diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 86f54e5cd..2d9d267aa 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,13 +1,17 @@
name: Lint
on:
- push:
+ pull_request:
paths:
- lib/**.lua
- pull_request:
+ push:
+ branches:
+ - master
+ - release/*
paths:
- lib/**.lua
+
jobs:
tests:
name: Lint
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 27529bfaf..07aac9b19 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -50,14 +50,14 @@ jobs:
- nginx: "1.25.3"
openssl: "3.0.13"
openssl_fips: "3.0.8"
- extras: "valgrind perf"
+ extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
- nginx: "1.25.3"
openssl: "3.1.5"
openssl_fips: "3.0.8"
- extras: "valgrind perf"
+ extras: "valgrind perf lua-kong-nginx-module"
lua_nginx_module: "v0.10.26"
lua_resty_core: "v0.1.28"
nginx_cc_opts: "-Wno-error"
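Review bot: The newly added `lua-kong-nginx-module` in `extras` has no version, tag or commit next to it, while every other component in these matrix entries is pinned (`nginx`, `openssl`, `lua_nginx_module`, `lua_resty_core`). How `extras` is resolved is outside this hunk, but if the build step fetches the module from a default branch, the test matrix is not reproducible and pulls in whatever is upstream at run time. Consider a pinned matrix key such as `lua_kong_nginx_module: "<pinned tag or commit>"` (placeholder) and have the build step check out that ref.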
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fae52720d..ca7c91254 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
## [Unreleased]
+
+## [1.3.1] - 2024-04-22
+### bug fixes
+- **aux/jwk:** remove ecx.d if exporting as public key [9d34ff8](https://github.com/fffonion/lua-resty-openssl/commit/9d34ff8fd79debbcf155f74af0b161083b6a8385)
+- **aux/nginx:** fix the typo of get_socket_ssl in the stream module [0aa315e](https://github.com/fffonion/lua-resty-openssl/commit/0aa315efe3d98d38d8d77dedf687958b62d8b184)
+- **aux/nginx:** remove extra sanity test that prevent usage of lua-kong-nginx-module [7bd2d0a](https://github.com/fffonion/lua-resty-openssl/commit/7bd2d0aabe82219071fe9fd1b30e49ff88bd5472)
+
+
## [1.3.0] - 2024-04-15
### features
@@ -583,7 +591,8 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
-[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...HEAD
+[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.1...HEAD
+[1.3.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...1.3.1
[1.3.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...1.3.0
[1.2.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.0...1.2.1
[1.2.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.1.0...1.2.0
diff --git a/lib/resty/openssl.lua b/lib/resty/openssl.lua
index d6f08507c..ff5507daa 100644
--- a/lib/resty/openssl.lua
+++ b/lib/resty/openssl.lua
@@ -24,7 +24,7 @@ try_require_modules()
local _M = {
- _VERSION = '1.3.0',
+ _VERSION = '1.3.1',
}
function _M.load_modules()
diff --git a/lib/resty/openssl/auxiliary/jwk.lua b/lib/resty/openssl/auxiliary/jwk.lua
index 8d81ebff3..f9bfad5b7 100644
--- a/lib/resty/openssl/auxiliary/jwk.lua
+++ b/lib/resty/openssl/auxiliary/jwk.lua
@@ -245,9 +245,11 @@ function _M.dump_jwk(pkey, is_priv)
jwk = {
kty = "OKP",
crv = ecx_curves_reverse[pkey.key_type],
- d = encode_base64url(params.private),
x = encode_base64url(params.public),
}
+ if is_priv then
+ jwk.d = encode_base64url(params.private)
+ end
else
return nil, "jwk.dump_jwk: not implemented for this key type"
end
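Review bot: The new `if is_priv then` guard in the OKP branch has no comment explaining why `d` is conditional, although this line is what keeps private key material out of a public export. I would add `-- "d" is the private key (RFC 8037); emit it only for private exports` above the guard. `params.private` comes from a table populated outside this hunk, so it is worth checking whether the private bytes are fetched at all when `is_priv` is false. Public JWK exports of OKP keys made before this change included `d`, so the release notes should tell users to treat them as private-key disclosures and rotate the keys. dump_jwk starts and ends outside the hunk.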
diff --git a/lib/resty/openssl/auxiliary/nginx_c.lua b/lib/resty/openssl/auxiliary/nginx_c.lua
index 767e89efc..e5d3b27cf 100644
--- a/lib/resty/openssl/auxiliary/nginx_c.lua
+++ b/lib/resty/openssl/auxiliary/nginx_c.lua
@@ -56,14 +56,12 @@ if ngx.config.subsystem == "stream" then
void **ssl_conn);
]]
- -- sanity test
- local _ = C.ngx_stream_lua_resty_openssl_aux_get_request_ssl
local success
if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then
success, get_sock_ssl = pcall(function() return C.ngx_stream_lua_kong_get_socket_ssl end)
end
if not success or get_sock_ssl == nil then
- get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl_ctx
+ get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl
end
else
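Review bot: The fallback lookup `C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl` runs outside `pcall`, so a build with neither lua-kong-nginx-module nor this library's own aux nginx module fails at load with a raw FFI symbol error rather than a message naming what is missing. With the sanity test removed, this line is the only place that failure surfaces. Consider `local ok, fn = pcall(function() return C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl end)` followed by `if not ok then error("no get_socket_ssl implementation found in this nginx build") end`. The same applies to the http branch in the next hunk, whose fallback assignment lies outside the visible lines. A short comment that `CI_SKIP_KONG_SSL_FUNCS` is a test-only switch read from the process environment would also help.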
@@ -87,8 +85,6 @@ else
void **ssl_conn);
]]
- -- sanity test
- local _ = C.ngx_http_lua_resty_openssl_aux_get_request_ssl
local success
if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then
success, get_sock_ssl = pcall(function() return C.ngx_http_lua_kong_ffi_get_socket_ssl end)
diff --git a/lua-resty-openssl-1.3.0-1.rockspec b/lua-resty-openssl-1.3.1-1.rockspec
similarity index 99%
rename from lua-resty-openssl-1.3.0-1.rockspec
rename to lua-resty-openssl-1.3.1-1.rockspec
index de1591350..6e2853fea 100644
--- a/lua-resty-openssl-1.3.0-1.rockspec
+++ b/lua-resty-openssl-1.3.1-1.rockspec
@@ -1,8 +1,8 @@
package = "lua-resty-openssl"
-version = "1.3.0-1"
+version = "1.3.1-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
- tag = "1.3.0"
+ tag = "1.3.1"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",
diff --git a/t/openssl/aux/jwk.t b/t/openssl/aux/jwk.t
index e0e3c209c..d8bb3828f 100644
--- a/t/openssl/aux/jwk.t
+++ b/t/openssl/aux/jwk.t
@@ -9,12 +9,13 @@ my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
- lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
+ lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
+ _G.myassert = require("helper").myassert
}
};
@@ -39,18 +40,10 @@ __DATA__
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
})
- local privkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
- local privkey, err = require("resty.openssl.pkey").new(jwk, {
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
- })
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ }))
-- errors
local _, err = require("resty.openssl.pkey").new('asdasd', {
@@ -71,22 +64,10 @@ __DATA__
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
e = "AQAB",
})
- local pubkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
- local s, err = pubkey:encrypt("23333")
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
- local s, err = privkey:decrypt(s)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local s = myassert(pubkey:encrypt("23333"))
+ local s = myassert(privkey:decrypt(s))
ngx.say(s)
}
}
@@ -112,18 +93,10 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
})
- local privkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
- local privkey, err = require("resty.openssl.pkey").new(jwk, {
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
- })
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ }))
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@@ -142,24 +115,12 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
})
- local pubkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
local d = require("resty.openssl.digest").new("sha256")
d:update("23333")
- local s, err = privkey:sign(d)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
- local ok, err = pubkey:verify(s, d)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local s = myassert(privkey:sign(d))
+ local ok = myassert(pubkey:verify(s, d))
ngx.say(ok)
}
}
@@ -183,18 +144,10 @@ true
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
})
- local privkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
- local privkey, err = require("resty.openssl.pkey").new(jwk, {
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
format = "JWK",
- })
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ }))
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@@ -211,11 +164,7 @@ true
crv = "Ed25519",
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
})
- local pubkey, err = require("resty.openssl.pkey").new(jwk)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
}
}
@@ -232,23 +181,11 @@ true
--- config
location =/t {
content_by_lua_block {
- local privkey, err = require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'})
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local privkey = myassert(require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'}))
- local pem, err = privkey:tostring("public")
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local pem = myassert(privkey:tostring("public"))
- local pubkey, err = require("resty.openssl.pkey").new(pem)
- if err then
- ngx.log(ngx.ERR, err)
- return
- end
+ local pubkey = myassert(require("resty.openssl.pkey").new(pem))
local _, err = pubkey:tostring("private", "JWK")
ngx.say(err)
@@ -261,3 +198,65 @@ true
'
--- no_error_log
[error]
+
+
+=== TEST 5: Dump pubkey from privkey doesn't contain private part
+--- http_config eval: $::HttpConfig
+--- config
+ location =/t {
+ content_by_lua_block {
+ local jwk = require("cjson").encode({
+ kty = "RSA",
+ n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
+ e = "AQAB",
+ d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
+ p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
+ q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
+ dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
+ dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
+ qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
+ })
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+ for k, _ in pairs(jwk) do
+ if k ~= "kty" and k ~= "kid" and k ~= "n" and k ~="e" then
+ ngx.say("RSA JWK pubkey contains private part: " .. k)
+ end
+ end
+
+ local jwk = require("cjson").encode({
+ kty = "EC",
+ crv = "P-256",
+ x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
+ y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
+ d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
+ })
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+ for k, _ in pairs(jwk) do
+ if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" and k ~="y" then
+ ngx.say("EC JWK pubkey contains private part: " .. k)
+ end
+ end
+
+ local jwk = require("cjson").encode({
+ kty = "OKP",
+ crv = "Ed25519",
+ x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
+ d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
+ })
+ local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+ local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+ for k, _ in pairs(jwk) do
+ if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" then
+ ngx.say("ECX JWK pubkey contains private part: " .. k)
+ end
+ end
+ }
+ }
+--- request
+ GET /t
+--- response_body eval
+''
+--- no_error_log
+[error]
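Review bot: TEST 5 only rejects unexpected members, so an export that returned an empty or truncated object would still produce an empty response body and pass. Add a positive check per key type, for example `if not jwk.x then ngx.say("ECX JWK pubkey is missing x") end`, with equivalents for `n`/`e` on RSA and `x`/`y` on EC. The OKP case covers Ed25519 only, and whether the other curves in `ecx_curves_reverse` take the same path in dump_jwk is not visible here, so a second curve such as X25519 would exercise the fix more fully. The three blocks also redeclare `local jwk` and `local privkey` in one scope; wrapping each in `do ... end` would make a failure easier to attribute.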