feat: support pass cert and priv key content (#79)

Sn0rt · web-flow · commit f66d3f8bb016 · 2023-08-28T15:56:54.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,10 +8,17 @@ on:
 
 jobs:
   build:
+    strategy:
+      matrix:
+        op_version:
+          - "1.21.4.1"
+          - "1.21.4.2"
+
     runs-on: "ubuntu-20.04"
+
     env:
+      OPENRESTY_VERSION: ${{ matrix.op_version }}
       OPENRESTY_PREFIX: "/usr/local/openresty"
-      OPENRESTY_VERSION: "1.21.4.2"
 
     steps:
       - name: Check out code
diff --git a/patch/1.21.4.1/lua-resty-core-tlshandshake.patch b/patch/1.21.4.1/lua-resty-core-tlshandshake.patch
@@ -16,10 +16,10 @@ index 3caabe2..6361a23 100644
  	$(INSTALL) lib/ngx/ssl/*.lua $(DESTDIR)$(LUA_LIB_DIR)/ngx/ssl/
  
 diff --git lib/resty/core.lua lib/resty/core.lua
-index 5472230..7d3ab16 100644
+index e92084c..fd823ce 100644
 --- lib/resty/core.lua
 +++ lib/resty/core.lua
-@@ -23,6 +23,7 @@ if subsystem == 'http' then
+@@ -25,6 +25,7 @@ if subsystem == 'http' then
  end
  
  
@@ -29,10 +29,10 @@ index 5472230..7d3ab16 100644
  
 diff --git lib/resty/core/socket/tcp.lua lib/resty/core/socket/tcp.lua
 new file mode 100644
-index 0000000..89454ad
+index 0000000..b6e009c
 --- /dev/null
 +++ lib/resty/core/socket/tcp.lua
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,305 @@
 +-- Copyright (C) by OpenResty Inc.
 +
 +
@@ -178,44 +178,65 @@ index 0000000..89454ad
 +
 +    local client_cert, client_pkey
 +
-+    local client_cert_path = options.client_cert_path
-+    local client_pkey_path = options.client_priv_key_path
-+    if client_cert_path then
-+        if not client_pkey_path then
++    if options.client_cert_path or options.client_cert then
++        if options.client_cert_path and options.client_cert then
++            error("client client_cert_path and client_cert both setting ", 2)
++        end
++
++        if not options.client_priv_key_path and not options.client_priv_key then
 +            error("client certificate supplied without corresponding " ..
-+                  "private key", 2)
++                    "private key", 2)
 +        end
 +
-+        if type(client_cert_path) ~= "string" then
-+            error("bad client_cert option type", 2)
++        if options.client_priv_key_path and options.client_priv_key then
++            error("client certificate private key supplied with " ..
++                    "client_priv_key and client_priv_key_path", 2)
 +        end
 +
-+        if type(client_pkey_path) ~= "string" then
-+            error("bad client_priv_key option type", 2)
++        if options.client_cert then
++            if type(options.client_cert) ~= "string" then
++                error("bad client_cert option type", 2)
++            end
++        else
++            if type(options.client_cert_path) ~= "string" then
++                error("bad client_cert option type", 2)
++            end
++
++            local txt, err = read_file(options.client_cert_path)
++            if not txt then
++                return nil, err
++            end
++
++            options.client_cert = txt
 +        end
 +
-+        local txt, err = read_file(client_cert_path)
-+        if not txt then
-+            return nil, err
++        if options.client_priv_key then
++            if type(options.client_priv_key) ~= "string" then
++                error("bad client_priv_key option type", 2)
++            end
++        else
++            if type(options.client_priv_key_path) ~= "string" then
++                error("bad client_priv_key_path option type", 2)
++            end
++
++            local txt, err = read_file(options.client_priv_key_path)
++            if not txt then
++                return nil, err
++            end
++
++            options.client_priv_key = txt
 +        end
 +
-+        local cert, err = ssl.parse_pem_cert(txt)
++        local cert, err = ssl.parse_pem_cert(options.client_cert)
 +        if not cert then
 +            return nil, err
 +        end
-+
 +        client_cert = cert
 +
-+        local txt, err = read_file(client_pkey_path)
-+        if not txt then
-+            return nil, err
-+        end
-+
-+        local pkey, err = ssl.parse_pem_priv_key(txt)
++        local pkey, err = ssl.parse_pem_priv_key(options.client_priv_key)
 +        if not pkey then
 +            return nil, err
 +        end
-+
 +        client_pkey = pkey
 +    end
 +
diff --git a/patch/1.21.4/lua-resty-core-tlshandshake.patch b/patch/1.21.4/lua-resty-core-tlshandshake.patch
@@ -16,10 +16,10 @@ index 3caabe2..6361a23 100644
  	$(INSTALL) lib/ngx/ssl/*.lua $(DESTDIR)$(LUA_LIB_DIR)/ngx/ssl/
  
 diff --git lib/resty/core.lua lib/resty/core.lua
-index 5472230..7d3ab16 100644
+index e92084c..fd823ce 100644
 --- lib/resty/core.lua
 +++ lib/resty/core.lua
-@@ -23,6 +23,7 @@ if subsystem == 'http' then
+@@ -25,6 +25,7 @@ if subsystem == 'http' then
  end
  
  
@@ -29,10 +29,10 @@ index 5472230..7d3ab16 100644
  
 diff --git lib/resty/core/socket/tcp.lua lib/resty/core/socket/tcp.lua
 new file mode 100644
-index 0000000..89454ad
+index 0000000..f66f51f
 --- /dev/null
 +++ lib/resty/core/socket/tcp.lua
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,305 @@
 +-- Copyright (C) by OpenResty Inc.
 +
 +
@@ -178,44 +178,65 @@ index 0000000..89454ad
 +
 +    local client_cert, client_pkey
 +
-+    local client_cert_path = options.client_cert_path
-+    local client_pkey_path = options.client_priv_key_path
-+    if client_cert_path then
-+        if not client_pkey_path then
++    if options.client_cert_path or options.client_cert then
++        if options.client_cert_path and options.client_cert then
++            error("client client_cert_path and client_cert both setting ", 2)
++        end
++
++        if not options.client_priv_key_path and not options.client_priv_key then
 +            error("client certificate supplied without corresponding " ..
-+                  "private key", 2)
++                    "private key", 2)
 +        end
 +
-+        if type(client_cert_path) ~= "string" then
-+            error("bad client_cert option type", 2)
++        if options.client_priv_key_path and options.client_priv_key then
++            error("client certificate private key supplied with " ..
++                    "client_priv_key and client_priv_key_path", 2)
 +        end
 +
-+        if type(client_pkey_path) ~= "string" then
-+            error("bad client_priv_key option type", 2)
++        if options.client_cert then
++            if type(options.client_cert) ~= "string" then
++                error("bad client_cert option type", 2)
++            end
++        else
++            if type(options.client_cert_path) ~= "string" then
++                error("bad client_cert option type", 2)
++            end
++
++            local txt, err = read_file(options.client_cert_path)
++            if not txt then
++                return nil, err
++            end
++
++            options.client_cert = txt
 +        end
 +
-+        local txt, err = read_file(client_cert_path)
-+        if not txt then
-+            return nil, err
++        if options.client_priv_key then
++            if type(options.client_priv_key) ~= "string" then
++                error("bad client_priv_key option type", 2)
++            end
++        else
++            if type(options.client_priv_key_path) ~= "string" then
++                error("bad client_priv_key_path option type", 2)
++            end
++
++            local txt, err = read_file(options.client_priv_key_path)
++            if not txt then
++                return nil, err
++            end
++
++            options.client_priv_key = txt
 +        end
 +
-+        local cert, err = ssl.parse_pem_cert(txt)
++        local cert, err = ssl.parse_pem_cert(options.client_cert)
 +        if not cert then
 +            return nil, err
 +        end
-+
 +        client_cert = cert
 +
-+        local txt, err = read_file(client_pkey_path)
-+        if not txt then
-+            return nil, err
-+        end
-+
-+        local pkey, err = ssl.parse_pem_priv_key(txt)
++        local pkey, err = ssl.parse_pem_priv_key(options.client_priv_key)
 +        if not pkey then
 +            return nil, err
 +        end
-+
 +        client_pkey = pkey
 +    end
 +
diff --git a/t/cosocket_mtls.t b/t/cosocket_mtls.t
@@ -51,3 +51,74 @@ __DATA__
 closed
 --- error_log
 [error]
+
+
+
+=== TEST 2: avoid using stale openssl error code with cert content
+--- config
+    location /t {
+        access_by_lua_block {
+            local sock = ngx.socket.tcp()
+            sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            for i = 1, 2 do
+                local ok, err = sock:tlshandshake({
+                    verify = true,
+                    client_cert = [[-----BEGIN CERTIFICATE-----
+MIIDOjCCAiICAwD6zzANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJjbjESMBAG
+A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx
+DDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0yMDA2MjAx
+MzE1MDBaFw0zMDA3MDgxMzE1MDBaMF0xCzAJBgNVBAYTAmNuMRIwEAYDVQQIDAlH
+dWFuZ0RvbmcxDTALBgNVBAoMBGFwaTcxDzANBgNVBAcMBlpodUhhaTEaMBgGA1UE
+AwwRY2xpZW50LmFwaXNpeC5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCfKI8uiEH/ifZikSnRa3/E2B4ohVWRwjo/IxyDEWomgR4tLk1pSJhP/4SC
+LWuMQTFWTbSqt1IFYy4ZbVSHHyGoNPmJGrHRJCGE+sgpfzn0GjV4lXQPJD0k6GR1
+CX2Mo1TWdFqSJ/Hc5AQwcQFnPfoLAwsBy4yqrlmf96ZAUytl/7Zkjf4P7mJkJHtM
+/WgSR0pGhjZTAGRf5DJWoO51ki3i3JI+15mOhmnnCpnksnGVPfl92q92Hz/4v3iq
+E+UThPYRpcGbnddzMvPaCXiavg8B/u2LVbn4l0adamqQGepOAjD/1xraOVP2W22W
+0PztDXJ4rLe+capNS4oGuSUfkIENAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHKn
+HxUhuk/nL2Sg5UB84OoJe5XPgNBvVMKN0c/NAPKVIPninvUcG/mHeKexPzE0sMga
+RNos75N2199EXydqUcsJ8jL0cNtQ2k5JQXXg0ntNC4tuCgIKAOnO879y5hSG36e5
+7wmAoVKnabgjej09zG1kkXvAmpgqoxeVCu7h7fK+AurLbsGCTaHoA5pG1tcHDxJQ
+fpVcbBfwQDSBW3SQjiRqX453/01nw6kbOeLKYraJysaG8ZU2K8+WpW6JDubciHjw
+fQnpU2U16XKivhxeuKYrV/INL0sxj/fZraNYErvJWzh5llvIdNLmeSPmvb50JUIs
++lDqn1MobTXzDpuCFXA=
+-----END CERTIFICATE-----]],
+                    client_priv_key = [[-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAnyiPLohB/4n2YpEp0Wt/xNgeKIVVkcI6PyMcgxFqJoEeLS5N
+aUiYT/+Egi1rjEExVk20qrdSBWMuGW1Uhx8hqDT5iRqx0SQhhPrIKX859Bo1eJV0
+DyQ9JOhkdQl9jKNU1nRakifx3OQEMHEBZz36CwMLAcuMqq5Zn/emQFMrZf+2ZI3+
+D+5iZCR7TP1oEkdKRoY2UwBkX+QyVqDudZIt4tySPteZjoZp5wqZ5LJxlT35fdqv
+dh8/+L94qhPlE4T2EaXBm53XczLz2gl4mr4PAf7ti1W5+JdGnWpqkBnqTgIw/9ca
+2jlT9lttltD87Q1yeKy3vnGqTUuKBrklH5CBDQIDAQABAoIBAHDe5bPdQ9jCcW3z
+fpGax/DER5b6//UvpfkSoGy/E+Wcmdb2yEVLC2FoVwOuzF+Z+DA5SU/sVAmoDZBQ
+vapZxJeygejeeo5ULkVNSFhNdr8LOzJ54uW+EHK1MFDj2xq61jaEK5sNIvRA7Eui
+SJl8FXBrxwmN3gNJRBwzF770fImHUfZt0YU3rWKw5Qin7QnlUzW2KPUltnSEq/xB
+kIzyWpuj7iAm9wTjH9Vy06sWCmxj1lzTTXlanjPb1jOTaOhbQMpyaAzRgQN8PZiE
+YKCarzVj7BJr7/vZYpnQtQDY12UL5n33BEqMP0VNHVqv+ZO3bktfvlwBru5ZJ7Cf
+URLsSc0CgYEAyz7FzV7cZYgjfUFD67MIS1HtVk7SX0UiYCsrGy8zA19tkhe3XVpc
+CZSwkjzjdEk0zEwiNAtawrDlR1m2kverbhhCHqXUOHwEpujMBjeJCNUVEh3OABr8
+vf2WJ6D1IRh8FA5CYLZP7aZ41fcxAnvIPAEThemLQL3C4H5H5NG2WFsCgYEAyHhP
+onpS/Eo/OXKYFLR/mvjizRVSomz1lVVL+GWMUYQsmgsPyBJgyAOX3Pqt9catgxhM
+DbEr7EWTxth3YeVzamiJPNVK0HvCax9gQ0KkOmtbrfN54zBHOJ+ieYhsieZLMgjx
+iu7Ieo6LDGV39HkvekzutZpypiCpKlMaFlCFiLcCgYEAmAgRsEj4Nh665VPvuZzH
+ZIgZMAlwBgHR7/v6l7AbybcVYEXLTNJtrGEEH6/aOL8V9ogwwZuIvb/TEidCkfcf
+zg/pTcGf2My0MiJLk47xO6EgzNdso9mMG5ZYPraBBsuo7NupvWxCp7NyCiOJDqGH
+K5NmhjInjzsjTghIQRq5+qcCgYEAxnm/NjjvslL8F69p/I3cDJ2/RpaG0sMXvbrO
+VWaMryQyWGz9OfNgGIbeMu2Jj90dar6ChcfUmb8lGOi2AZl/VGmc/jqaMKFnElHl
+J5JyMFicUzPMiG8DBH+gB71W4Iy+BBKwugHBQP2hkytewQ++PtKuP+RjADEz6vCN
+0mv0WS8CgYBnbMRP8wIOLJPRMw/iL9BdMf606X4xbmNn9HWVp2mH9D3D51kDFvls
+7y2vEaYkFv3XoYgVN9ZHDUbM/YTUozKjcAcvz0syLQb8wRwKeo+XSmo09+360r18
+zRugoE7bPl39WdGWaW3td0qf1r9z3sE2iWUTJPRQ3DYpsLOYIgyKmw==
+-----END RSA PRIVATE KEY-----]],
+                })
+                if not ok then
+                    ngx.say(err)
+                end
+            end
+        }
+    }
+--- response_body
+20: unable to get local issuer certificate
+closed
+--- error_log
+[error]
diff --git a/t/ssl.t b/t/ssl.t
