feature: add ssl trusted certificate.

theweakgod · web-flow · commit 45c63cda4170 · 2024-07-09T12:10:49.000+08:00
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
@@ -1468,8 +1468,8 @@ ngx_http_lua_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 
 
 int
-ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs,
-    int depth, char **err)
+ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *client_certs,
+    void *trusted_certs, int depth, char **err)
 {
 #ifdef LIBRESSL_VERSION_NUMBER
 
@@ -1481,7 +1481,8 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs,
     ngx_http_lua_ctx_t          *ctx;
     ngx_ssl_conn_t              *ssl_conn;
     ngx_http_ssl_srv_conf_t     *sscf;
-    STACK_OF(X509)              *chain = ca_certs;
+    STACK_OF(X509)              *client_chain = client_certs;
+    STACK_OF(X509)              *trusted_chain = trusted_certs;
     STACK_OF(X509_NAME)         *name_chain = NULL;
     X509                        *x509 = NULL;
     X509_NAME                   *subject = NULL;
@@ -1535,54 +1536,75 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs,
 
     /* set CA chain */
 
-    if (chain != NULL) {
+    if (client_chain != NULL || trusted_chain != NULL) {
+
         ca_store = X509_STORE_new();
         if (ca_store == NULL) {
             *err = "X509_STORE_new() failed";
             return NGX_ERROR;
         }
 
-        /* construct name chain */
+        if (client_chain != NULL) {
 
-        name_chain = sk_X509_NAME_new_null();
-        if (name_chain == NULL) {
-            *err = "sk_X509_NAME_new_null() failed";
-            goto failed;
-        }
-
-        for (i = 0; i < sk_X509_num(chain); i++) {
-            x509 = sk_X509_value(chain, i);
-            if (x509 == NULL) {
-                *err = "sk_X509_value() failed";
+            /* construct name chain */
+            name_chain = sk_X509_NAME_new_null();
+            if (name_chain == NULL) {
+                *err = "sk_X509_NAME_new_null() failed";
                 goto failed;
             }
 
-            /* add subject to name chain, which will be sent to client */
-            subject = X509_NAME_dup(X509_get_subject_name(x509));
-            if (subject == NULL) {
-                *err = "X509_get_subject_name() failed";
-                goto failed;
+            for (i = 0; i < sk_X509_num(client_chain); i++) {
+                x509 = sk_X509_value(client_chain, i);
+                if (x509 == NULL) {
+                    *err = "sk_X509_value() failed";
+                    goto failed;
+                }
+
+                /* add subject to name chain, which will be sent to client */
+                subject = X509_NAME_dup(X509_get_subject_name(x509));
+                if (subject == NULL) {
+                    *err = "X509_get_subject_name() failed";
+                    goto failed;
+                }
+
+                if (!sk_X509_NAME_push(name_chain, subject)) {
+                    *err = "sk_X509_NAME_push() failed";
+                    X509_NAME_free(subject);
+                    goto failed;
+                }
+
+                /* add to trusted CA store */
+                if (X509_STORE_add_cert(ca_store, x509) == 0) {
+                    *err = "X509_STORE_add_cert() failed";
+                    goto failed;
+                }
             }
 
-            if (!sk_X509_NAME_push(name_chain, subject)) {
-                *err = "sk_X509_NAME_push() failed";
-                X509_NAME_free(subject);
-                goto failed;
-            }
+            /* clean subject name list, and set it for send to client */
+            SSL_set_client_CA_list(ssl_conn, name_chain);
+        }
 
-            /* add to trusted CA store */
-            if (X509_STORE_add_cert(ca_store, x509) == 0) {
-                *err = "X509_STORE_add_cert() failed";
-                goto failed;
+        if (trusted_chain != NULL) {
+            for (i = 0; i < sk_X509_num(trusted_chain); i++) {
+                x509 = sk_X509_value(trusted_chain, i);
+                if (x509 == NULL) {
+                    *err = "sk_X509_value() failed";
+                    goto failed;
+                }
+
+                /* add to trusted CA store */
+                if (X509_STORE_add_cert(ca_store, x509) == 0) {
+                    *err = "X509_STORE_add_cert() failed";
+                    goto failed;
+                }
             }
         }
 
+        /* clean ca_store, and store new ca_store */
         if (SSL_set0_verify_cert_store(ssl_conn, ca_store) == 0) {
             *err = "SSL_set0_verify_cert_store() failed";
             goto failed;
         }
-
-        SSL_set_client_CA_list(ssl_conn, name_chain);
     }
 
     return NGX_OK;
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
@@ -12,7 +12,7 @@ if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) {
     plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1");
 
 } else {
-    plan tests => repeat_each() * (blocks() * 5 + 1);
+    plan tests => repeat_each() * (blocks() * 5 - 1);
 }
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
@@ -72,7 +72,7 @@ ffi.cdef[[
     void ngx_http_lua_ffi_free_priv_key(void *cdata);
 
     int ngx_http_lua_ffi_ssl_verify_client(void *r, void *cdata,
-        int depth, char **err);
+        void *cdata, int depth, char **err);
 
     int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r,
         unsigned char *out, size_t *outlen, char **err);
@@ -853,21 +853,21 @@ lua ssl server name: "test.com"
             local cert_data = f:read("*all")
             f:close()
 
-            local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
-            if not cert then
-                ngx.log(ngx.ERR, "failed to parse PEM cert: ",
+            local client_cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_cert then
+                ngx.log(ngx.ERR, "failed to parse PEM client cert: ",
                         ffi.string(errmsg[0]))
                 return
             end
 
-            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, cert, 1, errmsg)
+            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, client_cert, nil, 1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to verify client: ",
                         ffi.string(errmsg[0]))
                 return
             end
 
-            ffi.C.ngx_http_lua_ffi_free_cert(cert)
+            ffi.C.ngx_http_lua_ffi_free_cert(client_cert)
         }
 
         ssl_certificate ../../cert/test2.crt;
@@ -924,7 +924,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
                 return
             end
 
-            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
+            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, nil, nil, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to verify client: ",
                         ffi.string(errmsg[0]))
@@ -990,21 +990,21 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
             local cert_data = f:read("*all")
             f:close()
 
-            local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
-            if not cert then
-                ngx.log(ngx.ERR, "failed to parse PEM cert: ",
+            local client_cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_cert then
+                ngx.log(ngx.ERR, "failed to parse PEM client cert: ",
                         ffi.string(errmsg[0]))
                 return
             end
 
-            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, cert, 1, errmsg)
+            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, client_cert, nil, 1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to verify client: ",
                         ffi.string(errmsg[0]))
                 return
             end
 
-            ffi.C.ngx_http_lua_ffi_free_cert(cert)
+            ffi.C.ngx_http_lua_ffi_free_cert(client_cert)
         }
 
         ssl_certificate ../../cert/test2.crt;
@@ -1623,3 +1623,157 @@ lua ssl server name: "test.com"
 --- no_error_log
 [error]
 [alert]
+
+
+
+=== TEST 13: verify client, but server don't trust root ca
+--- http_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name   example.com;
+
+        ssl_certificate_by_lua_block {
+            collectgarbage()
+
+            require "defines"
+            local ffi = require "ffi"
+
+            local errmsg = ffi.new("char *[1]")
+
+            local r = require "resty.core.base" .get_request()
+            if r == nil then
+                ngx.log(ngx.ERR, "no request found")
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_server.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local client_cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_cert then
+                ngx.log(ngx.ERR, "failed to parse PEM client cert: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, client_cert, nil, 2, errmsg)
+            if rc ~= 0 then
+                ngx.log(ngx.ERR, "failed to verify client: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            ffi.C.ngx_http_lua_ffi_free_cert(client_cert)
+        }
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        location / {
+            default_type 'text/plain';
+            content_by_lua_block {
+                ngx.say(ngx.var.ssl_client_verify)
+            }
+            more_clear_headers Date;
+        }
+    }
+--- config
+    location /t {
+        proxy_pass                  https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+        proxy_ssl_certificate       ../../cert/mtls_client.crt;
+        proxy_ssl_certificate_key   ../../cert/mtls_client.key;
+        proxy_ssl_session_reuse     off;
+    }
+
+--- request
+GET /t
+--- response_body
+FAILED:unable to verify the first certificate
+
+--- no_error_log
+[error]
+[alert]
+
+
+
+=== TEST 14: verify client and server trust root ca
+--- http_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name   example.com;
+
+        ssl_certificate_by_lua_block {
+            collectgarbage()
+
+            require "defines"
+            local ffi = require "ffi"
+
+            local errmsg = ffi.new("char *[1]")
+
+            local r = require "resty.core.base" .get_request()
+            if r == nil then
+                ngx.log(ngx.ERR, "no request found")
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_server.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local client_cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not client_cert then
+                ngx.log(ngx.ERR, "failed to parse PEM client cert: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local f = assert(io.open("t/cert/mtls_ca.crt", "rb"))
+            local cert_data = f:read("*all")
+            f:close()
+
+            local trusted_cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+            if not trusted_cert then
+                ngx.log(ngx.ERR, "failed to parse PEM trusted cert: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            local rc = ffi.C.ngx_http_lua_ffi_ssl_verify_client(r, cert, trusted_cert, 2, errmsg)
+            if rc ~= 0 then
+                ngx.log(ngx.ERR, "failed to verify client: ",
+                        ffi.string(errmsg[0]))
+                return
+            end
+
+            ffi.C.ngx_http_lua_ffi_free_cert(client_cert)
+            ffi.C.ngx_http_lua_ffi_free_cert(trusted_cert)
+        }
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        location / {
+            default_type 'text/plain';
+            content_by_lua_block {
+                ngx.say(ngx.var.ssl_client_verify)
+            }
+            more_clear_headers Date;
+        }
+    }
+--- config
+    location /t {
+        proxy_pass                  https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+        proxy_ssl_certificate       ../../cert/mtls_client.crt;
+        proxy_ssl_certificate_key   ../../cert/mtls_client.key;
+        proxy_ssl_session_reuse     off;
+    }
+
+--- request
+GET /t
+--- response_body
+SUCCESS
+
+--- no_error_log
+[error]
+[alert]
