add test case and add mtls crt

openresty · Jul 9, 2024 · 10a9005 · 10a9005
1 parent e4defda
commit 10a9005
Show file tree

Hide file tree

Showing 13 changed files with 581 additions and 5 deletions.
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
@@ -10,7 +10,7 @@ my $openssl_version = eval { `$NginxBinary -V 2>&1` };
 if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) {
     plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1");
 } else {
-    plan tests => repeat_each() * (blocks() * 5 + 1);
+    plan tests => repeat_each() * (blocks() * 5 - 1);
 }
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
@@ -67,7 +67,7 @@ ffi.cdef[[
 
     void ngx_stream_lua_ffi_free_priv_key(void *cdata);
 
-    int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
+    int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, void *cdata, int depth, char **err);
 
     int ngx_stream_lua_ffi_ssl_client_random(ngx_stream_lua_request_t *r,
         unsigned char *out, size_t *outlen, char **err);
@@ -722,7 +722,7 @@ lua ssl server name: "test.com"
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, -1, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, nil, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))
@@ -778,7 +778,7 @@ client certificate subject: [email protected],CN=test.com
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, nil, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))
@@ -843,7 +843,7 @@ client certificate subject: [email protected],CN=test.com
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, 1, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, nil, 1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))
@@ -1236,3 +1236,139 @@ lua ssl server name: "test.com"
 --- no_error_log
 [error]
 [alert]
+
+
+=== TEST 12: verify client, but server don't trust root ca
+--- stream_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        ssl_certificate_by_lua_block {
+            collectgarbage()
+
+            local ffi = require "ffi"
+            require "defines"
+
+            local errmsg = ffi.new("char *[1]")
+
+            local r = require "resty.core.base" .get_request()
+            if not r then
+                ngx.log(ngx.ERR, "no request found")
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_server.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local client_certs = ffi.C.ngx_stream_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_certs then
+                ngx.log(ngx.ERR, "failed to parse PEM client certs: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, client_certs, nil, 1, errmsg)
+            if rc ~= 0 then
+                ngx.log(ngx.ERR, "failed to set cdata cert: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            ffi.C.ngx_stream_lua_ffi_free_cert(client_certs)
+        }
+
+        content_by_lua_block {
+            ngx.say(ngx.var.ssl_client_verify)
+        }
+    }
+--- stream_server_config
+    proxy_pass                  unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+    proxy_ssl                   on;
+    proxy_ssl_certificate       ../../cert/mtls_client.crt;
+    proxy_ssl_certificate_key   ../../cert/mtls_client.key;
+    proxy_ssl_session_reuse     off;
+
+--- stream_response
+FAILED:unable to verify the first certificate
+
+--- no_error_log
+[error]
+[alert]
+
+
+=== TEST 12: verify client and server trust root ca
+--- stream_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        ssl_certificate_by_lua_block {
+            collectgarbage()
+
+            local ffi = require "ffi"
+            require "defines"
+
+            local errmsg = ffi.new("char *[1]")
+
+            local r = require "resty.core.base" .get_request()
+            if not r then
+                ngx.log(ngx.ERR, "no request found")
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_server.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local client_certs = ffi.C.ngx_stream_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_certs then
+                ngx.log(ngx.ERR, "failed to parse PEM client certs: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_ca.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local trusted_certs = ffi.C.ngx_stream_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not trusted_certs then
+                ngx.log(ngx.ERR, "failed to parse PEM trusted certs: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, client_certs, trusted_certs, 1, errmsg)
+            if rc ~= 0 then
+                ngx.log(ngx.ERR, "failed to set cdata cert: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            ffi.C.ngx_stream_lua_ffi_free_cert(client_certs)
+            ffi.C.ngx_stream_lua_ffi_free_cert(trusted_certs)
+        }
+
+        content_by_lua_block {
+            ngx.say(ngx.var.ssl_client_verify)
+        }
+    }
+--- stream_server_config
+    proxy_pass                  unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+    proxy_ssl                   on;
+    proxy_ssl_certificate       ../../cert/mtls_client.crt;
+    proxy_ssl_certificate_key   ../../cert/mtls_client.key;
+    proxy_ssl_session_reuse     off;
+
+--- stream_response
+SUCCESS
+
+--- no_error_log
+[error]
+[alert]
diff --git a/t/cert/mtls_ca.crt b/t/cert/mtls_ca.crt
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            32:ed:21:56:d8:4e:aa:03:89:a9:4a:a4:e2:85:2d:8a:3b:2b:89:22
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = California, O = OpenResty, CN = OpenResty Testing Root CA
+        Validity
+            Not Before: Mar 13 15:49:00 2022 GMT
+            Not After : Mar  8 15:49:00 2042 GMT
+        Subject: C = US, ST = California, O = OpenResty, CN = OpenResty Testing Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:e6:37:d2:c6:17:36:c7:b2:7f:7d:cf:d0:62:87:
+                    99:d9:21:b8:de:ff:d8:e2:3a:1c:68:90:8f:ce:17:
+                    68:22:b0:60:30:cc:29:e8:34:ee:ff:b2:25:de:6e:
+                    1a:d4:df:10:19:11:4b:40:61:d3:a9:4d:80:ed:97:
+                    81:4e:c5:74:e8:4d:63:e3:5f:21:bc:5a:6e:22:a0:
+                    17:91:c1:cb:25:53:9b:9d:4e:e1:51:5b:f6:52:e7:
+                    0a:27:f6:16:c2:31:cb:6c:47:f4:89:51:15:cc:06:
+                    be:31:3e:1c:ea:ee:81:9b:c4:97:96:fd:e5:1c:95:
+                    9e:c0:65:cd:a9:9a:cb:68:67:f2:62:a0:21:eb:5a:
+                    c5:a1:92:ed:32:41:28:f9:47:34:eb:44:ae:d6:e7:
+                    76:71:11:98:c9:2e:ce:6c:7c:10:1b:c7:4c:c3:14:
+                    89:4e:d9:4c:d9:c7:43:e9:3c:29:ca:62:a9:91:b3:
+                    87:e7:d7:b4:18:ab:65:f9:6b:ed:82:ca:a1:36:35:
+                    18:05:cb:5c:24:26:13:13:f8:99:ac:99:be:9b:a6:
+                    73:df:0d:16:95:b1:dc:be:fe:7a:c2:b6:dc:c8:93:
+                    cf:10:e0:29:03:0e:28:78:18:84:ee:14:92:ab:be:
+                    5a:a0:14:a2:4a:2f:d3:d0:b8:0e:00:d2:5a:cd:e4:
+                    bd:a1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                F0:D7:4B:14:73:E1:67:00:6B:54:B4:19:20:76:12:9F:9D:8E:C8:09
+    Signature Algorithm: sha256WithRSAEncryption
+         6d:52:21:6d:6e:8c:e5:4a:28:07:65:6d:d8:7c:23:2e:c6:c1:
+         d0:ec:27:b3:b0:c3:d3:e8:fa:72:b9:de:32:4e:ff:97:8d:86:
+         a9:6d:b3:a9:b4:2d:77:ca:28:97:6a:3d:7b:a2:15:ed:34:dc:
+         72:9f:6f:e7:01:0c:d3:28:6a:80:1b:50:09:fd:d7:2c:d8:92:
+         d5:10:c4:73:15:20:7d:99:dc:de:30:7b:3c:6e:e9:66:b2:0e:
+         4e:1a:c1:51:57:6e:5b:b0:a9:f6:ff:0b:8f:07:67:31:40:5b:
+         11:a9:06:d3:d3:76:c5:d2:56:95:9a:9e:4a:16:44:4b:32:e5:
+         af:dd:4b:4d:5d:57:b8:85:69:36:93:2a:c6:0c:8f:e1:42:35:
+         be:8e:f3:e7:35:d3:2c:3a:03:31:40:75:8e:e8:dd:57:35:20:
+         5e:18:a9:76:ce:85:be:7e:3a:cf:6e:08:58:5b:47:d5:e9:c4:
+         ec:0e:e9:8e:3c:2d:5c:7b:59:20:5b:24:92:a0:e0:1e:a3:5a:
+         67:d8:ff:7f:a5:82:f1:df:db:05:65:79:88:b1:3c:e6:01:d1:
+         5a:c7:d2:6e:9a:e6:a2:da:4a:c7:19:78:d9:14:71:6e:1f:70:
+         f3:41:e5:b3:78:31:d5:22:0e:7c:1a:b2:43:d9:86:ff:53:ea:
+         2b:ba:d2:27
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIUMu0hVthOqgOJqUqk4oUtijsriSIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoT
+CU9wZW5SZXN0eTEiMCAGA1UEAxMZT3BlblJlc3R5IFRlc3RpbmcgUm9vdCBDQTAe
+Fw0yMjAzMTMxNTQ5MDBaFw00MjAzMDgxNTQ5MDBaMFoxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlPcGVuUmVzdHkxIjAgBgNVBAMT
+GU9wZW5SZXN0eSBUZXN0aW5nIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDmN9LGFzbHsn99z9Bih5nZIbje/9jiOhxokI/OF2gisGAwzCno
+NO7/siXebhrU3xAZEUtAYdOpTYDtl4FOxXToTWPjXyG8Wm4ioBeRwcslU5udTuFR
+W/ZS5won9hbCMctsR/SJURXMBr4xPhzq7oGbxJeW/eUclZ7AZc2pmstoZ/JioCHr
+WsWhku0yQSj5RzTrRK7W53ZxEZjJLs5sfBAbx0zDFIlO2UzZx0PpPCnKYqmRs4fn
+17QYq2X5a+2CyqE2NRgFy1wkJhMT+Jmsmb6bpnPfDRaVsdy+/nrCttzIk88Q4CkD
+Dih4GITuFJKrvlqgFKJKL9PQuA4A0lrN5L2hAgMBAAGjQjBAMA4GA1UdDwEB/wQE
+AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw10sUc+FnAGtUtBkgdhKf
+nY7ICTANBgkqhkiG9w0BAQsFAAOCAQEAbVIhbW6M5UooB2Vt2HwjLsbB0Owns7DD
+0+j6crneMk7/l42GqW2zqbQtd8ool2o9e6IV7TTccp9v5wEM0yhqgBtQCf3XLNiS
+1RDEcxUgfZnc3jB7PG7pZrIOThrBUVduW7Cp9v8LjwdnMUBbEakG09N2xdJWlZqe
+ShZESzLlr91LTV1XuIVpNpMqxgyP4UI1vo7z5zXTLDoDMUB1jujdVzUgXhipds6F
+vn46z24IWFtH1enE7A7pjjwtXHtZIFskkqDgHqNaZ9j/f6WC8d/bBWV5iLE85gHR
+WsfSbprmotpKxxl42RRxbh9w80Hls3gx1SIOfBqyQ9mG/1PqK7rSJw==
+-----END CERTIFICATE-----
diff --git a/t/cert/mtls_ca.key b/t/cert/mtls_ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA5jfSxhc2x7J/fc/QYoeZ2SG43v/Y4jocaJCPzhdoIrBgMMwp
+6DTu/7Il3m4a1N8QGRFLQGHTqU2A7ZeBTsV06E1j418hvFpuIqAXkcHLJVObnU7h
+UVv2UucKJ/YWwjHLbEf0iVEVzAa+MT4c6u6Bm8SXlv3lHJWewGXNqZrLaGfyYqAh
+61rFoZLtMkEo+Uc060Su1ud2cRGYyS7ObHwQG8dMwxSJTtlM2cdD6TwpymKpkbOH
+59e0GKtl+WvtgsqhNjUYBctcJCYTE/iZrJm+m6Zz3w0WlbHcvv56wrbcyJPPEOAp
+Aw4oeBiE7hSSq75aoBSiSi/T0LgOANJazeS9oQIDAQABAoIBAQDhH9+uNE8uUv/X
+MNvvLfklWpOlBf25o+fZ3NuzRjJgEafOsCee2fyI8FWVwIfeeE8OpFm5GLDZk1+r
+dwdM10xuSheO5Z1gyfF/TJwfvamA09SNrPArFkm3YhUNZNl2hykMtwSLL06oWEOu
+dbXjit4VS9aNIbTlEe7O5/6Ih0W3zmr1yvUua2swmAZMx3GFA4kbjZZ9vDs27sdu
+K+VY3DYRbq1HkiNFT0otfke5bObFBCG7Yp8JLyhYaIkGYFoBXuZ6JNY8EuU2+YyP
+6r40tJ7StR1Q6eZJh9/1leaYGZLCh5oFyKpilTuxHbRbr5A28RJKjKvPsdDgTtQn
+yHGg70FRAoGBAOhC3TQlFcT2WCCZHHql9JEEHnHVBWnL3Jg7VJuL1i6pEIz7qQkW
+AtBEIY/nnTcVNfJ6eXznYtutYvvRSgQTUsBNRoj3s1z9wKOo4uw4LoIUXDEmHCr+
+49DiQyIO21SNMHA+dVxvGRDDjLI9Uc+Scb64QOodoX75HLRZG++24mtdAoGBAP2/
+gCjga2p8Jx9UnhIcrEIIGANyxEQeBdhF56Nt9CJy/Iwi3a6qQ/GkbeoDm5FhXnXo
+xcBaHyv2lwi4uO/hONY8eRnYxAWMwAKMZe6VnU1hWI2Ytkh+OcMPMh7NIGQf6X1o
+JZrBtnTms060TuuDjLeIlaubDR/xDrMWTMKjKbsVAoGAVLuYAZ8J6xpIGlRhbGlA
+6OrMxJCHcgpahvsWKc0BLXKmRBjHmTX7fslsSRihZWgKj1SZH7U2fpgpxV6cFxKJ
+nPhUJEHhoKo+bjZ92tnANdqBq7iQjCsDJ8Bz52fuIlGD+1795+PsDA6bNKdkQkrV
+zlNf80kuEqmFDFJ5+6EHx00CgYAf+jkpbZa71aeMgDpnZ+uhaqm0DYuEVhBAgBa/
+9sRUbw86jc5IC7cCRcmAOzIosQ+ZZls9cV4KSUohVD4iJMzn2rkcM8AIPwOXjp/t
+4DbxoHnrZjpaimW3Gjwju5AAbjEbl7tddFoNA2HHYlurvGlIW9MYzDJsOxGyKfZE
+dRF2PQKBgQDUKNHgDYEjLJ99S5Fm5zN/64bKzzDtktGdqOxik5pBKcs/BvOdLM0i
+eCjGz/3qrEoenFIBwF/IRz3ug90Zr8bWOu6DudReflAKI/N13dZ2gOTAfaX4ljJF
+w0ohSi6xs+mu1GmtipGtNxHi/J3na2BeSnSRFSUg6Zd+oh8BZQKmNg==
+-----END RSA PRIVATE KEY-----
diff --git a/t/cert/mtls_cert_gen/.gitignore b/t/cert/mtls_cert_gen/.gitignore
@@ -0,0 +1,4 @@
+*.pem
+*.csr
+cfssl
+cfssljson
diff --git a/t/cert/mtls_cert_gen/generate.sh b/t/cert/mtls_cert_gen/generate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+rm *.pem *.csr cfssl cfssljson
+
+wget -O cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
+wget -O cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
+chmod +x cfssl cfssljson
+
+./cfssl gencert -initca -config profile.json mtls_ca.json | ./cfssljson -bare mtls_ca
+
+./cfssl gencert -ca mtls_ca.pem -ca-key mtls_ca-key.pem -config profile.json -profile=client mtls_client.json | ./cfssljson -bare mtls_client
+./cfssl gencert -ca mtls_ca.pem -ca-key mtls_ca-key.pem -config profile.json -profile=server mtls_server.json | ./cfssljson -bare mtls_server
+
+openssl x509 -in mtls_ca.pem -text > ../mtls_ca.crt
+mv mtls_ca-key.pem ../mtls_ca.key
+
+openssl x509 -in mtls_client.pem -text > ../mtls_client.crt
+mv mtls_client-key.pem ../mtls_client.key
+
+openssl x509 -in mtls_server.pem -text > ../mtls_server.crt
+mv mtls_server-key.pem ../mtls_server.key
+
+rm *.pem *.csr cfssl cfssljson
diff --git a/t/cert/mtls_cert_gen/mtls_ca.json b/t/cert/mtls_cert_gen/mtls_ca.json
@@ -0,0 +1,18 @@
+{
+  "CA": {
+    "expiry": "175200h",
+    "pathlen": 0
+  },
+  "CN": "OpenResty Testing Root CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+ ]
+}
diff --git a/t/cert/mtls_cert_gen/mtls_client.json b/t/cert/mtls_cert_gen/mtls_client.json
@@ -0,0 +1,18 @@
+{
+  "CN": "[email protected]",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+  ],
+  "hosts": [
+    "[email protected]",
+    "[email protected]"
+  ]
+}
diff --git a/t/cert/mtls_cert_gen/mtls_server.json b/t/cert/mtls_cert_gen/mtls_server.json
@@ -0,0 +1,17 @@
+{
+  "CN": "example.com",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+  ],
+  "hosts": [
+    "example.com"
+  ]
+}