-
Notifications
You must be signed in to change notification settings - Fork 2.5k
/
ssl.lua
242 lines (187 loc) · 6.33 KB
/
ssl.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
local core = require("apisix.core")
local ngx_ssl = require("ngx.ssl")
local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
local aes = require("resty.aes")
local str_lower = string.lower
local assert = assert
local type = type
local ipairs = ipairs
local cert_cache = core.lrucache.new {
ttl = 3600, count = 1024,
}
local pkey_cache = core.lrucache.new {
ttl = 3600, count = 1024,
}
local _M = {}
function _M.server_name()
local sni, err = ngx_ssl.server_name()
if err then
return nil, err
end
if not sni then
local local_conf = core.config.local_conf()
sni = core.table.try_read_attr(local_conf, "apisix", "ssl", "fallback_sni")
if not sni then
return nil
end
end
sni = str_lower(sni)
return sni
end
local _aes_128_cbc_with_iv_tbl
local function get_aes_128_cbc_with_iv()
if _aes_128_cbc_with_iv_tbl == nil then
_aes_128_cbc_with_iv_tbl = core.table.new(2, 0)
local local_conf = core.config.local_conf()
local ivs = core.table.try_read_attr(local_conf, "apisix", "ssl", "key_encrypt_salt")
local type_ivs = type(ivs)
if type_ivs == "table" then
for _, iv in ipairs(ivs) do
local aes_with_iv = assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv = iv}))
core.table.insert(_aes_128_cbc_with_iv_tbl, aes_with_iv)
end
elseif type_ivs == "string" then
local aes_with_iv = assert(aes:new(ivs, nil, aes.cipher(128, "cbc"), {iv = ivs}))
core.table.insert(_aes_128_cbc_with_iv_tbl, aes_with_iv)
end
end
return _aes_128_cbc_with_iv_tbl
end
function _M.aes_encrypt_pkey(origin)
local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv()
local aes_128_cbc_with_iv = aes_128_cbc_with_iv_tbl[1]
if aes_128_cbc_with_iv ~= nil and core.string.has_prefix(origin, "---") then
local encrypted = aes_128_cbc_with_iv:encrypt(origin)
if encrypted == nil then
core.log.error("failed to encrypt key[", origin, "] ")
return origin
end
return ngx_encode_base64(encrypted)
end
return origin
end
local function aes_decrypt_pkey(origin)
if core.string.has_prefix(origin, "---") then
return origin
end
local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv()
if #aes_128_cbc_with_iv_tbl == 0 then
return origin
end
local decoded_key = ngx_decode_base64(origin)
if not decoded_key then
core.log.error("base64 decode ssl key failed. key[", origin, "] ")
return nil
end
for _, aes_128_cbc_with_iv in ipairs(aes_128_cbc_with_iv_tbl) do
local decrypted = aes_128_cbc_with_iv:decrypt(decoded_key)
if decrypted then
return decrypted
end
end
core.log.error("decrypt ssl key failed")
return nil
end
local function validate(cert, key)
local parsed_cert, err = ngx_ssl.parse_pem_cert(cert)
if not parsed_cert then
return nil, "failed to parse cert: " .. err
end
if key == nil then
-- sometimes we only need to validate the cert
return true
end
key = aes_decrypt_pkey(key)
if not key then
return nil, "failed to decrypt previous encrypted key"
end
local parsed_key, err = ngx_ssl.parse_pem_priv_key(key)
if not parsed_key then
return nil, "failed to parse key: " .. err
end
-- TODO: check if key & cert match
return true
end
_M.validate = validate
local function parse_pem_cert(sni, cert)
core.log.debug("parsing cert for sni: ", sni)
local parsed, err = ngx_ssl.parse_pem_cert(cert)
return parsed, err
end
function _M.fetch_cert(sni, cert)
local parsed_cert, err = cert_cache(cert, nil, parse_pem_cert, sni, cert)
if not parsed_cert then
return false, err
end
return parsed_cert
end
local function parse_pem_priv_key(sni, pkey)
core.log.debug("parsing priv key for sni: ", sni)
local parsed, err = ngx_ssl.parse_pem_priv_key(aes_decrypt_pkey(pkey))
return parsed, err
end
function _M.fetch_pkey(sni, pkey)
local parsed_pkey, err = pkey_cache(pkey, nil, parse_pem_priv_key, sni, pkey)
if not parsed_pkey then
return false, err
end
return parsed_pkey
end
local function support_client_verification()
return ngx_ssl.verify_client ~= nil
end
_M.support_client_verification = support_client_verification
function _M.check_ssl_conf(in_dp, conf)
if not in_dp then
local ok, err = core.schema.check(core.schema.ssl, conf)
if not ok then
return nil, "invalid configuration: " .. err
end
end
local ok, err = validate(conf.cert, conf.key)
if not ok then
return nil, err
end
if conf.type == "client" then
return true
end
local numcerts = conf.certs and #conf.certs or 0
local numkeys = conf.keys and #conf.keys or 0
if numcerts ~= numkeys then
return nil, "mismatched number of certs and keys"
end
for i = 1, numcerts do
local ok, err = validate(conf.certs[i], conf.keys[i])
if not ok then
return nil, "failed to handle cert-key pair[" .. i .. "]: " .. err
end
end
if conf.client then
if not support_client_verification() then
return nil, "client tls verify unsupported"
end
local ok, err = validate(conf.client.ca, nil)
if not ok then
return nil, "failed to validate client_cert: " .. err
end
end
return true
end
return _M