Skip to content

Commit

Permalink
feat(x509.extension) add X509V3_set_issuer_pkey in OpenSSL 3.0
Browse files Browse the repository at this point in the history
  • Loading branch information
@fffonion
fffonion committed Apr 14, 2022
1 parent 0946c59 commit dbd3f74
Show file tree
Hide file tree
Showing 3 changed files with 53 additions and 3 deletions.
4 changes: 4 additions & 0 deletions README.md
View file
Expand Up @@ -3262,9 +3262,13 @@ data = {
subject = resty.openssl.x509 instance,
request = resty.openssl.x509.csr instance,
crl = resty.openssl.x509.crl instance,
issuer_pkey = resty.openssl.pkey instance, -- >= OpenSSL 3.0
}
```

From OpenSSL 3.0, `issuer_pkey` can be specified as a fallback source for
generating the authority key identifier extension when `issuer` is same as `subject`.

When `data` is a string, it's the full nconf string. Using section lookup from `value` to
`data` is also supported.

Expand Down
12 changes: 12 additions & 0 deletions lib/resty/openssl/x509/extension.lua
View file
Expand Up @@ -15,6 +15,7 @@ local objects_lib = require "resty.openssl.objects"
local stack_lib = require("resty.openssl.stack")
local util = require "resty.openssl.util"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
local BORINGSSL = require("resty.openssl.version").BORINGSSL

local _M = {}
Expand All @@ -29,6 +30,10 @@ local extension_types = {
crl = "resty.openssl.x509.crl",
}

if OPENSSL_30 then
extension_types["issuer_pkey"] = "resty.openssl.pkey"
end

local nconf_load
if BORINGSSL then
nconf_load = function()
Expand Down Expand Up @@ -87,6 +92,13 @@ function _M.new(txtnid, value, data)
end
end
C.X509V3_set_ctx(x509_ctx_ptr[0], args.issuer, args.subject, args.request, args.crl, 0)

if OPENSSL_30 and args.issuer_pkey then
if C.X509V3_set_issuer_pkey(x509_ctx_ptr[0], args.issuer_pkey) ~= 1 then
return nil, format_error("x509.extension.new: X509V3_set_issuer_pkey")
end
end

elseif type(data) == 'string' then
err = nconf_load(conf, data)
if err then
Expand Down
40 changes: 37 additions & 3 deletions t/openssl/x509/extension.t
View file
Expand Up @@ -170,12 +170,45 @@ CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSH
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local x509 = myassert(require("resty.openssl.x509").new(f))
f = io.open("t/fixtures/test.crt"):read("*a")
local ic = myassert(require("resty.openssl.x509").new(f))
f = io.open("t/fixtures/test.key"):read("*a")
local ik = myassert(require("resty.openssl.pkey").new(f))
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("subjectKeyIdentifier", "hash",
{
subject = x509,
}))
{
subject = x509,
}))
ngx.say(tostring(c))
if require("resty.openssl.version").OPENSSL_30 then
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = x509,
}))
if tostring(c) ~= "0." then
ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
end
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = x509,
issuer_pkey = ik,
}))
-- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
ngx.print("keyid:")
else
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = ic,
}))
end
ngx.say(tostring(c))
}
Expand All @@ -184,6 +217,7 @@ CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSH
GET /t
--- response_body_like eval
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
"
--- no_error_log
[error]
Expand Down

0 comments on commit dbd3f74

Please sign in to comment.