From c0515d7989c6ad77f99bb0684ac09859319b8027 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophile=20Diot?= Date: Wed, 17 Apr 2024 17:58:01 +0200 Subject: [PATCH] Squashed 'src/deps/src/lua-resty-openssl/' changes from 58c6ce688..79b9c2f78 79b9c2f78 release: 1.3.0 48c510774 feat(aux/nginx) use lua-kong-nginx-module's get_socket_ssl when available (#3) e08f7f06c chore(tests) put commentary text before PEM certs fixtures 9ac51f328 chore(tests) swap a expired sub cert fixture c155a3a9a chore(ci) update openssl versions git-subtree-dir: src/deps/src/lua-resty-openssl git-subtree-split: 79b9c2f787febd03b9741ef9fad084a39a888d7c --- .github/workflows/tests.yml | 22 ++-- CHANGELOG.md | 11 +- lib/resty/openssl.lua | 2 +- lib/resty/openssl/auxiliary/nginx_c.lua | 33 +++-- ...spec => lua-resty-openssl-1.3.0-1.rockspec | 4 +- t/fixtures/Github.pem | 77 ++++++++++++ t/fixtures/GlobalSign.pem | 58 +++++++++ t/fixtures/GlobalSign_sub.pem | 113 ++++++++++++++---- t/openssl/ssl/ssl_client.t | 1 + t/openssl/ssl/ssl_ctx_server.t | 1 + t/openssl/ssl/ssl_server.t | 1 + t/openssl/x509/store.t | 4 +- 12 files changed, 282 insertions(+), 45 deletions(-) rename lua-resty-openssl-1.2.1-1.rockspec => lua-resty-openssl-1.3.0-1.rockspec (99%) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 2513bdda5..27529bfaf 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -29,14 +29,14 @@ jobs: # TODO: arm64 # latest and one version older for valgrind and perf test - nginx: "1.19.9" - openssl: "3.1.4" + openssl: "3.1.5" openssl_fips: "3.0.8" extras: "valgrind" lua_nginx_module: "v0.10.20" lua_resty_core: "v0.1.22" nginx_cc_opts: "-Wno-error" - nginx: "1.21.4" - openssl: "3.1.4" + openssl: "3.1.5" openssl_fips: "3.0.8" extras: "valgrind" lua_nginx_module: "v0.10.25" 
@@ -48,23 +48,23 @@ jobs: lua_nginx_module: "v0.10.26" lua_resty_core: "v0.1.28" - nginx: "1.25.3" - openssl: "3.0.12" + openssl: "3.0.13" openssl_fips: "3.0.8" extras: "valgrind perf" lua_nginx_module: "v0.10.26" lua_resty_core: "v0.1.28" nginx_cc_opts: "-Wno-error" - nginx: "1.25.3" - openssl: "3.1.4" + openssl: "3.1.5" openssl_fips: "3.0.8" extras: "valgrind perf" lua_nginx_module: "v0.10.26" lua_resty_core: "v0.1.28" nginx_cc_opts: "-Wno-error" - nginx: "1.25.3" - openssl: "3.2.0" + openssl: "3.2.1" openssl_fips: "3.0.8" - extras: "valgrind perf" + extras: "valgrind perf lua-kong-nginx-module" lua_nginx_module: "v0.10.26" lua_resty_core: "v0.1.28" nginx_cc_opts: "-Wno-error" @@ -115,6 +115,7 @@ jobs: git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b ${{ matrix.lua_nginx_module }} git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module + git clone https://github.com/Kong/lua-kong-nginx-module.git ./lua-kong-nginx-module # lua libraries at parent directory of current repository popd git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b ${{ matrix.lua_resty_core }} 
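Review bot: The added `git clone https://github.com/Kong/lua-kong-nginx-module.git ./lua-kong-nginx-module` checks out whatever the default branch head is at run time, while lua-nginx-module and lua-resty-core in the same step are cloned with `-b ${{ matrix.… }}`. That module is compiled into the nginx binary the TLS tests run against, so an unpinned checkout makes runs non-reproducible and lets any upstream change reach the build unreviewed. Pin it the same way, for example with a new matrix key (the name here is only a suggestion): `git clone https://github.com/Kong/lua-kong-nginx-module.git ./lua-kong-nginx-module -b ${{ matrix.lua_kong_nginx_module }}`. Checking out a fixed commit SHA would be stricter still.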
@@ -170,15 +171,17 @@ jobs: - name: Build Nginx env: NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }} + NGINX_MODULES: "" run: | if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi + if [[ "${{ matrix.extras }}" == *lua-kong-nginx-module* ]]; then NGINX_MODULES="$NGINX_MODULES --add-module=../lua-kong-nginx-module"; fi export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module export cd $BASE_PATH - if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi + if [ ! -e work ]; then ngx-build ${{ matrix.nginx }} --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module $NGINX_MODULES --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi nginx -V ldd `which nginx`|grep -E 'luajit|ssl|pcre' @@ -191,6 +194,8 @@ jobs: echo "Nginx SSL plain FFI" export CI_SKIP_NGINX_C=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1 + export CI_SKIP_KONG_SSL_FUNCS=1 + TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1 - name: Run Valgrind if: contains(matrix.extras, 'valgrind') 
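Review bot: In the test step, `export CI_SKIP_KONG_SSL_FUNCS=1` is added after `export CI_SKIP_NGINX_C=1`, which is still exported, so the new `prove` run executes with both switches set. If `CI_SKIP_NGINX_C` keeps `nginx_c.lua` from loading at all (the "Nginx SSL plain FFI" echo suggests so, but the consumer is not visible here), this run repeats the plain-FFI run and the aux-module fallback added in `nginx_c.lua` is never exercised. Put `unset CI_SKIP_NGINX_C` before `export CI_SKIP_KONG_SSL_FUNCS=1`. The Run Valgrind hunk that follows has the same sequence and needs the same change.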
@@ -205,6 +210,9 @@ jobs: export CI_SKIP_NGINX_C=1 stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi + export CI_SKIP_KONG_SSL_FUNCS=1 + stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log + if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi - name: Run FIPS Test run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index 3630d3390..fae52720d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] + +## [1.3.0] - 2024-04-15 +### features +- **aux/nginx:** use lua-kong-nginx-module's get_socket_ssl when available ([#3](https://github.com/fffonion/lua-resty-openssl/issues/3)) [48c5107](https://github.com/fffonion/lua-resty-openssl/commit/48c51077444e375b2cdd5155693b49d92a82d4a1) + + ## [1.2.1] - 2024-02-27 ### bug fixes 
@@ -488,8 +494,8 @@ - **autogen:** generate tests for x509, csr and crl [1392428](https://github.com/fffonion/lua-resty-openssl/commit/1392428352164d2a1a6e0c03075ff65b55aecdee) - **objects:** add helper function for ASN1_OBJECT [d037706](https://github.com/fffonion/lua-resty-openssl/commit/d037706c11d716afe3616bdaf4658afc1763081d) - **pkey:** asymmetric encryption and decryption [6d60451](https://github.com/fffonion/lua-resty-openssl/commit/6d60451157edbf9cefb634f888dfa3e6d9be302f) -- **x509:** getter/setters for extensions [243f40d](https://github.com/fffonion/lua-resty-openssl/commit/243f40d35562a516f404188a5c7eb8f5134d9b30) - **x509:** add get_ocsp_url and get_crl_url [6141b6f](https://github.com/fffonion/lua-resty-openssl/commit/6141b6f5aed38706b477a71d8c4383bf55da7eee) +- **x509:** getter/setters for extensions [243f40d](https://github.com/fffonion/lua-resty-openssl/commit/243f40d35562a516f404188a5c7eb8f5134d9b30) - **x509.altname:** support iterate and decode over the stack [083a201](https://github.com/fffonion/lua-resty-openssl/commit/083a201746e02d51f6c5c640ad9bf8c6730ebe0b) - **x509.crl:** add crl module [242f8cb](https://github.com/fffonion/lua-resty-openssl/commit/242f8cb45d6c2df5918f26540c92a430d42feb5d) - **x509.csr:** autogen some csr functions as well [9800e36](https://github.com/fffonion/lua-resty-openssl/commit/9800e36c2ff8a299b88f24091cc722940a8652bb) 
@@ -577,7 +583,8 @@ - **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8) -[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...HEAD +[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...HEAD +[1.3.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...1.3.0 [1.2.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.0...1.2.1 [1.2.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.1.0...1.2.0 [1.1.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.2...1.1.0 diff --git a/lib/resty/openssl.lua b/lib/resty/openssl.lua index 99748812a..d6f08507c 100644 --- a/lib/resty/openssl.lua +++ b/lib/resty/openssl.lua @@ -24,7 +24,7 @@ try_require_modules() local _M = { - _VERSION = '1.2.1', + _VERSION = '1.3.0', } function _M.load_modules() diff --git a/lib/resty/openssl/auxiliary/nginx_c.lua b/lib/resty/openssl/auxiliary/nginx_c.lua index f50db365a..767e89efc 100644 --- a/lib/resty/openssl/auxiliary/nginx_c.lua +++ b/lib/resty/openssl/auxiliary/nginx_c.lua @@ -1,5 +1,6 @@ local ffi = require "ffi" local C = ffi.C +local os = os local SOCKET_CTX_INDEX = 1 local NGX_OK = ngx.OK @@ -30,6 +31,8 @@ end local stream_subsystem = false +local get_sock_ssl + if ngx.config.subsystem == "stream" then stream_subsystem = true 
@@ -48,10 +51,21 @@ if ngx.config.subsystem == "stream" then int ngx_stream_lua_resty_openssl_aux_get_socket_ssl_ctx(ngx_stream_lua_socket_tcp_upstream_t *u, void **_sess); + + int ngx_stream_lua_kong_get_socket_ssl(ngx_stream_lua_socket_tcp_upstream_t *u, + void **ssl_conn); ]] -- sanity test local _ = C.ngx_stream_lua_resty_openssl_aux_get_request_ssl + local success + if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then + success, get_sock_ssl = pcall(function() return C.ngx_stream_lua_kong_get_socket_ssl end) + end + if not success or get_sock_ssl == nil then + get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl_ctx + end + else ffi.cdef [[ typedef struct ngx_http_request_s ngx_http_request_t; @@ -68,10 +82,20 @@ else int ngx_http_lua_resty_openssl_aux_get_socket_ssl_ctx(ngx_http_lua_socket_tcp_upstream_t *u, void **_sess); + + int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u, + void **ssl_conn); ]] -- sanity test local _ = C.ngx_http_lua_resty_openssl_aux_get_request_ssl + local success + if not os.getenv("CI_SKIP_KONG_SSL_FUNCS") then + success, get_sock_ssl = pcall(function() return C.ngx_http_lua_kong_ffi_get_socket_ssl end) + end + if not success or get_sock_ssl == nil then + get_sock_ssl = C.ngx_http_lua_resty_openssl_aux_get_socket_ssl + end end local void_pp = ffi.new("void *[1]") @@ -115,12 +139,7 @@ end get_socket_ssl = function(sock) local u = sock[SOCKET_CTX_INDEX] - local ret - if stream_subsystem then - ret = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl(u, void_pp) - else - ret = C.ngx_http_lua_resty_openssl_aux_get_socket_ssl(u, void_pp) - end + local ret = get_sock_ssl(u, void_pp) if ret ~= NGX_OK then return nil, "cannot read u->peer.connection->ssl->connection" @@ -151,4 +170,4 @@ return { get_req_ssl_ctx = get_req_ssl_ctx, get_socket_ssl = get_socket_ssl, get_socket_ssl_ctx = get_socket_ssl_ctx, -} \ No newline at end of file +} 
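Review bot: In the stream branch the fallback assigns `get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl_ctx`, but the code this commit removes from `get_socket_ssl` called `C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl`, and the http branch falls back to the `_get_socket_ssl` symbol as expected. When the Kong symbol is not linked in, or `CI_SKIP_KONG_SSL_FUNCS` is set, `get_socket_ssl` on a stream socket would presumably return the socket's `SSL_CTX *` where callers expect an `SSL *`. That is a pointer type confusion across the FFI boundary and would not surface as a clean error. The line should read `get_sock_ssl = C.ngx_stream_lua_resty_openssl_aux_get_socket_ssl`. The enclosing `if ngx.config.subsystem == "stream" then` block starts outside this hunk.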
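Review bot: The `os.getenv("CI_SKIP_KONG_SSL_FUNCS")` check in the http branch, and its twin in the stream branch, is a test-only switch in shipped library code, and nothing says so or explains the `pcall`. A short comment above the block would help, such as `-- CI_SKIP_KONG_SSL_FUNCS is a CI-only switch; pcall is needed because indexing ffi.C raises when the symbol is not linked in`. The `ffi.cdef` prototype for `ngx_http_lua_kong_ffi_get_socket_ssl` is also an ABI assumption about lua-kong-nginx-module that cannot be checked from this diff. It would be worth noting next to the declaration which module version it was taken from and that its return value is compared against `NGX_OK`.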
diff --git a/lua-resty-openssl-1.2.1-1.rockspec b/lua-resty-openssl-1.3.0-1.rockspec similarity index 99% rename from lua-resty-openssl-1.2.1-1.rockspec rename to lua-resty-openssl-1.3.0-1.rockspec index 37a67ceab..de1591350 100644 --- a/lua-resty-openssl-1.2.1-1.rockspec +++ b/lua-resty-openssl-1.3.0-1.rockspec @@ -1,8 +1,8 @@ package = "lua-resty-openssl" -version = "1.2.1-1" +version = "1.3.0-1" source = { url = "git+https://github.com/fffonion/lua-resty-openssl.git", - tag = "1.2.1" + tag = "1.3.0" } description = { detailed = "FFI-based OpenSSL binding for LuaJIT.", diff --git a/t/fixtures/Github.pem b/t/fixtures/Github.pem index fe50833b6..cd1f8e6b8 100644 --- a/t/fixtures/Github.pem +++ b/t/fixtures/Github.pem 
@@ -1,3 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0e:8b:f3:77:0d:92:d1:96:f0:bb:61:f9:3c:41:66:be + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 + Validity + Not Before: Mar 25 00:00:00 2021 GMT + Not After : Mar 30 23:59:59 2022 GMT + Subject: C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:ad:f6:f7:75:b1:d3:49:54:0a:5d:10:71:bd:dc: + 25:06:4b:22:1c:a2:23:4e:9f:a1:fe:b9:d0:8c:bd: + 39:bc:0c:23:c7:cf:91:a6:90:5a:d8:45:ab:03:13: + be:c1:23:7a:b9:c4:c8:9d:47:f6:96:e0:b9:76:6b: + 50:36:66:f7:0d + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Authority Key Identifier: + 50:61:A6:A0:D2:35:C4:11:2A:20:8D:1F:0F:AC:42:F0:CD:29:CF:4B + X509v3 Subject Key Identifier: + 27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72 + X509v3 Subject Alternative Name: + DNS:github.com, DNS:www.github.com + X509v3 Key Usage: critical + Digital Signature + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + Full Name: + URI:http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl + Full Name: + URI:http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + CPS: http://www.digicert.com/CPS + Authority Information Access: + OCSP - URI:http://ocsp.digicert.com + CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt + X509v3 Basic Constraints: critical + CA:FALSE + CT Precertificate SCTs: + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: + BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 + Timestamp : Mar 25 18:57:33.978 2021 GMT + Extensions: 
none + Signature : ecdsa-with-SHA256 + 30:45:02:21:00:9E:E6:88:44:7F:FC:34:45:9C:32:4D: + 9F:AB:94:86:06:AE:DD:63:2D:E2:F5:5F:63:97:46:8A: + 0B:A5:39:D8:D7:02:20:48:54:27:D1:C6:32:B5:BF:81: + 77:D7:EB:15:68:AC:F2:C8:EE:C9:01:AD:1F:CC:34:0C: + EE:C9:10:72:44:98:59 + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86: + E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02 + Timestamp : Mar 25 18:57:34.009 2021 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:46:02:21:00:98:00:12:4A:09:41:18:AF:06:5C:28: + EF:1E:BB:DE:85:6C:7F:58:A9:D3:DE:96:B2:16:6A:99: + 10:AE:2F:F2:69:02:21:00:DD:C5:F8:AD:BD:F0:68:B0: + CB:AB:80:B8:F0:D4:A8:52:67:30:E7:A3:F0:3B:F9:B6: + BB:09:D0:A6:B6:FE:CA:1D + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:44:02:20:2b:e2:af:ec:6f:bf:2a:45:a4:35:98:37:3d:c4: + 05:a7:ce:ba:67:b1:ba:b2:8c:68:6b:87:ad:49:9f:92:46:56: + 02:20:14:a2:5d:2d:b4:59:cf:b2:8c:3d:75:d6:73:f3:bd:05: + 02:7e:c3:f8:f8:32:99:dc:af:b6:18:ab:04:44:3e:9d -----BEGIN CERTIFICATE----- MIIFBjCCBK2gAwIBAgIQDovzdw2S0Zbwu2H5PEFmvjAKBggqhkjOPQQDAjBnMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPzA9BgNVBAMTNkRp diff --git a/t/fixtures/GlobalSign.pem b/t/fixtures/GlobalSign.pem index f4ce4ca43..3145cd19f 100644 --- a/t/fixtures/GlobalSign.pem +++ b/t/fixtures/GlobalSign.pem 
@@ -1,3 +1,61 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:15:4b:5a:c3:94 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA + Validity + Not Before: Sep 1 12:00:00 1998 GMT + Not After : Jan 28 12:00:00 2028 GMT + Subject: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: + 83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0: + 63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89: + 8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c: + 70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50: + 15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0: + 6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2: + 89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7: + 54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c: + 92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2: + 75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9: + c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b: + bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91: + ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51: + 63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa: + 48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a: + 07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93: + 90:cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + Signature Algorithm: sha1WithRSAEncryption + Signature Value: + d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5: + 7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5: + 08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b: + f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50: + 56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f: + 94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86: + 
8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48: + 64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69: + 2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a: + c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6: + 5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a: + e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b: + e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f: + a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9: + 29:26:69:e0 -----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv diff --git a/t/fixtures/GlobalSign_sub.pem b/t/fixtures/GlobalSign_sub.pem index 8e463e380..a34aaea0b 100644 --- a/t/fixtures/GlobalSign_sub.pem +++ b/t/fixtures/GlobalSign_sub.pem 
@@ -1,26 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:2f:4e:e1:3d:6b + Signature Algorithm: sha1WithRSAEncryption + Issuer: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA + Validity + Not Before: Apr 13 10:00:00 2011 GMT + Not After : Jan 28 12:00:00 2028 GMT + Subject: C = BE, O = GlobalSign nv-sa, CN = GlobalSign PersonalSign Partners CA - G2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9f:e7:7d:d4:0d:99:89:d7:1d:b6:25:1f:45:8e: + 4d:70:e4:71:ed:68:35:43:17:67:53:c3:eb:c4:49: + aa:9b:2f:dd:5c:24:1a:84:5a:82:c8:62:fd:99:16: + e6:48:61:9b:c1:6a:c9:7a:df:ce:f6:5c:00:33:48: + 0c:77:a1:e5:d8:09:e4:33:b7:a8:bf:85:b2:b1:ae: + af:df:db:1e:df:2b:c3:ac:b1:2f:27:72:9c:d7:7c: + e5:1d:5c:01:a0:2d:72:d0:8f:c9:94:13:be:3c:93: + c4:20:0d:72:90:52:da:2e:1d:a7:8a:ee:9a:7a:b4: + 34:61:43:81:d3:55:6c:2c:18:4b:97:7b:c9:1e:cc: + be:b8:b0:a9:b3:b2:89:4a:bb:12:38:57:7e:ee:44: + 7a:4c:bd:e8:ae:48:88:36:1a:05:32:9c:92:f3:eb: + 50:f9:7d:b1:2b:17:af:ae:9b:68:b8:17:a0:fc:58: + c3:ea:0a:06:f2:a6:99:12:95:9f:c8:c8:a3:da:a4: + 75:59:58:f6:cf:1d:3b:bc:f9:ee:3c:f4:44:27:76: + 1a:b0:33:6f:0f:49:04:83:cb:34:5f:a1:1b:d4:02: + 28:0c:0a:3b:fd:fc:57:de:f0:b2:d2:22:c4:dd:a9: + 05:31:37:a4:ae:a4:68:3b:89:66:b4:40:7c:e2:61: + ea:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Subject Key Identifier: + C5:7D:DA:83:E5:47:57:AA:C5:77:12:A7:CE:D9:0A:07:41:67:DF:39 + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://www.globalsign.com/repository/ + X509v3 CRL Distribution Points: + Full Name: + URI:http://crl.globalsign.net/root.crl + X509v3 Authority Key Identifier: + 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + Signature Algorithm: sha1WithRSAEncryption + Signature Value: + 
43:4c:1b:01:22:79:fb:d9:79:00:cb:a7:31:19:b9:11:cb:3d: + d2:1d:0a:cb:d2:06:ac:e3:df:a6:05:1d:61:79:6a:9b:7f:a2: + ee:c2:05:20:dd:d0:9c:c5:e5:0a:57:d4:28:91:eb:0e:4d:6f: + da:60:3f:6b:6b:0d:18:92:b2:23:52:b4:4a:37:b7:ad:11:e3: + de:89:4c:8b:b0:b4:be:5c:5b:80:71:c3:dc:2a:77:ea:37:c7: + 03:95:19:59:26:e5:0a:46:f6:7c:03:9a:a5:42:96:11:16:99: + 06:ac:85:a9:55:b9:7c:0b:80:94:bd:59:19:15:16:6b:62:b7: + 6e:1b:32:da:64:74:7a:5e:a1:95:80:3f:e2:78:82:09:b2:09: + fd:d1:d0:b9:b7:39:f6:dc:be:d8:e1:40:57:73:9a:d2:48:b5: + fd:25:b1:3a:46:42:2a:52:22:01:1b:93:27:32:93:e8:b6:bc: + 8f:c8:2d:e9:31:c6:ff:bd:47:85:cb:53:9e:dc:be:a3:e8:ea: + 86:ba:c2:1a:8c:f7:c3:c1:db:c2:69:9f:d7:a6:48:a9:7a:51: + 84:5f:8a:03:93:29:da:71:25:4b:65:eb:5a:3d:e4:3c:3d:50: + 5b:ac:3a:71:cb:61:6a:e3:81:82:de:69:7c:0a:5f:94:dd:6b: + 8a:88:a6:39 -----BEGIN CERTIFICATE----- -MIIEWjCCA0KgAwIBAgIOR8MQAMBL+oomVLdB7CswDQYJKoZIhvcNAQEFBQAwVzEL -MAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsT -B1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNjAzMTYw -MDAwMDBaFw0yNDAzMTYwMDAwMDBaMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBH -bG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2ln -biAzIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm4HxK -0o9gvqhlIWVajpj75hIkZariW6PUj+njWoA5YRqmopnzUc99nUzj9Lj7Go8eqe9F -9tT76IeS2MdOAn1bata0FTGQXUZYO72E4YL18SE5ERRLlOjt1TenE4JbRFodris3 -+NUh9qNOFhyii7zf/nNQMTWDQ3hH5z4qcAemahgS26Ep8VihD70pPleC9Jcy/RVM -k+RjqBEzur3dWHPD21wRk3gS29Gs2499Tj59DlLH+RoXSsRjHcJk+fDHzC2zyY4M -jNJHgw/RWfhmJqxPDrNvF3jiDchMDrkY/o7oywpJCfVaTZ3ScEd4GnhIsBJi26ci -OYfjXmq+vPGumJBTAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T -AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU4ir34VYTni+RxwhiCZ7AIV++blMwHwYD -VR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0G -CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYD -VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNy -bDBHBgNVHSAEQDA+MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu 
-Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQEFBQADggEBAAMt -Z5FskwVr28wgh70YcB0TepVojuiDQwDHilW0dfFnM+tkzwyHKcU7Q36EojXCrMz1 -SXw2TD8n+BC3dkJdmYf7zPKen5HguBaraPUzcxgZuJCfZmA1fW1+hrJ9sVLp9nBX -J3H2g4XDIl1yj/MozwfWfKE04fJZyk7yuAknoFgwK+EGOXnXnjMWldAoPLS0AyFE -aM1HU57OUMWPRwJ5Ts/CKf50Nz9ntgGTGVHvyfDvexHEEMGF1Vc9KAs+Z0jPXFom -H6wJlHvDM0nVtIbvdkGxVzxEQASkXUdh7qPxR4WpGJn5vMpIi74NglkCp5pPuDJ6 -i7GsIy4xEeMwq4nuOh8= +MIIEHTCCAwWgAwIBAgILBAAAAAABL07hPWswDQYJKoZIhvcNAQEFBQAwVzELMAkG +A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv +b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw +MDBaFw0yODAxMjgxMjAwMDBaMFsxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i +YWxTaWduIG52LXNhMTEwLwYDVQQDEyhHbG9iYWxTaWduIFBlcnNvbmFsU2lnbiBQ +YXJ0bmVycyBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +n+d91A2ZidcdtiUfRY5NcORx7Wg1QxdnU8PrxEmqmy/dXCQahFqCyGL9mRbmSGGb +wWrJet/O9lwAM0gMd6Hl2AnkM7eov4Wysa6v39se3yvDrLEvJ3Kc13zlHVwBoC1y +0I/JlBO+PJPEIA1ykFLaLh2niu6aerQ0YUOB01VsLBhLl3vJHsy+uLCps7KJSrsS +OFd+7kR6TL3orkiINhoFMpyS8+tQ+X2xKxevrptouBeg/FjD6goG8qaZEpWfyMij +2qR1WVj2zx07vPnuPPREJ3YasDNvD0kEg8s0X6Eb1AIoDAo7/fxX3vCy0iLE3akF +MTekrqRoO4lmtEB84mHqIwIDAQABo4HlMIHiMA4GA1UdDwEB/wQEAwIBBjASBgNV +HRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBTFfdqD5UdXqsV3EqfO2QoHQWffOTBH +BgNVHSAEQDA+MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv +YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDov +L2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDAfBgNVHSMEGDAWgBRge2YaRQ2X +yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOCAQEAQ0wbASJ5+9l5AMunMRm5 +Ecs90h0Ky9IGrOPfpgUdYXlqm3+i7sIFIN3QnMXlClfUKJHrDk1v2mA/a2sNGJKy +I1K0Sje3rRHj3olMi7C0vlxbgHHD3Cp36jfHA5UZWSblCkb2fAOapUKWERaZBqyF +qVW5fAuAlL1ZGRUWa2K3bhsy2mR0el6hlYA/4niCCbIJ/dHQubc59ty+2OFAV3Oa +0ki1/SWxOkZCKlIiARuTJzKT6La8j8gt6THG/71HhctTnty+o+jqhrrCGoz3w8Hb +wmmf16ZIqXpRhF+KA5Mp2nElS2XrWj3kPD1QW6w6ccthauOBgt5pfApflN1rioim +OQ== -----END CERTIFICATE----- 
diff --git a/t/openssl/ssl/ssl_client.t b/t/openssl/ssl/ssl_client.t index cb410b77d..d447b0e0e 100644 --- a/t/openssl/ssl/ssl_client.t +++ b/t/openssl/ssl/ssl_client.t @@ -53,6 +53,7 @@ our $ClientContentBy = qq{ no_long_string(); env_to_nginx("CI_SKIP_NGINX_C"); +env_to_nginx("CI_SKIP_KONG_SSL_FUNCS"); run_tests(); diff --git a/t/openssl/ssl/ssl_ctx_server.t b/t/openssl/ssl/ssl_ctx_server.t index 6e7d08667..a23567853 100644 --- a/t/openssl/ssl/ssl_ctx_server.t +++ b/t/openssl/ssl/ssl_ctx_server.t @@ -53,6 +53,7 @@ our $ClientContentBy = qq{ no_long_string(); env_to_nginx("CI_SKIP_NGINX_C"); +env_to_nginx("CI_SKIP_KONG_SSL_FUNCS"); run_tests(); diff --git a/t/openssl/ssl/ssl_server.t b/t/openssl/ssl/ssl_server.t index fb2a9f104..4577c37fd 100644 --- a/t/openssl/ssl/ssl_server.t +++ b/t/openssl/ssl/ssl_server.t @@ -53,6 +53,7 @@ our $ClientContentBy = qq{ no_long_string(); env_to_nginx("CI_SKIP_NGINX_C"); +env_to_nginx("CI_SKIP_KONG_SSL_FUNCS"); run_tests(); diff --git a/t/openssl/x509/store.t b/t/openssl/x509/store.t index 9f1618d09..2ae36215a 100644 --- a/t/openssl/x509/store.t +++ b/t/openssl/x509/store.t @@ -242,8 +242,8 @@ true GET /t --- response_body eval "B1BC968BD4F49D622AA89A81F2150152A41D829C -C187B85714202A2941E8EAFB846C39EB1F9C609A -C187B85714202A2941E8EAFB846C39EB1F9C609A +9EB54DF0722B3D50AFC50AE8CC74AA3696D33218 +9EB54DF0722B3D50AFC50AE8CC74AA3696D33218 B1BC968BD4F49D622AA89A81F2150152A41D829C " --- no_error_log