Squashed 'src/deps/src/lua-resty-openssl/' changes from 79b9c2f78..643956d99

643956d99 release: 1.3.1
ad18b3c18 fix(aux/nginx) fix the typo of get_socket_ssl in the stream module
232352676 fix(aux/nginx) remove extra sanity test that prevent usage of lua-kong-nginx-module
195a8b7b4 Update tests.yml
eb0069a7d tests(ci) add more versions to test lua-kong-nginx-module
9d34ff8fd fix(aux/jwk) remove ecx.d if exporting as public key

git-subtree-dir: src/deps/src/lua-resty-openssl
git-subtree-split: 643956d990b3ef4d9b52d0b77ba4d69d7e912dcc
Théophile Diot 2024-04-23 12:15:14 +02:00
parent c0515d7989
commit 2d8549ef17
8 changed files with 108 additions and 98 deletions


@ -1,13 +1,17 @@
name: Lint
on:
push:
pull_request:
paths:
- lib/**.lua
pull_request:
push:
branches:
- master
- release/*
paths:
- lib/**.lua
jobs:
tests:
name: Lint


@ -50,14 +50,14 @@ jobs:
- nginx: "1.25.3"
openssl: "3.0.13"
openssl_fips: "3.0.8"
extras: "valgrind perf"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "3.1.5"
openssl_fips: "3.0.8"
extras: "valgrind perf"
extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"


@ -2,6 +2,14 @@
## [Unreleased]
<a name="1.3.1"></a>
## [1.3.1] - 2024-04-22
### bug fixes
- **aux/jwk:** remove ecx.d if exporting as public key [9d34ff8](https://github.com/fffonion/lua-resty-openssl/commit/9d34ff8fd79debbcf155f74af0b161083b6a8385)
- **aux/nginx:** fix the typo of get_socket_ssl in the stream module [0aa315e](https://github.com/fffonion/lua-resty-openssl/commit/0aa315efe3d98d38d8d77dedf687958b62d8b184)
- **aux/nginx:** remove extra sanity test that prevent usage of lua-kong-nginx-module [7bd2d0a](https://github.com/fffonion/lua-resty-openssl/commit/7bd2d0aabe82219071fe9fd1b30e49ff88bd5472)
<a name="1.3.0"></a>
## [1.3.0] - 2024-04-15
### features
@ -583,7 +591,8 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...HEAD
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.1...HEAD
[1.3.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...1.3.1
[1.3.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...1.3.0
[1.2.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.0...1.2.1
[1.2.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.1.0...1.2.0


@ -24,7 +24,7 @@ try_require_modules()
local _M = {
_VERSION = '1.3.0',
_VERSION = '1.3.1',
}
function _M.load_modules()


@ -245,9 +245,11 @@ function _M.dump_jwk(pkey, is_priv)
jwk = {
kty = "OKP",
crv = ecx_curves_reverse[pkey.key_type],
d = encode_base64url(params.private),
x = encode_base64url(params.public),
}
if is_priv then
jwk.d = encode_base64url(params.private)
end
else
return nil, "jwk.dump_jwk: not implemented for this key type"
end
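Review bot: The `if is_priv then` guard in the OKP branch is the only thing keeping the private scalar `d` out of a public-key export, and nothing at that spot says so. I would add a comment above it, `-- "d" is the private key; emit it only when the caller asked for a private JWK`, so a later tidy-up of the table literal does not fold it back in. The guard tests truthiness, so any non-nil, non-false `is_priv` includes `d`; whether callers always pass a strict boolean is not visible here, because dump_jwk starts and ends outside the hunk. The changelog files this under ordinary bug fixes, yet the earlier code set `d` unconditionally, so public JWKs already exported from OKP keys would have carried private key material; saying that explicitly in the entry would tell users to check and rotate any such keys.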


@ -56,14 +56,12 @@ if ngx.config.subsystem == "stream" then
void **ssl_conn);
]]
-- sanity test
local _ = C.ngx_stream_lua_resty_openssl_aux_get_request_ssl
local success
if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then
success, get_sock_ssl = pcall(function() return C.ngx_stream_lua_kong_get_socket_ssl end)
end
if not success or get_sock_ssl == nil then
get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl_ctx
get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl
end
else
@ -87,8 +85,6 @@ else
void **ssl_conn);
]]
-- sanity test
local _ = C.ngx_http_lua_resty_openssl_aux_get_request_ssl
local success
if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then
success, get_sock_ssl = pcall(function() return C.ngx_http_lua_kong_ffi_get_socket_ssl end)
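Review bot: The corrected fallback `get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl` in the stream branch is a bare FFI symbol lookup outside any pcall, unlike the Kong lookup just above it. If neither module is compiled in, this presumably fails at load with a raw FFI error; wrapping it in `pcall` and raising a message that names the missing nginx module would make that easier to diagnose. With both `-- sanity test` lookups of `..._aux_get_request_ssl` removed, a build missing that symbol is, as far as these hunks show, only detected when the function is first used. The `_ctx` typo suggests the stream fallback path has no test coverage; a stream-subsystem case run with `CI_SKIP_KONG_SSL_FUNCS` set would catch a regression. Both if/else blocks continue outside the hunks.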


@ -1,8 +1,8 @@
package = "lua-resty-openssl"
version = "1.3.0-1"
version = "1.3.1-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
tag = "1.3.0"
tag = "1.3.1"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",


@ -9,12 +9,13 @@ my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
@ -39,18 +40,10 @@ __DATA__
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
}))
-- errors
local _, err = require("resty.openssl.pkey").new('asdasd', {
@ -71,22 +64,10 @@ __DATA__
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
e = "AQAB",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
local s, err = pubkey:encrypt("23333")
if err then
ngx.log(ngx.ERR, err)
return
end
local s, err = privkey:decrypt(s)
if err then
ngx.log(ngx.ERR, err)
return
end
local s = myassert(pubkey:encrypt("23333"))
local s = myassert(privkey:decrypt(s))
ngx.say(s)
}
}
@ -112,18 +93,10 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
}))
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@ -142,24 +115,12 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
local d = require("resty.openssl.digest").new("sha256")
d:update("23333")
local s, err = privkey:sign(d)
if err then
ngx.log(ngx.ERR, err)
return
end
local ok, err = pubkey:verify(s, d)
if err then
ngx.log(ngx.ERR, err)
return
end
local s = myassert(privkey:sign(d))
local ok = myassert(pubkey:verify(s, d))
ngx.say(ok)
}
}
@ -183,18 +144,10 @@ true
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
}))
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@ -211,11 +164,7 @@ true
crv = "Ed25519",
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
}
}
@ -232,23 +181,11 @@ true
--- config
location =/t {
content_by_lua_block {
local privkey, err = require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'})
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey = myassert(require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'}))
local pem, err = privkey:tostring("public")
if err then
ngx.log(ngx.ERR, err)
return
end
local pem = myassert(privkey:tostring("public"))
local pubkey, err = require("resty.openssl.pkey").new(pem)
if err then
ngx.log(ngx.ERR, err)
return
end
local pubkey = myassert(require("resty.openssl.pkey").new(pem))
local _, err = pubkey:tostring("private", "JWK")
ngx.say(err)
@ -261,3 +198,65 @@ true
'
--- no_error_log
[error]
=== TEST 5: Dump pubkey from privkey doesn't contain private part
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local jwk = require("cjson").encode({
kty = "RSA",
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
e = "AQAB",
d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
})
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
for k, _ in pairs(jwk) do
if k ~= "kty" and k ~= "kid" and k ~= "n" and k ~="e" then
ngx.say("RSA JWK pubkey contains private part: " .. k)
end
end
local jwk = require("cjson").encode({
kty = "EC",
crv = "P-256",
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
})
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
for k, _ in pairs(jwk) do
if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" and k ~="y" then
ngx.say("EC JWK pubkey contains private part: " .. k)
end
end
local jwk = require("cjson").encode({
kty = "OKP",
crv = "Ed25519",
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
})
local privkey = myassert(require("resty.openssl.pkey").new(jwk))
local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
for k, _ in pairs(jwk) do
if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" then
ngx.say("ECX JWK pubkey contains private part: " .. k)
end
end
}
}
--- request
GET /t
--- response_body eval
''
--- no_error_log
[error]
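Review bot: TEST 5 only checks that no unexpected member appears in the exported JWK, so it still passes if `tostring("public", "JWK")` returns an object with the public members missing. Adding a presence check per key type, e.g. `if not jwk.x then ngx.say("ECX JWK pubkey missing x") end`, would pin both halves of the contract. The three loops also redeclare `local jwk` and `local privkey` for each key type, shadowing the earlier locals; distinct names such as `rsa_jwk`, `ec_jwk` and `okp_jwk` would read more clearly. `_G.myassert` is installed as a global in `init_by_lua_block`; a short comment there noting that it comes from `helper` under `t/openssl/` would help readers of the test bodies.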