fix git issue on windows
parent
76a2ff6563
commit
881d3a00d5
|
@ -1,3 +1,4 @@
local utils = require "bunkerweb.utils"
local cjson = require "cjson"
local helpers = {}
@ -9,7 +9,6 @@ local cjson = require "cjson"
local logger = clogger:new("UTILS")
local datastore = cdatastore:new()
local cachestore = ccachestore:new()
local utils = {}
@ -267,7 +267,14 @@ fi
# lua-resty-openssl v0.8.21
echo "ℹ️ Downloading lua-resty-openssl"
dopatch="no"
if [ ! -d "deps/src/lua-resty-openssl" ] ; then
dopatch="yes"
fi
git_secure_clone "https://github.com/fffonion/lua-resty-openssl.git" "15bc59b97feb5acf25fbdd9426cf73870cf7c838"
if [ "$dopatch" == "yes" ] ; then
do_and_check_cmd rm -r deps/src/lua-resty-openssl/t
fi
# ModSecurity v3.0.9
echo "ℹ️ Downloading ModSecurity"
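Review bot: The `rm -r deps/src/lua-resty-openssl/t` step has no comment explaining why the upstream test tree is stripped, and it is gated on the checkout directory having been absent before `git_secure_clone` rather than on `t` actually being present afterwards. The files deleted further down this page (test scripts, PEM private keys, certificates) look like that directory's contents, so a line such as `# drop upstream test fixtures (sample keys/certs), not needed at runtime` would let a reader see that the vendored tree intentionally differs from the pinned commit 15bc59b97feb5acf25fbdd9426cf73870cf7c838. I would write the guard as `if [ "$dopatch" = "yes" ] && [ -d deps/src/lua-resty-openssl/t ] ; then`, which avoids a failing `rm` when the directory is missing and drops the `==` that plain POSIX `[` does not define; the script's interpreter and the bodies of `git_secure_clone` and `do_and_check_cmd` are outside this hunk, so both points should be checked against them.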
@ -1,132 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: FIPS mode can be turned on and off
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
if openssl.get_fips_mode() then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
else
|
||||
ngx.say("BORINGSSL should have fips turned on but actually not")
|
||||
end
|
||||
ngx.exit(200)
|
||||
end
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(false))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
false
|
||||
true
|
||||
false
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: CIPHER, MD and PKEY provider is directed to fips
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips or not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("fips\nfips\nfips")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
ngx.say(myassert(require("resty.openssl.cipher").new("aes256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.digest").new("sha256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.pkey").new({ type = "EC" })):get_provider_name())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
fips
|
||||
fips
|
||||
fips
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Non-FIPS compliant algorithms are not allowed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- BORINGSSL doesn't seem to remove non-fips compliant algorithms?
|
||||
if not _G.fips or require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("true\ntrue")
|
||||
ngx.say("invalid cipher type \"chacha20\": unsupported")
|
||||
ngx.say("invalid digest type \"md5\": unsupported")
|
||||
ngx.exit(200)
|
||||
end
|
||||
|
||||
local ok, err
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(not not ok)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(not not ok)
|
||||
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(err)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
true
|
||||
.*invalid cipher type.+(?:unsupported|disabled for fips).*
|
||||
.*invalid digest type "md5".+(?:unsupported|disabled for fips).*
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,29 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFBjCCBK2gAwIBAgIQDovzdw2S0Zbwu2H5PEFmvjAKBggqhkjOPQQDAjBnMQsw
|
||||
CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPzA9BgNVBAMTNkRp
|
||||
Z2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIFRMUyBIeWJyaWQgRUNDIFNIQTI1NiAyMDIw
|
||||
IENBMTAeFw0yMTAzMjUwMDAwMDBaFw0yMjAzMzAyMzU5NTlaMGYxCzAJBgNVBAYT
|
||||
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wWTAT
|
||||
BgcqhkjOPQIBBggqhkjOPQMBBwNCAASt9vd1sdNJVApdEHG93CUGSyIcoiNOn6H+
|
||||
udCMvTm8DCPHz5GmkFrYRasDE77BI3q5xMidR/aW4Ll2a1A2ZvcNo4IDOjCCAzYw
|
||||
HwYDVR0jBBgwFoAUUGGmoNI1xBEqII0fD6xC8M0pz0swHQYDVR0OBBYEFCexfp+7
|
||||
JplQ2PPDU1v+MRawux5yMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRo
|
||||
dWIuY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
|
||||
BQUHAwIwgbEGA1UdHwSBqTCBpjBRoE+gTYZLaHR0cDovL2NybDMuZGlnaWNlcnQu
|
||||
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZVRMU0h5YnJpZEVDQ1NIQTI1NjIwMjBD
|
||||
QTEuY3JsMFGgT6BNhktodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRI
|
||||
aWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hBMjU2MjAyMENBMS5jcmwwPgYDVR0g
|
||||
BDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2Vy
|
||||
dC5jb20vQ1BTMIGSBggrBgEFBQcBAQSBhTCBgjAkBggrBgEFBQcwAYYYaHR0cDov
|
||||
L29jc3AuZGlnaWNlcnQuY29tMFoGCCsGAQUFBzAChk5odHRwOi8vY2FjZXJ0cy5k
|
||||
aWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hB
|
||||
MjU2MjAyMENBMS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYE
|
||||
gfMA8QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABeGq/vRoA
|
||||
AAQDAEcwRQIhAJ7miER//DRFnDJNn6uUhgau3WMt4vVfY5dGigulOdjXAiBIVCfR
|
||||
xjK1v4F31+sVaKzyyO7JAa0fzDQM7skQckSYWQB3ACJFRQdZVSRWlj+hL/H3bYbg
|
||||
IyZjrcBLf13Gg1xu4g8CAAABeGq/vTkAAAQDAEgwRgIhAJgAEkoJQRivBlwo7x67
|
||||
3oVsf1ip096WshZqmRCuL/JpAiEA3cX4rb3waLDLq4C48NSoUmcw56PwO/m2uwnQ
|
||||
prb+yh0wCgYIKoZIzj0EAwIDRwAwRAIgK+Kv7G+/KkWkNZg3PcQFp866Z7G6soxo
|
||||
a4etSZ+SRlYCIBSiXS20Wc+yjD111nPzvQUCfsP4+DKZ3K+2GKsERD6d
|
||||
-----END CERTIFICATE-----
|
|
@ -1,21 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
|
||||
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
||||
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
|
||||
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
|
||||
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
|
||||
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
|
||||
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
|
||||
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
|
||||
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
|
||||
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
|
||||
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
|
||||
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
|
||||
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
|
||||
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
|
||||
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
|
||||
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
|
||||
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,26 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEWjCCA0KgAwIBAgIOR8MQAMBL+oomVLdB7CswDQYJKoZIhvcNAQEFBQAwVzEL
|
||||
MAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsT
|
||||
B1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNjAzMTYw
|
||||
MDAwMDBaFw0yNDAzMTYwMDAwMDBaMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBH
|
||||
bG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2ln
|
||||
biAzIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm4HxK
|
||||
0o9gvqhlIWVajpj75hIkZariW6PUj+njWoA5YRqmopnzUc99nUzj9Lj7Go8eqe9F
|
||||
9tT76IeS2MdOAn1bata0FTGQXUZYO72E4YL18SE5ERRLlOjt1TenE4JbRFodris3
|
||||
+NUh9qNOFhyii7zf/nNQMTWDQ3hH5z4qcAemahgS26Ep8VihD70pPleC9Jcy/RVM
|
||||
k+RjqBEzur3dWHPD21wRk3gS29Gs2499Tj59DlLH+RoXSsRjHcJk+fDHzC2zyY4M
|
||||
jNJHgw/RWfhmJqxPDrNvF3jiDchMDrkY/o7oywpJCfVaTZ3ScEd4GnhIsBJi26ci
|
||||
OYfjXmq+vPGumJBTAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
|
||||
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU4ir34VYTni+RxwhiCZ7AIV++blMwHwYD
|
||||
VR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0G
|
||||
CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYD
|
||||
VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNy
|
||||
bDBHBgNVHSAEQDA+MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu
|
||||
Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQEFBQADggEBAAMt
|
||||
Z5FskwVr28wgh70YcB0TepVojuiDQwDHilW0dfFnM+tkzwyHKcU7Q36EojXCrMz1
|
||||
SXw2TD8n+BC3dkJdmYf7zPKen5HguBaraPUzcxgZuJCfZmA1fW1+hrJ9sVLp9nBX
|
||||
J3H2g4XDIl1yj/MozwfWfKE04fJZyk7yuAknoFgwK+EGOXnXnjMWldAoPLS0AyFE
|
||||
aM1HU57OUMWPRwJ5Ts/CKf50Nz9ntgGTGVHvyfDvexHEEMGF1Vc9KAs+Z0jPXFom
|
||||
H6wJlHvDM0nVtIbvdkGxVzxEQASkXUdh7qPxR4WpGJn5vMpIi74NglkCp5pPuDJ6
|
||||
i7GsIy4xEeMwq4nuOh8=
|
||||
-----END CERTIFICATE-----
|
Binary file not shown.
Binary file not shown.
|
@ -1,18 +0,0 @@
|
|||
# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0).
|
||||
#
|
||||
# The modulewrapper is not a part of the FIPS module, so it can be patched without
|
||||
# concern about breaking the FIPS validation.
|
||||
--- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
@@ -12,9 +12,11 @@
|
||||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
||||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
||||
|
||||
+#include <string>
|
||||
#include <vector>
|
||||
|
||||
#include <assert.h>
|
||||
+#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,74AB7E7042FC695A7F267BB416AC24E1
|
||||
|
||||
zNvboWr/ayt4McuSl9h3oirnS7DK5JU5OSGvh3Seyt9E1oVd3SUg4Mcp4BpZP8gv
|
||||
Ei4K6+p3CTDrQfE0mrjIph3C1LKTzQeLdGIvgTjjKVpu91aogU3K3rgcuqKN/zla
|
||||
+sQOAedKEtLiop4J6rIGmKvo9JZonbMsEZnZnXGbz3k=
|
||||
-----END EC PRIVATE KEY-----
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN X509 CRL-----
|
||||
MIICyTCBsgIBATANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzEpMCcGA1UE
|
||||
ChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElT
|
||||
UkcgUm9vdCBYMRcNMjIwNTE4MDAwMDAwWhcNMjMwNDE3MjM1OTU5WqAvMC0wHwYD
|
||||
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wCgYDVR0UBAMCAWYwDQYJKoZI
|
||||
hvcNAQELBQADggIBAC2us3ieEcU7NTFjPyXEi/5aOID7IlPBK7ugS7IJrasTyEdH
|
||||
fAMcuoEGHaLoyLqpIKc7U/KIfqysn6l4Mu32aWFB/Ck5qiVufHXFjXIuNo4/drlm
|
||||
kPUjhgX0YcMkrWdbLFbF/mi5R7fCTbCP1ihqiw2AKB2jFShTAcybJpVRY7velN/D
|
||||
EI8ITJsHnGNOx5XZV7HgO1SbXrba7YGMD0YA+NiXc8VaoDlZdoKh8q/gk8y5vnvL
|
||||
UmtsHpdF1zFwDxYdpFLCrV9z8OcPWjguX6bYMWtnN5JPHrlUQrupCIN55ur8ttoq
|
||||
+9mQ/3Y2OFl1qF6UtHxSDHAI5vA8dBlZxQWSWXKGFPGPssNdB7CUJlZeLWPICWU9
|
||||
yANMxG+5ANeXW65GfPexj2DujwDlC46Wdnlvbft+2Bc0SYR72By/1QB3tmgBB//j
|
||||
QuJtAIzvRluvdnoIGRHPGVse0Qk4FC2BK04q8HBRw3UbxV1MDYIFCN9hlC625Q1s
|
||||
VjrqzGMPAwXYXNa/9hFQkdjKycrdsGvIXZa08sqqx4hY4CpjEeUQoka0XkTUmp7Q
|
||||
GDSXFxe4qxQObnU+LAMQ0cEcVb0TNnTC0PCeoSV82n3jRL9QYMe6lvU4pgFMddXz
|
||||
jna557uivEENf58Oh0SH5jux5gSlre177jQvvsfn8FeFXsLijw0tCbfupna/
|
||||
-----END X509 CRL-----
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
config_diagnostics = 1
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
|
||||
[provider_sect]
|
||||
fips = fips_sect
|
||||
default = default_sect
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
# need fipsinstall to populate below section
|
||||
# [fips_sect]
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFU
|
||||
LobnVTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UI
|
||||
THXKLNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLk
|
||||
lYLFchkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTk
|
||||
GgYHWFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkI
|
||||
UQfN9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQABAoIBABQ0rcAvKlvmoyJq
|
||||
bTWAtUm78zTB/xyWrD/MSZ22hPPDgx/aoYIKX8cgRSbThVbfPGdWkdpDp9z0RVWo
|
||||
OSB7QSpxeXd6Q5GNhErt1Q84byQpa2jEIVAGPAfMRP6DSjSxNHBoSKcvxZeIwuZb
|
||||
vlVOxdGtprfawvWMJ8w6C0bb9JZLeHjdLK/O49Nxj4YrUBk+ZvkKa8EQnq/apLMz
|
||||
9RMZiFQ1pvR9Ojfw4O4u0pqW80Iu8alDBxMkvzEUEhuzafrMKToX5GG65Y9/nhDl
|
||||
iIsENEvNY1Nk2WXPMe/VR5LVGBLtXlJ+KIj09KjuJyy5PEkwXxHobyRHEMtQ8SBs
|
||||
C1SE/sECgYEA+Sf1IyhyPfWg3CuGdwiYuwn9CVnZxqQWLwwk+EdIXpNDbHhfeN1Z
|
||||
ZC1/bttz45O4At5KtKAHLeRETuphtgwJ6ZHdNy5K6h4GV0s4ZtBHS8pu95+BAApN
|
||||
pGRPzZ4u4GDTkTCbHRd+A2UY1EnpGe6Owq/+Cbu67jnPJOP0pegmGzkCgYEAzAya
|
||||
v9pEwcDBIrKE3ida46mBAnxBT81pr8Pa5t5pON3DtjsHv3lfa01u9ga8F0GKgMif
|
||||
tet9dFWtFHdrC8HbrpcHwta1dVlDNzr1TSjbyl5TW9/suSbHTQ/iUmXFazbhHVu6
|
||||
p4jgV6DPgqxjI56YLcIqZIf2xDeVgGwbwv7d3d8CgYEAtcIpeTFrTbnfVF5IJJPX
|
||||
3zJlLiomzVssd7vTSG+v4pZpbDrP4vsO2B68xOFAxHchmK4TL3tCYX8ROcSP7V8Q
|
||||
6BwplbSmn+2xUIMmLRKpwCd4Fhp838ukYlVvRh+sMLFSBavArFNT8SQSHeOhMfKu
|
||||
oGYE25LgxiLT8yR8d39INTkCgYEAilnxgyvnesfLLE+Gr2pXwg1oH9tIHWfVxQsz
|
||||
HV6oUZpr3N9hfX46KHM0TTR7y/jwhCmDwMGPKpX86OefeTVUUqis5nrWRl7jqEsd
|
||||
j9eoTyptstm9lDyq3aFrfxrqJKvtLw7HHFk+Y6vxh1SDU99wp3YDcG6P7rMRdyXW
|
||||
HPzaSlkCgYBums2fZgP96/wyburnMhP/86ndLyVB2YbLwXMz+oGlm+XssAawulrM
|
||||
6mxpV63T+/UmEiszCEf3ZOUr1+zkSTe/CMZk5Vev1pYEzfpQ2AnpOsvPw+WGQbWL
|
||||
95dYCSGZKjXQ/UV+zDisZiDzjLRkZ7WfPJsPZ8z1P3nZ2t+8IRNO/Q==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFULobn
|
||||
VTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UITHXK
|
||||
LNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLklYLF
|
||||
chkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTkGgYH
|
||||
WFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkIUQfN
|
||||
9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBzCCAe+gAwIBAgIUJ+FXF8zL+pdK8Nl68Eq0aQlZKNMwDQYJKoZIhvcNAQEL
|
||||
BQAwEzERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjAxMjE1MTAwNjIyWhcNMzAxMjEz
|
||||
MTAwNjIyWjATMREwDwYDVQQDDAh0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAMEQQC0nyiHOekSs6sTwLBrdiWYvDWC5OQylQZY2pWsBYtWH
|
||||
3rkkt98rRNC3cxLSPwH+AAJrJCnRl4ZIxUrtNF8zPW/NexAaarKMLq8LHnVD+cf5
|
||||
uLzK9xZNt5s8aTQOF8TuHH2Zq/jdfJ9MnAJf1noZ4Oz5IZqOtgJ+1oCDZJc4ZlL1
|
||||
KO5tfDsWZOsRdow6F7wlK1xtCfcakcncL7Yh4xbZYQXnNSliGZF0/+SIqYIGhv2f
|
||||
EBng0yOW6FrXtrxhj/7TplAd2v5ziCsdcqqA+YFu4e6PzFybNErUgNZ8ZsokmP56
|
||||
uU13oKYLIsEf11EmKEX1bwvEvvu+T/V/IB38YV8CAwEAAaNTMFEwHQYDVR0OBBYE
|
||||
FM8D9Qnrg9JPEN5lkpDpkz44TOh8MB8GA1UdIwQYMBaAFM8D9Qnrg9JPEN5lkpDp
|
||||
kz44TOh8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ODar1
|
||||
fVkJ50rLToICvp2zZkLSsZlL13Gy4+FUUl0sctSRbXF6yPZGa3u6/HeF5AWnrFNX
|
||||
eZUVuJgyYa2gmz0K+HGbSrbNFb4Cpnhe7Y722SpSDEj3ybOI3EBeRT3WcwpSsGKa
|
||||
Kfx8NY08J440cn3oNAbZ9XrZOHhyvjkCEr9+ieg1MvMtNg5NbTpHj6Riuvuvvs3s
|
||||
CaOJ1dN5a59hHHvt76lb6Ah3cwJ98CRAObp1bElgL//Tl9faAHAFIpGopvq41Jnn
|
||||
rBd/GtvM6J/LHznZ9eOvMq+uBMyAhzpmi6Ih4SGnwN/i8StRbNvpIUIq2rO6IvCZ
|
||||
61xzxPhcY6bB2KI=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIDFTCCAf0CAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
||||
FDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYDVQQKEwtTU0wgU3VwcG9ydDEUMBIG
|
||||
A1UECxMLU1NMIFN1cHBvcnQxFDASBgNVBAMTC2V4YW1wbGUuY29tMIIBIjANBgkq
|
||||
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GDCNL5NhDX2JVU
|
||||
QKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUzKoTt5yLdVIM/
|
||||
HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgDcdbcQ5wsPVOi
|
||||
FHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyfgGS4+XQSsUdw
|
||||
NWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1f3rlwf8H5HIV
|
||||
H3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJEcwIDAQABoFYw
|
||||
VAYJKoZIhvcNAQkOMUcwRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0B
|
||||
AQUFAAOCAQEAgBSVMeTB9pfgZCllMPBFffeduMePyDA1SzLYjSFkh660sFFiwGAV
|
||||
MTnnYFHH3k6ueRVal3gzxZJ6ehr+ms1/CRO8rlY+B6geMCbGCbCvcAET0n505aYH
|
||||
v8vlvqrdSx8Ur/9sisbynCkdk2qgc3rbnDbsAAonZIXf+blacaYTZdGUxso6qtY6
|
||||
6mhI+ulqmkDk3Quc02ityvuGEbN8UuUGxc+kg0aIqMWWNKUGpTq/aRWpC7kuCUFZ
|
||||
fmvPwnMhzgKBPzOXwyauVxAV0Mm/1uwPu9GNVQDgewy4Rjbm5bNwIjce3W1tVMWT
|
||||
FR+x0BtV+D2A62fJWB2Yv9oERJbZQnvLqw==
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBEEAtJ8ohznpE
|
||||
rOrE8Cwa3YlmLw1guTkMpUGWNqVrAWLVh965JLffK0TQt3MS0j8B/gACayQp0ZeG
|
||||
SMVK7TRfMz1vzXsQGmqyjC6vCx51Q/nH+bi8yvcWTbebPGk0DhfE7hx9mav43Xyf
|
||||
TJwCX9Z6GeDs+SGajrYCftaAg2SXOGZS9SjubXw7FmTrEXaMOhe8JStcbQn3GpHJ
|
||||
3C+2IeMW2WEF5zUpYhmRdP/kiKmCBob9nxAZ4NMjluha17a8YY/+06ZQHdr+c4gr
|
||||
HXKqgPmBbuHuj8xcmzRK1IDWfGbKJJj+erlNd6CmCyLBH9dRJihF9W8LxL77vk/1
|
||||
fyAd/GFfAgMBAAECggEAG+N4Ec3MoiOMf/0mkLpM9LiJz4v+d7lp50y787IDJTj3
|
||||
CPdukfoe4YsDjs7hPZfHaEdDwxWtDKltJQXAEjm/tfzV5B+fpkzamt4rJDgL906R
|
||||
d3S4XfVHyh4B5tfMLqvWfSkUToRzVijQhsZvRtyHQ+4XEsROOWBiJGwkGj5guoM3
|
||||
4ItEJOXece+4pV0M1KPb3aTqGLw/Iow1IV9k+HCKrxwsBK0xpoEYfvK6N6PsmcRK
|
||||
iPS53D6bCS74HidgXvhPN8hdVvJ+s8rvXDdVF3Ajw/LhrdeYrRjZUtRpB43Z8uLn
|
||||
raMMOid4Q9EEsZNcWG2UO6BHyDibkOzQmPIv0/JIgQKBgQDo1Cmd3ialMZkn9bSX
|
||||
DUNxMZlTk49Abns2rKojRxApU3h3aVuViXPIs3yz0cUPzURGHOOHQwU5cFjMVsxx
|
||||
GffZjNq+ViR1Il0UhxBlYlcRZOou4RSi6VnN8HRjNeBNrzGxo/C+9/U00/APT/z5
|
||||
OBloEoWy22SqTJtQCKspQ60knwKBgQDURvpcMlJE6UBhIy3Q3/7+HUc/AsCj5dMY
|
||||
OafioeuKO+fRcNBaith3bUF3aRplf2jD/pQ/nLvD4+q0tvaEY06jpiVwm5PXGdUy
|
||||
acIcs56ch1BiczP5pkSpEpaG0ap4btW86UU3K+at0iAJqfm9aR8DSOugl+D+EC16
|
||||
RDRKn4TLQQKBgQDA4vPPW7m8ZYiyuDXyZgSXhDW4LakiAeWF+CnDrB3RfttwYhKD
|
||||
oioP/dKzzndpje6f/1LoPjfXzCFkuAwLLy5MRwr5YLg3ak6esP5+X6guOuJgEAxe
|
||||
ot/JYwmpH3tCIIAU4PKT4yx7pZFdvjCf7z/tHlsxP9z30RtihKv4NZ79lQKBgBOL
|
||||
XW2zrGNv3l+TL5q1pPKcm3yvsjDk7iSi2lRBeEBH97YO3wAXHIsSYh6ubKG/s1Oo
|
||||
UtnwglEs4OU2m0fhJNJob7YIfPonBLwZhKfD2eyrgLkvxi9MIbI3ZeiP0VQ5UDCO
|
||||
gbLstdZ3LD/3iGjqDtLsmdU1Zp+9uZIySWY9faqBAoGAa3DJYcGpBQWDlNbojcgv
|
||||
VUNukUrxDQOLR6AbPcYF8EdrSgtkuDQJfb94HpR55u6o+l9SiD2t9uEl/rLqrp1+
|
||||
jOTte0IERqrerKp43G/AHZduw0ks4PPxglZUAQ1/HSTUTUvACoHFB9egElj3zNIX
|
||||
fFBB0c+kqU2aLFq342F0ONU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -1,194 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;$pwd/../lua-resty-hmac/lib/?.lua;$pwd/../lua-resty-string/lib/?.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Load ffi openssl library
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.load_modules()
|
||||
ngx.say(string.format("%x", openssl.version.version_num))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d{6}[0-9a-f][0f]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Luaossl compat pattern
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.luaossl_compat()
|
||||
local pkey = require("resty.openssl.pkey")
|
||||
local pok, perr = pcall(pkey.new, "not a key")
|
||||
ngx.say(pok)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
false
|
||||
.+pkey.new.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: List cipher algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"AES\"]")
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+AES.+\]
|
||||
\[.+AES-256-GCM @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: List digest algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"SHA\"]")
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+SHA.+\]
|
||||
\[.+SHA2-256 @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: List mac algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HMAC @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_mac_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HMAC @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: List kdf algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HKDF @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_kdf_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HKDF @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: List SSL cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version = require("resty.openssl.version")
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(openssl.list_ssl_ciphers())
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.2"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.3"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+:.+
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: asn1_to_unix utctime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579091696"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: asn1_to_unix utctime, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456+0102"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579095416"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: asn1_to_unix generalized time
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890438896"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: asn1_to_unix generalized time, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456-0123"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890433916"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: asn1_to_unix error on bad format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
for _, s in pairs({
|
||||
"201315123456Z",
|
||||
"200132123456Z",
|
||||
"200115243456Z",
|
||||
"200115123461Z",
|
||||
}) do
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
local _, err = asn1.asn1_to_unix(a)
|
||||
if err == nil then
|
||||
ngx.say(s, " should fail but didn't")
|
||||
end
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,232 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads JWK RSA key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
|
||||
p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
|
||||
q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
|
||||
dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
|
||||
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
|
||||
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new('asdasd', {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local s, err = pubkey:encrypt("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local s, err = privkey:decrypt(s)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: error decoding JSON from JWK: Expected value but found invalid token at character 1
|
||||
pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" parameter is required
|
||||
23333
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Loads JWK EC key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("sha256")
|
||||
d:update("23333")
|
||||
local s, err = privkey:sign(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local ok, err = pubkey:verify(s, d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(ok)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct EC key from JWK: at least "x" and "y" parameter is required
|
||||
true
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads JWK Ed25519 key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
|
||||
ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: New BIGNUM instance correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- error_log
|
||||
bn:to_binary failed
|
||||
|
||||
=== TEST 2: New BIGNUM instance from number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct bignum_st BIGNUM; void BN_free(BIGNUM *a);')
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local bn2, err = require("resty.openssl.bn").dup(bn.ctx)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
bn = nil
|
||||
collectgarbage("collect")
|
||||
local b, err = bn2:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: from_binary, to_binary
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local d = ngx.decode_base64('WyU=')
|
||||
local bn, err = require("resty.openssl.bn").from_binary(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
|
||||
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
|
||||
ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0)
|
||||
end
|
||||
|
||||
local b, err = bn:to_binary(10)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU=AAAAAAAAAABbJQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: from_hex, to_hex
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_hex("5B25")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_hex()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"5[Bb]25"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: from_dec, to_dec
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_dec("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: to_number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local b, err = bn.new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
b, err = bn.from_dec('184467440737095516161844674407370955161618446744073709551616')
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333number
|
||||
1.844674407371e+19number
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: unary minus
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = (-bn):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
local b, err = (-(-bn)):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-23333
|
||||
23333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: metamethods checks arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local a, err = require("resty.openssl.bn").new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = require("resty.openssl.bn").new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local pok, perr = pcall(function() return a + "233" end)
|
||||
ngx.say(perr)
|
||||
local pok, perr = pcall(function() return "233" - a end)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+cannot add a string to bignum
|
||||
.+cannot substract a string to bignum
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: add, sub, mul, div mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a+b))
|
||||
ngx.say(tostring(a-b))
|
||||
ngx.say(tostring(a*b))
|
||||
ngx.say(tostring(a/b))
|
||||
ngx.say(tostring(a%b))
|
||||
ngx.say(tostring(a*2478652))
|
||||
ngx.say(tostring(23578164761333*b))
|
||||
ngx.say(tostring(bn.mul(23578164761333, b)))
|
||||
ngx.say(tostring(a:mul(b)))
|
||||
ngx.say(tostring(23578164761333*2478652))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23578167239985
|
||||
23578162282681
|
||||
58442065242007563116
|
||||
9512495
|
||||
4593
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
5.8442065242008e\+19
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: sqr, exp
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:sqr()))
|
||||
ngx.say(tostring(a:exp(2)))
|
||||
ngx.say(tostring(a:pow(2)))
|
||||
ngx.say(tostring(b:exp(b)))
|
||||
ngx.say(tostring(bn.sqr(a)))
|
||||
ngx.say(tostring(bn.sqr(23578164761333)))
|
||||
ngx.say(tostring(bn.exp(a, 2)))
|
||||
ngx.say(tostring(bn.exp(23578164761333, 2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
5210245939718361468048211048414496022534389576033913164940029913016568215580398296261072019231723279851007241838011659882766685337218633992220688288491655299087016195985205218347711578485744737
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: gcd
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:gcd(b)))
|
||||
ngx.say(tostring(bn.gcd(a, b)))
|
||||
ngx.say(tostring(bn.gcd(a, 97)))
|
||||
ngx.say(tostring(bn.gcd(23578164761333, b)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
1
|
||||
1
|
||||
1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: lshift, rshift
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:lshift(2)))
|
||||
ngx.say(tostring(a:rshift(2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"94312659045332
|
||||
5894541190333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: comparasion
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a == b))
|
||||
ngx.say(tostring(a ~= b))
|
||||
ngx.say(tostring(a >= b))
|
||||
ngx.say(tostring(a > b))
|
||||
ngx.say(tostring(a < b))
|
||||
ngx.say(tostring(a <= b))
|
||||
ngx.say("")
|
||||
ngx.say(tostring(a == a))
|
||||
ngx.say(tostring(a ~= a))
|
||||
ngx.say(tostring(a >= a))
|
||||
ngx.say(tostring(a > a))
|
||||
ngx.say(tostring(a < a))
|
||||
ngx.say(tostring(a <= a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
true
|
||||
true
|
||||
true
|
||||
false
|
||||
false
|
||||
|
||||
true
|
||||
false
|
||||
true
|
||||
false
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: is_one, is_zero, is_odd, is_word
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(0):is_zero()))
|
||||
ngx.say(tostring(bn.new(1):is_zero()))
|
||||
ngx.say(tostring(bn.new(0):is_one()))
|
||||
ngx.say(tostring(bn.new(1):is_one()))
|
||||
ngx.say(tostring(bn.new(0):is_odd()))
|
||||
ngx.say(tostring(bn.new(1):is_odd()))
|
||||
ngx.say(tostring(bn.new(0):is_word(0)))
|
||||
ngx.say(tostring(bn.new(1):is_word(0)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
false
|
||||
true
|
||||
false
|
||||
true
|
||||
true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: is_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(2):is_prime()))
|
||||
ngx.say(tostring(bn.new(15):is_prime()))
|
||||
ngx.say(tostring(bn
|
||||
.from_hex('00d3277434ff7e3d410b3453a5cddc13e834fbdc19f38c580bc05b68dfa179afa4b6e6d34fe2bde9d90390046a86306bd022d4ed8187ccaa21808e189e7b803fd918b7782078f3be6bc8683d71d7d46cb134bc2a74dbe410d2bb068e45af95deef546f6970b83f9386e504b6fbefee6ae804fbf544e6b7cf82aacfff9472c6af07')
|
||||
:is_prime()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: mod_add, mod_sub, mod_mul, mul_exp, mul_sqr mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local m, err = bn.new(65537)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:mod_add(b, m)))
|
||||
ngx.say(tostring(a:mod_sub(b, m)))
|
||||
ngx.say(tostring(a:mod_mul(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, m)))
|
||||
ngx.say(tostring(a:mod_sqr(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, 65537)))
|
||||
ngx.say(tostring(bn.mod_exp(a, 2478652, m)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"49755
|
||||
7726
|
||||
27398
|
||||
28353
|
||||
1266433
|
||||
28353
|
||||
28353
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: generate_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.generate_prime(10, false)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
local a, err = bn.generate_prime(10, true)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,517 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates cipher correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(myassert(cipher:final('1'))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects unknown cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher, err = require("resty.openssl.cipher").new("aes257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cipher.new: invalid cipher type \"aes257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Unintialized ctx throw errors
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:update("1")
|
||||
ngx.say(err)
|
||||
local _, err = cipher:final("1")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"cipher:update: cipher not initalized, call cipher:init first
|
||||
cipher:update: cipher not initalized, call cipher:init first
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Encrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1'))
|
||||
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Encrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1', true)
|
||||
ngx.say(s)
|
||||
-- 1.x: data not multiple of block length
|
||||
-- 3.0: wrong final block length
|
||||
ngx.say(err)
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
'1' .. string.rep(string.char(15), 15), true))
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil
|
||||
.+(?:data not multiple of block length|wrong final block length|DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH)
|
||||
VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Decrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg==")))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Decrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg=="), true))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Encrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local sample = 'abcdefghi'
|
||||
local count = 5
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(sample))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(sample))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nothing
|
||||
SEk81GpcHC9KoZfN14RrNg==
|
||||
nothing
|
||||
L2dVbLMhEigy917CJBXz7g==
|
||||
nothing
|
||||
final
|
||||
dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Decrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = false,
|
||||
}))
|
||||
|
||||
local input = ngx.decode_base64('SEk81GpcHC9KoZfN14RrNg==') ..
|
||||
ngx.decode_base64('L2dVbLMhEigy917CJBXz7g==') ..
|
||||
ngx.decode_base64('dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=')
|
||||
local count = 5 + 1
|
||||
local len = (#input - #input % count) / count
|
||||
for i=0,#input-len,len do
|
||||
local s = myassert(cipher:update(string.sub(input, i+1, i+len)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(s)
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
-- this should throw error since we end in the middle
|
||||
local s, err = cipher:final()
|
||||
ngx.say(err)
|
||||
ngx.say(s)
|
||||
-- feed the last chunk of input
|
||||
local s = myassert(cipher:final(string.sub(input, #input -#input % count + 1, #input)))
|
||||
ngx.say("final")
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nothing
|
||||
abcdefghiabcdefg
|
||||
nothing
|
||||
hiabcdefghiabcde
|
||||
fghiabcdefghiabc
|
||||
nothing
|
||||
.+(wrong final block length|WRONG_FINAL_BLOCK_LENGTH)
|
||||
nil
|
||||
final
|
||||
defghi
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Derive key and iv
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-ecb"))
|
||||
|
||||
-- openssl enc -aes-256-ecb -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex() == "" and "no iv")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
FE91AF7782EDB48F32775BB2B72DD5ED
|
||||
1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
no iv
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Derive key and iv: salt, count and md is optional
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -nosalt -P -md sha1
|
||||
local key, iv = cipher:derive("xxx")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140
|
||||
20578C4FEF1AEE907B1DC95C776F8160
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: AEAD modes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_aead_tag())
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, nil, tag)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, aad, nil)
|
||||
ngx.say(r)
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
nil
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-ivlen-\n-padding-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(require("cjson").encode(myassert(c:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(c:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+ivlen.+
|
||||
.+padding.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("secret\nsecret\nnil")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_param("tag", 16))
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = tag}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = "wrong tag"}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
secret
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 16: Update with segements larger than 1024
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local count = 3
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(string.rep(tostring(i), 1024)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(string.rep("a", 1024)))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
local s = myassert(cipher:final(string.rep("1", 1024) ..
|
||||
string.rep("2", 1024) ..
|
||||
string.rep("3", 1024) ..
|
||||
string.rep("a", 1024)))
|
||||
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16))) -- should be same as above
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"XZElJKMyKzuvbYNf4Y0hAw==
|
||||
59Cw1+C6hHpfqsOn7PZ2Gw==
|
||||
t6oGLYvnjihoi+7tPfyK/A==
|
||||
final
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,96 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Can create a ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Can create a ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: Can free ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
myassert(ctx.free(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Can free ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
myassert(ctx.free())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate digest correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢", "🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest, err = require("resty.openssl.digest").new("sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"digest.new: invalid digest type \"sha257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
|
||||
myassert(digest:reset())
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("sha256"))
|
||||
ngx.say(myassert(d:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("{}\n-ssl3-ms-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("md5-sha1"))
|
||||
ngx.say(require("cjson").encode(myassert(d:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(d:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{}
|
||||
.+ssl3-ms.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- no good example to test
|
||||
ngx.say("skipped")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"skipped
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,39 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Don't cry if there's no error
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
ngx.print(format_error("fake function"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"fake function failed"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,169 +0,0 @@
|
|||
local pkey = require "resty.openssl.pkey"
|
||||
local x509 = require "resty.openssl.x509"
|
||||
local name = require "resty.openssl.x509.name"
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
local bn = require "resty.openssl.bn"
|
||||
local digest = require "resty.openssl.digest"
|
||||
local BORINGSSL = require "resty.openssl.version".BORINGSSL
|
||||
local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X
|
||||
|
||||
local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name)
|
||||
local key = pkey.new(key_opts or {
|
||||
type = 'RSA',
|
||||
bits = 1024,
|
||||
})
|
||||
|
||||
local cert = x509.new()
|
||||
cert:set_pubkey(key)
|
||||
cert:set_version(3)
|
||||
|
||||
local now = os.time()
|
||||
cert:set_not_before(now)
|
||||
cert:set_not_after(now + 86400)
|
||||
|
||||
local nm = name.new()
|
||||
for k, v in pairs(names or {}) do
|
||||
assert(nm:add(k, v))
|
||||
end
|
||||
|
||||
assert(cert:set_subject_name(nm))
|
||||
assert(cert:set_issuer_name(issuing_name or nm))
|
||||
|
||||
assert(cert:set_basic_constraints { CA = is_ca })
|
||||
assert(cert:set_basic_constraints_critical(true))
|
||||
|
||||
if not is_ca then
|
||||
assert(cert:add_extension(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth")))
|
||||
|
||||
assert(cert:add_extension(assert(extension.new("subjectKeyIdentifier", "hash", {
|
||||
subject = cert,
|
||||
}))))
|
||||
end
|
||||
|
||||
local dgst
|
||||
if BORINGSSL then
|
||||
dgst = digest.new("SHA256")
|
||||
end
|
||||
assert(cert:sign(signing_key or key, dgst))
|
||||
|
||||
return cert, key
|
||||
end
|
||||
|
||||
local function to_hex(bin)
|
||||
local hex, err = bn.from_binary(bin):to_hex()
|
||||
if err then
|
||||
error(err)
|
||||
end
|
||||
return hex:upper()
|
||||
end
|
||||
|
||||
local function myassert(...)
|
||||
local ret = {...}
|
||||
local err = ret[#ret]
|
||||
if #ret > 1 and err then
|
||||
ngx.log(ngx.ERR, tostring(err))
|
||||
ngx.exit(0)
|
||||
end
|
||||
return ...
|
||||
end
|
||||
|
||||
-- https://github.com/openresty/lua-cjson/blob/461c7ef23a49062d4b1bf0e1afb3be294d007861/tests/sort_json.lua
|
||||
|
||||
-- NOTE: This will only work for simple tests. It doesn't parse strings so if
|
||||
-- you put any symbols like {?[], inside of a string literal then it will break
|
||||
-- The point of this function is to test basic structures, and not test JSON
|
||||
-- strings
|
||||
|
||||
local function sort_callback(str)
|
||||
local inside = str:sub(2, -2)
|
||||
|
||||
local parts = {}
|
||||
local buffer = ""
|
||||
local pos = 1
|
||||
|
||||
while true do
|
||||
if pos > #inside then
|
||||
break
|
||||
end
|
||||
|
||||
local append
|
||||
|
||||
local parens = inside:match("^%b{}", pos)
|
||||
if parens then
|
||||
pos = pos + #parens
|
||||
append = sort_callback(parens)
|
||||
else
|
||||
local array = inside:match("^%b[]", pos)
|
||||
if array then
|
||||
pos = pos + #array
|
||||
append = array
|
||||
else
|
||||
local front = inside:sub(pos, pos)
|
||||
pos = pos + 1
|
||||
|
||||
if front == "," then
|
||||
table.insert(parts, buffer)
|
||||
buffer = ""
|
||||
else
|
||||
append = front
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if append then
|
||||
buffer = buffer .. append
|
||||
end
|
||||
end
|
||||
|
||||
if buffer ~= "" then
|
||||
table.insert(parts, buffer)
|
||||
end
|
||||
|
||||
table.sort(parts)
|
||||
|
||||
return "{" .. table.concat(parts, ",") .. "}"
|
||||
end
|
||||
|
||||
local function sort_json(str)
|
||||
return (str:gsub("%b{}", sort_callback))
|
||||
end
|
||||
|
||||
local function encode_sorted_json(tbl)
|
||||
return sort_json(require("cjson").encode(tbl))
|
||||
end
|
||||
|
||||
local function create_cert_chain(depth, key_opts)
|
||||
local last_key, last_cn
|
||||
local certs, keys = {}, {}
|
||||
for i=1, depth do
|
||||
local cn, issuer
|
||||
if last_key then
|
||||
cn = "lua-resty-openssl Test Cert leaf " .. i - 1
|
||||
issuer = name.new()
|
||||
assert(issuer:add("CN", last_cn))
|
||||
else
|
||||
cn = "lua-resty-openssl Test Cert Root CA"
|
||||
end
|
||||
last_cn = cn
|
||||
|
||||
local crt, key = create_self_signed(key_opts,
|
||||
{ CN = cn }, i < depth, last_key, issuer)
|
||||
|
||||
certs[i] = crt
|
||||
keys[i] = key
|
||||
|
||||
last_key = key
|
||||
end
|
||||
|
||||
return certs, keys
|
||||
end
|
||||
|
||||
|
||||
return {
|
||||
create_self_signed = create_self_signed,
|
||||
to_hex = to_hex,
|
||||
myassert = myassert,
|
||||
encode_sorted_json = encode_sorted_json,
|
||||
create_cert_chain = create_cert_chain,
|
||||
}
|
|
@ -1,118 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate hmac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(hmac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac, err = require("resty.openssl.hmac").new("goose", "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"hmac.new:.+(?:invalid|unsupported).*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
|
||||
myassert(hmac:reset())
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,457 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: kdf: invalid args are checked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key, err = kdf.derive({
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = "no",
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = 123,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = 19823718236128631,
|
||||
outlen = 16,
|
||||
pass = "123",
|
||||
})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kdf.derive: \"type\" must be set
|
||||
kdf.derive: expect a number as \"type\"
|
||||
kdf.derive: \"outlen\" must be set
|
||||
kdf.derive: except a string as \"pass\"
|
||||
kdf.derive: unknown type 19823718236128632
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: PBKDF2
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
pbkdf2_iter = 1000,
|
||||
md = "md5",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cDRFLQ7NWt\\+AP4i0TdBzog=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: PBKDF2, optional args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"HkN6HHnXW\\+YekRQdriCv/A=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: HKDF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("aqRd+gO5Ok3YneDEormTcg==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "some info",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_AND_EXPAND,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"aqRd+gO5Ok3YneDEormTcg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: HKDF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.say("aggdq4eoqRiP0Z3GbpxCjg==")
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version_num = version.version_num
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "info",
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
|
||||
if not version.OPENSSL_111_or_LATER then
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_ONLY,
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"aggdq4eoqRiP0Z3GbpxCjg==
|
||||
W/tSxFnNsHIYwXa13eybYhW9W3Y=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: TLS1-PRF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("0xr8qthU+ypv2xRC90la8g==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"0xr8qthU\\+ypv2xRC90la8g=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: TLS1-PRF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("XVVDK9/puTqBOsyTKt8PKQ==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"XVVDK9/puTqBOsyTKt8PKQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 8: scrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("9giFtxace5sESmRb8qxuOw==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.SCRYPT,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
scrypt_N = 1024,
|
||||
scrypt_r = 8,
|
||||
scrypt_p = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"9giFtxace5sESmRb8qxuOw=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: EVP_KDF API: new
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
myassert(kdf.new("PBKDF2"))
|
||||
local ok, err = kdf.new("UNKNOWNKDF")
|
||||
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+invalid mac type \"UNKNOWNKDF\".+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: EVP_KDF API: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.kdf")
|
||||
local c = myassert(cipher.new("hkdf"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 11: EVP_KDF API: derive
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: EVP_KDF API: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
ngx.say(require("cjson").encode(myassert(k:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(k:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: EVP_KDF API: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==\n18446744073709551615")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
-- output SIZE_MAX since it's not fixed size, need to find a better test case
|
||||
ngx.say(tostring(k:get_param("size", nil, "bn")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
18446744073709551615
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: EVP_KDF API: reset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-missing salt\ncDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
myassert(k:reset())
|
||||
local ok, err = k:derive(16, {
|
||||
pass = "1234567",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
myassert(k:set_params({
|
||||
iter = 100,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
iter = 1000,
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+missing salt
|
||||
cDRFLQ7NWt\+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,188 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate mac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
mac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(mac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("mac.new: invalid cipher or digest type")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local mac, err = require("resty.openssl.mac").new("goose", "HMAC", nil, "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"mac.new: invalid cipher or digest type.*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(myassert(m:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(require("cjson").encode(myassert(m:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(m:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\n32")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
local s1 = myassert(mac:final("🦢"))
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("notthiskey", "HMAC", nil, "sha256"))
|
||||
myassert(mac:set_params({key = "goose"}))
|
||||
local s2 = myassert(mac:final("🦢"))
|
||||
|
||||
ngx.say(s1 == s2)
|
||||
ngx.say(myassert(mac:get_param("size")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
32
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,81 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Convert nid to table
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(encode_sorted_json(o.nid2table(87)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Convert txt to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
local t = {
|
||||
ln = "X509v3 Basic Constraints",
|
||||
sn = "basicConstraints",
|
||||
id = "2.5.29.19"
|
||||
}
|
||||
local r = {}
|
||||
for k, v in pairs(t) do
|
||||
r[k] = o.txt2nid(v)
|
||||
end
|
||||
ngx.print(encode_sorted_json(r))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":87,"ln":87,"sn":87}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Convert sigid to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(o.find_sigid_algs(795)) -- ecdsa-with-SHA384
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
673
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,38 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Construct
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
ngx.say("TODO")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
TODO
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,262 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads password protected pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r = myassert(pkcs12.decode(pp, "badssl.com"))
|
||||
|
||||
ngx.say(r.key:get_parameters().d:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
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
|
||||
2B936CE32D82CE8B01FD9A0595AC6366AA014C82
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Errors on bad password
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r, err = pkcs12.decode(pp, "wrong password")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
|
||||
local r, err = pkcs12.decode(pp)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Creates pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
-- full house
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no name
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no CA
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- empty password
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Uses empty string password when omitted
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local p12 = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
}))
|
||||
|
||||
local r = myassert(pkcs12.decode(p12, nil))
|
||||
ngx.say(#r.key:get_parameters().x:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
ngx.say(#r.cacerts)
|
||||
ngx.say(r.friendly_name)
|
||||
-- same as empty string
|
||||
local r = myassert(pkcs12.decode(p12, ""))
|
||||
|
||||
-- password mismatch
|
||||
local r, err = pkcs12.decode(p12, "extrapassword")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'6\d
|
||||
0
|
||||
2
|
||||
myname
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Check cert and key mismatch
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local key2 = require("resty.openssl.pkey").new({ type = 'EC', curve = "prime256v1" })
|
||||
|
||||
local r, err = pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key2,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12")
|
||||
ngx.say(r == nil, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates pkcs12 with newer algorithm
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("2333")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
-- don't load the legacy provider for this test
|
||||
-- by default nid_key is RC2 and is moved to legacy provider in 3.0
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
nid_key = "aes-128-cbc",
|
||||
nid_cert = "aes-128-cbc",
|
||||
mac_iter = 2000,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
File diff suppressed because it is too large
|
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\nnil\ntrue\nfalse\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
nil
|
||||
true
|
||||
false
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Self test default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("nil\ntrue\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local ok, err = p:self_test(n)
|
||||
ngx.say(ok)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
nil
|
||||
true
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Set default search path
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\ncommon libcrypto routines::init fail")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
pro.set_default_search_path("/tmp")
|
||||
local ok, err = pro.load("legacy")
|
||||
ngx.say(ok == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
.+(?:init fail|common libcrypto routines::reason\(524325\))
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Get parameters
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('{"buildinfo":"3.0.0-alpha7","name":"OpenSSL Default Provider","status":1,"version":"3.0.0"}')
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
local p = myassert(pro.load("default"))
|
||||
local a = assert(p:get_params("name", "version", "buildinfo", "status"))
|
||||
ngx.say(encode_sorted_json(a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{"buildinfo":"3.+","name":"OpenSSL Default Provider","status":1,"version":"3.+"}
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Geneartes random bytes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b)
|
||||
local b2, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b2)
|
||||
ngx.say(b == b2)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"233
|
||||
233
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes()
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes(true)
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes({})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
|
@ -1,281 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (client) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c1.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c1.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (client) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c2.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c2.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
local crt = chain[1]
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
1
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (client) set cipher suites [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 4: SSL (client) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c4.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-GCM-SHA384.*
|
||||
ECDHE-RSA-AES256-GCM-SHA384
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (client) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c5.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c5.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (client) set_verify and add_client_ca [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (client) set/get/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c7.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c7.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_NO_QUERY_MTU.+SSL_OP_PRIORITIZE_CHACHA.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (client) set_protocols [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-sctx1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl_ctx = require "resty.openssl.ssl_ctx"
|
||||
local sc = assert(ssl_ctx.from_request())
|
||||
assert(sc:set_alpns({"h4"}))
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ngx_pipe = require "ngx.pipe"
|
||||
local opts = {
|
||||
merge_stderr = true,
|
||||
buffer_size = 256000,
|
||||
}
|
||||
local proc = ngx_pipe.spawn({'bash', '-c', "echo q | openssl s_client -unix /tmp/nginx-sctx1.sock -alpn h4 && sleep 0.1"}, opts)
|
||||
local data, err, partial = proc:stdout_read_all()
|
||||
if ngx.re.match(data, "ALPN protocol: h4") then
|
||||
ngx.say("ok")
|
||||
else
|
||||
ngx.say(data)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
@ -1,375 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s1.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (server) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s2.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s2.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
0
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (server) set cipher suites (TLSv1.3 set_ciphersuites not tested)
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s3.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_cipher_list("ECDHE-RSA-AES256-SHA"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-s3.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-SHA.*
|
||||
ECDHE-RSA-AES256-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 4: SSL (server) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
ngx.say(ciphers)
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s4.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES128-SHA.*
|
||||
ECDHE-RSA-AES128-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (server) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s5.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s5.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (server) set_verify and add_client_ca [tested in get_peer_cert]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (server) get/set/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s7.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s7.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_CIPHER_SERVER_PREFERENCE.+SSL_OP_NO_QUERY_MTU.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (server) set_protocols [skipped; need clienthello_by]
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s8.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_protocols TLSv1.3;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_protocols("TLSv1.2"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s8.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
proxy_ssl_protocols TLSv1.2;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
|
@ -1,56 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Prints version text properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version_text)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Prints version text using version()
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version(version.VERSION))
|
||||
ngx.say(version.version(version.CFLAGS))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
compiler:.+
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,988 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejectes invalid cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local p, err = x509.new(true)
|
||||
ngx.say(err)
|
||||
p, err = x509.new("222")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"expect nil or a string at #1
|
||||
x509.new: .*(not enough data|NOT_ENOUGH_DATA)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Calculates cert digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:digest())
|
||||
|
||||
local h = string.upper(myassert(require("helper").to_hex(dd)))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Calculates pubkey digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:pubkey_digest())
|
||||
|
||||
local h, err = string.upper(require("helper").to_hex(dd))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"607B661A450D97CA89502F7D04CD34A8FFFCFD4B
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Gets extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ext, pos = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(pos)
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"5
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local c, err = require("resty.openssl.x509").new()
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"extendedKeyUsage", "TLS Web Server Authentication"
|
||||
))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"keyUsage", "Digital Signature, Key Encipherment"
|
||||
))
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"Digital Signature, Key Encipherment
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Reads basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ok = myassert(c:set_basic_constraints({
|
||||
CA = false,
|
||||
pathLen = 233,
|
||||
}))
|
||||
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Get authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
myassert(aia:add("OCSP", "URI", "http://somedomain.com"))
|
||||
|
||||
myassert(c:set_info_access(aia))
|
||||
|
||||
local aia = myassert(c:get_info_access())
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
OCSP - URI:http://somedomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Get CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local cdp = myassert(c:get_crl_distribution_points())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, altname in pairs(cdp) do
|
||||
for k, v in pairs(altname) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"URI http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
URI http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Set CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- NYI
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: Get OCSP url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url(true))
|
||||
ngx.say(encode_sorted_json(ocsp))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://ocsp.digicert.com
|
||||
["http:\/\/ocsp.digicert.com"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: Get CRL url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
|
||||
local crl = myassert(c:get_crl_url(true))
|
||||
ngx.say(encode_sorted_json(crl))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
["http:\/\/crl3.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl","http:\/\/crl4.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: Get non existend extension, return nil, nil
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
ngx.say(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed({ type = "EC", curve = "prime256v1" })
|
||||
local ok, err = cert:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ok, err = c:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = cert:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 20: x509:get_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0E8BF3770D92D196F0BB61F93C4166BE"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509:set_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.bn").new(math.random(1, 2333333)))
|
||||
local ok = myassert(c:set_serial_number(toset))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
toset = toset:to_hex():upper()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509:get_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1616630400"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 23: x509:set_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_before(toset))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509:get_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1648684799"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509:set_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_after(toset))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 26: x509:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErfb3dbHTSVQKXRBxvdwlBksiHKIj
|
||||
Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 27: x509:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 28: x509:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=github.com/L=San Francisco/O=GitHub, Inc./ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 29: x509:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 30: x509:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1/O=DigiCert, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 31: x509:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 32: x509:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 33: x509:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 34: x509:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=github.com/DNS=www.github.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 35: x509:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 37: x509:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 38: x509:get/set_basic_constraints_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_basic_constraints_critical())
|
||||
|
||||
local ok, err = myassert(c:set_basic_constraints_critical(not crit))
|
||||
|
||||
ngx.say(c:get_basic_constraints_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 39: x509:get/set_info_access_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_info_access_critical())
|
||||
|
||||
local ok, err = myassert(c:set_info_access_critical(not crit))
|
||||
|
||||
ngx.say(c:get_info_access_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 40: x509:get/set_crl_distribution_points_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_crl_distribution_points_critical())
|
||||
|
||||
local ok, err = myassert(c:set_crl_distribution_points_critical(not crit))
|
||||
|
||||
ngx.say(c:get_crl_distribution_points_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 41: x509:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
794
|
||||
ecdsa-with-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,238 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(c:count())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS 0.com
|
||||
DNS 1.com
|
||||
DNS 2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
local k, v = unpack(c[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
if cc ~= nil then
|
||||
local k, v = unpack(cc)
|
||||
ngx.say(k, " ", v)
|
||||
else
|
||||
ngx.say("incorrectly GC'ed")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local c2 = myassert(altname.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
local k, v = unpack(c2[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Unsupported SANs are returned as "unsupported"
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
|
||||
local ext, err = myassert(extension.new("subjectAltName", "otherName:msUPN;UTF8:sb@sb.local,IP.1:255.255.255.255,IP.2:1111:1111:1111:1111:1111:1111:1111:1111,DNS:example.com,email:test@test.com,RID:1.2.3.4"))
|
||||
|
||||
local c = x509.new()
|
||||
|
||||
myassert(c:add_extension(ext))
|
||||
|
||||
local alts = myassert(c:get_subject_alt_name())
|
||||
|
||||
for k, v in pairs(alts) do
|
||||
ngx.say(k, ":", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
OtherName:OtherName:<unsupported>
|
||||
IP:255.255.255.255
|
||||
IP:1111:1111:1111:1111:1111:1111:1111:1111
|
||||
DNS:example.com
|
||||
email:test@test.com
|
||||
RID:RID:<unsupported>
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: IP addresses are validated and parsed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
myassert(c:add("IP", "1.2.3.4"))
|
||||
myassert(c:add("IPAddress", "100.100.100.100"))
|
||||
myassert(c:add("IP", "255.255.255.255"))
|
||||
myassert(c:add("IP", "::1"))
|
||||
myassert(c:add("IP", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
|
||||
for _, v in ipairs({"1", ":::", "ffff:", "256.1.1.1"}) do
|
||||
local _, err = c:add("IP", v)
|
||||
if err == nil then
|
||||
ngx.say("should error on " .. v)
|
||||
end
|
||||
end
|
||||
|
||||
ngx.say(c:tostring())
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
IP=1.2.3.4/IP=100.100.100.100/IP=255.255.255.255/IP=::1/IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,173 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
end
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(#cc:digest())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
20
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#c[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#cc:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local c2 = myassert(chain.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(#c2[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,507 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: x509.crl:add_revoked should add revoked to crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
return
|
||||
end
|
||||
|
||||
local ok = myassert(c:add_revoked(r))
|
||||
if ok ~= true then
|
||||
ngx.say("Could not add revoked")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: x509.crl:add_revoked should fail if revoked is not instance of revoked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local ok, err = c:add_revoked({ctx ={}})
|
||||
if ok ~= false then
|
||||
ngx.say("false")
|
||||
elseif err ~= "x509.crl:add_revoked: expect a revoked instance at #1" then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.crl:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
c:add_revoked(r)
|
||||
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: x509.crl:text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
ngx.say(myassert(c:text()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"Certificate Revocation List.+Revoked Certificates.+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.crl metamethods
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2")
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:index(1))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = c[1]
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local r = myassert(revoked.new(0x04D2, 1511122233, 1))
|
||||
myassert(c:add_revoked(r))
|
||||
|
||||
ngx.say(#c, ", ", c:count())
|
||||
for _, rr in ipairs(c) do
|
||||
ngx.say(rr.serial_number:upper(), ", ", rr.revocation_date)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
2, 2
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
04D2, 1511122233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.crl get_by_serial
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3"))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = myassert(c:get_by_serial(require("resty.openssl.bn").from_hex("09159859CAC0C90203BB34C5A012C2A3")))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local nos, err = c:get_by_serial("111111")
|
||||
ngx.say(nos == nil, err == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
truetrue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: x509.crl doesn't error if revoked is empty (regression)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/no_revoked.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(tostring(k))
|
||||
end
|
||||
-- above should print nothing
|
||||
|
||||
ngx.say(c:get_last_update())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1652832000
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 11: x509.crl:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=CN/CN=TrustAsia EV TLS Pro CA G2/O=TrustAsia Technologies, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.crl:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: x509.crl:get_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1580684546"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: x509.crl:set_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_last_update(toset))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: x509.crl:get_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1581289346"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.crl:set_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_next_update(toset))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.crl:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.crl:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.crl:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
668
|
||||
RSA-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,56 +0,0 @@
|
|||
|
||||
local function create_csr(domain_pkey, ...)
|
||||
local domains = {...}
|
||||
|
||||
local subject = require("resty.openssl.x509.name").new()
|
||||
local _, err = subject:add("CN", domains[1])
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local alt, err
|
||||
if #{...} > 1 then
|
||||
alt, err = require("resty.openssl.x509.altname").new()
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
for _, domain in pairs(domains) do
|
||||
_, err = alt:add("DNS", domain)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
local _
|
||||
_, err = csr:set_subject_name(subject)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
if alt then
|
||||
_, err = csr:set_subject_alt_name(alt)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
|
||||
_, err = csr:set_pubkey(domain_pkey)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("SHA256")
|
||||
_, err = csr:sign(domain_pkey, d)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
return csr:tostring("DER"), nil
|
||||
end
|
||||
|
||||
return {
|
||||
create_csr = create_csr,
|
||||
}
|
|
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Generates CSR with RSA pkey correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new()
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(der)
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -inform der -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+CN\\s*=\\s*dns1.com.+rsaEncryption.+2048 bit.+DNS:dns1.com.+DNS:dns2.com.+DNS:dns3.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
ok, err = csr:set_subject_name("not a subject")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_subject_alt_name("not an alt")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_pubkey("not a pkey")
|
||||
ngx.say(err)
|
||||
ok, err = csr:sign("not a pkey")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"x509.csr:set_subject_name: expect a x509.name instance at #1
|
||||
x509.csr:set_subject_alt_name: expect a x509.altname instance at #1
|
||||
x509.csr:set_pubkey: expect a pkey instance at #1
|
||||
x509.csr:sign: expect a pkey instance at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.csr:get_extensions of csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local exts = c:get_extensions()
|
||||
if #exts == 0 then
|
||||
ngx.print("0")
|
||||
else
|
||||
ngx.print("4")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"4"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: x509.csr:get_extension by nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, pos = c:get_extension(83)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
|
||||
local ext = c:get_extension(83, pos)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.csr:get_extension by nid name
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext = c:get_extension('basicConstraints')
|
||||
if not ext then
|
||||
ngx.print("nil")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.csr:get_extension should return nil if wrong nid name is given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, err = c:get_extension('test')
|
||||
if not ext then
|
||||
ngx.print("ok")
|
||||
else
|
||||
ngx.print(err)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(c:tostring())
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"DNS:example.com.+DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.csr:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new({ type = "EC", curve = "prime256v1" })
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
local csr = myassert(require("resty.openssl.x509.csr").new(der))
|
||||
local ok, err = csr:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ok, err = c:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = csr:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 15: x509.csr:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=example.com/L=Los Angeles/O=SSL Support/OU=SSL Support/ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.csr:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.csr:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GD
|
||||
CNL5NhDX2JVUQKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUz
|
||||
KoTt5yLdVIM/HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgD
|
||||
cdbcQ5wsPVOiFHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyf
|
||||
gGS4+XQSsUdwNWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1
|
||||
f3rlwf8H5HIVH3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJE
|
||||
cwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.csr:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: x509.csr:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.csr:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509.csr:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=example.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509.csr:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509.csr:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509.csr:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
65
|
||||
RSA-SHA1
|
||||
SHA1
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,379 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Gets extension object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
|
||||
ngx.say(encode_sorted_json(myassert(c:get_object())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.37","ln":"X509v3 Extended Key Usage","nid":126,"sn":"extendedKeyUsage"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Gets extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Extended Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Set extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
myassert(c:set_critical())
|
||||
ngx.say(c:get_critical())
|
||||
|
||||
myassert(c:set_critical(true))
|
||||
ngx.say(c:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Prints human readable txt of extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:text())
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(extension))
|
||||
|
||||
-- unknown extension
|
||||
local objects = require("resty.openssl.objects")
|
||||
local id_pe_acmeIdentifier = "1.3.6.1.5.5.7.1.31"
|
||||
local nid = objects.txt2nid(id_pe_acmeIdentifier)
|
||||
if not nid or nid == 0 then
|
||||
nid = objects.create(
|
||||
id_pe_acmeIdentifier, -- nid
|
||||
"pe-acmeIdentifier", -- sn
|
||||
"ACME Identifier" -- ln
|
||||
)
|
||||
end
|
||||
local ext = myassert(require("resty.openssl.x509.extension").from_der("valuevalue", nid, true))
|
||||
ngx.say("ACME Identifier: ", tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
.?ACME Identifier: valuevalue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates extension by X509V3_CTX
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local x509 = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.crt"):read("*a")
|
||||
local ic = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.key"):read("*a")
|
||||
local ik = myassert(require("resty.openssl.pkey").new(f))
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("subjectKeyIdentifier", "hash",
|
||||
{
|
||||
subject = x509,
|
||||
}))
|
||||
|
||||
ngx.say(tostring(c))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
}))
|
||||
|
||||
if tostring(c) ~= "0." then
|
||||
ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
|
||||
end
|
||||
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
issuer_pkey = ik,
|
||||
}))
|
||||
-- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
|
||||
ngx.print("keyid:")
|
||||
else
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = ic,
|
||||
}))
|
||||
end
|
||||
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Creates extension by data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.17","ln":"X509v3 Subject Alternative Name","nid":85,"sn":"subjectAltName"}
|
||||
DNS:test.com, DNS:test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Convert extension to data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local alt2 = myassert(extension.to_data(c, 85))
|
||||
ngx.say(alt2:tostring())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'DNS=test.com/DNS=test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Creates extension by der
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_der("\x00\x01\x02\x03", "basicConstraints"))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say([[
|
||||
{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
]])
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
|
||||
[[
|
||||
[polsect]
|
||||
policyIdentifier = 1.3.5.8
|
||||
CPS.1="http://my.host.name/"
|
||||
CPS.2="http://my.your.name/"
|
||||
userNotice.1=@notice
|
||||
|
||||
[notice]
|
||||
explicitText="Explicit Text Here"
|
||||
organization="Organisation Name"
|
||||
noticeNumbers=1,2,3,4
|
||||
]]
|
||||
))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Returns DER encoded data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"041427B17E9FBB269950D8F3C3535BFE3116B0BB1E72
|
||||
308182302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305A06082B06010505073002864E687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274486967684173737572616E6365544C53487962726964454343534841323536323032304341312E637274
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
|
||||
collectgarbage()
|
||||
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(cc:text())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
ext = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(cc:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local c2 = myassert(extensions.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(c2[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,139 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct X509_name_st X509_NAME; void X509_NAME_free(X509_NAME *name);')
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local name2 = myassert(require("resty.openssl.x509.name").dup(name.ctx))
|
||||
|
||||
name = nil
|
||||
collectgarbage("collect")
|
||||
-- if name2.ctx is also freed this following will segfault
|
||||
local _ = myassert(name2:add("CN", "example.com"))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Rejects invalid NID
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name, err = name:add("whatever", "value")
|
||||
ngx.say(name == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.name:add: invalid NID text whatever
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Finds by text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name = myassert(name:add("CN", "example.com"))
|
||||
|
||||
name = myassert(name:add("CN", "anotherdomain.com"))
|
||||
|
||||
local a, b, c = name:find("CN")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("2.5.4.3")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("CM")
|
||||
if not a then
|
||||
ngx.say("not found")
|
||||
end
|
||||
local a, b, c = name:find("CN", 1)
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"found 1 example.com
|
||||
found 1 example.com
|
||||
not found
|
||||
found 2 anotherdomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Pairs
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local CNs = 3
|
||||
for i=1,CNs,1 do
|
||||
name = myassert(name:add("CN", string.format("%d.example.com", i)))
|
||||
end
|
||||
local others = { "L", "ST", "O" }
|
||||
for _, k in ipairs(others) do
|
||||
name = myassert(name:add(k, "Mars"))
|
||||
end
|
||||
ngx.say(#name)
|
||||
for k, v in pairs(name) do
|
||||
ngx.print(v.nid .. ",")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"6
|
||||
13,13,13,15,16,17,"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,69 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1:revoked.new should create new revoked instance
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local time = ngx.time()
|
||||
local r, err = myassert(revoked.new(1234, time, 1))
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2:revoked.new should fail when invalid parameters are given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local toset = ngx.time()
|
||||
local r, err = revoked.new("1234", toset, 40)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.revoked.new: sn should be number or a bn instance
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,414 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates store properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local c = myassert(store.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Loads a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads default location
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
myassert(s:use_default())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Loads file
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok, err = s:load_file("certnonexistent.pem")
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
os.execute("echo > cert4-empty.pem")
|
||||
local ok, err = s:load_file("cert4-empty.pem")
|
||||
ngx.say(ok)
|
||||
-- we only get detailed error for "no certificate found" on >= 1.1.1
|
||||
ngx.say(err)
|
||||
os.remove("cert4-empty.pem")
|
||||
local cert, _ = require("helper").create_self_signed()
|
||||
local f = io.open("cert4.pem", "w")
|
||||
f:write(cert:tostring())
|
||||
f:close()
|
||||
local ok = myassert(s:load_file("cert4.pem"))
|
||||
os.remove("cert4.pem")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
x509.store:load_file.+system lib.*
|
||||
false
|
||||
x509.store:load_file.+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Verifies a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert1, key1 = require("helper").create_self_signed()
|
||||
local cert2, key2 = require("helper").create_self_signed()
|
||||
local cert3, key3 = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert1))
|
||||
|
||||
local ok = myassert(s:add(cert2))
|
||||
|
||||
local chain = myassert(s:verify(cert1, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
local chain, err = s:verify(cert3, nil, true)
|
||||
ngx.say(err)
|
||||
ngx.say(chain == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
(?:self signed|self-signed) certificate
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: Using default CAs (skip due to hard to setup on custom-built openssl env)
|
||||
--- SKIP
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:use_default())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Loads directory
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:load_directory("/etc/ssl/certs"))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Verifies sub cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
for _, c in ipairs(chain) do
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set purpose
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("crlsign"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Set depth
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[1]))
|
||||
local ch = chain.new()
|
||||
for i=2, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should be ok
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
-- in openssl < 1.1.0, depth are counted 1 more than later versions
|
||||
-- we set it to be one less than enough to be prune to that case
|
||||
myassert(s:set_depth(1))
|
||||
-- openssl 1.0.2 will emit "unable to get local issuer certificate"
|
||||
-- instead of "certificate chain too long"
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"truenil
|
||||
nil(?:certificate chain too long|unable to get local issuer certificate)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Verify with verify_method
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "ssl_client")
|
||||
ngx.say(ok, err)
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
nil(?:unsupported|unsuitable) certificate purpose
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Set flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
myassert(s:set_flags(s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set verify time flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
ngx.say(s:verify(certs[#certs], ch, false, nil, nil, s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|