Merge branch 'dev' into ui
commit
860cc1a924
|
@ -0,0 +1,128 @@
|
|||
# Contributor Covenant Code of Conduct
|
||||
|
||||
## Our Pledge
|
||||
|
||||
We as members, contributors, and leaders pledge to make participation in our
|
||||
community a harassment-free experience for everyone, regardless of age, body
|
||||
size, visible or invisible disability, ethnicity, sex characteristics, gender
|
||||
identity and expression, level of experience, education, socio-economic status,
|
||||
nationality, personal appearance, race, religion, or sexual identity
|
||||
and orientation.
|
||||
|
||||
We pledge to act and interact in ways that contribute to an open, welcoming,
|
||||
diverse, inclusive, and healthy community.
|
||||
|
||||
## Our Standards
|
||||
|
||||
Examples of behavior that contributes to a positive environment for our
|
||||
community include:
|
||||
|
||||
* Demonstrating empathy and kindness toward other people
|
||||
* Being respectful of differing opinions, viewpoints, and experiences
|
||||
* Giving and gracefully accepting constructive feedback
|
||||
* Accepting responsibility and apologizing to those affected by our mistakes,
|
||||
and learning from the experience
|
||||
* Focusing on what is best not just for us as individuals, but for the
|
||||
overall community
|
||||
|
||||
Examples of unacceptable behavior include:
|
||||
|
||||
* The use of sexualized language or imagery, and sexual attention or
|
||||
advances of any kind
|
||||
* Trolling, insulting or derogatory comments, and personal or political attacks
|
||||
* Public or private harassment
|
||||
* Publishing others' private information, such as a physical or email
|
||||
address, without their explicit permission
|
||||
* Other conduct which could reasonably be considered inappropriate in a
|
||||
professional setting
|
||||
|
||||
## Enforcement Responsibilities
|
||||
|
||||
Community leaders are responsible for clarifying and enforcing our standards of
|
||||
acceptable behavior and will take appropriate and fair corrective action in
|
||||
response to any behavior that they deem inappropriate, threatening, offensive,
|
||||
or harmful.
|
||||
|
||||
Community leaders have the right and responsibility to remove, edit, or reject
|
||||
comments, commits, code, wiki edits, issues, and other contributions that are
|
||||
not aligned to this Code of Conduct, and will communicate reasons for moderation
|
||||
decisions when appropriate.
|
||||
|
||||
## Scope
|
||||
|
||||
This Code of Conduct applies within all community spaces, and also applies when
|
||||
an individual is officially representing the community in public spaces.
|
||||
Examples of representing our community include using an official e-mail address,
|
||||
posting via an official social media account, or acting as an appointed
|
||||
representative at an online or offline event.
|
||||
|
||||
## Enforcement
|
||||
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
||||
reported to the community leaders responsible for enforcement at
|
||||
contact@bunkerity.com.
|
||||
All complaints will be reviewed and investigated promptly and fairly.
|
||||
|
||||
All community leaders are obligated to respect the privacy and security of the
|
||||
reporter of any incident.
|
||||
|
||||
## Enforcement Guidelines
|
||||
|
||||
Community leaders will follow these Community Impact Guidelines in determining
|
||||
the consequences for any action they deem in violation of this Code of Conduct:
|
||||
|
||||
### 1. Correction
|
||||
|
||||
**Community Impact**: Use of inappropriate language or other behavior deemed
|
||||
unprofessional or unwelcome in the community.
|
||||
|
||||
**Consequence**: A private, written warning from community leaders, providing
|
||||
clarity around the nature of the violation and an explanation of why the
|
||||
behavior was inappropriate. A public apology may be requested.
|
||||
|
||||
### 2. Warning
|
||||
|
||||
**Community Impact**: A violation through a single incident or series
|
||||
of actions.
|
||||
|
||||
**Consequence**: A warning with consequences for continued behavior. No
|
||||
interaction with the people involved, including unsolicited interaction with
|
||||
those enforcing the Code of Conduct, for a specified period of time. This
|
||||
includes avoiding interactions in community spaces as well as external channels
|
||||
like social media. Violating these terms may lead to a temporary or
|
||||
permanent ban.
|
||||
|
||||
### 3. Temporary Ban
|
||||
|
||||
**Community Impact**: A serious violation of community standards, including
|
||||
sustained inappropriate behavior.
|
||||
|
||||
**Consequence**: A temporary ban from any sort of interaction or public
|
||||
communication with the community for a specified period of time. No public or
|
||||
private interaction with the people involved, including unsolicited interaction
|
||||
with those enforcing the Code of Conduct, is allowed during this period.
|
||||
Violating these terms may lead to a permanent ban.
|
||||
|
||||
### 4. Permanent Ban
|
||||
|
||||
**Community Impact**: Demonstrating a pattern of violation of community
|
||||
standards, including sustained inappropriate behavior, harassment of an
|
||||
individual, or aggression toward or disparagement of classes of individuals.
|
||||
|
||||
**Consequence**: A permanent ban from any sort of public interaction within
|
||||
the community.
|
||||
|
||||
## Attribution
|
||||
|
||||
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
|
||||
version 2.0, available at
|
||||
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
|
||||
|
||||
Community Impact Guidelines were inspired by [Mozilla's code of conduct
|
||||
enforcement ladder](https://github.com/mozilla/diversity).
|
||||
|
||||
[homepage]: https://www.contributor-covenant.org
|
||||
|
||||
For answers to common questions about this code of conduct, see the FAQ at
|
||||
https://www.contributor-covenant.org/faq. Translations are available at
|
||||
https://www.contributor-covenant.org/translations.
|
230
docs/web-ui.md
|
@ -82,7 +82,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
* replace the `/changeme` URL with a custom one of your choice
|
||||
* the `bunkerweb.INSTANCE` label is mandatory
|
||||
|
||||
The web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
The web UI and the Scheduler will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
|
||||
To connect the docker socket proxy and the web UI, you will need another network :
|
||||
```shell
|
||||
|
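Review bot: the rewritten sentence now lists the Scheduler as a Docker API client, but the risk statement after it still reads "if the web UI is exploited" and the closing parenthesis still says the read-only endpoints "will be available to the web UI container". Both should cover every container that is given `DOCKER_HOST` or the socket, otherwise readers will assume only the web UI needs to sit behind the socket proxy. The same wording is carried into the Autoconf and Swarm variants of this paragraph further down.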
@ -236,7 +236,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
|
||||
* the `bunkerweb.INSTANCE` label is mandatory
|
||||
|
||||
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
The Autoconf, the Scheduler and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
|
||||
To connect the docker socket proxy and the web UI, you will need another network :
|
||||
```shell
|
||||
|
@ -271,6 +271,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
--network bw-universe \
|
||||
-v bw-data:/data \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375 \
|
||||
-e AUTOCONF_MODE=yes \
|
||||
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
|
||||
docker network connect bw-docker bw-scheduler
|
||||
```
|
||||
|
@ -282,6 +283,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
--network bw-universe \
|
||||
-v bw-data:/data \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375 \
|
||||
-e AUTOCONF_MODE=yes \
|
||||
-e ADMIN_USERNAME=admin \
|
||||
-e ADMIN_PASSWORD=changeme \
|
||||
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
|
||||
|
@ -320,7 +322,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- SERVER_NAME=
|
||||
- MULTISITE=yes
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
- AUTOCONF_MODE=yes
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
@ -369,7 +370,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
|
||||
- ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=bwadm.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
|
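Review bot: `ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/` in the compose `environment` list can no longer be copied as is, since `http(s)` is not a URI scheme and the container receives the string literally. Keep a concrete scheme in the example (preferably `https://`) and explain the http/https choice in the notes under the block. The `docker run` examples pass the same value unquoted, where the parentheses are also shell syntax.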
@ -403,27 +404,36 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
|
||||
```shell
|
||||
docker network create --subnet 10.20.30.0/24 bw-universe && \
|
||||
docker network create bw-services
|
||||
docker network create -d overlay --attachable --subnet 10.20.30.0/24 bw-universe && \
|
||||
docker network create -d overlay --attachable bw-services
|
||||
```
|
||||
|
||||
You will also need the data volume, which where BunkerWeb's data will be stored :
|
||||
Swarm will need a redis instance to work properly, you can use the [official redis image](https://hub.docker.com/_/redis) :
|
||||
```shell
|
||||
docker volume create bw-data
|
||||
docker service create \
|
||||
--name bw-redis \
|
||||
--constraint 'node.role == worker' \
|
||||
--network bw-universe \
|
||||
redis:7-alpine
|
||||
```
|
||||
|
||||
You can now create the BunkerWeb container, please note the special `bunkerweb.INSTANCE` label which is mandatory for the scheduler as well as the web UI to work properly :
|
||||
```shell
|
||||
docker run -d \
|
||||
--name bunkerweb \
|
||||
--network bw-universe \
|
||||
-p 80:8080 \
|
||||
-p 443:8443 \
|
||||
-e SERVER_NAME= \
|
||||
-e MULTISITE=yes \
|
||||
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
|
||||
-l bunkerweb.INSTANCE \
|
||||
bunkerity/bunkerweb:1.5.0-beta
|
||||
docker service create \
|
||||
--name bunkerweb \
|
||||
--mode global \
|
||||
--constraint 'node.role == worker' \
|
||||
--network bw-universe \
|
||||
--network bw-services \
|
||||
-p published=80,target=8080,mode=host \
|
||||
-p published=443,target=8443,mode=host \
|
||||
-e SERVER_NAME= \
|
||||
-e MULTISITE=yes \
|
||||
-e USE_REDIS=yes \
|
||||
-e REDIS_HOST=bw-redis \
|
||||
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
|
||||
-l "bunkerweb.INSTANCE" \
|
||||
bunkerity/bunkerweb:1.5.0-beta
|
||||
```
|
||||
|
||||
Important things to note :
|
||||
|
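Review bot: the `bw-redis` service is created with no authentication settings and is attached to `bw-universe`, which this same hunk now creates with `--attachable`, so any container that joins that overlay can read and write the Redis data BunkerWeb shares between instances. BunkerWeb itself is only given `USE_REDIS=yes` and `REDIS_HOST=bw-redis`. Consider a dedicated network for Redis that only the BunkerWeb service joins. The lead-in "You can now create the BunkerWeb container" also still says container although the command below it is now `docker service create`.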
@ -431,7 +441,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
|
||||
* the `bunkerweb.INSTANCE` label is mandatory
|
||||
|
||||
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
Swarm, the Scheduler and the web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
|
||||
|
||||
To connect the docker socket proxy and the web UI, you will need another network :
|
||||
```shell
|
||||
|
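Review bot: "Swarm, the Scheduler and the web UI will need to access the Docker API" names Swarm as if it were a component, where the previous text said "The Autoconf" and the commands that follow still create a `bw-autoconf` service with `DOCKER_HOST=tcp://bw-docker:2375`. Suggest "The Autoconf, the Scheduler and the web UI" here, and the same in the later "Swarm, the Scheduler and the web UI" sentences about the database.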
@ -440,43 +450,72 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
Once the network is created, you can now create the docker socket proxy container :
|
||||
```shell
|
||||
docker run -d \
|
||||
docker service create \
|
||||
--name bw-docker \
|
||||
--constraint 'node.role == manager' \
|
||||
--network bw-docker \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
|
||||
-e CONFIGS=1 \
|
||||
-e CONTAINERS=1 \
|
||||
-e SERVICES=1 \
|
||||
-e SWARM=1 \
|
||||
-e TASKS=1 \
|
||||
tecnativa/docker-socket-proxy
|
||||
```
|
||||
|
||||
You can then create the autoconf container connected to the docker socket proxy network :
|
||||
Swarm, the Scheduler and the web UI will also need to share data among them. We recommend using a dedicated database container for that purpose. For this example, we will use a [MariaDB](https://mariadb.org/) container :
|
||||
```shell
|
||||
docker run -d \
|
||||
--name bw-autoconf \
|
||||
--network bw-universe \
|
||||
-v bw-data:/data \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375 \
|
||||
bunkerity/bunkerweb-autoconf:1.5.0-beta && \
|
||||
docker network connect bw-docker bw-autoconf
|
||||
docker service create \
|
||||
--name bw-db \
|
||||
--network bw-docker \
|
||||
--mount type=volume,source=bw-data,destination=/var/lib/mysql \
|
||||
-e MYSQL_RANDOM_ROOT_PASSWORD=yes \
|
||||
-e MYSQL_DATABASE=db \
|
||||
-e MYSQL_USER=bunkerweb \
|
||||
-e MYSQL_PASSWORD=changeme \
|
||||
mariadb:10.10
|
||||
```
|
||||
|
||||
You can then create the scheduler container with the bw-data volume and the docker socket proxy network :
|
||||
Important things to note :
|
||||
|
||||
* For security purposes the database container should not be on the same network as the BunkerWeb container
|
||||
* Replace the password `changeme` with strong ones, the same password will be used in the url provided to Swarm, the Scheduler and the web UI
|
||||
* The URL provided to Swarm, the Scheduler and the web UI will be `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
|
||||
|
||||
You can then create the autoconf container connected to the database and the docker socket proxy network :
|
||||
```shell
|
||||
docker run -d \
|
||||
docker service create \
|
||||
--name bw-autoconf \
|
||||
--network bw-universe \
|
||||
--network bw-docker \
|
||||
-e SWARM_MODE=yes \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375
|
||||
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
|
||||
bunkerity/bunkerweb-autoconf:1.5.0-beta
|
||||
```
|
||||
|
||||
You can then create the scheduler container connected to the database and the docker socket proxy network :
|
||||
```shell
|
||||
docker service create \
|
||||
--name bw-scheduler \
|
||||
--network bw-universe \
|
||||
-v bw-data:/data \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375 \
|
||||
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
|
||||
docker network connect bw-docker bw-scheduler
|
||||
--network bw-docker \
|
||||
-e SWARM_MODE=yes \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375
|
||||
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
|
||||
bunkerity/bunkerweb-scheduler:1.5.0-beta
|
||||
```
|
||||
|
||||
We can finally create the web UI container :
|
||||
```shell
|
||||
docker run -d \
|
||||
docker service create \
|
||||
--name bw-ui \
|
||||
--network bw-universe \
|
||||
--network bw-docker \
|
||||
-v bw-data:/data \
|
||||
-e SWARM_MODE=yes \
|
||||
-e DOCKER_HOST=tcp://bw-docker:2375 \
|
||||
-e DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db \
|
||||
-e ADMIN_USERNAME=admin \
|
||||
-e ADMIN_PASSWORD=changeme \
|
||||
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
|
||||
|
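Review bot: in the new `bw-autoconf` and `bw-scheduler` commands the line `-e DOCKER_HOST=tcp://bw-docker:2375` has no trailing backslash, so `docker service create` ends there without an image name and the following `-e DATABASE_URI=...` line is run as a separate command. Add ` \` to both lines; the `bw-ui` command already has it. Separately, `MYSQL_PASSWORD=changeme` and the `DATABASE_URI` that embeds it are repeated literally in four commands; having the reader set the password once in a shell variable would make it less likely that the default survives a copy-paste.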
@ -488,8 +527,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
-l "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000" \
|
||||
-l "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
|
||||
-l "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504" \
|
||||
bunkerity/bunkerweb-ui:1.5.0-beta && \
|
||||
docker network connect bw-docker bw-ui
|
||||
bunkerity/bunkerweb-ui:1.5.0-beta
|
||||
```
|
||||
|
||||
Important things to note :
|
||||
|
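Review bot: the `bunkerweb.INTERCEPTED_ERROR_CODES` label in this command reads `400 401.5.0-beta 405 413 ...`, and `401.5.0-beta` is not an HTTP status code; it looks like a version-string replacement that hit the list. The `deploy.labels` form of this label in the stack file further down has `400 401 405 413 429 500 501 502 503 504`, so the two examples disagree. Fix the value here while the image line next to it is being edited.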
@ -507,36 +545,37 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0-beta
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE"
|
||||
- published: 80
|
||||
target: 8080
|
||||
mode: host
|
||||
protocol: tcp
|
||||
- published: 443
|
||||
target: 8443
|
||||
mode: host
|
||||
protocol: tcp
|
||||
environment:
|
||||
- SERVER_NAME=
|
||||
- MULTISITE=yes
|
||||
- USE_REDIS=yes
|
||||
- REDIS_HOST=bw-redis
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
- AUTOCONF_MODE=yes
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
deploy:
|
||||
mode: global
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role == worker"
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
|
||||
volumes:
|
||||
- bw-data:/data
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
|
||||
volumes:
|
||||
- bw-data:/data
|
||||
environment:
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- AUTOCONF_MODE=yes
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -546,34 +585,67 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONFIGS=1
|
||||
- CONTAINERS=1
|
||||
- SERVICES=1
|
||||
- SWARM=1
|
||||
- TASKS=1
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-db:
|
||||
image: mariadb:10.10
|
||||
environment:
|
||||
- MYSQL_RANDOM_ROOT_PASSWORD=yes
|
||||
- MYSQL_DATABASE=db
|
||||
- MYSQL_USER=bunkerweb
|
||||
- MYSQL_PASSWORD=changeme
|
||||
volumes:
|
||||
- bw-data:/var/lib/mysql
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-redis:
|
||||
image: redis:7-alpine
|
||||
networks:
|
||||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0-beta
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
aliases:
|
||||
- bw-ui
|
||||
volumes:
|
||||
- bw-data:/data
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=bwadm.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504"
|
||||
- ABSOLUTE_URI=http://bwadm.example.com/changeme
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
deploy:
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=bwadm.example.com
|
||||
- bunkerweb.USE_UI=yes
|
||||
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/changeme
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
- bunkerweb.INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
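Review bot: `bw-db` is attached only to `bw-docker`, the network that carries the socket proxy at `tcp://bw-docker:2375`, so the MariaDB container can reach the proxied Docker API and every Docker API client can reach the database. The CLI section says the database should not share a network with BunkerWeb; the same reasoning argues for a separate database network, joined only by the services that use `DATABASE_URI`, rather than reusing `bw-docker`. Also, the two `ABSOLUTE_URI` lines for `bw-ui` in this hunk differ in the trailing slash (`.../changeme/` and `.../changeme`), and neither matches the `http(s)://` form used in the other examples.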
@ -581,15 +653,19 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
networks:
|
||||
bw-universe:
|
||||
name: bw-universe
|
||||
driver: overlay
|
||||
attachable: true
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
name: bw-services
|
||||
driver: overlay
|
||||
attachable: true
|
||||
bw-docker:
|
||||
name: bw-docker
|
||||
|
||||
driver: overlay
|
||||
attachable: true
|
||||
```
|
||||
|
||||
=== "Kubernetes"
|
||||
|
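Review bot: `bw-docker` is declared with `attachable: true` like `bw-universe` and `bw-services`. It is the network on which the socket proxy and the database listen, and the consumers defined in this stack file are Swarm services, so it does not need to accept standalone containers; leaving it non-attachable keeps a plain `docker run --network bw-docker` from reaching the Docker API proxy.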
|
|
@ -30,6 +30,7 @@ theme:
|
|||
- navigation.tabs
|
||||
- navigation.tabs.sticky
|
||||
- toc.integrate
|
||||
- content.code.copy
|
||||
custom_dir: docs/overrides
|
||||
|
||||
extra_css:
|
||||
|
@ -48,7 +49,7 @@ markdown_extensions:
|
|||
emoji_index: !!python/name:materialx.emoji.twemoji
|
||||
emoji_generator: !!python/name:materialx.emoji.to_svg
|
||||
|
||||
copyright: Copyright © 2022 Bunkerity
|
||||
copyright: Copyright © <script>document.write(new Date().getFullYear())</script> Bunkerity
|
||||
extra:
|
||||
version:
|
||||
provider: mike
|
||||
|
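Review bot: the new `copyright` value embeds `<script>document.write(new Date().getFullYear())</script>`, which puts an inline script on every documentation page. It will be blocked by any Content-Security-Policy that does not allow `'unsafe-inline'` scripts, and readers without JavaScript get the copyright line with no year. Prefer a static year or year range, or fill the year in at build time.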
|
|
@ -53,9 +53,6 @@ RUN apk add --no-cache bash && \
|
|||
chown root:nginx /var/log/letsencrypt /var/lib/letsencrypt && \
|
||||
chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
WORKDIR /usr/share/bunkerweb/autoconf
|
||||
|
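Review bot: the "Fix CVEs" step, `RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"`, is dropped with nothing in the hunk showing that the base image already ships those versions. Please state in the commit message or a comment which base image tag makes the version floor unnecessary, or keep the constraint until an image scan confirms it. The same applies to the later Dockerfile hunk that drops the floors for `curl`, `libcurl`, `libcrypto1.1` and `libssl1.1`.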
|
|
@ -42,12 +42,11 @@ COPY src/common/helpers /usr/share/bunkerweb/helpers
|
|||
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
|
||||
COPY src/common/utils /usr/share/bunkerweb/utils
|
||||
COPY src/VERSION /usr/share/bunkerweb/VERSION
|
||||
COPY misc/*.ascii /usr/share/bunkerweb
|
||||
COPY misc/*.ascii /usr/share/bunkerweb/
|
||||
|
||||
# Install runtime dependencies, pypi packages, move bwcli, create data folders and set permissions
|
||||
RUN apk add --no-cache pcre bash python3 && \
|
||||
cp /usr/share/bunkerweb/helpers/bwcli /usr/bin/ && \
|
||||
echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
|
||||
mkdir -p /var/tmp/bunkerweb && \
|
||||
mkdir -p /var/www/html && \
|
||||
mkdir -p /etc/bunkerweb && \
|
||||
|
@ -71,11 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
|
|||
ln -s /proc/1/fd/2 /var/log/nginx/error.log && \
|
||||
ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log && \
|
||||
ln -s /proc/1/fd/1 /var/log/nginx/access.log && \
|
||||
ln -s /proc/1/fd/1 /var/log/nginx/jobs.log && \
|
||||
chmod 660 /usr/share/bunkerweb/INTEGRATION
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "curl>=7.83.1-r6" "libcrypto1.1>=1.1.1t-r1" "libcurl>=7.83.1-r6" "libssl1.1>=1.1.1t-r1" "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
|
||||
ln -s /proc/1/fd/1 /var/log/nginx/jobs.log
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
|
|
|
@ -35,14 +35,6 @@ function trap_reload() {
|
|||
}
|
||||
trap "trap_reload" HUP
|
||||
|
||||
if [ "$SWARM_MODE" == "yes" ] ; then
|
||||
echo "Swarm" > /usr/share/bunkerweb/INTEGRATION
|
||||
elif [ "$KUBERNETES_MODE" == "yes" ] ; then
|
||||
echo "Kubernetes" > /usr/share/bunkerweb/INTEGRATION
|
||||
elif [ "$AUTOCONF_MODE" == "yes" ] ; then
|
||||
echo "Autoconf" > /usr/share/bunkerweb/INTEGRATION
|
||||
fi
|
||||
|
||||
if [ -f "/etc/nginx/variables.env" ] ; then
|
||||
log "ENTRYPOINT" "⚠️ " "Looks like BunkerWeb has already been loaded, will not generate temp config"
|
||||
else
|
||||
|
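Review bot: the `SWARM_MODE` / `KUBERNETES_MODE` / `AUTOCONF_MODE` block that wrote "Swarm", "Kubernetes" or "Autoconf" to `/usr/share/bunkerweb/INTEGRATION` is removed here, while `helpers.fill_ctx` in this same commit still calls `utils.get_integration()`. Nothing in these hunks shows where the integration name now comes from; please point to the replacement or confirm that `get_integration()` no longer reads that file.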
@ -63,4 +55,4 @@ while [ -f "/var/tmp/bunkerweb/nginx.pid" ] ; do
|
|||
done
|
||||
|
||||
log "ENTRYPOINT" "ℹ️" "BunkerWeb stopped"
|
||||
exit 0
|
||||
exit 0
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
local utils = require "bunkerweb.utils"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local helpers = {}
|
||||
|
@ -84,4 +85,42 @@ helpers.call_plugin = function(plugin, method)
|
|||
return true, ret
|
||||
end
|
||||
|
||||
helpers.fill_ctx = function()
|
||||
-- Check if ctx is already filled
|
||||
if ngx.ctx.bw then
|
||||
return true, "already filled"
|
||||
end
|
||||
-- Return errors as table
|
||||
local errors = {}
|
||||
-- Instantiate bw table
|
||||
local data = {}
|
||||
-- Common vars
|
||||
data.kind = "http"
|
||||
if not ngx.shared.cachestore then
|
||||
data.kind = "stream"
|
||||
end
|
||||
data.ip = ngx.var.remote_addr
|
||||
data.uri = ngx.var.uri
|
||||
data.original_uri = ngx.var.original_uri
|
||||
data.user_agent = ngx.var.http_user_agent
|
||||
-- IP data : global
|
||||
local ip_is_global, err = utils.ip_is_global(data.ip)
|
||||
if ip_is_global == nil then
|
||||
table.insert(errors, "can't check if IP is global : " .. err)
|
||||
else
|
||||
data.ip_is_global = ip_is_global
|
||||
end
|
||||
-- IP data : v4 / v6
|
||||
data.ip_is_ipv4 = utils.is_ipv4(data.ip)
|
||||
data.ip_is_ipv6 = utils.is_ipv6(data.ip)
|
||||
-- Misc info
|
||||
data.integration = utils.get_integration()
|
||||
data.version = utils.get_version()
|
||||
-- Plugins
|
||||
data.plugins = {}
|
||||
-- Fill ctx
|
||||
ngx.ctx.bw = data
|
||||
return true, "ctx filled", errors
|
||||
end
|
||||
|
||||
return helpers
|
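Review bot: when `utils.ip_is_global` fails, `fill_ctx` only appends to `errors`, leaves `data.ip_is_global` as nil and still returns `true`, so any later `if ngx.ctx.bw.ip_is_global` test treats a failed lookup exactly like a non-global address. Either return `false` when `errors` is non-empty or make sure callers check the third return value. The early exit `return true, "already filled"` also returns two values where the normal path returns three, so a caller that iterates over `errors` has to handle nil.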
|
@ -1,67 +1,35 @@
|
|||
local cdatastore = require "bunkerweb.datastore"
|
||||
local ipmatcher = require "resty.ipmatcher"
|
||||
local cjson = require "cjson"
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local mmdb = require "bunkerweb.mmdb"
|
||||
local clogger = require "bunkerweb.logger"
|
||||
|
||||
local ipmatcher = require "resty.ipmatcher"
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local session = require "resty.session"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local logger = clogger:new("UTILS")
|
||||
local datastore = cdatastore:new()
|
||||
local logger = clogger:new("UTILS")
|
||||
local datastore = cdatastore:new()
|
||||
|
||||
local utils = {}
|
||||
|
||||
utils.set_values = function()
|
||||
local reserved_ips = {
|
||||
"0.0.0.0/8",
|
||||
"10.0.0.0/8",
|
||||
"100.64.0.0/10",
|
||||
"127.0.0.0/8",
|
||||
"169.254.0.0/16",
|
||||
"172.16.0.0/12",
|
||||
"192.0.0.0/24",
|
||||
"192.88.99.0/24",
|
||||
"192.168.0.0/16",
|
||||
"198.18.0.0/15",
|
||||
"198.51.100.0/24",
|
||||
"203.0.113.0/24",
|
||||
"224.0.0.0/4",
|
||||
"233.252.0.0/24",
|
||||
"240.0.0.0/4",
|
||||
"255.255.255.255/32"
|
||||
}
|
||||
local ok, err = datastore:set("misc_reserved_ips", cjson.encode({ data = reserved_ips }))
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
|
||||
if not var_resolvers then
|
||||
return false, err
|
||||
end
|
||||
local list_resolvers = {}
|
||||
for str_resolver in var_resolvers:gmatch("%S+") do
|
||||
table.insert(list_resolvers, str_resolver)
|
||||
end
|
||||
ok, err = datastore:set("misc_resolvers", cjson.encode(list_resolvers))
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
return true, "success"
|
||||
end
|
||||
local utils = {}
|
||||
|
||||
utils.get_variable = function(var, site_search)
|
||||
-- Default site search to true
|
||||
if site_search == nil then
|
||||
site_search = true
|
||||
end
|
||||
-- Get global value
|
||||
local value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "Can't access variable " .. var .. " from datastore : " .. err
|
||||
return nil, "can't access variable " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Site search case
|
||||
if site_search then
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "Can't access variable MULTISITE from datastore : " .. err
|
||||
return nil, "can't access variable MULTISITE from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" and ngx.var.server_name then
|
||||
local value_site, err = datastore:get("variable_" .. ngx.var.server_name .. "_" .. var)
|
||||
if value_site then
|
||||
|
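Review bot: `utils.set_values` is the only code shown that writes `misc_reserved_ips` and `misc_resolvers` to the datastore, and this hunk (67 lines down to 35) appears to remove it without a visible replacement. `helpers.fill_ctx` depends on `utils.ip_is_global`, so please confirm where the reserved ranges and the resolver list are loaded now. Minor: the messages in `get_variable` are lowercased to "can't access variable" while `has_variable` and `has_not_variable` keep "Can't access variable".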
@ -73,19 +41,23 @@ utils.get_variable = function(var, site_search)
|
|||
end
|
||||
|
||||
utils.has_variable = function(var, value)
|
||||
-- Get global variable
|
||||
local check_value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "Can't access variable " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "Can't access variable MULTISITE from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" then
|
||||
local servers, err = datastore:get("variable_SERVER_NAME")
|
||||
if not servers then
|
||||
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
|
||||
end
|
||||
-- Check each server
|
||||
for server in servers:gmatch("%S+") do
|
||||
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
|
||||
if check_value_site and check_value_site == value then
|
||||
|
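Review bot: in `utils.has_variable` the result of `datastore:get("variable_" .. var)` is stored in `check_value`, but the guard is `if not value then`, which tests the caller's argument instead. A failed lookup is never caught, and a nil or false `value` argument takes the error path even when the lookup succeeded. The guard should be `if not check_value then`. `utils.has_not_variable` in the next hunk has the same test.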
@ -98,19 +70,23 @@ utils.has_variable = function(var, value)
|
|||
end
|
||||
|
||||
utils.has_not_variable = function(var, value)
|
||||
-- Get global variable
|
||||
local check_value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "Can't access variable " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "Can't access variable MULTISITE from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" then
|
||||
local servers, err = datastore:get("variable_SERVER_NAME")
|
||||
if not servers then
|
||||
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
|
||||
end
|
||||
-- Check each server
|
||||
for server in servers:gmatch("%S+") do
|
||||
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
|
||||
if check_value_site and check_value_site ~= value then
|
||||
|
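Review bot: `utils.has_not_variable` guards the global lookup with `if not value then` although the result was stored in `check_value`. When the datastore read fails, `check_value` is nil and the function falls through to `return check_value ~= value, "success"`, which reports true for any non-nil `value`. Test `check_value` instead, so a datastore error is returned as an error rather than as a positive answer.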
@ -122,11 +98,15 @@ utils.has_not_variable = function(var, value)
|
|||
return check_value ~= value, "success"
|
||||
end
|
||||
|
||||
function utils.get_multiple_variables(vars)
|
||||
utils.get_multiple_variables = function(vars)
|
||||
-- Get all keys
|
||||
local keys = datastore:keys()
|
||||
local result = {}
|
||||
-- Loop on keys
|
||||
for i, key in ipairs(keys) do
|
||||
-- Loop on vars
|
||||
for j, var in ipairs(vars) do
|
||||
-- Filter on good ones
|
||||
local _, _, server, subvar = key:find("variable_(.*)_?(" .. var .. "_?%d*)")
|
||||
if subvar then
|
||||
if not server or server == "" then
|
||||
|
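Review bot: the key filter `key:find("variable_(.*)_?(" .. var .. "_?%d*)")` in `utils.get_multiple_variables` is unanchored and interpolates `var` into the Lua pattern unescaped. A requested name therefore also matches any key that merely ends with or contains it, pattern magic characters in `var` are interpreted, and the greedy `(.*)` takes the separator underscore with it, so `server` arrives with a trailing `_` unless the lines after this hunk strip it. Anchor the pattern with `^variable_` and `$`, escape `var` (for example with `var:gsub("%p", "%%%0")`), and capture the server name without the separator.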
@ -149,10 +129,12 @@ function utils.get_multiple_variables(vars)
|
|||
end
|
||||
|
||||
utils.is_ip_in_networks = function(ip, networks)
|
||||
-- Instantiate ipmatcher
|
||||
local ipm, err = ipmatcher.new(networks)
|
||||
if not ipm then
|
||||
return nil, "can't instantiate ipmatcher : " .. err
|
||||
end
|
||||
-- Match
|
||||
local matched, err = ipm:match(ip)
|
||||
if err then
|
||||
return nil, "can't check ip : " .. err
|
||||
|
@ -169,18 +151,31 @@ utils.is_ipv6 = function(ip)
|
|||
end
|
||||
|
||||
utils.ip_is_global = function(ip)
|
||||
local data, err = datastore:get("misc_reserved_ips")
|
||||
if not data then
|
||||
return nil, "can't get reserved ips : " .. err
|
||||
end
|
||||
local ok, reserved_ips = pcall(cjson.decode, data)
|
||||
if not ok then
|
||||
return nil, "can't decode json : " .. reserved_ips
|
||||
end
|
||||
-- Reserved, non public IPs
|
||||
local reserved_ips = {
|
||||
"0.0.0.0/8",
|
||||
"10.0.0.0/8",
|
||||
"100.64.0.0/10",
|
||||
"127.0.0.0/8",
|
||||
"169.254.0.0/16",
|
||||
"172.16.0.0/12",
|
||||
"192.0.0.0/24",
|
||||
"192.88.99.0/24",
|
||||
"192.168.0.0/16",
|
||||
"198.18.0.0/15",
|
||||
"198.51.100.0/24",
|
||||
"203.0.113.0/24",
|
||||
"224.0.0.0/4",
|
||||
"233.252.0.0/24",
|
||||
"240.0.0.0/4",
|
||||
"255.255.255.255/32"
|
||||
}
|
||||
-- Instantiate ipmatcher
|
||||
local ipm, err = ipmatcher.new(reserved_ips)
|
||||
if not ipm then
|
||||
return nil, "can't instantiate ipmatcher : " .. err
|
||||
end
|
||||
-- Match
|
||||
local matched, err = ipm:match(ip)
|
||||
if err then
|
||||
return nil, "can't check ip : " .. err
|
||||
|
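Review bot: the `reserved_ips` table now inlined in `utils.ip_is_global` contains IPv4 ranges only, so no IPv6 address can match it, including loopback `::1`, unique-local `fc00::/7` and link-local `fe80::/10`. If this function is reached with IPv6 clients, add the reserved IPv6 ranges or handle that family explicitly using `utils.is_ipv6`. Since the list is now a constant, the table and the `ipmatcher.new(reserved_ips)` call can also move to module scope instead of being rebuilt on every call.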
@ -189,32 +184,49 @@ utils.ip_is_global = function(ip)
|
|||
end
|
||||
|
||||
utils.get_integration = function()
|
||||
-- Check if already in datastore
|
||||
local integration, err = datastore:get("misc_integration")
|
||||
if integration then
|
||||
return integration
|
||||
end
|
||||
-- Swarm
|
||||
local var, err = datastore:get("variable_SWARM_MODE")
|
||||
if var == "yes" then
|
||||
integration = "swarm"
|
||||
else
|
||||
-- Kubernetes
|
||||
local var, err = datastore:get("variable_KUBERNETES_MODE")
|
||||
if var == "yes" then
|
||||
integration = "kubernetes"
|
||||
else
|
||||
local f, err = io.open("/etc/os-release", "r")
|
||||
if f then
|
||||
local data = f:read("*a")
|
||||
if data:find("Alpine") then
|
||||
integration = "docker"
|
||||
else
|
||||
integration = "unknown"
|
||||
end
|
||||
f:close()
|
||||
-- Autoconf
|
||||
local var, err = datastore:get("variable_AUTOCONF_MODE")
|
||||
if var == "yes" then
|
||||
integration = "autoconf"
|
||||
else
|
||||
integration = "unknown"
|
||||
-- Already present (e.g. : linux)
|
||||
local f, err = io.open("/usr/share/bunkerweb/INTEGRATION", "r")
|
||||
if f then
|
||||
integration = f:read("*a"):gsub("[\n\r]", "")
|
||||
f:close()
|
||||
else
|
||||
local f, err = io.open("/etc/os-release", "r")
|
||||
if f then
|
||||
local data = f:read("*a")
|
||||
f:close()
|
||||
-- Docker
|
||||
if data:find("Alpine") then
|
||||
integration = "docker"
|
||||
end
|
||||
-- Strange case ...
|
||||
else
|
||||
integration = "unknown"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
-- Save integration
|
||||
local ok, err = datastore:set("misc_integration", integration)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't cache integration to datastore : " .. err)
|
||||
|
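Review bot: in the `/etc/os-release` branch of `utils.get_integration`, `integration` stays nil when the file opens but does not contain "Alpine", because the `integration = "unknown"` fallback sits only in the `else` of `if f then`. That nil is then passed to `datastore:set("misc_integration", integration)` and returned to the caller. Add an explicit fallback after the Alpine check; the Python `get_integration` on this page returns "linux" in that situation and lowercases the INTEGRATION file contents, and the Lua side should agree with it on both.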
@ -223,17 +235,20 @@ utils.get_integration = function()
|
|||
end
|
||||
|
||||
utils.get_version = function()
|
||||
-- Check if already in datastore
|
||||
local version, err = datastore:get("misc_version")
|
||||
if version then
|
||||
return version
|
||||
end
|
||||
-- Read VERSION file
|
||||
local f, err = io.open("/usr/share/bunkerweb/VERSION", "r")
|
||||
if not f then
|
||||
logger:log(ngx.ERR, "can't read VERSION file : " .. err)
|
||||
return "unknown"
|
||||
return nil
|
||||
end
|
||||
version = f:read("*a")
|
||||
version = f:read("*a"):gsub("[\n\r]", "")
|
||||
f:close()
|
||||
-- Save it to datastore
|
||||
local ok, err = datastore:set("misc_version", version)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't cache version to datastore : " .. err)
|
||||
|
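Review bot: the VERSION failure path in `utils.get_version` shows `return "unknown"` next to `return nil`. If nil is the new return value, it comes without the second error value that the other helpers in this file return (`return nil, "can't ..."`), and any caller that concatenates the version into a string will raise. Either keep a string sentinel or return `nil, err` and document the contract in the comment above the function.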
@ -242,28 +257,62 @@ utils.get_version = function()
|
|||
end
|
||||
|
||||
utils.get_reason = function()
|
||||
-- ngx.ctx
|
||||
if ngx.ctx.reason then
|
||||
return ngx.ctx.reason
|
||||
end
|
||||
-- ngx.var
|
||||
if ngx.var.reason and ngx.var.reason ~= "" then
|
||||
return ngx.var.reason
|
||||
end
|
||||
-- os.getenv
|
||||
if os.getenv("REASON") == "modsecurity" then
|
||||
return "modsecurity"
|
||||
end
|
||||
-- datastore ban
|
||||
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
|
||||
if banned then
|
||||
return banned
|
||||
end
|
||||
-- unknown
|
||||
if ngx.status == utils.get_deny_status() then
|
||||
return "unknown"
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
utils.get_rdns = function(ip)
|
||||
utils.get_resolvers = function()
|
||||
-- Get resolvers from datastore if existing
|
||||
local str_resolvers, err = datastore:get("misc_resolvers")
|
||||
if not str_resolvers then
|
||||
if str_resolvers then
|
||||
return cjson.decode(str_resolvers)
|
||||
end
|
||||
-- Otherwise extract DNS_RESOLVERS variable
|
||||
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
|
||||
if not var_resolvers then
|
||||
logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
|
||||
return nil, err
|
||||
end
|
||||
-- Make table for resolver1 resolver2 ... string
|
||||
local resolvers = {}
|
||||
for str_resolver in var_resolvers:gmatch("%S+") do
|
||||
table.insert(resolvers, str_resolver)
|
||||
end
|
||||
-- Add it to the datastore
|
||||
local ok, err = datastore:set("misc_resolvers", cjson.encode(resolvers))
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save misc_resolvers to datastore : " .. err)
|
||||
end
|
||||
return resolvers
|
||||
end
|
||||
|
||||
utils.get_rdns = function(ip)
|
||||
-- Get resolvers
|
||||
local resolvers, err = utils.get_resolvers()
|
||||
if not resolvers then
|
||||
return false, err
|
||||
end
|
||||
local resolvers = cjson.decode(str_resolvers)
|
||||
-- Instantiate resolver
|
||||
local rdns, err = resolver:new {
|
||||
nameservers = resolvers,
|
||||
retrans = 1,
|
||||
|
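Review bot: `utils.get_resolvers` treats an empty or whitespace-only DNS_RESOLVERS as success. `if not var_resolvers then` only catches nil, the `gmatch("%S+")` loop then inserts nothing, and the empty table is cached under `misc_resolvers` and handed to `resolver:new` by `get_rdns`. Return an error when `#resolvers == 0` and skip the `datastore:set` in that case. The cached-value path also calls `cjson.decode(str_resolvers)` without `pcall`, unlike the decode in `ip_is_global`, so a malformed cache entry would raise in the request path.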
@ -272,6 +321,7 @@ utils.get_rdns = function(ip)
|
|||
if not rdns then
|
||||
return false, err
|
||||
end
|
||||
-- Do rDNS query
|
||||
local answers, err = rdns:reverse_query(ip)
|
||||
if not answers then
|
||||
return false, err
|
||||
|
@ -279,6 +329,7 @@ utils.get_rdns = function(ip)
|
|||
if answers.errcode then
|
||||
return false, answers.errstr
|
||||
end
|
||||
-- Return first element
|
||||
for i, answer in ipairs(answers) do
|
||||
if answer.ptrdname then
|
||||
return answer.ptrdname, "success"
|
||||
|
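Review bot: the new `-- Return first element` comment in `utils.get_rdns` should also document that `answer.ptrdname` is returned unverified. The value is whatever the owner of the reverse zone publishes, so callers that base an allow decision on it need to confirm it forward with `utils.get_ips` and compare the result against the client address.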
@ -288,11 +339,12 @@ utils.get_rdns = function(ip)
|
|||
end
|
||||
|
||||
utils.get_ips = function(fqdn, resolvers)
|
||||
local str_resolvers, err = datastore:get("misc_resolvers")
|
||||
if not str_resolvers then
|
||||
-- Get resolvers
|
||||
local resolvers, err = utils.get_resolvers()
|
||||
if not resolvers then
|
||||
return false, err
|
||||
end
|
||||
local resolvers = cjson.decode(str_resolvers)
|
||||
-- Instantiante resolver
|
||||
local rdns, err = resolver:new {
|
||||
nameservers = resolvers,
|
||||
retrans = 1,
|
||||
|
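Review bot: the `resolvers` parameter of `utils.get_ips = function(fqdn, resolvers)` is now dead, because `local resolvers, err = utils.get_resolvers()` shadows it on the first statement. Drop the parameter or use it when provided (`resolvers = resolvers or utils.get_resolvers()`), so callers that pass a list are not silently ignored. The added comment also has a typo: "Instantiante resolver".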
@ -301,6 +353,7 @@ utils.get_ips = function(fqdn, resolvers)
|
|||
if not rdns then
|
||||
return false, err
|
||||
end
|
||||
-- Query FQDN
|
||||
local answers, err = rdns:query(fqdn, nil, {})
|
||||
if not answers then
|
||||
return false, err
|
||||
|
@ -308,6 +361,7 @@ utils.get_ips = function(fqdn, resolvers)
|
|||
if answers.errcode then
|
||||
return {}, answers.errstr
|
||||
end
|
||||
-- Return all IPs
|
||||
local ips = {}
|
||||
for i, answer in ipairs(answers) do
|
||||
if answer.address then
|
||||
|
@ -318,9 +372,11 @@ utils.get_ips = function(fqdn, resolvers)
|
|||
end
|
||||
|
||||
utils.get_country = function(ip)
|
||||
-- Check if mmdb is loaded
|
||||
if not mmdb.country_db then
|
||||
return false, "mmdb country not loaded"
|
||||
end
|
||||
-- Perform lookup
|
||||
local ok, result, err = pcall(mmdb.country_db.lookup, mmdb.country_db, ip)
|
||||
if not ok then
|
||||
return nil, result
|
||||
|
@ -332,9 +388,11 @@ utils.get_country = function(ip)
|
|||
end
|
||||
|
||||
utils.get_asn = function(ip)
|
||||
-- Check if mmdp is loaded
|
||||
if not mmdb.asn_db then
|
||||
return false, "mmdb asn not loaded"
|
||||
end
|
||||
-- Perform lookup
|
||||
local ok, result, err = pcall(mmdb.asn_db.lookup, mmdb.asn_db, ip)
|
||||
if not ok then
|
||||
return nil, result
|
||||
|
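Review bot: the comment added in `utils.get_asn` reads `-- Check if mmdp is loaded`; it should say "mmdb", matching the comment in `utils.get_country`. The two early returns in this function also disagree on the failure value (`return false, "mmdb asn not loaded"` versus `return nil, result`), which is worth unifying while these lines are being touched.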
@ -347,6 +405,7 @@ end
|
|||
|
||||
utils.rand = function(nb)
|
||||
local charset = {}
|
||||
-- lowers, uppers and numbers
|
||||
for i = 48, 57 do table.insert(charset, string.char(i)) end
|
||||
for i = 65, 90 do table.insert(charset, string.char(i)) end
|
||||
for i = 97, 122 do table.insert(charset, string.char(i)) end
|
||||
|
@ -358,9 +417,11 @@ utils.rand = function(nb)
|
|||
end
|
||||
|
||||
utils.get_deny_status = function()
|
||||
if ngx.var.is_stream == "yes" then
|
||||
return 403
|
||||
-- Stream case
|
||||
if ngx.ctx.bw and ngx.ctx.bw.kind == "stream" then
|
||||
return 444
|
||||
end
|
||||
-- http case
|
||||
local status, err = datastore:get("variable_DENY_HTTP_STATUS")
|
||||
if not status then
|
||||
logger:log(ngx.ERR, "can't get DENY_HTTP_STATUS variable " .. err)
|
||||
|
@ -370,13 +431,16 @@ utils.get_deny_status = function()
|
|||
end
|
||||
|
||||
utils.get_session = function()
|
||||
if ngx.ctx.session then
|
||||
return ngx.ctx.session, ngx.ctx.session_err, ngx.ctx.session_exists
|
||||
-- Session already in context
|
||||
if ngx.ctx.bw.session then
|
||||
return ngx.ctx.bw.session, ngx.ctx.bw.session_err, ngx.ctx.bw.session_exists
|
||||
end
|
||||
-- Open session
|
||||
local _session, err, exists = session.start()
|
||||
if err then
|
||||
logger:log(ngx.ERR, "UTILS", "can't start session : " .. err)
|
||||
logger:log(ngx.ERR, "can't start session : " .. err)
|
||||
end
|
||||
-- Fill ctx
|
||||
ngx.ctx.session = _session
|
||||
ngx.ctx.session_err = err
|
||||
ngx.ctx.session_exists = exists
|
||||
|
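Review bot: `utils.get_session` now reads the cached session from `ngx.ctx.bw.session`, but the "Fill ctx" lines below still write `ngx.ctx.session`, `ngx.ctx.session_err` and `ngx.ctx.session_exists`. The early return can therefore never see what this function stored, and `session.start()` runs again on every call. The read also indexes `ngx.ctx.bw` without the nil guard that `get_deny_status` uses (`ngx.ctx.bw and ngx.ctx.bw.kind`). Write to the same `ngx.ctx.bw.*` fields that are read, and guard the table access.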
@ -389,6 +453,7 @@ utils.get_session = function()
|
|||
end
|
||||
|
||||
utils.save_session = function()
|
||||
-- Check if save is needed
|
||||
if ngx.ctx.session and not ngx.ctx.session_err and not ngx.ctx.session_saved then
|
||||
ngx.ctx.session:set_data(ngx.ctx.session_data)
|
||||
local ok, err = ngx.ctx.session:save()
|
||||
|
@ -405,6 +470,7 @@ utils.save_session = function()
|
|||
end
|
||||
|
||||
utils.set_session = function(key, value)
|
||||
-- Set new data
|
||||
if ngx.ctx.session and not ngx.ctx.session_err then
|
||||
ngx.ctx.session_data[key] = value
|
||||
return true, "value set"
|
||||
|
@ -413,6 +479,7 @@ utils.set_session = function(key, value)
|
|||
end
|
||||
|
||||
utils.get_session = function(key)
|
||||
-- Get data
|
||||
if ngx.ctx.session and not ngx.ctx.session_err then
|
||||
return true, "value get", ngx.ctx.session_data[key]
|
||||
end
|
||||
|
|
|
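Review bot: `utils.get_session = function(key)` at the end of the file redefines the zero-argument `utils.get_session` declared earlier in the same module, so the later assignment wins and the function that starts the session is no longer reachable under that name. Rename this accessor (for example `get_session_var`) and update its callers. It and `set_session` also still use `ngx.ctx.session` and `ngx.ctx.session_data`, while the earlier function was moved to `ngx.ctx.bw.session`.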
@ -43,47 +43,6 @@ for line in io.lines("/etc/nginx/variables.env") do
|
|||
end
|
||||
init_logger:log(ngx.NOTICE, "saved variables into datastore")
|
||||
|
||||
-- Set misc values into the datastore
|
||||
init_logger:log(ngx.NOTICE, "saving misc values into datastore ...")
|
||||
local miscs = {
|
||||
reserved_ips = {
|
||||
"0.0.0.0/8",
|
||||
"10.0.0.0/8",
|
||||
"100.64.0.0/10",
|
||||
"127.0.0.0/8",
|
||||
"169.254.0.0/16",
|
||||
"172.16.0.0/12",
|
||||
"192.0.0.0/24",
|
||||
"192.88.99.0/24",
|
||||
"192.168.0.0/16",
|
||||
"198.18.0.0/15",
|
||||
"198.51.100.0/24",
|
||||
"203.0.113.0/24",
|
||||
"224.0.0.0/4",
|
||||
"233.252.0.0/24",
|
||||
"240.0.0.0/4",
|
||||
"255.255.255.255/32"
|
||||
},
|
||||
resolvers = {}
|
||||
}
|
||||
local var_resolvers, err = ds:get("variable_DNS_RESOLVERS")
|
||||
if not var_resolvers then
|
||||
init_logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
for str_resolver in var_resolvers:gmatch("%S+") do
|
||||
table.insert(miscs.resolvers, str_resolver)
|
||||
end
|
||||
for k, v in pairs(miscs) do
|
||||
local ok, err = ds:set("misc_" .. k, cjson.encode(v))
|
||||
if not ok then
|
||||
init_logger:log(ngx.ERR, "can't save misc " .. k .. " into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
init_logger:log(ngx.INFO, "saved misc " .. k .. " into datastore")
|
||||
end
|
||||
init_logger:log(ngx.NOTICE, "saved misc values into datastore")
|
||||
|
||||
-- Set API values into the datastore
|
||||
init_logger:log(ngx.NOTICE, "saving API values into datastore ...")
|
||||
local value, err = ds:get("variable_USE_API")
|
||||
|
|
|
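Review bot: removing the `miscs` block drops the init-time check that ended with `return false` when `variable_DNS_RESOLVERS` could not be read. With resolver parsing moved to the lazy `utils.get_resolvers`, a missing or unusable resolver setting is only logged at the first DNS lookup during a request. If startup should still fail fast on that misconfiguration, keep a validation call here, for example invoking `utils.get_resolvers()` once and aborting on error.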
@ -30,6 +30,18 @@ if not ok then
|
|||
logger:log(ngx.ERR, "can't update cachestore : " .. err)
|
||||
end
|
||||
|
||||
-- Fill ctx
|
||||
logger:log(ngx.INFO, "filling ngx.ctx ...")
|
||||
local ok, ret, errors = helpers.fill_ctx()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
|
||||
elseif errors then
|
||||
for i, error in ipairs(errors) do
|
||||
logger:log(ngx.ERR, "fill_ctx() error " .. tostring(i) .. " : " .. error)
|
||||
end
|
||||
end
|
||||
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
|
||||
|
||||
-- Process bans as soon as possible
|
||||
local ok, reason = datastore:get("bans_ip_" .. ngx.var.remote_addr)
|
||||
if not ok and reason ~= "not found" then
|
||||
|
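Review bot: the success message `"ngx.ctx filled (ret = " .. ret .. ")"` is logged unconditionally, including right after `fill_ctx() failed` has been logged for `not ok`, and the phase then continues as if the context were usable. The concatenation also raises if `ret` is not a string or number. Move the INFO log into the success branch, use `tostring(ret)`, and decide explicitly whether the request may proceed when `fill_ctx()` fails. The loop variable `error` shadows the Lua builtin; `err_msg` would be clearer.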
@ -78,7 +90,7 @@ for i, plugin in ipairs(plugins) do
|
|||
ngx.ctx.reason = plugin.id
|
||||
logger:log(ngx.WARN, "denied access from " .. plugin.id .. " : " .. err)
|
||||
else
|
||||
logger:log(ngx.NOTICE, plugin.id .. " returned status " .. tostring(ret.status) .. " : " .. err)
|
||||
logger:log(ngx.NOTICE, plugin.id .. " returned status " .. tostring(ret.status))
|
||||
end
|
||||
ngx.ctx.status = ret.status
|
||||
break
|
||||
|
|
|
@ -42,6 +42,7 @@ for i, plugin in ipairs(plugins) do
|
|||
if not ok then
|
||||
logger:log(ngx.ERR, plugin_obj)
|
||||
else
|
||||
local ok, ret = helpers.call_plugin(plugin_obj, "header")
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, ret)
|
||||
elseif not ret.ret then
|
||||
|
|
|
@ -60,15 +60,19 @@ def get_version():
|
|||
|
||||
def get_integration():
|
||||
try:
|
||||
if getenv("AUTOCONF_MODE") == "yes":
|
||||
return "autoconf"
|
||||
if getenv("SWARM_MODE") == "yes":
|
||||
return "swarm"
|
||||
elif getenv("KUBERNETES_MODE") == "yes":
|
||||
if getenv("KUBERNETES_MODE", "no") == "yes":
|
||||
return "kubernetes"
|
||||
elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
|
||||
with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
|
||||
return f.read().strip().lower()
|
||||
elif getenv("SWARM_MODE", "no") == "yes":
|
||||
return "swarm"
|
||||
elif getenv("AUTOCONF_MODE", "no") == "yes":
|
||||
return "autoconf"
|
||||
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
|
||||
return Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip().lower()
|
||||
elif (
|
||||
Path("/etc/os-release").is_file()
|
||||
and "Alpine" in Path("/etc/os-release").read_text()
|
||||
):
|
||||
return "docker"
|
||||
|
||||
return "linux"
|
||||
except:
|
||||
|
|
|
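Review bot: the `try` body of `get_integration()` now includes two `Path(...).read_text()` calls but still ends in a bare `except:`, which also swallows `KeyboardInterrupt` and programming errors. Narrow it to `except OSError:` (or `Exception` at most). Reading `/usr/share/bunkerweb/INTEGRATION` once into a variable inside a `try` would also remove the gap between `is_file()` and `read_text()`.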
@ -5,6 +5,7 @@
|
|||
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>{{title}}</title>
|
||||
{-raw-}
|
||||
<link
|
||||
rel="icon"
|
||||
href="data:image/svg+xml, %3Csvg version='1.0' xmlns='http://www.w3.org/2000/svg' width='96.000000pt' height='96.000000pt' viewBox='0 0 96.000000 96.000000' preserveAspectRatio='xMidYMid meet'%3E%3Cg transform='translate(0.000000,96.000000) scale(0.100000,-0.100000)'%0Afill='%23085577' stroke='none'%3E%3Cpath d='M535 863 c-22 -2 -139 -17 -260 -34 -228 -31 -267 -43 -272 -85 -2%0A-10 23 -181 55 -379 l57 -360 400 0 400 0 20 40 c16 31 20 59 19 125 -1 100%0A-24 165 -73 199 -41 29 -46 57 -22 111 30 67 29 188 -3 256 -13 28 -37 60 -53%0A72 -55 39 -169 62 -268 55z m-15 -348 c30 -16 60 -61 60 -90 0 -10 -8 -33 -17%0A-52 -16 -34 -16 -41 0 -116 9 -44 15 -82 12 -85 -6 -7 -92 -21 -131 -21 l-31%0A-1 -6 85 c-4 75 -8 89 -31 112 -20 20 -26 36 -26 70 0 38 5 50 34 79 39 39 86%0A45 136 19z'/%3E%3C/g%3E%3C/svg%3E"
|
||||
|
@ -231,13 +232,14 @@
|
|||
</div>
|
||||
|
||||
<!-- end lottie -->
|
||||
|
||||
{-raw-}
|
||||
<!-- text -->
|
||||
<div id="text-container" class="-translate-y-12 hidden w-full lg:w-[400px] xl:w-1/3 z-10 flex flex-col justify-center items-center">
|
||||
<h1 class="uppercase title text-2xl xsm:text-3xl sm:text-4xl 2xl:text-5xl 3xl:text-6xl tracking-wide text-white order-1 text-center">{{error_title}}</h1>
|
||||
<p class="title text-5xl xsm:text-6xl sm:text-7xl 2xl:text-8xl 3xl:text-9xl tracking-wide text-white order-2 uppercase ">{{error_code}}</p>
|
||||
<p class="mx-2 mt-4 text text-xs xs:text-sm sm:text-base 2xl:text-lg 3xl:text-xl text-secondary order-3 text-center">
|
||||
{{error_text}}
|
||||
{-raw-}
|
||||
</p>
|
||||
<a
|
||||
href="/"
|
||||
|
@ -304,3 +306,4 @@
|
|||
|
||||
</body>
|
||||
</html>
|
||||
{-raw-}
|
|
@ -90,8 +90,13 @@ if __name__ == "__main__":
|
|||
integration = "Swarm"
|
||||
elif getenv("AUTOCONF_MODE", "no") == "yes":
|
||||
integration = "Autoconf"
|
||||
elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
|
||||
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
|
||||
integration = Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip()
|
||||
elif (
|
||||
Path("/etc/os-release").is_file()
|
||||
and "Alpine" in Path("/etc/os-release").read_text()
|
||||
):
|
||||
integration = "Docker"
|
||||
|
||||
if args.variables:
|
||||
logger.info(f"Variables : {args.variables}")
|
||||
|
@ -163,7 +168,10 @@ if __name__ == "__main__":
|
|||
)
|
||||
templator.render()
|
||||
|
||||
if integration == "Linux" and not args.no_linux_reload:
|
||||
if (
|
||||
integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker")
|
||||
and not args.no_linux_reload
|
||||
):
|
||||
retries = 0
|
||||
while not Path("/var/tmp/bunkerweb/nginx.pid").exists():
|
||||
if retries == 5:
|
||||
|
|
|
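Review bot: the new reload condition `integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker")` is case-sensitive, while the value read from `/usr/share/bunkerweb/INTEGRATION` is only passed through `.strip()`. A file containing `docker` in lower case, which is the form the `get_integration()` helper on this page produces with `.strip().lower()`, would not match the tuple and would enter the nginx reload loop inside a container. Normalise the value once (for example `.strip().lower()`) and compare against lower-case names.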
@ -142,6 +142,11 @@ if __name__ == "__main__":
|
|||
integration = "Autoconf"
|
||||
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
|
||||
integration = Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip()
|
||||
elif (
|
||||
Path("/etc/os-release").is_file()
|
||||
and "Alpine" in Path("/etc/os-release").read_text()
|
||||
):
|
||||
integration = "Docker"
|
||||
|
||||
if args.init:
|
||||
logger.info(f"Detected {integration} integration")
|
||||
|
|
|
@ -139,7 +139,7 @@ class ApiCaller:
|
|||
def _send_files(self, path, url):
|
||||
ret = True
|
||||
with BytesIO() as tgz:
|
||||
with taropen(mode="w:gz", fileobj=tgz, dereference=True) as tf:
|
||||
with taropen(mode="w:gz", fileobj=tgz, dereference=True, compresslevel=5) as tf:
|
||||
tf.add(path, arcname=".")
|
||||
tgz.seek(0, 0)
|
||||
files = {"archive.tar.gz": tgz}
|
||||
|
|
|
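Review bot: `_send_files` builds the archive with `dereference=True`, so any symlink under `path` is followed and the contents of its target are packed and sent to the API, even when the target lives outside `path`. While this line is being edited to add `compresslevel=5`, confirm that everything under `path` is written only by trusted code, or pass a `filter` to `tf.add` that rejects links resolving outside the directory.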
@ -267,7 +267,14 @@ fi
|
|||
|
||||
# lua-resty-openssl v0.8.21
|
||||
echo "ℹ️ Downloading lua-resty-openssl"
|
||||
dopatch="no"
|
||||
if [ ! -d "deps/src/lua-resty-openssl" ] ; then
|
||||
dopatch="yes"
|
||||
fi
|
||||
git_secure_clone "https://github.com/fffonion/lua-resty-openssl.git" "15bc59b97feb5acf25fbdd9426cf73870cf7c838"
|
||||
if [ "$dopatch" == "yes" ] ; then
|
||||
do_and_check_cmd rm -r deps/src/lua-resty-openssl/t
|
||||
fi
|
||||
|
||||
# ModSecurity v3.0.9
|
||||
echo "ℹ️ Downloading ModSecurity"
|
||||
|
|
|
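Review bot: `[ "$dopatch" == "yes" ]` relies on `==` inside `[ ]`, which is a bash extension; use `=` unless the script is guaranteed to run under bash. The flag name `dopatch` is also misleading, since the guarded command is `rm -r deps/src/lua-resty-openssl/t` rather than a patch. A one-line comment stating why the vendored test directory is removed (it carries test certificates and private keys, as the deleted files in this commit show) would help the next reader.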
@ -1,132 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: FIPS mode can be turned on and off
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
if openssl.get_fips_mode() then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
else
|
||||
ngx.say("BORINGSSL should have fips turned on but actually not")
|
||||
end
|
||||
ngx.exit(200)
|
||||
end
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(false))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
false
|
||||
true
|
||||
false
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: CIPHER, MD and PKEY provider is directed to fips
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips or not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("fips\nfips\nfips")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
ngx.say(myassert(require("resty.openssl.cipher").new("aes256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.digest").new("sha256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.pkey").new({ type = "EC" })):get_provider_name())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
fips
|
||||
fips
|
||||
fips
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Non-FIPS compliant algorithms are not allowed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- BORINGSSL doesn't seem to remove non-fips compliant algorithms?
|
||||
if not _G.fips or require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("true\ntrue")
|
||||
ngx.say("invalid cipher type \"chacha20\": unsupported")
|
||||
ngx.say("invalid digest type \"md5\": unsupported")
|
||||
ngx.exit(200)
|
||||
end
|
||||
|
||||
local ok, err
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(not not ok)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(not not ok)
|
||||
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(err)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
true
|
||||
.*invalid cipher type.+(?:unsupported|disabled for fips).*
|
||||
.*invalid digest type "md5".+(?:unsupported|disabled for fips).*
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,29 +0,0 @@
|
|||
|
|
@ -1,21 +0,0 @@
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
|
Binary file not shown.
Binary file not shown.
|
@ -1,18 +0,0 @@
|
|||
# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0).
|
||||
#
|
||||
# The modulewrapper is not a part of the FIPS module, so it can be patched without
|
||||
# concern about breaking the FIPS validation.
|
||||
--- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
@@ -12,9 +12,11 @@
|
||||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
||||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
||||
|
||||
+#include <string>
|
||||
#include <vector>
|
||||
|
||||
#include <assert.h>
|
||||
+#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,74AB7E7042FC695A7F267BB416AC24E1
|
||||
|
||||
zNvboWr/ayt4McuSl9h3oirnS7DK5JU5OSGvh3Seyt9E1oVd3SUg4Mcp4BpZP8gv
|
||||
Ei4K6+p3CTDrQfE0mrjIph3C1LKTzQeLdGIvgTjjKVpu91aogU3K3rgcuqKN/zla
|
||||
+sQOAedKEtLiop4J6rIGmKvo9JZonbMsEZnZnXGbz3k=
|
||||
-----END EC PRIVATE KEY-----
|
|
@ -1,18 +0,0 @@
|
|||
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
config_diagnostics = 1
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
|
||||
[provider_sect]
|
||||
fips = fips_sect
|
||||
default = default_sect
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
# need fipsinstall to populate below section
|
||||
# [fips_sect]
|
||||
|
|
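Review bot: in this `openssl.cnf` fixture, `fips = fips_sect` refers to a section that exists only as a comment (`# [fips_sect]`), while `default` is activated next to it. As written, the file does not restrict algorithm selection to the FIPS provider, so anything that relied on it for FIPS coverage was effectively running against the default provider. If the fixture is carried forward anywhere, generate the `[fips_sect]` block with `fipsinstall` as the comment says, and decide explicitly whether `default` should stay active.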
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFU
|
||||
LobnVTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UI
|
||||
THXKLNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLk
|
||||
lYLFchkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTk
|
||||
GgYHWFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkI
|
||||
UQfN9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQABAoIBABQ0rcAvKlvmoyJq
|
||||
bTWAtUm78zTB/xyWrD/MSZ22hPPDgx/aoYIKX8cgRSbThVbfPGdWkdpDp9z0RVWo
|
||||
OSB7QSpxeXd6Q5GNhErt1Q84byQpa2jEIVAGPAfMRP6DSjSxNHBoSKcvxZeIwuZb
|
||||
vlVOxdGtprfawvWMJ8w6C0bb9JZLeHjdLK/O49Nxj4YrUBk+ZvkKa8EQnq/apLMz
|
||||
9RMZiFQ1pvR9Ojfw4O4u0pqW80Iu8alDBxMkvzEUEhuzafrMKToX5GG65Y9/nhDl
|
||||
iIsENEvNY1Nk2WXPMe/VR5LVGBLtXlJ+KIj09KjuJyy5PEkwXxHobyRHEMtQ8SBs
|
||||
C1SE/sECgYEA+Sf1IyhyPfWg3CuGdwiYuwn9CVnZxqQWLwwk+EdIXpNDbHhfeN1Z
|
||||
ZC1/bttz45O4At5KtKAHLeRETuphtgwJ6ZHdNy5K6h4GV0s4ZtBHS8pu95+BAApN
|
||||
pGRPzZ4u4GDTkTCbHRd+A2UY1EnpGe6Owq/+Cbu67jnPJOP0pegmGzkCgYEAzAya
|
||||
v9pEwcDBIrKE3ida46mBAnxBT81pr8Pa5t5pON3DtjsHv3lfa01u9ga8F0GKgMif
|
||||
tet9dFWtFHdrC8HbrpcHwta1dVlDNzr1TSjbyl5TW9/suSbHTQ/iUmXFazbhHVu6
|
||||
p4jgV6DPgqxjI56YLcIqZIf2xDeVgGwbwv7d3d8CgYEAtcIpeTFrTbnfVF5IJJPX
|
||||
3zJlLiomzVssd7vTSG+v4pZpbDrP4vsO2B68xOFAxHchmK4TL3tCYX8ROcSP7V8Q
|
||||
6BwplbSmn+2xUIMmLRKpwCd4Fhp838ukYlVvRh+sMLFSBavArFNT8SQSHeOhMfKu
|
||||
oGYE25LgxiLT8yR8d39INTkCgYEAilnxgyvnesfLLE+Gr2pXwg1oH9tIHWfVxQsz
|
||||
HV6oUZpr3N9hfX46KHM0TTR7y/jwhCmDwMGPKpX86OefeTVUUqis5nrWRl7jqEsd
|
||||
j9eoTyptstm9lDyq3aFrfxrqJKvtLw7HHFk+Y6vxh1SDU99wp3YDcG6P7rMRdyXW
|
||||
HPzaSlkCgYBums2fZgP96/wyburnMhP/86ndLyVB2YbLwXMz+oGlm+XssAawulrM
|
||||
6mxpV63T+/UmEiszCEf3ZOUr1+zkSTe/CMZk5Vev1pYEzfpQ2AnpOsvPw+WGQbWL
|
||||
95dYCSGZKjXQ/UV+zDisZiDzjLRkZ7WfPJsPZ8z1P3nZ2t+8IRNO/Q==
|
||||
-----END RSA PRIVATE KEY-----
|
|
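Review bot: the key removed here is an unencrypted `RSA PRIVATE KEY` (no `Proc-Type`/`DEK-Info` header, unlike the EC key fixture earlier in this diff), and its public half is the `RSA PUBLIC KEY` file in the next hunk. Deleting the file from the tree does not remove it from repository history, so please confirm this pair was only ever a test fixture and is not trusted by any deployed configuration. If it was used anywhere real, treat it as disclosed and rotate it.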
@ -1,8 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFULobn
|
||||
VTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UITHXK
|
||||
LNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLklYLF
|
||||
chkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTkGgYH
|
||||
WFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkIUQfN
|
||||
9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBzCCAe+gAwIBAgIUJ+FXF8zL+pdK8Nl68Eq0aQlZKNMwDQYJKoZIhvcNAQEL
|
||||
BQAwEzERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjAxMjE1MTAwNjIyWhcNMzAxMjEz
|
||||
MTAwNjIyWjATMREwDwYDVQQDDAh0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAMEQQC0nyiHOekSs6sTwLBrdiWYvDWC5OQylQZY2pWsBYtWH
|
||||
3rkkt98rRNC3cxLSPwH+AAJrJCnRl4ZIxUrtNF8zPW/NexAaarKMLq8LHnVD+cf5
|
||||
uLzK9xZNt5s8aTQOF8TuHH2Zq/jdfJ9MnAJf1noZ4Oz5IZqOtgJ+1oCDZJc4ZlL1
|
||||
KO5tfDsWZOsRdow6F7wlK1xtCfcakcncL7Yh4xbZYQXnNSliGZF0/+SIqYIGhv2f
|
||||
EBng0yOW6FrXtrxhj/7TplAd2v5ziCsdcqqA+YFu4e6PzFybNErUgNZ8ZsokmP56
|
||||
uU13oKYLIsEf11EmKEX1bwvEvvu+T/V/IB38YV8CAwEAAaNTMFEwHQYDVR0OBBYE
|
||||
FM8D9Qnrg9JPEN5lkpDpkz44TOh8MB8GA1UdIwQYMBaAFM8D9Qnrg9JPEN5lkpDp
|
||||
kz44TOh8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ODar1
|
||||
fVkJ50rLToICvp2zZkLSsZlL13Gy4+FUUl0sctSRbXF6yPZGa3u6/HeF5AWnrFNX
|
||||
eZUVuJgyYa2gmz0K+HGbSrbNFb4Cpnhe7Y722SpSDEj3ybOI3EBeRT3WcwpSsGKa
|
||||
Kfx8NY08J440cn3oNAbZ9XrZOHhyvjkCEr9+ieg1MvMtNg5NbTpHj6Riuvuvvs3s
|
||||
CaOJ1dN5a59hHHvt76lb6Ah3cwJ98CRAObp1bElgL//Tl9faAHAFIpGopvq41Jnn
|
||||
rBd/GtvM6J/LHznZ9eOvMq+uBMyAhzpmi6Ih4SGnwN/i8StRbNvpIUIq2rO6IvCZ
|
||||
61xzxPhcY6bB2KI=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIDFTCCAf0CAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
||||
FDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYDVQQKEwtTU0wgU3VwcG9ydDEUMBIG
|
||||
A1UECxMLU1NMIFN1cHBvcnQxFDASBgNVBAMTC2V4YW1wbGUuY29tMIIBIjANBgkq
|
||||
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GDCNL5NhDX2JVU
|
||||
QKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUzKoTt5yLdVIM/
|
||||
HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgDcdbcQ5wsPVOi
|
||||
FHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyfgGS4+XQSsUdw
|
||||
NWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1f3rlwf8H5HIV
|
||||
H3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJEcwIDAQABoFYw
|
||||
VAYJKoZIhvcNAQkOMUcwRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0B
|
||||
AQUFAAOCAQEAgBSVMeTB9pfgZCllMPBFffeduMePyDA1SzLYjSFkh660sFFiwGAV
|
||||
MTnnYFHH3k6ueRVal3gzxZJ6ehr+ms1/CRO8rlY+B6geMCbGCbCvcAET0n505aYH
|
||||
v8vlvqrdSx8Ur/9sisbynCkdk2qgc3rbnDbsAAonZIXf+blacaYTZdGUxso6qtY6
|
||||
6mhI+ulqmkDk3Quc02ityvuGEbN8UuUGxc+kg0aIqMWWNKUGpTq/aRWpC7kuCUFZ
|
||||
fmvPwnMhzgKBPzOXwyauVxAV0Mm/1uwPu9GNVQDgewy4Rjbm5bNwIjce3W1tVMWT
|
||||
FR+x0BtV+D2A62fJWB2Yv9oERJbZQnvLqw==
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBEEAtJ8ohznpE
|
||||
rOrE8Cwa3YlmLw1guTkMpUGWNqVrAWLVh965JLffK0TQt3MS0j8B/gACayQp0ZeG
|
||||
SMVK7TRfMz1vzXsQGmqyjC6vCx51Q/nH+bi8yvcWTbebPGk0DhfE7hx9mav43Xyf
|
||||
TJwCX9Z6GeDs+SGajrYCftaAg2SXOGZS9SjubXw7FmTrEXaMOhe8JStcbQn3GpHJ
|
||||
3C+2IeMW2WEF5zUpYhmRdP/kiKmCBob9nxAZ4NMjluha17a8YY/+06ZQHdr+c4gr
|
||||
HXKqgPmBbuHuj8xcmzRK1IDWfGbKJJj+erlNd6CmCyLBH9dRJihF9W8LxL77vk/1
|
||||
fyAd/GFfAgMBAAECggEAG+N4Ec3MoiOMf/0mkLpM9LiJz4v+d7lp50y787IDJTj3
|
||||
CPdukfoe4YsDjs7hPZfHaEdDwxWtDKltJQXAEjm/tfzV5B+fpkzamt4rJDgL906R
|
||||
d3S4XfVHyh4B5tfMLqvWfSkUToRzVijQhsZvRtyHQ+4XEsROOWBiJGwkGj5guoM3
|
||||
4ItEJOXece+4pV0M1KPb3aTqGLw/Iow1IV9k+HCKrxwsBK0xpoEYfvK6N6PsmcRK
|
||||
iPS53D6bCS74HidgXvhPN8hdVvJ+s8rvXDdVF3Ajw/LhrdeYrRjZUtRpB43Z8uLn
|
||||
raMMOid4Q9EEsZNcWG2UO6BHyDibkOzQmPIv0/JIgQKBgQDo1Cmd3ialMZkn9bSX
|
||||
DUNxMZlTk49Abns2rKojRxApU3h3aVuViXPIs3yz0cUPzURGHOOHQwU5cFjMVsxx
|
||||
GffZjNq+ViR1Il0UhxBlYlcRZOou4RSi6VnN8HRjNeBNrzGxo/C+9/U00/APT/z5
|
||||
OBloEoWy22SqTJtQCKspQ60knwKBgQDURvpcMlJE6UBhIy3Q3/7+HUc/AsCj5dMY
|
||||
OafioeuKO+fRcNBaith3bUF3aRplf2jD/pQ/nLvD4+q0tvaEY06jpiVwm5PXGdUy
|
||||
acIcs56ch1BiczP5pkSpEpaG0ap4btW86UU3K+at0iAJqfm9aR8DSOugl+D+EC16
|
||||
RDRKn4TLQQKBgQDA4vPPW7m8ZYiyuDXyZgSXhDW4LakiAeWF+CnDrB3RfttwYhKD
|
||||
oioP/dKzzndpje6f/1LoPjfXzCFkuAwLLy5MRwr5YLg3ak6esP5+X6guOuJgEAxe
|
||||
ot/JYwmpH3tCIIAU4PKT4yx7pZFdvjCf7z/tHlsxP9z30RtihKv4NZ79lQKBgBOL
|
||||
XW2zrGNv3l+TL5q1pPKcm3yvsjDk7iSi2lRBeEBH97YO3wAXHIsSYh6ubKG/s1Oo
|
||||
UtnwglEs4OU2m0fhJNJob7YIfPonBLwZhKfD2eyrgLkvxi9MIbI3ZeiP0VQ5UDCO
|
||||
gbLstdZ3LD/3iGjqDtLsmdU1Zp+9uZIySWY9faqBAoGAa3DJYcGpBQWDlNbojcgv
|
||||
VUNukUrxDQOLR6AbPcYF8EdrSgtkuDQJfb94HpR55u6o+l9SiD2t9uEl/rLqrp1+
|
||||
jOTte0IERqrerKp43G/AHZduw0ks4PPxglZUAQ1/HSTUTUvACoHFB9egElj3zNIX
|
||||
fFBB0c+kqU2aLFq342F0ONU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -1,194 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;$pwd/../lua-resty-hmac/lib/?.lua;$pwd/../lua-resty-string/lib/?.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Load ffi openssl library
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.load_modules()
|
||||
ngx.say(string.format("%x", openssl.version.version_num))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d{6}[0-9a-f][0f]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Luaossl compat pattern
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.luaossl_compat()
|
||||
local pkey = require("resty.openssl.pkey")
|
||||
local pok, perr = pcall(pkey.new, "not a key")
|
||||
ngx.say(pok)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
false
|
||||
.+pkey.new.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: List cipher algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"AES\"]")
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+AES.+\]
|
||||
\[.+AES-256-GCM @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: List digest algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"SHA\"]")
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+SHA.+\]
|
||||
\[.+SHA2-256 @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: List mac algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HMAC @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_mac_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HMAC @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: List kdf algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HKDF @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_kdf_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HKDF @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: List SSL cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version = require("resty.openssl.version")
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(openssl.list_ssl_ciphers())
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.2"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.3"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+:.+
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
--- no_error_log
|
||||
[error]
|
|
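Review bot: several cases in this file pass without exercising the library. In TEST 3 to TEST 7, the BoringSSL and pre-3.x branches `ngx.say` the literal expected strings and then call `ngx.exit(0)`, so `response_body_like` matches on builds where the listing functions are never called. If these tests are kept elsewhere, mark them as skipped on unsupported versions rather than printing the expected output. Two smaller points: TEST 3 and TEST 4 make the same `list_*_algorithms()` call twice but match it against two different patterns, and TEST 7 declares `local version` twice.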
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: asn1_to_unix utctime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579091696"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: asn1_to_unix utctime, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456+0102"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579095416"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: asn1_to_unix generalized time
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890438896"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: asn1_to_unix generalized time, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456-0123"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890433916"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: asn1_to_unix error on bad format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
for _, s in pairs({
|
||||
"201315123456Z",
|
||||
"200132123456Z",
|
||||
"200115243456Z",
|
||||
"200115123461Z",
|
||||
}) do
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
local _, err = asn1.asn1_to_unix(a)
|
||||
if err == nil then
|
||||
ngx.say(s, " should fail but didn't")
|
||||
end
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
|
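Review bot: in TEST 5 the object is created with `ASN1_STRING_type_new(24) -- V_ASN1_UTCTIME`, but TEST 1 and TEST 2 use 23 for UTCTime and TEST 3 and TEST 4 label 24 as GeneralizedTime. The four inputs are 13-character UTCTime-shaped strings, each with one bad field (month 13, day 32, hour 24, second 61). On a GeneralizedTime object they may be rejected for a different reason than the field each one targets. If this test is retained, use 23 here, or add separate bad-format cases for each type, so that every string fails on the field it is meant to probe.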
@ -1,232 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads JWK RSA key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
|
||||
p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
|
||||
q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
|
||||
dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
|
||||
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
|
||||
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new('asdasd', {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local s, err = pubkey:encrypt("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local s, err = privkey:decrypt(s)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: error decoding JSON from JWK: Expected value but found invalid token at character 1
|
||||
pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" parameter is required
|
||||
23333
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Loads JWK EC key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("sha256")
|
||||
d:update("23333")
|
||||
local s, err = privkey:sign(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local ok, err = pubkey:verify(s, d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(ok)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct EC key from JWK: at least "x" and "y" parameter is required
|
||||
true
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads JWK Ed25519 key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
|
||||
ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
|
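Review bot: TEST 3 stops after loading the Ed25519 public JWK, so `privkey` and `pubkey` are never used together. TEST 1 round-trips encrypt/decrypt and TEST 2 round-trips sign/verify, but this case only asserts the missing-parameter error message, and on builds older than 1.1.1 it prints that message literally before `ngx.exit(0)`. If the test is kept, add a sign/verify round trip for the OKP key so that a mismatched or mis-decoded `x`/`d` pair would be caught. Also note that each test declares `local privkey, err` twice, which shadows the first load result.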
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: New BIGNUM instance correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- error_log
|
||||
bn:to_binary failed
|
||||
|
||||
=== TEST 2: New BIGNUM instance from number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct bignum_st BIGNUM; void BN_free(BIGNUM *a);')
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local bn2, err = require("resty.openssl.bn").dup(bn.ctx)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
bn = nil
|
||||
collectgarbage("collect")
|
||||
local b, err = bn2:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: from_binary, to_binary
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local d = ngx.decode_base64('WyU=')
|
||||
local bn, err = require("resty.openssl.bn").from_binary(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
|
||||
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
|
||||
ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0)
|
||||
end
|
||||
|
||||
local b, err = bn:to_binary(10)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU=AAAAAAAAAABbJQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: from_hex, to_hex
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_hex("5B25")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_hex()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"5[Bb]25"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: from_dec, to_dec
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_dec("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: to_number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local b, err = bn.new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
b, err = bn.from_dec('184467440737095516161844674407370955161618446744073709551616')
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333number
|
||||
1.844674407371e+19number
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: unary minus
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = (-bn):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
local b, err = (-(-bn)):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-23333
|
||||
23333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: metamethods checks arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local a, err = require("resty.openssl.bn").new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = require("resty.openssl.bn").new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local pok, perr = pcall(function() return a + "233" end)
|
||||
ngx.say(perr)
|
||||
local pok, perr = pcall(function() return "233" - a end)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+cannot add a string to bignum
|
||||
.+cannot substract a string to bignum
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: add, sub, mul, div mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a+b))
|
||||
ngx.say(tostring(a-b))
|
||||
ngx.say(tostring(a*b))
|
||||
ngx.say(tostring(a/b))
|
||||
ngx.say(tostring(a%b))
|
||||
ngx.say(tostring(a*2478652))
|
||||
ngx.say(tostring(23578164761333*b))
|
||||
ngx.say(tostring(bn.mul(23578164761333, b)))
|
||||
ngx.say(tostring(a:mul(b)))
|
||||
ngx.say(tostring(23578164761333*2478652))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23578167239985
|
||||
23578162282681
|
||||
58442065242007563116
|
||||
9512495
|
||||
4593
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
5.8442065242008e\+19
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: sqr, exp
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:sqr()))
|
||||
ngx.say(tostring(a:exp(2)))
|
||||
ngx.say(tostring(a:pow(2)))
|
||||
ngx.say(tostring(b:exp(b)))
|
||||
ngx.say(tostring(bn.sqr(a)))
|
||||
ngx.say(tostring(bn.sqr(23578164761333)))
|
||||
ngx.say(tostring(bn.exp(a, 2)))
|
||||
ngx.say(tostring(bn.exp(23578164761333, 2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
5210245939718361468048211048414496022534389576033913164940029913016568215580398296261072019231723279851007241838011659882766685337218633992220688288491655299087016195985205218347711578485744737
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: gcd
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:gcd(b)))
|
||||
ngx.say(tostring(bn.gcd(a, b)))
|
||||
ngx.say(tostring(bn.gcd(a, 97)))
|
||||
ngx.say(tostring(bn.gcd(23578164761333, b)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
1
|
||||
1
|
||||
1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: lshift, rshift
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:lshift(2)))
|
||||
ngx.say(tostring(a:rshift(2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"94312659045332
|
||||
5894541190333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: comparasion
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a == b))
|
||||
ngx.say(tostring(a ~= b))
|
||||
ngx.say(tostring(a >= b))
|
||||
ngx.say(tostring(a > b))
|
||||
ngx.say(tostring(a < b))
|
||||
ngx.say(tostring(a <= b))
|
||||
ngx.say("")
|
||||
ngx.say(tostring(a == a))
|
||||
ngx.say(tostring(a ~= a))
|
||||
ngx.say(tostring(a >= a))
|
||||
ngx.say(tostring(a > a))
|
||||
ngx.say(tostring(a < a))
|
||||
ngx.say(tostring(a <= a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
true
|
||||
true
|
||||
true
|
||||
false
|
||||
false
|
||||
|
||||
true
|
||||
false
|
||||
true
|
||||
false
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: is_one, is_zero, is_odd, is_word
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(0):is_zero()))
|
||||
ngx.say(tostring(bn.new(1):is_zero()))
|
||||
ngx.say(tostring(bn.new(0):is_one()))
|
||||
ngx.say(tostring(bn.new(1):is_one()))
|
||||
ngx.say(tostring(bn.new(0):is_odd()))
|
||||
ngx.say(tostring(bn.new(1):is_odd()))
|
||||
ngx.say(tostring(bn.new(0):is_word(0)))
|
||||
ngx.say(tostring(bn.new(1):is_word(0)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
false
|
||||
true
|
||||
false
|
||||
true
|
||||
true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: is_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(2):is_prime()))
|
||||
ngx.say(tostring(bn.new(15):is_prime()))
|
||||
ngx.say(tostring(bn
|
||||
.from_hex('00d3277434ff7e3d410b3453a5cddc13e834fbdc19f38c580bc05b68dfa179afa4b6e6d34fe2bde9d90390046a86306bd022d4ed8187ccaa21808e189e7b803fd918b7782078f3be6bc8683d71d7d46cb134bc2a74dbe410d2bb068e45af95deef546f6970b83f9386e504b6fbefee6ae804fbf544e6b7cf82aacfff9472c6af07')
|
||||
:is_prime()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: mod_add, mod_sub, mod_mul, mul_exp, mul_sqr mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local m, err = bn.new(65537)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:mod_add(b, m)))
|
||||
ngx.say(tostring(a:mod_sub(b, m)))
|
||||
ngx.say(tostring(a:mod_mul(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, m)))
|
||||
ngx.say(tostring(a:mod_sqr(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, 65537)))
|
||||
ngx.say(tostring(bn.mod_exp(a, 2478652, m)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"49755
|
||||
7726
|
||||
27398
|
||||
28353
|
||||
1266433
|
||||
28353
|
||||
28353
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: generate_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.generate_prime(10, false)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
local a, err = bn.generate_prime(10, true)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
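Review bot: in TEST 17 the call a:mod_sqr(b, m) is expected to print 1266433, which is larger than m = 65537, so the value cannot be a reduction modulo m. It matches a squared modulo b: TEST 10 shows a % b = 4593, and 4593 squared modulo 2478652 is 1266433. The test is therefore using b as the modulus and silently ignoring the extra m argument. A modular square takes one operand and one modulus, so call a:mod_sqr(m) and update the expected line, or add a comment that b is meant to be the modulus here. The title also lists mul_exp and mul_sqr where the body calls mod_exp and mod_sqr.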
@ -1,517 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates cipher correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(myassert(cipher:final('1'))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects unknown cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher, err = require("resty.openssl.cipher").new("aes257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cipher.new: invalid cipher type \"aes257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Unintialized ctx throw errors
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:update("1")
|
||||
ngx.say(err)
|
||||
local _, err = cipher:final("1")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"cipher:update: cipher not initalized, call cipher:init first
|
||||
cipher:update: cipher not initalized, call cipher:init first
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Encrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1'))
|
||||
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Encrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1', true)
|
||||
ngx.say(s)
|
||||
-- 1.x: data not multiple of block length
|
||||
-- 3.0: wrong final block length
|
||||
ngx.say(err)
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
'1' .. string.rep(string.char(15), 15), true))
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil
|
||||
.+(?:data not multiple of block length|wrong final block length|DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH)
|
||||
VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Decrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg==")))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Decrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg=="), true))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Encrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local sample = 'abcdefghi'
|
||||
local count = 5
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(sample))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(sample))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nothing
|
||||
SEk81GpcHC9KoZfN14RrNg==
|
||||
nothing
|
||||
L2dVbLMhEigy917CJBXz7g==
|
||||
nothing
|
||||
final
|
||||
dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Decrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = false,
|
||||
}))
|
||||
|
||||
local input = ngx.decode_base64('SEk81GpcHC9KoZfN14RrNg==') ..
|
||||
ngx.decode_base64('L2dVbLMhEigy917CJBXz7g==') ..
|
||||
ngx.decode_base64('dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=')
|
||||
local count = 5 + 1
|
||||
local len = (#input - #input % count) / count
|
||||
for i=0,#input-len,len do
|
||||
local s = myassert(cipher:update(string.sub(input, i+1, i+len)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(s)
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
-- this should throw error since we end in the middle
|
||||
local s, err = cipher:final()
|
||||
ngx.say(err)
|
||||
ngx.say(s)
|
||||
-- feed the last chunk of input
|
||||
local s = myassert(cipher:final(string.sub(input, #input -#input % count + 1, #input)))
|
||||
ngx.say("final")
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nothing
|
||||
abcdefghiabcdefg
|
||||
nothing
|
||||
hiabcdefghiabcde
|
||||
fghiabcdefghiabc
|
||||
nothing
|
||||
.+(wrong final block length|WRONG_FINAL_BLOCK_LENGTH)
|
||||
nil
|
||||
final
|
||||
defghi
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Derive key and iv
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-ecb"))
|
||||
|
||||
-- openssl enc -aes-256-ecb -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex() == "" and "no iv")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
FE91AF7782EDB48F32775BB2B72DD5ED
|
||||
1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
no iv
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Derive key and iv: salt, count and md is optional
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -nosalt -P -md sha1
|
||||
local key, iv = cipher:derive("xxx")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140
|
||||
20578C4FEF1AEE907B1DC95C776F8160
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: AEAD modes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_aead_tag())
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, nil, tag)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, aad, nil)
|
||||
ngx.say(r)
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
nil
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-ivlen-\n-padding-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(require("cjson").encode(myassert(c:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(c:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+ivlen.+
|
||||
.+padding.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("secret\nsecret\nnil")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_param("tag", 16))
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = tag}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = "wrong tag"}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
secret
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 16: Update with segements larger than 1024
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local count = 3
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(string.rep(tostring(i), 1024)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(string.rep("a", 1024)))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
local s = myassert(cipher:final(string.rep("1", 1024) ..
|
||||
string.rep("2", 1024) ..
|
||||
string.rep("3", 1024) ..
|
||||
string.rep("a", 1024)))
|
||||
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16))) -- should be same as above
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"XZElJKMyKzuvbYNf4Y0hAw==
|
||||
59Cw1+C6hHpfqsOn7PZ2Gw==
|
||||
t6oGLYvnjihoi+7tPfyK/A==
|
||||
final
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
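Review bot: no AEAD negative coverage is visible once this file goes (-1,517 +0,0). TEST 12 is where AES-256-GCM decrypt is checked to return nil when the AAD or the tag is missing, and TEST 15 is where a wrong tag set through set_params must make final() return nil. If resty.openssl.cipher stays in the tree after this merge, keep these cases or point to where they run now. If they are kept, have the two failing decrypts in TEST 12 also check err rather than only printing r, since any unrelated failure produces the same nil. TEST 3 also pins the text "cipher:update: cipher not initalized" as the error from cipher:final, so the expected output encodes the wrong method name.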
@ -1,96 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Can create a ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Can create a ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: Can free ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
myassert(ctx.free(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Can free ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
myassert(ctx.free())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate digest correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢", "🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest, err = require("resty.openssl.digest").new("sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"digest.new: invalid digest type \"sha257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
|
||||
myassert(digest:reset())
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("sha256"))
|
||||
ngx.say(myassert(d:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("{}\n-ssl3-ms-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("md5-sha1"))
|
||||
ngx.say(require("cjson").encode(myassert(d:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(d:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{}
|
||||
.+ssl3-ms.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- no good example to test
|
||||
ngx.say("skipped")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"skipped
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,39 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Don't cry if there's no error
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
ngx.print(format_error("fake function"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"fake function failed"
|
||||
--- no_error_log
|
||||
[error]
|
|
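Review bot: TEST 1 is the only case in this 39-line file and it covers just the no-error path of format_error ("fake function failed"), so removing it drops the only check on resty.openssl.err visible in this diff; if the module stays in the tree, keep the file and add a case where an OpenSSL error is actually queued, since that is the path callers depend on for diagnostics.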
@ -1,169 +0,0 @@
|
|||
local pkey = require "resty.openssl.pkey"
|
||||
local x509 = require "resty.openssl.x509"
|
||||
local name = require "resty.openssl.x509.name"
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
local bn = require "resty.openssl.bn"
|
||||
local digest = require "resty.openssl.digest"
|
||||
local BORINGSSL = require "resty.openssl.version".BORINGSSL
|
||||
local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X
|
||||
|
||||
local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name)
|
||||
local key = pkey.new(key_opts or {
|
||||
type = 'RSA',
|
||||
bits = 1024,
|
||||
})
|
||||
|
||||
local cert = x509.new()
|
||||
cert:set_pubkey(key)
|
||||
cert:set_version(3)
|
||||
|
||||
local now = os.time()
|
||||
cert:set_not_before(now)
|
||||
cert:set_not_after(now + 86400)
|
||||
|
||||
local nm = name.new()
|
||||
for k, v in pairs(names or {}) do
|
||||
assert(nm:add(k, v))
|
||||
end
|
||||
|
||||
assert(cert:set_subject_name(nm))
|
||||
assert(cert:set_issuer_name(issuing_name or nm))
|
||||
|
||||
assert(cert:set_basic_constraints { CA = is_ca })
|
||||
assert(cert:set_basic_constraints_critical(true))
|
||||
|
||||
if not is_ca then
|
||||
assert(cert:add_extension(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth")))
|
||||
|
||||
assert(cert:add_extension(assert(extension.new("subjectKeyIdentifier", "hash", {
|
||||
subject = cert,
|
||||
}))))
|
||||
end
|
||||
|
||||
local dgst
|
||||
if BORINGSSL then
|
||||
dgst = digest.new("SHA256")
|
||||
end
|
||||
assert(cert:sign(signing_key or key, dgst))
|
||||
|
||||
return cert, key
|
||||
end
|
||||
|
||||
local function to_hex(bin)
|
||||
local hex, err = bn.from_binary(bin):to_hex()
|
||||
if err then
|
||||
error(err)
|
||||
end
|
||||
return hex:upper()
|
||||
end
|
||||
|
||||
local function myassert(...)
|
||||
local ret = {...}
|
||||
local err = ret[#ret]
|
||||
if #ret > 1 and err then
|
||||
ngx.log(ngx.ERR, tostring(err))
|
||||
ngx.exit(0)
|
||||
end
|
||||
return ...
|
||||
end
|
||||
|
||||
-- https://github.com/openresty/lua-cjson/blob/461c7ef23a49062d4b1bf0e1afb3be294d007861/tests/sort_json.lua
|
||||
|
||||
-- NOTE: This will only work for simple tests. It doesn't parse strings so if
|
||||
-- you put any symbols like {?[], inside of a string literal then it will break
|
||||
-- The point of this function is to test basic structures, and not test JSON
|
||||
-- strings
|
||||
|
||||
local function sort_callback(str)
|
||||
local inside = str:sub(2, -2)
|
||||
|
||||
local parts = {}
|
||||
local buffer = ""
|
||||
local pos = 1
|
||||
|
||||
while true do
|
||||
if pos > #inside then
|
||||
break
|
||||
end
|
||||
|
||||
local append
|
||||
|
||||
local parens = inside:match("^%b{}", pos)
|
||||
if parens then
|
||||
pos = pos + #parens
|
||||
append = sort_callback(parens)
|
||||
else
|
||||
local array = inside:match("^%b[]", pos)
|
||||
if array then
|
||||
pos = pos + #array
|
||||
append = array
|
||||
else
|
||||
local front = inside:sub(pos, pos)
|
||||
pos = pos + 1
|
||||
|
||||
if front == "," then
|
||||
table.insert(parts, buffer)
|
||||
buffer = ""
|
||||
else
|
||||
append = front
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if append then
|
||||
buffer = buffer .. append
|
||||
end
|
||||
end
|
||||
|
||||
if buffer ~= "" then
|
||||
table.insert(parts, buffer)
|
||||
end
|
||||
|
||||
table.sort(parts)
|
||||
|
||||
return "{" .. table.concat(parts, ",") .. "}"
|
||||
end
|
||||
|
||||
local function sort_json(str)
|
||||
return (str:gsub("%b{}", sort_callback))
|
||||
end
|
||||
|
||||
local function encode_sorted_json(tbl)
|
||||
return sort_json(require("cjson").encode(tbl))
|
||||
end
|
||||
|
||||
local function create_cert_chain(depth, key_opts)
|
||||
local last_key, last_cn
|
||||
local certs, keys = {}, {}
|
||||
for i=1, depth do
|
||||
local cn, issuer
|
||||
if last_key then
|
||||
cn = "lua-resty-openssl Test Cert leaf " .. i - 1
|
||||
issuer = name.new()
|
||||
assert(issuer:add("CN", last_cn))
|
||||
else
|
||||
cn = "lua-resty-openssl Test Cert Root CA"
|
||||
end
|
||||
last_cn = cn
|
||||
|
||||
local crt, key = create_self_signed(key_opts,
|
||||
{ CN = cn }, i < depth, last_key, issuer)
|
||||
|
||||
certs[i] = crt
|
||||
keys[i] = key
|
||||
|
||||
last_key = key
|
||||
end
|
||||
|
||||
return certs, keys
|
||||
end
|
||||
|
||||
|
||||
return {
|
||||
create_self_signed = create_self_signed,
|
||||
to_hex = to_hex,
|
||||
myassert = myassert,
|
||||
encode_sorted_json = encode_sorted_json,
|
||||
create_cert_chain = create_cert_chain,
|
||||
}
|
|
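Review bot: the test files that follow in this diff load this module in init_by_lua_block (`_G.myassert = require("helper").myassert`, `_G.encode_sorted_json = require("helper").encode_sorted_json`), so the deletion is only safe if no surviving .t file still does; search the tree for require("helper") before merging, because a leftover caller fails at init rather than in a single test. If the helper is being moved instead, two things are worth fixing on the way: create_self_signed defaults to `bits = 1024` for RSA, and myassert treats the last return value as an error whenever more than one value comes back (`#ret > 1 and err`), which misfires on functions that legitimately return two values.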
@ -1,118 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate hmac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(hmac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac, err = require("resty.openssl.hmac").new("goose", "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"hmac.new:.+(?:invalid|unsupported).*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
|
||||
myassert(hmac:reset())
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
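Review bot: TEST 4 is the negative-path check here (hmac.new with "sha257" must return an error matching invalid|unsupported) and TEST 5 checks that reset() yields the same tag on reuse; dropping both with the file removes the guard against silently accepting an unknown digest name, so keep them if resty.openssl.hmac is still shipped. If the file is relocated, wrap the calls in TEST 2 in myassert as TEST 1 and TEST 3 do (`hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")` and `hmac:final()` are unchecked) and correct "vardiac" in its title.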
@ -1,457 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: kdf: invalid args are checked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key, err = kdf.derive({
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = "no",
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = 123,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = 19823718236128631,
|
||||
outlen = 16,
|
||||
pass = "123",
|
||||
})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kdf.derive: \"type\" must be set
|
||||
kdf.derive: expect a number as \"type\"
|
||||
kdf.derive: \"outlen\" must be set
|
||||
kdf.derive: except a string as \"pass\"
|
||||
kdf.derive: unknown type 19823718236128632
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: PBKDF2
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
pbkdf2_iter = 1000,
|
||||
md = "md5",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cDRFLQ7NWt\\+AP4i0TdBzog=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: PBKDF2, optional args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"HkN6HHnXW\\+YekRQdriCv/A=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: HKDF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("aqRd+gO5Ok3YneDEormTcg==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "some info",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_AND_EXPAND,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"aqRd+gO5Ok3YneDEormTcg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: HKDF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.say("aggdq4eoqRiP0Z3GbpxCjg==")
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version_num = version.version_num
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "info",
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
|
||||
if not version.OPENSSL_111_or_LATER then
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_ONLY,
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"aggdq4eoqRiP0Z3GbpxCjg==
|
||||
W/tSxFnNsHIYwXa13eybYhW9W3Y=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: TLS1-PRF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("0xr8qthU+ypv2xRC90la8g==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"0xr8qthU\\+ypv2xRC90la8g=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: TLS1-PRF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("XVVDK9/puTqBOsyTKt8PKQ==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"XVVDK9/puTqBOsyTKt8PKQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 8: scrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("9giFtxace5sESmRb8qxuOw==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.SCRYPT,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
scrypt_N = 1024,
|
||||
scrypt_r = 8,
|
||||
scrypt_p = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"9giFtxace5sESmRb8qxuOw=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: EVP_KDF API: new
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
myassert(kdf.new("PBKDF2"))
|
||||
local ok, err = kdf.new("UNKNOWNKDF")
|
||||
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+invalid mac type \"UNKNOWNKDF\".+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: EVP_KDF API: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.kdf")
|
||||
local c = myassert(cipher.new("hkdf"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 11: EVP_KDF API: derive
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: EVP_KDF API: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
ngx.say(require("cjson").encode(myassert(k:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(k:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: EVP_KDF API: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==\n18446744073709551615")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
-- output SIZE_MAX since it's not fixed size, need to find a better test case
|
||||
ngx.say(tostring(k:get_param("size", nil, "bn")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
18446744073709551615
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: EVP_KDF API: reset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-missing salt\ncDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
myassert(k:reset())
|
||||
local ok, err = k:derive(16, {
|
||||
pass = "1234567",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
myassert(k:set_params({
|
||||
iter = 100,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
iter = 1000,
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+missing salt
|
||||
cDRFLQ7NWt\+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
|
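Review bot: in TEST 5 the guard `if not version.OPENSSL_111_or_LATER then` uses a different casing from `version.OPENSSL_11_OR_LATER` a few lines earlier; if no field exists under that exact name the condition is always true, the test prints the canned "W/tSxFnNsHIYwXa13eybYhW9W3Y=" and exits, and the HKDEF_MODE_EXTRACT_ONLY derive is never executed. That matters only if these cases are being moved rather than dropped; if they are dropped, the merge removes the known-answer checks for PBKDF2, HKDF, TLS1-PRF and scrypt and the argument validation in TEST 1, which should be kept while resty.openssl.kdf is shipped. Also worth a second look when moving: TEST 9 expects kdf.new("UNKNOWNKDF") to report "invalid mac type", and TEST 1 pins the misspelt message `except a string as "pass"`.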
@ -1,188 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate mac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
mac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(mac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("mac.new: invalid cipher or digest type")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local mac, err = require("resty.openssl.mac").new("goose", "HMAC", nil, "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"mac.new: invalid cipher or digest type.*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(myassert(m:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(require("cjson").encode(myassert(m:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(m:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\n32")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
local s1 = myassert(mac:final("🦢"))
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("notthiskey", "HMAC", nil, "sha256"))
|
||||
myassert(mac:set_params({key = "goose"}))
|
||||
local s2 = myassert(mac:final("🦢"))
|
||||
|
||||
ngx.say(s1 == s2)
|
||||
ngx.say(myassert(mac:get_param("size")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
32
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
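Review bot: TEST 7 is the check that set_params({key = "goose"}) really replaces the key given to mac.new ("notthiskey") by comparing the two tags, and TEST 4 is the check that an unknown digest ("sha257") is rejected; both go away with this file, so keep them if resty.openssl.mac remains in the tree. Every case also starts with an `if not ... OPENSSL_3X` branch that prints the expected body and exits, so on pre-3.x builds the whole file passes without calling the module; a relocated version should skip those cases instead of echoing the answer.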
@ -1,81 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Convert nid to table
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(encode_sorted_json(o.nid2table(87)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Convert txt to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
local t = {
|
||||
ln = "X509v3 Basic Constraints",
|
||||
sn = "basicConstraints",
|
||||
id = "2.5.29.19"
|
||||
}
|
||||
local r = {}
|
||||
for k, v in pairs(t) do
|
||||
r[k] = o.txt2nid(v)
|
||||
end
|
||||
ngx.print(encode_sorted_json(r))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":87,"ln":87,"sn":87}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Convert sigid to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(o.find_sigid_algs(795)) -- ecdsa-with-SHA384
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
673
|
||||
--- no_error_log
|
||||
[error]
|
|
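Review bot: TEST 1 and TEST 2 compare JSON with `--- response_body_like eval`, so the expected string is treated as a regular expression and the dots in "2.5.29.19" match any character; since encode_sorted_json already makes the output deterministic, an exact `--- response_body eval` comparison is the tighter check if these cases are kept or moved. If they are simply dropped, the nid2table, txt2nid and find_sigid_algs lookups lose the checks shown here.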
@ -1,38 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Construct
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
ngx.say("TODO")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
TODO
|
||||
--- no_error_log
|
||||
[error]
|
|
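Review bot: TEST 1 ("Construct") only prints "TODO", so deleting this file loses no assertion, but it also means the module it was reserved for had no test before the merge and has none after; name that module in the commit message or open a follow-up so the gap is tracked.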
@ -1,262 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads password protected pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r = myassert(pkcs12.decode(pp, "badssl.com"))
|
||||
|
||||
ngx.say(r.key:get_parameters().d:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
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
|
||||
2B936CE32D82CE8B01FD9A0595AC6366AA014C82
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Errors on bad password
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r, err = pkcs12.decode(pp, "wrong password")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
|
||||
local r, err = pkcs12.decode(pp)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Creates pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
-- full house
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no name
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no CA
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- empty password
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Uses empty string password when omitted
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local p12 = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
}))
|
||||
|
||||
local r = myassert(pkcs12.decode(p12, nil))
|
||||
ngx.say(#r.key:get_parameters().x:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
ngx.say(#r.cacerts)
|
||||
ngx.say(r.friendly_name)
|
||||
-- same as empty string
|
||||
local r = myassert(pkcs12.decode(p12, ""))
|
||||
|
||||
-- password mismatch
|
||||
local r, err = pkcs12.decode(p12, "extrapassword")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'6\d
|
||||
0
|
||||
2
|
||||
myname
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Check cert and key mismatch
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local key2 = require("resty.openssl.pkey").new({ type = 'EC', curve = "prime256v1" })
|
||||
|
||||
local r, err = pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key2,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12")
|
||||
ngx.say(r == nil, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates pkcs12 with newer algorithm
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("2333")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
-- don't load the legacy provider for this test
|
||||
-- by default nid_key is RC2 and is moved to legacy provider in 3.0
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
nid_key = "aes-128-cbc",
|
||||
nid_cert = "aes-128-cbc",
|
||||
mac_iter = 2000,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
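Review bot: TEST 5 (cert and key mismatch) passes `cacerts = { ca1, ca2 }` to `pkcs12.encode`, but this block never defines `ca1` or `ca2`; TESTs 3, 4 and 6 load them from t/fixtures/GlobalSign.pem and t/fixtures/GlobalSign_sub.pem, while here they evaluate to nil and the table is empty. The mismatch error is still reached, but either load the two fixtures in this block or drop the `cacerts` field so the test exercises what it appears to. A smaller point: TEST 6 is the only case that avoids the legacy provider by setting `nid_key` and `nid_cert` to "aes-128-cbc", yet it only checks the output length; decoding the result with the same password would confirm the non-legacy path round-trips.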
File diff suppressed because it is too large
|
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\nnil\ntrue\nfalse\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
nil
|
||||
true
|
||||
false
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Self test default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("nil\ntrue\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local ok, err = p:self_test(n)
|
||||
ngx.say(ok)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
nil
|
||||
true
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Set default search path
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\ncommon libcrypto routines::init fail")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
pro.set_default_search_path("/tmp")
|
||||
local ok, err = pro.load("legacy")
|
||||
ngx.say(ok == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
.+(?:init fail|common libcrypto routines::reason\(524325\))
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Get parameters
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('{"buildinfo":"3.0.0-alpha7","name":"OpenSSL Default Provider","status":1,"version":"3.0.0"}')
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
local p = myassert(pro.load("default"))
|
||||
local a = assert(p:get_params("name", "version", "buildinfo", "status"))
|
||||
ngx.say(encode_sorted_json(a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{"buildinfo":"3.+","name":"OpenSSL Default Provider","status":1,"version":"3.+"}
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
|
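Review bot: TEST 3 calls `pro.set_default_search_path("/tmp")`, expects `pro.load("legacy")` to fail from there, and never restores the previous path. /tmp is shared and world-writable, so the result depends on what happens to be in it on the host; point the search path at an empty directory created for the test and reset it afterwards. In TESTs 1 and 2, `p:unload()` and `p:self_test(n)` are called without checking that `pro.load(n)` returned a provider, so a load failure shows up as an index-on-nil error instead of the printed `err`. The comment "after load it's available" in TEST 2 is carried over from TEST 1 and does not describe the `self_test` call below it.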
@ -1,80 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Geneartes random bytes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b)
|
||||
local b2, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b2)
|
||||
ngx.say(b == b2)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"233
|
||||
233
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes()
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes(true)
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes({})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
|
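Review bot: TEST 2 only covers non-number arguments to `rand.bytes` (no argument, `true`, `{}`); there is no case for zero, negative or fractional lengths, which is where a length passed down to the underlying library is most likely to misbehave. Add those cases with their expected error or result. The TEST 1 title has a typo ("Geneartes" should be "Generates"), and its `b == b2` check on two 233-byte reads only shows the outputs differ, which is fine as a smoke test but worth saying in the title.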
@ -1,281 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (client) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c1.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c1.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (client) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c2.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c2.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
local crt = chain[1]
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
1
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (client) set cipher suites [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 4: SSL (client) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c4.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-GCM-SHA384.*
|
||||
ECDHE-RSA-AES256-GCM-SHA384
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (client) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c5.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c5.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (client) set_verify and add_client_ca [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (client) set/get/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c7.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c7.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_NO_QUERY_MTU.+SSL_OP_PRIORITIZE_CHACHA.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (client) set_protocols [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
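Review bot: Every client block calls `sock:sslhandshake(nil, "test.com")` without the third (verify) argument, which ngx_lua treats as false, so the peer certificate that TESTs 1 and 2 read back is never validated, even though the preamble sets `lua_ssl_trusted_certificate` to t/fixtures/test.crt. Passing `true` as the third argument would make the tests cover the verified path that the trusted-certificate setting implies. TESTs 3, 6 and 8 are empty `content_by_lua_block` placeholders gated by `skip_nginx` with `2: < 9.9.9`, and `$ClientContentBy` is declared empty and never used; these could be removed or replaced with a short comment saying why the client side is not tested. The fixed socket paths under /tmp (`unix:/tmp/nginx-c1.sock` and so on) will also collide if two runs share a host.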
@ -1,97 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-sctx1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl_ctx = require "resty.openssl.ssl_ctx"
|
||||
local sc = assert(ssl_ctx.from_request())
|
||||
assert(sc:set_alpns({"h4"}))
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ngx_pipe = require "ngx.pipe"
|
||||
local opts = {
|
||||
merge_stderr = true,
|
||||
buffer_size = 256000,
|
||||
}
|
||||
local proc = ngx_pipe.spawn({'bash', '-c', "echo q | openssl s_client -unix /tmp/nginx-sctx1.sock -alpn h4 && sleep 0.1"}, opts)
|
||||
local data, err, partial = proc:stdout_read_all()
|
||||
if ngx.re.match(data, "ALPN protocol: h4") then
|
||||
ngx.say("ok")
|
||||
else
|
||||
ngx.say(data)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
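Review bot: TEST 1 is titled "SSL (server) get peer certificate" but the block tests `sc:set_alpns({"h4"})` through `ssl_ctx.from_request()`; rename it so a failure report points at ALPN. In the client location, `proc:stdout_read_all()` returns `data, err, partial`, and `data` is passed straight to `ngx.re.match` without checking `err`, so a failed or truncated read raises inside the handler rather than printing a useful message. The test also shells out to `bash` and `openssl s_client`, which ties the result to whatever openssl binary is on PATH rather than the library under test; worth a note in the file, or a skip when the binary is missing.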
@ -1,375 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s1.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (server) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s2.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s2.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
0
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (server) set cipher suites (TLSv1.3 set_ciphersuites not tested)
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s3.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_cipher_list("ECDHE-RSA-AES256-SHA"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-s3.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-SHA.*
|
||||
ECDHE-RSA-AES256-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 4: SSL (server) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
ngx.say(ciphers)
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s4.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES128-SHA.*
|
||||
ECDHE-RSA-AES128-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (server) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s5.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s5.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (server) set_verify and add_client_ca [tested in get_peer_cert]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (server) get/set/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s7.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s7.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_CIPHER_SERVER_PREFERENCE.+SSL_OP_NO_QUERY_MTU.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (server) set_protocols [skipped; need clienthello_by]
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s8.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_protocols TLSv1.3;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_protocols("TLSv1.2"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s8.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
proxy_ssl_protocols TLSv1.2;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
|
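Review bot: TEST 8 (set_protocols) configures the server with `ssl_protocols TLSv1.3`, calls `sess:set_protocols("TLSv1.2")` in `ssl_certificate_by_lua_block`, proxies with `proxy_ssl_protocols TLSv1.2`, and then only prints "ok". Even with the `skip_nginx` gate lifted it would prove that a handshake completed, not which protocol was negotiated; the content block should report the negotiated version and the expectation should match on it. In TEST 2, `local ciphers = myassert(sess:get_ciphers())` is assigned and never used. TESTs 1 and 2 call `sess:set_verify(ssl.SSL_VERIFY_PEER, nil)` and rely on the proxy presenting t/fixtures/test.crt; there is no negative case where the client presents no certificate or an untrusted one, which is the behaviour `set_verify` exists to control.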
@ -1,56 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Prints version text properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version_text)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Prints version text using version()
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version(version.VERSION))
|
||||
ngx.say(version.version(version.CFLAGS))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
compiler:.+
|
||||
--- no_error_log
|
||||
[error]
|
|
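Review bot: the header `-1,56 +0,0` removes this file whole, and with it both checks on `resty.openssl.version` (TEST 1 on `version.version_text`, TEST 2 on `version.version(version.VERSION)` and `version.version(version.CFLAGS)`); nothing in the visible lines says whether the module itself is removed too. If the module stays in the tree, keep the tests. If they are carried forward elsewhere, escape the dots in `(OpenSSL \d.\d.\d.+|BoringSSL)`, since as written `\d.\d.\d` accepts any character between the digits.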
@ -1,988 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejectes invalid cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local p, err = x509.new(true)
|
||||
ngx.say(err)
|
||||
p, err = x509.new("222")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"expect nil or a string at #1
|
||||
x509.new: .*(not enough data|NOT_ENOUGH_DATA)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Calculates cert digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:digest())
|
||||
|
||||
local h = string.upper(myassert(require("helper").to_hex(dd)))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Calculates pubkey digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:pubkey_digest())
|
||||
|
||||
local h, err = string.upper(require("helper").to_hex(dd))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"607B661A450D97CA89502F7D04CD34A8FFFCFD4B
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Gets extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ext, pos = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(pos)
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"5
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local c, err = require("resty.openssl.x509").new()
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"extendedKeyUsage", "TLS Web Server Authentication"
|
||||
))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"keyUsage", "Digital Signature, Key Encipherment"
|
||||
))
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"Digital Signature, Key Encipherment
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Reads basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ok = myassert(c:set_basic_constraints({
|
||||
CA = false,
|
||||
pathLen = 233,
|
||||
}))
|
||||
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Get authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
myassert(aia:add("OCSP", "URI", "http://somedomain.com"))
|
||||
|
||||
myassert(c:set_info_access(aia))
|
||||
|
||||
local aia = myassert(c:get_info_access())
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
OCSP - URI:http://somedomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Get CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local cdp = myassert(c:get_crl_distribution_points())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, altname in pairs(cdp) do
|
||||
for k, v in pairs(altname) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"URI http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
URI http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Set CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- NYI
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: Get OCSP url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url(true))
|
||||
ngx.say(encode_sorted_json(ocsp))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://ocsp.digicert.com
|
||||
["http:\/\/ocsp.digicert.com"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: Get CRL url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
|
||||
local crl = myassert(c:get_crl_url(true))
|
||||
ngx.say(encode_sorted_json(crl))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
["http:\/\/crl3.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl","http:\/\/crl4.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: Get non existend extension, return nil, nil
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
ngx.say(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed({ type = "EC", curve = "prime256v1" })
|
||||
local ok, err = cert:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ok, err = c:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = cert:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 20: x509:get_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0E8BF3770D92D196F0BB61F93C4166BE"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509:set_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.bn").new(math.random(1, 2333333)))
|
||||
local ok = myassert(c:set_serial_number(toset))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
toset = toset:to_hex():upper()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509:get_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1616630400"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 23: x509:set_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_before(toset))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509:get_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1648684799"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509:set_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_after(toset))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 26: x509:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErfb3dbHTSVQKXRBxvdwlBksiHKIj
|
||||
Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 27: x509:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 28: x509:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=github.com/L=San Francisco/O=GitHub, Inc./ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 29: x509:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 30: x509:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1/O=DigiCert, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 31: x509:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 32: x509:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 33: x509:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 34: x509:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=github.com/DNS=www.github.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 35: x509:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 37: x509:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 38: x509:get/set_basic_constraints_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_basic_constraints_critical())
|
||||
|
||||
local ok, err = myassert(c:set_basic_constraints_critical(not crit))
|
||||
|
||||
ngx.say(c:get_basic_constraints_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 39: x509:get/set_info_access_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_info_access_critical())
|
||||
|
||||
local ok, err = myassert(c:set_info_access_critical(not crit))
|
||||
|
||||
ngx.say(c:get_info_access_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 40: x509:get/set_crl_distribution_points_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_crl_distribution_points_critical())
|
||||
|
||||
local ok, err = myassert(c:set_crl_distribution_points_critical(not crit))
|
||||
|
||||
ngx.say(c:get_crl_distribution_points_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 41: x509:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
794
|
||||
ecdsa-with-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
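Review bot: the negative-path checks disappear with this whole-file removal (`-1,988 +0,0`): TEST 2 and TEST 3 (loading PEM as DER and DER as PEM must fail), TEST 4 (`x509.new(true)` and `x509.new("222")` rejected) and TEST 19 (`check_private_key` reporting key type and key values mismatch). If `resty.openssl.x509` remains in the tree after the merge, those are the cases worth keeping, and the merge should say why the suite is dropped. Two things to fix if the file is restored or moved: TEST 15 is an `-- NYI` stub that passes without asserting anything, and the numbering jumps from TEST 35 to TEST 37.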
@ -1,238 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(c:count())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS 0.com
|
||||
DNS 1.com
|
||||
DNS 2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
local k, v = unpack(c[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
if cc ~= nil then
|
||||
local k, v = unpack(cc)
|
||||
ngx.say(k, " ", v)
|
||||
else
|
||||
ngx.say("incorrectly GC'ed")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local c2 = myassert(altname.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
local k, v = unpack(c2[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Unsupported SANs are returned as "unsupported"
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
|
||||
local ext, err = myassert(extension.new("subjectAltName", "otherName:msUPN;UTF8:sb@sb.local,IP.1:255.255.255.255,IP.2:1111:1111:1111:1111:1111:1111:1111:1111,DNS:example.com,email:test@test.com,RID:1.2.3.4"))
|
||||
|
||||
local c = x509.new()
|
||||
|
||||
myassert(c:add_extension(ext))
|
||||
|
||||
local alts = myassert(c:get_subject_alt_name())
|
||||
|
||||
for k, v in pairs(alts) do
|
||||
ngx.say(k, ":", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
OtherName:OtherName:<unsupported>
|
||||
IP:255.255.255.255
|
||||
IP:1111:1111:1111:1111:1111:1111:1111:1111
|
||||
DNS:example.com
|
||||
email:test@test.com
|
||||
RID:RID:<unsupported>
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: IP addresses are validated and parsed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
myassert(c:add("IP", "1.2.3.4"))
|
||||
myassert(c:add("IPAddress", "100.100.100.100"))
|
||||
myassert(c:add("IP", "255.255.255.255"))
|
||||
myassert(c:add("IP", "::1"))
|
||||
myassert(c:add("IP", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
|
||||
for _, v in ipairs({"1", ":::", "ffff:", "256.1.1.1"}) do
|
||||
local _, err = c:add("IP", v)
|
||||
if err == nil then
|
||||
ngx.say("should error on " .. v)
|
||||
end
|
||||
end
|
||||
|
||||
ngx.say(c:tostring())
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
IP=1.2.3.4/IP=100.100.100.100/IP=255.255.255.255/IP=::1/IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
--- no_error_log
|
||||
[error]
|
|
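Review bot: TEST 4 assigns `cert = nil` before `collectgarbage("collect")`, but no `cert` exists in that block (the entry was added with `c:add("DNS", "example.com")`), so the line only writes a global and the test does not exercise the "duplicated when added to stack" case its title names. The chain test of the same name further down defines `cert` as a local and drops it for real. If this file is kept anywhere, remove the stray assignment or hold the added value in a local and clear that before the collect.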
@ -1,173 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
end
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(#cc:digest())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
20
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#c[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#cc:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local c2 = myassert(chain.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(#c2[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
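Review bot: removing this file (`-1,173 +0,0`) drops TEST 4 to TEST 6, the only checks here that a certificate read from the stack is still usable after its owner is cleared and `collectgarbage("collect")` runs (`cert = nil`, `c = nil`, `chain.dup(c.ctx)`). Those tests guard object lifetime across garbage collection, so confirm that `resty.openssl.x509.chain` leaves the tree in the same change or that equivalent tests still run against it.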
@ -1,507 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: x509.crl:add_revoked should add revoked to crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
return
|
||||
end
|
||||
|
||||
local ok = myassert(c:add_revoked(r))
|
||||
if ok ~= true then
|
||||
ngx.say("Could not add revoked")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: x509.crl:add_revoked should fail if revoked is not instance of revoked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local ok, err = c:add_revoked({ctx ={}})
|
||||
if ok ~= false then
|
||||
ngx.say("false")
|
||||
elseif err ~= "x509.crl:add_revoked: expect a revoked instance at #1" then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.crl:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
c:add_revoked(r)
|
||||
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: x509.crl:text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
ngx.say(myassert(c:text()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"Certificate Revocation List.+Revoked Certificates.+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.crl metamethods
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2")
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:index(1))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = c[1]
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local r = myassert(revoked.new(0x04D2, 1511122233, 1))
|
||||
myassert(c:add_revoked(r))
|
||||
|
||||
ngx.say(#c, ", ", c:count())
|
||||
for _, rr in ipairs(c) do
|
||||
ngx.say(rr.serial_number:upper(), ", ", rr.revocation_date)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
2, 2
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
04D2, 1511122233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.crl get_by_serial
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3"))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = myassert(c:get_by_serial(require("resty.openssl.bn").from_hex("09159859CAC0C90203BB34C5A012C2A3")))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local nos, err = c:get_by_serial("111111")
|
||||
ngx.say(nos == nil, err == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
truetrue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: x509.crl doesn't error if revoked is empty (regression)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/no_revoked.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(tostring(k))
|
||||
end
|
||||
-- above should print nothing
|
||||
|
||||
ngx.say(c:get_last_update())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1652832000
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 11: x509.crl:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=CN/CN=TrustAsia EV TLS Pro CA G2/O=TrustAsia Technologies, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.crl:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: x509.crl:get_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1580684546"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: x509.crl:set_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_last_update(toset))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: x509.crl:get_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1581289346"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.crl:set_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_next_update(toset))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.crl:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.crl:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.crl:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
668
|
||||
RSA-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
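Review bot: TEST 8 and TEST 9 return early under `require("resty.openssl.version").OPENSSL_10` by printing the expected body verbatim and calling `ngx.exit(0)`, so on that build they pass without parsing the CRL or calling `get_by_serial` at all. The numbering also jumps from TEST 18 to TEST 20, and the TEST 20 title reads `get_get_signature_name` while the body calls `get_signature_nid`, `get_signature_name` and `get_signature_digest_name`. Since the header (`-1,507 +0,0`) removes the file, confirm that revocation lookup and the `add_revoked` type check from TEST 5 are still tested wherever `resty.openssl.x509.crl` remains in use; if the file is restored, skip those two tests on 1.0 instead of echoing the answer.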
@ -1,56 +0,0 @@
|
|||
|
||||
local function create_csr(domain_pkey, ...)
|
||||
local domains = {...}
|
||||
|
||||
local subject = require("resty.openssl.x509.name").new()
|
||||
local _, err = subject:add("CN", domains[1])
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local alt, err
|
||||
if #{...} > 1 then
|
||||
alt, err = require("resty.openssl.x509.altname").new()
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
for _, domain in pairs(domains) do
|
||||
_, err = alt:add("DNS", domain)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
local _
|
||||
_, err = csr:set_subject_name(subject)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
if alt then
|
||||
_, err = csr:set_subject_alt_name(alt)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
|
||||
_, err = csr:set_pubkey(domain_pkey)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("SHA256")
|
||||
_, err = csr:sign(domain_pkey, d)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
return csr:tostring("DER"), nil
|
||||
end
|
||||
|
||||
return {
|
||||
create_csr = create_csr,
|
||||
}
|
|
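Review bot: `create_csr` only builds a subjectAltName when more than one domain is passed (`if #{...} > 1 then`), so a single-domain request carries its name in CN alone, and the SAN entries are added with `pairs(domains)`, whose iteration order is not guaranteed. The results of `require("resty.openssl.x509.csr").new()` and `require("resty.openssl.digest").new("SHA256")` are also used without an error check, unlike every other call in the function. The hunk deletes the helper (`-1,56 +0,0`), which is fine provided nothing left in the tree still does `require("csr")`; the callers visible here are TEST 4 and TEST 14 of the csr test file removed in the next hunk. If the helper is kept, always emit the SAN, iterate with `ipairs`, and check both constructors.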
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Generates CSR with RSA pkey correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new()
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(der)
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -inform der -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+CN\\s*=\\s*dns1.com.+rsaEncryption.+2048 bit.+DNS:dns1.com.+DNS:dns2.com.+DNS:dns3.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
ok, err = csr:set_subject_name("not a subject")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_subject_alt_name("not an alt")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_pubkey("not a pkey")
|
||||
ngx.say(err)
|
||||
ok, err = csr:sign("not a pkey")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"x509.csr:set_subject_name: expect a x509.name instance at #1
|
||||
x509.csr:set_subject_alt_name: expect a x509.altname instance at #1
|
||||
x509.csr:set_pubkey: expect a pkey instance at #1
|
||||
x509.csr:sign: expect a pkey instance at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.csr:get_extensions of csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local exts = c:get_extensions()
|
||||
if #exts == 0 then
|
||||
ngx.print("0")
|
||||
else
|
||||
ngx.print("4")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"4"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: x509.csr:get_extension by nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, pos = c:get_extension(83)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
|
||||
local ext = c:get_extension(83, pos)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.csr:get_extension by nid name
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext = c:get_extension('basicConstraints')
|
||||
if not ext then
|
||||
ngx.print("nil")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.csr:get_extension should return nil if wrong nid name is given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, err = c:get_extension('test')
|
||||
if not ext then
|
||||
ngx.print("ok")
|
||||
else
|
||||
ngx.print(err)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(c:tostring())
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"DNS:example.com.+DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.csr:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new({ type = "EC", curve = "prime256v1" })
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
local csr = myassert(require("resty.openssl.x509.csr").new(der))
|
||||
local ok, err = csr:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ok, err = c:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = csr:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 15: x509.csr:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=example.com/L=Los Angeles/O=SSL Support/OU=SSL Support/ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.csr:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.csr:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GD
|
||||
CNL5NhDX2JVUQKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUz
|
||||
KoTt5yLdVIM/HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgD
|
||||
cdbcQ5wsPVOiFHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyf
|
||||
gGS4+XQSsUdwNWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1
|
||||
f3rlwf8H5HIVH3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJE
|
||||
cwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.csr:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: x509.csr:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.csr:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509.csr:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=example.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509.csr:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509.csr:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509.csr:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
65
|
||||
RSA-SHA1
|
||||
SHA1
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
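Review bot: TEST 10 writes the CSR to a file named `"ci_" .. math.floor(ngx.now() * 1000)` in the working directory and concatenates that name into the `io.popen("openssl req -in " .. fname .. " -noout -text", 'r')` command, with no check on the `io.open(fname, "wb")` result and no cleanup path if the write or the popen fails. A nil handle would raise on `f:write` and leave the real cause unreported, and two runs in the same millisecond would share a file name. Wrap the `io.open` call in `myassert`, take the name from `os.tmpname()`, and run `os.remove(fname)` even when the `openssl` call returns nothing. Smaller points in the same file: the TEST 25 title reads `get_get_signature_name`, the numbering skips 13 and 23, and in TEST 12 the `if ok == false` branch cannot be reached because `myassert` has already wrapped `c:sign(p, d)`.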
@ -1,379 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Gets extension object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
|
||||
ngx.say(encode_sorted_json(myassert(c:get_object())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.37","ln":"X509v3 Extended Key Usage","nid":126,"sn":"extendedKeyUsage"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Gets extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Extended Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Set extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
myassert(c:set_critical())
|
||||
ngx.say(c:get_critical())
|
||||
|
||||
myassert(c:set_critical(true))
|
||||
ngx.say(c:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Prints human readable txt of extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:text())
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(extension))
|
||||
|
||||
-- unknown extension
|
||||
local objects = require("resty.openssl.objects")
|
||||
local id_pe_acmeIdentifier = "1.3.6.1.5.5.7.1.31"
|
||||
local nid = objects.txt2nid(id_pe_acmeIdentifier)
|
||||
if not nid or nid == 0 then
|
||||
nid = objects.create(
|
||||
id_pe_acmeIdentifier, -- nid
|
||||
"pe-acmeIdentifier", -- sn
|
||||
"ACME Identifier" -- ln
|
||||
)
|
||||
end
|
||||
local ext = myassert(require("resty.openssl.x509.extension").from_der("valuevalue", nid, true))
|
||||
ngx.say("ACME Identifier: ", tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
.?ACME Identifier: valuevalue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates extension by X509V3_CTX
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local x509 = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.crt"):read("*a")
|
||||
local ic = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.key"):read("*a")
|
||||
local ik = myassert(require("resty.openssl.pkey").new(f))
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("subjectKeyIdentifier", "hash",
|
||||
{
|
||||
subject = x509,
|
||||
}))
|
||||
|
||||
ngx.say(tostring(c))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
}))
|
||||
|
||||
if tostring(c) ~= "0." then
|
||||
ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
|
||||
end
|
||||
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
issuer_pkey = ik,
|
||||
}))
|
||||
-- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
|
||||
ngx.print("keyid:")
|
||||
else
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = ic,
|
||||
}))
|
||||
end
|
||||
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Creates extension by data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.17","ln":"X509v3 Subject Alternative Name","nid":85,"sn":"subjectAltName"}
|
||||
DNS:test.com, DNS:test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Convert extension to data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local alt2 = myassert(extension.to_data(c, 85))
|
||||
ngx.say(alt2:tostring())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'DNS=test.com/DNS=test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Creates extension by der
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_der("\x00\x01\x02\x03", "basicConstraints"))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say([[
|
||||
{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
]])
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
|
||||
[[
|
||||
[polsect]
|
||||
policyIdentifier = 1.3.5.8
|
||||
CPS.1="http://my.host.name/"
|
||||
CPS.2="http://my.your.name/"
|
||||
userNotice.1=@notice
|
||||
|
||||
[notice]
|
||||
explicitText="Explicit Text Here"
|
||||
organization="Organisation Name"
|
||||
noticeNumbers=1,2,3,4
|
||||
]]
|
||||
))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Returns DER encoded data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"041427B17E9FBB269950D8F3C3535BFE3116B0BB1E72
|
||||
308182302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305A06082B06010505073002864E687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274486967684173737572616E6365544C53487962726964454343534841323536323032304341312E637274
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
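Review bot: nothing in the visible part of this merge replaces the coverage that goes away with this whole-file deletion (`-1,379 +0,0`), in particular the critical-flag checks in TEST 3 and TEST 4 and the OpenSSL 3.x `authorityKeyIdentifier` branch in TEST 6. If `resty.openssl.x509.extension` is still shipped or vendored after the merge, please say where these cases now live; if the module is removed as well, note that in the merge description. Should the tests be carried over, two of them share the title "Creates extension by nconf" (TEST 1 and TEST 10), and in TEST 5 the first argument to `objects.create` is commented `-- nid` although it is the OID string `1.3.6.1.5.5.7.1.31`.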
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
|
||||
collectgarbage()
|
||||
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(cc:text())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
ext = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(cc:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local c2 = myassert(extensions.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(c2[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
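Review bot: TEST 4, TEST 5 and TEST 6 are lifetime regression checks for the FFI-backed stack (each drops a reference, calls `collectgarbage("collect")`, then reads the surviving element), and they disappear with this whole-file deletion (`-1,180 +0,0`). Those are the cases that would catch a use-after-free in `extensions.add`, indexing, or `extensions.dup(c.ctx)`, so please confirm the module is no longer in the tree or point to the replacement tests. If they are kept elsewhere, TEST 2 through TEST 6 should wrap `extension_lib.new(...)` in `myassert` as TEST 1 does for `extensions.new()`, so that a failed constructor is reported at the call site.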
@ -1,139 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct X509_name_st X509_NAME; void X509_NAME_free(X509_NAME *name);')
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local name2 = myassert(require("resty.openssl.x509.name").dup(name.ctx))
|
||||
|
||||
name = nil
|
||||
collectgarbage("collect")
|
||||
-- if name2.ctx is also freed this following will segfault
|
||||
local _ = myassert(name2:add("CN", "example.com"))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Rejects invalid NID
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name, err = name:add("whatever", "value")
|
||||
ngx.say(name == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.name:add: invalid NID text whatever
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Finds by text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name = myassert(name:add("CN", "example.com"))
|
||||
|
||||
name = myassert(name:add("CN", "anotherdomain.com"))
|
||||
|
||||
local a, b, c = name:find("CN")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("2.5.4.3")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("CM")
|
||||
if not a then
|
||||
ngx.say("not found")
|
||||
end
|
||||
local a, b, c = name:find("CN", 1)
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"found 1 example.com
|
||||
found 1 example.com
|
||||
not found
|
||||
found 2 anotherdomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Pairs
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local CNs = 3
|
||||
for i=1,CNs,1 do
|
||||
name = myassert(name:add("CN", string.format("%d.example.com", i)))
|
||||
end
|
||||
local others = { "L", "ST", "O" }
|
||||
for _, k in ipairs(others) do
|
||||
name = myassert(name:add(k, "Mars"))
|
||||
end
|
||||
ngx.say(#name)
|
||||
for k, v in pairs(name) do
|
||||
ngx.print(v.nid .. ",")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"6
|
||||
13,13,13,15,16,17,"
|
||||
--- no_error_log
|
||||
[error]
|
|
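Review bot: TEST 1 is the only visible guard against the double free described in its own comment ("if name2.ctx is also freed this following will segfault"), and it is removed with the rest of the file (`-1,139 +0,0`). Please confirm that `resty.openssl.x509.name` leaves the tree with this merge or that the `dup` lifetime check is kept somewhere else. If the tests move, TEST 2 assigns `name, err = name:add("whatever", "value")` without `local` on `err`, which creates a global inside `content_by_lua_block`, and TEST 3 binds an unused third return value `c` from every `name:find` call.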
@ -1,69 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1:revoked.new should create new revoked instance
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local time = ngx.time()
|
||||
local r, err = myassert(revoked.new(1234, time, 1))
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2:revoked.new should fail when invalid parameters are given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local toset = ngx.time()
|
||||
local r, err = revoked.new("1234", toset, 40)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.revoked.new: sn should be number or a bn instance
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,414 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates store properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local c = myassert(store.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Loads a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads default location
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
myassert(s:use_default())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Loads file
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok, err = s:load_file("certnonexistent.pem")
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
os.execute("echo > cert4-empty.pem")
|
||||
local ok, err = s:load_file("cert4-empty.pem")
|
||||
ngx.say(ok)
|
||||
-- we only get detailed error for "no certificate found" on >= 1.1.1
|
||||
ngx.say(err)
|
||||
os.remove("cert4-empty.pem")
|
||||
local cert, _ = require("helper").create_self_signed()
|
||||
local f = io.open("cert4.pem", "w")
|
||||
f:write(cert:tostring())
|
||||
f:close()
|
||||
local ok = myassert(s:load_file("cert4.pem"))
|
||||
os.remove("cert4.pem")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
x509.store:load_file.+system lib.*
|
||||
false
|
||||
x509.store:load_file.+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Verifies a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert1, key1 = require("helper").create_self_signed()
|
||||
local cert2, key2 = require("helper").create_self_signed()
|
||||
local cert3, key3 = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert1))
|
||||
|
||||
local ok = myassert(s:add(cert2))
|
||||
|
||||
local chain = myassert(s:verify(cert1, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
local chain, err = s:verify(cert3, nil, true)
|
||||
ngx.say(err)
|
||||
ngx.say(chain == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
(?:self signed|self-signed) certificate
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: Using default CAs (skip due to hard to setup on custom-built openssl env)
|
||||
--- SKIP
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:use_default())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Loads directory
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:load_directory("/etc/ssl/certs"))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Verifies sub cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
for _, c in ipairs(chain) do
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set purpose
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("crlsign"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Set depth
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[1]))
|
||||
local ch = chain.new()
|
||||
for i=2, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should be ok
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
-- in openssl < 1.1.0, depth are counted 1 more than later versions
|
||||
-- we set it to be one less than enough to be prune to that case
|
||||
myassert(s:set_depth(1))
|
||||
-- openssl 1.0.2 will emit "unable to get local issuer certificate"
|
||||
-- instead of "certificate chain too long"
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"truenil
|
||||
nil(?:certificate chain too long|unable to get local issuer certificate)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Verify with verify_method
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "ssl_client")
|
||||
ngx.say(ok, err)
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
nil(?:unsupported|unsuitable) certificate purpose
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Set flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
myassert(s:set_flags(s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set verify time flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
ngx.say(s:verify(certs[#certs], ch, false, nil, nil, s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -63,9 +63,6 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
|
|||
ln -s /proc/1/fd/1 /var/log/letsencrypt/letsencrypt.log && \
|
||||
chmod 660 /usr/share/bunkerweb/INTEGRATION
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
WORKDIR /usr/share/bunkerweb/scheduler
|
||||
|
|
|
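Review bot: Dropping the `# Fix CVEs` step removes the only lower bound on `libcrypto3` and `libssl3` (`>=3.0.8-r2`) in this image, and the `apk add --no-cache bash libgcc libstdc++ openssl` shown in the hunk header installs whatever version the base image's repository provides. Before merging, confirm that the base image already ships 3.0.8-r2 or later, or keep the constraint and fold it into the existing `apk add --no-cache` line so it does not add a separate layer.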
@ -76,7 +76,7 @@ class JobScheduler(ApiCaller):
|
|||
|
||||
def __reload(self):
|
||||
reload = True
|
||||
if self.__integration == "Linux":
|
||||
if self.__integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
|
||||
self.__logger.info("Reloading nginx ...")
|
||||
proc = run(
|
||||
["nginx", "-s", "reload"], stdin=DEVNULL, stderr=PIPE, env=self.__env
|
||||
|
|
|
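Review bot: The new guard `if self.__integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):` in `__reload` is a deny-list, so any value other than those four, including an empty or misspelled integration string, now runs the local `nginx -s reload` where only `"Linux"` did before. If that widening is intended, say so in a comment; otherwise compare against an explicit set of local integrations. The same tuple is repeated in the other hunks of this commit, so a single named constant would keep the guards from drifting apart.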
@ -6,6 +6,7 @@ from glob import glob
|
|||
from os import (
|
||||
_exit,
|
||||
chmod,
|
||||
environ,
|
||||
getenv,
|
||||
getpid,
|
||||
listdir,
|
||||
|
@ -105,7 +106,7 @@ def generate_custom_configs(
|
|||
Path(dirname(tmp_path)).mkdir(parents=True, exist_ok=True)
|
||||
Path(tmp_path).write_bytes(custom_config["data"])
|
||||
|
||||
if integration != "Linux":
|
||||
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
|
||||
logger.info("Sending custom configs to BunkerWeb")
|
||||
ret = api_caller._send_files("/data/configs", "/custom_configs")
|
||||
|
||||
|
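Review bot: Reading the two adjacent `if` lines as old then new, the guard on the custom-config upload goes from `integration != "Linux"` to `integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker")`, which is the opposite test for every named integration: with `"Docker"` the old condition is true and the new one is false, and with `"Linux"` the reverse. Elsewhere in this commit the same tuple replaces `== "Linux"`, so here it looks like the negation was lost. If `_send_files("/data/configs", "/custom_configs")` is still meant to run for the container integrations, the condition should be `integration in (...)`.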
@ -136,7 +137,7 @@ def generate_external_plugins(
|
|||
st = stat(job_file)
|
||||
chmod(job_file, st.st_mode | S_IEXEC)
|
||||
|
||||
if integration != "Linux":
|
||||
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
|
||||
logger.info("Sending plugins to BunkerWeb")
|
||||
ret = api_caller._send_files("/data/plugins", "/plugins")
|
||||
|
||||
|
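Review bot: The plugin upload guard in `generate_external_plugins` changes from `integration != "Linux"` to `integration not in (...)`, so, reading the lines as old then new, `_send_files("/data/plugins", "/plugins")` stops running for Autoconf, Swarm, Kubernetes and Docker and starts running for Linux. Please confirm which integrations are meant to push plugins over the API, and pin that choice with a comment or a test so the guard cannot flip again unnoticed.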
@ -214,13 +215,6 @@ if __name__ == "__main__":
|
|||
"Kubernetes",
|
||||
"Autoconf",
|
||||
):
|
||||
# err = db.set_autoconf_load(False)
|
||||
# if err:
|
||||
# success = False
|
||||
# logger.error(
|
||||
# f"Can't set autoconf loaded metadata to false in database: {err}",
|
||||
# )
|
||||
|
||||
while not db.is_autoconf_loaded():
|
||||
logger.warning(
|
||||
"Autoconf is not loaded yet in the database, retrying in 5s ...",
|
||||
|
@ -327,7 +321,7 @@ if __name__ == "__main__":
|
|||
while True:
|
||||
# Instantiate scheduler
|
||||
scheduler = JobScheduler(
|
||||
env=deepcopy(env),
|
||||
env=deepcopy(env) | environ,
|
||||
apis=api_caller._get_apis(),
|
||||
logger=logger,
|
||||
integration=integration,
|
||||
|
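Review bot: `env=deepcopy(env) | environ` gives the right-hand operand precedence, so any variable set in the scheduler's process environment silently overrides the same key in the `env` built from configuration, and the whole process environment is handed to `JobScheduler`. The `__reload` hunk earlier in this commit passes `env=self.__env` to the `nginx -s reload` subprocess, so anything sensitive in the scheduler's environment reaches that child as well. If configuration should win, swap the operands (`environ | deepcopy(env)`); better still, copy only the variables the jobs need. The `|` merge also requires Python 3.9 or later.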
@ -383,7 +377,7 @@ if __name__ == "__main__":
|
|||
logger.info("Successfully sent /data/cache folder")
|
||||
|
||||
# restart nginx
|
||||
if integration == "Linux":
|
||||
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
|
||||
# Stop temp nginx
|
||||
logger.info("Stopping temp nginx ...")
|
||||
proc = subprocess_run(
|
||||
|
@ -467,7 +461,7 @@ if __name__ == "__main__":
|
|||
|
||||
# reload nginx
|
||||
logger.info("Reloading nginx ...")
|
||||
if integration == "Linux":
|
||||
if integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
|
||||
# Reloading the nginx server.
|
||||
proc = subprocess_run(
|
||||
# Reload nginx
|
||||
|
@ -484,10 +478,6 @@ if __name__ == "__main__":
|
|||
)
|
||||
else:
|
||||
need_reload = True
|
||||
# if api_caller._send_to_apis("POST", "/reload"):
|
||||
# logger.info("Successfully reloaded nginx")
|
||||
# else:
|
||||
# logger.error("Error while reloading nginx")
|
||||
|
||||
# check if the plugins have changed since last time
|
||||
tmp_external_plugins = db.get_plugins(external=True)
|
||||
|
|
|
@ -49,9 +49,6 @@ RUN apk add --no-cache bash && \
|
|||
chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
|
||||
chmod 660 /usr/share/bunkerweb/INTEGRATION
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r2" "libssl3>=3.0.8-r2"
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
EXPOSE 7000
|
||||
|
|
|
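Review bot: This image loses the same `libcrypto3>=3.0.8-r2` / `libssl3>=3.0.8-r2` floor, and nothing in the visible lines replaces it. The commit message should record why the pin is no longer needed (for example a base image bump), so the removal can be checked against the CVEs the deleted comment referred to.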
@ -3,6 +3,7 @@
|
|||
<a
|
||||
href="https://github.com/bunkerity/bunkerweb"
|
||||
class="dark:brightness-110 max-h-none sm:max-h-28 hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border"
|
||||
target="_blank"
|
||||
>
|
||||
<!-- text -->
|
||||
<div>
|
||||
|
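Review bot: The anchor to `https://github.com/bunkerity/bunkerweb` carries `target="_blank"` with no `rel` attribute in the visible lines. Add `rel="noopener noreferrer"` so the opened page gets no `window.opener` handle and no referrer, independent of browser defaults.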
@ -139,7 +140,7 @@
|
|||
|
||||
<!-- stats card-->
|
||||
<a
|
||||
href="{% if current_endpoint == 'services' %}javascript:void(0){% else %}loading?next={{ url_for('services') }}{% endif %}"
|
||||
href="{% if current_endpoint == 'services' %}javascript:void(0){% else %}loading?next={{ url_for('plugins') }}{% endif %}"
|
||||
class="dark:brightness-110 max-h-none sm:max-h-28 h-full hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border"
|
||||
>
|
||||
<!-- text -->
|
||||
|
|
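Review bot: The link target changes to `url_for('plugins')` but the condition in the same `href` still tests `current_endpoint == 'services'`, so the card is disabled (`javascript:void(0)`) on the services page and remains a live `loading?next=...` link on the plugins page itself. The check should presumably be `current_endpoint == 'plugins'` to match the new target.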