a8: - d7:7d:32:01:3b:cf:5c:38:2b:f5:bc:d3:8b:c8:b6: - ab:76:65:32:e6:4b:d5:e4:fd:d1:92:c8:33:6a:74: - f3:c7:ec:97:c3:c7:9f:e4:d5:55:75:b8:bd:39:ec: - 2d:1f:c6:54:c8:2b:2d:17:e0:05:77:28:44:f7:dd: - e1:6e:f0:59:05:51:f5:b9:b4:fe:be:ad:40:a6:d5: - 9a:c1:64:e0:9b:dd:67:e5:f1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - B3:0B:F5:7D:51:16:51:7E:28:37:C3:A2:0F:1D:2F:10:C0:51:A3:B3 - X509v3 Authority Key Identifier: - keyid:D2:30:71:56:50:A6:BC:21:C5:A1:A1:AB:11:A7:08:5B:EB:3A:A4:27 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0c:61:c0:c7:11:c2:f0:39:f0:76:9d:4f:43:d4:90:54:1f:26: - 3d:54:3d:77:5f:c0:b3:4a:c2:1b:b6:18:d2:12:8d:24:4d:76: - f5:07:0b:14:3e:17:2d:42:ee:85:30:db:e3:4d:81:67:59:97: - 0a:b3:bb:c5:27:ea:69:c6:ee:99:5c:44:36:53:3e:c4:47:68: - f8:fe:c6:53:38:fb:e7:9a:0c:3c:6c:78:93:29:d2:49:7d:29: - d0:61:6e:81:9b:d6:ec:1a:e2:3e:62:62:41:bc:6d:4d:33:91: - 76:20:5e:32:70:08:3e:24:72:fe:b1:8a:83:57:04:19:b5:cb: - 99:b7 ------BEGIN CERTIFICATE----- -MIICkDCCAfmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzET -MBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEBxMMRGVmYXVsdCBDaXR5MRIwEAYD -VQQKEwlPcGVuUmVzdHkxFTATBgNVBAMTDHNpZ25pbmctY2EtMTAgFw0xNDEwMTYw -MzI3MDlaGA8yMTE0MDkyMjAzMjcwOVowZDELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExFTATBgNVBAcTDERlZmF1bHQgQ2l0eTESMBAGA1UEChMJT3Bl -blJlc3R5MRUwEwYDVQQDEwxzaWduaW5nLWNhLTIwgZ8wDQYJKoZIhvcNAQEBBQAD -gY0AMIGJAoGBANMkHJKluwDZsfsrHXoyoWxJ6zwtKYDWZYsXOvBL3AxX+9UxaKXk -VIZV+Ruo130yATvPXDgr9bzTi8i2q3ZlMuZL1eT90ZLIM2p088fsl8PHn+TVVXW4 -vTnsLR/GVMgrLRfgBXcoRPfd4W7wWQVR9bm0/r6tQKbVmsFk4JvdZ+XxAgMBAAGj -UDBOMB0GA1UdDgQWBBSzC/V9URZRfig3w6IPHS8QwFGjszAfBgNVHSMEGDAWgBTS 
-MHFWUKa8IcWhoasRpwhb6zqkJzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAAxhwMcRwvA58HadT0PUkFQfJj1UPXdfwLNKwhu2GNISjSRNdvUHCxQ+Fy1C -7oUw2+NNgWdZlwqzu8Un6mnG7plcRDZTPsRHaPj+xlM4++eaDDxseJMp0kl9KdBh -boGb1uwa4j5iYkG8bU0zkXYgXjJwCD4kcv6xioNXBBm1y5m3 ------END CERTIFICATE----- diff --git a/t/cert/test.crt.der b/t/cert/test.crt.der deleted file mode 100644 index 0b6ef6344989954d7fe0d3413cb94317e7179a1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmXqLVp?g?#3aPT$*`0!H*C`OX^#we**LY@JlekVGBUEVG8i;YH{>?pWMd9xVH0Kw z4K@@u5Cm~Jc(|Msb28KNi}ErP4aE#ZK!WT%yupci3T{P-dC8f@$@zvt1_B^)E*?(* zg4DdA)Z&s#m>4&*n4keaNF6f|M+s1kUUGh}p@M-N+##HdVuFe3sd*(;84l^WiJ3Vd z6$T38yoM$Q=0=7F#zw{_=1~&-Muw(_24;rFP=P`0_Qv_h;mpX&z}(mi4C_v&#zux0 ze{0Tqzn!^gf_6@vy}o2ljL=D=55G)zZNEMv6Fs0ykJ+lE#)8{Y% 
diff --git a/t/cert/test.key.der b/t/cert/test.key.der deleted file mode 100644 index 537a4f1b32630ed8b73a53eb18f99af542d0b11e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 610 zcmV-o0-gOZf&yLw0RRGlfdJ_Je9cSknWB&@Y+gSv8Ejk<$ujWzHM+OgnQA27bH(?G zvwd0VtHgZdO&Fxa{oDZx2u&NAi3`Qy4#PXF43j_G(>x!6er|cus?(0ZB>t!VY$Xin z#z@*G1iBYPIy<#jy3#2Gn|5*yN~a|9Ot*MQnC@3fig+;dE@iJ)gjWIs0RRC4fq?+n z0qd&@G6uFtqj{YNM@w?U3P-OB>u%KLjOCXb2ZElDnF8m$Y=7%>KGvIhXNXj2LOkFA zE}(c}#Qs9l7x%8{GgBjQR_!0VBIb&^QH-hHEe7={x{QhyA3gr_Ba~{a3T&^NMSm4b zMl2nffw1zquOoTVB`~o~Je}#N1Kt4wK>+k*y+f0acv%dzTx=l?U)WTvWDAY|S1D!! zYGdXa0N%_<@snF8-R^aU{g@=&W4-@qp@)bt!|uUOjXfGkmf-?H0Q3$VEtUG+lLOyA z=(zg%HZX8uB!uA&eOgD`nUMNL;1~TtcdEdiixbtiKx5>mnPuBc4vN2!w$MqwY(@N9 zHv&K;kw!RdMb%CXwwCpt&w%6_^k@QYX6Xex&=E1Rz>I=M6Yr8~MuBJVrmgOmG>X z&}cSw`3puBNks~+?}99m&sE_Xc%PwqZKC)t9en~p0P2=mdc7ora Date: Sat, 2 Jan 2016 11:47:14 -0800 Subject: [PATCH 45/56] refactor: now we no longer rely on the lua_ctx field added by patching the nginx core. yay! --- src/ngx_http_lua_ssl_certby.c | 24 ++++++++++++++++++++++-- src/ngx_http_lua_util.c | 8 +++++--- src/ngx_http_lua_util.h | 4 ++++ 3 files changed, 31 insertions(+), 5 deletions(-) diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c index 8013c0427b..bf9d44a6eb 100644 --- a/src/ngx_http_lua_ssl_certby.c +++ b/src/ngx_http_lua_ssl_certby.c @@ -30,6 +30,9 @@ static ngx_int_t ngx_http_lua_ssl_cert_by_chunk(lua_State *L, ngx_http_request_t *r); +int ngx_http_lua_ssl_ctx_index = -1; + + ngx_int_t ngx_http_lua_ssl_cert_handler_file(ngx_http_request_t *r, ngx_http_lua_srv_conf_t *lscf, lua_State *L) 
@@ -119,6 +122,17 @@ ngx_http_lua_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
 return "is duplicate";
 }
+ if (ngx_http_lua_ssl_ctx_index == -1) {
+ ngx_http_lua_ssl_ctx_index = SSL_get_ex_new_index(0, NULL, NULL,
+ NULL, NULL);
+
+ if (ngx_ssl_connection_index == -1) {
+ ngx_ssl_error(NGX_LOG_ALERT, cf->log, 0,
+ "lua: SSL_get_ex_new_index() failed");
+ return NGX_CONF_ERROR;
+ }
+ }
+
 value = cf->args->elts;
 lscf->ssl.cert_handler = (ngx_http_lua_srv_conf_handler_pt) cmd->post;
@@ -185,7 +199,7 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 dd("c = %p", c);
- cctx = c->ssl->lua_ctx;
+ cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
 dd("ssl cert handler, cert-ctx=%p", cctx);
@@ -245,7 +259,13 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 dd("setting cctx");
- c->ssl->lua_ctx = cctx;
+ if (SSL_set_ex_data(c->ssl->connection, ngx_http_lua_ssl_ctx_index, cctx)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
+ goto failed;
+ return NGX_ERROR;
+ }
 lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module);
diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
index ac6ae8452f..8167fe23c7 100644
--- a/src/ngx_http_lua_util.c
+++ b/src/ngx_http_lua_util.c
@@ -3569,9 +3569,11 @@ ngx_http_lua_finalize_fake_request(ngx_http_request_t *r, ngx_int_t rc)
 if (ssl_conn) {
 c = ngx_ssl_get_connection(ssl_conn);
- if (c && c->ssl && c->ssl->lua_ctx) {
- cctx = c->ssl->lua_ctx;
- cctx->exit_code = 0;
+ if (c && c->ssl) {
+ cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
+ if (cctx != NULL) {
+ cctx->exit_code = 0;
+ }
 }
 }
 }
diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
index 12bab873ae..8b0ed11792 100644
--- a/src/ngx_http_lua_util.h
+++ b/src/ngx_http_lua_util.h
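Review bot: The failure check after `SSL_get_ex_new_index()` tests the wrong variable: it reads `ngx_ssl_connection_index` (the nginx core's own ex-data index, unrelated to the value just assigned) instead of `ngx_http_lua_ssl_ctx_index`, so an allocation that returns -1 is never detected and the later `SSL_set_ex_data()`/`SSL_get_ex_data()` calls would run with an invalid index. The condition should be `if (ngx_http_lua_ssl_ctx_index == -1) {`. Since the index is only allocated from this directive handler, it also stays -1 on any server that never configures `ssl_certificate_by_lua*`, which every other reader of the index has to tolerate. ngx_http_lua_ssl_cert_by_lua's body continues outside the hunk.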
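Review bot: In the `SSL_set_ex_data()` error branch of the `@@ -245,7 +259,13 @@` hunk, the `return NGX_ERROR;` that follows `goto failed;` is unreachable and should be dropped so the branch reads `ngx_ssl_error(...); goto failed;`. Whether the `failed:` label releases the cctx that was just created before `dd("setting cctx")` cannot be seen from here; if it does not, this path leaks the context object and the label needs that cleanup. The rest of ngx_http_lua_ssl_cert_handler, including `failed:`, lies outside the hunk.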
@@ -129,6 +129,9 @@ ngx_http_lua_ffi_check_context(ngx_http_lua_ctx_t *ctx, unsigned flags,
 }
+#define ngx_http_lua_ssl_get_ctx(ssl_conn) \
+ SSL_get_ex_data(ssl_conn, ngx_http_lua_ssl_ctx_index)
+
 lua_State *ngx_http_lua_init_vm(lua_State *parent_vm, ngx_cycle_t *cycle, ngx_pool_t *pool, ngx_http_lua_main_conf_t *lmcf, ngx_log_t *log, ngx_pool_cleanup_t **pcln);
@@ -429,6 +432,7 @@ ngx_http_lua_get_flush_chain(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx)
 extern ngx_uint_t ngx_http_lua_location_hash;
 extern ngx_uint_t ngx_http_lua_content_length_hash;
+extern int ngx_http_lua_ssl_ctx_index;
 #endif /* _NGX_HTTP_LUA_UTIL_H_INCLUDED_ */
From 0659a97fcadd08924f601357d6116977ced8919c Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sat, 2 Jan 2016 21:30:30 -0800
Subject: [PATCH 46/56] minor coding style tweaks.
---
 src/ngx_http_lua_util.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
index 8b0ed11792..f0e8923c24 100644
--- a/src/ngx_http_lua_util.h
+++ b/src/ngx_http_lua_util.h
@@ -132,6 +132,7 @@ ngx_http_lua_ffi_check_context(ngx_http_lua_ctx_t *ctx, unsigned flags,
 #define ngx_http_lua_ssl_get_ctx(ssl_conn) \
 SSL_get_ex_data(ssl_conn, ngx_http_lua_ssl_ctx_index)
+
 lua_State *ngx_http_lua_init_vm(lua_State *parent_vm, ngx_cycle_t *cycle, ngx_pool_t *pool, ngx_http_lua_main_conf_t *lmcf, ngx_log_t *log, ngx_pool_cleanup_t **pcln);
From fd56abdfb12664705dc6fa531c4380f29795784b Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sat, 2 Jan 2016 21:42:57 -0800
Subject: [PATCH 47/56] feature: enabled the ngx.semaphore API in the ssl_certificate_by_lua* context.
---
 src/ngx_http_lua_semaphore.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ngx_http_lua_semaphore.c b/src/ngx_http_lua_semaphore.c
index 3a4eddc23b..3754b6efec 100644
--- a/src/ngx_http_lua_semaphore.c
+++ b/src/ngx_http_lua_semaphore.c
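Review bot: The new `ngx_http_lua_ssl_get_ctx` macro passes its argument unparenthesized, so an expression argument would bind incorrectly; write it as `SSL_get_ex_data((ssl_conn), ngx_http_lua_ssl_ctx_index)`. The macro is also reached from ngx_http_lua_finalize_fake_request (the util.c hunk of this same commit) for any connection with `c->ssl` set, which means it is called with `ngx_http_lua_ssl_ctx_index` still at -1 when no `ssl_certificate_by_lua*` directive was configured; that relies on `SSL_get_ex_data()` returning NULL for a negative index, and a short comment on the macro stating that assumption, or an explicit `ngx_http_lua_ssl_ctx_index == -1 ? NULL : ...` guard, would make the contract visible.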
@@ -336,7 +336,8 @@ ngx_http_lua_ffi_semaphore_wait(ngx_http_request_t *r,
 rc = ngx_http_lua_ffi_check_context(ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT
- | NGX_HTTP_LUA_CONTEXT_TIMER,
+ | NGX_HTTP_LUA_CONTEXT_TIMER
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT,
 err, errlen);
 if (rc != NGX_OK) {
From 4d02c3fafdfbb2ccd1a227f7dce68dbbebcc3e39 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sat, 2 Jan 2016 22:47:30 -0800
Subject: [PATCH 48/56] feature: enabled the datagram-typed cosocket API in the context of ssl_certificate_by_lua*.
---
 src/ngx_http_lua_socket_udp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/ngx_http_lua_socket_udp.c b/src/ngx_http_lua_socket_udp.c
index 827cee2f77..bfb122f778 100644
--- a/src/ngx_http_lua_socket_udp.c
+++ b/src/ngx_http_lua_socket_udp.c
@@ -140,7 +140,8 @@ ngx_http_lua_socket_udp(lua_State *L)
 ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT
- | NGX_HTTP_LUA_CONTEXT_TIMER);
+ | NGX_HTTP_LUA_CONTEXT_TIMER
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 lua_createtable(L, 3 /* narr */, 1 /* nrec */);
 lua_pushlightuserdata(L, &ngx_http_lua_socket_udp_metatable_key);
@@ -200,7 +201,8 @@ ngx_http_lua_socket_udp_setpeername(lua_State *L)
 ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT
- | NGX_HTTP_LUA_CONTEXT_TIMER);
+ | NGX_HTTP_LUA_CONTEXT_TIMER
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 luaL_checktype(L, 1, LUA_TTABLE);
From 34596e17ae93074b4833569a3d48d14f5590b27e Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sun, 3 Jan 2016 10:16:40 -0800
Subject: [PATCH 49/56] documented the ssl_certificate_by_lua* directives.
---
 README.markdown | 159 +++++++++++++++++++++++++++++++++--------
 doc/HttpLuaModule.wiki | 150 ++++++++++++++++++++++++++++++--------
 2 files changed, 247 insertions(+), 62 deletions(-)
diff --git a/README.markdown b/README.markdown index c646dbe403..8928944313 100644 --- a/README.markdown +++ b/README.markdown @@ -1031,6 +1031,8 @@ Directives * [balancer_by_lua_block](#balancer_by_lua_block) * [balancer_by_lua_file](#balancer_by_lua_file) * [lua_need_request_body](#lua_need_request_body) +* [ssl_certificate_by_lua_block](#ssl_certificate_by_lua_block) +* [ssl_certificate_by_lua_file](#ssl_certificate_by_lua_file) * [lua_shared_dict](#lua_shared_dict) * [lua_socket_connect_timeout](#lua_socket_connect_timeout) * [lua_socket_send_timeout](#lua_socket_send_timeout) 
@@ -2324,6 +2326,101 @@ This also applies to [access_by_lua](#access_by_lua) and [access_by_lua_file](#a [Back to TOC](#directives) +ssl_certificate_by_lua_block +---------------------------- + +**syntax:** *ssl_certificate_by_lua_block { lua-script }* + +**context:** *server* + +**phase:** *right-before-SSL-handshake* + +This directive runs user Lua code when NGINX is about to start the SSL handshake for the downstream +SSL (https) connections. + +It is particularly useful for setting the SSL certificate chain and the corresponding private key on a per-request +basis. It is also useful to load such handshake configurations nonblockingly from the remote (for example, +with the [#ngx.socket.tcp](http://wiki.nginx.org/cosocket) API). And one can also do per-request OCSP stapling handling in pure +Lua here as well. + +Another typical use case is to do SSL handshake traffic control nonblockingly in this context, +with the help of the [lua-resty-limit-traffic](https://github.com/openresty/lua-resty-limit-traffic) library, for example. + +One can also do interesting things with the SSL handshake requests from the client side, like +rejecting old SSL clients using the SSLv3 protocol or even below selectively. + +The [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md) +and [ngx.ocsp](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md) Lua modules +provided by the [lua-resty-core](https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2) +library are particularly useful in this context. You can use the Lua API offered by these two Lua modules +to manipulate the SSL certificate chain and private key for the current SSL connection +being initiated. + +This Lua handler does not run at all, however, when NGINX/OpenSSL successfully resumes +the SSL session via SSL session IDs or TLS session tickets for the current SSL connection. 
In +other words, this Lua handler only runs when NGINX has to initiate a full SSL handshake. + +Below is a trivial example using the +[ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md) module +at the same time: + +```nginx + + server { + listen 443 ssl; + server_name test.com; + + ssl_certificate_by_lua_block { + print("About to initiate a new SSL handshake!") + } + + location / { + root html; + } + } +``` + +See more complicated examples in the [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md) +and [ngx.ocsp](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md) +Lua modules' official documentation. + +Uncaught Lua exceptions in the user Lua code immediately abort the current SSL session, so does the +[ngx.exit](#ngxexit) call with an error code like `ngx.ERROR`. + +This Lua code execution context *does* support yielding, so Lua APIs that may yield +(like cosockets, sleeping, and "light threads") +are enabled in this context. + +This directive currently requires the following NGINX core patch to work correctly: + + + +The bundled version of hte NGINX core in OpenResty 1.9.7.2 or above already has this +patch applied. + +Furthermore, one needs at least OpenSSL 1.0.2e for this directive to work. + +This directive was first introduced in the `v0.10.0` release. + +[Back to TOC](#directives) + +ssl_certificate_by_lua_file +--------------------------- + +**syntax:** *ssl_certificate_by_lua_file <path-to-lua-script-file>* + +**context:** *server* + +**phase:** *right-before-SSL-handshake* + +Equivalent to [ssl_certificate_by_lua_block](#ssl_certificate_by_lua_block), except that the file specified by `` contains the Lua code, or, as from the `v0.5.0rc32` release, the [Lua/LuaJIT bytecode](#lualuajit-bytecode-support) to be executed. 
+ +When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server. + +This directive was first introduced in the `v0.10.0` release. + +[Back to TOC](#directives) + lua_shared_dict --------------- @@ -3108,7 +3205,7 @@ print ----- **syntax:** *print(...)* -**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua, log_by_lua*, ngx.timer.*, ngx.balancer_by_lua** +**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua, log_by_lua*, ngx.timer.*, balancer_by_lua*, certificate_by_lua** Writes argument values into the nginx `error.log` file with the `ngx.NOTICE` log level. @@ -4805,7 +4902,7 @@ ngx.log ------- **syntax:** *ngx.log(log_level, ...)* -**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua** +**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua** Log arguments concatenated to error.log with the given logging level. @@ -4841,7 +4938,7 @@ ngx.exit -------- **syntax:** *ngx.exit(status)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, ngx.timer.*, balancer_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua** When `status >= 200` (i.e., `ngx.HTTP_OK` and above), it will interrupt the execution of the current request and return status code to nginx. 
@@ -4929,7 +5026,7 @@ ngx.sleep --------- **syntax:** *ngx.sleep(seconds)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Sleeps for the specified seconds without blocking. One can specify time resolution up to 0.001 seconds (i.e., one milliseconds). @@ -6056,7 +6153,7 @@ ngx.socket.udp -------------- **syntax:** *udpsock = ngx.socket.udp()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Creates and returns a UDP or datagram-oriented unix domain socket object (also known as one type of the "cosocket" objects). The following methods are supported on this object: @@ -6080,7 +6177,7 @@ udpsock:setpeername **syntax:** *ok, err = udpsock:setpeername("unix:/path/to/unix-domain.socket")* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Attempts to connect a UDP socket object to a remote server or to a datagram unix domain socket file. Because the datagram protocol is actually connection-less, this method does not really establish a "connection", but only just set the name of the remote peer for subsequent read/write operations. @@ -6139,7 +6236,7 @@ udpsock:send ------------ **syntax:** *ok, err = udpsock:send(data)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Sends data on the current UDP or datagram unix domain socket object. 
@@ -6155,7 +6252,7 @@ udpsock:receive --------------- **syntax:** *data, err = udpsock:receive(size?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Receives data from the UDP or datagram unix domain socket object with an optional receive buffer size argument, `size`. @@ -6190,7 +6287,7 @@ udpsock:close ------------- **syntax:** *ok, err = udpsock:close()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Closes the current UDP or datagram unix domain socket. It returns the `1` in case of success and returns `nil` with a string describing the error otherwise. @@ -6204,7 +6301,7 @@ udpsock:settimeout ------------------ **syntax:** *udpsock:settimeout(time)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Set the timeout value in milliseconds for subsequent socket operations (like [receive](#udpsockreceive)). @@ -6218,7 +6315,7 @@ ngx.socket.tcp -------------- **syntax:** *tcpsock = ngx.socket.tcp()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Creates and returns a TCP or stream-oriented unix domain socket object (also known as one type of the "cosocket" objects). The following methods are supported on this object: 
@@ -6264,7 +6361,7 @@ tcpsock:connect **syntax:** *ok, err = tcpsock:connect("unix:/path/to/unix-domain.socket", options_table?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Attempts to connect a TCP socket object to a remote server or to a stream unix domain socket file without blocking. @@ -6343,7 +6440,7 @@ tcpsock:sslhandshake -------------------- **syntax:** *session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Does SSL/TLS handshake on the currently established connection. @@ -6385,7 +6482,7 @@ tcpsock:send ------------ **syntax:** *bytes, err = tcpsock:send(data)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Sends data without blocking on the current TCP or Unix Domain Socket connection. @@ -6417,7 +6514,7 @@ tcpsock:receive **syntax:** *data, err, partial = tcpsock:receive(pattern?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Receives data from the connected socket according to the reading pattern or size. 
@@ -6459,7 +6556,7 @@ tcpsock:receiveuntil -------------------- **syntax:** *iterator = tcpsock:receiveuntil(pattern, options?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** This method returns an iterator Lua function that can be called to read the data stream until it sees the specified pattern or an error occurs. @@ -6558,7 +6655,7 @@ tcpsock:close ------------- **syntax:** *ok, err = tcpsock:close()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Closes the current TCP or stream unix domain socket. It returns the `1` in case of success and returns `nil` with a string describing the error otherwise. @@ -6574,7 +6671,7 @@ tcpsock:settimeout ------------------ **syntax:** *tcpsock:settimeout(time)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Set the timeout value in milliseconds for subsequent socket operations ([connect](#tcpsockconnect), [receive](#tcpsockreceive), and iterators returned from [receiveuntil](#tcpsockreceiveuntil)). @@ -6590,7 +6687,7 @@ tcpsock:setoption ----------------- **syntax:** *tcpsock:setoption(option, value?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** This function is added for [LuaSocket](http://w3.impa.br/~diego/software/luasocket/tcp.html) API compatibility and does nothing for now. Its functionality will be implemented in future. 
@@ -6602,7 +6699,7 @@ tcpsock:setkeepalive -------------------- **syntax:** *ok, err = tcpsock:setkeepalive(timeout?, size?)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Puts the current socket's connection immediately into the cosocket built-in connection pool and keep it alive until other [connect](#tcpsockconnect) method calls request it or the associated maximal idle timeout is expired. @@ -6630,7 +6727,7 @@ tcpsock:getreusedtimes ---------------------- **syntax:** *count, err = tcpsock:getreusedtimes()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** This method returns the (successfully) reused times for the current connection. In case of error, it returns `nil` and a string describing the error. @@ -6670,7 +6767,7 @@ ngx.get_phase ------------- **syntax:** *str = ngx.get_phase()* -**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.** +**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua** Retrieves the current running phase name. Possible return values are 
@@ -6703,7 +6800,7 @@ ngx.thread.spawn ---------------- **syntax:** *co = ngx.thread.spawn(func, arg1, arg2, ...)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Spawns a new user "light thread" with the Lua function `func` as well as those optional arguments `arg1`, `arg2`, and etc. Returns a Lua thread (or Lua coroutine) object represents this "light thread". @@ -6841,7 +6938,7 @@ ngx.thread.wait --------------- **syntax:** *ok, res1, res2, ... = ngx.thread.wait(thread1, thread2, ...)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua** Waits on one or more child "light threads" and returns the results of the first "light thread" that terminates (either successfully or with an error). @@ -7355,7 +7452,7 @@ coroutine.create ---------------- **syntax:** *co = coroutine.create(f)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** Creates a user Lua coroutines with a Lua function, and returns a coroutine object. @@ -7371,7 +7468,7 @@ coroutine.resume ---------------- **syntax:** *ok, ... = coroutine.resume(co, ...)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** Resumes the executation of a user Lua coroutine object previously yielded or just created. 
@@ -7387,9 +7484,9 @@ coroutine.yield --------------- **syntax:** *... = coroutine.yield(...)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** -Yields the executation of the current user Lua coroutine. +Yields the execution of the current user Lua coroutine. Similar to the standard Lua [coroutine.yield](http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.yield) API, but works in the context of the Lua coroutines created by ngx_lua. @@ -7403,7 +7500,7 @@ coroutine.wrap -------------- **syntax:** *co = coroutine.wrap(f)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** Similar to the standard Lua [coroutine.wrap](http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.wrap) API, but works in the context of the Lua coroutines created by ngx_lua. @@ -7417,7 +7514,7 @@ coroutine.running ----------------- **syntax:** *co = coroutine.running()* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** Identical to the standard Lua [coroutine.running](http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.running) API. 
@@ -7431,7 +7528,7 @@ coroutine.status ---------------- **syntax:** *status = coroutine.status(co)* -**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua** +**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua** Identical to the standard Lua [coroutine.status](http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.status) API. diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki index 446594e9ba..2adc9702e0 100644 --- a/doc/HttpLuaModule.wiki +++ b/doc/HttpLuaModule.wiki 
@@ -1948,6 +1948,94 @@ It is recommended however, to use the [[#ngx.req.read_body|ngx.req.read_body]] a This also applies to [[#access_by_lua|access_by_lua]] and [[#access_by_lua_file|access_by_lua_file]]. +== ssl_certificate_by_lua_block == + +'''syntax:''' ''ssl_certificate_by_lua_block { lua-script }'' + +'''context:''' ''server'' + +'''phase:''' ''right-before-SSL-handshake'' + +This directive runs user Lua code when NGINX is about to start the SSL handshake for the downstream +SSL (https) connections. + +It is particularly useful for setting the SSL certificate chain and the corresponding private key on a per-request +basis. It is also useful to load such handshake configurations nonblockingly from the remote (for example, +with the [[cosocket|#ngx.socket.tcp]] API). And one can also do per-request OCSP stapling handling in pure +Lua here as well. + +Another typical use case is to do SSL handshake traffic control nonblockingly in this context, +with the help of the [https://github.com/openresty/lua-resty-limit-traffic lua-resty-limit-traffic] library, for example. + +One can also do interesting things with the SSL handshake requests from the client side, like +rejecting old SSL clients using the SSLv3 protocol or even below selectively. + +The [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md ngx.ssl] +and [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md ngx.ocsp] Lua modules +provided by the [https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2 lua-resty-core] +library are particularly useful in this context. You can use the Lua API offered by these two Lua modules +to manipulate the SSL certificate chain and private key for the current SSL connection +being initiated. + +This Lua handler does not run at all, however, when NGINX/OpenSSL successfully resumes +the SSL session via SSL session IDs or TLS session tickets for the current SSL connection. 
In +other words, this Lua handler only runs when NGINX has to initiate a full SSL handshake. + +Below is a trivial example using the +[https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md ngx.ssl] module +at the same time: + + + server { + listen 443 ssl; + server_name test.com; + + ssl_certificate_by_lua_block { + print("About to initiate a new SSL handshake!") + } + + location / { + root html; + } + } + + +See more complicated examples in the [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md ngx.ssl] +and [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md ngx.ocsp] +Lua modules' official documentation. + +Uncaught Lua exceptions in the user Lua code immediately abort the current SSL session, so does the +[[#ngx.exit|ngx.exit]] call with an error code like ngx.ERROR. + +This Lua code execution context *does* support yielding, so Lua APIs that may yield +(like cosockets, sleeping, and "light threads") +are enabled in this context. + +This directive currently requires the following NGINX core patch to work correctly: + +http://mailman.nginx.org/pipermail/nginx-devel/2016-January/007748.html + +The bundled version of hte NGINX core in OpenResty 1.9.7.2 or above already has this +patch applied. + +Furthermore, one needs at least OpenSSL 1.0.2e for this directive to work. + +This directive was first introduced in the v0.10.0 release. + +== ssl_certificate_by_lua_file == + +'''syntax:''' ''ssl_certificate_by_lua_file '' + +'''context:''' ''server'' + +'''phase:''' ''right-before-SSL-handshake'' + +Equivalent to [[#ssl_certificate_by_lua_block|ssl_certificate_by_lua_block]], except that the file specified by contains the Lua code, or, as from the v0.5.0rc32 release, the [[#Lua/LuaJIT bytecode support|Lua/LuaJIT bytecode]] to be executed. 
+ +When a relative path like foo/bar.lua is given, they will be turned into the absolute path relative to the server prefix path determined by the -p PATH command-line option while starting the Nginx server. + +This directive was first introduced in the v0.10.0 release. + == lua_shared_dict == '''syntax:''' ''lua_shared_dict '' @@ -2497,7 +2585,7 @@ These constants are usually used by the [[#ngx.log|ngx.log]] method. == print == '''syntax:''' ''print(...)'' -'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua, log_by_lua*, ngx.timer.*, ngx.balancer_by_lua*'' +'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua, log_by_lua*, ngx.timer.*, balancer_by_lua*, certificate_by_lua*'' Writes argument values into the nginx error.log file with the ngx.NOTICE log level. @@ -3989,7 +4077,7 @@ Just as [[#ngx.print|ngx.print]] but also emit a trailing newline. == ngx.log == '''syntax:''' ''ngx.log(log_level, ...)'' -'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*'' +'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*'' Log arguments concatenated to error.log with the given logging level. 
@@ -4019,7 +4107,7 @@ Since v0.8.3 this function returns 1 on success, or re == ngx.exit == '''syntax:''' ''ngx.exit(status)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, ngx.timer.*, balancer_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*'' When status >= 200 (i.e., ngx.HTTP_OK and above), it will interrupt the execution of the current request and return status code to nginx. @@ -4096,7 +4184,7 @@ Since v0.8.3 this function returns 1 on success, or re == ngx.sleep == '''syntax:''' ''ngx.sleep(seconds)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Sleeps for the specified seconds without blocking. One can specify time resolution up to 0.001 seconds (i.e., one milliseconds). @@ -5063,7 +5151,7 @@ This feature was first introduced in the v0.7.3 release. == ngx.socket.udp == '''syntax:''' ''udpsock = ngx.socket.udp()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Creates and returns a UDP or datagram-oriented unix domain socket object (also known as one type of the "cosocket" objects). The following methods are supported on this object: 
@@ -5084,7 +5172,7 @@ See also [[#ngx.socket.tcp|ngx.socket.tcp]]. '''syntax:''' ''ok, err = udpsock:setpeername("unix:/path/to/unix-domain.socket")'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Attempts to connect a UDP socket object to a remote server or to a datagram unix domain socket file. Because the datagram protocol is actually connection-less, this method does not really establish a "connection", but only just set the name of the remote peer for subsequent read/write operations. @@ -5137,7 +5225,7 @@ This method was first introduced in the v0.5.7 release. == udpsock:send == '''syntax:''' ''ok, err = udpsock:send(data)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Sends data on the current UDP or datagram unix domain socket object. @@ -5150,7 +5238,7 @@ This feature was first introduced in the v0.5.7 release. == udpsock:receive == '''syntax:''' ''data, err = udpsock:receive(size?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Receives data from the UDP or datagram unix domain socket object with an optional receive buffer size argument, size. @@ -5181,7 +5269,7 @@ This feature was first introduced in the v0.5.7 release. == udpsock:close == '''syntax:''' ''ok, err = udpsock:close()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Closes the current UDP or datagram unix domain socket. It returns the 1 in case of success and returns nil with a string describing the error otherwise. 
@@ -5192,7 +5280,7 @@ This feature was first introduced in the v0.5.7 release. == udpsock:settimeout == '''syntax:''' ''udpsock:settimeout(time)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Set the timeout value in milliseconds for subsequent socket operations (like [[#udpsock:receive|receive]]). @@ -5203,7 +5291,7 @@ This feature was first introduced in the v0.5.7 release. == ngx.socket.tcp == '''syntax:''' ''tcpsock = ngx.socket.tcp()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Creates and returns a TCP or stream-oriented unix domain socket object (also known as one type of the "cosocket" objects). The following methods are supported on this object: @@ -5246,7 +5334,7 @@ See also [[#ngx.socket.udp|ngx.socket.udp]]. '''syntax:''' ''ok, err = tcpsock:connect("unix:/path/to/unix-domain.socket", options_table?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Attempts to connect a TCP socket object to a remote server or to a stream unix domain socket file without blocking. @@ -5318,7 +5406,7 @@ This method was first introduced in the v0.5.0rc1 release. == tcpsock:sslhandshake == '''syntax:''' ''session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Does SSL/TLS handshake on the currently established connection. 
@@ -5357,7 +5445,7 @@ This method was first introduced in the v0.9.11 release. == tcpsock:send == '''syntax:''' ''bytes, err = tcpsock:send(data)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Sends data without blocking on the current TCP or Unix Domain Socket connection. @@ -5385,7 +5473,7 @@ This feature was first introduced in the v0.5.0rc1 release. '''syntax:''' ''data, err, partial = tcpsock:receive(pattern?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Receives data from the connected socket according to the reading pattern or size. @@ -5423,7 +5511,7 @@ This feature was first introduced in the v0.5.0rc1 release. == tcpsock:receiveuntil == '''syntax:''' ''iterator = tcpsock:receiveuntil(pattern, options?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' This method returns an iterator Lua function that can be called to read the data stream until it sees the specified pattern or an error occurs. @@ -5515,7 +5603,7 @@ This method was first introduced in the v0.5.0rc1 release. == tcpsock:close == '''syntax:''' ''ok, err = tcpsock:close()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Closes the current TCP or stream unix domain socket. It returns the 1 in case of success and returns nil with a string describing the error otherwise. 
@@ -5528,7 +5616,7 @@ This feature was first introduced in the v0.5.0rc1 release. == tcpsock:settimeout == '''syntax:''' ''tcpsock:settimeout(time)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Set the timeout value in milliseconds for subsequent socket operations ([[#tcpsock:connect|connect]], [[#tcpsock:receive|receive]], and iterators returned from [[#tcpsock:receiveuntil|receiveuntil]]). @@ -5541,7 +5629,7 @@ This feature was first introduced in the v0.5.0rc1 release. == tcpsock:setoption == '''syntax:''' ''tcpsock:setoption(option, value?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' This function is added for [http://w3.impa.br/~diego/software/luasocket/tcp.html LuaSocket] API compatibility and does nothing for now. Its functionality will be implemented in future. @@ -5550,7 +5638,7 @@ This feature was first introduced in the v0.5.0rc1 release. == tcpsock:setkeepalive == '''syntax:''' ''ok, err = tcpsock:setkeepalive(timeout?, size?)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Puts the current socket's connection immediately into the cosocket built-in connection pool and keep it alive until other [[#tcpsock:connect|connect]] method calls request it or the associated maximal idle timeout is expired. 
@@ -5575,7 +5663,7 @@ This feature was first introduced in the v0.5.0rc1 release. == tcpsock:getreusedtimes == '''syntax:''' ''count, err = tcpsock:getreusedtimes()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' This method returns the (successfully) reused times for the current connection. In case of error, it returns nil and a string describing the error. @@ -5608,7 +5696,7 @@ This feature was first introduced in the v0.5.0rc1 release. == ngx.get_phase == '''syntax:''' ''str = ngx.get_phase()'' -'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*'' +'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*'' Retrieves the current running phase name. Possible return values are @@ -5638,7 +5726,7 @@ This API was first introduced in the v0.5.10 release. == ngx.thread.spawn == '''syntax:''' ''co = ngx.thread.spawn(func, arg1, arg2, ...)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Spawns a new user "light thread" with the Lua function func as well as those optional arguments arg1, arg2, and etc. Returns a Lua thread (or Lua coroutine) object represents this "light thread". 
@@ -5771,7 +5859,7 @@ This API was first enabled in the v0.7.0 release. == ngx.thread.wait == '''syntax:''' ''ok, res1, res2, ... = ngx.thread.wait(thread1, thread2, ...)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*'' Waits on one or more child "light threads" and returns the results of the first "light thread" that terminates (either successfully or with an error). @@ -6225,7 +6313,7 @@ This feature requires the [https://github.com/simpl/ngx_devel_kit ngx_devel_kit] == coroutine.create == '''syntax:''' ''co = coroutine.create(f)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' Creates a user Lua coroutines with a Lua function, and returns a coroutine object. @@ -6238,7 +6326,7 @@ This API was first introduced in the v0.6.0 release. == coroutine.resume == '''syntax:''' ''ok, ... = coroutine.resume(co, ...)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' Resumes the executation of a user Lua coroutine object previously yielded or just created. 
@@ -6251,9 +6339,9 @@ This API was first introduced in the v0.6.0 release. == coroutine.yield == '''syntax:''' ''... = coroutine.yield(...)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' -Yields the executation of the current user Lua coroutine. +Yields the execution of the current user Lua coroutine. Similar to the standard Lua [http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.yield coroutine.yield] API, but works in the context of the Lua coroutines created by ngx_lua. @@ -6264,7 +6352,7 @@ This API was first introduced in the v0.6.0 release. == coroutine.wrap == '''syntax:''' ''co = coroutine.wrap(f)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' Similar to the standard Lua [http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.wrap coroutine.wrap] API, but works in the context of the Lua coroutines created by ngx_lua. @@ -6275,7 +6363,7 @@ This API was first introduced in the v0.6.0 release. == coroutine.running == '''syntax:''' ''co = coroutine.running()'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' Identical to the standard Lua [http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.running coroutine.running] API. 
@@ -6286,7 +6374,7 @@ This API was first enabled in the v0.6.0 release. == coroutine.status == '''syntax:''' ''status = coroutine.status(co)'' -'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*'' +'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, init_by_lua*, ngx.timer.*, header_filter_by_lua*, body_filter_by_lua*, ssl_certificate_by_lua*'' Identical to the standard Lua [http://www.lua.org/manual/5.1/manual.html#pdf-coroutine.status coroutine.status] API. From d014f9ab5b4367b51e6d508b292c4643b76de2dc Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sun, 3 Jan 2016 11:06:54 -0800 Subject: [PATCH 50/56] added pure C API function, ngx_http_lua_ffi_priv_key_pem_to_der. thanks yejingx for the patch in #537. --- src/ngx_http_lua_ssl_certby.c | 47 +++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c index bf9d44a6eb..3b1c8e2e6c 100644 --- a/src/ngx_http_lua_ssl_certby.c +++ b/src/ngx_http_lua_ssl_certby.c 
@@ -879,6 +879,53 @@ ngx_http_lua_ffi_cert_pem_to_der(const u_char *pem, size_t pem_len, u_char *der, return total; } + +int +ngx_http_lua_ffi_priv_key_pem_to_der(const u_char *pem, size_t pem_len, + u_char *der, char **err) +{ + int len; + BIO *in; + RSA *rsa; + EVP_PKEY *pkey; + + in = BIO_new_mem_buf((char *) pem, (int) pem_len); + if (in == NULL) { + *err = "BIO_new_mem_buf() failed"; + return NGX_ERROR; + } + + pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); + if (pkey == NULL) { + BIO_free(in); + *err = "PEM_read_bio_PrivateKey failed"; + return NGX_ERROR; + } + + BIO_free(in); + + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + EVP_PKEY_free(pkey); + *err = "EVP_PKEY_get1_RSA failed"; + return NGX_ERROR; + } + + EVP_PKEY_free(pkey); + + len = i2d_RSAPrivateKey(rsa, &der); + if (len < 0) { + RSA_free(rsa); + *err = "i2d_RSAPrivateKey failed"; + return NGX_ERROR; + } + + RSA_free(rsa); + + return len; +} + + #endif /* NGX_LUA_NO_FFI_API */ From acd0109001d881feb8bf1ee2a6418da7c7b8539c Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sun, 3 Jan 2016 11:23:07 -0800 Subject: [PATCH 51/56] doc: updated TODO to reflect recent changes. --- README.markdown | 1 - doc/HttpLuaModule.wiki | 1 - 2 files changed, 2 deletions(-) diff --git a/README.markdown b/README.markdown index d93b5d5158..1883f9e60b 100644 --- a/README.markdown +++ b/README.markdown 
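Review bot: The new `ngx_http_lua_ffi_priv_key_pem_to_der` rejects every non-RSA key: `EVP_PKEY_get1_RSA()` returns NULL for an EC private key, so a PEM that `PEM_read_bio_PrivateKey()` parsed successfully is reported as "EVP_PKEY_get1_RSA failed", which makes an unsupported key type look like a parse error. Encoding the `EVP_PKEY` directly with `i2d_PrivateKey()` removes the RSA special case and the `rsa` local (OpenSSL's legacy encoder still emits the PKCS#1 RSAPrivateKey form for RSA, so existing callers keep the same bytes), provided whatever consumes this DER on the Lua side decodes it with `d2i_AutoPrivateKey()`/`d2i_PrivateKey()` rather than `d2i_RSAPrivateKey()` — that consumer is not in this hunk. Separately, `der` carries no capacity, so the `i2d_*` call writes as many bytes as the key needs into a caller-sized buffer; either add a `der_len` parameter and measure first with `i2d_PrivateKey(pkey, NULL)`, or at least document above the function that callers must size `der` to at least `pem_len` bytes (DER is always shorter than the base64 PEM it came from). The NULL password callback means an encrypted PEM falls into OpenSSL's default callback, which tries to prompt for a passphrase inside an nginx worker; a callback that returns -1 makes that fail cleanly instead. Each error path also leaves the OpenSSL per-thread error queue populated, so an `ERR_clear_error()` next to each `*err = ...` keeps stale entries from surfacing in the next SSL operation on this worker.
```c
    /* … unchanged: BIO_new_mem_buf() and its NULL check … */

    pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
    BIO_free(in);

    if (pkey == NULL) {
        *err = "PEM_read_bio_PrivateKey failed";
        return NGX_ERROR;
    }

    /* encode whatever key type was parsed (RSA, EC, ...) instead of
     * forcing RSA; for RSA this still yields PKCS#1 RSAPrivateKey */
    len = i2d_PrivateKey(pkey, &der);
    EVP_PKEY_free(pkey);

    if (len < 0) {
        *err = "i2d_PrivateKey failed";
        return NGX_ERROR;
    }

    return len;
```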
@@ -859,7 +859,6 @@ TODO } } ``` -* ssl: implement directives `ssl_certificate_by_lua` and `ssl_certificate_by_lua_file` to allow using Lua to dynamically serve SSL certificates and keys for downstream SSL handshake. (already done in CloudFlare's private branch and powering CloudFlare's SSL gateway of its global network. expected to be opensourced in March 2015.) * shm: implement a "shared queue API" to complement the existing [shared dict](#lua_shared_dict) API. * cosocket: add support in the context of [init_by_lua*](#init_by_lua). * cosocket: implement the `bind()` method for stream-typed cosockets. diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki index 2adc9702e0..38117c54ad 100644 --- a/doc/HttpLuaModule.wiki +++ b/doc/HttpLuaModule.wiki @@ -696,7 +696,6 @@ phases. } } -* ssl: implement directives ssl_certificate_by_lua and ssl_certificate_by_lua_file to allow using Lua to dynamically serve SSL certificates and keys for downstream SSL handshake. (already done in CloudFlare's private branch and powering CloudFlare's SSL gateway of its global network. expected to be opensourced in March 2015.) * shm: implement a "shared queue API" to complement the existing [[#lua_shared_dict|shared dict]] API. * cosocket: add support in the context of [[#init_by_lua|init_by_lua*]]. * cosocket: implement the bind() method for stream-typed cosockets. From 3ab6105647ac432b50dd82b13a518e6be75957b9 Mon Sep 17 00:00:00 2001 From: "Yichun Zhang (agentzh)" Date: Sun, 3 Jan 2016 15:39:34 -0800 Subject: [PATCH 52/56] doc: fixed links for ssl_certificate_by_lua*. --- README.markdown | 7 ++++--- doc/HttpLuaModule.wiki | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README.markdown b/README.markdown index 1883f9e60b..cf3ddae1d5 100644 --- a/README.markdown +++ b/README.markdown 
@@ -2339,18 +2339,19 @@ SSL (https) connections. It is particularly useful for setting the SSL certificate chain and the corresponding private key on a per-request basis. It is also useful to load such handshake configurations nonblockingly from the remote (for example, -with the [#ngx.socket.tcp](http://wiki.nginx.org/cosocket) API). And one can also do per-request OCSP stapling handling in pure +with the [cosocket](#ngxsockettcp) API). And one can also do per-request OCSP stapling handling in pure Lua here as well. Another typical use case is to do SSL handshake traffic control nonblockingly in this context, -with the help of the [lua-resty-limit-traffic](https://github.com/openresty/lua-resty-limit-traffic) library, for example. +with the help of the [lua-resty-limit-traffic#readme](https://github.com/openresty/lua-resty-limit-traffic) +library, for example. One can also do interesting things with the SSL handshake requests from the client side, like rejecting old SSL clients using the SSLv3 protocol or even below selectively. The [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md) and [ngx.ocsp](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md) Lua modules -provided by the [lua-resty-core](https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2) +provided by the [lua-resty-core](https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2#readme) library are particularly useful in this context. You can use the Lua API offered by these two Lua modules to manipulate the SSL certificate chain and private key for the current SSL connection being initiated. diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki index 38117c54ad..7b3793fd9b 100644 --- a/doc/HttpLuaModule.wiki +++ b/doc/HttpLuaModule.wiki 
@@ -1960,18 +1960,19 @@ SSL (https) connections. It is particularly useful for setting the SSL certificate chain and the corresponding private key on a per-request basis. It is also useful to load such handshake configurations nonblockingly from the remote (for example,
-with the [[cosocket|#ngx.socket.tcp]] API). And one can also do per-request OCSP stapling handling in pure
+with the [[#ngx.socket.tcp|cosocket]] API). And one can also do per-request OCSP stapling handling in pure
 Lua here as well. Another typical use case is to do SSL handshake traffic control nonblockingly in this context,
-with the help of the [https://github.com/openresty/lua-resty-limit-traffic lua-resty-limit-traffic] library, for example.
+with the help of the [https://github.com/openresty/lua-resty-limit-traffic lua-resty-limit-traffic#readme]
+library, for example.
 One can also do interesting things with the SSL handshake requests from the client side, like rejecting old SSL clients using the SSLv3 protocol or even below selectively. The [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md ngx.ssl] and [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ocsp.md ngx.ocsp] Lua modules
-provided by the [https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2 lua-resty-core]
+provided by the [https://github.com/openresty/lua-resty-core/tree/ssl-cert-by-lua-2#readme lua-resty-core]
 library are particularly useful in this context. You can use the Lua API offered by these two Lua modules to manipulate the SSL certificate chain and private key for the current SSL connection being initiated.
From f8200c441f6bbceb6ddd1220c5c099e72a70c107 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sun, 3 Jan 2016 15:53:17 -0800
Subject: [PATCH 53/56] doc: mentioned ngx.ssl and ngx.ocsp in the Lua API section.
---
 README.markdown | 42 ++++++++++++++++++++++++++++++++++++++++++
 doc/HttpLuaModule.wiki | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
diff --git a/README.markdown b/README.markdown
index cf3ddae1d5..9c45f72d82 100644
--- a/README.markdown
+++ b/README.markdown
@@ -2940,6 +2940,8 @@ Nginx API for Lua
 * [ngx.worker.id](#ngxworkerid)
 * [ngx.semaphore](#ngxsemaphore)
 * [ngx.balancer](#ngxbalancer)
+* [ngx.ssl](#ngxssl)
+* [ngx.ocsp](#ngxocsp)
 * [ndk.set_var.DIRECTIVE](#ndkset_vardirective)
 * [coroutine.create](#coroutinecreate)
 * [coroutine.resume](#coroutineresume)
@@ -7407,6 +7409,46 @@ This feature requires at least ngx_lua `v0.10.0`.
 [Back to TOC](#nginx-api-for-lua)
+ngx.ssl
+-------
+**syntax:** *local ssl = require "ngx.ssl"*
+
+This Lua module provides API functions to control the SSL handshake process in contexts like
+[ssl_certificate_by_lua*](https://github.com/openresty/lua-nginx-module/tree/ssl-cert-by-lua-2/#ssl_certificate_by_lua_block).
+
+This Lua module does not ship with this ngx_lua module itself rather it is shipped with
+the
+[lua-resty-core](https://github.com/openresty/lua-resty-core) library.
+
+Please refer to the [documentation](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md)
+for this `ngx.ssl` Lua module for more details.
+
+This feature requires at least ngx_lua `v0.10.0`.
+
+[Back to TOC](#nginx-api-for-lua)
+
+ngx.ocsp
+--------
+**syntax:** *local ocsp = require "ngx.ocsp"*
+
+This Lua module provides API to perform OCSP queries, OCSP response validations, and
+OCSP stapling planting.
+
+Usually, this module is used together with the [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md)
+module in the
+context of [ssl_certificate_by_lua*](https://github.com/openresty/lua-nginx-module/tree/ssl-cert-by-lua-2/#ssl_certificate_by_lua_block).
+
+This Lua module does not ship with this ngx_lua module itself rather it is shipped with
+the
+[lua-resty-core](https://github.com/openresty/lua-resty-core) library.
+
+Please refer to the [documentation](https://github.com/openresty/lua-resty-core/blob/ocsp-cert-by-lua-2/lib/ngx/ocsp.md)
+for this `ngx.ocsp` Lua module for more details.
+
+This feature requires at least ngx_lua `v0.10.0`.
+
+[Back to TOC](#nginx-api-for-lua)
+
 ndk.set_var.DIRECTIVE
 ---------------------
 **syntax:** *res = ndk.set_var.DIRECTIVE_NAME*
diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki
index 7b3793fd9b..caf017919a 100644
--- a/doc/HttpLuaModule.wiki
+++ b/doc/HttpLuaModule.wiki
@@ -6273,6 +6273,40 @@ for more details.
 This feature requires at least ngx_lua v0.10.0.
+== ngx.ssl ==
+'''syntax:''' ''local ssl = require "ngx.ssl"''
+
+This Lua module provides API functions to control the SSL handshake process in contexts like
+[ssl_certificate_by_lua*](https://github.com/openresty/lua-nginx-module/tree/ssl-cert-by-lua-2/#ssl_certificate_by_lua_block).
+
+This Lua module does not ship with this ngx_lua module itself rather it is shipped with
+the
+[https://github.com/openresty/lua-resty-core lua-resty-core] library.
+
+Please refer to the [https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md documentation]
+for this ngx.ssl Lua module for more details.
+
+This feature requires at least ngx_lua v0.10.0.
+
+== ngx.ocsp ==
+'''syntax:''' ''local ocsp = require "ngx.ocsp"''
+
+This Lua module provides API to perform OCSP queries, OCSP response validations, and
+OCSP stapling planting.
+
+Usually, this module is used together with the [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/ssl-cert-by-lua-2/lib/ngx/ssl.md)
+module in the
+context of [ssl_certificate_by_lua*](https://github.com/openresty/lua-nginx-module/tree/ssl-cert-by-lua-2/#ssl_certificate_by_lua_block).
+
+This Lua module does not ship with this ngx_lua module itself rather it is shipped with
+the
+[https://github.com/openresty/lua-resty-core lua-resty-core] library.
+
+Please refer to the [https://github.com/openresty/lua-resty-core/blob/ocsp-cert-by-lua-2/lib/ngx/ocsp.md documentation]
+for this ngx.ocsp Lua module for more details.
+
+This feature requires at least ngx_lua v0.10.0.
+
 == ndk.set_var.DIRECTIVE ==
 '''syntax:''' ''res = ndk.set_var.DIRECTIVE_NAME''
From 76a4fa966e32494ae3d40d077ac667f8e094c1c7 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sun, 3 Jan 2016 16:08:56 -0800
Subject: [PATCH 54/56] doc: documented the optional "send_status_req" argument of sslhandshake().
---
 README.markdown | 5 ++++-
 doc/HttpLuaModule.wiki | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/README.markdown b/README.markdown
index 9c45f72d82..42ba548871 100644
--- a/README.markdown
+++ b/README.markdown
@@ -6440,7 +6440,7 @@ This method was first introduced in the `v0.5.0rc1` release.
 tcpsock:sslhandshake
 --------------------
-**syntax:** *session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)*
+**syntax:** *session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?, send_status_req?)*
 **context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua**
@@ -6473,6 +6473,9 @@ Also, when the `ssl_verify` argument is true and the `server_name` argument is also specified, the latter will be used to validate the server name in the server certificate.
+The optional `send_status_req` argument takes a boolean that controls whether to send
+the OCSP status request in the SSL handshake request (which is for requesting OCSP stapling).
+
 For connections that have already done SSL/TLS handshake, this method returns immediately.
diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki
index caf017919a..504279bff7 100644
--- a/doc/HttpLuaModule.wiki
+++ b/doc/HttpLuaModule.wiki
@@ -5404,7 +5404,7 @@ The support for the options table argument was first introduced in the v0. This method was first introduced in the v0.5.0rc1 release.
 == tcpsock:sslhandshake ==
-'''syntax:''' ''session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)''
+'''syntax:''' ''session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?, send_status_req?)''
 '''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*''
@@ -5437,6 +5437,9 @@ Also, when the ssl_verify argument is true and the server_name argument is also specified, the latter will be used to validate the server name in the server certificate.
+The optional send_status_req argument takes a boolean that controls whether to send
+the OCSP status request in the SSL handshake request (which is for requesting OCSP stapling).
+
 For connections that have already done SSL/TLS handshake, this method returns immediately.
From ec10995742dd8e1d0a84952fffe0df0d09e527ba Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Mon, 4 Jan 2016 09:54:34 -0800
Subject: [PATCH 55/56] removed patches/nginx-ssl-cert.patch which is now obsolete.
---
 patches/nginx-ssl-cert.patch | 37 ------------------------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 patches/nginx-ssl-cert.patch
diff --git a/patches/nginx-ssl-cert.patch b/patches/nginx-ssl-cert.patch
deleted file mode 100644
index 94ffd8b756..0000000000
--- a/patches/nginx-ssl-cert.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c 2014-08-05 04:13:07.000000000 -0700
-+++ b/src/event/ngx_event_openssl.c 2014-09-12 12:17:33.034582693 -0700
-@@ -1121,6 +1121,21 @@ ngx_ssl_handshake(ngx_connection_t *c)
- return NGX_AGAIN;
- }
-
-+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
-+ c->read->handler = ngx_ssl_handshake_handler;
-+ c->write->handler = ngx_ssl_handshake_handler;
-+
-+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_AGAIN;
-+ }
-+
- err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
-
- c->ssl->no_wait_shutdown = 1;
-diff --exclude '*~' '--exclude=*.swp' -upr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
---- a/src/event/ngx_event_openssl.h 2014-08-05 04:13:07.000000000 -0700
-+++ b/src/event/ngx_event_openssl.h 2014-09-12 12:16:32.016208272 -0700
-@@ -56,6 +56,8 @@ typedef struct {
- ngx_event_handler_pt saved_read_handler;
- ngx_event_handler_pt saved_write_handler;
-
-+ void *lua_ctx; /* used by 3rd-party modules */
-+
- unsigned handshaked:1;
- unsigned renegotiation:1;
- unsigned buffer:1;
From d03fd00bd5710ad86e73b72577d1980a9a25d408 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Mon, 4 Jan 2016 11:46:02 -0800
Subject: [PATCH 56/56] bugfix: ssl.raw_server_addr: avoided using constants like AF_INET6 in the ABI, which is not portable. thanks Aapo Talvensaari for the report.
---
 src/ngx_http_lua_ssl_certby.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
index 3b1c8e2e6c..ff36550dc9 100644
--- a/src/ngx_http_lua_ssl_certby.c
+++ b/src/ngx_http_lua_ssl_certby.c
@@ -22,6 +22,13 @@
 #include "ngx_http_lua_directive.h"
+enum {
+ NGX_HTTP_LUA_ADDR_TYPE_UNIX = 0,
+ NGX_HTTP_LUA_ADDR_TYPE_INET = 1,
+ NGX_HTTP_LUA_ADDR_TYPE_INET6 = 2
+};
+
+
 static void ngx_http_lua_ssl_cert_done(void *data);
 static void ngx_http_lua_ssl_cert_aborted(void *data);
 static u_char *ngx_http_lua_log_ssl_cert_error(ngx_log_t *log, u_char *buf,
@@ -734,7 +741,7 @@ ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
 sin6 = (struct sockaddr_in6 *) c->local_sockaddr;
 *addrlen = 16;
 *addr = (char *) &sin6->sin6_addr.s6_addr;
- *addrtype = AF_INET6;
+ *addrtype = NGX_HTTP_LUA_ADDR_TYPE_INET6;
 break;
 #endif
@@ -755,7 +762,7 @@ ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
 *addrlen = ngx_strlen(saun->sun_path);
 }
- *addrtype = AF_UNIX;
+ *addrtype = NGX_HTTP_LUA_ADDR_TYPE_UNIX;
 break;
 #endif
@@ -763,7 +770,7 @@ ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr,
 sin = (struct sockaddr_in *) c->local_sockaddr;
 *addr = (char *) &sin->sin_addr.s_addr;
 *addrlen = 4;
- *addrtype = AF_INET;
+ *addrtype = NGX_HTTP_LUA_ADDR_TYPE_INET;
 break;
 }
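Review bot: The new enum in the first hunk carries no comment recording that its values are what ngx_http_lua_ffi_ssl_raw_server_addr writes into `*addrtype` for the Lua caller, so they form an FFI ABI contract with the ngx.ssl module shipped in lua-resty-core and must never be renumbered or reordered; since silently re-coupling these to the platform's AF_* values is exactly the regression this commit fixes, a line such as `/* addrtype values returned to Lua by ngx_http_lua_ffi_ssl_raw_server_addr(); part of the FFI ABI, keep in sync with ngx.ssl in lua-resty-core */` above `enum {` would make the constraint visible to the next editor. The three assignment hunks below only substitute the constants and need nothing further. The body of ngx_http_lua_ffi_ssl_raw_server_addr starts before the second hunk and, as far as the collapsed text shows, the last hunk's closing context may run past the end of this chunk.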