Merge branch 'dev' into ui

This commit is contained in:
florian 2023-04-18 20:05:14 +02:00
commit 860cc1a924
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
70 changed files with 532 additions and 10125 deletions

CODE_OF_CONDUCT.md Normal file

@ -0,0 +1,128 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
contact@bunkerity.com.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series
of actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within
the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.


@ -82,7 +82,7 @@ Because the web UI is a web application, the recommended installation procedure
* replace the `/changeme` URL with a custom one of your choice
* the `bunkerweb.INSTANCE` label is mandatory
The web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
The web UI and the Scheduler will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
To connect the docker socket proxy and the web UI, you will need another network :
```shell
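Review bot: the first sentence now says the Scheduler also needs the Docker API, but the risk statement that follows still only considers the case where "the web UI is exploited" and ends with "available to the web UI container"; extend it so the scheduler is covered too, e.g. "if the web UI or the Scheduler is exploited" and "available to the web UI and Scheduler containers", otherwise readers will assume the scheduler's socket access carries no risk.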
@ -236,7 +236,7 @@ Because the web UI is a web application, the recommended installation procedure
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
* the `bunkerweb.INSTANCE` label is mandatory
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
The Autoconf, the Scheduler and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
To connect the docker socket proxy and the web UI, you will need another network :
```shell
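Review bot: same mismatch as in the previous hunk: the list of components that get the Docker API grows to the Autoconf, the Scheduler and the web UI, while the exploitation scenario and the closing parenthesis still name only the web UI container. Reword the risk sentence so it covers every component that is handed the socket proxy, since each of them has the same blast radius if compromised.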
@ -271,6 +271,7 @@ Because the web UI is a web application, the recommended installation procedure
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e AUTOCONF_MODE=yes \
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
docker network connect bw-docker bw-scheduler
```
@ -282,6 +283,7 @@ Because the web UI is a web application, the recommended installation procedure
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e AUTOCONF_MODE=yes \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
@ -320,7 +322,6 @@ Because the web UI is a web application, the recommended installation procedure
- SERVER_NAME=
- MULTISITE=yes
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-services
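Review bot: `AUTOCONF_MODE=yes` is dropped from the `bunkerweb` service here while the earlier hunks add it to the scheduler and the web UI; since the Lua side (`utils.get_integration`, which reads `variable_AUTOCONF_MODE` from the datastore) is what reports the integration, confirm that the value still reaches BunkerWeb through the scheduler-generated configuration. If it does not, the integration falls through to the `/etc/os-release` check and is reported as plain `docker`.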
@ -369,7 +370,7 @@ Because the web UI is a web application, the recommended installation procedure
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
- ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=bwadm.example.com"
- "bunkerweb.USE_UI=yes"
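Review bot: `http(s)://` is not a URL scheme; anyone copying this compose snippet gets a literal `http(s)://bwadm.example.com/changeme/` in `ABSOLUTE_URI`, which the UI then uses to build its own links. Pick one scheme in the example (`https://` is what a reverse-proxied admin UI should end up on) and say in prose that the scheme must match how the UI is actually reached; the same placeholder appears in the `docker run` variant in the hunk above.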
@ -403,27 +404,36 @@ Because the web UI is a web application, the recommended installation procedure
Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
```shell
docker network create --subnet 10.20.30.0/24 bw-universe && \
docker network create bw-services
docker network create -d overlay --attachable --subnet 10.20.30.0/24 bw-universe && \
docker network create -d overlay --attachable bw-services
```
You will also need the data volume, which where BunkerWeb's data will be stored :
Swarm will need a redis instance to work properly, you can use the [official redis image](https://hub.docker.com/_/redis) :
```shell
docker volume create bw-data
docker service create \
--name bw-redis \
--constraint 'node.role == worker' \
--network bw-universe \
redis:7-alpine
```
You can now create the BunkerWeb container, please note the special `bunkerweb.INSTANCE` label which is mandatory for the scheduler as well as the web UI to work properly :
```shell
docker run -d \
--name bunkerweb \
--network bw-universe \
-p 80:8080 \
-p 443:8443 \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.5.0-beta
docker service create \
--name bunkerweb \
--mode global \
--constraint 'node.role == worker' \
--network bw-universe \
--network bw-services \
-p published=80,target=8080,mode=host \
-p published=443,target=8443,mode=host \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e USE_REDIS=yes \
-e REDIS_HOST=bw-redis \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l "bunkerweb.INSTANCE" \
bunkerity/bunkerweb:1.5.0-beta
```
Important things to note :
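Review bot: "Swarm will need a redis instance to work properly" does not say why; since every replica of the global `bunkerweb` service is pointed at it with `USE_REDIS=yes` and `REDIS_HOST=bw-redis`, state that it holds the state shared between the BunkerWeb instances. Also note that `bw-redis` runs with no authentication and is reachable from everything on `bw-universe`, so that network is the only boundary; mention `--requirepass` (and the matching BunkerWeb setting, if one exists) rather than leaving it implicit. Dropping `docker volume create bw-data` is fine because `--mount type=volume,source=bw-data` in the later `bw-db` hunk creates the volume on first use.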
@ -431,7 +441,7 @@ Because the web UI is a web application, the recommended installation procedure
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
* the `bunkerweb.INSTANCE` label is mandatory
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
Swarm, the Scheduler and the web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
To connect the docker socket proxy and the web UI, you will need another network :
```shell
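Review bot: "Swarm" here is the orchestrator, not a BunkerWeb component; the service that actually talks to the Docker API in the next hunk is `bw-autoconf` started with `SWARM_MODE=yes`. Write "the Autoconf (in Swarm mode), the Scheduler and the web UI" so the reader can map the sentence to the services below; the same wording is reused in the "Important things to note" list further down this file.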
@ -440,43 +450,72 @@ Because the web UI is a web application, the recommended installation procedure
Once the network is created, you can now create the docker socket proxy container :
```shell
docker run -d \
docker service create \
--name bw-docker \
--constraint 'node.role == manager' \
--network bw-docker \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
-e CONFIGS=1 \
-e CONTAINERS=1 \
-e SERVICES=1 \
-e SWARM=1 \
-e TASKS=1 \
tecnativa/docker-socket-proxy
```
You can then create the autoconf container connected to the docker socket proxy network :
Swarm, the Scheduler and the web UI will also need to share data among them. We recommend using a dedicated database container for that purpose. For this example, we will use a [MariaDB](https://mariadb.org/) container :
```shell
docker run -d \
--name bw-autoconf \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-autoconf:1.5.0-beta && \
docker network connect bw-docker bw-autoconf
docker service create \
--name bw-db \
--network bw-docker \
--mount type=volume,source=bw-data,destination=/var/lib/mysql \
-e MYSQL_RANDOM_ROOT_PASSWORD=yes \
-e MYSQL_DATABASE=db \
-e MYSQL_USER=bunkerweb \
-e MYSQL_PASSWORD=changeme \
mariadb:10.10
```
You can then create the scheduler container with the bw-data volume and the docker socket proxy network :
Important things to note :
* For security purposes the database container should not be on the same network as the BunkerWeb container
* Replace the password `changeme` with strong ones, the same password will be used in the url provided to Swarm, the Scheduler and the web UI
* The URL provided to Swarm, the Scheduler and the web UI will be `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
You can then create the autoconf container connected to the database and the docker socket proxy network :
```shell
docker run -d \
docker service create \
--name bw-autoconf \
--network bw-universe \
--network bw-docker \
-e SWARM_MODE=yes \
-e DOCKER_HOST=tcp://bw-docker:2375
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
bunkerity/bunkerweb-autoconf:1.5.0-beta
```
You can then create the scheduler container connected to the database and the docker socket proxy network :
```shell
docker service create \
--name bw-scheduler \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
docker network connect bw-docker bw-scheduler
--network bw-docker \
-e SWARM_MODE=yes \
-e DOCKER_HOST=tcp://bw-docker:2375
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
bunkerity/bunkerweb-scheduler:1.5.0-beta
```
We can finally create the web UI container :
```shell
docker run -d \
docker service create \
--name bw-ui \
--network bw-universe \
--network bw-docker \
-v bw-data:/data \
-e SWARM_MODE=yes \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
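Review bot: the `docker service create` commands for `bw-autoconf` and `bw-scheduler` are missing the trailing `\` after `-e DOCKER_HOST=tcp://bw-docker:2375`, so the shell runs the truncated `docker service create` on its own and then tries to execute `-e DATABASE_URI=...` as a command; add the backslash on both lines. Three more things in this hunk: `-v bw-data:/data` is still listed under `bw-ui`, but `docker service create` has no `-v` flag (it uses `--mount`) and `bw-data` is now the MariaDB data volume, so that line should go as it did for the scheduler; `bw-db` is attached to `bw-docker`, the socket-proxy network, so the database shares a segment with the Docker API proxy, and a dedicated `bw-db` network restricted to its three clients would match the "should not be on the same network" note better; and `changeme` ends up in clear text in the `DATABASE_URI` of three services (visible in `docker service inspect`), so point readers at Docker secrets (`--secret` on the service side and the `_FILE` variants the MariaDB image supports for `MYSQL_PASSWORD`).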
@ -488,8 +527,7 @@ Because the web UI is a web application, the recommended installation procedure
-l "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000" \
-l "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
-l "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504" \
bunkerity/bunkerweb-ui:1.5.0-beta && \
docker network connect bw-docker bw-ui
bunkerity/bunkerweb-ui:1.5.0-beta
```
Important things to note :
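Review bot: the context line `bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 ...` is left untouched; `401.5.0-beta` is not a status code and looks like the result of a version-bump substitution applied to the docs. The compose variant in a later hunk of this file is corrected to `400 401 405 413 429 500 501 502 503 504`; apply the same fix to this `docker service create` example, and check whether codes originally between 401 and 405 were lost by the same substitution.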
@ -507,36 +545,37 @@ Because the web UI is a web application, the recommended installation procedure
bunkerweb:
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE"
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
environment:
- SERVER_NAME=
- MULTISITE=yes
- USE_REDIS=yes
- REDIS_HOST=bw-redis
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-services
deploy:
mode: global
placement:
constraints:
- "node.role == worker"
labels:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
volumes:
- bw-data:/data
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
networks:
- bw-universe
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
networks:
- bw-universe
- bw-docker
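Review bot: in this compose version `bw-autoconf` gets only `SWARM_MODE` and `DOCKER_HOST`, whereas the `docker service create` example for the same service earlier in this file also passes `DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`; one of the two is wrong, and since the prose says the Autoconf, the Scheduler and the web UI share the database, the compose service should get `DATABASE_URI` as well. Moving `labels` under `deploy` is the right call for Swarm (service labels rather than container labels). If `AUTOCONF_MODE=yes` under `bunkerweb` survives this hunk, note that the `docker service create` example for `bunkerweb` above does not set it; align the two.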
@ -546,34 +585,67 @@ Because the web UI is a web application, the recommended installation procedure
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONFIGS=1
- CONTAINERS=1
- SERVICES=1
- SWARM=1
- TASKS=1
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
networks:
- bw-universe
- bw-docker
bw-db:
image: mariadb:10.10
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=yes
- MYSQL_DATABASE=db
- MYSQL_USER=bunkerweb
- MYSQL_PASSWORD=changeme
volumes:
- bw-data:/var/lib/mysql
networks:
- bw-docker
bw-redis:
image: redis:7-alpine
networks:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:
aliases:
- bw-ui
volumes:
- bw-data:/data
environment:
- SWARM_MODE=yes
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=bwadm.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504"
- ABSOLUTE_URI=http://bwadm.example.com/changeme
networks:
- bw-universe
- bw-docker
deploy:
labels:
- bunkerweb.SERVER_NAME=bwadm.example.com
- bunkerweb.USE_UI=yes
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/changeme
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bunkerweb.INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504
volumes:
bw-data:
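Review bot: `ABSOLUTE_URI=http://bwadm.example.com/changeme` loses the trailing slash that every other example keeps (`/changeme/`); `REVERSE_PROXY_URL=/changeme` and `X-Script-Name /changeme` are path-prefix settings and a different absolute URI may change how the UI builds its links, so keep the examples identical. Moving the labels under `deploy.labels` is correct for Swarm, and keeping only `bunkerweb.CONTENT_SECURITY_POLICY=...` quoted is right because of the `;` and `'` characters. `bw-db` still uses `MYSQL_PASSWORD=changeme` and `bw-redis` has no password at all; repeat the "replace `changeme`" advice next to this compose file, since readers tend to copy the compose variant as a whole.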
@ -581,15 +653,19 @@ Because the web UI is a web application, the recommended installation procedure
networks:
bw-universe:
name: bw-universe
driver: overlay
attachable: true
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
driver: overlay
attachable: true
bw-docker:
name: bw-docker
driver: overlay
attachable: true
```
=== "Kubernetes"
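Review bot: the three overlay networks are declared without `driver_opts: encrypted: "true"`, so in a multi-node swarm the traffic on `bw-docker` (Docker API calls to the socket proxy and the plain `mariadb+pymysql://` connections to `bw-db`) and on `bw-universe` (redis traffic) crosses the node-to-node overlay unencrypted. Mention the `encrypted` option, and say that `attachable: true` on `bw-docker` lets any container on a node join the socket-proxy network, which is convenient for debugging but widens access to the Docker API.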


@ -30,6 +30,7 @@ theme:
- navigation.tabs
- navigation.tabs.sticky
- toc.integrate
- content.code.copy
custom_dir: docs/overrides
extra_css:
@ -48,7 +49,7 @@ markdown_extensions:
emoji_index: !!python/name:materialx.emoji.twemoji
emoji_generator: !!python/name:materialx.emoji.to_svg
copyright: Copyright © 2022 Bunkerity
copyright: Copyright &copy; <script>document.write(new Date().getFullYear())</script> Bunkerity
extra:
version:
provider: mike
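Review bot: embedding `<script>document.write(new Date().getFullYear())</script>` in `copyright` puts an inline script on every generated page, relies on the theme emitting the string unescaped, and uses `document.write`, which browsers discourage; it also breaks the footer if the docs site ever sets a Content-Security-Policy without `unsafe-inline`, and shows no year to readers with scripts disabled. A static year bumped at release time, or the theme's own footer override under `docs/overrides`, keeps the footer correct without client-side code.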


@ -53,9 +53,6 @@ RUN apk add --no-cache bash && \
chown root:nginx /var/log/letsencrypt /var/lib/letsencrypt && \
chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
VOLUME /data /etc/nginx
WORKDIR /usr/share/bunkerweb/autoconf
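Review bot: dropping `RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"` removes the only explicit guarantee that the image ships the patched OpenSSL packages; this is fine only if the base image has been bumped to a tag that already contains them, and the hunk does not show that. Either keep the pin until the base image is confirmed, or replace it with `apk upgrade --no-cache` inside the existing `RUN apk add --no-cache bash && ...` layer so the image picks up current Alpine security updates at build time.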


@ -42,12 +42,11 @@ COPY src/common/helpers /usr/share/bunkerweb/helpers
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
COPY src/common/utils /usr/share/bunkerweb/utils
COPY src/VERSION /usr/share/bunkerweb/VERSION
COPY misc/*.ascii /usr/share/bunkerweb
COPY misc/*.ascii /usr/share/bunkerweb/
# Install runtime dependencies, pypi packages, move bwcli, create data folders and set permissions
RUN apk add --no-cache pcre bash python3 && \
cp /usr/share/bunkerweb/helpers/bwcli /usr/bin/ && \
echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
mkdir -p /var/tmp/bunkerweb && \
mkdir -p /var/www/html && \
mkdir -p /etc/bunkerweb && \
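Review bot: with `echo "Docker" > /usr/share/bunkerweb/INTEGRATION` gone (and the matching writes removed from the entrypoint in this commit), the Docker integration is now inferred in `utils.get_integration` by searching `/etc/os-release` for `Alpine`; that heuristic reports `docker` for any Alpine-based environment and nothing for other base images. Keeping the file write in the Dockerfile, which the Lua side reads first, is cheaper and unambiguous. The `COPY misc/*.ascii /usr/share/bunkerweb/` trailing-slash fix is correct: a wildcard source needs a directory destination.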
@ -71,11 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
ln -s /proc/1/fd/2 /var/log/nginx/error.log && \
ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log && \
ln -s /proc/1/fd/1 /var/log/nginx/access.log && \
ln -s /proc/1/fd/1 /var/log/nginx/jobs.log && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "curl>=7.83.1-r6" "libcrypto1.1>=1.1.1t-r1" "libcurl>=7.83.1-r6" "libssl1.1>=1.1.1t-r1" "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
ln -s /proc/1/fd/1 /var/log/nginx/jobs.log
VOLUME /data /etc/nginx
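Review bot: same concern as in the autoconf Dockerfile: removing the `# Fix CVEs` layer drops the explicit minimum versions for `curl`, `libcurl`, `libssl1.1`/`libcrypto1.1` and `libssl3`/`libcrypto3`; unless the base image tag was updated in the same change, replace the line with an `apk upgrade --no-cache` step rather than deleting it. The `&& \` chain is correctly terminated now that `ln -s /proc/1/fd/1 /var/log/nginx/jobs.log` is the last command of the `RUN`.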


@ -35,14 +35,6 @@ function trap_reload() {
}
trap "trap_reload" HUP
if [ "$SWARM_MODE" == "yes" ] ; then
echo "Swarm" > /usr/share/bunkerweb/INTEGRATION
elif [ "$KUBERNETES_MODE" == "yes" ] ; then
echo "Kubernetes" > /usr/share/bunkerweb/INTEGRATION
elif [ "$AUTOCONF_MODE" == "yes" ] ; then
echo "Autoconf" > /usr/share/bunkerweb/INTEGRATION
fi
if [ -f "/etc/nginx/variables.env" ] ; then
log "ENTRYPOINT" "⚠️ " "Looks like BunkerWeb has already been loaded, will not generate temp config"
else
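Review bot: removing the `INTEGRATION` file writes here moves integration detection entirely to the Lua side, which first tries `/usr/share/bunkerweb/INTEGRATION` and then the `SWARM_MODE`, `KUBERNETES_MODE` and `AUTOCONF_MODE` variables from the datastore; that only works if those variables are part of the configuration the datastore is filled with, and the autoconf compose example in this same commit removes `AUTOCONF_MODE=yes` from the `bunkerweb` service. A one-line comment in the entrypoint saying where the integration is now determined would stop someone from reintroducing the file write.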
@ -63,4 +55,4 @@ while [ -f "/var/tmp/bunkerweb/nginx.pid" ] ; do
done
log "ENTRYPOINT" "" "BunkerWeb stopped"
exit 0
exit 0


@ -1,3 +1,4 @@
local utils = require "bunkerweb.utils"
local cjson = require "cjson"
local helpers = {}
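Review bot: `cjson` is required here but none of the visible hunks in `helpers.lua` use it (`fill_ctx` only touches `ngx.*` and `utils`); if it is unused in the rest of the file, drop the require rather than carry a dangling dependency.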
@ -84,4 +85,42 @@ helpers.call_plugin = function(plugin, method)
return true, ret
end
helpers.fill_ctx = function()
-- Check if ctx is already filled
if ngx.ctx.bw then
return true, "already filled"
end
-- Return errors as table
local errors = {}
-- Instantiate bw table
local data = {}
-- Common vars
data.kind = "http"
if not ngx.shared.cachestore then
data.kind = "stream"
end
data.ip = ngx.var.remote_addr
data.uri = ngx.var.uri
data.original_uri = ngx.var.original_uri
data.user_agent = ngx.var.http_user_agent
-- IP data : global
local ip_is_global, err = utils.ip_is_global(data.ip)
if ip_is_global == nil then
table.insert(errors, "can't check if IP is global : " .. err)
else
data.ip_is_global = ip_is_global
end
-- IP data : v4 / v6
data.ip_is_ipv4 = utils.is_ipv4(data.ip)
data.ip_is_ipv6 = utils.is_ipv6(data.ip)
-- Misc info
data.integration = utils.get_integration()
data.version = utils.get_version()
-- Plugins
data.plugins = {}
-- Fill ctx
ngx.ctx.bw = data
return true, "ctx filled", errors
end
return helpers
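Review bot: `fill_ctx` detects the subsystem by checking whether the `cachestore` shared dict exists (`if not ngx.shared.cachestore then data.kind = "stream"`), which ties the result to the nginx config; `ngx.config.subsystem` (`"http"` or `"stream"`) is the direct way to ask. In the stream subsystem `ngx.var.uri`, `ngx.var.original_uri` and `ngx.var.http_user_agent` are not defined and come back `nil`, so guard those assignments with `data.kind == "http"`. Two smaller points: when `utils.ip_is_global` fails, `data.ip_is_global` is simply left unset, so consumers see `nil` instead of a failure, and the `errors` table is easy to miss as a third return value behind an always-`true` first one; and `utils.get_version()` now returns `nil` on failure, so `data.version` may be `nil`.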


@ -1,67 +1,35 @@
local cdatastore = require "bunkerweb.datastore"
local ipmatcher = require "resty.ipmatcher"
local cjson = require "cjson"
local resolver = require "resty.dns.resolver"
local mmdb = require "bunkerweb.mmdb"
local clogger = require "bunkerweb.logger"
local ipmatcher = require "resty.ipmatcher"
local resolver = require "resty.dns.resolver"
local session = require "resty.session"
local cjson = require "cjson"
local logger = clogger:new("UTILS")
local datastore = cdatastore:new()
local logger = clogger:new("UTILS")
local datastore = cdatastore:new()
local utils = {}
utils.set_values = function()
local reserved_ips = {
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"233.252.0.0/24",
"240.0.0.0/4",
"255.255.255.255/32"
}
local ok, err = datastore:set("misc_reserved_ips", cjson.encode({ data = reserved_ips }))
if not ok then
return false, err
end
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
if not var_resolvers then
return false, err
end
local list_resolvers = {}
for str_resolver in var_resolvers:gmatch("%S+") do
table.insert(list_resolvers, str_resolver)
end
ok, err = datastore:set("misc_resolvers", cjson.encode(list_resolvers))
if not ok then
return false, err
end
return true, "success"
end
local utils = {}
utils.get_variable = function(var, site_search)
-- Default site search to true
if site_search == nil then
site_search = true
end
-- Get global value
local value, err = datastore:get("variable_" .. var)
if not value then
return nil, "Can't access variable " .. var .. " from datastore : " .. err
return nil, "can't access variable " .. var .. " from datastore : " .. err
end
-- Site search case
if site_search then
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "Can't access variable MULTISITE from datastore : " .. err
return nil, "can't access variable MULTISITE from datastore : " .. err
end
-- Multisite case
if multisite == "yes" and ngx.var.server_name then
local value_site, err = datastore:get("variable_" .. ngx.var.server_name .. "_" .. var)
if value_site then
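Review bot: `utils.set_values` (which pre-loaded the reserved IPs and `DNS_RESOLVERS` into the datastore) is deleted and `local session = require "resty.session"` is added; make sure no init phase still calls `utils.set_values`, and if `session` is not used in the remaining part of `utils.lua` drop the require, since `resty.session` loads its own dependencies at require time. The reserved-IP list now lives inside `utils.ip_is_global` and the resolver list is built lazily by `utils.get_resolvers`, so the `misc_reserved_ips` datastore key is no longer written; grep for anything that still reads it.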
@ -73,19 +41,23 @@ utils.get_variable = function(var, site_search)
end
utils.has_variable = function(var, value)
-- Get global variable
local check_value, err = datastore:get("variable_" .. var)
if not value then
return nil, "Can't access variable " .. var .. " from datastore : " .. err
end
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "Can't access variable MULTISITE from datastore : " .. err
end
-- Multisite case
if multisite == "yes" then
local servers, err = datastore:get("variable_SERVER_NAME")
if not servers then
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
end
-- Check each server
for server in servers:gmatch("%S+") do
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
if check_value_site and check_value_site == value then
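Review bot: `if not value then return nil, "Can't access variable " .. var .. " from datastore : " .. err end` in `utils.has_variable` tests the caller's `value` argument instead of the `check_value` returned by `datastore:get`, so a datastore failure goes unnoticed, while a legitimate `has_variable("X", nil)` call raises on `.. err` because `err` is `nil`. It is unchanged context, but since the function is being touched in this hunk, change the test to `if not check_value then`.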
@ -98,19 +70,23 @@ utils.has_variable = function(var, value)
end
utils.has_not_variable = function(var, value)
-- Get global variable
local check_value, err = datastore:get("variable_" .. var)
if not value then
return nil, "Can't access variable " .. var .. " from datastore : " .. err
end
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "Can't access variable MULTISITE from datastore : " .. err
end
-- Multisite case
if multisite == "yes" then
local servers, err = datastore:get("variable_SERVER_NAME")
if not servers then
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
end
-- Check each server
for server in servers:gmatch("%S+") do
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
if check_value_site and check_value_site ~= value then
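Review bot: same latent bug as in `has_variable` just above: `if not value then` should be `if not check_value then`, otherwise a failed `datastore:get` is silently treated as success and `has_not_variable(var, nil)` raises on `.. err` with `err == nil`.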
@ -122,11 +98,15 @@ utils.has_not_variable = function(var, value)
return check_value ~= value, "success"
end
function utils.get_multiple_variables(vars)
utils.get_multiple_variables = function(vars)
-- Get all keys
local keys = datastore:keys()
local result = {}
-- Loop on keys
for i, key in ipairs(keys) do
-- Loop on vars
for j, var in ipairs(vars) do
-- Filter on good ones
local _, _, server, subvar = key:find("variable_(.*)_?(" .. var .. "_?%d*)")
if subvar then
if not server or server == "" then
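Review bot: `var` is concatenated into a Lua pattern unescaped in `key:find("variable_(.*)_?(" .. var .. "_?%d*)")`; a variable name containing pattern magic characters (`-`, `.`, `(`, `%`) changes the pattern or makes `find` throw. Escape it first (`var:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0")`) or match on a literal prefix and parse the remainder. Also, because `(.*)` is greedy and `_?` is optional, a `var` of `FOO` also matches a key such as `variable_MYFOO_1` with `server == "MY"`; anchoring the pattern with `^` and requiring the server capture to end at `_` tightens it.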
@ -149,10 +129,12 @@ function utils.get_multiple_variables(vars)
end
utils.is_ip_in_networks = function(ip, networks)
-- Instantiate ipmatcher
local ipm, err = ipmatcher.new(networks)
if not ipm then
return nil, "can't instantiate ipmatcher : " .. err
end
-- Match
local matched, err = ipm:match(ip)
if err then
return nil, "can't check ip : " .. err
@ -169,18 +151,31 @@ utils.is_ipv6 = function(ip)
end
utils.ip_is_global = function(ip)
local data, err = datastore:get("misc_reserved_ips")
if not data then
return nil, "can't get reserved ips : " .. err
end
local ok, reserved_ips = pcall(cjson.decode, data)
if not ok then
return nil, "can't decode json : " .. reserved_ips
end
-- Reserved, non public IPs
local reserved_ips = {
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"233.252.0.0/24",
"240.0.0.0/4",
"255.255.255.255/32"
}
-- Instantiate ipmatcher
local ipm, err = ipmatcher.new(reserved_ips)
if not ipm then
return nil, "can't instantiate ipmatcher : " .. err
end
-- Match
local matched, err = ipm:match(ip)
if err then
return nil, "can't check ip : " .. err
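Review bot: the reserved-IP list is now a table literal inside `utils.ip_is_global` and `ipmatcher.new(reserved_ips)` runs on every call, i.e. once per request from `fill_ctx`; hoist both to module level and build the matcher once at load time, since the list never changes. On the list itself: it is IPv4 only, so with `fill_ctx` computing `ip_is_ipv6` for clients, `::1`, `fc00::/7`, `fe80::/10` and IPv4-mapped `::ffff:0:0/96` addresses are all reported as global; and `192.0.2.0/24` (TEST-NET-1) is missing although `198.51.100.0/24` and `203.0.113.0/24` are listed.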
@ -189,32 +184,49 @@ utils.ip_is_global = function(ip)
end
utils.get_integration = function()
-- Check if already in datastore
local integration, err = datastore:get("misc_integration")
if integration then
return integration
end
-- Swarm
local var, err = datastore:get("variable_SWARM_MODE")
if var == "yes" then
integration = "swarm"
else
-- Kubernetes
local var, err = datastore:get("variable_KUBERNETES_MODE")
if var == "yes" then
integration = "kubernetes"
else
local f, err = io.open("/etc/os-release", "r")
if f then
local data = f:read("*a")
if data:find("Alpine") then
integration = "docker"
else
integration = "unknown"
end
f:close()
-- Autoconf
local var, err = datastore:get("variable_AUTOCONF_MODE")
if var == "yes" then
integration = "autoconf"
else
integration = "unknown"
-- Already present (e.g. : linux)
local f, err = io.open("/usr/share/bunkerweb/INTEGRATION", "r")
if f then
integration = f:read("*a"):gsub("[\n\r]", "")
f:close()
else
local f, err = io.open("/etc/os-release", "r")
if f then
local data = f:read("*a")
f:close()
-- Docker
if data:find("Alpine") then
integration = "docker"
end
-- Strange case ...
else
integration = "unknown"
end
end
end
end
end
-- Save integration
local ok, err = datastore:set("misc_integration", integration)
if not ok then
logger:log(ngx.ERR, "can't cache integration to datastore : " .. err)
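Review bot: when `/usr/share/bunkerweb/INTEGRATION` is absent and `/etc/os-release` opens but does not contain `Alpine`, no branch assigns `integration` (the `else integration = "unknown"` only covers the file failing to open), so `integration` stays `nil`, `datastore:set("misc_integration", nil)` is attempted and the function returns `nil` rather than `"unknown"`; add the `unknown` fallback after the `Alpine` test. The `err` values from the three `datastore:get` calls are also discarded, so a datastore failure is indistinguishable from the variable being unset; log them at `ngx.WARN` before falling through.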
@ -223,17 +235,20 @@ utils.get_integration = function()
end
utils.get_version = function()
-- Check if already in datastore
local version, err = datastore:get("misc_version")
if version then
return version
end
-- Read VERSION file
local f, err = io.open("/usr/share/bunkerweb/VERSION", "r")
if not f then
logger:log(ngx.ERR, "can't read VERSION file : " .. err)
return "unknown"
return nil
end
version = f:read("*a")
version = f:read("*a"):gsub("[\n\r]", "")
f:close()
-- Save it to datastore
local ok, err = datastore:set("misc_version", version)
if not ok then
logger:log(ngx.ERR, "can't cache version to datastore : " .. err)
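Review bot: `utils.get_version` now returns `nil` instead of `"unknown"` when the `VERSION` file is unreadable, but `fill_ctx` stores the result straight into `ngx.ctx.bw.version`, and anything that concatenates it will raise on `nil`. Either keep returning `"unknown"` or return `nil, err` consistently and make the callers check. The `:gsub("[\n\r]", "")` trimming is right; `gsub` returns two values and only the first is kept by the assignment, which is what you want here.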
@ -242,28 +257,62 @@ utils.get_version = function()
end
utils.get_reason = function()
-- ngx.ctx
if ngx.ctx.reason then
return ngx.ctx.reason
end
-- ngx.var
if ngx.var.reason and ngx.var.reason ~= "" then
return ngx.var.reason
end
-- os.getenv
if os.getenv("REASON") == "modsecurity" then
return "modsecurity"
end
-- datastore ban
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
if banned then
return banned
end
-- unknown
if ngx.status == utils.get_deny_status() then
return "unknown"
end
return nil
end
utils.get_rdns = function(ip)
utils.get_resolvers = function()
-- Get resolvers from datastore if existing
local str_resolvers, err = datastore:get("misc_resolvers")
if not str_resolvers then
if str_resolvers then
return cjson.decode(str_resolvers)
end
-- Otherwise extract DNS_RESOLVERS variable
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
if not var_resolvers then
logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
return nil, err
end
-- Make table for resolver1 resolver2 ... string
local resolvers = {}
for str_resolver in var_resolvers:gmatch("%S+") do
table.insert(resolvers, str_resolver)
end
-- Add it to the datastore
local ok, err = datastore:set("misc_resolvers", cjson.encode(resolvers))
if not ok then
logger:log(ngx.ERR, "can't save misc_resolvers to datastore : " .. err)
end
return resolvers
end
utils.get_rdns = function(ip)
-- Get resolvers
local resolvers, err = utils.get_resolvers()
if not resolvers then
return false, err
end
local resolvers = cjson.decode(str_resolvers)
-- Instantiate resolver
local rdns, err = resolver:new {
nameservers = resolvers,
retrans = 1,
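Review bot: in `utils.get_reason`, the branch `if os.getenv("REASON") == "modsecurity"` reads the nginx worker's process environment, which is process-wide rather than per-request, so it cannot carry a reason for the current request unless something external sets it per worker; if the value comes from ModSecurity, an `ngx.var` or `ngx.ctx` field is the per-request channel. In `get_resolvers`, `cjson.decode(str_resolvers)` raises on malformed JSON instead of following the `nil, err` convention the rest of the function uses; wrap it in `pcall` and fall through to rebuilding from `variable_DNS_RESOLVERS` when the cached entry is corrupt.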
@ -272,6 +321,7 @@ utils.get_rdns = function(ip)
if not rdns then
return false, err
end
-- Do rDNS query
local answers, err = rdns:reverse_query(ip)
if not answers then
return false, err
@ -279,6 +329,7 @@ utils.get_rdns = function(ip)
if answers.errcode then
return false, answers.errstr
end
-- Return first element
for i, answer in ipairs(answers) do
if answer.ptrdname then
return answer.ptrdname, "success"
@ -288,11 +339,12 @@ utils.get_rdns = function(ip)
end
utils.get_ips = function(fqdn, resolvers)
local str_resolvers, err = datastore:get("misc_resolvers")
if not str_resolvers then
-- Get resolvers
local resolvers, err = utils.get_resolvers()
if not resolvers then
return false, err
end
local resolvers = cjson.decode(str_resolvers)
-- Instantiante resolver
local rdns, err = resolver:new {
nameservers = resolvers,
retrans = 1,
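Review bot: `utils.get_ips = function(fqdn, resolvers)` still declares a `resolvers` parameter, but the first statement of the body, `local resolvers, err = utils.get_resolvers()`, shadows it, so whatever a caller passes is silently ignored. Either drop the parameter (and its callers' argument) or use it when non-nil and fall back to `get_resolvers()` otherwise. The added comment also misspells "Instantiate" as "Instantiante".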
@ -301,6 +353,7 @@ utils.get_ips = function(fqdn, resolvers)
if not rdns then
return false, err
end
-- Query FQDN
local answers, err = rdns:query(fqdn, nil, {})
if not answers then
return false, err
@ -308,6 +361,7 @@ utils.get_ips = function(fqdn, resolvers)
if answers.errcode then
return {}, answers.errstr
end
-- Return all IPs
local ips = {}
for i, answer in ipairs(answers) do
if answer.address then
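Review bot: the two failure paths of `get_ips` return different shapes: a resolver failure returns `false, err` while a DNS-level error (`if answers.errcode then`) returns `{}, answers.errstr`. A caller testing `if not ips then` will treat NXDOMAIN or SERVFAIL as "resolved to zero addresses" and never look at `errstr`. Return one type on both paths (either `false, err` or an empty table plus the error) and document it in the added comment.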
@ -318,9 +372,11 @@ utils.get_ips = function(fqdn, resolvers)
end
utils.get_country = function(ip)
-- Check if mmdb is loaded
if not mmdb.country_db then
return false, "mmdb country not loaded"
end
-- Perform lookup
local ok, result, err = pcall(mmdb.country_db.lookup, mmdb.country_db, ip)
if not ok then
return nil, result
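Review bot: `get_country` returns `false, "mmdb country not loaded"` when the database is absent but `nil, result` when the `pcall` fails. Both are falsy, but a caller distinguishing `== false` from `== nil` sees two different error conditions for what is, from its point of view, the same "no answer" case. Use a single sentinel; `get_asn` below has the same mix and should follow suit.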
@ -332,9 +388,11 @@ utils.get_country = function(ip)
end
utils.get_asn = function(ip)
-- Check if mmdp is loaded
if not mmdb.asn_db then
return false, "mmdb asn not loaded"
end
-- Perform lookup
local ok, result, err = pcall(mmdb.asn_db.lookup, mmdb.asn_db, ip)
if not ok then
return nil, result
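Review bot: typo in the added comment `-- Check if mmdp is loaded`: it should read `mmdb`, matching the `mmdb.asn_db` it guards and the wording of the same comment in `get_country`.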
@ -347,6 +405,7 @@ end
utils.rand = function(nb)
local charset = {}
-- lowers, uppers and numbers
for i = 48, 57 do table.insert(charset, string.char(i)) end
for i = 65, 90 do table.insert(charset, string.char(i)) end
for i = 97, 122 do table.insert(charset, string.char(i)) end
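Review bot: the hunk shows `utils.rand` building its alphabet (digits, upper case, lower case) but not the random source that draws from it, which is the part that matters. If the function is used for anything a client should not be able to predict (session identifiers, tokens, nonces), confirm the selection code below this hunk does not rely on `math.random`, which is not a CSPRNG, and state the intended use in the comment. Minor: the comment says "lowers, uppers and numbers" while the loops run in the opposite order.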
@ -358,9 +417,11 @@ utils.rand = function(nb)
end
utils.get_deny_status = function()
if ngx.var.is_stream == "yes" then
return 403
-- Stream case
if ngx.ctx.bw and ngx.ctx.bw.kind == "stream" then
return 444
end
-- http case
local status, err = datastore:get("variable_DENY_HTTP_STATUS")
if not status then
logger:log(ngx.ERR, "can't get DENY_HTTP_STATUS variable " .. err)
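Review bot: the new stream test `ngx.ctx.bw and ngx.ctx.bw.kind == "stream"` correctly guards against `ngx.ctx.bw` being nil (which happens when `fill_ctx()` fails in the access phase); the same guard is missing in `get_session` further down, which indexes `ngx.ctx.bw.session` unconditionally. Also note the behaviour change for stream from 403 to 444: 444 is nginx's close-connection pseudo-status, which fits stream, but it means no status is sent on the wire, so anything comparing `ngx.status == utils.get_deny_status()` (as `get_reason` does) should be checked against that.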
@ -370,13 +431,16 @@ utils.get_deny_status = function()
end
utils.get_session = function()
if ngx.ctx.session then
return ngx.ctx.session, ngx.ctx.session_err, ngx.ctx.session_exists
-- Session already in context
if ngx.ctx.bw.session then
return ngx.ctx.bw.session, ngx.ctx.bw.session_err, ngx.ctx.bw.session_exists
end
-- Open session
local _session, err, exists = session.start()
if err then
logger:log(ngx.ERR, "UTILS", "can't start session : " .. err)
logger:log(ngx.ERR, "can't start session : " .. err)
end
-- Fill ctx
ngx.ctx.session = _session
ngx.ctx.session_err = err
ngx.ctx.session_exists = exists
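Review bot: `utils.get_session` now checks `ngx.ctx.bw.session` for an existing session, but the "Fill ctx" block still writes `ngx.ctx.session`, `ngx.ctx.session_err` and `ngx.ctx.session_exists`. The cached lookup therefore never hits, `session.start()` runs on every call, and `save_session` / `set_session` below (which read `ngx.ctx.session*`) consult different fields from the ones this check uses. Pick one location (`ngx.ctx.bw.*` appears to be the intent) and use it in the check, the fill and the other session helpers; and guard `ngx.ctx.bw` against nil as `get_deny_status` does.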
@ -389,6 +453,7 @@ utils.get_session = function()
end
utils.save_session = function()
-- Check if save is needed
if ngx.ctx.session and not ngx.ctx.session_err and not ngx.ctx.session_saved then
ngx.ctx.session:set_data(ngx.ctx.session_data)
local ok, err = ngx.ctx.session:save()
@ -405,6 +470,7 @@ utils.save_session = function()
end
utils.set_session = function(key, value)
-- Set new data
if ngx.ctx.session and not ngx.ctx.session_err then
ngx.ctx.session_data[key] = value
return true, "value set"
@ -413,6 +479,7 @@ utils.set_session = function(key, value)
end
utils.get_session = function(key)
-- Get data
if ngx.ctx.session and not ngx.ctx.session_err then
return true, "value get", ngx.ctx.session_data[key]
end
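Review bot: `utils.get_session = function(key)` reassigns a name already defined earlier in this file (`utils.get_session = function()`, the one that opens the session), so this later definition overwrites the earlier one at module load. Afterwards a no-argument `get_session()` call returns `true, "value get", ngx.ctx.session_data[nil]` and no session is ever started through that path. Rename this accessor (for example `get_session_data`, mirroring `set_session`) and update its callers.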

View File

@ -43,47 +43,6 @@ for line in io.lines("/etc/nginx/variables.env") do
end
init_logger:log(ngx.NOTICE, "saved variables into datastore")
-- Set misc values into the datastore
init_logger:log(ngx.NOTICE, "saving misc values into datastore ...")
local miscs = {
reserved_ips = {
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"233.252.0.0/24",
"240.0.0.0/4",
"255.255.255.255/32"
},
resolvers = {}
}
local var_resolvers, err = ds:get("variable_DNS_RESOLVERS")
if not var_resolvers then
init_logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
return false
end
for str_resolver in var_resolvers:gmatch("%S+") do
table.insert(miscs.resolvers, str_resolver)
end
for k, v in pairs(miscs) do
local ok, err = ds:set("misc_" .. k, cjson.encode(v))
if not ok then
init_logger:log(ngx.ERR, "can't save misc " .. k .. " into datastore : " .. err)
return false
end
init_logger:log(ngx.INFO, "saved misc " .. k .. " into datastore")
end
init_logger:log(ngx.NOTICE, "saved misc values into datastore")
-- Set API values into the datastore
init_logger:log(ngx.NOTICE, "saving API values into datastore ...")
local value, err = ds:get("variable_USE_API")
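Review bot: this removal drops both `misc_resolvers` and `misc_reserved_ips` from init. The resolvers move to the lazy `utils.get_resolvers()` cache, but nothing in this diff replaces `misc_reserved_ips`; any plugin still doing `datastore:get("misc_reserved_ips")` will now get "not found" at request time instead of a loud failure at init. Grep for remaining consumers before merging, or keep the reserved-IP list (or an equivalent `utils.get_reserved_ips()`) alongside the resolvers helper.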

View File

@ -30,6 +30,18 @@ if not ok then
logger:log(ngx.ERR, "can't update cachestore : " .. err)
end
-- Fill ctx
logger:log(ngx.INFO, "filling ngx.ctx ...")
local ok, ret, errors = helpers.fill_ctx()
if not ok then
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
elseif errors then
for i, error in ipairs(errors) do
logger:log(ngx.ERR, "fill_ctx() error " .. tostring(i) .. " : " .. error)
end
end
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-- Process bans as soon as possible
local ok, reason = datastore:get("bans_ip_" .. ngx.var.remote_addr)
if not ok and reason ~= "not found" then
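Review bot: when `helpers.fill_ctx()` fails (`if not ok then`) the access phase logs the error and carries on, then logs "ngx.ctx filled (ret = ...)" as if it had succeeded, and later helpers such as `utils.get_session` index `ngx.ctx.bw.*` without a nil check. Either fail closed here (return the deny status, since the plugins that follow depend on the context) or guarantee `ngx.ctx.bw` is at least an empty table on failure, and move the "filled" log line into the success branch.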
@ -78,7 +90,7 @@ for i, plugin in ipairs(plugins) do
ngx.ctx.reason = plugin.id
logger:log(ngx.WARN, "denied access from " .. plugin.id .. " : " .. err)
else
logger:log(ngx.NOTICE, plugin.id .. " returned status " .. tostring(ret.status) .. " : " .. err)
logger:log(ngx.NOTICE, plugin.id .. " returned status " .. tostring(ret.status))
end
ngx.ctx.status = ret.status
break

View File

@ -42,6 +42,7 @@ for i, plugin in ipairs(plugins) do
if not ok then
logger:log(ngx.ERR, plugin_obj)
else
local ok, ret = helpers.call_plugin(plugin_obj, "header")
if not ok then
logger:log(ngx.ERR, ret)
elseif not ret.ret then

View File

@ -60,15 +60,19 @@ def get_version():
def get_integration():
try:
if getenv("AUTOCONF_MODE") == "yes":
return "autoconf"
if getenv("SWARM_MODE") == "yes":
return "swarm"
elif getenv("KUBERNETES_MODE") == "yes":
if getenv("KUBERNETES_MODE", "no") == "yes":
return "kubernetes"
elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
return f.read().strip().lower()
elif getenv("SWARM_MODE", "no") == "yes":
return "swarm"
elif getenv("AUTOCONF_MODE", "no") == "yes":
return "autoconf"
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
return Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip().lower()
elif (
Path("/etc/os-release").is_file()
and "Alpine" in Path("/etc/os-release").read_text()
):
return "docker"
return "linux"
except:
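Review bot: the bare `except:` kept as trailing context swallows everything, including `KeyboardInterrupt` and `SystemExit`; narrow it to `except OSError` (what `Path.is_file()` / `Path.read_text()` can raise here) or at least `except Exception`. Also a behaviour change worth stating: `AUTOCONF_MODE` used to take precedence over `SWARM_MODE` and `KUBERNETES_MODE` and now yields to both, so a host with more than one `*_MODE=yes` is classified differently after this change.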

View File

@ -5,6 +5,7 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>{{title}}</title>
{-raw-}
<link
rel="icon"
href="data:image/svg+xml, %3Csvg version='1.0' xmlns='http://www.w3.org/2000/svg' width='96.000000pt' height='96.000000pt' viewBox='0 0 96.000000 96.000000' preserveAspectRatio='xMidYMid meet'%3E%3Cg transform='translate(0.000000,96.000000) scale(0.100000,-0.100000)'%0Afill='%23085577' stroke='none'%3E%3Cpath d='M535 863 c-22 -2 -139 -17 -260 -34 -228 -31 -267 -43 -272 -85 -2%0A-10 23 -181 55 -379 l57 -360 400 0 400 0 20 40 c16 31 20 59 19 125 -1 100%0A-24 165 -73 199 -41 29 -46 57 -22 111 30 67 29 188 -3 256 -13 28 -37 60 -53%0A72 -55 39 -169 62 -268 55z m-15 -348 c30 -16 60 -61 60 -90 0 -10 -8 -33 -17%0A-52 -16 -34 -16 -41 0 -116 9 -44 15 -82 12 -85 -6 -7 -92 -21 -131 -21 l-31%0A-1 -6 85 c-4 75 -8 89 -31 112 -20 20 -26 36 -26 70 0 38 5 50 34 79 39 39 86%0A45 136 19z'/%3E%3C/g%3E%3C/svg%3E"
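Review bot: `{-raw-}` is not Jinja syntax (Jinja uses `{% raw %}` ... `{% endraw %}`); if it is a marker understood by the project's own templator, confirm that it is consumed during rendering and never emitted as literal text into the served error page, and add a comment saying which renderer it targets, since the same marker appears again around the `{{error_title}}` / `{{error_code}}` / `{{error_text}}` block and after `</html>` further down in this file.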
@ -231,13 +232,14 @@
</div>
<!-- end lottie -->
{-raw-}
<!-- text -->
<div id="text-container" class="-translate-y-12 hidden w-full lg:w-[400px] xl:w-1/3 z-10 flex flex-col justify-center items-center">
<h1 class="uppercase title text-2xl xsm:text-3xl sm:text-4xl 2xl:text-5xl 3xl:text-6xl tracking-wide text-white order-1 text-center">{{error_title}}</h1>
<p class="title text-5xl xsm:text-6xl sm:text-7xl 2xl:text-8xl 3xl:text-9xl tracking-wide text-white order-2 uppercase ">{{error_code}}</p>
<p class="mx-2 mt-4 text text-xs xs:text-sm sm:text-base 2xl:text-lg 3xl:text-xl text-secondary order-3 text-center">
{{error_text}}
{-raw-}
</p>
<a
href="/"
@ -304,3 +306,4 @@
</body>
</html>
{-raw-}

View File

@ -90,8 +90,13 @@ if __name__ == "__main__":
integration = "Swarm"
elif getenv("AUTOCONF_MODE", "no") == "yes":
integration = "Autoconf"
elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
integration = Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip()
elif (
Path("/etc/os-release").is_file()
and "Alpine" in Path("/etc/os-release").read_text()
):
integration = "Docker"
if args.variables:
logger.info(f"Variables : {args.variables}")
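Review bot: detecting Docker via `"Alpine" in Path("/etc/os-release").read_text()` is a heuristic that misclassifies in both directions: a BunkerWeb install on a bare-metal Alpine host becomes "Docker" (and so skips the Linux reload path further down), while a Debian-based container is treated as Linux. Prefer having the Docker image write `/usr/share/bunkerweb/INTEGRATION` (the branch just above already honours it) and keep the os-release check only as a commented last resort. `/etc/os-release` is also opened twice (`is_file()` then `read_text()`); one `try` around `read_text()` covers both.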
@ -163,7 +168,10 @@ if __name__ == "__main__":
)
templator.render()
if integration == "Linux" and not args.no_linux_reload:
if (
integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker")
and not args.no_linux_reload
):
retries = 0
while not Path("/var/tmp/bunkerweb/nginx.pid").exists():
if retries == 5:
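Review bot: replacing `integration == "Linux"` with `integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker")` makes the reload the default for any unrecognised value: a typo or differently-cased content in `/usr/share/bunkerweb/INTEGRATION` (read above with `.strip()` but not case-normalised) now sends a container into the `nginx.pid` wait loop. Keep the positive `== "Linux"` test, or normalise the value (for example `.capitalize()`) at the point where it is read.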

View File

@ -142,6 +142,11 @@ if __name__ == "__main__":
integration = "Autoconf"
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
integration = Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip()
elif (
Path("/etc/os-release").is_file()
and "Alpine" in Path("/etc/os-release").read_text()
):
integration = "Docker"
if args.init:
logger.info(f"Detected {integration} integration")
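Review bot: this is the third copy of the same integration-detection chain in this commit (`get_integration()` in the shared utils module, the scheduler entry point and this one), each with its own casing ("docker" vs "Docker") and ordering. Have both entry points call `get_integration()` and map to display names in one place, so the next fix to the heuristic lands everywhere at once.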

View File

@ -139,7 +139,7 @@ class ApiCaller:
def _send_files(self, path, url):
ret = True
with BytesIO() as tgz:
with taropen(mode="w:gz", fileobj=tgz, dereference=True) as tf:
with taropen(mode="w:gz", fileobj=tgz, dereference=True, compresslevel=5) as tf:
tf.add(path, arcname=".")
tgz.seek(0, 0)
files = {"archive.tar.gz": tgz}
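Review bot: `compresslevel=5` is fine, but the line it touches also carries `dereference=True` together with `tf.add(path, arcname=".")`: with dereferencing on, a symlink under `path` that points outside it is followed and the target's contents are included in the archive sent to every API endpoint. If symlinks are not expected in the archived tree, drop `dereference=True`; otherwise pass a `filter=` to `tf.add` that rejects entries whose resolved path is not under `path`.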

View File

@ -267,7 +267,14 @@ fi
# lua-resty-openssl v0.8.21
echo " Downloading lua-resty-openssl"
dopatch="no"
if [ ! -d "deps/src/lua-resty-openssl" ] ; then
dopatch="yes"
fi
git_secure_clone "https://github.com/fffonion/lua-resty-openssl.git" "15bc59b97feb5acf25fbdd9426cf73870cf7c838"
if [ "$dopatch" == "yes" ] ; then
do_and_check_cmd rm -r deps/src/lua-resty-openssl/t
fi
# ModSecurity v3.0.9
echo " Downloading ModSecurity"
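Review bot: `[ "$dopatch" == "yes" ]` uses the bash-only `==`; POSIX `test` takes `=`, and the script breaks under `sh`/`dash`. The flag is only set when `deps/src/lua-resty-openssl` is absent before the clone, so an existing checkout keeps its `t/` directory while a fresh one loses it, which makes the two build states differ; run the `rm -r deps/src/lua-resty-openssl/t` unconditionally after the clone (guarded by `[ -d ... ]`). The name `dopatch` is also misleading for what is a test-suite removal; `strip_tests` would say what it does. Pinning to a full commit hash via `git_secure_clone` is good.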

View File

@ -1,132 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.fips = "$fips" ~= ""
}
};
run_tests();
__DATA__
=== TEST 1: FIPS mode can be turned on and off
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not _G.fips then
ngx.say("false\ntrue\nfalse")
ngx.exit(200)
end
local openssl = require("resty.openssl")
if require("resty.openssl.version").BORINGSSL then
if openssl.get_fips_mode() then
ngx.say("false\ntrue\nfalse")
else
ngx.say("BORINGSSL should have fips turned on but actually not")
end
ngx.exit(200)
end
ngx.say(openssl.get_fips_mode())
myassert(openssl.set_fips_mode(true))
ngx.say(openssl.get_fips_mode())
myassert(openssl.set_fips_mode(false))
ngx.say(openssl.get_fips_mode())
}
}
--- request
GET /t
--- response_body
false
true
false
--- no_error_log
[error]
=== TEST 2: CIPHER, MD and PKEY provider is directed to fips
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not _G.fips or not require("resty.openssl.version").OPENSSL_3X then
ngx.say("fips\nfips\nfips")
ngx.exit(200)
end
local openssl = require("resty.openssl")
myassert(openssl.set_fips_mode(true))
ngx.say(myassert(require("resty.openssl.cipher").new("aes256")):get_provider_name())
ngx.say(myassert(require("resty.openssl.digest").new("sha256")):get_provider_name())
ngx.say(myassert(require("resty.openssl.pkey").new({ type = "EC" })):get_provider_name())
}
}
--- request
GET /t
--- response_body
fips
fips
fips
--- no_error_log
[error]
=== TEST 3: Non-FIPS compliant algorithms are not allowed
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
-- BORINGSSL doesn't seem to remove non-fips compliant algorithms?
if not _G.fips or require("resty.openssl.version").BORINGSSL then
ngx.say("true\ntrue")
ngx.say("invalid cipher type \"chacha20\": unsupported")
ngx.say("invalid digest type \"md5\": unsupported")
ngx.exit(200)
end
local ok, err
if require("resty.openssl.version").OPENSSL_3X then
ok, err = require("resty.openssl.cipher").new("chacha20")
else
ok, err = require("resty.openssl.cipher").new("seed")
end
ngx.say(not not ok)
local ok, err = require("resty.openssl.digest").new("md5")
ngx.say(not not ok)
local openssl = require("resty.openssl")
myassert(openssl.set_fips_mode(true))
if require("resty.openssl.version").OPENSSL_3X then
ok, err = require("resty.openssl.cipher").new("chacha20")
else
ok, err = require("resty.openssl.cipher").new("seed")
end
ngx.say(err)
local ok, err = require("resty.openssl.digest").new("md5")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like
true
true
.*invalid cipher type.+(?:unsupported|disabled for fips).*
.*invalid digest type "md5".+(?:unsupported|disabled for fips).*
--- no_error_log
[error]

View File

@ -1,29 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFBjCCBK2gAwIBAgIQDovzdw2S0Zbwu2H5PEFmvjAKBggqhkjOPQQDAjBnMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPzA9BgNVBAMTNkRp
Z2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIFRMUyBIeWJyaWQgRUNDIFNIQTI1NiAyMDIw
IENBMTAeFw0yMTAzMjUwMDAwMDBaFw0yMjAzMzAyMzU5NTlaMGYxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAASt9vd1sdNJVApdEHG93CUGSyIcoiNOn6H+
udCMvTm8DCPHz5GmkFrYRasDE77BI3q5xMidR/aW4Ll2a1A2ZvcNo4IDOjCCAzYw
HwYDVR0jBBgwFoAUUGGmoNI1xBEqII0fD6xC8M0pz0swHQYDVR0OBBYEFCexfp+7
JplQ2PPDU1v+MRawux5yMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRo
dWIuY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwgbEGA1UdHwSBqTCBpjBRoE+gTYZLaHR0cDovL2NybDMuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZVRMU0h5YnJpZEVDQ1NIQTI1NjIwMjBD
QTEuY3JsMFGgT6BNhktodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRI
aWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hBMjU2MjAyMENBMS5jcmwwPgYDVR0g
BDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2Vy
dC5jb20vQ1BTMIGSBggrBgEFBQcBAQSBhTCBgjAkBggrBgEFBQcwAYYYaHR0cDov
L29jc3AuZGlnaWNlcnQuY29tMFoGCCsGAQUFBzAChk5odHRwOi8vY2FjZXJ0cy5k
aWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hB
MjU2MjAyMENBMS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYE
gfMA8QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABeGq/vRoA
AAQDAEcwRQIhAJ7miER//DRFnDJNn6uUhgau3WMt4vVfY5dGigulOdjXAiBIVCfR
xjK1v4F31+sVaKzyyO7JAa0fzDQM7skQckSYWQB3ACJFRQdZVSRWlj+hL/H3bYbg
IyZjrcBLf13Gg1xu4g8CAAABeGq/vTkAAAQDAEgwRgIhAJgAEkoJQRivBlwo7x67
3oVsf1ip096WshZqmRCuL/JpAiEA3cX4rb3waLDLq4C48NSoUmcw56PwO/m2uwnQ
prb+yh0wCgYIKoZIzj0EAwIDRwAwRAIgK+Kv7G+/KkWkNZg3PcQFp866Z7G6soxo
a4etSZ+SRlYCIBSiXS20Wc+yjD111nPzvQUCfsP4+DKZ3K+2GKsERD6d
-----END CERTIFICATE-----

View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -1,26 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -1,18 +0,0 @@
# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0).
#
# The modulewrapper is not a part of the FIPS module, so it can be patched without
# concern about breaking the FIPS validation.
--- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -12,9 +12,11 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#include <string>
#include <vector>
#include <assert.h>
+#include <errno.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

View File

@ -1,8 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,74AB7E7042FC695A7F267BB416AC24E1
zNvboWr/ayt4McuSl9h3oirnS7DK5JU5OSGvh3Seyt9E1oVd3SUg4Mcp4BpZP8gv
Ei4K6+p3CTDrQfE0mrjIph3C1LKTzQeLdGIvgTjjKVpu91aogU3K3rgcuqKN/zla
+sQOAedKEtLiop4J6rIGmKvo9JZonbMsEZnZnXGbz3k=
-----END EC PRIVATE KEY-----
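Review bot: good to remove: this encrypted EC key and the other deleted PEM files (test certificates, a CRL, an RSA key pair, a CSR) are lua-resty-openssl's upstream test fixtures, and keeping them vendored in the tree makes secret scanners flag the repository. Dropping them together with the `t/` directory is consistent with the `rm -r deps/src/lua-resty-openssl/t` added to the download script.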

View File

@ -1,18 +0,0 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----

View File

@ -1,16 +0,0 @@
config_diagnostics = 1
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
# need fipsinstall to populate below section
# [fips_sect]

View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

View File

@ -1,8 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFULobn
VTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UITHXK
LNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLklYLF
chkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTkGgYH
WFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkIUQfN
9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQAB
-----END RSA PUBLIC KEY-----

View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

View File

@ -1,194 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;$pwd/../lua-resty-hmac/lib/?.lua;$pwd/../lua-resty-string/lib/?.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.fips = "$fips" ~= ""
}
};
run_tests();
__DATA__
=== TEST 1: Load ffi openssl library
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local openssl = require("resty.openssl")
openssl.load_modules()
ngx.say(string.format("%x", openssl.version.version_num))
}
}
--- request
GET /t
--- response_body_like
\d{6}[0-9a-f][0f]
--- no_error_log
[error]
=== TEST 2: Luaossl compat pattern
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local openssl = require("resty.openssl")
openssl.luaossl_compat()
local pkey = require("resty.openssl.pkey")
local pok, perr = pcall(pkey.new, "not a key")
ngx.say(pok)
ngx.say(perr)
}
}
--- request
GET /t
--- response_body_like
false
.+pkey.new.+
--- no_error_log
[error]
=== TEST 3: List cipher algorithms
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL then
ngx.say("[\"AES\"]")
ngx.say("[\"AES-256-GCM @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
if not version.OPENSSL_3X then
ngx.say("[\"AES-256-GCM @ default\"]")
ngx.exit(0)
end
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
}
}
--- request
GET /t
--- response_body_like
\[.+AES.+\]
\[.+AES-256-GCM @ default.+\]
--- no_error_log
[error]
=== TEST 4: List digest algorithms
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL then
ngx.say("[\"SHA\"]")
ngx.say("[\"SHA2-256 @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
if not version.OPENSSL_3X then
ngx.say("[\"SHA2-256 @ default\"]")
ngx.exit(0)
end
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
}
}
--- request
GET /t
--- response_body_like
\[.+SHA.+\]
\[.+SHA2-256 @ default.+\]
--- no_error_log
[error]
=== TEST 5: List mac algorithms
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_3X then
ngx.say("[\"HMAC @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_mac_algorithms()))
}
}
--- request
GET /t
--- response_body_like
\[.+HMAC @ default.+\]
--- no_error_log
[error]
=== TEST 6: List kdf algorithms
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_3X then
ngx.say("[\"HKDF @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_kdf_algorithms()))
}
}
--- request
GET /t
--- response_body_like
\[.+HKDF @ default.+\]
--- no_error_log
[error]
=== TEST 7: List SSL cipher
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.exit(0)
end
local version = require("resty.openssl.version")
local openssl = require("resty.openssl")
ngx.say(openssl.list_ssl_ciphers())
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA"))
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.2"))
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.3"))
}
}
--- request
GET /t
--- response_body_like
.+:.+
.*ECDHE-ECDSA-AES128-SHA
.*ECDHE-ECDSA-AES128-SHA
.*ECDHE-ECDSA-AES128-SHA
--- no_error_log
[error]

View File

@ -1,141 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
run_tests();
__DATA__
=== TEST 1: asn1_to_unix utctime
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local ffi = require("ffi")
local asn1 = require("resty.openssl.asn1")
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
ffi.gc(a, ffi.C.ASN1_STRING_free)
local s = "200115123456Z"
ffi.C.ASN1_STRING_set(a, s, #s)
ngx.print(assert(asn1.asn1_to_unix(a)))
}
}
--- request
GET /t
--- response_body eval
"1579091696"
--- no_error_log
[error]
=== TEST 2: asn1_to_unix utctime, offset
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local ffi = require("ffi")
local asn1 = require("resty.openssl.asn1")
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
ffi.gc(a, ffi.C.ASN1_STRING_free)
local s = "200115123456+0102"
ffi.C.ASN1_STRING_set(a, s, #s)
ngx.print(assert(asn1.asn1_to_unix(a)))
}
}
--- request
GET /t
--- response_body eval
"1579095416"
--- no_error_log
[error]
=== TEST 3: asn1_to_unix generalized time
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local ffi = require("ffi")
local asn1 = require("resty.openssl.asn1")
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
ffi.gc(a, ffi.C.ASN1_STRING_free)
local s = "22200115123456Z"
ffi.C.ASN1_STRING_set(a, s, #s)
ngx.print(assert(asn1.asn1_to_unix(a)))
}
}
--- request
GET /t
--- response_body eval
"7890438896"
--- no_error_log
[error]
=== TEST 4: asn1_to_unix generalized time, offset
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local ffi = require("ffi")
local asn1 = require("resty.openssl.asn1")
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
ffi.gc(a, ffi.C.ASN1_STRING_free)
local s = "22200115123456-0123"
ffi.C.ASN1_STRING_set(a, s, #s)
ngx.print(assert(asn1.asn1_to_unix(a)))
}
}
--- request
GET /t
--- response_body eval
"7890433916"
--- no_error_log
[error]
=== TEST 5: asn1_to_unix error on bad format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local ffi = require("ffi")
local asn1 = require("resty.openssl.asn1")
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_UTCTIME
ffi.gc(a, ffi.C.ASN1_STRING_free)
for _, s in pairs({
"201315123456Z",
"200132123456Z",
"200115243456Z",
"200115123461Z",
}) do
ffi.C.ASN1_STRING_set(a, s, #s)
local _, err = asn1.asn1_to_unix(a)
if err == nil then
ngx.say(s, " should fail but didn't")
end
end
}
}
--- request
GET /t
--- response_body eval
""
--- no_error_log
[error]

View File

@ -1,232 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
no_long_string();
run_tests();
__DATA__
=== TEST 1: Loads JWK RSA key
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local jwk = require("cjson").encode({
kty = "RSA",
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
e = "AQAB",
d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
-- errors
local _, err = require("resty.openssl.pkey").new('asdasd', {
format = "JWK",
})
ngx.say(err)
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
kty = "RSA",
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
}), {
format = "JWK",
})
ngx.say(err)
-- pubkey only
jwk = require("cjson").encode({
kty = "RSA",
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
e = "AQAB",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local s, err = pubkey:encrypt("23333")
if err then
ngx.log(ngx.ERR, err)
return
end
local s, err = privkey:decrypt(s)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(s)
}
}
--- request
GET /t
--- response_body eval
'pkey.new:load_key: error decoding JSON from JWK: Expected value but found invalid token at character 1
pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" parameter is required
23333
'
--- no_error_log
[error]
=== TEST 2: Loads JWK EC key
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local jwk = require("cjson").encode({
kty = "EC",
crv = "P-256",
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
kty = "EC",
crv = "P-256",
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
}), {
format = "JWK",
})
ngx.say(err)
-- pubkey only
jwk = require("cjson").encode({
kty = "EC",
crv = "P-256",
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local d = require("resty.openssl.digest").new("sha256")
d:update("23333")
local s, err = privkey:sign(d)
if err then
ngx.log(ngx.ERR, err)
return
end
local ok, err = pubkey:verify(s, d)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(ok)
}
}
--- request
GET /t
--- response_body eval
'pkey.new:load_key: failed to construct EC key from JWK: at least "x" and "y" parameter is required
true
'
--- no_error_log
[error]
=== TEST 3: Loads JWK Ed25519 key
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required')
ngx.exit(0)
end
local jwk = require("cjson").encode({
kty = "OKP",
crv = "Ed25519",
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
})
local privkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
local privkey, err = require("resty.openssl.pkey").new(jwk, {
format = "JWK",
})
if err then
ngx.log(ngx.ERR, err)
return
end
-- errors
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
kty = "OKP",
crv = "Ed25519",
}), {
format = "JWK",
})
ngx.say(err)
-- pubkey only
jwk = require("cjson").encode({
kty = "OKP",
crv = "Ed25519",
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
})
local pubkey, err = require("resty.openssl.pkey").new(jwk)
if err then
ngx.log(ngx.ERR, err)
return
end
}
}
--- request
GET /t
--- response_body eval
'pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required
'
--- no_error_log
[error]
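Review bot: the regression checks for the JWK loader error strings ("at least \"n\" and \"e\" parameter is required", "at least \"x\" and \"y\" parameter is required", "at least \"x\" or \"d\" parameter is required") disappear with this file and nothing replaces them in the diff (+0,0); if the suite moved with the merge from dev, the commit message should say where. Two smaller things worth carrying over if the tests are restored: TEST 3 prints the expected error itself and calls `ngx.exit(0)` when `OPENSSL_111_OR_LATER` is false, so on older builds it passed without exercising the loader; and its pubkey-only branch loads the Ed25519 key but never does the sign/verify round trip that TEST 2 does for EC, so a mismatch between the "x" of the private and public JWKs would go unnoticed.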
@ -1,623 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
run_tests();
__DATA__
=== TEST 1: New BIGNUM instance correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn, err = require("resty.openssl.bn").new()
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn:to_binary()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(ngx.encode_base64(b))
}
}
--- request
GET /t
--- response_body eval
""
--- error_log
bn:to_binary failed
=== TEST 2: New BIGNUM instance from number
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn, err = require("resty.openssl.bn").new(0x5b25)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn:to_binary()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(ngx.encode_base64(b))
}
}
--- request
GET /t
--- response_body eval
"WyU="
--- no_error_log
[error]
=== TEST 3: Duplicate the ctx
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
require('ffi').cdef('typedef struct bignum_st BIGNUM; void BN_free(BIGNUM *a);')
local bn, err = require("resty.openssl.bn").new(0x5b25)
if err then
ngx.log(ngx.ERR, err)
return
end
local bn2, err = require("resty.openssl.bn").dup(bn.ctx)
if err then
ngx.log(ngx.ERR, err)
return
end
bn = nil
collectgarbage("collect")
local b, err = bn2:to_binary()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(ngx.encode_base64(b))
}
}
--- request
GET /t
--- response_body eval
"WyU="
--- no_error_log
[error]
=== TEST 4: from_binary, to_binary
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local d = ngx.decode_base64('WyU=')
local bn, err = require("resty.openssl.bn").from_binary(d)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn:to_binary()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(ngx.encode_base64(b))
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0)
end
local b, err = bn:to_binary(10)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(ngx.encode_base64(b))
}
}
--- request
GET /t
--- response_body eval
"WyU=AAAAAAAAAABbJQ=="
--- no_error_log
[error]
=== TEST 5: from_hex, to_hex
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn, err = require("resty.openssl.bn").from_hex("5B25")
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn:to_hex()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(b)
}
}
--- request
GET /t
--- response_body_like eval
"5[Bb]25"
--- no_error_log
[error]
=== TEST 6: from_dec, to_dec
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn, err = require("resty.openssl.bn").from_dec("23333")
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn:to_dec()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.print(b)
}
}
--- request
GET /t
--- response_body eval
"23333"
--- no_error_log
[error]
=== TEST 7: to_number
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local b, err = bn.new(23333)
if err then
ngx.log(ngx.ERR, err)
return
end
local n, err = b:to_number()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(n),type(n))
b, err = bn.from_dec('184467440737095516161844674407370955161618446744073709551616')
if err then
ngx.log(ngx.ERR, err)
return
end
local n, err = b:to_number()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(n),type(n))
}
}
--- request
GET /t
--- response_body eval
"23333number
1.844674407371e+19number
"
--- no_error_log
[error]
=== TEST 8: unary minus
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn, err = require("resty.openssl.bn").new(23333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = (-bn):to_dec()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(b)
local b, err = (-(-bn)):to_dec()
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(b)
}
}
--- request
GET /t
--- response_body eval
"-23333
23333
"
--- no_error_log
[error]
=== TEST 9: metamethods checks arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local a, err = require("resty.openssl.bn").new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = require("resty.openssl.bn").new(2478652)
if err then
ngx.log(ngx.ERR, err)
return
end
local pok, perr = pcall(function() return a + "233" end)
ngx.say(perr)
local pok, perr = pcall(function() return "233" - a end)
ngx.say(perr)
}
}
--- request
GET /t
--- response_body_like eval
".+cannot add a string to bignum
.+cannot substract a string to bignum
"
--- no_error_log
[error]
=== TEST 10: add, sub, mul, div mod
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn.new(2478652)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a+b))
ngx.say(tostring(a-b))
ngx.say(tostring(a*b))
ngx.say(tostring(a/b))
ngx.say(tostring(a%b))
ngx.say(tostring(a*2478652))
ngx.say(tostring(23578164761333*b))
ngx.say(tostring(bn.mul(23578164761333, b)))
ngx.say(tostring(a:mul(b)))
ngx.say(tostring(23578164761333*2478652))
}
}
--- request
GET /t
--- response_body eval
"23578167239985
23578162282681
58442065242007563116
9512495
4593
58442065242007563116
58442065242007563116
58442065242007563116
58442065242007563116
5.8442065242008e\+19
"
--- no_error_log
[error]
=== TEST 11: sqr, exp
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn.new(97)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a:sqr()))
ngx.say(tostring(a:exp(2)))
ngx.say(tostring(a:pow(2)))
ngx.say(tostring(b:exp(b)))
ngx.say(tostring(bn.sqr(a)))
ngx.say(tostring(bn.sqr(23578164761333)))
ngx.say(tostring(bn.exp(a, 2)))
ngx.say(tostring(bn.exp(23578164761333, 2)))
}
}
--- request
GET /t
--- response_body eval
"555929853512565244851936889
555929853512565244851936889
555929853512565244851936889
5210245939718361468048211048414496022534389576033913164940029913016568215580398296261072019231723279851007241838011659882766685337218633992220688288491655299087016195985205218347711578485744737
555929853512565244851936889
555929853512565244851936889
555929853512565244851936889
555929853512565244851936889
"
--- no_error_log
[error]
=== TEST 12: gcd
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn.new(97)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a:gcd(b)))
ngx.say(tostring(bn.gcd(a, b)))
ngx.say(tostring(bn.gcd(a, 97)))
ngx.say(tostring(bn.gcd(23578164761333, b)))
}
}
--- request
GET /t
--- response_body eval
"1
1
1
1
"
--- no_error_log
[error]
=== TEST 13: lshift, rshift
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a:lshift(2)))
ngx.say(tostring(a:rshift(2)))
}
}
--- request
GET /t
--- response_body eval
"94312659045332
5894541190333
"
--- no_error_log
[error]
=== TEST 14: comparasion
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn.new(97)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a == b))
ngx.say(tostring(a ~= b))
ngx.say(tostring(a >= b))
ngx.say(tostring(a > b))
ngx.say(tostring(a < b))
ngx.say(tostring(a <= b))
ngx.say("")
ngx.say(tostring(a == a))
ngx.say(tostring(a ~= a))
ngx.say(tostring(a >= a))
ngx.say(tostring(a > a))
ngx.say(tostring(a < a))
ngx.say(tostring(a <= a))
}
}
--- request
GET /t
--- response_body eval
"false
true
true
true
false
false
true
false
true
false
false
true
"
--- no_error_log
[error]
=== TEST 15: is_one, is_zero, is_odd, is_word
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
ngx.say(tostring(bn.new(0):is_zero()))
ngx.say(tostring(bn.new(1):is_zero()))
ngx.say(tostring(bn.new(0):is_one()))
ngx.say(tostring(bn.new(1):is_one()))
ngx.say(tostring(bn.new(0):is_odd()))
ngx.say(tostring(bn.new(1):is_odd()))
ngx.say(tostring(bn.new(0):is_word(0)))
ngx.say(tostring(bn.new(1):is_word(0)))
}
}
--- request
GET /t
--- response_body eval
"true
false
false
true
false
true
true
false
"
--- no_error_log
[error]
=== TEST 16: is_prime
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
ngx.say(tostring(bn.new(2):is_prime()))
ngx.say(tostring(bn.new(15):is_prime()))
ngx.say(tostring(bn
.from_hex('00d3277434ff7e3d410b3453a5cddc13e834fbdc19f38c580bc05b68dfa179afa4b6e6d34fe2bde9d90390046a86306bd022d4ed8187ccaa21808e189e7b803fd918b7782078f3be6bc8683d71d7d46cb134bc2a74dbe410d2bb068e45af95deef546f6970b83f9386e504b6fbefee6ae804fbf544e6b7cf82aacfff9472c6af07')
:is_prime()))
}
}
--- request
GET /t
--- response_body eval
"true
false
true
"
--- no_error_log
[error]
=== TEST 17: mod_add, mod_sub, mod_mul, mul_exp, mul_sqr mod
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.new(23578164761333)
if err then
ngx.log(ngx.ERR, err)
return
end
local b, err = bn.new(2478652)
if err then
ngx.log(ngx.ERR, err)
return
end
local m, err = bn.new(65537)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(a:mod_add(b, m)))
ngx.say(tostring(a:mod_sub(b, m)))
ngx.say(tostring(a:mod_mul(b, m)))
ngx.say(tostring(a:mod_exp(b, m)))
ngx.say(tostring(a:mod_sqr(b, m)))
ngx.say(tostring(a:mod_exp(b, 65537)))
ngx.say(tostring(bn.mod_exp(a, 2478652, m)))
}
}
--- request
GET /t
--- response_body eval
"49755
7726
27398
28353
1266433
28353
28353
"
--- no_error_log
[error]
=== TEST 18: generate_prime
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local bn = require("resty.openssl.bn")
local a, err = bn.generate_prime(10, false)
if err then
ngx.log(ngx.ERR, err)
return
end
if not a:is_prime() then
ngx.log(ngx.ERR, "not prime")
return
end
local a, err = bn.generate_prime(10, true)
if err then
ngx.log(ngx.ERR, err)
return
end
if not a:is_prime() then
ngx.log(ngx.ERR, "not prime")
return
end
ngx.say("ok")
}
}
--- request
GET /t
--- response_body eval
"ok
"
--- no_error_log
[error]
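Review bot: TEST 17's title names `mul_exp` and `mul_sqr` but the body calls `mod_exp` and `mod_sqr`, and `a:mod_sqr(b, m)` passes two arguments where the expected output (1266433, which is (a mod b)^2 mod b, i.e. 4593^2 mod 2478652) shows that `b` is taken as the modulus and `m` is silently ignored; if these tests are re-added, drop the extra argument and fix the title so the test says what it checks. Also in this hunk: TEST 1 expects `bn:to_binary failed` in the error log for a freshly created BIGNUM, which pins down an error path rather than a feature, and TEST 3 declares `BN_free` via `ffi.cdef` without ever calling it. Deleting the file removes the only coverage for `is_prime`, `generate_prime` and the modular arithmetic helpers.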
@ -1,517 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Creates cipher correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
is_encrypt = true,
}))
ngx.print(ngx.encode_base64(myassert(cipher:final('1'))))
}
}
--- request
GET /t
--- response_body eval
"VhGyRCcMvlAgUjTYrqiWpg=="
--- no_error_log
[error]
=== TEST 2: Rejects unknown cipher
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher, err = require("resty.openssl.cipher").new("aes257")
ngx.print(err)
}
}
--- request
GET /t
--- response_body_like eval
"cipher.new: invalid cipher type \"aes257\".*"
--- no_error_log
[error]
=== TEST 3: Unintialized ctx throw errors
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local s, err = cipher:update("1")
ngx.say(err)
local _, err = cipher:final("1")
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
"cipher:update: cipher not initalized, call cipher:init first
cipher:update: cipher not initalized, call cipher:init first
"
--- no_error_log
[error]
=== TEST 4: Encrypt
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1'))
ngx.print(ngx.encode_base64(s))
}
}
--- request
GET /t
--- response_body eval
"VhGyRCcMvlAgUjTYrqiWpg=="
--- no_error_log
[error]
=== TEST 5: Encrypt no padding
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local s, err = cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1', true)
ngx.say(s)
-- 1.x: data not multiple of block length
-- 3.0: wrong final block length
ngx.say(err)
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16),
'1' .. string.rep(string.char(15), 15), true))
ngx.print(ngx.encode_base64(s))
}
}
--- request
GET /t
--- response_body_like eval
"nil
.+(?:data not multiple of block length|wrong final block length|DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH)
VhGyRCcMvlAgUjTYrqiWpg=="
--- no_error_log
[error]
=== TEST 6: Decrypt
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg==")))
ngx.print(s)
}
}
--- request
GET /t
--- response_body eval
"1"
--- no_error_log
[error]
=== TEST 7: Decrypt no padding
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg=="), true))
ngx.print(s)
}
}
--- request
GET /t
--- response_body eval
"1\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}"
--- no_error_log
[error]
=== TEST 8: Encrypt streaming
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
is_encrypt = true,
}))
local sample = 'abcdefghi'
local count = 5
for i=1,count,1 do
local s = myassert(cipher:update(sample))
if s ~= "" then
ngx.say(ngx.encode_base64(s))
else
ngx.say("nothing")
end
end
local s = myassert(cipher:final(sample))
ngx.say("final")
ngx.say(ngx.encode_base64(s))
}
}
--- request
GET /t
--- response_body eval
"nothing
SEk81GpcHC9KoZfN14RrNg==
nothing
L2dVbLMhEigy917CJBXz7g==
nothing
final
dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=
"
--- no_error_log
[error]
=== TEST 9: Decrypt streaming
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
is_encrypt = false,
}))
local input = ngx.decode_base64('SEk81GpcHC9KoZfN14RrNg==') ..
ngx.decode_base64('L2dVbLMhEigy917CJBXz7g==') ..
ngx.decode_base64('dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=')
local count = 5 + 1
local len = (#input - #input % count) / count
for i=0,#input-len,len do
local s = myassert(cipher:update(string.sub(input, i+1, i+len)))
if s ~= "" then
ngx.say(s)
else
ngx.say("nothing")
end
end
-- this should throw error since we end in the middle
local s, err = cipher:final()
ngx.say(err)
ngx.say(s)
-- feed the last chunk of input
local s = myassert(cipher:final(string.sub(input, #input -#input % count + 1, #input)))
ngx.say("final")
ngx.say(s)
}
}
--- request
GET /t
--- response_body_like eval
"nothing
abcdefghiabcdefg
nothing
hiabcdefghiabcde
fghiabcdefghiabc
nothing
.+(wrong final block length|WRONG_FINAL_BLOCK_LENGTH)
nil
final
defghi
"
--- no_error_log
[error]
=== TEST 10: Derive key and iv
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
function string.tohex(str)
return (str:gsub('.', function (c)
return string.format('%02X', string.byte(c))
end))
end
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
-- openssl enc -aes-256-cbc -pass pass:xxx -S 797979 -P -md md5
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
ngx.say(key:tohex())
ngx.say(iv:tohex())
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-ecb"))
-- openssl enc -aes-256-ecb -pass pass:xxx -S 797979 -P -md md5
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
ngx.say(key:tohex())
ngx.say(iv:tohex() == "" and "no iv")
}
}
--- request
GET /t
--- response_body eval
"1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
FE91AF7782EDB48F32775BB2B72DD5ED
1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
no iv
"
--- no_error_log
[error]
=== TEST 11: Derive key and iv: salt, count and md is optional
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
function string.tohex(str)
return (str:gsub('.', function (c)
return string.format('%02X', string.byte(c))
end))
end
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
-- openssl enc -aes-256-cbc -pass pass:xxx -nosalt -P -md sha1
local key, iv = cipher:derive("xxx")
ngx.say(key:tohex())
ngx.say(iv:tohex())
}
}
--- request
GET /t
--- response_body eval
"B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140
20578C4FEF1AEE907B1DC95C776F8160
"
--- no_error_log
[error]
=== TEST 12: AEAD modes
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local myassert = require("helper").myassert
local key = string.rep("0", 32)
local iv = string.rep("0", 12)
local aad = "an aad"
local cipher = require("resty.openssl.cipher")
local enc = myassert(cipher.new("aes-256-gcm"))
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
local tag = myassert(enc:get_aead_tag())
local dec = myassert(cipher.new("aes-256-gcm"))
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
ngx.say(s)
local dec = myassert(cipher.new("aes-256-gcm"))
local r, err = dec:decrypt(key, iv, d, false, nil, tag)
ngx.say(r)
local dec = myassert(cipher.new("aes-256-gcm"))
local r, err = dec:decrypt(key, iv, d, false, aad, nil)
ngx.say(r)
}
}
--- request
GET /t
--- response_body eval
"secret
nil
nil
"
--- no_error_log
[error]
=== TEST 13: Returns provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("default")
ngx.exit(0)
end
local cipher = require("resty.openssl.cipher")
local c = myassert(cipher.new("aes256"))
ngx.say(myassert(c:get_provider_name()))
}
}
--- request
GET /t
--- response_body
default
--- no_error_log
[error]
=== TEST 14: Returns gettable, settable params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("-ivlen-\n-padding-")
ngx.exit(0)
end
local cipher = require("resty.openssl.cipher")
local c = myassert(cipher.new("aes256"))
ngx.say(require("cjson").encode(myassert(c:gettable_params())))
ngx.say(require("cjson").encode(myassert(c:settable_params())))
}
}
--- request
GET /t
--- response_body_like
.+ivlen.+
.+padding.+
--- no_error_log
[error]
=== TEST 15: Get params, set params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("secret\nsecret\nnil")
ngx.exit(0)
end
local myassert = require("helper").myassert
local key = string.rep("0", 32)
local iv = string.rep("0", 12)
local aad = "an aad"
local cipher = require("resty.openssl.cipher")
local enc = myassert(cipher.new("aes-256-gcm"))
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
local tag = myassert(enc:get_param("tag", 16))
local dec = myassert(cipher.new("aes-256-gcm"))
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
ngx.say(s)
local dec = myassert(cipher.new("aes-256-gcm"))
myassert(dec:init(key, iv))
myassert(dec:set_params({tag = tag}))
myassert(dec:update_aead_aad(aad))
local r, err = dec:final(d)
ngx.say(r)
local dec = myassert(cipher.new("aes-256-gcm"))
myassert(dec:init(key, iv))
myassert(dec:set_params({tag = "wrong tag"}))
myassert(dec:update_aead_aad(aad))
local r, err = dec:final(d)
ngx.say(r)
}
}
--- request
GET /t
--- response_body eval
"secret
secret
nil
"
--- no_error_log
[error]
=== TEST 16: Update with segements larger than 1024
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
is_encrypt = true,
}))
local count = 3
for i=1,count,1 do
local s = myassert(cipher:update(string.rep(tostring(i), 1024)))
if s ~= "" then
ngx.say(ngx.encode_base64(string.sub(s, -16)))
else
ngx.say("nothing")
end
end
local s = myassert(cipher:final(string.rep("a", 1024)))
ngx.say("final")
ngx.say(ngx.encode_base64(string.sub(s, -16)))
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
is_encrypt = true,
}))
local s = myassert(cipher:final(string.rep("1", 1024) ..
string.rep("2", 1024) ..
string.rep("3", 1024) ..
string.rep("a", 1024)))
ngx.say(ngx.encode_base64(string.sub(s, -16))) -- should be same as above
}
}
--- request
GET /t
--- response_body eval
"XZElJKMyKzuvbYNf4Y0hAw==
59Cw1+C6hHpfqsOn7PZ2Gw==
t6oGLYvnjihoi+7tPfyK/A==
final
QcpC0TXDxiOln2ENZ0aGDA==
QcpC0TXDxiOln2ENZ0aGDA==
"
--- no_error_log
[error]
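Review bot: TEST 12 and TEST 15 are the checks that an AES-256-GCM decrypt with missing AAD, a missing tag, or `tag = "wrong tag"` returns nil instead of plaintext; those are the regression tests most worth keeping when the file is deleted, so please confirm they exist elsewhere after the merge. Also visible in this hunk: TEST 3's expected output prints `cipher:update: cipher not initalized` for both `update` and `final`, so the library's `final` error carries the wrong prefix (and a typo) and the test enshrines it; if the tests are restored, fix the message and the expectation together.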
@ -1,96 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Can create a ctx in ngx.ctx
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.exit(0)
end
local ctx = require("resty.openssl.ctx")
myassert(ctx.new(true))
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 2: Can create a ctx in global namespace
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.exit(0)
end
local ctx = require("resty.openssl.ctx")
myassert(ctx.new())
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 3: Can free ctx in ngx.ctx
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.exit(0)
end
local ctx = require("resty.openssl.ctx")
myassert(ctx.new(true))
myassert(ctx.free(true))
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 4: Can free ctx in global namespace
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.exit(0)
end
local ctx = require("resty.openssl.ctx")
myassert(ctx.new())
myassert(ctx.free())
}
}
--- request
GET /t
--- no_error_log
[error]
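Review bot: all four ctx tests call `ngx.exit(0)` when `OPENSSL_3X` is false and carry no `--- response_body`, so on non-3.x builds they passed vacuously; deleting them still removes the only check that `ctx.new(true)`/`ctx.free(true)` (per-request) and `ctx.new()`/`ctx.free()` (global) succeed on OpenSSL 3. If the ctx module stays in the library, keep an equivalent test somewhere.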
@ -1,180 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Calculate digest correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local digest = myassert(require("resty.openssl.digest").new("sha256"))
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
ngx.print(ngx.encode_base64(myassert(digest:final())))
}
}
--- request
GET /t
--- response_body eval
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
--- no_error_log
[error]
=== TEST 2: Update accepts vardiac args
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local digest = myassert(require("resty.openssl.digest").new("sha256"))
myassert(digest:update("🦢", "🦢🦢", "🦢🦢", "🦢"))
ngx.print(ngx.encode_base64(myassert(digest:final())))
}
}
--- request
GET /t
--- response_body eval
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
--- no_error_log
[error]
=== TEST 3: Final accepts optional arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local digest = myassert(require("resty.openssl.digest").new("sha256"))
myassert(digest:update("🦢", "🦢🦢", "🦢🦢"))
ngx.print(ngx.encode_base64(myassert(digest:final("🦢"))))
}
}
--- request
GET /t
--- response_body eval
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
--- no_error_log
[error]
=== TEST 4: Rejects unknown hash
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local digest, err = require("resty.openssl.digest").new("sha257")
ngx.print(err)
}
}
--- request
GET /t
--- response_body_like eval
"digest.new: invalid digest type \"sha257\".*"
--- no_error_log
[error]
=== TEST 5: Can be reused
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local digest = myassert(require("resty.openssl.digest").new("sha256"))
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
ngx.say(ngx.encode_base64(myassert(digest:final())))
myassert(digest:reset())
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
ngx.say(ngx.encode_base64(myassert(digest:final())))
}
}
--- request
GET /t
--- response_body eval
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
"
--- no_error_log
[error]
=== TEST 6: Returns provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("default")
ngx.exit(0)
end
local digest = require("resty.openssl.digest")
local d = myassert(digest.new("sha256"))
ngx.say(myassert(d:get_provider_name()))
}
}
--- request
GET /t
--- response_body
default
--- no_error_log
[error]
=== TEST 7: Returns gettable, settable params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("{}\n-ssl3-ms-")
ngx.exit(0)
end
local digest = require("resty.openssl.digest")
local d = myassert(digest.new("md5-sha1"))
ngx.say(require("cjson").encode(myassert(d:gettable_params())))
ngx.say(require("cjson").encode(myassert(d:settable_params())))
}
}
--- request
GET /t
--- response_body_like
{}
.+ssl3-ms.+
--- no_error_log
[error]
=== TEST 8: Get params, set params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
-- no good example to test
ngx.say("skipped")
}
}
--- request
GET /t
--- response_body eval
"skipped
"
--- no_error_log
[error]
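Review bot: the coverage lost here is `digest:reset()` reuse (TEST 5), variadic `update` (TEST 2) and the optional argument to `final` (TEST 3), all asserting the same SHA-256 digest; TEST 8 was only a `ngx.say("skipped")` stub, so nothing is lost there. If the file comes back, fix the "vardiac" typo in TEST 2's title.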
@ -1,39 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
run_tests();
__DATA__
=== TEST 1: Don't cry if there's no error
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local format_error = require("resty.openssl.err").format_error
ngx.print(format_error("fake function"))
}
}
--- request
GET /t
--- response_body eval
"fake function failed"
--- no_error_log
[error]
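Review bot: this was the only test of `err.format_error` with an empty error queue (expected `"fake function failed"`); it is cheap to keep and documents the function's fallback output, so it should be retained or moved rather than dropped.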
@ -1,169 +0,0 @@
local pkey = require "resty.openssl.pkey"
local x509 = require "resty.openssl.x509"
local name = require "resty.openssl.x509.name"
local extension = require "resty.openssl.x509.extension"
local bn = require "resty.openssl.bn"
local digest = require "resty.openssl.digest"
local BORINGSSL = require "resty.openssl.version".BORINGSSL
local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X
local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name)
local key = pkey.new(key_opts or {
type = 'RSA',
bits = 1024,
})
local cert = x509.new()
cert:set_pubkey(key)
cert:set_version(3)
local now = os.time()
cert:set_not_before(now)
cert:set_not_after(now + 86400)
local nm = name.new()
for k, v in pairs(names or {}) do
assert(nm:add(k, v))
end
assert(cert:set_subject_name(nm))
assert(cert:set_issuer_name(issuing_name or nm))
assert(cert:set_basic_constraints { CA = is_ca })
assert(cert:set_basic_constraints_critical(true))
if not is_ca then
assert(cert:add_extension(extension.new("extendedKeyUsage",
"serverAuth,clientAuth")))
assert(cert:add_extension(assert(extension.new("subjectKeyIdentifier", "hash", {
subject = cert,
}))))
end
local dgst
if BORINGSSL then
dgst = digest.new("SHA256")
end
assert(cert:sign(signing_key or key, dgst))
return cert, key
end
local function to_hex(bin)
local hex, err = bn.from_binary(bin):to_hex()
if err then
error(err)
end
return hex:upper()
end
local function myassert(...)
local ret = {...}
local err = ret[#ret]
if #ret > 1 and err then
ngx.log(ngx.ERR, tostring(err))
ngx.exit(0)
end
return ...
end
-- https://github.com/openresty/lua-cjson/blob/461c7ef23a49062d4b1bf0e1afb3be294d007861/tests/sort_json.lua
-- NOTE: This will only work for simple tests. It doesn't parse strings so if
-- you put any symbols like {?[], inside of a string literal then it will break
-- The point of this function is to test basic structures, and not test JSON
-- strings
local function sort_callback(str)
local inside = str:sub(2, -2)
local parts = {}
local buffer = ""
local pos = 1
while true do
if pos > #inside then
break
end
local append
local parens = inside:match("^%b{}", pos)
if parens then
pos = pos + #parens
append = sort_callback(parens)
else
local array = inside:match("^%b[]", pos)
if array then
pos = pos + #array
append = array
else
local front = inside:sub(pos, pos)
pos = pos + 1
if front == "," then
table.insert(parts, buffer)
buffer = ""
else
append = front
end
end
end
if append then
buffer = buffer .. append
end
end
if buffer ~= "" then
table.insert(parts, buffer)
end
table.sort(parts)
return "{" .. table.concat(parts, ",") .. "}"
end
local function sort_json(str)
return (str:gsub("%b{}", sort_callback))
end
local function encode_sorted_json(tbl)
return sort_json(require("cjson").encode(tbl))
end
local function create_cert_chain(depth, key_opts)
local last_key, last_cn
local certs, keys = {}, {}
for i=1, depth do
local cn, issuer
if last_key then
cn = "lua-resty-openssl Test Cert leaf " .. i - 1
issuer = name.new()
assert(issuer:add("CN", last_cn))
else
cn = "lua-resty-openssl Test Cert Root CA"
end
last_cn = cn
local crt, key = create_self_signed(key_opts,
{ CN = cn }, i < depth, last_key, issuer)
certs[i] = crt
keys[i] = key
last_key = key
end
return certs, keys
end
return {
create_self_signed = create_self_signed,
to_hex = to_hex,
myassert = myassert,
encode_sorted_json = encode_sorted_json,
create_cert_chain = create_cert_chain,
}
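Review bot: Removing this helper module breaks any remaining test that still loads it through `lua_package_path "$pwd/t/openssl/?.lua;..."` and `_G.myassert = require("helper").myassert` in its `init_by_lua_block`, so the deletion is only consistent if the whole `t/openssl` tree goes in the same commit, as the neighbouring hunks suggest. Two points should it ever be restored: `myassert` logs the error and then calls `ngx.exit(0)`, so a failed assertion still produces a successful HTTP response and the test is only caught by the `--- no_error_log [error]` clause; and `create_self_signed` defaults to `bits = 1024` RSA, which OpenSSL rejects for TLS at security level 2 (the default on several distributions), so certificates from that default should not be reused in TLS-level tests.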


@ -1,118 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Calculate hmac correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
ngx.print(ngx.encode_base64(myassert(hmac:final())))
}
}
--- request
GET /t
--- response_body eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 2: Update accepts vardiac args
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
ngx.print(ngx.encode_base64(hmac:final()))
}
}
--- request
GET /t
--- response_body eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 3: Final accepts optional arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
myassert(hmac:update("🦢", "🦢🦢", "🦢🦢"))
ngx.print(ngx.encode_base64(myassert(hmac:final("🦢"))))
}
}
--- request
GET /t
--- response_body eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 4: Rejects unknown hash
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local hmac, err = require("resty.openssl.hmac").new("goose", "sha257")
ngx.print(err)
}
}
--- request
GET /t
--- response_body_like eval
"hmac.new:.+(?:invalid|unsupported).*"
--- no_error_log
[error]
=== TEST 5: Can be reused
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
ngx.say(ngx.encode_base64(myassert(hmac:final())))
myassert(hmac:reset())
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
ngx.say(ngx.encode_base64(myassert(hmac:final())))
}
}
--- request
GET /t
--- response_body eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
"
--- no_error_log
[error]
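Review bot: This deletion drops the regression cases for `hmac.new` rejecting an unknown digest (`TEST 4`, `sha257` must produce `hmac.new:.+(?:invalid|unsupported)`) and for `reset()` making an instance reusable with an identical tag (`TEST 5`), with no replacement visible; if the legacy `hmac` module is being retired in favour of `resty.openssl.mac`, say so in the commit message, otherwise keep these two. Nit if restored: `TEST 2` skips `myassert` around `update` and `final`, so an error return there reaches `ngx.encode_base64` as nil instead of surfacing as a readable assertion.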


@ -1,457 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: kdf: invalid args are checked
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local kdf = require("resty.openssl.kdf")
local key, err = kdf.derive({
})
ngx.say(err)
local key, err = kdf.derive({
type = "no",
})
ngx.say(err)
local key, err = kdf.derive({
type = kdf.PBKDF2,
})
ngx.say(err)
local key, err = kdf.derive({
type = kdf.PBKDF2,
outlen = 16,
pass = 123,
})
ngx.say(err)
local key, err = kdf.derive({
type = 19823718236128631,
outlen = 16,
pass = "123",
})
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"kdf.derive: \"type\" must be set
kdf.derive: expect a number as \"type\"
kdf.derive: \"outlen\" must be set
kdf.derive: except a string as \"pass\"
kdf.derive: unknown type 19823718236128632
"
--- no_error_log
[error]
=== TEST 2: PBKDF2
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.PBKDF2,
outlen = 16,
pass = "1234567",
pbkdf2_iter = 1000,
md = "md5",
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"cDRFLQ7NWt\\+AP4i0TdBzog=="
--- no_error_log
[error]
=== TEST 3: PBKDF2, optional args
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.PBKDF2,
outlen = 16,
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"HkN6HHnXW\\+YekRQdriCv/A=="
--- no_error_log
[error]
=== TEST 4: HKDF
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("aqRd+gO5Ok3YneDEormTcg==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.HKDF,
outlen = 16,
md = "md5",
salt = "salt",
hkdf_key = "secret",
hkdf_info = "some info",
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_AND_EXPAND,
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body eval
"aqRd+gO5Ok3YneDEormTcg=="
--- no_error_log
[error]
=== TEST 5: HKDF, optional arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.say("aggdq4eoqRiP0Z3GbpxCjg==")
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
ngx.exit(0)
end
local version_num = version.version_num
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.HKDF,
outlen = 16,
salt = "salt",
hkdf_key = "secret",
hkdf_info = "info",
}))
ngx.say(ngx.encode_base64(key))
if not version.OPENSSL_111_or_LATER then
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
ngx.exit(0)
end
local key = myassert(kdf.derive({
type = kdf.HKDF,
outlen = 16,
salt = "salt",
hkdf_key = "secret",
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_ONLY,
}))
ngx.say(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"aggdq4eoqRiP0Z3GbpxCjg==
W/tSxFnNsHIYwXa13eybYhW9W3Y=
"
--- no_error_log
[error]
=== TEST 6: TLS1-PRF
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("0xr8qthU+ypv2xRC90la8g==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.TLS1_PRF,
outlen = 16,
md = "md5",
tls1_prf_secret = "secret",
tls1_prf_seed = "seed",
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"0xr8qthU\\+ypv2xRC90la8g=="
--- no_error_log
[error]
=== TEST 7: TLS1-PRF, optional arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("XVVDK9/puTqBOsyTKt8PKQ==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.TLS1_PRF,
outlen = 16,
tls1_prf_secret = "secret",
tls1_prf_seed = "seed",
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"XVVDK9/puTqBOsyTKt8PKQ=="
--- no_error_log
[error]
=== TEST 8: scrypt
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("9giFtxace5sESmRb8qxuOw==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.SCRYPT,
outlen = 16,
pass = "1234567",
scrypt_N = 1024,
scrypt_r = 8,
scrypt_p = 16,
}))
ngx.print(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like eval
"9giFtxace5sESmRb8qxuOw=="
--- no_error_log
[error]
=== TEST 9: EVP_KDF API: new
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah')
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
myassert(kdf.new("PBKDF2"))
local ok, err = kdf.new("UNKNOWNKDF")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
".+invalid mac type \"UNKNOWNKDF\".+
"
--- no_error_log
[error]
=== TEST 10: EVP_KDF API: Returns provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("default")
ngx.exit(0)
end
local cipher = require("resty.openssl.kdf")
local c = myassert(cipher.new("hkdf"))
ngx.say(myassert(c:get_provider_name()))
}
}
--- request
GET /t
--- response_body
default
--- no_error_log
[error]
=== TEST 11: EVP_KDF API: derive
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local k = myassert(kdf.new("PBKDF2"))
local key = myassert(k:derive(16, {
pass = "1234567",
iter = 1000,
digest = "md5",
salt = "",
}))
ngx.say(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body
cDRFLQ7NWt+AP4i0TdBzog==
--- no_error_log
[error]
=== TEST 12: EVP_KDF API: Returns gettable, settable params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("-size-\n-digest-")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local k = myassert(kdf.new("PBKDF2"))
ngx.say(require("cjson").encode(myassert(k:gettable_params())))
ngx.say(require("cjson").encode(myassert(k:settable_params())))
}
}
--- request
GET /t
--- response_body_like
.+size.+
.+digest.+
--- no_error_log
[error]
=== TEST 13: EVP_KDF API: Get params, set params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==\n18446744073709551615")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local k = myassert(kdf.new("PBKDF2"))
myassert(k:set_params({
iter = 1000,
digest = "md5",
salt = "",
}))
local key = myassert(k:derive(16, {
pass = "1234567",
}))
ngx.say(ngx.encode_base64(key))
-- output SIZE_MAX since it's not fixed size, need to find a better test case
ngx.say(tostring(k:get_param("size", nil, "bn")))
}
}
--- request
GET /t
--- response_body
cDRFLQ7NWt+AP4i0TdBzog==
18446744073709551615
--- no_error_log
[error]
=== TEST 14: EVP_KDF API: reset
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("-missing salt\ncDRFLQ7NWt+AP4i0TdBzog==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local k = myassert(kdf.new("PBKDF2"))
myassert(k:set_params({
iter = 1000,
digest = "md5",
salt = "",
}))
myassert(k:reset())
local ok, err = k:derive(16, {
pass = "1234567",
})
ngx.say(err)
myassert(k:set_params({
iter = 100,
digest = "md5",
salt = "",
}))
local key = myassert(k:derive(16, {
iter = 1000,
pass = "1234567",
}))
ngx.say(ngx.encode_base64(key))
}
}
--- request
GET /t
--- response_body_like
.+missing salt
cDRFLQ7NWt\+AP4i0TdBzog==
--- no_error_log
[error]
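Review bot: Dropping this file removes the only argument-validation test for `kdf.derive` (`TEST 1`) and the fixed PBKDF2, HKDF, TLS1-PRF and scrypt output vectors (`TEST 2` to `TEST 8`), which are what would catch a silent change in derived key material; keep them unless the `kdf` module is removed as well. If restored, two expectations in `TEST 1` are fragile and should be fixed on both sides: the expected message `except a string as \"pass\"` encodes a typo of `expect` in the library, and the `unknown type 19823718236128632` line only matches because the input `19823718236128631` exceeds the 2^53 exact-integer range of a Lua double and rounds to the next multiple of 4.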


@ -1,188 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Calculate mac correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
ngx.exit(0)
end
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
myassert(mac:update("🦢🦢🦢🦢🦢🦢"))
ngx.print(ngx.encode_base64(myassert(mac:final())))
}
}
--- request
GET /t
--- response_body_like eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 2: Update accepts vardiac args
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
ngx.exit(0)
end
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
mac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
ngx.print(ngx.encode_base64(mac:final()))
}
}
--- request
GET /t
--- response_body_like eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 3: Final accepts optional arg
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
ngx.exit(0)
end
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
myassert(mac:update("🦢", "🦢🦢", "🦢🦢"))
ngx.print(ngx.encode_base64(myassert(mac:final("🦢"))))
}
}
--- request
GET /t
--- response_body_like eval
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
--- no_error_log
[error]
=== TEST 4: Rejects unknown hash
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("mac.new: invalid cipher or digest type")
ngx.exit(0)
end
local mac, err = require("resty.openssl.mac").new("goose", "HMAC", nil, "sha257")
ngx.print(err)
}
}
--- request
GET /t
--- response_body_like eval
"mac.new: invalid cipher or digest type.*"
--- no_error_log
[error]
=== TEST 5: Returns provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("default")
ngx.exit(0)
end
local mac = require("resty.openssl.mac")
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
ngx.say(myassert(m:get_provider_name()))
}
}
--- request
GET /t
--- response_body
default
--- no_error_log
[error]
=== TEST 6: Returns gettable, settable params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("-size-\n-digest-")
ngx.exit(0)
end
local mac = require("resty.openssl.mac")
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
ngx.say(require("cjson").encode(myassert(m:gettable_params())))
ngx.say(require("cjson").encode(myassert(m:settable_params())))
}
}
--- request
GET /t
--- response_body_like
.+size.+
.+digest.+
--- no_error_log
[error]
=== TEST 7: Get params, set params
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("true\n32")
ngx.exit(0)
end
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
local s1 = myassert(mac:final("🦢"))
local mac = myassert(require("resty.openssl.mac").new("notthiskey", "HMAC", nil, "sha256"))
myassert(mac:set_params({key = "goose"}))
local s2 = myassert(mac:final("🦢"))
ngx.say(s1 == s2)
ngx.say(myassert(mac:get_param("size")))
}
}
--- request
GET /t
--- response_body eval
"true
32
"
--- no_error_log
[error]
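Review bot: With this file gone, the OpenSSL 3 EVP_MAC path (`resty.openssl.mac`) loses its check that a key supplied via `set_params({key = "goose"})` yields the same tag as a key passed to `new` (`TEST 7`) and that an unknown digest is rejected (`TEST 4`); since the `hmac` tests are deleted in the same merge, no MAC computation remains under test at all, which deserves a sentence in the commit message if intended.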


@ -1,81 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
run_tests();
__DATA__
=== TEST 1: Convert nid to table
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local o = require("resty.openssl.objects")
ngx.print(encode_sorted_json(o.nid2table(87)))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}'
--- no_error_log
[error]
=== TEST 2: Convert txt to nid
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local o = require("resty.openssl.objects")
local t = {
ln = "X509v3 Basic Constraints",
sn = "basicConstraints",
id = "2.5.29.19"
}
local r = {}
for k, v in pairs(t) do
r[k] = o.txt2nid(v)
end
ngx.print(encode_sorted_json(r))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":87,"ln":87,"sn":87}'
--- no_error_log
[error]
=== TEST 3: Convert sigid to nid
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local o = require("resty.openssl.objects")
ngx.print(o.find_sigid_algs(795)) -- ecdsa-with-SHA384
}
}
--- request
GET /t
--- response_body eval
673
--- no_error_log
[error]
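Review bot: Deleting this file removes the NID/OID round-trip checks (`nid2table(87)` for `basicConstraints`, `txt2nid` on the three spellings, and `find_sigid_algs(795)` giving `673`); they are cheap and catch a build against an OpenSSL whose object table differs, so keep them unless the `objects` module goes too. Minor, if restored: `TEST 1` and `TEST 2` use `--- response_body_like eval` against an unescaped JSON string, so the dots in `2.5.29.19` match any character; `--- response_body eval` would give an exact comparison.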


@ -1,38 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
run_tests();
__DATA__
=== TEST 1: Construct
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
ngx.say("TODO")
}
}
--- request
GET /t
--- response_body
TODO
--- no_error_log
[error]
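Review bot: No coverage is lost here: the only test in this file prints and expects the placeholder `TODO`, and the `_G.encode_sorted_json` set up in `init_by_lua_block` is never used, so dropping the file is fine.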


@ -1,262 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
run_tests();
__DATA__
=== TEST 1: Loads password protected pkcs12
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
local r = myassert(pkcs12.decode(pp, "badssl.com"))
ngx.say(r.key:get_parameters().d:to_hex():upper())
ngx.say(r.cert:get_serial_number():to_hex():upper())
}
}
--- request
GET /t
--- response_body
55107FB7D6FD8A099E4E5CF24291CF20CBD4BB7B93A66EF8D89996A5C49EEB51405E6843CC89CD74B9C87DB9DBDE9E38923E02A32E4F6F32A59B4D6C6CDC40E0192204F135C9E9F527FD9E53F2C9E90B8D8D18E8F5DAC57D1EF95163D0DF1BBDB89850636AE870B20B5E6BF2EBD1651BE79B4E187C48F6D332D35A4C531BE3B027A64D85AD6F7EAF33ECC1B9253B196CFD20EDEFCBAC46F7C08EC966EF721D0533AB6DC785F86998B37FD25F3D60BB4E692F1636AE10BCA62065AA70FF41B5C16A165B8636FD4A40C59F6B72A4C1592A424820A0C968E23613DB48959F7BFF49D9B71A9C84CB72F08B94F586007CB5C29A3D8811F9EF2ED2FBB612DF28BB9601
2B936CE32D82CE8B01FD9A0595AC6366AA014C82
--- no_error_log
[error]
=== TEST 2: Errors on bad password
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
local r, err = pkcs12.decode(pp, "wrong password")
ngx.say(r == nil)
ngx.say(err)
local r, err = pkcs12.decode(pp)
ngx.say(r == nil)
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
'true
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
true
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
'
--- no_error_log
[error]
=== TEST 3: Creates pkcs12
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
local x509 = require("resty.openssl.x509")
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
-- full house
local r = myassert(pkcs12.encode({
friendly_name = "myname",
key = key,
cert = cert,
cacerts = { ca1, ca2 }
}, "test-pkcs12"))
ngx.say(#r)
-- no name
local r = myassert(pkcs12.encode({
key = key,
cert = cert,
cacerts = { ca1, ca2 }
}, "test-pkcs12"))
ngx.say(#r)
-- no CA
local r = myassert(pkcs12.encode({
key = key,
cert = cert,
}, "test-pkcs12"))
ngx.say(#r)
-- empty password
local r = myassert(pkcs12.encode({
key = key,
cert = cert,
}))
ngx.say(#r)
}
}
--- request
GET /t
--- response_body_like eval
'\d{3,4}
\d{3,4}
\d{3,4}
\d{3,4}
'
--- no_error_log
[error]
=== TEST 4: Uses empty string password when omitted
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
local x509 = require("resty.openssl.x509")
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
local p12 = myassert(pkcs12.encode({
friendly_name = "myname",
key = key,
cert = cert,
cacerts = { ca1, ca2 },
}))
local r = myassert(pkcs12.decode(p12, nil))
ngx.say(#r.key:get_parameters().x:to_hex():upper())
ngx.say(r.cert:get_serial_number():to_hex():upper())
ngx.say(#r.cacerts)
ngx.say(r.friendly_name)
-- same as empty string
local r = myassert(pkcs12.decode(p12, ""))
-- password mismatch
local r, err = pkcs12.decode(p12, "extrapassword")
ngx.say(r == nil)
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
'6\d
0
2
myname
true
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
'
--- no_error_log
[error]
=== TEST 5: Check cert and key mismatch
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
local key2 = require("resty.openssl.pkey").new({ type = 'EC', curve = "prime256v1" })
local r, err = pkcs12.encode({
friendly_name = "myname",
key = key2,
cert = cert,
cacerts = { ca1, ca2 }
}, "test-pkcs12")
ngx.say(r == nil, err)
}
}
--- request
GET /t
--- response_body_like eval
'true.+(key values mismatch|KEY_VALUES_MISMATCH)
'
--- no_error_log
[error]
=== TEST 6: Creates pkcs12 with newer algorithm
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("2333")
ngx.exit(0)
end
-- don't load the legacy provider for this test
-- by default nid_key is RC2 and is moved to legacy provider in 3.0
local pkcs12 = require "resty.openssl.pkcs12"
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
local x509 = require("resty.openssl.x509")
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
local r = myassert(pkcs12.encode({
friendly_name = "myname",
key = key,
cert = cert,
cacerts = { ca1, ca2 },
nid_key = "aes-128-cbc",
nid_cert = "aes-128-cbc",
mac_iter = 2000,
}, "test-pkcs12"))
ngx.say(#r)
}
}
--- request
GET /t
--- response_body_like eval
'\d{3,4}
'
--- no_error_log
[error]
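Review bot: Losing this file removes the checks that a wrong or omitted PKCS#12 password fails MAC verification (`TEST 2`, `TEST 4`, expecting `mac verify failure|INCORRECT_PASSWORD`) and that `pkcs12.encode` refuses a private key that does not match the certificate (`TEST 5`); those are the security-relevant behaviours of the module and should stay under test unless the module is removed too. If restored, `TEST 5` references `ca1` and `ca2` without defining them in its block, so `cacerts = { ca1, ca2 }` is silently an empty table; define them as `TEST 3` does or drop the field, and note that the `legacy` provider is loaded only because the default `nid_key` is RC2 on OpenSSL 3, as the comment in `TEST 6` explains.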

File diff suppressed because it is too large


@ -1,141 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
run_tests();
__DATA__
=== TEST 1: Loads default and legacy provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("true\nnil\ntrue\nfalse\nnil\ntrue")
ngx.exit(0)
end
local pro = require "resty.openssl.provider"
for _, n in ipairs({"default", "legacy"}) do
local avail, err = pro.is_available(n)
ngx.say(avail)
local p, err = pro.load(n)
ngx.say(err)
-- after load it's available
local avail, err = pro.is_available(n)
ngx.say(avail)
myassert(p:unload())
end
}
}
--- request
GET /t
--- response_body
true
nil
true
false
nil
true
--- no_error_log
[error]
=== TEST 2: Self test default and legacy provider
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("nil\ntrue\nnil\ntrue")
ngx.exit(0)
end
local pro = require "resty.openssl.provider"
for _, n in ipairs({"default", "legacy"}) do
local p, err = pro.load(n)
ngx.say(err)
-- after load it's available
local ok, err = p:self_test(n)
ngx.say(ok)
myassert(p:unload())
end
}
}
--- request
GET /t
--- response_body
nil
true
nil
true
--- no_error_log
[error]
=== TEST 3: Set default search path
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say("true\ncommon libcrypto routines::init fail")
ngx.exit(0)
end
local pro = require "resty.openssl.provider"
pro.set_default_search_path("/tmp")
local ok, err = pro.load("legacy")
ngx.say(ok == nil)
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like
true
.+(?:init fail|common libcrypto routines::reason\(524325\))
--- no_error_log
[error]
=== TEST 4: Get parameters
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_3X then
ngx.say('{"buildinfo":"3.0.0-alpha7","name":"OpenSSL Default Provider","status":1,"version":"3.0.0"}')
ngx.exit(0)
end
local pro = require "resty.openssl.provider"
local p = myassert(pro.load("default"))
local a = assert(p:get_params("name", "version", "buildinfo", "status"))
ngx.say(encode_sorted_json(a))
}
}
--- request
GET /t
--- response_body_like
{"buildinfo":"3.+","name":"OpenSSL Default Provider","status":1,"version":"3.+"}
--- no_error_log
[error]
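Review bot: `TEST 3` calls `pro.set_default_search_path("/tmp")` and expects the `legacy` load to fail; on a shared CI host a `legacy.so` dropped into the world-writable `/tmp` would instead be loaded into the nginx worker, turning the test into a way to run untrusted code and failing it with a confusing message. If this file is restored, point the search path at a freshly created empty directory owned by the test run rather than `/tmp`. Deleting the file also leaves OpenSSL 3 provider loading, `self_test` and `get_params` (`TEST 1`, `TEST 2`, `TEST 4`) without coverage.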


@ -1,80 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
run_tests();
__DATA__
=== TEST 1: Geneartes random bytes
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local rand = require("resty.openssl.rand")
local b, err = rand.bytes(233)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(#b)
local b2, err = rand.bytes(233)
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(#b2)
ngx.say(b == b2)
}
}
--- request
GET /t
--- response_body eval
"233
233
false
"
--- no_error_log
[error]
=== TEST 2: Rejects invalid arguments
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local rand = require("resty.openssl.rand")
local b, err = rand.bytes()
ngx.say(err)
local b, err = rand.bytes(true)
ngx.say(err)
local b, err = rand.bytes({})
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
"rand.bytes: expect a number at #1
rand.bytes: expect a number at #1
rand.bytes: expect a number at #1
"
--- no_error_log
[error]
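Review bot: Dropping this file leaves `rand.bytes` without a test that a missing or non-number argument is rejected (`TEST 2`, expecting `rand.bytes: expect a number at #1`) or that two 233-byte draws differ (`TEST 1`); both are cheap, so keep them unless the `rand` module goes with them. Nit should it return: the `TEST 1` title reads `Geneartes` rather than `Generates`.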


@ -1,281 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
repeat_each(2);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
add_block_preprocessor(sub {
my ($block) = @_;
my $name = $block->name;
my $http_config = $block->http_config;
if (defined $http_config ) {
my $new_http_config = <<_EOC_;
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
ssl_certificate $pwd/t/fixtures/test.crt;
ssl_certificate_key $pwd/t/fixtures/test.key;
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
$http_config
_EOC_
$block->set_value("http_config", $new_http_config);
}
});
our $ClientContentBy = qq{
};
no_long_string();
env_to_nginx("CI_SKIP_NGINX_C");
run_tests();
__DATA__
=== TEST 1: SSL (client) get peer certificate
--- http_config
server {
listen unix:/tmp/nginx-c1.sock ssl;
server_name test.com;
}
--- config
location /t {
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-c1.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
local crt = myassert(sess:get_peer_certificate())
ngx.say(myassert(crt:get_subject_name():tostring()))
}
}
--- request
GET /t
--- response_body
CN=test.com
--- no_error_log
[error]
[emerg]
=== TEST 2: SSL (client) get peer cert chain
--- http_config
server {
listen unix:/tmp/nginx-c2.sock ssl;
server_name test.com;
}
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-c2.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
local chain = myassert(sess:get_peer_cert_chain())
ngx.say(#chain)
local crt = chain[1]
ngx.say(myassert(crt:get_subject_name():tostring()))
}
}
--- request
GET /t
--- response_body
1
CN=test.com
--- no_error_log
[error]
[emerg]
=== TEST 3: SSL (client) set cipher suites [skipped]
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
}
}
--- request
GET /t
--- skip_nginx
2: < 9.9.9
--- response_body
--- no_error_log
[error]
[emerg]
=== TEST 4: SSL (client) get ciphers
--- http_config
server {
listen unix:/tmp/nginx-c4.sock ssl;
server_name test.com;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
}
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-c4.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
ngx.say(myassert(sess:get_ciphers()))
local cipher = myassert(sess:get_cipher_name())
ngx.say(cipher)
}
}
--- request
GET /t
--- response_body_like
.*ECDHE-RSA-AES256-GCM-SHA384.*
ECDHE-RSA-AES256-GCM-SHA384
--- no_error_log
[error]
[emerg]
=== TEST 5: SSL (client) get/set timeout
--- http_config
server {
listen unix:/tmp/nginx-c5.sock ssl;
server_name test.com;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
}
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-c5.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
ngx.say(myassert(sess:get_timeout()))
myassert(sess:set_timeout(15))
ngx.say(myassert(sess:get_timeout()))
}
}
--- request
GET /t
--- response_body_like
\d+
15
--- no_error_log
[error]
[emerg]
=== TEST 6: SSL (client) set_verify and add_client_ca [skipped]
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
}
}
--- request
GET /t
--- skip_nginx
2: < 9.9.9
--- response_body
--- no_error_log
[error]
[emerg]
=== TEST 7: SSL (client) set/get/clear options
--- http_config
server {
listen unix:/tmp/nginx-c7.sock ssl;
server_name test.com;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
}
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-c7.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
local orig_options = myassert(sess:get_options())
ngx.say(orig_options)
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
myassert(sess:set_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
myassert(sess:clear_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
local new_options = myassert(sess:get_options())
if new_options ~= orig_options then
ngx.say("options not correct after clear: " ..
require("cjson").encode(myassert(sess:get_options(true))))
else
ngx.say("ok")
end
}
}
--- request
GET /t
--- response_body_like
\d+
\[".+"\]
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_NO_QUERY_MTU.+SSL_OP_PRIORITIZE_CHACHA.+
ok
--- no_error_log
[error]
[emerg]
=== TEST 8: SSL (client) set_protocols [skipped]
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
}
}
--- request
GET /t
--- skip_nginx
2: < 9.9.9
--- response_body
--- no_error_log
[error]
[emerg]
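Review bot: this removes the whole client-side ssl test file, but only TESTs 3, 6 and 8 are dead weight (an empty content_by_lua_block plus `--- skip_nginx` / `2: < 9.9.9`, which never runs). TESTs 1, 2, 4, 5 and 7 exercise ssl.from_socket, get_peer_certificate, get_peer_cert_chain, get_ciphers/get_cipher_name, get/set_timeout and set/clear_options against a real TLS listener and are the only coverage shown for those calls. If the intent is to prune placeholders, delete just the three skipped tests; if the whole suite is being dropped, say so in the commit message. One caveat for anyone re-homing TEST 1 and 2: `sock:sslhandshake(nil, "test.com")` omits the ssl_verify argument, so the peer certificate is never verified and the `CN=test.com` expectation is the only guard on what get_peer_certificate returns.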

View File

@ -1,97 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
repeat_each(2);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
add_block_preprocessor(sub {
my ($block) = @_;
my $name = $block->name;
my $http_config = $block->http_config;
if (defined $http_config ) {
my $new_http_config = <<_EOC_;
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
ssl_certificate $pwd/t/fixtures/test.crt;
ssl_certificate_key $pwd/t/fixtures/test.key;
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
$http_config
_EOC_
$block->set_value("http_config", $new_http_config);
}
});
our $ClientContentBy = qq{
};
no_long_string();
env_to_nginx("CI_SKIP_NGINX_C");
run_tests();
__DATA__
=== TEST 1: SSL (server) get peer certificate
--- http_config
server {
listen unix:/tmp/nginx-sctx1.sock ssl;
server_name test.com;
ssl_certificate_by_lua_block {
local ssl_ctx = require "resty.openssl.ssl_ctx"
local sc = assert(ssl_ctx.from_request())
assert(sc:set_alpns({"h4"}))
}
}
--- config
location /t {
content_by_lua_block {
local ngx_pipe = require "ngx.pipe"
local opts = {
merge_stderr = true,
buffer_size = 256000,
}
local proc = ngx_pipe.spawn({'bash', '-c', "echo q | openssl s_client -unix /tmp/nginx-sctx1.sock -alpn h4 && sleep 0.1"}, opts)
local data, err, partial = proc:stdout_read_all()
if ngx.re.match(data, "ALPN protocol: h4") then
ngx.say("ok")
else
ngx.say(data)
end
}
}
--- request
GET /t
--- response_body
ok
--- no_error_log
[error]
[emerg]
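Review bot: the test title `SSL (server) get peer certificate` does not match the body, which exercises ssl_ctx.from_request and set_alpns({"h4"}) by spawning `openssl s_client -alpn h4` through ngx.pipe and grepping its output for `ALPN protocol: h4`; if this file is restored anywhere, retitle it along the lines of `SSL_CTX (server) set_alpns`. The test also depends on an external openssl binary and on `sleep 0.1` to keep the pipe open long enough to read s_client's output, which makes it timing-sensitive, and it uses plain assert where every other test in these files goes through the myassert helper the preprocessor installs.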

View File

@ -1,375 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
repeat_each(2);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
add_block_preprocessor(sub {
my ($block) = @_;
my $name = $block->name;
my $http_config = $block->http_config;
if (defined $http_config ) {
my $new_http_config = <<_EOC_;
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
ssl_certificate $pwd/t/fixtures/test.crt;
ssl_certificate_key $pwd/t/fixtures/test.key;
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
$http_config
_EOC_
$block->set_value("http_config", $new_http_config);
}
});
our $ClientContentBy = qq{
};
no_long_string();
env_to_nginx("CI_SKIP_NGINX_C");
run_tests();
__DATA__
=== TEST 1: SSL (server) get peer certificate
--- http_config
server {
listen unix:/tmp/nginx-s1.sock ssl;
server_name test.com;
ssl_certificate_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
}
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
local crt = myassert(sess:get_peer_certificate())
ngx.say(myassert(crt:get_subject_name():tostring()))
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s1.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
proxy_ssl_certificate ../../../t/fixtures/test.crt;
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
}
--- request
GET /t
--- response_body
CN=test.com
--- no_error_log
[error]
[emerg]
=== TEST 2: SSL (server) get peer cert chain
--- http_config
server {
listen unix:/tmp/nginx-s2.sock ssl;
server_name test.com;
ssl_certificate_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
}
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
local ciphers = myassert(sess:get_ciphers())
local chain = myassert(sess:get_peer_cert_chain())
ngx.say(#chain)
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s2.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
proxy_ssl_certificate ../../../t/fixtures/test.crt;
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
}
--- request
GET /t
--- response_body
0
--- no_error_log
[error]
[emerg]
=== TEST 3: SSL (server) set cipher suites (TLSv1.3 set_ciphersuites not tested)
--- http_config
server {
listen unix:/tmp/nginx-s3.sock ssl;
server_name test.com;
ssl_ciphers ECDHE-RSA-AES128-SHA;
ssl_certificate_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
myassert(sess:set_cipher_list("ECDHE-RSA-AES256-SHA"))
}
location /t {
content_by_lua_block {
ngx.say("ok")
}
}
}
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
local sock = ngx.socket.tcp()
myassert(sock:connect("unix:/tmp/nginx-s3.sock"))
myassert(sock:sslhandshake(nil, "test.com"))
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_socket(sock))
ngx.say(myassert(sess:get_ciphers()))
local cipher = myassert(sess:get_cipher_name())
ngx.say(cipher)
}
}
--- request
GET /t
--- response_body_like
.*ECDHE-RSA-AES256-SHA.*
ECDHE-RSA-AES256-SHA$
--- no_error_log
[error]
[emerg]
=== TEST 4: SSL (server) get ciphers
--- http_config
server {
listen unix:/tmp/nginx-s4.sock ssl;
server_name test.com;
ssl_ciphers ECDHE-RSA-AES128-SHA;
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
local ciphers = myassert(sess:get_ciphers())
ngx.say(ciphers)
local cipher = myassert(sess:get_cipher_name())
ngx.say(cipher)
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s4.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
}
--- request
GET /t
--- response_body_like
.*ECDHE-RSA-AES128-SHA.*
ECDHE-RSA-AES128-SHA$
--- no_error_log
[error]
[emerg]
=== TEST 5: SSL (server) get/set timeout
--- http_config
server {
listen unix:/tmp/nginx-s5.sock ssl;
server_name test.com;
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
ngx.say(myassert(sess:get_timeout()))
myassert(sess:set_timeout(15))
ngx.say(myassert(sess:get_timeout()))
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s5.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
}
--- request
GET /t
--- response_body_like
\d+
15
--- no_error_log
[error]
[emerg]
=== TEST 6: SSL (server) set_verify and add_client_ca [tested in get_peer_cert]
--- config
location /t {
default_type 'text/plain';
content_by_lua_block {
}
}
--- request
GET /t
--- skip_nginx
2: < 9.9.9
--- response_body
--- no_error_log
[error]
[emerg]
=== TEST 7: SSL (server) get/set/clear options
--- http_config
server {
listen unix:/tmp/nginx-s7.sock ssl;
server_name test.com;
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
local orig_options = myassert(sess:get_options())
ngx.say(orig_options)
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
myassert(sess:set_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
myassert(sess:clear_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
local new_options = myassert(sess:get_options())
if new_options ~= orig_options then
ngx.say("options not correct after clear: " ..
require("cjson").encode(myassert(sess:get_options(true))))
else
ngx.say("ok")
end
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s7.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
}
--- request
GET /t
--- response_body_like
\d+
\[".+"\]
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_CIPHER_SERVER_PREFERENCE.+SSL_OP_NO_QUERY_MTU.+
ok
--- no_error_log
[error]
[emerg]
=== TEST 8: SSL (server) set_protocols [skipped; need clienthello_by]
--- http_config
server {
listen unix:/tmp/nginx-s8.sock ssl;
server_name test.com;
ssl_protocols TLSv1.3;
ssl_certificate_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
myassert(sess:set_protocols("TLSv1.2"))
}
location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())
ngx.say("ok")
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s8.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
proxy_ssl_protocols TLSv1.2;
# valgrind be happy
proxy_ssl_session_reuse off;
}
--- request
GET /t
--- response_body_like
ok
--- no_error_log
[error]
[emerg]
--- skip_nginx
2: < 9.9.9
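Review bot: TEST 8 is marked `[skipped; need clienthello_by]` yet still carries a full server block with `ssl_protocols TLSv1.3`, a `set_protocols("TLSv1.2")` call inside ssl_certificate_by_lua_block and a client pinned to `proxy_ssl_protocols TLSv1.2`; as the title itself admits, the protocol version is already negotiated by the time ssl_certificate_by_lua runs, so un-skipping this test as written would fail the handshake rather than prove set_protocols works. TEST 2 also leaves `local ciphers = myassert(sess:get_ciphers())` unused. Both are worth fixing if these server-side tests are re-homed instead of deleted, since TESTs 1 to 5 and 7 are the only visible coverage of set_verify(SSL_VERIFY_PEER), server-side get_peer_cert_chain (expected length 0 here, since OpenSSL does not include the peer's own certificate in the chain returned on the server side), set_cipher_list and set/clear_options.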

View File

@ -1,56 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
}
};
run_tests();
__DATA__
=== TEST 1: Prints version text properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
ngx.say(version.version_text)
}
}
--- request
GET /t
--- response_body_like
(OpenSSL \d.\d.\d.+|BoringSSL)
--- no_error_log
[error]
=== TEST 2: Prints version text using version()
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
ngx.say(version.version(version.VERSION))
ngx.say(version.version(version.CFLAGS))
}
}
--- request
GET /t
--- response_body_like
(OpenSSL \d.\d.\d.+|BoringSSL)
compiler:.+
--- no_error_log
[error]
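Review bot: low-risk deletion, but if the version tests are restored anywhere, escape the dots in `(OpenSSL \d.\d.\d.+|BoringSSL)`: as written `\d.\d.\d` matches any three digits separated by arbitrary characters, so the check does not actually pin the `major.minor.patch` shape it appears to expect; `OpenSSL \d+\.\d+\.\d+` would.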

View File

@ -1,988 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
no_long_string();
run_tests();
__DATA__
=== TEST 1: Loads a cert
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
ngx.say("ok")
}
}
--- request
GET /t
--- response_body eval
"ok
"
--- no_error_log
[error]
=== TEST 2: Converts and loads PEM format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local pem = myassert(c:tostring("PEM"))
for _, typ in ipairs({"PEM", "*", false}) do
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
end
local c2, err = require("resty.openssl.x509").new(pem, "DER")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
--- no_error_log
[error]
=== TEST 3: Converts and loads DER format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local pem = myassert(c:tostring("DER"))
for _, typ in ipairs({"DER", "*", false}) do
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
end
local c2, err = require("resty.openssl.x509").new(pem, "PEM")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.new.+(no start line|NO_START_LINE).+"
--- no_error_log
[error]
=== TEST 4: Rejectes invalid cert
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local x509 = require("resty.openssl.x509")
local p, err = x509.new(true)
ngx.say(err)
p, err = x509.new("222")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"expect nil or a string at #1
x509.new: .*(not enough data|NOT_ENOUGH_DATA)
"
--- no_error_log
[error]
=== TEST 5: Calculates cert digest
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local dd = myassert(c:digest())
local h = string.upper(myassert(require("helper").to_hex(dd)))
ngx.say(h)
}
}
--- request
GET /t
--- response_body eval
"B1BC968BD4F49D622AA89A81F2150152A41D829C
"
--- no_error_log
[error]
=== TEST 6: Calculates pubkey digest
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local dd = myassert(c:pubkey_digest())
local h, err = string.upper(require("helper").to_hex(dd))
ngx.say(h)
}
}
--- request
GET /t
--- response_body eval
"607B661A450D97CA89502F7D04CD34A8FFFCFD4B
"
--- no_error_log
[error]
=== TEST 7: Gets extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c, err = require("resty.openssl.x509").new(f)
local ext, pos = c:get_extension("X509v3 Extended Key Usage")
ngx.say(pos)
ngx.say(tostring(ext))
}
}
--- request
GET /t
--- response_body eval
"5
TLS Web Server Authentication, TLS Web Client Authentication
"
--- no_error_log
[error]
=== TEST 8: Adds extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local c, err = require("resty.openssl.x509").new()
local ext = myassert(require("resty.openssl.x509.extension").new(
"extendedKeyUsage", "TLS Web Server Authentication"
))
local ok = myassert(c:add_extension(ext))
local ext, _ = c:get_extension("X509v3 Extended Key Usage")
ngx.say(tostring(ext))
}
}
--- request
GET /t
--- response_body eval
"TLS Web Server Authentication
"
--- no_error_log
[error]
=== TEST 9: Set extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local ext = myassert(require("resty.openssl.x509.extension").new(
"keyUsage", "Digital Signature, Key Encipherment"
))
local ok = myassert(c:set_extension(ext))
local ext, _ = c:get_extension("X509v3 Key Usage")
ngx.say(tostring(ext))
}
}
--- request
GET /t
--- response_body eval
"Digital Signature, Key Encipherment
"
--- no_error_log
[error]
=== TEST 10: Reads basic constraints
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
ngx.say(c:get_basic_constraints("ca"))
ngx.say(c:get_basic_constraints("pathlen"))
collectgarbage("collect")
}
}
--- request
GET /t
--- response_body eval
"true
0
"
--- no_error_log
[error]
=== TEST 11: Set basic constraints
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c, err = require("resty.openssl.x509").new(f)
local ok = myassert(c:set_basic_constraints({
CA = false,
pathLen = 233,
}))
ngx.say(c:get_basic_constraints("ca"))
ngx.say(c:get_basic_constraints("pathlen"))
collectgarbage("collect")
}
}
--- request
GET /t
--- response_body eval
"false
233
"
--- no_error_log
[error]
=== TEST 12: Get authority info access
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local aia = myassert(c:get_info_access())
local ffi = require "ffi"
for _, v in ipairs(aia) do
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
end
collectgarbage("collect")
}
}
--- request
GET /t
--- response_body eval
"OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
"
--- no_error_log
[error]
=== TEST 13: Set authority info access
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local aia = myassert(c:get_info_access())
myassert(aia:add("OCSP", "URI", "http://somedomain.com"))
myassert(c:set_info_access(aia))
local aia = myassert(c:get_info_access())
local ffi = require "ffi"
for _, v in ipairs(aia) do
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
end
collectgarbage("collect")
}
}
--- request
GET /t
--- response_body eval
"OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
OCSP - URI:http://somedomain.com
"
--- no_error_log
[error]
=== TEST 14: Get CRL distribution points
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local cdp = myassert(c:get_crl_distribution_points())
local ffi = require "ffi"
for _, altname in pairs(cdp) do
for k, v in pairs(altname) do
ngx.say(k, " ", v)
end
end
collectgarbage("collect")
}
}
--- request
GET /t
--- response_body eval
"URI http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
URI http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
"
--- no_error_log
[error]
=== TEST 15: Set CRL distribution points
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
-- NYI
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 16: Get OCSP url
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local ocsp = myassert(c:get_ocsp_url())
ngx.say(ocsp)
local ocsp = myassert(c:get_ocsp_url(true))
ngx.say(encode_sorted_json(ocsp))
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local ocsp = myassert(c:get_ocsp_url())
ngx.say(ocsp)
}
}
--- request
GET /t
--- response_body eval
'http://ocsp.digicert.com
["http:\/\/ocsp.digicert.com"]
nil
'
--- no_error_log
[error]
=== TEST 17: Get CRL url
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crl = myassert(c:get_crl_url())
ngx.say(crl)
local crl = myassert(c:get_crl_url(true))
ngx.say(encode_sorted_json(crl))
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crl = myassert(c:get_crl_url())
ngx.say(crl)
}
}
--- request
GET /t
--- response_body eval
'http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
["http:\/\/crl3.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl","http:\/\/crl4.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl"]
nil
'
--- no_error_log
[error]
=== TEST 18: Get non existend extension, return nil, nil
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_subject_alt_name())
ngx.say(get)
}
}
--- request
GET /t
--- response_body eval
"nil
"
--- no_error_log
[error]
=== TEST 19: Check private key match
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed({ type = "EC", curve = "prime256v1" })
local ok, err = cert:check_private_key(key)
ngx.say(ok)
ngx.say(err)
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local ok, err = c:check_private_key(key)
ngx.say(ok)
ngx.say(err)
local key2 = require("resty.openssl.pkey").new({
type = 'EC',
curve = "prime256v1",
})
local ok, err = cert:check_private_key(key2)
ngx.say(ok)
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"true
nil
false
.+(key type mismatch|KEY_TYPE_MISMATCH)
.+(key values mismatch|KEY_VALUES_MISMATCH)
"
--- no_error_log
[error]
# START AUTO GENERATED CODE
=== TEST 20: x509:get_serial_number (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_serial_number())
get = get:to_hex():upper()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"0E8BF3770D92D196F0BB61F93C4166BE"
--- no_error_log
[error]
=== TEST 21: x509:set_serial_number (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = myassert(require("resty.openssl.bn").new(math.random(1, 2333333)))
local ok = myassert(c:set_serial_number(toset))
local get = myassert(c:get_serial_number())
get = get:to_hex():upper()
toset = toset:to_hex():upper()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 22: x509:get_not_before (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_not_before())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"1616630400"
--- no_error_log
[error]
=== TEST 23: x509:set_not_before (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = ngx.time()
local ok = myassert(c:set_not_before(toset))
local get = myassert(c:get_not_before())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 24: x509:get_not_after (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_not_after())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"1648684799"
--- no_error_log
[error]
=== TEST 25: x509:set_not_after (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = ngx.time()
local ok = myassert(c:set_not_after(toset))
local get = myassert(c:get_not_after())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 26: x509:get_pubkey (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_pubkey())
get = get:to_PEM()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErfb3dbHTSVQKXRBxvdwlBksiHKIj
Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
-----END PUBLIC KEY-----
"
--- no_error_log
[error]
=== TEST 27: x509:set_pubkey (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = myassert(require("resty.openssl.pkey").new())
local ok = myassert(c:set_pubkey(toset))
local get = myassert(c:get_pubkey())
get = get:to_PEM()
toset = toset:to_PEM()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 28: x509:get_subject_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_subject_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"C=US/CN=github.com/L=San Francisco/O=GitHub, Inc./ST=California"
--- no_error_log
[error]
=== TEST 29: x509:set_subject_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
local ok = myassert(c:set_subject_name(toset))
local get = myassert(c:get_subject_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 30: x509:get_issuer_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_issuer_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"C=US/CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1/O=DigiCert, Inc."
--- no_error_log
[error]
=== TEST 31: x509:set_issuer_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
local ok = myassert(c:set_issuer_name(toset))
local get = myassert(c:get_issuer_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 32: x509:get_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_version())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"3"
--- no_error_log
[error]
=== TEST 33: x509:set_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = ngx.time()
local ok = myassert(c:set_version(toset))
local get = myassert(c:get_version())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 34: x509:get_subject_alt_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local get = myassert(c:get_subject_alt_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"DNS=github.com/DNS=www.github.com"
--- no_error_log
[error]
=== TEST 35: x509:set_subject_alt_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
local ok = myassert(c:set_subject_alt_name(toset))
local get = myassert(c:get_subject_alt_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 37: x509:get/set_subject_alt_name_critical (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crit = myassert(c:get_subject_alt_name_critical())
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
ngx.say(c:get_subject_alt_name_critical() == not crit)
}
}
--- request
GET /t
--- response_body
true
--- no_error_log
[error]
=== TEST 38: x509:get/set_basic_constraints_critical (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crit = myassert(c:get_basic_constraints_critical())
local ok, err = myassert(c:set_basic_constraints_critical(not crit))
ngx.say(c:get_basic_constraints_critical() == not crit)
}
}
--- request
GET /t
--- response_body
true
--- no_error_log
[error]
=== TEST 39: x509:get/set_info_access_critical (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crit = myassert(c:get_info_access_critical())
local ok, err = myassert(c:set_info_access_critical(not crit))
ngx.say(c:get_info_access_critical() == not crit)
}
}
--- request
GET /t
--- response_body
true
--- no_error_log
[error]
=== TEST 40: x509:get/set_crl_distribution_points_critical (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local crit = myassert(c:get_crl_distribution_points_critical())
local ok, err = myassert(c:set_crl_distribution_points_critical(not crit))
ngx.say(c:get_crl_distribution_points_critical() == not crit)
}
}
--- request
GET /t
--- response_body
true
--- no_error_log
[error]
=== TEST 41: x509:get_get_signature_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local nid = myassert(c:get_signature_nid())
ngx.say(nid)
local name = myassert(c:get_signature_name())
ngx.say(name)
local name = myassert(c:get_signature_digest_name())
ngx.say(name)
}
}
--- request
GET /t
--- response_body
794
ecdsa-with-SHA256
SHA256
--- no_error_log
[error]
# END AUTO GENERATED CODE
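Review bot: TEST 33 (`x509:set_version`) round-trips `ngx.time()` through `set_version`/`get_version`, so it passes only because the setter accepts an epoch timestamp as a version number; TEST 32 shows the fixture's real version is `3`, and an epoch value is not one of the versions RFC 5280 defines (v1, v2, v3). The generator should emit a legal value here (`local toset = 3`) or the test should assert that out-of-range input is rejected. Minor: the numbering jumps from TEST 35 to TEST 37, and TEST 41 is titled `get_get_signature_name` while the body calls `get_signature_nid`, `get_signature_name` and `get_signature_digest_name`.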


@ -1,238 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Creates stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
ngx.say(#c)
}
}
--- request
GET /t
--- response_body eval
"0
"
--- no_error_log
[error]
=== TEST 2: Adds elements to stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
for i=0,2,1 do
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
end
ngx.say(#c)
ngx.say(c:count())
}
}
--- request
GET /t
--- response_body eval
"3
3
"
--- no_error_log
[error]
=== TEST 3: Element can be indexed properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
for i=0,2,1 do
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
end
for k, v in pairs(c) do
ngx.say(k, " ", v)
end
}
}
--- request
GET /t
--- response_body eval
"DNS 0.com
DNS 1.com
DNS 2.com
"
--- no_error_log
[error]
=== TEST 4: Element is duplicated when added to stack
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
local ok = myassert(c:add("DNS", "example.com"))
cert = nil
collectgarbage("collect")
local k, v = unpack(c[1])
ngx.say(k, " ", v)
}
}
--- request
GET /t
--- response_body eval
"DNS example.com
"
--- no_error_log
[error]
=== TEST 5: Element is duplicated when returned
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
local ok = myassert(c:add("DNS", "example.com"))
local cc = c[1]
c = nil
collectgarbage("collect")
if cc ~= nil then
local k, v = unpack(cc)
ngx.say(k, " ", v)
else
ngx.say("incorrectly GC'ed")
end
}
}
--- request
GET /t
--- response_body eval
"DNS example.com
"
--- no_error_log
[error]
=== TEST 6: Element is not freed when stack is duplicated
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
local ok = myassert(c:add("DNS", "example.com"))
local c2 = myassert(altname.dup(c.ctx))
c = nil
collectgarbage("collect")
ngx.say(c2:count())
local k, v = unpack(c2[1])
ngx.say(k, " ", v)
}
}
--- request
GET /t
--- response_body eval
"1
DNS example.com
"
--- no_error_log
[error]
=== TEST 7: Unsupported SANs are returned as "unsupported"
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local x509 = require("resty.openssl.x509")
local extension = require "resty.openssl.x509.extension"
local ext, err = myassert(extension.new("subjectAltName", "otherName:msUPN;UTF8:sb@sb.local,IP.1:255.255.255.255,IP.2:1111:1111:1111:1111:1111:1111:1111:1111,DNS:example.com,email:test@test.com,RID:1.2.3.4"))
local c = x509.new()
myassert(c:add_extension(ext))
local alts = myassert(c:get_subject_alt_name())
for k, v in pairs(alts) do
ngx.say(k, ":", v)
end
}
}
--- request
GET /t
--- response_body
OtherName:OtherName:<unsupported>
IP:255.255.255.255
IP:1111:1111:1111:1111:1111:1111:1111:1111
DNS:example.com
email:test@test.com
RID:RID:<unsupported>
--- no_error_log
[error]
=== TEST 8: IP addresses are validated and parsed
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname")
local c = myassert(altname.new())
myassert(c:add("IP", "1.2.3.4"))
myassert(c:add("IPAddress", "100.100.100.100"))
myassert(c:add("IP", "255.255.255.255"))
myassert(c:add("IP", "::1"))
myassert(c:add("IP", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
for _, v in ipairs({"1", ":::", "ffff:", "256.1.1.1"}) do
local _, err = c:add("IP", v)
if err == nil then
ngx.say("should error on " .. v)
end
end
ngx.say(c:tostring())
}
}
--- request
GET /t
--- response_body
IP=1.2.3.4/IP=100.100.100.100/IP=255.255.255.255/IP=::1/IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--- no_error_log
[error]
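Review bot: this hunk drops the whole altname suite (`@ -1,238 +0,0`). If the `resty.openssl` dependency remains in the tree, note that TEST 8 is the only negative-input coverage shown here for SAN IP parsing (rejecting `"1"`, `":::"`, `"ffff:"`, `"256.1.1.1"`) and it leaves with the file. Two of the removed tests were also not checking what their titles claim: TEST 4 clears an unrelated global (`cert = nil`) rather than the added element before `collectgarbage("collect")`, and TEST 7 locks in the doubled `OtherName:OtherName:<unsupported>` / `RID:RID:<unsupported>` rendering as expected output.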


@ -1,173 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Creates stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
ngx.say(#c)
}
}
--- request
GET /t
--- response_body eval
"0
"
--- no_error_log
[error]
=== TEST 2: Adds elements to stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
for i=0,2,1 do
local ok = myassert(c:add(cert))
end
ngx.say(#c)
ngx.say(#c:all())
}
}
--- request
GET /t
--- response_body eval
"3
3
"
--- no_error_log
[error]
=== TEST 3: Element can be indexed properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
for i=0,2,1 do
local ok = myassert(c:add(cert))
end
for _, cc in ipairs(c) do
ngx.say(#cc:digest())
end
}
}
--- request
GET /t
--- response_body eval
"20
20
20
"
--- no_error_log
[error]
=== TEST 4: Element is duplicated when added to stack
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
local ok = myassert(c:add(cert))
cert = nil
collectgarbage("collect")
ngx.say(#c[1]:digest())
}
}
--- request
GET /t
--- response_body eval
"20
"
--- no_error_log
[error]
=== TEST 5: Element is duplicated when returned
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
local ok = myassert(c:add(cert))
local cc = c[1]
c = nil
collectgarbage("collect")
ngx.say(#cc:digest())
}
}
--- request
GET /t
--- response_body eval
"20
"
--- no_error_log
[error]
=== TEST 6: Element is not freed when stack is duplicated
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local chain = require("resty.openssl.x509.chain")
local c = myassert(chain.new())
local ok = myassert(c:add(cert))
local c2 = myassert(chain.dup(c.ctx))
c = nil
collectgarbage("collect")
ngx.say(c2:count())
ngx.say(#c2[1]:digest())
}
}
--- request
GET /t
--- response_body eval
"1
20
"
--- no_error_log
[error]
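Review bot: whole-file deletion (`@ -1,173 +0,0`). For the record, TEST 3 to TEST 6 only assert `#cc:digest()` is `20` (a SHA-1-length digest), never that the element returned equals the certificate that was added, so they would not catch a wrong or stale element being handed back after `collectgarbage("collect")`; comparing against `cert:digest()` captured before the reference is dropped would have made the GC tests meaningful. Not a blocker for removing the file, but worth knowing if the suite is ever restored.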


@ -1,507 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
no_long_string();
run_tests();
__DATA__
=== TEST 1: Loads a crl
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
ngx.say("ok")
}
}
--- request
GET /t
--- response_body eval
"ok
"
--- no_error_log
[error]
=== TEST 2: Converts and loads PEM format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local pem = myassert(c:tostring("PEM"))
for _, typ in ipairs({"PEM", "*", false}) do
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
end
local c2, err = require("resty.openssl.x509.crl").new(pem, "DER")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.crl.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
--- no_error_log
[error]
=== TEST 3: Converts and loads DER format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local pem = myassert(c:tostring("DER"))
for _, typ in ipairs({"DER", "*", false}) do
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
end
local c2, err = require("resty.openssl.x509.crl").new(pem, "PEM")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.crl.new.+(no start line|NO_START_LINE).+"
--- no_error_log
[error]
=== TEST 4: x509.crl:add_revoked should add revoked to crl
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local revoked = myassert(require("resty.openssl.x509.revoked"))
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = ngx.time()
local r = myassert(revoked.new(1234, toset, 1))
if not revoked.istype(r) then
ngx.say("it should be instance of revoked")
return
end
local ok = myassert(c:add_revoked(r))
if ok ~= true then
ngx.say("Could not add revoked")
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 5: x509.crl:add_revoked should fail if revoked is not instance of revoked
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local revoked = myassert(require("resty.openssl.x509.revoked"))
local c = myassert(require("resty.openssl.x509.crl").new(f))
local ok, err = c:add_revoked({ctx ={}})
if ok ~= false then
ngx.say("false")
elseif err ~= "x509.crl:add_revoked: expect a revoked instance at #1" then
ngx.say("false")
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 6: x509.crl:sign should succeed
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local revoked = myassert(require("resty.openssl.x509.revoked"))
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = ngx.time()
local r = myassert(revoked.new(1234, toset, 1))
c:add_revoked(r)
local d = myassert(require("resty.openssl.digest").new("SHA256"))
local p = myassert(require("resty.openssl.pkey").new())
local ok = myassert(c:sign(p, d))
if ok == false then
ngx.say("false")
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 7: x509.crl:text
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
ngx.say(myassert(c:text()))
}
}
--- request
GET /t
--- response_body_like eval
"Certificate Revocation List.+Revoked Certificates.+"
--- no_error_log
[error]
=== TEST 8: x509.crl metamethods
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_10 then
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2")
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233")
ngx.exit(0)
end
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local s = myassert(c:index(1))
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
s = c[1]
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
local revoked = myassert(require("resty.openssl.x509.revoked"))
local r = myassert(revoked.new(0x04D2, 1511122233, 1))
myassert(c:add_revoked(r))
ngx.say(#c, ", ", c:count())
for _, rr in ipairs(c) do
ngx.say(rr.serial_number:upper(), ", ", rr.revocation_date)
end
}
}
--- request
GET /t
--- response_body_like eval
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
09159859CAC0C90203BB34C5A012C2A3, 1577753344
2, 2
09159859CAC0C90203BB34C5A012C2A3, 1577753344
04D2, 1511122233
"
--- no_error_log
[error]
=== TEST 9: x509.crl get_by_serial
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_10 then
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue")
ngx.exit(0)
end
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3"))
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
s = myassert(c:get_by_serial(require("resty.openssl.bn").from_hex("09159859CAC0C90203BB34C5A012C2A3")))
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
local nos, err = c:get_by_serial("111111")
ngx.say(nos == nil, err == nil)
}
}
--- request
GET /t
--- response_body_like eval
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
09159859CAC0C90203BB34C5A012C2A3, 1577753344
truetrue
"
--- no_error_log
[error]
=== TEST 10: x509.crl doesn't error if revoked is empty (regression)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/no_revoked.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
for k, v in pairs(c) do
ngx.say(tostring(k))
end
-- above should print nothing
ngx.say(c:get_last_update())
}
}
--- request
GET /t
--- response_body_like eval
"1652832000
"
--- no_error_log
[error]
# START AUTO GENERATED CODE
=== TEST 11: x509.crl:get_issuer_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local get = myassert(c:get_issuer_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"C=CN/CN=TrustAsia EV TLS Pro CA G2/O=TrustAsia Technologies, Inc."
--- no_error_log
[error]
=== TEST 12: x509.crl:set_issuer_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
local ok = myassert(c:set_issuer_name(toset))
local get = myassert(c:get_issuer_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 13: x509.crl:get_last_update (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local get = myassert(c:get_last_update())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"1580684546"
--- no_error_log
[error]
=== TEST 14: x509.crl:set_last_update (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = ngx.time()
local ok = myassert(c:set_last_update(toset))
local get = myassert(c:get_last_update())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 15: x509.crl:get_next_update (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local get = myassert(c:get_next_update())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"1581289346"
--- no_error_log
[error]
=== TEST 16: x509.crl:set_next_update (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = ngx.time()
local ok = myassert(c:set_next_update(toset))
local get = myassert(c:get_next_update())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 17: x509.crl:get_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local get = myassert(c:get_version())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"2"
--- no_error_log
[error]
=== TEST 18: x509.crl:set_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local toset = ngx.time()
local ok = myassert(c:set_version(toset))
local get = myassert(c:get_version())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 20: x509.crl:get_get_signature_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local nid = myassert(c:get_signature_nid())
ngx.say(nid)
local name = myassert(c:get_signature_name())
ngx.say(name)
local name = myassert(c:get_signature_digest_name())
ngx.say(name)
}
}
--- request
GET /t
--- response_body
668
RSA-SHA256
SHA256
--- no_error_log
[error]
# END AUTO GENERATED CODE
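Review bot: whole-file deletion (`@ -1,507 +0,0`). In TEST 8 and TEST 9 the `OPENSSL_10` branch prints the literal expected output and calls `ngx.exit(0)`, so on OpenSSL 1.0 builds those tests pass without exercising `index`, `get_by_serial` or `add_revoked` at all; a `--- skip_eval` section, or simply letting the test fail on unsupported versions, would be more honest than a vacuous pass. Also in the hunk: TEST 6 signs the CRL with a freshly generated `pkey.new()` unrelated to the issuer and only checks that `sign` returned truthy, and the result of `c:add_revoked(r)` just above it is unchecked; TEST 18 reuses the `ngx.time()` pattern for `set_version` although TEST 17 shows the CRL version is `2`; numbering skips TEST 19; and TEST 20 is titled `get_get_signature_name`.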


@ -1,56 +0,0 @@
local function create_csr(domain_pkey, ...)
local domains = {...}
local subject = require("resty.openssl.x509.name").new()
local _, err = subject:add("CN", domains[1])
if err then
return nil, err
end
local alt, err
if #{...} > 1 then
alt, err = require("resty.openssl.x509.altname").new()
if err then
return nil, err
end
for _, domain in pairs(domains) do
_, err = alt:add("DNS", domain)
if err then
return nil, err
end
end
end
local csr = require("resty.openssl.x509.csr").new()
local _
_, err = csr:set_subject_name(subject)
if err then
return nil, err
end
if alt then
_, err = csr:set_subject_alt_name(alt)
if err then
return nil, err
end
end
_, err = csr:set_pubkey(domain_pkey)
if err then
return nil, err
end
local d = require("resty.openssl.digest").new("SHA256")
_, err = csr:sign(domain_pkey, d)
if err then
return nil, err
end
return csr:tostring("DER"), nil
end
return {
create_csr = create_csr,
}
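Review bot: whole-file deletion (`@ -1,56 +0,0`) of the CSR helper. Worth noting before it goes: `if #{...} > 1 then` only builds the subjectAltName when more than one domain is passed, so a single-domain CSR carries the name in the CN alone, and CN-only identity is not accepted by mainstream TLS clients, which match against SAN entries only. Populating the altname whenever `#domains >= 1` would fix that. Minor: `for _, domain in pairs(domains)` should be `ipairs` to guarantee order, and `local alt, err` / `local _` redeclare names already in scope, which is legal Lua but noisy.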


@ -1,623 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
no_long_string();
run_tests();
__DATA__
=== TEST 1: Loads a csr
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
ngx.say("ok")
}
}
--- request
GET /t
--- response_body eval
"ok
"
--- no_error_log
[error]
=== TEST 2: Converts and loads PEM format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local pem = myassert(c:tostring("PEM"))
for _, typ in ipairs({"PEM", "*", false}) do
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
end
local c2, err = require("resty.openssl.x509.csr").new(pem, "DER")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.csr.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
--- no_error_log
[error]
=== TEST 3: Converts and loads DER format
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local pem = myassert(c:tostring("DER"))
for _, typ in ipairs({"DER", "*", false}) do
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
end
local c2, err = require("resty.openssl.x509.csr").new(pem, "PEM")
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"x509.csr.new.+(no start line|NO_START_LINE).+"
--- no_error_log
[error]
=== TEST 4: Generates CSR with RSA pkey correctly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local util = require("csr")
local pkey = require("resty.openssl.pkey").new()
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
ngx.update_time()
local fname = "ci_" .. math.floor(ngx.now() * 1000)
local f = io.open(fname, "wb")
f:write(der)
f:close()
ngx.say(io.popen("openssl req -inform der -in " .. fname .. " -noout -text", 'r'):read("*a"))
os.remove(fname)
}
}
--- request
GET /t
--- response_body_like eval
".+CN\\s*=\\s*dns1.com.+rsaEncryption.+2048 bit.+DNS:dns1.com.+DNS:dns2.com.+DNS:dns3.com"
--- no_error_log
[error]
=== TEST 5: Rejects invalid arguments
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local csr = require("resty.openssl.x509.csr").new()
ok, err = csr:set_subject_name("not a subject")
ngx.say(err)
ok, err = csr:set_subject_alt_name("not an alt")
ngx.say(err)
ok, err = csr:set_pubkey("not a pkey")
ngx.say(err)
ok, err = csr:sign("not a pkey")
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
"x509.csr:set_subject_name: expect a x509.name instance at #1
x509.csr:set_subject_alt_name: expect a x509.altname instance at #1
x509.csr:set_pubkey: expect a pkey instance at #1
x509.csr:sign: expect a pkey instance at #1
"
--- no_error_log
[error]
=== TEST 6: x509.csr:get_extensions of csr
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local exts = c:get_extensions()
if #exts == 0 then
ngx.print("0")
else
ngx.print("4")
end
}
}
--- request
GET /t
--- response_body eval
"4"
--- no_error_log
[error]
=== TEST 7: x509.csr:get_extension by nid
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local ext, pos = c:get_extension(83)
if not ext then
ngx.say("nil")
else
ngx.say(pos)
end
local ext = c:get_extension(83, pos)
if not ext then
ngx.say("nil")
else
ngx.say(pos)
end
}
}
--- request
GET /t
--- response_body eval
"2
nil
"
--- no_error_log
[error]
=== TEST 8: x509.csr:get_extension by nid name
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local ext = c:get_extension('basicConstraints')
if not ext then
ngx.print("nil")
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 9: x509.csr:get_extension should return nil if wrong nid name is given
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local ext, err = c:get_extension('test')
if not ext then
ngx.print("ok")
else
ngx.print(err)
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 10: Adds extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local altname = require("resty.openssl.x509.altname").new()
myassert(altname:add("DNS", "test.com"))
myassert(altname:add("DNS", "test2.com"))
local extension = require("resty.openssl.x509.extension")
local ext = myassert(extension.from_data(altname, 85, false))
local ok = myassert(c:add_extension(ext))
local ext, _ = c:get_extension("subjectAltName")
ngx.update_time()
local fname = "ci_" .. math.floor(ngx.now() * 1000)
local f = io.open(fname, "wb")
f:write(c:tostring())
f:close()
ngx.say(io.popen("openssl req -in " .. fname .. " -noout -text", 'r'):read("*a"))
os.remove(fname)
}
}
--- request
GET /t
--- response_body_like eval
"DNS:example.com.+DNS:test.com, DNS:test2.com
"
--- no_error_log
[error]
=== TEST 11: Set extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local altname = require("resty.openssl.x509.altname").new()
myassert(altname:add("DNS", "test.com"))
myassert(altname:add("DNS", "test2.com"))
local extension = require("resty.openssl.x509.extension")
local ext = myassert(extension.from_data(altname, 85, false))
local ok = myassert(c:set_extension(ext))
local ext, _ = c:get_extension("subjectAltName")
ngx.say(tostring(ext))
}
}
--- request
GET /t
--- response_body eval
"DNS:test.com, DNS:test2.com
"
--- no_error_log
[error]
=== TEST 12: x509.csr:sign should succeed
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local d = myassert(require("resty.openssl.digest").new("SHA256"))
local p = myassert(require("resty.openssl.pkey").new())
local ok = myassert(c:sign(p, d))
if ok == false then
ngx.say("false")
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 14: Check private key match
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local util = require("csr")
local pkey = require("resty.openssl.pkey").new({ type = "EC", curve = "prime256v1" })
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
local csr = myassert(require("resty.openssl.x509.csr").new(der))
local ok, err = csr:check_private_key(pkey)
ngx.say(ok)
ngx.say(err)
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local ok, err = c:check_private_key(pkey)
ngx.say(ok)
ngx.say(err)
local key2 = require("resty.openssl.pkey").new({
type = 'EC',
curve = "prime256v1",
})
local ok, err = csr:check_private_key(key2)
ngx.say(ok)
ngx.say(err)
}
}
--- request
GET /t
--- response_body_like eval
"true
nil
false
.+(key type mismatch|KEY_TYPE_MISMATCH)
.+(key values mismatch|KEY_VALUES_MISMATCH)
"
--- no_error_log
[error]
# START AUTO GENERATED CODE
=== TEST 15: x509.csr:get_subject_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local get = myassert(c:get_subject_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"C=US/CN=example.com/L=Los Angeles/O=SSL Support/OU=SSL Support/ST=California"
--- no_error_log
[error]
=== TEST 16: x509.csr:set_subject_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
local ok = myassert(c:set_subject_name(toset))
local get = myassert(c:get_subject_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 17: x509.csr:get_pubkey (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local get = myassert(c:get_pubkey())
get = get:to_PEM()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GD
CNL5NhDX2JVUQKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUz
KoTt5yLdVIM/HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgD
cdbcQ5wsPVOiFHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyf
gGS4+XQSsUdwNWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1
f3rlwf8H5HIVH3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJE
cwIDAQAB
-----END PUBLIC KEY-----
"
--- no_error_log
[error]
=== TEST 18: x509.csr:set_pubkey (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local toset = myassert(require("resty.openssl.pkey").new())
local ok = myassert(c:set_pubkey(toset))
local get = myassert(c:get_pubkey())
get = get:to_PEM()
toset = toset:to_PEM()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 19: x509.csr:get_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local get = myassert(c:get_version())
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"1"
--- no_error_log
[error]
=== TEST 20: x509.csr:set_version (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local toset = ngx.time()
local ok = myassert(c:set_version(toset))
local get = myassert(c:get_version())
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 21: x509.csr:get_subject_alt_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local get = myassert(c:get_subject_alt_name())
get = get:tostring()
ngx.print(get)
}
}
--- request
GET /t
--- response_body eval
"DNS=example.com"
--- no_error_log
[error]
=== TEST 22: x509.csr:set_subject_alt_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
local ok = myassert(c:set_subject_alt_name(toset))
local get = myassert(c:get_subject_alt_name())
get = get:tostring()
toset = toset:tostring()
if get ~= toset then
ngx.say(get)
ngx.say(toset)
else
ngx.print("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok"
--- no_error_log
[error]
=== TEST 24: x509.csr:get/set_subject_alt_name_critical (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local crit = myassert(c:get_subject_alt_name_critical())
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
ngx.say(c:get_subject_alt_name_critical() == not crit)
}
}
--- request
GET /t
--- response_body
true
--- no_error_log
[error]
=== TEST 25: x509.csr:get_get_signature_name (AUTOGEN)
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/test.csr"):read("*a")
local c = myassert(require("resty.openssl.x509.csr").new(f))
local nid = myassert(c:get_signature_nid())
ngx.say(nid)
local name = myassert(c:get_signature_name())
ngx.say(name)
local name = myassert(c:get_signature_digest_name())
ngx.say(name)
}
}
--- request
GET /t
--- response_body
65
RSA-SHA1
SHA1
--- no_error_log
[error]
# END AUTO GENERATED CODE
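Review bot: this hunk deletes the vendored lua-resty-openssl `x509.csr` test file wholesale (the `sign`, `check_private_key` and AUTOGEN getter/setter cases above). That is fine if these upstream tests were never wired into BunkerWeb's own CI, but the commit message should state whether the `resty.openssl` modules these tests exercise are still shipped and only their tests are being dropped, or whether the library itself goes; the deletion alone does not let a reader tell the two apart, and in the first case the project loses its only regression coverage for CSR signing and key-match checks.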


@ -1,379 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
_G.encode_sorted_json = require("helper").encode_sorted_json
}
};
run_tests();
__DATA__
=== TEST 1: Creates extension by nconf
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("extendedKeyUsage",
"serverAuth,clientAuth"))
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 2: Gets extension object
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("extendedKeyUsage",
"serverAuth,clientAuth"))
ngx.say(encode_sorted_json(myassert(c:get_object())))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":"2.5.29.37","ln":"X509v3 Extended Key Usage","nid":126,"sn":"extendedKeyUsage"}
'
--- no_error_log
[error]
=== TEST 3: Gets extension critical
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local extension, _, err = c:get_extension("X509v3 Key Usage")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(extension:get_critical())
local extension, _, err = c:get_extension("X509v3 Extended Key Usage")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(extension:get_critical())
}
}
--- request
GET /t
--- response_body_like eval
"true
false
"
--- no_error_log
[error]
=== TEST 4: Set extension critical
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("extendedKeyUsage",
"serverAuth,clientAuth"))
myassert(c:set_critical())
ngx.say(c:get_critical())
myassert(c:set_critical(true))
ngx.say(c:get_critical())
}
}
--- request
GET /t
--- response_body_like eval
"false
true
"
--- no_error_log
[error]
=== TEST 5: Prints human readable txt of extension
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local extension, _, err = c:get_extension("subjectKeyIdentifier")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(extension:text())
local extension, _, err = c:get_extension("Authority Information Access")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(tostring(extension))
-- unknown extension
local objects = require("resty.openssl.objects")
local id_pe_acmeIdentifier = "1.3.6.1.5.5.7.1.31"
local nid = objects.txt2nid(id_pe_acmeIdentifier)
if not nid or nid == 0 then
nid = objects.create(
id_pe_acmeIdentifier, -- nid
"pe-acmeIdentifier", -- sn
"ACME Identifier" -- ln
)
end
local ext = myassert(require("resty.openssl.x509.extension").from_der("valuevalue", nid, true))
ngx.say("ACME Identifier: ", tostring(ext))
}
}
--- request
GET /t
--- response_body_like eval
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
.?ACME Identifier: valuevalue
"
--- no_error_log
[error]
=== TEST 6: Creates extension by X509V3_CTX
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local x509 = myassert(require("resty.openssl.x509").new(f))
f = io.open("t/fixtures/test.crt"):read("*a")
local ic = myassert(require("resty.openssl.x509").new(f))
f = io.open("t/fixtures/test.key"):read("*a")
local ik = myassert(require("resty.openssl.pkey").new(f))
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("subjectKeyIdentifier", "hash",
{
subject = x509,
}))
ngx.say(tostring(c))
if require("resty.openssl.version").OPENSSL_3X then
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = x509,
}))
if tostring(c) ~= "0." then
ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
end
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = x509,
issuer_pkey = ik,
}))
-- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
ngx.print("keyid:")
else
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
{
subject = x509,
issuer = ic,
}))
end
ngx.say(tostring(c))
}
}
--- request
GET /t
--- response_body_like eval
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
"
--- no_error_log
[error]
=== TEST 7: Creates extension by data
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname").new()
myassert(altname:add("DNS", "test.com"))
myassert(altname:add("DNS", "test2.com"))
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.from_data(altname, 85, false))
ngx.say(encode_sorted_json(c:get_object()))
ngx.say(tostring(c))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":"2.5.29.17","ln":"X509v3 Subject Alternative Name","nid":85,"sn":"subjectAltName"}
DNS:test.com, DNS:test2.com
'
--- no_error_log
[error]
=== TEST 8: Convert extension to data
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local altname = require("resty.openssl.x509.altname").new()
myassert(altname:add("DNS", "test.com"))
myassert(altname:add("DNS", "test2.com"))
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.from_data(altname, 85, false))
local alt2 = myassert(extension.to_data(c, 85))
ngx.say(alt2:tostring())
}
}
--- request
GET /t
--- response_body_like eval
'DNS=test.com/DNS=test2.com
'
--- no_error_log
[error]
=== TEST 9: Creates extension by der
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.from_der("\x00\x01\x02\x03", "basicConstraints"))
ngx.say(encode_sorted_json(c:get_object()))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}
'
--- no_error_log
[error]
=== TEST 10: Creates extension by nconf
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say([[
{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
Policy: 1.2.3.4
Policy: 1.5.6.7.8
Policy: 1.3.5.8
CPS: http://my.host.name/
CPS: http://my.your.name/
User Notice:
Organization: Organisation Name
Numbers: 1, 2, 3, 4
Explicit Text: Explicit Text Here
]])
ngx.exit(0)
end
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
[[
[polsect]
policyIdentifier = 1.3.5.8
CPS.1="http://my.host.name/"
CPS.2="http://my.your.name/"
userNotice.1=@notice
[notice]
explicitText="Explicit Text Here"
organization="Organisation Name"
noticeNumbers=1,2,3,4
]]
))
ngx.say(encode_sorted_json(c:get_object()))
ngx.say(tostring(c))
}
}
--- request
GET /t
--- response_body_like eval
'{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
Policy: 1.2.3.4
Policy: 1.5.6.7.8
Policy: 1.3.5.8
CPS: http://my.host.name/
CPS: http://my.your.name/
User Notice:
Organization: Organisation Name
Numbers: 1, 2, 3, 4
Explicit Text: Explicit Text Here
'
--- no_error_log
[error]
=== TEST 11: Returns DER encoded data
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local f = io.open("t/fixtures/Github.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local extension, _, err = c:get_extension("subjectKeyIdentifier")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(require("helper").to_hex(extension:to_der()))
local extension, _, err = c:get_extension("Authority Information Access")
if err then
ngx.log(ngx.ERR, err)
return
end
ngx.say(require("helper").to_hex(extension:to_der()))
}
}
--- request
GET /t
--- response_body_like eval
"041427B17E9FBB269950D8F3C3535BFE3116B0BB1E72
308182302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305A06082B06010505073002864E687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274486967684173737572616E6365544C53487962726964454343534841323536323032304341312E637274
"
--- no_error_log
[error]


@ -1,180 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Creates stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
ngx.say(#c)
}
}
--- request
GET /t
--- response_body eval
"0
"
--- no_error_log
[error]
=== TEST 2: Adds elements to stack properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension_lib = require("resty.openssl.x509.extension")
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
for i=0,2,1 do
local ok = myassert(c:add(ext))
end
ngx.say(#c)
ngx.say(#c:all())
}
}
--- request
GET /t
--- response_body eval
"3
3
"
--- no_error_log
[error]
=== TEST 3: Element can be indexed properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension_lib = require("resty.openssl.x509.extension")
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
for i=0,2,1 do
local ok = myassert(c:add(ext))
end
collectgarbage()
for _, cc in ipairs(c) do
ngx.say(cc:text())
end
}
}
--- request
GET /t
--- response_body eval
"TLS Web Server Authentication, TLS Web Client Authentication
TLS Web Server Authentication, TLS Web Client Authentication
TLS Web Server Authentication, TLS Web Client Authentication
"
--- no_error_log
[error]
=== TEST 4: Element is duplicated when added to stack
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension_lib = require("resty.openssl.x509.extension")
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
local ok = myassert(c:add(ext))
ext = nil
collectgarbage("collect")
ngx.say(c[1]:text())
}
}
--- request
GET /t
--- response_body eval
"TLS Web Server Authentication, TLS Web Client Authentication
"
--- no_error_log
[error]
=== TEST 5: Element is duplicated when returned
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension_lib = require("resty.openssl.x509.extension")
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
local ok = myassert(c:add(ext))
local cc = c[1]
c = nil
collectgarbage("collect")
ngx.say(cc:text())
}
}
--- request
GET /t
--- response_body eval
"TLS Web Server Authentication, TLS Web Client Authentication
"
--- no_error_log
[error]
=== TEST 6: Element is not freed when stack is duplicated
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local extension_lib = require("resty.openssl.x509.extension")
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
local extensions = require("resty.openssl.x509.extensions")
local c = myassert(extensions.new())
local ok = myassert(c:add(ext))
local c2 = myassert(extensions.dup(c.ctx))
c = nil
collectgarbage("collect")
ngx.say(c2:count())
ngx.say(c2[1]:text())
}
}
--- request
GET /t
--- response_body eval
"1
TLS Web Server Authentication, TLS Web Client Authentication
"
--- no_error_log
[error]


@ -1,139 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Duplicate the ctx
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
require('ffi').cdef('typedef struct X509_name_st X509_NAME; void X509_NAME_free(X509_NAME *name);')
local name = myassert(require("resty.openssl.x509.name").new())
local name2 = myassert(require("resty.openssl.x509.name").dup(name.ctx))
name = nil
collectgarbage("collect")
-- if name2.ctx is also freed this following will segfault
local _ = myassert(name2:add("CN", "example.com"))
}
}
--- request
GET /t
--- response_body eval
""
--- no_error_log
[error]
=== TEST 2: Rejects invalid NID
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local name = myassert(require("resty.openssl.x509.name").new())
name, err = name:add("whatever", "value")
ngx.say(name == nil)
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
"true
x509.name:add: invalid NID text whatever
"
--- no_error_log
[error]
=== TEST 3: Finds by text
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local name = myassert(require("resty.openssl.x509.name").new())
name = myassert(name:add("CN", "example.com"))
name = myassert(name:add("CN", "anotherdomain.com"))
local a, b, c = name:find("CN")
if a then
ngx.say("found ", b, " ", a.blob)
end
local a, b, c = name:find("2.5.4.3")
if a then
ngx.say("found ", b, " ", a.blob)
end
local a, b, c = name:find("CM")
if not a then
ngx.say("not found")
end
local a, b, c = name:find("CN", 1)
if a then
ngx.say("found ", b, " ", a.blob)
end
}
}
--- request
GET /t
--- response_body_like eval
"found 1 example.com
found 1 example.com
not found
found 2 anotherdomain.com
"
--- no_error_log
[error]
=== TEST 4: Pairs
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local name = myassert(require("resty.openssl.x509.name").new())
local CNs = 3
for i=1,CNs,1 do
name = myassert(name:add("CN", string.format("%d.example.com", i)))
end
local others = { "L", "ST", "O" }
for _, k in ipairs(others) do
name = myassert(name:add(k, "Mars"))
end
ngx.say(#name)
for k, v in pairs(name) do
ngx.print(v.nid .. ",")
end
}
}
--- request
GET /t
--- response_body eval
"6
13,13,13,15,16,17,"
--- no_error_log
[error]


@ -1,69 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
no_long_string();
run_tests();
__DATA__
=== TEST 1:revoked.new should create new revoked instance
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local revoked = myassert(require("resty.openssl.x509.revoked"))
local time = ngx.time()
local r, err = myassert(revoked.new(1234, time, 1))
if not revoked.istype(r) then
ngx.say("it should be instance of revoked")
else
ngx.say("ok")
end
}
}
--- request
GET /t
--- response_body eval
"ok
"
--- no_error_log
[error]
=== TEST 2:revoked.new should fail when invalid parameters are given
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local revoked = myassert(require("resty.openssl.x509.revoked"))
local toset = ngx.time()
local r, err = revoked.new("1234", toset, 40)
ngx.say(r == nil)
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
"true
x509.revoked.new: sn should be number or a bn instance
"
--- no_error_log
[error]


@ -1,414 +0,0 @@
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua 'no_plan';
use Cwd qw(cwd);
my $pwd = cwd();
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
our $HttpConfig = qq{
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
init_by_lua_block {
if "1" == "$use_luacov" then
require 'luacov.tick'
jit.off()
end
_G.myassert = require("helper").myassert
}
};
run_tests();
__DATA__
=== TEST 1: Creates store properly
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local store = require("resty.openssl.x509.store")
local c = myassert(store.new())
}
}
--- request
GET /t
--- response_body eval
""
--- no_error_log
[error]
=== TEST 2: Loads a x509 object
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert, key = require("helper").create_self_signed()
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local ok = myassert(s:add(cert))
}
}
--- request
GET /t
--- response_body eval
""
--- no_error_log
[error]
=== TEST 3: Loads default location
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
myassert(s:use_default())
}
}
--- request
GET /t
--- response_body eval
""
--- no_error_log
[error]
=== TEST 4: Loads file
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local ok, err = s:load_file("certnonexistent.pem")
ngx.say(ok)
ngx.say(err)
os.execute("echo > cert4-empty.pem")
local ok, err = s:load_file("cert4-empty.pem")
ngx.say(ok)
-- we only get detailed error for "no certificate found" on >= 1.1.1
ngx.say(err)
os.remove("cert4-empty.pem")
local cert, _ = require("helper").create_self_signed()
local f = io.open("cert4.pem", "w")
f:write(cert:tostring())
f:close()
local ok = myassert(s:load_file("cert4.pem"))
os.remove("cert4.pem")
}
}
--- request
GET /t
--- response_body_like eval
"false
x509.store:load_file.+system lib.*
false
x509.store:load_file.+
"
--- no_error_log
[error]
=== TEST 5: Verifies a x509 object
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local cert1, key1 = require("helper").create_self_signed()
local cert2, key2 = require("helper").create_self_signed()
local cert3, key3 = require("helper").create_self_signed()
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local ok = myassert(s:add(cert1))
local ok = myassert(s:add(cert2))
local chain = myassert(s:verify(cert1, nil, true))
ngx.say(#chain)
local chain, err = s:verify(cert3, nil, true)
ngx.say(err)
ngx.say(chain == nil)
}
}
--- request
GET /t
--- response_body_like eval
"1
(?:self signed|self-signed) certificate
true
"
--- no_error_log
[error]
=== TEST 6: Using default CAs (skip due to hard to setup on custom-built openssl env)
--- SKIP
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local ok = myassert(s:use_default())
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local chain = myassert(s:verify(c, nil, true))
ngx.say(#chain)
}
}
--- request
GET /t
--- response_body_like eval
"1
"
--- no_error_log
[error]
=== TEST 7: Loads directory
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local ok = myassert(s:load_directory("/etc/ssl/certs"))
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(require("resty.openssl.x509").new(f))
local chain = myassert(s:verify(c, nil, true))
ngx.say(#chain)
}
}
--- request
GET /t
--- response_body_like eval
"1
"
--- no_error_log
[error]
=== TEST 8: Verifies sub cert
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require("helper")
local x509 = require("resty.openssl.x509")
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(x509.new(f))
ngx.say(helper.to_hex(c:digest()))
local chain = myassert(s:add(c))
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
local c = myassert(x509.new(f))
ngx.say(helper.to_hex(c:digest()))
local chain = myassert(s:verify(c, nil, true))
for _, c in ipairs(chain) do
ngx.say(helper.to_hex(c:digest()))
end
}
}
--- request
GET /t
--- response_body eval
"B1BC968BD4F49D622AA89A81F2150152A41D829C
C187B85714202A2941E8EAFB846C39EB1F9C609A
C187B85714202A2941E8EAFB846C39EB1F9C609A
B1BC968BD4F49D622AA89A81F2150152A41D829C
"
--- no_error_log
[error]
=== TEST 9: Set purpose
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require("helper")
local x509 = require("resty.openssl.x509")
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(x509.new(f))
local chain = myassert(s:add(c))
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
local c = myassert(x509.new(f))
myassert(s:set_purpose("sslclient"))
local ok, err = s:verify(c, nil, false)
ngx.say(ok, err)
myassert(s:set_purpose("crlsign"))
local ok, err = s:verify(c, nil, false)
ngx.say(ok, err)
}
}
--- request
GET /t
--- response_body_like eval
"nil(?:unsupported|unsuitable) certificate purpose
truenil
"
--- no_error_log
[error]
=== TEST 10: Set depth
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require "t.openssl.helper"
local store = require("resty.openssl.x509.store")
local chain = require("resty.openssl.x509.chain")
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
local s = myassert(store.new())
myassert(s:add(certs[1]))
local ch = chain.new()
for i=2, #certs-1 do
myassert(ch:add(certs[i]))
end
-- should be ok
ngx.say(s:verify(certs[#certs], ch))
-- in openssl < 1.1.0, depth are counted 1 more than later versions
-- we set it to be one less than enough to be prune to that case
myassert(s:set_depth(1))
-- openssl 1.0.2 will emit "unable to get local issuer certificate"
-- instead of "certificate chain too long"
ngx.say(s:verify(certs[#certs], ch))
}
}
--- request
GET /t
--- response_body_like eval
"truenil
nil(?:certificate chain too long|unable to get local issuer certificate)
"
--- no_error_log
[error]
=== TEST 11: Verify with verify_method
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require("helper")
local x509 = require("resty.openssl.x509")
local store = require("resty.openssl.x509.store")
local s = myassert(store.new())
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
local c = myassert(x509.new(f))
local chain = myassert(s:add(c))
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
local c = myassert(x509.new(f))
local ok, err = s:verify(c, nil, false, nil, "ssl_client")
ngx.say(ok, err)
local ok, err = s:verify(c, nil, false, nil, "default")
ngx.say(ok, err)
myassert(s:set_purpose("sslclient"))
local ok, err = s:verify(c, nil, false, nil, "default")
ngx.say(ok, err)
}
}
--- request
GET /t
--- response_body_like eval
"nil(?:unsupported|unsuitable) certificate purpose
truenil
nil(?:unsupported|unsuitable) certificate purpose
"
--- no_error_log
[error]
=== TEST 12: Set flags
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require "t.openssl.helper"
local store = require("resty.openssl.x509.store")
local chain = require("resty.openssl.x509.chain")
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
local s = myassert(store.new())
myassert(s:add(certs[2]))
local ch = chain.new()
for i=3, #certs-1 do
myassert(ch:add(certs[i]))
end
-- should not be ok, need root CA
ngx.say(s:verify(certs[#certs], ch))
myassert(s:set_flags(s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
ngx.say(s:verify(certs[#certs], ch))
}
}
--- request
GET /t
--- response_body_like eval
"nilunable to get issuer certificate
truenil
"
--- no_error_log
[error]
=== TEST 13: Set verify time flags
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local helper = require "t.openssl.helper"
local store = require("resty.openssl.x509.store")
local chain = require("resty.openssl.x509.chain")
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
local s = myassert(store.new())
myassert(s:add(certs[2]))
local ch = chain.new()
for i=3, #certs-1 do
myassert(ch:add(certs[i]))
end
-- should not be ok, need root CA
ngx.say(s:verify(certs[#certs], ch))
ngx.say(s:verify(certs[#certs], ch, false, nil, nil, s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
}
}
--- request
GET /t
--- response_body_like eval
"nilunable to get issuer certificate
truenil
"
--- no_error_log
[error]


@ -63,9 +63,6 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
ln -s /proc/1/fd/1 /var/log/letsencrypt/letsencrypt.log && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
VOLUME /data /etc/nginx
WORKDIR /usr/share/bunkerweb/scheduler
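Review bot: dropping the explicit `RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"` means the image now inherits whatever OpenSSL build the base image ships; that is only safe if the base image tag in the FROM line is pinned to one that already contains those package versions, otherwise the CVE fix this line was added for silently regresses. Either keep the version floor or pin the base image by digest, and state in the commit message which base image carries the fix.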

@ -76,7 +76,7 @@ class JobScheduler(ApiCaller):
def __reload(self):
reload = True
if self.__integration == "Linux":
if self.__integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
self.__logger.info("Reloading nginx ...")
proc = run(
["nginx", "-s", "reload"], stdin=DEVNULL, stderr=PIPE, env=self.__env
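Review bot: the new condition `not in ("Autoconf", "Swarm", "Kubernetes", "Docker")` is broader than the old `== "Linux"`: any unrecognized or empty integration value now falls into the local `nginx -s reload` branch instead of the API path. If that is intended, a comment saying so helps; if not, keep an explicit allow-list. The same tuple is retyped at several sites in this commit, so it belongs in one shared module-level constant (a hypothetical `CONTAINER_INTEGRATIONS`) so the checks cannot drift apart.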

@ -6,6 +6,7 @@ from glob import glob
from os import (
_exit,
chmod,
environ,
getenv,
getpid,
listdir,
@ -105,7 +106,7 @@ def generate_custom_configs(
Path(dirname(tmp_path)).mkdir(parents=True, exist_ok=True)
Path(tmp_path).write_bytes(custom_config["data"])
if integration != "Linux":
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
logger.info("Sending custom configs to BunkerWeb")
ret = api_caller._send_files("/data/configs", "/custom_configs")
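Review bot: as in `JobScheduler.__reload`, this turns an explicit `== "Linux"` check into a deny-list, and the same tuple is repeated verbatim in `generate_external_plugins` just below; define it once at module level and reference it from both functions, and confirm that an unknown integration value taking the "local" branch (no files sent to BunkerWeb) is the behaviour you want.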
@ -136,7 +137,7 @@ def generate_external_plugins(
st = stat(job_file)
chmod(job_file, st.st_mode | S_IEXEC)
if integration != "Linux":
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
logger.info("Sending plugins to BunkerWeb")
ret = api_caller._send_files("/data/plugins", "/plugins")
@ -214,13 +215,6 @@ if __name__ == "__main__":
"Kubernetes",
"Autoconf",
):
# err = db.set_autoconf_load(False)
# if err:
# success = False
# logger.error(
# f"Can't set autoconf loaded metadata to false in database: {err}",
# )
while not db.is_autoconf_loaded():
logger.warning(
"Autoconf is not loaded yet in the database, retrying in 5s ...",
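Review bot: with the commented-out `db.set_autoconf_load(False)` block gone, nothing visible in this hunk resets the autoconf-loaded flag before the `while not db.is_autoconf_loaded()` wait; if the flag persists in the database from a previous run, the loop passes immediately and the scheduler starts before autoconf has pushed the current configuration. Confirm the flag is cleared elsewhere (or is not persisted across restarts), otherwise keep a reset here instead of removing the idea entirely.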
@ -327,7 +321,7 @@ if __name__ == "__main__":
while True:
# Instantiate scheduler
scheduler = JobScheduler(
env=deepcopy(env),
env=deepcopy(env) | environ,
apis=api_caller._get_apis(),
logger=logger,
integration=integration,
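Review bot: in `env=deepcopy(env) | environ` the right-hand operand wins on key collisions, so any variable present in the scheduler process environment silently overrides the value loaded into `env` from the database. If the intent is only to supply variables that `env` lacks, reverse the operands (`environ | deepcopy(env)`) or merge explicitly; either way, document the precedence, because it decides which configuration source is authoritative for the jobs. The `|` operator on `os.environ` also requires Python 3.9 or later, which should be stated if it is a new floor.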
@ -383,7 +377,7 @@ if __name__ == "__main__":
logger.info("Successfully sent /data/cache folder")
# restart nginx
if integration == "Linux":
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
# Stop temp nginx
logger.info("Stopping temp nginx ...")
proc = subprocess_run(
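Review bot: this is the third site where `("Autoconf", "Swarm", "Kubernetes", "Docker")` replaces an `== "Linux"` check; beyond the duplication noted earlier, this branch stops a temporary nginx process, so an unexpected integration string now causes a local process stop rather than an API call. A single shared constant plus an explicit comment on the fall-through semantics would make that choice reviewable.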
@ -467,7 +461,7 @@ if __name__ == "__main__":
# reload nginx
logger.info("Reloading nginx ...")
if integration == "Linux":
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
# Reloading the nginx server.
proc = subprocess_run(
# Reload nginx
@ -484,10 +478,6 @@ if __name__ == "__main__":
)
else:
need_reload = True
# if api_caller._send_to_apis("POST", "/reload"):
# logger.info("Successfully reloaded nginx")
# else:
# logger.error("Error while reloading nginx")
# check if the plugins have changed since last time
tmp_external_plugins = db.get_plugins(external=True)

@ -49,9 +49,6 @@ RUN apk add --no-cache bash && \
chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
VOLUME /data /etc/nginx
EXPOSE 7000
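Review bot: same point as for the scheduler Dockerfile: removing the `libcrypto3`/`libssl3` version floor is only safe if the base image already ships at least 3.0.8-r2; otherwise pin the base image by digest or keep the floor so the CVE fix does not regress on rebuild.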

@ -3,6 +3,7 @@
<a
href="https://github.com/bunkerity/bunkerweb"
class="dark:brightness-110 max-h-none sm:max-h-28 hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border"
target="_blank"
>
<!-- text -->
<div>
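Review bot: the anchor gains `target="_blank"` but no `rel` attribute; add `rel="noopener noreferrer"` so the opened GitHub page cannot reach `window.opener` in browsers that do not imply noopener for `_blank`, and so the UI's URL is not sent as referrer.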
@ -139,7 +140,7 @@
<!-- stats card-->
<a
href="{% if current_endpoint == 'services' %}javascript:void(0){% else %}loading?next={{ url_for('services') }}{% endif %}"
href="{% if current_endpoint == 'services' %}javascript:void(0){% else %}loading?next={{ url_for('plugins') }}{% endif %}"
class="dark:brightness-110 max-h-none sm:max-h-28 h-full hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border"
>
<!-- text -->
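Review bot: the `href` now points at `url_for('plugins')`, but the guard still compares `current_endpoint == 'services'`, so on the plugins page this card links to itself and on the services page it is disabled for the wrong reason; change the comparison to `'plugins'` so the disabled state matches the new destination.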