Apply post_install script to lua-resty-openssl
parent
09ae6da557
commit
ed234fd63f
|
@ -1,132 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: FIPS mode can be turned on and off
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
if openssl.get_fips_mode() then
|
||||
ngx.say("false\ntrue\nfalse")
|
||||
else
|
||||
ngx.say("BORINGSSL should have fips turned on but actually not")
|
||||
end
|
||||
ngx.exit(200)
|
||||
end
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
myassert(openssl.set_fips_mode(false))
|
||||
ngx.say(openssl.get_fips_mode())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
false
|
||||
true
|
||||
false
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: CIPHER, MD and PKEY provider is directed to fips
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not _G.fips or not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("fips\nfips\nfips")
|
||||
ngx.exit(200)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
ngx.say(myassert(require("resty.openssl.cipher").new("aes256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.digest").new("sha256")):get_provider_name())
|
||||
ngx.say(myassert(require("resty.openssl.pkey").new({ type = "EC" })):get_provider_name())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
fips
|
||||
fips
|
||||
fips
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Non-FIPS compliant algorithms are not allowed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- BORINGSSL doesn't seem to remove non-fips compliant algorithms?
|
||||
if not _G.fips or require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("true\ntrue")
|
||||
ngx.say("invalid cipher type \"chacha20\": unsupported")
|
||||
ngx.say("invalid digest type \"md5\": unsupported")
|
||||
ngx.exit(200)
|
||||
end
|
||||
|
||||
local ok, err
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(not not ok)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(not not ok)
|
||||
|
||||
local openssl = require("resty.openssl")
|
||||
myassert(openssl.set_fips_mode(true))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
ok, err = require("resty.openssl.cipher").new("chacha20")
|
||||
else
|
||||
ok, err = require("resty.openssl.cipher").new("seed")
|
||||
end
|
||||
ngx.say(err)
|
||||
local ok, err = require("resty.openssl.digest").new("md5")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
true
|
||||
.*invalid cipher type.+(?:unsupported|disabled for fips).*
|
||||
.*invalid digest type "md5".+(?:unsupported|disabled for fips).*
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,29 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFBjCCBK2gAwIBAgIQDovzdw2S0Zbwu2H5PEFmvjAKBggqhkjOPQQDAjBnMQsw
|
||||
CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPzA9BgNVBAMTNkRp
|
||||
Z2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIFRMUyBIeWJyaWQgRUNDIFNIQTI1NiAyMDIw
|
||||
IENBMTAeFw0yMTAzMjUwMDAwMDBaFw0yMjAzMzAyMzU5NTlaMGYxCzAJBgNVBAYT
|
||||
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wWTAT
|
||||
BgcqhkjOPQIBBggqhkjOPQMBBwNCAASt9vd1sdNJVApdEHG93CUGSyIcoiNOn6H+
|
||||
udCMvTm8DCPHz5GmkFrYRasDE77BI3q5xMidR/aW4Ll2a1A2ZvcNo4IDOjCCAzYw
|
||||
HwYDVR0jBBgwFoAUUGGmoNI1xBEqII0fD6xC8M0pz0swHQYDVR0OBBYEFCexfp+7
|
||||
JplQ2PPDU1v+MRawux5yMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRo
|
||||
dWIuY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
|
||||
BQUHAwIwgbEGA1UdHwSBqTCBpjBRoE+gTYZLaHR0cDovL2NybDMuZGlnaWNlcnQu
|
||||
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZVRMU0h5YnJpZEVDQ1NIQTI1NjIwMjBD
|
||||
QTEuY3JsMFGgT6BNhktodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRI
|
||||
aWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hBMjU2MjAyMENBMS5jcmwwPgYDVR0g
|
||||
BDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2Vy
|
||||
dC5jb20vQ1BTMIGSBggrBgEFBQcBAQSBhTCBgjAkBggrBgEFBQcwAYYYaHR0cDov
|
||||
L29jc3AuZGlnaWNlcnQuY29tMFoGCCsGAQUFBzAChk5odHRwOi8vY2FjZXJ0cy5k
|
||||
aWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hB
|
||||
MjU2MjAyMENBMS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYE
|
||||
gfMA8QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABeGq/vRoA
|
||||
AAQDAEcwRQIhAJ7miER//DRFnDJNn6uUhgau3WMt4vVfY5dGigulOdjXAiBIVCfR
|
||||
xjK1v4F31+sVaKzyyO7JAa0fzDQM7skQckSYWQB3ACJFRQdZVSRWlj+hL/H3bYbg
|
||||
IyZjrcBLf13Gg1xu4g8CAAABeGq/vTkAAAQDAEgwRgIhAJgAEkoJQRivBlwo7x67
|
||||
3oVsf1ip096WshZqmRCuL/JpAiEA3cX4rb3waLDLq4C48NSoUmcw56PwO/m2uwnQ
|
||||
prb+yh0wCgYIKoZIzj0EAwIDRwAwRAIgK+Kv7G+/KkWkNZg3PcQFp866Z7G6soxo
|
||||
a4etSZ+SRlYCIBSiXS20Wc+yjD111nPzvQUCfsP4+DKZ3K+2GKsERD6d
|
||||
-----END CERTIFICATE-----
|
|
@ -1,21 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
|
||||
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
||||
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
|
||||
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
|
||||
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
|
||||
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
|
||||
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
|
||||
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
|
||||
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
|
||||
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
|
||||
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
|
||||
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
|
||||
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
|
||||
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
|
||||
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
|
||||
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
|
||||
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,26 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEWjCCA0KgAwIBAgIOR8MQAMBL+oomVLdB7CswDQYJKoZIhvcNAQEFBQAwVzEL
|
||||
MAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsT
|
||||
B1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNjAzMTYw
|
||||
MDAwMDBaFw0yNDAzMTYwMDAwMDBaMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBH
|
||||
bG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2ln
|
||||
biAzIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm4HxK
|
||||
0o9gvqhlIWVajpj75hIkZariW6PUj+njWoA5YRqmopnzUc99nUzj9Lj7Go8eqe9F
|
||||
9tT76IeS2MdOAn1bata0FTGQXUZYO72E4YL18SE5ERRLlOjt1TenE4JbRFodris3
|
||||
+NUh9qNOFhyii7zf/nNQMTWDQ3hH5z4qcAemahgS26Ep8VihD70pPleC9Jcy/RVM
|
||||
k+RjqBEzur3dWHPD21wRk3gS29Gs2499Tj59DlLH+RoXSsRjHcJk+fDHzC2zyY4M
|
||||
jNJHgw/RWfhmJqxPDrNvF3jiDchMDrkY/o7oywpJCfVaTZ3ScEd4GnhIsBJi26ci
|
||||
OYfjXmq+vPGumJBTAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
|
||||
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU4ir34VYTni+RxwhiCZ7AIV++blMwHwYD
|
||||
VR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0G
|
||||
CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYD
|
||||
VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNy
|
||||
bDBHBgNVHSAEQDA+MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu
|
||||
Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQEFBQADggEBAAMt
|
||||
Z5FskwVr28wgh70YcB0TepVojuiDQwDHilW0dfFnM+tkzwyHKcU7Q36EojXCrMz1
|
||||
SXw2TD8n+BC3dkJdmYf7zPKen5HguBaraPUzcxgZuJCfZmA1fW1+hrJ9sVLp9nBX
|
||||
J3H2g4XDIl1yj/MozwfWfKE04fJZyk7yuAknoFgwK+EGOXnXnjMWldAoPLS0AyFE
|
||||
aM1HU57OUMWPRwJ5Ts/CKf50Nz9ntgGTGVHvyfDvexHEEMGF1Vc9KAs+Z0jPXFom
|
||||
H6wJlHvDM0nVtIbvdkGxVzxEQASkXUdh7qPxR4WpGJn5vMpIi74NglkCp5pPuDJ6
|
||||
i7GsIy4xEeMwq4nuOh8=
|
||||
-----END CERTIFICATE-----
|
Binary file not shown.
Binary file not shown.
|
@ -1,18 +0,0 @@
|
|||
# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0).
|
||||
#
|
||||
# The modulewrapper is not a part of the FIPS module, so it can be patched without
|
||||
# concern about breaking the FIPS validation.
|
||||
--- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
|
||||
@@ -12,9 +12,11 @@
|
||||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
||||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
||||
|
||||
+#include <string>
|
||||
#include <vector>
|
||||
|
||||
#include <assert.h>
|
||||
+#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN X509 CRL-----
|
||||
MIIC2jCBwwIBATANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQIDAJDQTENMAsGA1UE
|
||||
CgwES29uZzENMAsGA1UECwwES29uZzEbMBkGA1UEAwwSd3d3LnN1YmNhLmtvbmcu
|
||||
Y29tFw0yMzA2MDYwNzI3MDBaFw0zMzA2MDMwNzI3MDBaMBUwEwICIAEXDTIzMDYw
|
||||
NjA3MjcwMFqgMDAuMB8GA1UdIwQYMBaAFC8MH19JRurEt8xm/9IGkZIvDBurMAsG
|
||||
A1UdFAQEAgIgADANBgkqhkiG9w0BAQsFAAOCAgEAGX+Tvt+BDU6YUSVc7/bi7OBA
|
||||
KPEQvl/SXu06n3JmjyCRIWUPkB/QruqNHPpxImpvDzoqp/ScfKjB7jNaVqppdkcr
|
||||
yrCN11U26WPgtW6auHsWPOqVm94625+vecL9U+8R5WvjN2Hn8Kkn7EXefwskYleo
|
||||
tGDHeQMRuR3EHzaHu6Bbqn/UfYuTEEC2ZMg/LwGYaG8MBCg79ayAzsBeR4VPSszK
|
||||
CnKHa1CVgfggWQnNcIvkbBFpUAd6OWm6w+YUSA9hxAaEFqYlrOA4UHf/APE7Rnw3
|
||||
xokDissm9yqfVVi0fiVe/HXt6RE5FOayOgjKOfAAj10TogTC9bK0Q05t8Ud1OpEY
|
||||
7YtFHtlBYuHWrmqm0FZBYwhxaFzDRcCRe45HuS6wCmMwb1Btr354kEOj/nSuq2Wq
|
||||
e248ZrTPNf/IXOGthB7FsL+bTOtrHl4l+tniZb+0i3FeeYUHoX+IRhPzWGHXYK9D
|
||||
PDn1QsggNvkXIMpdut8ifDwPXYFoXf5ZW8IAuC7G3zYrwsPFoQALheK4yyqHVaYb
|
||||
WMzuHmeVpxLxVv7zoJtpGPr8X2c2Yn25QtcGpqxcXxesL5g2+pJ2Uu3D7niVp3tM
|
||||
bqP3Nj88eJk1mFVOdRWwSICmp6ReJwTtAYacU5vTUjPdQNOOtht29YmbwyoemMvJ
|
||||
w9wdUeL9yrb5a98bNtI=
|
||||
-----END X509 CRL-----
|
|
@ -1,66 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# run this script in t/fixtures/crl
|
||||
#
|
||||
# root ca
|
||||
mkdir -p rootca/newcerts
|
||||
touch rootca/index.txt
|
||||
echo 1000 > rootca/serial
|
||||
|
||||
# root ca key
|
||||
openssl genrsa -out rootca.key.pem 4096
|
||||
chmod 400 rootca.key.pem
|
||||
|
||||
# root ca cert
|
||||
openssl req -config rootca.cnf -key rootca.key.pem \
|
||||
-new -x509 -days 3650 -sha256 -extensions v3_ca \
|
||||
-out rootca.cert.pem \
|
||||
-subj "/C=US/ST=CA/L=SF/O=Kong/OU=Kong/CN=www.rootca.kong.com"
|
||||
|
||||
|
||||
# sub ca
|
||||
mkdir -p subca/newcerts
|
||||
touch subca/index.txt
|
||||
echo 2000 > subca/serial
|
||||
echo 2000 > subca/crlnumber
|
||||
|
||||
# sub ca key
|
||||
openssl genrsa -out subca.key.pem 4096
|
||||
chmod 400 subca.key.pem
|
||||
|
||||
# sub ca csr
|
||||
openssl req -config subca.cnf -new -sha256 \
|
||||
-key subca.key.pem -out subca.csr.pem \
|
||||
-subj "/C=US/ST=CA/L=SF/O=Kong/OU=Kong/CN=www.subca.kong.com"
|
||||
|
||||
# sub ca cert
|
||||
echo -e "y\ny\n" | openssl ca -config rootca.cnf -extensions v3_sub_ca \
|
||||
-days 3650 -notext -md sha256 \
|
||||
-in subca.csr.pem -out subca.cert.pem
|
||||
|
||||
# ca chain
|
||||
#cat ca/sub/subca.cert.pem ca/root/root.cert.pem > chain.pem
|
||||
|
||||
# leaf certs
|
||||
for name in valid revoked
|
||||
do
|
||||
openssl genrsa -out $name.key.pem 2048
|
||||
chmod 400 $name.key.pem
|
||||
|
||||
openssl req -config subca.cnf -key subca.key.pem \
|
||||
-new -sha256 -out $name.csr.pem \
|
||||
-subj "/C=US/ST=CA/L=SF/O=Kong/OU=Kong/CN=www.$name.kong.com"
|
||||
|
||||
echo -e "y\ny\n" | openssl ca -config subca.cnf -extensions usr_cert \
|
||||
-days 3650 -notext -md sha256 \
|
||||
-in $name.csr.pem -out $name.cert.pem
|
||||
done
|
||||
|
||||
# revoke cert
|
||||
openssl ca -config subca.cnf -revoke revoked.cert.pem
|
||||
|
||||
# generate crl file
|
||||
openssl ca -config subca.cnf -gencrl -out crl.pem -crldays 3650
|
||||
|
||||
# remove unused files
|
||||
rm -rf rootca subca *.csr.pem
|
|
@ -1,36 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIGUzCCBDugAwIBAgICIAEwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UECAwCQ0Ex
|
||||
DTALBgNVBAoMBEtvbmcxDTALBgNVBAsMBEtvbmcxGzAZBgNVBAMMEnd3dy5zdWJj
|
||||
YS5rb25nLmNvbTAeFw0yMzA2MDYwNzI3MDBaFw0zMzA2MDMwNzI3MDBaMGQxCzAJ
|
||||
BgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBEtv
|
||||
bmcxDTALBgNVBAsMBEtvbmcxHTAbBgNVBAMMFHd3dy5yZXZva2VkLmtvbmcuY29t
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzE3ishAB+ODlQRlnbYTu
|
||||
vYkKBMJ+UqCCNIrAUxu6IMJWuK8hxt+KSP0RgB7LNpE/FshUuZP16dZq8A5Hah2u
|
||||
/r7yXEv6kmNUfAQAm3NSFT8WBgjcs3m4TTqstLhPL3sRnVECkUGEq5PHfQxR3Du/
|
||||
FqwYiGH6oOZXusFZzuHx0R/+GKkfkq9qomwIpZzMSIGblfS00CpWAvBYclTeJmfy
|
||||
nDKiDcirvG5su55lwqsqkn2Agm8y7OqQsCcaUFvnMHqxeVzk3bqXjWldfo7dviZH
|
||||
NW17XO5ruUJLseRZE3bCMBePQjQpY6il7K8Cq9gJ0dt3TbR9WSVNS+EUuCB3c9rt
|
||||
UT+qlBrNWCmMz3ZLfXDYjqiHy6jokT8K4Bo2pjoiZ7IlUZQ637xb7TOH5uIcOYsG
|
||||
R6Av843lt0Tv1grgaWbR/kNSOIGREO0SQakw6khpVasTNGqSoBLyFb6+Szw7EAcZ
|
||||
PCBh9ZOz+xXdBcGlCsmEnAwG9BSFBG4ygUdO3OyvZeSGD9BwNZFzqAi/dKJJW5Xn
|
||||
1GHJQUejrrn1GiDl+NaIkprm2SXTOZ622riDb4zYmNXwkC+9pJzV14IN9XZS8MWd
|
||||
ydUeMraa2K5AD5hKHwyPjCLoLvvPk/V50iMOWLIVk+RCk/mBj++gthSgqQexyknE
|
||||
cCTBWS2hiyBimMm8wtJOH/ECAwEAAaOCASkwggElMAkGA1UdEwQCMAAwEQYJYIZI
|
||||
AYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBD
|
||||
bGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFC8MH19JRurEt8xm/9IGkZIvDBur
|
||||
MB8GA1UdIwQYMBaAFC8MH19JRurEt8xm/9IGkZIvDBurMA4GA1UdDwEB/wQEAwIF
|
||||
4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwMgYIKwYBBQUHAQEEJjAk
|
||||
MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcHNlcnZlcjoyNTYwMC0GA1UdHwQmMCQw
|
||||
IqAgoB6GHGh0dHA6Ly9vY3Nwc2VydmVyOjgwL2NybC5wZW0wDQYJKoZIhvcNAQEL
|
||||
BQADggIBALCjaiw5E2MSjCOWHbaJpIeTmspFLceWcFn+Vsee6IDsGfLc4X4bo2lc
|
||||
rTxJKjcaKHCaKBhlGYTGcAOn9aQksFxqPOnCarWhWBu7d/rtwpmS8Az6LLl6kPiq
|
||||
hwNR9ZXEUZubZrigbAEKOvulpCdGzS2K5r+jsyduVfUYNLgK0QQibv5gP77WLEAM
|
||||
UeJFXzvhYOdyd2gCegllfLdkIlt+D/4ZnMmyVYpkAPbYPTh7E1+iM0nzXrpJ68Tg
|
||||
nwQftjsHOGnNWg1EUt6dAGzrXlPaS5LCX5BDFGIZSIWEi0/qtySbroIwSeFiowca
|
||||
TwebLnONPe4cQUmga3OJg9tI6y3NRpChUPkpftmXxwQE1UT2GjecQFnSbkFsFhwv
|
||||
ezJjZ5iOSdpglptxPO7J8HOt32aEX0Y+qR0/QmMYYR3NdVE2aSKjaMl+8R6aIA5a
|
||||
akpIibDNFdOD2FU8eMCQgd+gIdne8YOpUGWIy8X+grw44DSpU7lIPmHHLQEvFiG+
|
||||
MrI34iCg9k9pX5D+/PnMMLMuy92VBwHVNlWe+JSVThGEPQOh7N/Bn1S4Mzv1HLUM
|
||||
kZrM6tTNieaoEUoArmWpwVcyNUgMO9TunNfDTOsDb144j9cK+AFdUFCKwmZyxPsR
|
||||
gSlWtXlcHLLMFjf5q+4jkkvZ4AVzq8NpovDKMIygjYx+BGOdqIuw
|
||||
-----END CERTIFICATE-----
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpQIBAAKCAQEA9Ieaw7RFz9+I8WTKFS8QYzIkduMdh0bYWkDn0M51t74U1YtC
|
||||
NDXaaFRRe7F/SvvP4vsJXTEJWdz6+RjwAtkZwXLUjjIGsHU+sLdlHGAwpnWz12gU
|
||||
p+Y+LBNWbkbvmcUV7BfVTzOzbaZi5fNA3AzUUXBvLPOYj8qFpGeU8ZSGEZiS9wAh
|
||||
yulFPnl8AxYKFqiuTWTIYLa2v/KT395QIcTqcQNpllRmvzQcBX14wTAqrukC3bfA
|
||||
lS/pGu1XE/utx/PkJAgHaxo3oHbirTp9aPGRce/dgUH4/NopuyEQvcaykLC+V75P
|
||||
JyUuPP7DD8UgXs8amBVibL4hbjlIQOLAqonBFQIDAQABAoIBAQDxioF1jzzmeQfs
|
||||
aoKzKiol0gHy7aTdWz2a6UITH91oAnrR9R0QNaHoLGHQrSPwDYzryM0XILj76yx9
|
||||
ogRyy8CFNciALSouY6HpLT7TKLDlvJ5IyKaesu/22aMmiyth2Swuadxqv8cdKJ3I
|
||||
RuBqfMG9MDKhVH3+iy43l5moh+1mskEddAIYEMMcb3HW4CQqb7FDi1EIqJcZNxlY
|
||||
V7o6t0VLUTgiauWTvXisv33Ozga/3vh4PzBvVpSCgn8AE3n+j06pp/wYsuYqeWU4
|
||||
eHreCN9Qh4NL2A9nN197mK98/JrujB0yuBJ/VCJfUKO5uydkgHzLnGsAYachppMe
|
||||
heGQkU6BAoGBAP5u6WXDgnhtA4ZyuvRxF+r8FzFDOKNw6E/QH55g8d/z2zQwrcQb
|
||||
o5BDFLxXeXKlIshy3aphxX8Y1LkFjm9d8+JRJG6ffRbXuKsC+K6CMmaW1vOQ180p
|
||||
Y/OPp0GLgpxA9fimo+EYhpWbdQlDTZUzfzBp1hu8UkP0VZu4XFSml0fPAoGBAPYJ
|
||||
FLYo/Oa1Kv0BSgVH2AZPax7Rl0I/7NWG4e1IaT/hawKzlypM3pMvZSana7gcGccr
|
||||
fGjG8GjliFm2R03H/GldfhXRoO3MCPF9FvWpW5ZRhCU2SSlsrj6SxG1KpCqkG2ft
|
||||
QSHI3f0H1mZdXXiRh3Z4jkb0c87IrCpMcasSjT3bAoGAY/75MeqV83h8wzGCMqHk
|
||||
EZGEF/NgZjPwybV1R8y4Ixl3FFrxYDqwnPkQRDlo3Nr0Aa3LWrRUZ3A94n3Bjhlx
|
||||
yYe0dtmt0vVzeZqQXB2Fa3ZrAozxk4tp4gaaaJNJANozEceEbuoxssjHRZ2y9ymn
|
||||
GkLuSDZKarSzlKDvgMF8gVcCgYEA3n1NxoEAWp1gd5Uv2+ChQOuWwjLk5xspz9p+
|
||||
+nXt/7+YZsQDIlSLPmywuyjRZ5e50/vGMHYet61CBWapynPcFWhfedms/v3w5Hir
|
||||
R5JUaXXj20bhGF3YoGtWyEKkfI8U3YGW0bd0z7nDr6Qkv8BS0NaqSw4Kn+emkUW5
|
||||
0Osg4NsCgYEAxOhcGIseH8e0K7YSsB8sRSOK01p0wTRpMhQ8GVsf4S4Za292B2Wl
|
||||
f2ZIFEj9IrTEwp14s2lOeeSpSMHYndWfHOTua0DSaKP6j0Dl2G3VlbZJsprDqRWX
|
||||
qA0vZ1ZucVFBe3GWtCaO7uQprQbk0NcerqmEdexY2vzGvUNuoQszuRo=
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,33 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFtzCCA5+gAwIBAgIUJWxAqd4rg8B4IoNzVf3VFL0LoKYwDQYJKoZIhvcNAQEL
|
||||
BQAwYzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsG
|
||||
A1UECgwES29uZzENMAsGA1UECwwES29uZzEcMBoGA1UEAwwTd3d3LnJvb3RjYS5r
|
||||
b25nLmNvbTAeFw0yMzA2MDYwNzI2NTlaFw0zMzA2MDMwNzI2NTlaMGMxCzAJBgNV
|
||||
BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBEtvbmcx
|
||||
DTALBgNVBAsMBEtvbmcxHDAaBgNVBAMME3d3dy5yb290Y2Eua29uZy5jb20wggIi
|
||||
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDiCaoWZZdKx0TuKjPCxl91Z5dL
|
||||
S2/5YQpB/96SUc+mXClJvDeE9VOlEdIhLM1+yjsWaSbG5GiiY6+jiVql2GNIJ1U1
|
||||
hr6fR6dWM1J13/Cb1WO/9IGsULn4vwBYnxNOK54wxvKSMfp2lmhf6iNPNy9lxiAd
|
||||
7L7M2nwF0MSl8aYoIg+ULrGJ/kXy/EF6g+1JDrzlgbBsrJso2VQc7h59sFrijpDv
|
||||
3iFaJA5UvYd/s2Y4CAzESN06JgOXDaN+eEk53DBcskcK8+9DdNXcKLuKFXfUL25u
|
||||
als8z0oBfP8aDVBHTZQ2Eh3iSuU3iigpJH6zK8uxQLEqMf43j5XpiG7J485PXPQo
|
||||
jUAgg/YJJDLnBpkSem/f9mWDZ1WsA+cbPUAogwiUOsmdG2joIobXNdY2LgGkA6Xz
|
||||
J9ALdz1I5gvl7waw+cHEKPcX1nGnC1loCLyNri4bTxaAKwSJY8jc9fJcowpBiJy4
|
||||
xOA+0b/2bBY4vdjiRxyq1qADEvsL2/Z4MN+0ecquEYm5LLsmXenCvU7Ecgy3HcZM
|
||||
AHV8m5oI6WJshxmsZ5SJ8EnFrsjWiYqTPtmn3W3c1Hi6la5R0oDieguXcSUNtDCg
|
||||
APmnPXlJYcx0osDL3pyioK+4AMUu1yLrX6r7+Gdg9ghXtwpHrUDeVY3/qv1HOJWi
|
||||
yiT5bztF2gYy2RksjwIDAQABo2MwYTAdBgNVHQ4EFgQUxVbJgvLbara0rOyfJEDc
|
||||
LupTakYwHwYDVR0jBBgwFoAUxVbJgvLbara0rOyfJEDcLupTakYwDwYDVR0TAQH/
|
||||
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAAUNP6BV
|
||||
tpHi38vQ7g/eombH4Q0pk6dAAQ3yf1Ve7bfPXNhHqwg2Dpeefv7+gBi86Ut4WgqU
|
||||
elnblSR/QjB8gkh+fT5dUfRq8kqwaZcXlrsB8FdAr0c/GOxeqARzVWiK6pxjrNRU
|
||||
w+nAUU99Kke54rqrdX0kEQ+CIR69jVGYzqPN00icAj48DrC/Stsih2im7OQtpcmY
|
||||
GiuTsK9XmRbJMqf+hcHyjQxWMkQ+3v3bz9rB2DPpoBVncF94ZIdTGQnzArc64gat
|
||||
2AYHpPRn500d5QAoGxjWLHYQdcXJ/Q8mYa7o+YliwyfCX5dA34jTyttLzRiggljF
|
||||
aqna3MJ1fE4ukj6RInihbxPBxNCH9reKougTYSsTGiqoff4j87K46y7xe/RfmKUw
|
||||
+/7P/5d3COUda56Csy+gDHPK4WR//rhNpqde5Tz9TSrXYHU0HUHwfDVRc3NNrROr
|
||||
trVC6sC1VqXvk6zBz6RNDuSC+4Io7Hp51vU/Bg0fcdAFNYLpKrZm+pWrCLR1lGxr
|
||||
OPQUuvmBX1+XsmRgpMZtYHLTxYf8QuxwqRX6iPgD4Bt90EASo53auDzxh3lL09lB
|
||||
eEpQRvwLpq+VoF8uj2xAHHQM25D50nWDxTbE/gGXs/hMaKBQend/vfU1Abj86kij
|
||||
NehSHV5LPjYikoZm1oig/DEFjAPWQpgPVowG
|
||||
-----END CERTIFICATE-----
|
|
@ -1,91 +0,0 @@
|
|||
# OpenSSL root CA configuration file.
|
||||
# Copy to `/root/ca/openssl.cnf`.
|
||||
|
||||
[ ca ]
|
||||
# `man ca`
|
||||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
# Directory and file locations.
|
||||
dir = ./rootca
|
||||
new_certs_dir = $dir/newcerts
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial
|
||||
RANDFILE = $dir/.rand
|
||||
|
||||
# The root key and root certificate.
|
||||
private_key = rootca.key.pem
|
||||
certificate = rootca.cert.pem
|
||||
|
||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||
default_md = sha256
|
||||
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
default_days = 365
|
||||
preserve = no
|
||||
policy = policy_strict
|
||||
|
||||
[ policy_strict ]
|
||||
# The root CA should only sign intermediate certificates that match.
|
||||
# See the POLICY FORMAT section of `man subName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
[ policy_loose ]
|
||||
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||||
# See the POLICY FORMAT section of the `ca` man page.
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
[ req ]
|
||||
# Options for the `req` tool (`man req`).
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
string_mask = utf8only
|
||||
|
||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||
default_md = sha256
|
||||
|
||||
# Extension to add when the -x509 option is used.
|
||||
x509_extensions = v3_ca
|
||||
|
||||
[ req_distinguished_name ]
|
||||
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
|
||||
countryName = Country Name (2 letter code)
|
||||
stateOrProvinceName = State or Province Name
|
||||
localityName = Locality Name
|
||||
0.organizationName = Organization Name
|
||||
organizationalUnitName = Organizational Unit Name
|
||||
commonName = Common Name
|
||||
emailAddress = Email Address
|
||||
|
||||
# Optionally, specify some defaults.
|
||||
countryName_default = GB
|
||||
stateOrProvinceName_default = England
|
||||
localityName_default =
|
||||
0.organizationName_default = Alice Ltd
|
||||
organizationalUnitName_default =
|
||||
emailAddress_default =
|
||||
|
||||
[ v3_ca ]
|
||||
# Extensions for a typical CA (`man x509v3_config`).
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
|
||||
[ v3_sub_ca ]
|
||||
# Extensions for a typical intermediate CA (`man x509v3_config`).
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true, pathlen:0
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
|
@ -1,51 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIJKQIBAAKCAgEA4gmqFmWXSsdE7iozwsZfdWeXS0tv+WEKQf/eklHPplwpSbw3
|
||||
hPVTpRHSISzNfso7FmkmxuRoomOvo4lapdhjSCdVNYa+n0enVjNSdd/wm9Vjv/SB
|
||||
rFC5+L8AWJ8TTiueMMbykjH6dpZoX+ojTzcvZcYgHey+zNp8BdDEpfGmKCIPlC6x
|
||||
if5F8vxBeoPtSQ685YGwbKybKNlUHO4efbBa4o6Q794hWiQOVL2Hf7NmOAgMxEjd
|
||||
OiYDlw2jfnhJOdwwXLJHCvPvQ3TV3Ci7ihV31C9ubmpbPM9KAXz/Gg1QR02UNhId
|
||||
4krlN4ooKSR+syvLsUCxKjH+N4+V6YhuyePOT1z0KI1AIIP2CSQy5waZEnpv3/Zl
|
||||
g2dVrAPnGz1AKIMIlDrJnRto6CKG1zXWNi4BpAOl8yfQC3c9SOYL5e8GsPnBxCj3
|
||||
F9ZxpwtZaAi8ja4uG08WgCsEiWPI3PXyXKMKQYicuMTgPtG/9mwWOL3Y4kccqtag
|
||||
AxL7C9v2eDDftHnKrhGJuSy7Jl3pwr1OxHIMtx3GTAB1fJuaCOlibIcZrGeUifBJ
|
||||
xa7I1omKkz7Zp91t3NR4upWuUdKA4noLl3ElDbQwoAD5pz15SWHMdKLAy96coqCv
|
||||
uADFLtci61+q+/hnYPYIV7cKR61A3lWN/6r9RziVosok+W87RdoGMtkZLI8CAwEA
|
||||
AQKCAgAlZcnxWK+WXK/H482ajS2gBBqhB4MoNGj5EHdnqAd+E8N1AqIA6oIDTpaA
|
||||
jKQXNShfhdg3kfTJ4Upe+Uu5IrsSZgeQCpIhUj6aYXVkMT/i2IRfbvnBY73RLPDG
|
||||
uNL93POYSGI70+8Hjc0JCXj8EzpRUV1g9hl/VSqt36OZfQirnS8MqkkPdrVmBVxk
|
||||
A83Ph5OzOSjSYiBtur9S5ga/bt0qnMHYHd1Qx6RjWtQ/SZRA8vwBwbhwdXekl0oU
|
||||
k5wx6X9K5uggJMnSVFNJ0KduqiygO5S+yfP8dKNe6apfShKdKXW7GHY/SXrxHHeW
|
||||
jwYzaKyT0As/2vOfh68a60rBNmKcqShOh4hwIfhldLQDoHXOEhtuuq+e5+ZxyyY4
|
||||
IlLCCeUFlZu01YLyj3PsSWLoWYnHCe4AUr9JYT/odxyr03qSUZAYoNzKUsq8jJsA
|
||||
x3W6vdob1eXQ6AmTjxrGgPZ77Sz+7T9Tw0Nb4LclSf6pxMJY1cJLqNSSc1OxOIj3
|
||||
mSEvfAmh9A+NGtHuBjX5NTyUnyhiq5XdMqDzIydlBikmfVhRqrIrJbF7gTpg5Wv6
|
||||
OYhNo7zj5zWwW1q7THt3WQUUzskf/1IIU1KNaGYvL0gffsAsJ59Ta1Wl1RTSPGxg
|
||||
HbBMtuK39UIDmlgIMqH/rCEMtnDRL7XBZsAcQwtKXqAAl7NYUQKCAQEA/G591fHR
|
||||
kfakT4quSUxcWNDxtFd+KFopYUDHhWeytxfcuSfJTy/YtDDnR/1OEmhbqudEdb17
|
||||
FmZJ9F7HOVIbKXaTjFCPwRbmjVF5hke3A2u3auJrIpJ+83Cq4jpstLRONXcg2Wrd
|
||||
BcJnFu0QWvPKFRaVfYxIwfTfkVvFXibosj9+6jU0jnWIqSwV3Gas6JMetzqknSNa
|
||||
SlsMa5laE8eKD0h97weuNBWH5JYbWSJ0HOf9thVv3OsmchceoM9G3NKISXLgq7r3
|
||||
TVCKxNUON/8xGd7oBWoCoVhFFl8EO3+YVdkp5eiHL1Ty6cq9nLpbmOUQwUnDm8Ic
|
||||
cDQ1PqrMASjcNwKCAQEA5TuoZ/RW9oSpG4vDn8b/RrkwRJiqko1y99VNu2nE8c8P
|
||||
yrKCSrqU1wiG8/sxtlt7fgABJYh9zvLcr5bnmehLlOHEn0Lk7TdyhmY+TKlXfc9b
|
||||
+2V6cKvAnmw508KWe1u7gXaNBZFnRcTNVBNrNyS1aO/VSreGeNOipDjnbFr04PHp
|
||||
BDXqfD/h70sERtWuAgCZgssxU+x/83SrqYe0furvlW0szVNYgdtetCOT+xfzXg7X
|
||||
BKm0zJGe8Oj6Zizm1azzkb5kqdFVX1jM1rtpv7xFYIe7iQtFQbWBZG/W8YpcjDXl
|
||||
FzU1T70D3GmJYXo2CbNcZPP4YmjuQFGpaS15yRb2aQKCAQEAlmwNJklEVdOAlDmS
|
||||
o/ER8ocIESw17DvV/rMIchGaKIrap6byyfI8Exw1Jevm8wcm4M+RNwwjZfSsSyeT
|
||||
Vi/8KZgUUn/LOge4eSu82+yuPSaaFOI5b0+WwOA5pDemgYQUOr3zYDvS21S986Zu
|
||||
oZQ2rpxXlona7WFLPCZQlUtgTJ+TtGLiH6YgOpcfq8evb6QDoLIcV9syOa7J1vB6
|
||||
AeFc/sB28tJD15ug7/EW+OWUBYmk4TUjBKVHsqLeSHtbwcjfF82R3iO6rGK7XpGL
|
||||
OIkkLENtRZSnXpfoC22xavccwsN2uR74N5dKbVC37sYKQTD27AdVveJM6fviYqaK
|
||||
jIJZvwKCAQAKMGGm5TxsTq85kzfJxU2ZdifIFMUYKINgsrF20Be568s25kJWUf7F
|
||||
pBJji9nE0kIl8pgac/urlC3s/BclRyb84iAcOBv2000a3jaMr8Y8yFe9T+BmW6v/
|
||||
Hq5fVDneF9C4y20vPyxI9JtvzkEovU/27xoa7RdkDXwgMotOzKgvy3DhCAh5J1nC
|
||||
iiIRh/PpEN/B6Ygyw8NYLepnaanDLmwhxy2Dnt3DP93wwdgVBBaEKsKx6V0o7pwS
|
||||
9zgSDJLiEoLtCnps9eoGh+rq7H+hzxuCU+YpDEAy0H+E2FfEerLsZITfSDUraypd
|
||||
xK8fjxAR1FAaCKIUtbdJUpfmHehY4NVpAoIBAQC7/u73K5AbaI89PYy/CWINPPQg
|
||||
HTtnFTR1CEmCYpvRvKFBv5PJ/untuz46y/LlW/rBS3CcNiu9gAGY8O8+pvuZ1YK6
|
||||
pXzYSg5uSvfeHVNvnv2Xh8P+K+vP9o8VrwMhrerLGa6kNRFvSVBHL6q1DaewXnWz
|
||||
SGrTnDLYmDeb5DWUVsigDor805/C0q+salX2zJED0w9PVA5sOcRAcKDVrfgH+KiI
|
||||
/phxW+xwlR0nDXOf1pAcw6huagTfp8eK/P7EdV/gmISiSDTyxztJrc7FNNd3N0Xv
|
||||
c7xRxqQzTFDytUYvewnDazbjpDJhLtTH7dYLI2u8a9HhoYPS5ykal4mcXA7Z
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,32 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFjTCCA3WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMx
|
||||
CzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsGA1UECgwES29uZzENMAsGA1UE
|
||||
CwwES29uZzEcMBoGA1UEAwwTd3d3LnJvb3RjYS5rb25nLmNvbTAeFw0yMzA2MDYw
|
||||
NzI2NTlaFw0zMzA2MDMwNzI2NTlaMEgxCzAJBgNVBAgMAkNBMQ0wCwYDVQQKDARL
|
||||
b25nMQ0wCwYDVQQLDARLb25nMRswGQYDVQQDDBJ3d3cuc3ViY2Eua29uZy5jb20w
|
||||
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMTeKyEAH44OVBGWdthO69
|
||||
iQoEwn5SoII0isBTG7ogwla4ryHG34pI/RGAHss2kT8WyFS5k/Xp1mrwDkdqHa7+
|
||||
vvJcS/qSY1R8BACbc1IVPxYGCNyzebhNOqy0uE8vexGdUQKRQYSrk8d9DFHcO78W
|
||||
rBiIYfqg5le6wVnO4fHRH/4YqR+Sr2qibAilnMxIgZuV9LTQKlYC8FhyVN4mZ/Kc
|
||||
MqINyKu8bmy7nmXCqyqSfYCCbzLs6pCwJxpQW+cwerF5XOTdupeNaV1+jt2+Jkc1
|
||||
bXtc7mu5Qkux5FkTdsIwF49CNCljqKXsrwKr2AnR23dNtH1ZJU1L4RS4IHdz2u1R
|
||||
P6qUGs1YKYzPdkt9cNiOqIfLqOiRPwrgGjamOiJnsiVRlDrfvFvtM4fm4hw5iwZH
|
||||
oC/zjeW3RO/WCuBpZtH+Q1I4gZEQ7RJBqTDqSGlVqxM0apKgEvIVvr5LPDsQBxk8
|
||||
IGH1k7P7Fd0FwaUKyYScDAb0FIUEbjKBR07c7K9l5IYP0HA1kXOoCL90oklblefU
|
||||
YclBR6OuufUaIOX41oiSmubZJdM5nrbauINvjNiY1fCQL72knNXXgg31dlLwxZ3J
|
||||
1R4ytprYrkAPmEofDI+MIugu+8+T9XnSIw5YshWT5EKT+YGP76C2FKCpB7HKScRw
|
||||
JMFZLaGLIGKYybzC0k4f8QIDAQABo2YwZDAdBgNVHQ4EFgQULwwfX0lG6sS3zGb/
|
||||
0gaRki8MG6swHwYDVR0jBBgwFoAUxVbJgvLbara0rOyfJEDcLupTakYwEgYDVR0T
|
||||
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIB
|
||||
AEvdAabcAEPf/TymeslC/zpvclfoED9hiqx/VEaL5Hq5xQdCKUMebgqOSIXPaLTZ
|
||||
VuL+wjcsOdwEH79jSWPtn7zUfEX18qQfcG/WJCaKkKbnr9inbbJp4YEKvyHmV42D
|
||||
UKLxXwLu95NDhZN/J6xh0IrbDsu8gzjiWZKP86PUKZbH7AnLyKwFy3zAJNl4QbwY
|
||||
WtzHb8x3gm6+63QzkJfY3GD19VUqtDDRM4XoEjgnq5hoPEx1mvOg2AHOqlMLQuGG
|
||||
5sMv+sqIf4yOPlm2EeyArFnBf7DJghxqfzxMR5dsp5nzXh6OJHawTt9F3d30MBmC
|
||||
6Q1v+zozfuJ/DSpEbAS0Vg7H7WZbEEDCX5c+Qe+ot6j8p/fVjWZMNrTvn5bQo6gf
|
||||
vrif3KfXd7Ja1dI89jsQHw9ugRk1vPmJVAOKoV+I2lNP2gEUNmmw0A0Q01rQYrXT
|
||||
t5WdMwVgbU/lnF2m3+TRlicWSlORhzJ2BbVklPE1v9D0gogcc7AQNtIYKgdWHlot
|
||||
QFEOewr7ijkEhaTvNHdTBQif3ltLW+rgc9Ts/zrp6NVh1rXt5PNsaUks8pvKF0al
|
||||
ewgHt6+9otWaYb7iF8hAe2lVS8xDo3DAQ1oGBJucnhJ2pXxTza+qG3TqCKlAwFr9
|
||||
AGECqlNMaBDdFjX2cWZuUlYlunKlgpridZPvTp3MffhR
|
||||
-----END CERTIFICATE-----
|
|
@ -1,110 +0,0 @@
|
|||
# OpenSSL intermediate CA configuration file.
|
||||
# Copy to `/root/ca/intermediate/openssl.cnf`.
|
||||
|
||||
[ ca ]
|
||||
# `man ca`
|
||||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
# Directory and file locations.
|
||||
dir = ./subca
|
||||
new_certs_dir = $dir/newcerts
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial
|
||||
RANDFILE = $dir/.rand
|
||||
|
||||
# The root key and root certificate.
|
||||
private_key = subca.key.pem
|
||||
certificate = subca.cert.pem
|
||||
|
||||
# For certificate revocation lists.
|
||||
crlnumber = $dir/crlnumber
|
||||
crl = $dir/intermediate.crl.pem
|
||||
crl_extensions = crl_ext
|
||||
default_crl_days = 30
|
||||
|
||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||
default_md = sha256
|
||||
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
default_days = 365
|
||||
preserve = no
|
||||
policy = policy_loose
|
||||
|
||||
[ policy_strict ]
|
||||
# The root CA should only sign intermediate certificates that match.
|
||||
# See the POLICY FORMAT section of `man ca`.
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
[ policy_loose ]
|
||||
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||||
# See the POLICY FORMAT section of the `ca` man page.
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
[ req ]
|
||||
# Options for the `req` tool (`man req`).
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
string_mask = utf8only
|
||||
|
||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||
default_md = sha256
|
||||
|
||||
# Extension to add when the -x509 option is used.
|
||||
x509_extensions = v3_ca
|
||||
|
||||
[ req_distinguished_name ]
|
||||
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
|
||||
countryName = Country Name (2 letter code)
|
||||
stateOrProvinceName = State or Province Name
|
||||
localityName = Locality Name
|
||||
0.organizationName = Organization Name
|
||||
organizationalUnitName = Organizational Unit Name
|
||||
commonName = Common Name
|
||||
emailAddress = Email Address
|
||||
|
||||
# Optionally, specify some defaults.
|
||||
countryName_default = GB
|
||||
stateOrProvinceName_default = England
|
||||
localityName_default =
|
||||
0.organizationName_default = Alice Ltd
|
||||
organizationalUnitName_default =
|
||||
emailAddress_default =
|
||||
|
||||
[ v3_ca ]
|
||||
# Extensions for a typical CA (`man x509v3_config`).
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
|
||||
[ usr_cert ]
|
||||
# Extensions for client certificates (`man x509v3_config`).
|
||||
basicConstraints = CA:FALSE
|
||||
nsCertType = client, email
|
||||
nsComment = "OpenSSL Generated Client Certificate"
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer
|
||||
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = clientAuth, emailProtection
|
||||
authorityInfoAccess = OCSP;URI:http://ocspserver:2560
|
||||
crlDistributionPoints = @crl_info
|
||||
|
||||
[ crl_ext ]
|
||||
# Extension for CRLs (`man x509v3_config`).
|
||||
authorityKeyIdentifier=keyid:always
|
||||
|
||||
[ crl_info ]
|
||||
URI.0 = http://ocspserver:80/crl.pem
|
|
@ -1,51 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIJKAIBAAKCAgEAzE3ishAB+ODlQRlnbYTuvYkKBMJ+UqCCNIrAUxu6IMJWuK8h
|
||||
xt+KSP0RgB7LNpE/FshUuZP16dZq8A5Hah2u/r7yXEv6kmNUfAQAm3NSFT8WBgjc
|
||||
s3m4TTqstLhPL3sRnVECkUGEq5PHfQxR3Du/FqwYiGH6oOZXusFZzuHx0R/+GKkf
|
||||
kq9qomwIpZzMSIGblfS00CpWAvBYclTeJmfynDKiDcirvG5su55lwqsqkn2Agm8y
|
||||
7OqQsCcaUFvnMHqxeVzk3bqXjWldfo7dviZHNW17XO5ruUJLseRZE3bCMBePQjQp
|
||||
Y6il7K8Cq9gJ0dt3TbR9WSVNS+EUuCB3c9rtUT+qlBrNWCmMz3ZLfXDYjqiHy6jo
|
||||
kT8K4Bo2pjoiZ7IlUZQ637xb7TOH5uIcOYsGR6Av843lt0Tv1grgaWbR/kNSOIGR
|
||||
EO0SQakw6khpVasTNGqSoBLyFb6+Szw7EAcZPCBh9ZOz+xXdBcGlCsmEnAwG9BSF
|
||||
BG4ygUdO3OyvZeSGD9BwNZFzqAi/dKJJW5Xn1GHJQUejrrn1GiDl+NaIkprm2SXT
|
||||
OZ622riDb4zYmNXwkC+9pJzV14IN9XZS8MWdydUeMraa2K5AD5hKHwyPjCLoLvvP
|
||||
k/V50iMOWLIVk+RCk/mBj++gthSgqQexyknEcCTBWS2hiyBimMm8wtJOH/ECAwEA
|
||||
AQKCAgASEk2cHIhgIFyG/p1Edb68azPEqgOMgYAi76cFcu1q2mXbXjppofpUbHYw
|
||||
1Ah7oitnc37zD2BwN7Qr2cd9XnTNOcysV1gpvLmLYrs/BNtc38Ct9fi3s2uXATqn
|
||||
nan7dDJhrPnCKX53wtGhgQZ4qZxEgCKHZctKkjVuYo30G85NBjxup/8P9Y5EIbQ+
|
||||
GfmD7Fr7z7Jyu1vyVJouOs2PriAqqtvkxjxSpZ3elqs/pe5VGN7WKsnhZPo5aqwM
|
||||
MaToh+HM72ebKVcgfhJ0EGUS3cXstutzk+9ZasDRUnaCnz2cDWlxnLWQiCltHyno
|
||||
U2rC8lvCNtXjncYRkS5I/y4xxEq7faLfbIh2QnQq7NAxzadljEGZCQ/0PsASE14N
|
||||
sXCg+UAfebfE5rK2hJQt9WJmQfOq54pgyofbU4KGaPO34SiCOhKTd965x5ARKRly
|
||||
aicErNS1giwXnKRAdPRW6Nn8lwnkF9QDVimIL6zVhQ8J8aOnRnQptbwDmuoF75vV
|
||||
p/UzjxBoagLDJeuNkW84yEQgGTa198Ivg7SEnrUKKGtIiLXoGNGG1iEfW5rf4tQv
|
||||
L2ceMmquPw5ihtGw2YpCNRa9XMGn9BRlaz5iPGkeNEznKYBbDS8VcWzmIHnhTtz4
|
||||
ILFuUSRieJj1DF/1WRWPKMT5LyQjjcB1xfGD54lXASOCcnNdMQKCAQEA6ixCbx/k
|
||||
X9x7oso3o2PiWZuffmcTOgq+4EQDSk9FD4T1h6L85yuwvTKNbNe2t/FcmaCeu/4T
|
||||
hzssFsJlFc7++eh3H1weqEoW/aVGFjSAAu9L6Wa6vdf3UhPEWmvTsmL0UuCwzAo2
|
||||
exTiZExBVEF1tAQMlDnc6hpR7kyP0jThx6lE+AkkE9zG9NSJVRIan8HLoS+5N+TI
|
||||
ZXfLCzDmnL3581G5M+UzxYu8F9CMpnNvCNEv2/pJOnCNfa7ZTFxxiBM/RtyGEnPv
|
||||
wNLoCEcTut95lb5WPvBIt5Y8Tbm6veuSL7+QHhg9nA/f3ljSSmkJm+ExvU/uKKkv
|
||||
hc2zBS+4nHf2jQKCAQEA31jphYcV8y5YdsMW0nszMMxodeOD/ooB5aOhU0K2F+nE
|
||||
Ud7p1W0f1UrcD4yvf+4muMfBD+DBwRGJm1kzIeABP5Lu+2RYqi6LJ28L8o01OjUH
|
||||
Ea7i3wWrBfUIOHUg0U//kXEN7Kz58RIv6Tk2PYFJqu0JmQkpxXgFPAy2IH2g8CEL
|
||||
Npb5yk9RM9rsYlQpt81Oo1vIXUpjpfssT1yehljCIjvNgxaKeaNvobYcBKHFALUv
|
||||
O2cUUhc6PdHlH87ot/Q7E/W9cC74WUBZLkeEY9vxoLiAnVOLeqdnV+bVb0J4piDo
|
||||
K0eClFltX1qvShAYr8W2s+3LtrRbYXiRC9kPEdqX9QKCAQEAraXAZdMKcKN48xBt
|
||||
DbZF5Rjnvr4EnefV/0uv/OynU4jO4ZPVYj8dwk64XNvhXKmYdzuKOfGA3ajdWssw
|
||||
Vmm23e6qVxDikvzN660hOdoYixSUADHzjE+X0L9jvYFz7DZA4yxHLibsm3yzHJkH
|
||||
YMlh1Omjwk7eKKL32nPfuosIWhyFTkDJBgmTZ34rkG/qWklFDPPsryvyBnw8jsHm
|
||||
YJjnvqz9XyQ5reWexzIY+l1jGvC0QrVok/NemLKN5HgwoC1VoOBqc0iRozVCZtD+
|
||||
KncJHCeWoPlhkvHPKfvuJGOJderhnc9v8Eg9RA4tcoxNWdA2KCIbgv9ihCAy/keS
|
||||
6ER1CQKCAQATKNdvgvUZFWK1XWr5x2POzdowMsJB9ajQAEd4kwJ37q/Oria1DlVq
|
||||
wK88Dj+H4/AibdBcAlXcsBpz3yUJxOOWho5Ftof8oV2Cln4Z4o8sXRwsIiqIIz5W
|
||||
lnyMC1AzZH9yBJbDNNuEGKFPin7iq9Kb/RWTsTuKGw+n5RdClkRWFR+XIUBwYHmA
|
||||
z0jz7nBduhkC3n7Dsfv2YyOb80AOGlMdCLBKjIZ4hNKwtqSUqSPzOZfBqsgNerye
|
||||
TQEwx1kjXqoqvivwEbdwQJrl43Cx+E40EV/HH0GZ1f6BheXNU5Bx/+Sqwcmr3DgL
|
||||
tAXRfqv/eCCCMuYE2Ff2dpdKwuYODAh5AoIBAApRNA2CMbnnNSMaCeE26rdxRs+g
|
||||
p6qOW7P0jzJTFJQ6qxnfX70PmBetdlt+zdhvLV8xXe+TXsxeODlcimhARe6ekbwF
|
||||
AnCQ5KjFOb9MCYwg1K9U4+mRNNIlkbqXQRpbGllTDDznha6T32ntXG9+f92O50uS
|
||||
+nBU25CU85nkQAK357bjlzF898V7uveGDHNyYeHyE3IwhiqNPLFMpQt1czyd5TsP
|
||||
L2ZkotyELRVa8yU5iAhq2E2r9iaJc67A1C3MiV/HVr8UJtb+gJ70jneamavXB3OK
|
||||
ZVRUhtfIgtF32Japb2xgo1zfuKQrgHgyQmBn+8fj/siG1xl+ECaE6c/GJY4=
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,36 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIGUTCCBDmgAwIBAgICIAAwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UECAwCQ0Ex
|
||||
DTALBgNVBAoMBEtvbmcxDTALBgNVBAsMBEtvbmcxGzAZBgNVBAMMEnd3dy5zdWJj
|
||||
YS5rb25nLmNvbTAeFw0yMzA2MDYwNzI2NTlaFw0zMzA2MDMwNzI2NTlaMGIxCzAJ
|
||||
BgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBEtv
|
||||
bmcxDTALBgNVBAsMBEtvbmcxGzAZBgNVBAMMEnd3dy52YWxpZC5rb25nLmNvbTCC
|
||||
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxN4rIQAfjg5UEZZ22E7r2J
|
||||
CgTCflKggjSKwFMbuiDCVrivIcbfikj9EYAeyzaRPxbIVLmT9enWavAOR2odrv6+
|
||||
8lxL+pJjVHwEAJtzUhU/FgYI3LN5uE06rLS4Ty97EZ1RApFBhKuTx30MUdw7vxas
|
||||
GIhh+qDmV7rBWc7h8dEf/hipH5KvaqJsCKWczEiBm5X0tNAqVgLwWHJU3iZn8pwy
|
||||
og3Iq7xubLueZcKrKpJ9gIJvMuzqkLAnGlBb5zB6sXlc5N26l41pXX6O3b4mRzVt
|
||||
e1zua7lCS7HkWRN2wjAXj0I0KWOopeyvAqvYCdHbd020fVklTUvhFLggd3Pa7VE/
|
||||
qpQazVgpjM92S31w2I6oh8uo6JE/CuAaNqY6ImeyJVGUOt+8W+0zh+biHDmLBkeg
|
||||
L/ON5bdE79YK4Glm0f5DUjiBkRDtEkGpMOpIaVWrEzRqkqAS8hW+vks8OxAHGTwg
|
||||
YfWTs/sV3QXBpQrJhJwMBvQUhQRuMoFHTtzsr2Xkhg/QcDWRc6gIv3SiSVuV59Rh
|
||||
yUFHo6659Rog5fjWiJKa5tkl0zmettq4g2+M2JjV8JAvvaSc1deCDfV2UvDFncnV
|
||||
HjK2mtiuQA+YSh8Mj4wi6C77z5P1edIjDliyFZPkQpP5gY/voLYUoKkHscpJxHAk
|
||||
wVktoYsgYpjJvMLSTh/xAgMBAAGjggEpMIIBJTAJBgNVHRMEAjAAMBEGCWCGSAGG
|
||||
+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xp
|
||||
ZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQvDB9fSUbqxLfMZv/SBpGSLwwbqzAf
|
||||
BgNVHSMEGDAWgBQvDB9fSUbqxLfMZv/SBpGSLwwbqzAOBgNVHQ8BAf8EBAMCBeAw
|
||||
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMDIGCCsGAQUFBwEBBCYwJDAi
|
||||
BggrBgEFBQcwAYYWaHR0cDovL29jc3BzZXJ2ZXI6MjU2MDAtBgNVHR8EJjAkMCKg
|
||||
IKAehhxodHRwOi8vb2NzcHNlcnZlcjo4MC9jcmwucGVtMA0GCSqGSIb3DQEBCwUA
|
||||
A4ICAQCXCJfKCUSHBKdROZKd6udawKcs0kaVN7+yrGQ928YTLlF1KaE/RIlzNdUR
|
||||
66WJx/U4TT7mUGX1otpEkDk3VI2Pdq6jgU+/dVScgnW2VZ41UD4HSdzr82aVPzHP
|
||||
gre1bT31K/dDVLpP/ZANecixmLNFts1rgz6nKN04wFDlBYfiIG0Hr8zGU2KhW4/q
|
||||
d1gnvkg0fZsDquQA9wciSQ1NyCSapKdCj8/AZ5BkQAs4mh/o92yC31N/IocUTv1v
|
||||
KPtP6iglZ3WnIfdpuAd5KXQ3T+ZT7m7sKnX78RcJnXdj3VzePhVgYWsXR5vxpfiF
|
||||
D+COjdS+ANtV9hdAhT0wewFfi3r1lsDdgGlazW4zgh/zKUBR2GBfgf48e6TuQ+YV
|
||||
ZtUwBk02X5veqCNhbVgwDO/xlVq5EfFPh0NjUGPPa4+EKb4YIgg3OZXU4R7/f9tB
|
||||
BqqiiGCQUELxpLOAq2EtPsInca9+tp/MSCUQI/5RM6afs/OyMoPwNe8y1cYVK0SC
|
||||
tLoPvXWB19GMRyPiLqXoHZOZbxTb4op1/h3LqWuFRss7lni3booDheDRmxQgpgXJ
|
||||
tlqsyNRwvWjUqlNgkrwHvrbRDOhXIzUMUbHYBldSQfH3unwyk3JHB26IGYzexTrA
|
||||
H5c03yEn4blZKKShhJ6SzI7AUpiyKSIb0TwKJxkMsiBhr+K0Rg==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEAro5s2capnXcBZHv7EFje783FXbTQ4GoXL41ZnUO1toGArZd+
|
||||
aQGExXAOUVllhVfH62XkW8ebuXar1v7pw9L8RIv13Cl05bsWYaX0LhY3C9Ll2yp/
|
||||
0BTNf/QyBvoIRnsunj3UcdU3n3/9uJWUml30RcZ5iwNHnLlvOQWIV/AsibmseAtu
|
||||
inJGHak1jD7TB561w/s/GhDc2e8HCuRxxt0KuHrXmi06qmJWf0yrOxWRoaiBai5m
|
||||
4Xg7BA+h/zOa42gXZSBsxqwGYesysPjy6FafEuYEnzyZsM7gifr4+cnHw7SbaHAA
|
||||
G748tMkoJ+154T/eZvKmOLpHHZCtoxTRdkwV5QIDAQABAoIBAEqAt6zrwhFXbdy5
|
||||
nhsIE38+0HKCbnSaU3MUXZ9l+vT+qTFua6Hd6BFtFm9aPJ6BLO8n+iPCOpEaOZX2
|
||||
D0hpkQqgwjtJ5n73L0JWVrYk/TGqvjihFxR1DJEEZSXdKhMLGIap1TcQzkDhnCVg
|
||||
kqCgYVY2tEHFEJev/ezUk7EU7a2KQW1kOJPEGDJR7UU0Kwx3RUY0BhBstuDCWPwp
|
||||
cZxw3JFvfxuNThxyqLWX8IbmvTlptLSUpcDyg4BQJ+wM28w4uwQkyc9DnLfoEbO9
|
||||
l4aIjIx7pkZ64JSBppGt203Q7rG/7TQUR/FPU0lFDmuQ470kLn09MYJV0GCmdVAO
|
||||
3O/tCrECgYEA4Khz8wi157a8LkA7gXdjv+dsdWZe5IYodH0swSt2GIHLBlWGwheO
|
||||
23FiovifnNbbSZmRfTHXBuKOdWjxr3gULtO5KD2wdv9cYJnl9uL1FbrwJQI3v9xD
|
||||
1ezHLuGCFjxFmYu+t6SVHYHl21MfT1W6bx+ZrcliDJPJqh368nXF98MCgYEAxuid
|
||||
1ZALHOy+1TmfYFjk88LrljoYL6DlyH2pNqX+7viZVcxHfpkK26kgVtTA0YmKDzt1
|
||||
nG2yOOaRm+j8CUgRw8TW54N6evZM/BTPmITsN1UHrSXixwT0hIZkP92rHcEj+GrK
|
||||
lDrDmjJDLe2rI39nmj5YSU5wsdI8QFbmbX3aCTcCgYBowUOnvJUNoeCndF4K5X/G
|
||||
uQOSzpRK3N+6Sa/3tutPTB4+Kt02XcPIQVusAGB0wp7n98qmZPoOBNBGoROpLUXD
|
||||
/AenYvSI2FPb24cmkveTFWLq7tjOBsg+1TSfgJmnAp21ljrs6Lp7Utm6Zk0AMkpH
|
||||
jKWdKn0kvjjXsTkVm6Me/wKBgGqVCMX/2kSUgykkKEdrOrt3bd9gn8cdsyL8Wqii
|
||||
x/jrEtbLkF/Ax/WuKVr9w5hD18uTs9CvYvlkaw+dBzg9+u7o0bLaW835noTQ7fAv
|
||||
AZggou1fyKWV/SPqE1u5ftCBxrF9H7HPzzIXzrGUkciCo1QeJhaZxn8yRQDAz9ZJ
|
||||
woR/AoGAeO6Eu1wroUchYHQ7VglAJQDVyXukdfgBJWRGG3I9R+wMiHs8iF2MSvBa
|
||||
941DZr6mNXOSrcR3FdO+EHP8FtMpYe6EJPSC8bk2Nl75OVptx+Wcd+VJ6DZQysYZ
|
||||
MgMGpHdHTZAfLDBje9yF0K7XluxaBaY6gqn+xPgqT/AOOE3xZqQ=
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,74AB7E7042FC695A7F267BB416AC24E1
|
||||
|
||||
zNvboWr/ayt4McuSl9h3oirnS7DK5JU5OSGvh3Seyt9E1oVd3SUg4Mcp4BpZP8gv
|
||||
Ei4K6+p3CTDrQfE0mrjIph3C1LKTzQeLdGIvgTjjKVpu91aogU3K3rgcuqKN/zla
|
||||
+sQOAedKEtLiop4J6rIGmKvo9JZonbMsEZnZnXGbz3k=
|
||||
-----END EC PRIVATE KEY-----
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN X509 CRL-----
|
||||
MIICyTCBsgIBATANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzEpMCcGA1UE
|
||||
ChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElT
|
||||
UkcgUm9vdCBYMRcNMjIwNTE4MDAwMDAwWhcNMjMwNDE3MjM1OTU5WqAvMC0wHwYD
|
||||
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wCgYDVR0UBAMCAWYwDQYJKoZI
|
||||
hvcNAQELBQADggIBAC2us3ieEcU7NTFjPyXEi/5aOID7IlPBK7ugS7IJrasTyEdH
|
||||
fAMcuoEGHaLoyLqpIKc7U/KIfqysn6l4Mu32aWFB/Ck5qiVufHXFjXIuNo4/drlm
|
||||
kPUjhgX0YcMkrWdbLFbF/mi5R7fCTbCP1ihqiw2AKB2jFShTAcybJpVRY7velN/D
|
||||
EI8ITJsHnGNOx5XZV7HgO1SbXrba7YGMD0YA+NiXc8VaoDlZdoKh8q/gk8y5vnvL
|
||||
UmtsHpdF1zFwDxYdpFLCrV9z8OcPWjguX6bYMWtnN5JPHrlUQrupCIN55ur8ttoq
|
||||
+9mQ/3Y2OFl1qF6UtHxSDHAI5vA8dBlZxQWSWXKGFPGPssNdB7CUJlZeLWPICWU9
|
||||
yANMxG+5ANeXW65GfPexj2DujwDlC46Wdnlvbft+2Bc0SYR72By/1QB3tmgBB//j
|
||||
QuJtAIzvRluvdnoIGRHPGVse0Qk4FC2BK04q8HBRw3UbxV1MDYIFCN9hlC625Q1s
|
||||
VjrqzGMPAwXYXNa/9hFQkdjKycrdsGvIXZa08sqqx4hY4CpjEeUQoka0XkTUmp7Q
|
||||
GDSXFxe4qxQObnU+LAMQ0cEcVb0TNnTC0PCeoSV82n3jRL9QYMe6lvU4pgFMddXz
|
||||
jna557uivEENf58Oh0SH5jux5gSlre177jQvvsfn8FeFXsLijw0tCbfupna/
|
||||
-----END X509 CRL-----
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
config_diagnostics = 1
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
|
||||
[provider_sect]
|
||||
fips = fips_sect
|
||||
default = default_sect
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
# need fipsinstall to populate below section
|
||||
# [fips_sect]
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFU
|
||||
LobnVTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UI
|
||||
THXKLNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLk
|
||||
lYLFchkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTk
|
||||
GgYHWFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkI
|
||||
UQfN9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQABAoIBABQ0rcAvKlvmoyJq
|
||||
bTWAtUm78zTB/xyWrD/MSZ22hPPDgx/aoYIKX8cgRSbThVbfPGdWkdpDp9z0RVWo
|
||||
OSB7QSpxeXd6Q5GNhErt1Q84byQpa2jEIVAGPAfMRP6DSjSxNHBoSKcvxZeIwuZb
|
||||
vlVOxdGtprfawvWMJ8w6C0bb9JZLeHjdLK/O49Nxj4YrUBk+ZvkKa8EQnq/apLMz
|
||||
9RMZiFQ1pvR9Ojfw4O4u0pqW80Iu8alDBxMkvzEUEhuzafrMKToX5GG65Y9/nhDl
|
||||
iIsENEvNY1Nk2WXPMe/VR5LVGBLtXlJ+KIj09KjuJyy5PEkwXxHobyRHEMtQ8SBs
|
||||
C1SE/sECgYEA+Sf1IyhyPfWg3CuGdwiYuwn9CVnZxqQWLwwk+EdIXpNDbHhfeN1Z
|
||||
ZC1/bttz45O4At5KtKAHLeRETuphtgwJ6ZHdNy5K6h4GV0s4ZtBHS8pu95+BAApN
|
||||
pGRPzZ4u4GDTkTCbHRd+A2UY1EnpGe6Owq/+Cbu67jnPJOP0pegmGzkCgYEAzAya
|
||||
v9pEwcDBIrKE3ida46mBAnxBT81pr8Pa5t5pON3DtjsHv3lfa01u9ga8F0GKgMif
|
||||
tet9dFWtFHdrC8HbrpcHwta1dVlDNzr1TSjbyl5TW9/suSbHTQ/iUmXFazbhHVu6
|
||||
p4jgV6DPgqxjI56YLcIqZIf2xDeVgGwbwv7d3d8CgYEAtcIpeTFrTbnfVF5IJJPX
|
||||
3zJlLiomzVssd7vTSG+v4pZpbDrP4vsO2B68xOFAxHchmK4TL3tCYX8ROcSP7V8Q
|
||||
6BwplbSmn+2xUIMmLRKpwCd4Fhp838ukYlVvRh+sMLFSBavArFNT8SQSHeOhMfKu
|
||||
oGYE25LgxiLT8yR8d39INTkCgYEAilnxgyvnesfLLE+Gr2pXwg1oH9tIHWfVxQsz
|
||||
HV6oUZpr3N9hfX46KHM0TTR7y/jwhCmDwMGPKpX86OefeTVUUqis5nrWRl7jqEsd
|
||||
j9eoTyptstm9lDyq3aFrfxrqJKvtLw7HHFk+Y6vxh1SDU99wp3YDcG6P7rMRdyXW
|
||||
HPzaSlkCgYBums2fZgP96/wyburnMhP/86ndLyVB2YbLwXMz+oGlm+XssAawulrM
|
||||
6mxpV63T+/UmEiszCEf3ZOUr1+zkSTe/CMZk5Vev1pYEzfpQ2AnpOsvPw+WGQbWL
|
||||
95dYCSGZKjXQ/UV+zDisZiDzjLRkZ7WfPJsPZ8z1P3nZ2t+8IRNO/Q==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEAxpgb1ESW7DpRvUHd56f1WArwhETylcxu0X02mAnuRgug6pFULobn
|
||||
VTuYdajuvRDdZGUYJHQuGB2Su5FiKGdDBXnuOPa/zQ6BoSz+z9Yqj8Mri0UITHXK
|
||||
LNqPO7/V69wbtFFus//gVozDTmv8Ws1J4lc+GYyfuVL6o8aLyGDhhrB8HoLklYLF
|
||||
chkCsjt8rQ2U2fAtwWNoxlIgw707tpwR5zLe58b/aM71OOMPZlERc4VPmZTkGgYH
|
||||
WFJCWxnp0TQ5CIjGyigewG55Mp8XqSf5cSel/pc3rmrHVq4vrw5cLcxhJNkIUQfN
|
||||
9x6NvkLCBWwOLBx+HAEiLeOqIDIILObrpwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBzCCAe+gAwIBAgIUJ+FXF8zL+pdK8Nl68Eq0aQlZKNMwDQYJKoZIhvcNAQEL
|
||||
BQAwEzERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjAxMjE1MTAwNjIyWhcNMzAxMjEz
|
||||
MTAwNjIyWjATMREwDwYDVQQDDAh0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAMEQQC0nyiHOekSs6sTwLBrdiWYvDWC5OQylQZY2pWsBYtWH
|
||||
3rkkt98rRNC3cxLSPwH+AAJrJCnRl4ZIxUrtNF8zPW/NexAaarKMLq8LHnVD+cf5
|
||||
uLzK9xZNt5s8aTQOF8TuHH2Zq/jdfJ9MnAJf1noZ4Oz5IZqOtgJ+1oCDZJc4ZlL1
|
||||
KO5tfDsWZOsRdow6F7wlK1xtCfcakcncL7Yh4xbZYQXnNSliGZF0/+SIqYIGhv2f
|
||||
EBng0yOW6FrXtrxhj/7TplAd2v5ziCsdcqqA+YFu4e6PzFybNErUgNZ8ZsokmP56
|
||||
uU13oKYLIsEf11EmKEX1bwvEvvu+T/V/IB38YV8CAwEAAaNTMFEwHQYDVR0OBBYE
|
||||
FM8D9Qnrg9JPEN5lkpDpkz44TOh8MB8GA1UdIwQYMBaAFM8D9Qnrg9JPEN5lkpDp
|
||||
kz44TOh8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ODar1
|
||||
fVkJ50rLToICvp2zZkLSsZlL13Gy4+FUUl0sctSRbXF6yPZGa3u6/HeF5AWnrFNX
|
||||
eZUVuJgyYa2gmz0K+HGbSrbNFb4Cpnhe7Y722SpSDEj3ybOI3EBeRT3WcwpSsGKa
|
||||
Kfx8NY08J440cn3oNAbZ9XrZOHhyvjkCEr9+ieg1MvMtNg5NbTpHj6Riuvuvvs3s
|
||||
CaOJ1dN5a59hHHvt76lb6Ah3cwJ98CRAObp1bElgL//Tl9faAHAFIpGopvq41Jnn
|
||||
rBd/GtvM6J/LHznZ9eOvMq+uBMyAhzpmi6Ih4SGnwN/i8StRbNvpIUIq2rO6IvCZ
|
||||
61xzxPhcY6bB2KI=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIDFTCCAf0CAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
||||
FDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYDVQQKEwtTU0wgU3VwcG9ydDEUMBIG
|
||||
A1UECxMLU1NMIFN1cHBvcnQxFDASBgNVBAMTC2V4YW1wbGUuY29tMIIBIjANBgkq
|
||||
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GDCNL5NhDX2JVU
|
||||
QKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUzKoTt5yLdVIM/
|
||||
HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgDcdbcQ5wsPVOi
|
||||
FHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyfgGS4+XQSsUdw
|
||||
NWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1f3rlwf8H5HIV
|
||||
H3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJEcwIDAQABoFYw
|
||||
VAYJKoZIhvcNAQkOMUcwRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0B
|
||||
AQUFAAOCAQEAgBSVMeTB9pfgZCllMPBFffeduMePyDA1SzLYjSFkh660sFFiwGAV
|
||||
MTnnYFHH3k6ueRVal3gzxZJ6ehr+ms1/CRO8rlY+B6geMCbGCbCvcAET0n505aYH
|
||||
v8vlvqrdSx8Ur/9sisbynCkdk2qgc3rbnDbsAAonZIXf+blacaYTZdGUxso6qtY6
|
||||
6mhI+ulqmkDk3Quc02ityvuGEbN8UuUGxc+kg0aIqMWWNKUGpTq/aRWpC7kuCUFZ
|
||||
fmvPwnMhzgKBPzOXwyauVxAV0Mm/1uwPu9GNVQDgewy4Rjbm5bNwIjce3W1tVMWT
|
||||
FR+x0BtV+D2A62fJWB2Yv9oERJbZQnvLqw==
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBEEAtJ8ohznpE
|
||||
rOrE8Cwa3YlmLw1guTkMpUGWNqVrAWLVh965JLffK0TQt3MS0j8B/gACayQp0ZeG
|
||||
SMVK7TRfMz1vzXsQGmqyjC6vCx51Q/nH+bi8yvcWTbebPGk0DhfE7hx9mav43Xyf
|
||||
TJwCX9Z6GeDs+SGajrYCftaAg2SXOGZS9SjubXw7FmTrEXaMOhe8JStcbQn3GpHJ
|
||||
3C+2IeMW2WEF5zUpYhmRdP/kiKmCBob9nxAZ4NMjluha17a8YY/+06ZQHdr+c4gr
|
||||
HXKqgPmBbuHuj8xcmzRK1IDWfGbKJJj+erlNd6CmCyLBH9dRJihF9W8LxL77vk/1
|
||||
fyAd/GFfAgMBAAECggEAG+N4Ec3MoiOMf/0mkLpM9LiJz4v+d7lp50y787IDJTj3
|
||||
CPdukfoe4YsDjs7hPZfHaEdDwxWtDKltJQXAEjm/tfzV5B+fpkzamt4rJDgL906R
|
||||
d3S4XfVHyh4B5tfMLqvWfSkUToRzVijQhsZvRtyHQ+4XEsROOWBiJGwkGj5guoM3
|
||||
4ItEJOXece+4pV0M1KPb3aTqGLw/Iow1IV9k+HCKrxwsBK0xpoEYfvK6N6PsmcRK
|
||||
iPS53D6bCS74HidgXvhPN8hdVvJ+s8rvXDdVF3Ajw/LhrdeYrRjZUtRpB43Z8uLn
|
||||
raMMOid4Q9EEsZNcWG2UO6BHyDibkOzQmPIv0/JIgQKBgQDo1Cmd3ialMZkn9bSX
|
||||
DUNxMZlTk49Abns2rKojRxApU3h3aVuViXPIs3yz0cUPzURGHOOHQwU5cFjMVsxx
|
||||
GffZjNq+ViR1Il0UhxBlYlcRZOou4RSi6VnN8HRjNeBNrzGxo/C+9/U00/APT/z5
|
||||
OBloEoWy22SqTJtQCKspQ60knwKBgQDURvpcMlJE6UBhIy3Q3/7+HUc/AsCj5dMY
|
||||
OafioeuKO+fRcNBaith3bUF3aRplf2jD/pQ/nLvD4+q0tvaEY06jpiVwm5PXGdUy
|
||||
acIcs56ch1BiczP5pkSpEpaG0ap4btW86UU3K+at0iAJqfm9aR8DSOugl+D+EC16
|
||||
RDRKn4TLQQKBgQDA4vPPW7m8ZYiyuDXyZgSXhDW4LakiAeWF+CnDrB3RfttwYhKD
|
||||
oioP/dKzzndpje6f/1LoPjfXzCFkuAwLLy5MRwr5YLg3ak6esP5+X6guOuJgEAxe
|
||||
ot/JYwmpH3tCIIAU4PKT4yx7pZFdvjCf7z/tHlsxP9z30RtihKv4NZ79lQKBgBOL
|
||||
XW2zrGNv3l+TL5q1pPKcm3yvsjDk7iSi2lRBeEBH97YO3wAXHIsSYh6ubKG/s1Oo
|
||||
UtnwglEs4OU2m0fhJNJob7YIfPonBLwZhKfD2eyrgLkvxi9MIbI3ZeiP0VQ5UDCO
|
||||
gbLstdZ3LD/3iGjqDtLsmdU1Zp+9uZIySWY9faqBAoGAa3DJYcGpBQWDlNbojcgv
|
||||
VUNukUrxDQOLR6AbPcYF8EdrSgtkuDQJfb94HpR55u6o+l9SiD2t9uEl/rLqrp1+
|
||||
jOTte0IERqrerKp43G/AHZduw0ks4PPxglZUAQ1/HSTUTUvACoHFB9egElj3zNIX
|
||||
fFBB0c+kqU2aLFq342F0ONU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -1,194 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
my $fips = $ENV{'TEST_NGINX_FIPS'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;$pwd/../lua-resty-hmac/lib/?.lua;$pwd/../lua-resty-string/lib/?.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
|
||||
_G.fips = "$fips" ~= ""
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Load ffi openssl library
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.load_modules()
|
||||
ngx.say(string.format("%x", openssl.version.version_num))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d{6}[0-9a-f][0f]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Luaossl compat pattern
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local openssl = require("resty.openssl")
|
||||
openssl.luaossl_compat()
|
||||
local pkey = require("resty.openssl.pkey")
|
||||
local pok, perr = pcall(pkey.new, "not a key")
|
||||
ngx.say(pok)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
false
|
||||
.+pkey.new.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: List cipher algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"AES\"]")
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"AES-256-GCM @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+AES.+\]
|
||||
\[.+AES-256-GCM @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: List digest algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL then
|
||||
ngx.say("[\"SHA\"]")
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"SHA2-256 @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+SHA.+\]
|
||||
\[.+SHA2-256 @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: List mac algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HMAC @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_mac_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HMAC @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: List kdf algorithms
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if not version.OPENSSL_3X then
|
||||
ngx.say("[\"HKDF @ default\"]")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(require("cjson").encode(openssl.list_kdf_algorithms()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\[.+HKDF @ default.+\]
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: List SSL cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version = require("resty.openssl.version")
|
||||
local openssl = require("resty.openssl")
|
||||
ngx.say(openssl.list_ssl_ciphers())
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.2"))
|
||||
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA", nil, "TLSv1.3"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+:.+
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
.*ECDHE-ECDSA-AES128-SHA
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: asn1_to_unix utctime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579091696"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: asn1_to_unix utctime, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(23) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "200115123456+0102"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1579095416"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: asn1_to_unix generalized time
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456Z"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890438896"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: asn1_to_unix generalized time, offset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_GENERALIZEDTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
local s = "22200115123456-0123"
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
ngx.print(assert(asn1.asn1_to_unix(a)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"7890433916"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: asn1_to_unix error on bad format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local ffi = require("ffi")
|
||||
local asn1 = require("resty.openssl.asn1")
|
||||
local a = ffi.C.ASN1_STRING_type_new(24) -- V_ASN1_UTCTIME
|
||||
ffi.gc(a, ffi.C.ASN1_STRING_free)
|
||||
for _, s in pairs({
|
||||
"201315123456Z",
|
||||
"200132123456Z",
|
||||
"200115243456Z",
|
||||
"200115123461Z",
|
||||
}) do
|
||||
ffi.C.ASN1_STRING_set(a, s, #s)
|
||||
|
||||
local _, err = asn1.asn1_to_unix(a)
|
||||
if err == nil then
|
||||
ngx.say(s, " should fail but didn't")
|
||||
end
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,232 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads JWK RSA key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
d = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
|
||||
p = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
|
||||
q = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
|
||||
dp = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
|
||||
dq = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
|
||||
qi = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new('asdasd', {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "RSA",
|
||||
n = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
|
||||
e = "AQAB",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local s, err = pubkey:encrypt("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local s, err = privkey:decrypt(s)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: error decoding JSON from JWK: Expected value but found invalid token at character 1
|
||||
pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" parameter is required
|
||||
23333
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Loads JWK EC key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
d = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "EC",
|
||||
crv = "P-256",
|
||||
x = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
|
||||
y = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("sha256")
|
||||
d:update("23333")
|
||||
local s, err = privkey:sign(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local ok, err = pubkey:verify(s, d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(ok)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct EC key from JWK: at least "x" and "y" parameter is required
|
||||
true
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads JWK Ed25519 key
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
|
||||
ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
d = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
|
||||
})
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local privkey, err = require("resty.openssl.pkey").new(jwk, {
|
||||
format = "JWK",
|
||||
})
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
-- errors
|
||||
local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
}), {
|
||||
format = "JWK",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
-- pubkey only
|
||||
jwk = require("cjson").encode({
|
||||
kty = "OKP",
|
||||
crv = "Ed25519",
|
||||
x = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
|
||||
})
|
||||
local pubkey, err = require("resty.openssl.pkey").new(jwk)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: New BIGNUM instance correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- error_log
|
||||
bn:to_binary failed
|
||||
|
||||
=== TEST 2: New BIGNUM instance from number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct bignum_st BIGNUM; void BN_free(BIGNUM *a);')
|
||||
local bn, err = require("resty.openssl.bn").new(0x5b25)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local bn2, err = require("resty.openssl.bn").dup(bn.ctx)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
bn = nil
|
||||
collectgarbage("collect")
|
||||
local b, err = bn2:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: from_binary, to_binary
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local d = ngx.decode_base64('WyU=')
|
||||
local bn, err = require("resty.openssl.bn").from_binary(d)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_binary()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
|
||||
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
|
||||
ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0)
|
||||
end
|
||||
|
||||
local b, err = bn:to_binary(10)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(ngx.encode_base64(b))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"WyU=AAAAAAAAAABbJQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: from_hex, to_hex
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_hex("5B25")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_hex()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"5[Bb]25"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: from_dec, to_dec
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").from_dec("23333")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn:to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.print(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: to_number
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local b, err = bn.new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
b, err = bn.from_dec('184467440737095516161844674407370955161618446744073709551616')
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local n, err = b:to_number()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(n),type(n))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23333number
|
||||
1.844674407371e+19number
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: unary minus
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn, err = require("resty.openssl.bn").new(23333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = (-bn):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
local b, err = (-(-bn)):to_dec()
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(b)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-23333
|
||||
23333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: metamethods checks arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local a, err = require("resty.openssl.bn").new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = require("resty.openssl.bn").new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local pok, perr = pcall(function() return a + "233" end)
|
||||
ngx.say(perr)
|
||||
local pok, perr = pcall(function() return "233" - a end)
|
||||
ngx.say(perr)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+cannot add a string to bignum
|
||||
.+cannot substract a string to bignum
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: add, sub, mul, div mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a+b))
|
||||
ngx.say(tostring(a-b))
|
||||
ngx.say(tostring(a*b))
|
||||
ngx.say(tostring(a/b))
|
||||
ngx.say(tostring(a%b))
|
||||
ngx.say(tostring(a*2478652))
|
||||
ngx.say(tostring(23578164761333*b))
|
||||
ngx.say(tostring(bn.mul(23578164761333, b)))
|
||||
ngx.say(tostring(a:mul(b)))
|
||||
ngx.say(tostring(23578164761333*2478652))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"23578167239985
|
||||
23578162282681
|
||||
58442065242007563116
|
||||
9512495
|
||||
4593
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
58442065242007563116
|
||||
5.8442065242008e\+19
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: sqr, exp
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:sqr()))
|
||||
ngx.say(tostring(a:exp(2)))
|
||||
ngx.say(tostring(a:pow(2)))
|
||||
ngx.say(tostring(b:exp(b)))
|
||||
ngx.say(tostring(bn.sqr(a)))
|
||||
ngx.say(tostring(bn.sqr(23578164761333)))
|
||||
ngx.say(tostring(bn.exp(a, 2)))
|
||||
ngx.say(tostring(bn.exp(23578164761333, 2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
5210245939718361468048211048414496022534389576033913164940029913016568215580398296261072019231723279851007241838011659882766685337218633992220688288491655299087016195985205218347711578485744737
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
555929853512565244851936889
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: gcd
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:gcd(b)))
|
||||
ngx.say(tostring(bn.gcd(a, b)))
|
||||
ngx.say(tostring(bn.gcd(a, 97)))
|
||||
ngx.say(tostring(bn.gcd(23578164761333, b)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
1
|
||||
1
|
||||
1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: lshift, rshift
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:lshift(2)))
|
||||
ngx.say(tostring(a:rshift(2)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"94312659045332
|
||||
5894541190333
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: comparasion
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(97)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a == b))
|
||||
ngx.say(tostring(a ~= b))
|
||||
ngx.say(tostring(a >= b))
|
||||
ngx.say(tostring(a > b))
|
||||
ngx.say(tostring(a < b))
|
||||
ngx.say(tostring(a <= b))
|
||||
ngx.say("")
|
||||
ngx.say(tostring(a == a))
|
||||
ngx.say(tostring(a ~= a))
|
||||
ngx.say(tostring(a >= a))
|
||||
ngx.say(tostring(a > a))
|
||||
ngx.say(tostring(a < a))
|
||||
ngx.say(tostring(a <= a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
true
|
||||
true
|
||||
true
|
||||
false
|
||||
false
|
||||
|
||||
true
|
||||
false
|
||||
true
|
||||
false
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: is_one, is_zero, is_odd, is_word
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(0):is_zero()))
|
||||
ngx.say(tostring(bn.new(1):is_zero()))
|
||||
ngx.say(tostring(bn.new(0):is_one()))
|
||||
ngx.say(tostring(bn.new(1):is_one()))
|
||||
ngx.say(tostring(bn.new(0):is_odd()))
|
||||
ngx.say(tostring(bn.new(1):is_odd()))
|
||||
ngx.say(tostring(bn.new(0):is_word(0)))
|
||||
ngx.say(tostring(bn.new(1):is_word(0)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
false
|
||||
true
|
||||
false
|
||||
true
|
||||
true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: is_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
ngx.say(tostring(bn.new(2):is_prime()))
|
||||
ngx.say(tostring(bn.new(15):is_prime()))
|
||||
ngx.say(tostring(bn
|
||||
.from_hex('00d3277434ff7e3d410b3453a5cddc13e834fbdc19f38c580bc05b68dfa179afa4b6e6d34fe2bde9d90390046a86306bd022d4ed8187ccaa21808e189e7b803fd918b7782078f3be6bc8683d71d7d46cb134bc2a74dbe410d2bb068e45af95deef546f6970b83f9386e504b6fbefee6ae804fbf544e6b7cf82aacfff9472c6af07')
|
||||
:is_prime()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: mod_add, mod_sub, mod_mul, mul_exp, mul_sqr mod
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.new(23578164761333)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local b, err = bn.new(2478652)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
local m, err = bn.new(65537)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(a:mod_add(b, m)))
|
||||
ngx.say(tostring(a:mod_sub(b, m)))
|
||||
ngx.say(tostring(a:mod_mul(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, m)))
|
||||
ngx.say(tostring(a:mod_sqr(b, m)))
|
||||
ngx.say(tostring(a:mod_exp(b, 65537)))
|
||||
ngx.say(tostring(bn.mod_exp(a, 2478652, m)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"49755
|
||||
7726
|
||||
27398
|
||||
28353
|
||||
1266433
|
||||
28353
|
||||
28353
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: generate_prime
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local bn = require("resty.openssl.bn")
|
||||
local a, err = bn.generate_prime(10, false)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
local a, err = bn.generate_prime(10, true)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
if not a:is_prime() then
|
||||
ngx.log(ngx.ERR, "not prime")
|
||||
return
|
||||
end
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,517 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates cipher correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(myassert(cipher:final('1'))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects unknown cipher
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher, err = require("resty.openssl.cipher").new("aes257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cipher.new: invalid cipher type \"aes257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Unintialized ctx throw errors
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:update("1")
|
||||
ngx.say(err)
|
||||
local _, err = cipher:final("1")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"cipher:update: cipher not initalized, call cipher:init first
|
||||
cipher:update: cipher not initalized, call cipher:init first
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Encrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1'))
|
||||
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Encrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s, err = cipher:encrypt(string.rep("0", 32), string.rep("0", 16), '1', true)
|
||||
ngx.say(s)
|
||||
-- 1.x: data not multiple of block length
|
||||
-- 3.0: wrong final block length
|
||||
ngx.say(err)
|
||||
local s = myassert(cipher:encrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
'1' .. string.rep(string.char(15), 15), true))
|
||||
ngx.print(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil
|
||||
.+(?:data not multiple of block length|wrong final block length|DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH)
|
||||
VhGyRCcMvlAgUjTYrqiWpg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Decrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg==")))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Decrypt no padding
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local s = myassert(cipher:decrypt(string.rep("0", 32), string.rep("0", 16),
|
||||
ngx.decode_base64("VhGyRCcMvlAgUjTYrqiWpg=="), true))
|
||||
|
||||
ngx.print(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}\x{0f}"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Encrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local sample = 'abcdefghi'
|
||||
local count = 5
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(sample))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(sample))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(s))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nothing
|
||||
SEk81GpcHC9KoZfN14RrNg==
|
||||
nothing
|
||||
L2dVbLMhEigy917CJBXz7g==
|
||||
nothing
|
||||
final
|
||||
dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Decrypt streaming
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = false,
|
||||
}))
|
||||
|
||||
local input = ngx.decode_base64('SEk81GpcHC9KoZfN14RrNg==') ..
|
||||
ngx.decode_base64('L2dVbLMhEigy917CJBXz7g==') ..
|
||||
ngx.decode_base64('dtpklHxY9IbgmSw84+2XMr0Vy/S1392+rvu0A3GW1Wo=')
|
||||
local count = 5 + 1
|
||||
local len = (#input - #input % count) / count
|
||||
for i=0,#input-len,len do
|
||||
local s = myassert(cipher:update(string.sub(input, i+1, i+len)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(s)
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
-- this should throw error since we end in the middle
|
||||
local s, err = cipher:final()
|
||||
ngx.say(err)
|
||||
ngx.say(s)
|
||||
-- feed the last chunk of input
|
||||
local s = myassert(cipher:final(string.sub(input, #input -#input % count + 1, #input)))
|
||||
ngx.say("final")
|
||||
ngx.say(s)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nothing
|
||||
abcdefghiabcdefg
|
||||
nothing
|
||||
hiabcdefghiabcde
|
||||
fghiabcdefghiabc
|
||||
nothing
|
||||
.+(wrong final block length|WRONG_FINAL_BLOCK_LENGTH)
|
||||
nil
|
||||
final
|
||||
defghi
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Derive key and iv
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-ecb"))
|
||||
|
||||
-- openssl enc -aes-256-ecb -pass pass:xxx -S 797979 -P -md md5
|
||||
local key, iv = cipher:derive("xxx", "yyy", 1, "md5")
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex() == "" and "no iv")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
FE91AF7782EDB48F32775BB2B72DD5ED
|
||||
1F94CD004791ECFD50955451ACDA89D2CF1B4BCC6A378E4FC5C5861BDED17F61
|
||||
no iv
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Derive key and iv: salt, count and md is optional
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
function string.tohex(str)
|
||||
return (str:gsub('.', function (c)
|
||||
return string.format('%02X', string.byte(c))
|
||||
end))
|
||||
end
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
-- openssl enc -aes-256-cbc -pass pass:xxx -nosalt -P -md sha1
|
||||
local key, iv = cipher:derive("xxx")
|
||||
|
||||
ngx.say(key:tohex())
|
||||
ngx.say(iv:tohex())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140
|
||||
20578C4FEF1AEE907B1DC95C776F8160
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: AEAD modes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_aead_tag())
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, nil, tag)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local r, err = dec:decrypt(key, iv, d, false, aad, nil)
|
||||
ngx.say(r)
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
nil
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-ivlen-\n-padding-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
local c = myassert(cipher.new("aes256"))
|
||||
ngx.say(require("cjson").encode(myassert(c:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(c:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+ivlen.+
|
||||
.+padding.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("secret\nsecret\nnil")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local myassert = require("helper").myassert
|
||||
local key = string.rep("0", 32)
|
||||
local iv = string.rep("0", 12)
|
||||
local aad = "an aad"
|
||||
local cipher = require("resty.openssl.cipher")
|
||||
|
||||
local enc = myassert(cipher.new("aes-256-gcm"))
|
||||
local d = myassert(enc:encrypt(key, iv, "secret", false, aad))
|
||||
local tag = myassert(enc:get_param("tag", 16))
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
local s = myassert(dec:decrypt(key, iv, d, false, aad, tag))
|
||||
ngx.say(s)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = tag}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
|
||||
local dec = myassert(cipher.new("aes-256-gcm"))
|
||||
myassert(dec:init(key, iv))
|
||||
myassert(dec:set_params({tag = "wrong tag"}))
|
||||
myassert(dec:update_aead_aad(aad))
|
||||
local r, err = dec:final(d)
|
||||
ngx.say(r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"secret
|
||||
secret
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 16: Update with segements larger than 1024
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local cipher = myassert(require("resty.openssl.cipher").new("aes-256-cbc"))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
|
||||
local count = 3
|
||||
for i=1,count,1 do
|
||||
local s = myassert(cipher:update(string.rep(tostring(i), 1024)))
|
||||
|
||||
if s ~= "" then
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
else
|
||||
ngx.say("nothing")
|
||||
end
|
||||
end
|
||||
local s = myassert(cipher:final(string.rep("a", 1024)))
|
||||
|
||||
ngx.say("final")
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16)))
|
||||
|
||||
local ok = myassert(cipher:init(string.rep("0", 32), string.rep("0", 16), {
|
||||
is_encrypt = true,
|
||||
}))
|
||||
local s = myassert(cipher:final(string.rep("1", 1024) ..
|
||||
string.rep("2", 1024) ..
|
||||
string.rep("3", 1024) ..
|
||||
string.rep("a", 1024)))
|
||||
|
||||
ngx.say(ngx.encode_base64(string.sub(s, -16))) -- should be same as above
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"XZElJKMyKzuvbYNf4Y0hAw==
|
||||
59Cw1+C6hHpfqsOn7PZ2Gw==
|
||||
t6oGLYvnjihoi+7tPfyK/A==
|
||||
final
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
QcpC0TXDxiOln2ENZ0aGDA==
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,96 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Can create a ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Can create a ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: Can free ctx in ngx.ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new(true))
|
||||
myassert(ctx.free(true))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Can free ctx in global namespace
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.exit(0)
|
||||
end
|
||||
local ctx = require("resty.openssl.ctx")
|
||||
myassert(ctx.new())
|
||||
myassert(ctx.free())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate digest correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢", "🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(digest:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest, err = require("resty.openssl.digest").new("sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"digest.new: invalid digest type \"sha257\".*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local digest = myassert(require("resty.openssl.digest").new("sha256"))
|
||||
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
|
||||
myassert(digest:reset())
|
||||
myassert(digest:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(digest:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
2iuYqSWdAyVAtQxL/p+AOl2kqp83fN4k+da6ngAt8+s=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("sha256"))
|
||||
ngx.say(myassert(d:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("{}\n-ssl3-ms-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local digest = require("resty.openssl.digest")
|
||||
local d = myassert(digest.new("md5-sha1"))
|
||||
ngx.say(require("cjson").encode(myassert(d:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(d:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{}
|
||||
.+ssl3-ms.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- no good example to test
|
||||
ngx.say("skipped")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"skipped
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,39 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Don't cry if there's no error
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
ngx.print(format_error("fake function"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"fake function failed"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,169 +0,0 @@
|
|||
local pkey = require "resty.openssl.pkey"
|
||||
local x509 = require "resty.openssl.x509"
|
||||
local name = require "resty.openssl.x509.name"
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
local bn = require "resty.openssl.bn"
|
||||
local digest = require "resty.openssl.digest"
|
||||
local BORINGSSL = require "resty.openssl.version".BORINGSSL
|
||||
local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X
|
||||
|
||||
local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name)
|
||||
local key = pkey.new(key_opts or {
|
||||
type = 'RSA',
|
||||
bits = 1024,
|
||||
})
|
||||
|
||||
local cert = x509.new()
|
||||
cert:set_pubkey(key)
|
||||
cert:set_version(3)
|
||||
|
||||
local now = os.time()
|
||||
cert:set_not_before(now)
|
||||
cert:set_not_after(now + 86400)
|
||||
|
||||
local nm = name.new()
|
||||
for k, v in pairs(names or {}) do
|
||||
assert(nm:add(k, v))
|
||||
end
|
||||
|
||||
assert(cert:set_subject_name(nm))
|
||||
assert(cert:set_issuer_name(issuing_name or nm))
|
||||
|
||||
assert(cert:set_basic_constraints { CA = is_ca })
|
||||
assert(cert:set_basic_constraints_critical(true))
|
||||
|
||||
if not is_ca then
|
||||
assert(cert:add_extension(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth")))
|
||||
|
||||
assert(cert:add_extension(assert(extension.new("subjectKeyIdentifier", "hash", {
|
||||
subject = cert,
|
||||
}))))
|
||||
end
|
||||
|
||||
local dgst
|
||||
if BORINGSSL then
|
||||
dgst = digest.new("SHA256")
|
||||
end
|
||||
assert(cert:sign(signing_key or key, dgst))
|
||||
|
||||
return cert, key
|
||||
end
|
||||
|
||||
local function to_hex(bin)
|
||||
local hex, err = bn.from_binary(bin):to_hex()
|
||||
if err then
|
||||
error(err)
|
||||
end
|
||||
return hex:upper()
|
||||
end
|
||||
|
||||
local function myassert(...)
|
||||
local ret = {...}
|
||||
local err = ret[#ret]
|
||||
if #ret > 1 and err then
|
||||
ngx.log(ngx.ERR, tostring(err))
|
||||
ngx.exit(0)
|
||||
end
|
||||
return ...
|
||||
end
|
||||
|
||||
-- https://github.com/openresty/lua-cjson/blob/461c7ef23a49062d4b1bf0e1afb3be294d007861/tests/sort_json.lua
|
||||
|
||||
-- NOTE: This will only work for simple tests. It doesn't parse strings so if
|
||||
-- you put any symbols like {?[], inside of a string literal then it will break
|
||||
-- The point of this function is to test basic structures, and not test JSON
|
||||
-- strings
|
||||
|
||||
local function sort_callback(str)
|
||||
local inside = str:sub(2, -2)
|
||||
|
||||
local parts = {}
|
||||
local buffer = ""
|
||||
local pos = 1
|
||||
|
||||
while true do
|
||||
if pos > #inside then
|
||||
break
|
||||
end
|
||||
|
||||
local append
|
||||
|
||||
local parens = inside:match("^%b{}", pos)
|
||||
if parens then
|
||||
pos = pos + #parens
|
||||
append = sort_callback(parens)
|
||||
else
|
||||
local array = inside:match("^%b[]", pos)
|
||||
if array then
|
||||
pos = pos + #array
|
||||
append = array
|
||||
else
|
||||
local front = inside:sub(pos, pos)
|
||||
pos = pos + 1
|
||||
|
||||
if front == "," then
|
||||
table.insert(parts, buffer)
|
||||
buffer = ""
|
||||
else
|
||||
append = front
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if append then
|
||||
buffer = buffer .. append
|
||||
end
|
||||
end
|
||||
|
||||
if buffer ~= "" then
|
||||
table.insert(parts, buffer)
|
||||
end
|
||||
|
||||
table.sort(parts)
|
||||
|
||||
return "{" .. table.concat(parts, ",") .. "}"
|
||||
end
|
||||
|
||||
local function sort_json(str)
|
||||
return (str:gsub("%b{}", sort_callback))
|
||||
end
|
||||
|
||||
local function encode_sorted_json(tbl)
|
||||
return sort_json(require("cjson").encode(tbl))
|
||||
end
|
||||
|
||||
local function create_cert_chain(depth, key_opts)
|
||||
local last_key, last_cn
|
||||
local certs, keys = {}, {}
|
||||
for i=1, depth do
|
||||
local cn, issuer
|
||||
if last_key then
|
||||
cn = "lua-resty-openssl Test Cert leaf " .. i - 1
|
||||
issuer = name.new()
|
||||
assert(issuer:add("CN", last_cn))
|
||||
else
|
||||
cn = "lua-resty-openssl Test Cert Root CA"
|
||||
end
|
||||
last_cn = cn
|
||||
|
||||
local crt, key = create_self_signed(key_opts,
|
||||
{ CN = cn }, i < depth, last_key, issuer)
|
||||
|
||||
certs[i] = crt
|
||||
keys[i] = key
|
||||
|
||||
last_key = key
|
||||
end
|
||||
|
||||
return certs, keys
|
||||
end
|
||||
|
||||
|
||||
return {
|
||||
create_self_signed = create_self_signed,
|
||||
to_hex = to_hex,
|
||||
myassert = myassert,
|
||||
encode_sorted_json = encode_sorted_json,
|
||||
create_cert_chain = create_cert_chain,
|
||||
}
|
|
@ -1,118 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate hmac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(hmac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
|
||||
myassert(hmac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(hmac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac, err = require("resty.openssl.hmac").new("goose", "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"hmac.new:.+(?:invalid|unsupported).*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Can be reused
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local hmac = myassert(require("resty.openssl.hmac").new("goose", "sha256"))
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
|
||||
myassert(hmac:reset())
|
||||
|
||||
myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.say(ngx.encode_base64(myassert(hmac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,457 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: kdf: invalid args are checked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key, err = kdf.derive({
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = "no",
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = 123,
|
||||
})
|
||||
ngx.say(err)
|
||||
local key, err = kdf.derive({
|
||||
type = 19823718236128631,
|
||||
outlen = 16,
|
||||
pass = "123",
|
||||
})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kdf.derive: \"type\" must be set
|
||||
kdf.derive: expect a number as \"type\"
|
||||
kdf.derive: \"outlen\" must be set
|
||||
kdf.derive: except a string as \"pass\"
|
||||
kdf.derive: unknown type 19823718236128632
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: PBKDF2
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
pbkdf2_iter = 1000,
|
||||
md = "md5",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"cDRFLQ7NWt\\+AP4i0TdBzog=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 3: PBKDF2, optional args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.PBKDF2,
|
||||
outlen = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"HkN6HHnXW\\+YekRQdriCv/A=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: HKDF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("aqRd+gO5Ok3YneDEormTcg==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "some info",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_AND_EXPAND,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"aqRd+gO5Ok3YneDEormTcg=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: HKDF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.say("aggdq4eoqRiP0Z3GbpxCjg==")
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local version_num = version.version_num
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_info = "info",
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
|
||||
if not version.OPENSSL_111_or_LATER then
|
||||
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.HKDF,
|
||||
outlen = 16,
|
||||
salt = "salt",
|
||||
hkdf_key = "secret",
|
||||
hkdf_mode = kdf.HKDEF_MODE_EXTRACT_ONLY,
|
||||
}))
|
||||
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"aggdq4eoqRiP0Z3GbpxCjg==
|
||||
W/tSxFnNsHIYwXa13eybYhW9W3Y=
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: TLS1-PRF
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("0xr8qthU+ypv2xRC90la8g==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
md = "md5",
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"0xr8qthU\\+ypv2xRC90la8g=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: TLS1-PRF, optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("XVVDK9/puTqBOsyTKt8PKQ==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.TLS1_PRF,
|
||||
outlen = 16,
|
||||
tls1_prf_secret = "secret",
|
||||
tls1_prf_seed = "seed",
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"XVVDK9/puTqBOsyTKt8PKQ=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 8: scrypt
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
|
||||
ngx.print("9giFtxace5sESmRb8qxuOw==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local key = myassert(kdf.derive({
|
||||
type = kdf.SCRYPT,
|
||||
outlen = 16,
|
||||
pass = "1234567",
|
||||
scrypt_N = 1024,
|
||||
scrypt_r = 8,
|
||||
scrypt_p = 16,
|
||||
}))
|
||||
|
||||
ngx.print(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"9giFtxace5sESmRb8qxuOw=="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: EVP_KDF API: new
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah')
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
myassert(kdf.new("PBKDF2"))
|
||||
local ok, err = kdf.new("UNKNOWNKDF")
|
||||
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+invalid mac type \"UNKNOWNKDF\".+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: EVP_KDF API: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local cipher = require("resty.openssl.kdf")
|
||||
local c = myassert(cipher.new("hkdf"))
|
||||
ngx.say(myassert(c:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 11: EVP_KDF API: derive
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: EVP_KDF API: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
ngx.say(require("cjson").encode(myassert(k:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(k:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: EVP_KDF API: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("cDRFLQ7NWt+AP4i0TdBzog==\n18446744073709551615")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
-- output SIZE_MAX since it's not fixed size, need to find a better test case
|
||||
ngx.say(tostring(k:get_param("size", nil, "bn")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
cDRFLQ7NWt+AP4i0TdBzog==
|
||||
18446744073709551615
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: EVP_KDF API: reset
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-missing salt\ncDRFLQ7NWt+AP4i0TdBzog==")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local kdf = require("resty.openssl.kdf")
|
||||
local k = myassert(kdf.new("PBKDF2"))
|
||||
myassert(k:set_params({
|
||||
iter = 1000,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
myassert(k:reset())
|
||||
local ok, err = k:derive(16, {
|
||||
pass = "1234567",
|
||||
})
|
||||
ngx.say(err)
|
||||
|
||||
myassert(k:set_params({
|
||||
iter = 100,
|
||||
digest = "md5",
|
||||
salt = "",
|
||||
}))
|
||||
local key = myassert(k:derive(16, {
|
||||
iter = 1000,
|
||||
pass = "1234567",
|
||||
}))
|
||||
ngx.say(ngx.encode_base64(key))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+missing salt
|
||||
cDRFLQ7NWt\+AP4i0TdBzog==
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,188 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Calculate mac correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢🦢🦢🦢🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Update accepts vardiac args
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
mac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
|
||||
ngx.print(ngx.encode_base64(mac:final()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Final accepts optional arg
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
|
||||
myassert(mac:update("🦢", "🦢🦢", "🦢🦢"))
|
||||
ngx.print(ngx.encode_base64(myassert(mac:final("🦢"))))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejects unknown hash
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("mac.new: invalid cipher or digest type")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local mac, err = require("resty.openssl.mac").new("goose", "HMAC", nil, "sha257")
|
||||
ngx.print(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"mac.new: invalid cipher or digest type.*"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Returns provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("default")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(myassert(m:get_provider_name()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
default
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Returns gettable, settable params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("-size-\n-digest-")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = require("resty.openssl.mac")
|
||||
local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
|
||||
ngx.say(require("cjson").encode(myassert(m:gettable_params())))
|
||||
ngx.say(require("cjson").encode(myassert(m:settable_params())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.+size.+
|
||||
.+digest.+
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Get params, set params
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\n32")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
|
||||
local s1 = myassert(mac:final("🦢"))
|
||||
|
||||
local mac = myassert(require("resty.openssl.mac").new("notthiskey", "HMAC", nil, "sha256"))
|
||||
myassert(mac:set_params({key = "goose"}))
|
||||
local s2 = myassert(mac:final("🦢"))
|
||||
|
||||
ngx.say(s1 == s2)
|
||||
ngx.say(myassert(mac:get_param("size")))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
32
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,81 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Convert nid to table
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(encode_sorted_json(o.nid2table(87)))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Convert txt to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
local t = {
|
||||
ln = "X509v3 Basic Constraints",
|
||||
sn = "basicConstraints",
|
||||
id = "2.5.29.19"
|
||||
}
|
||||
local r = {}
|
||||
for k, v in pairs(t) do
|
||||
r[k] = o.txt2nid(v)
|
||||
end
|
||||
ngx.print(encode_sorted_json(r))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":87,"ln":87,"sn":87}'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Convert sigid to nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local o = require("resty.openssl.objects")
|
||||
ngx.print(o.find_sigid_algs(795)) -- ecdsa-with-SHA384
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
673
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,38 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Construct
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
ngx.say("TODO")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
TODO
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,262 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads password protected pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r = myassert(pkcs12.decode(pp, "badssl.com"))
|
||||
|
||||
ngx.say(r.key:get_parameters().d:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
55107FB7D6FD8A099E4E5CF24291CF20CBD4BB7B93A66EF8D89996A5C49EEB51405E6843CC89CD74B9C87DB9DBDE9E38923E02A32E4F6F32A59B4D6C6CDC40E0192204F135C9E9F527FD9E53F2C9E90B8D8D18E8F5DAC57D1EF95163D0DF1BBDB89850636AE870B20B5E6BF2EBD1651BE79B4E187C48F6D332D35A4C531BE3B027A64D85AD6F7EAF33ECC1B9253B196CFD20EDEFCBAC46F7C08EC966EF721D0533AB6DC785F86998B37FD25F3D60BB4E692F1636AE10BCA62065AA70FF41B5C16A165B8636FD4A40C59F6B72A4C1592A424820A0C968E23613DB48959F7BFF49D9B71A9C84CB72F08B94F586007CB5C29A3D8811F9EF2ED2FBB612DF28BB9601
|
||||
2B936CE32D82CE8B01FD9A0595AC6366AA014C82
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Errors on bad password
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
|
||||
local pp = io.open("t/fixtures/badssl.com-client.p12"):read("*a")
|
||||
|
||||
local r, err = pkcs12.decode(pp, "wrong password")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
|
||||
local r, err = pkcs12.decode(pp)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Creates pkcs12
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
-- full house
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no name
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- no CA
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
-- empty password
|
||||
local r = myassert(pkcs12.encode({
|
||||
key = key,
|
||||
cert = cert,
|
||||
}))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Uses empty string password when omitted
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local p12 = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
}))
|
||||
|
||||
local r = myassert(pkcs12.decode(p12, nil))
|
||||
ngx.say(#r.key:get_parameters().x:to_hex():upper())
|
||||
ngx.say(r.cert:get_serial_number():to_hex():upper())
|
||||
ngx.say(#r.cacerts)
|
||||
ngx.say(r.friendly_name)
|
||||
-- same as empty string
|
||||
local r = myassert(pkcs12.decode(p12, ""))
|
||||
|
||||
-- password mismatch
|
||||
local r, err = pkcs12.decode(p12, "extrapassword")
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'6\d
|
||||
0
|
||||
2
|
||||
myname
|
||||
true
|
||||
pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Check cert and key mismatch
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
local pro = require "resty.openssl.provider"
|
||||
myassert(pro.load("legacy"))
|
||||
end
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local key2 = require("resty.openssl.pkey").new({ type = 'EC', curve = "prime256v1" })
|
||||
|
||||
local r, err = pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key2,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 }
|
||||
}, "test-pkcs12")
|
||||
ngx.say(r == nil, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'true.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates pkcs12 with newer algorithm
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say("2333")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
-- don't load the legacy provider for this test
|
||||
-- by default nid_key is RC2 and is moved to legacy provider in 3.0
|
||||
|
||||
local pkcs12 = require "resty.openssl.pkcs12"
|
||||
local cert, key = require("helper").create_self_signed({ type = 'EC', curve = "prime256v1" })
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local ca1 = myassert(x509.new(io.open("t/fixtures/GlobalSign.pem"):read("*a")))
|
||||
local ca2 = myassert(x509.new(io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")))
|
||||
|
||||
local r = myassert(pkcs12.encode({
|
||||
friendly_name = "myname",
|
||||
key = key,
|
||||
cert = cert,
|
||||
cacerts = { ca1, ca2 },
|
||||
nid_key = "aes-128-cbc",
|
||||
nid_cert = "aes-128-cbc",
|
||||
mac_iter = 2000,
|
||||
}, "test-pkcs12"))
|
||||
ngx.say(#r)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'\d{3,4}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
File diff suppressed because it is too large
|
@ -1,141 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\nnil\ntrue\nfalse\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local avail, err = pro.is_available(n)
|
||||
ngx.say(avail)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
nil
|
||||
true
|
||||
false
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Self test default and legacy provider
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("nil\ntrue\nnil\ntrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
for _, n in ipairs({"default", "legacy"}) do
|
||||
local p, err = pro.load(n)
|
||||
ngx.say(err)
|
||||
-- after load it's available
|
||||
local ok, err = p:self_test(n)
|
||||
ngx.say(ok)
|
||||
|
||||
myassert(p:unload())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
nil
|
||||
true
|
||||
nil
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Set default search path
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say("true\ncommon libcrypto routines::init fail")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
pro.set_default_search_path("/tmp")
|
||||
local ok, err = pro.load("legacy")
|
||||
ngx.say(ok == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
true
|
||||
.+(?:init fail|common libcrypto routines::reason\(524325\))
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Get parameters
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if not require("resty.openssl.version").OPENSSL_3X then
|
||||
ngx.say('{"buildinfo":"3.0.0-alpha7","name":"OpenSSL Default Provider","status":1,"version":"3.0.0"}')
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local pro = require "resty.openssl.provider"
|
||||
local p = myassert(pro.load("default"))
|
||||
local a = assert(p:get_params("name", "version", "buildinfo", "status"))
|
||||
ngx.say(encode_sorted_json(a))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
{"buildinfo":"3.+","name":"OpenSSL Default Provider","status":1,"version":"3.+"}
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Geneartes random bytes
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b)
|
||||
local b2, err = rand.bytes(233)
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(#b2)
|
||||
ngx.say(b == b2)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"233
|
||||
233
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local rand = require("resty.openssl.rand")
|
||||
local b, err = rand.bytes()
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes(true)
|
||||
ngx.say(err)
|
||||
local b, err = rand.bytes({})
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
rand.bytes: expect a number at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
|
@ -1,281 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (client) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c1.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c1.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (client) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c2.sock ssl;
|
||||
server_name test.com;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c2.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
local crt = chain[1]
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
1
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (client) set cipher suites [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 4: SSL (client) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c4.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-GCM-SHA384.*
|
||||
ECDHE-RSA-AES256-GCM-SHA384
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (client) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c5.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c5.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (client) set_verify and add_client_ca [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (client) set/get/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-c7.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-c7.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_PRIORITIZE_CHACHA))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_NO_QUERY_MTU.+SSL_OP_PRIORITIZE_CHACHA.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (client) set_protocols [skipped]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-sctx1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl_ctx = require "resty.openssl.ssl_ctx"
|
||||
local sc = assert(ssl_ctx.from_request())
|
||||
assert(sc:set_alpns({"h4"}))
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ngx_pipe = require "ngx.pipe"
|
||||
local opts = {
|
||||
merge_stderr = true,
|
||||
buffer_size = 256000,
|
||||
}
|
||||
local proc = ngx_pipe.spawn({'bash', '-c', "echo q | openssl s_client -unix /tmp/nginx-sctx1.sock -alpn h4 && sleep 0.1"}, opts)
|
||||
local data, err, partial = proc:stdout_read_all()
|
||||
if ngx.re.match(data, "ALPN protocol: h4") then
|
||||
ngx.say("ok")
|
||||
else
|
||||
ngx.say(data)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
|
@ -1,375 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
repeat_each(2);
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
add_block_preprocessor(sub {
|
||||
my ($block) = @_;
|
||||
|
||||
my $name = $block->name;
|
||||
|
||||
my $http_config = $block->http_config;
|
||||
|
||||
if (defined $http_config ) {
|
||||
|
||||
my $new_http_config = <<_EOC_;
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
|
||||
ssl_certificate $pwd/t/fixtures/test.crt;
|
||||
ssl_certificate_key $pwd/t/fixtures/test.key;
|
||||
|
||||
lua_ssl_trusted_certificate $pwd/t/fixtures/test.crt;
|
||||
|
||||
$http_config
|
||||
|
||||
_EOC_
|
||||
|
||||
$block->set_value("http_config", $new_http_config);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
|
||||
our $ClientContentBy = qq{
|
||||
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
env_to_nginx("CI_SKIP_NGINX_C");
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: SSL (server) get peer certificate
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s1.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local crt = myassert(sess:get_peer_certificate())
|
||||
ngx.say(myassert(crt:get_subject_name():tostring()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s1.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
CN=test.com
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 2: SSL (server) get peer cert chain
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s2.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
myassert(sess:set_verify(ssl.SSL_VERIFY_PEER, nil))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
|
||||
local chain = myassert(sess:get_peer_cert_chain())
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s2.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
proxy_ssl_certificate ../../../t/fixtures/test.crt;
|
||||
proxy_ssl_certificate_key ../../../t/fixtures/test.key;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
0
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 3: SSL (server) set cipher suites (TLSv1.3 set_ciphersuites not tested)
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s3.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_cipher_list("ECDHE-RSA-AES256-SHA"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
local sock = ngx.socket.tcp()
|
||||
myassert(sock:connect("unix:/tmp/nginx-s3.sock"))
|
||||
myassert(sock:sslhandshake(nil, "test.com"))
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_socket(sock))
|
||||
|
||||
ngx.say(myassert(sess:get_ciphers()))
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES256-SHA.*
|
||||
ECDHE-RSA-AES256-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
|
||||
=== TEST 4: SSL (server) get ciphers
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s4.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_ciphers ECDHE-RSA-AES128-SHA;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local ciphers = myassert(sess:get_ciphers())
|
||||
ngx.say(ciphers)
|
||||
|
||||
local cipher = myassert(sess:get_cipher_name())
|
||||
ngx.say(cipher)
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s4.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
.*ECDHE-RSA-AES128-SHA.*
|
||||
ECDHE-RSA-AES128-SHA$
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 5: SSL (server) get/set timeout
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s5.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
myassert(sess:set_timeout(15))
|
||||
ngx.say(myassert(sess:get_timeout()))
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s5.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
15
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 6: SSL (server) set_verify and add_client_ca [tested in get_peer_cert]
|
||||
--- config
|
||||
location /t {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
||||
--- response_body
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 7: SSL (server) get/set/clear options
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s7.sock ssl;
|
||||
server_name test.com;
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
local orig_options = myassert(sess:get_options())
|
||||
ngx.say(orig_options)
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:set_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:set_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
ngx.say(require("cjson").encode(myassert(sess:get_options(true))))
|
||||
|
||||
myassert(sess:clear_options(ssl.SSL_OP_CIPHER_SERVER_PREFERENCE))
|
||||
myassert(sess:clear_options(ssl.SSL_OP_ALLOW_NO_DHE_KEX, ssl.SSL_OP_NO_QUERY_MTU))
|
||||
local new_options = myassert(sess:get_options())
|
||||
if new_options ~= orig_options then
|
||||
ngx.say("options not correct after clear: " ..
|
||||
require("cjson").encode(myassert(sess:get_options(true))))
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s7.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
\d+
|
||||
\[".+"\]
|
||||
.+SSL_OP_ALLOW_NO_DHE_KEX.+SSL_OP_CIPHER_SERVER_PREFERENCE.+SSL_OP_NO_QUERY_MTU.+
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
|
||||
=== TEST 8: SSL (server) set_protocols [skipped; need clienthello_by]
|
||||
--- http_config
|
||||
server {
|
||||
listen unix:/tmp/nginx-s8.sock ssl;
|
||||
server_name test.com;
|
||||
ssl_protocols TLSv1.3;
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
myassert(sess:set_protocols("TLSv1.2"))
|
||||
}
|
||||
|
||||
location /t {
|
||||
content_by_lua_block {
|
||||
local ssl = require "resty.openssl.ssl"
|
||||
local sess = myassert(ssl.from_request())
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
}
|
||||
--- config
|
||||
location /t {
|
||||
proxy_pass https://unix:/tmp/nginx-s8.sock:;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name test.com;
|
||||
proxy_ssl_protocols TLSv1.2;
|
||||
# valgrind be happy
|
||||
proxy_ssl_session_reuse off;
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
ok
|
||||
|
||||
--- no_error_log
|
||||
[error]
|
||||
[emerg]
|
||||
--- skip_nginx
|
||||
2: < 9.9.9
|
|
@ -1,56 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
}
|
||||
};
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Prints version text properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version_text)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Prints version text using version()
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(version.version(version.VERSION))
|
||||
ngx.say(version.version(version.CFLAGS))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like
|
||||
(OpenSSL \d.\d.\d.+|BoringSSL)
|
||||
compiler:.+
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,988 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Rejectes invalid cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local p, err = x509.new(true)
|
||||
ngx.say(err)
|
||||
p, err = x509.new("222")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"expect nil or a string at #1
|
||||
x509.new: .*(not enough data|NOT_ENOUGH_DATA)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Calculates cert digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:digest())
|
||||
|
||||
local h = string.upper(myassert(require("helper").to_hex(dd)))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Calculates pubkey digest
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local dd = myassert(c:pubkey_digest())
|
||||
|
||||
local h, err = string.upper(require("helper").to_hex(dd))
|
||||
ngx.say(h)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"607B661A450D97CA89502F7D04CD34A8FFFCFD4B
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Gets extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ext, pos = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(pos)
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"5
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local c, err = require("resty.openssl.x509").new()
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"extendedKeyUsage", "TLS Web Server Authentication"
|
||||
))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Extended Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ext = myassert(require("resty.openssl.x509.extension").new(
|
||||
"keyUsage", "Digital Signature, Key Encipherment"
|
||||
))
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("X509v3 Key Usage")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"Digital Signature, Key Encipherment
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 10: Reads basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set basic constraints
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c, err = require("resty.openssl.x509").new(f)
|
||||
local ok = myassert(c:set_basic_constraints({
|
||||
CA = false,
|
||||
pathLen = 233,
|
||||
}))
|
||||
|
||||
ngx.say(c:get_basic_constraints("ca"))
|
||||
ngx.say(c:get_basic_constraints("pathlen"))
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"false
|
||||
233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Get authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set authority info access
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local aia = myassert(c:get_info_access())
|
||||
myassert(aia:add("OCSP", "URI", "http://somedomain.com"))
|
||||
|
||||
myassert(c:set_info_access(aia))
|
||||
|
||||
local aia = myassert(c:get_info_access())
|
||||
local ffi = require "ffi"
|
||||
for _, v in ipairs(aia) do
|
||||
ngx.say(ffi.string(ffi.C.OBJ_nid2ln(v[1])), " - ", v[2], ":", v[3])
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
OCSP - URI:http://somedomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Get CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local cdp = myassert(c:get_crl_distribution_points())
|
||||
|
||||
local ffi = require "ffi"
|
||||
for _, altname in pairs(cdp) do
|
||||
for k, v in pairs(altname) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
end
|
||||
collectgarbage("collect")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"URI http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
URI http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: Set CRL distribution points
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
-- NYI
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: Get OCSP url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
|
||||
local ocsp = myassert(c:get_ocsp_url(true))
|
||||
ngx.say(encode_sorted_json(ocsp))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ocsp = myassert(c:get_ocsp_url())
|
||||
ngx.say(ocsp)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://ocsp.digicert.com
|
||||
["http:\/\/ocsp.digicert.com"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: Get CRL url
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
|
||||
local crl = myassert(c:get_crl_url(true))
|
||||
ngx.say(encode_sorted_json(crl))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local crl = myassert(c:get_crl_url())
|
||||
ngx.say(crl)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
'http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
|
||||
["http:\/\/crl3.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl","http:\/\/crl4.digicert.com\/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl"]
|
||||
nil
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: Get non existend extension, return nil, nil
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
ngx.say(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed({ type = "EC", curve = "prime256v1" })
|
||||
local ok, err = cert:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local ok, err = c:check_private_key(key)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = cert:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 20: x509:get_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0E8BF3770D92D196F0BB61F93C4166BE"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509:set_serial_number (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.bn").new(math.random(1, 2333333)))
|
||||
local ok = myassert(c:set_serial_number(toset))
|
||||
|
||||
local get = myassert(c:get_serial_number())
|
||||
get = get:to_hex():upper()
|
||||
toset = toset:to_hex():upper()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509:get_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1616630400"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 23: x509:set_not_before (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_before(toset))
|
||||
|
||||
local get = myassert(c:get_not_before())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509:get_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1648684799"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509:set_not_after (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_not_after(toset))
|
||||
|
||||
local get = myassert(c:get_not_after())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 26: x509:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErfb3dbHTSVQKXRBxvdwlBksiHKIj
|
||||
Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 27: x509:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 28: x509:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=github.com/L=San Francisco/O=GitHub, Inc./ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 29: x509:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 30: x509:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1/O=DigiCert, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 31: x509:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 32: x509:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 33: x509:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 34: x509:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=github.com/DNS=www.github.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 35: x509:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 37: x509:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 38: x509:get/set_basic_constraints_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_basic_constraints_critical())
|
||||
|
||||
local ok, err = myassert(c:set_basic_constraints_critical(not crit))
|
||||
|
||||
ngx.say(c:get_basic_constraints_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 39: x509:get/set_info_access_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_info_access_critical())
|
||||
|
||||
local ok, err = myassert(c:set_info_access_critical(not crit))
|
||||
|
||||
ngx.say(c:get_info_access_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 40: x509:get/set_crl_distribution_points_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local crit = myassert(c:get_crl_distribution_points_critical())
|
||||
|
||||
local ok, err = myassert(c:set_crl_distribution_points_critical(not crit))
|
||||
|
||||
ngx.say(c:get_crl_distribution_points_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 41: x509:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
794
|
||||
ecdsa-with-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,238 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(c:count())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add("DNS", string.format("%d.com", i)))
|
||||
end
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(k, " ", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS 0.com
|
||||
DNS 1.com
|
||||
DNS 2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
local k, v = unpack(c[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
if cc ~= nil then
|
||||
local k, v = unpack(cc)
|
||||
ngx.say(k, " ", v)
|
||||
else
|
||||
ngx.say("incorrectly GC'ed")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
local ok = myassert(c:add("DNS", "example.com"))
|
||||
|
||||
local c2 = myassert(altname.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
local k, v = unpack(c2[1])
|
||||
ngx.say(k, " ", v)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
DNS example.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Unsupported SANs are returned as "unsupported"
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
|
||||
local extension = require "resty.openssl.x509.extension"
|
||||
|
||||
local ext, err = myassert(extension.new("subjectAltName", "otherName:msUPN;UTF8:sb@sb.local,IP.1:255.255.255.255,IP.2:1111:1111:1111:1111:1111:1111:1111:1111,DNS:example.com,email:test@test.com,RID:1.2.3.4"))
|
||||
|
||||
local c = x509.new()
|
||||
|
||||
myassert(c:add_extension(ext))
|
||||
|
||||
local alts = myassert(c:get_subject_alt_name())
|
||||
|
||||
for k, v in pairs(alts) do
|
||||
ngx.say(k, ":", v)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
OtherName:OtherName:<unsupported>
|
||||
IP:255.255.255.255
|
||||
IP:1111:1111:1111:1111:1111:1111:1111:1111
|
||||
DNS:example.com
|
||||
email:test@test.com
|
||||
RID:RID:<unsupported>
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: IP addresses are validated and parsed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname")
|
||||
local c = myassert(altname.new())
|
||||
|
||||
myassert(c:add("IP", "1.2.3.4"))
|
||||
myassert(c:add("IPAddress", "100.100.100.100"))
|
||||
myassert(c:add("IP", "255.255.255.255"))
|
||||
myassert(c:add("IP", "::1"))
|
||||
myassert(c:add("IP", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
|
||||
for _, v in ipairs({"1", ":::", "ffff:", "256.1.1.1"}) do
|
||||
local _, err = c:add("IP", v)
|
||||
if err == nil then
|
||||
ngx.say("should error on " .. v)
|
||||
end
|
||||
end
|
||||
|
||||
ngx.say(c:tostring())
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
IP=1.2.3.4/IP=100.100.100.100/IP=255.255.255.255/IP=::1/IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,173 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
end
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(#cc:digest())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
20
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
cert = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#c[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(#cc:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
local c = myassert(chain.new())
|
||||
|
||||
local ok = myassert(c:add(cert))
|
||||
|
||||
local c2 = myassert(chain.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(#c2[1]:digest())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
20
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,507 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.crl").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.crl").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.crl.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: x509.crl:add_revoked should add revoked to crl
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
return
|
||||
end
|
||||
|
||||
local ok = myassert(c:add_revoked(r))
|
||||
if ok ~= true then
|
||||
ngx.say("Could not add revoked")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: x509.crl:add_revoked should fail if revoked is not instance of revoked
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local ok, err = c:add_revoked({ctx ={}})
|
||||
if ok ~= false then
|
||||
ngx.say("false")
|
||||
elseif err ~= "x509.crl:add_revoked: expect a revoked instance at #1" then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.crl:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local r = myassert(revoked.new(1234, toset, 1))
|
||||
c:add_revoked(r)
|
||||
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: x509.crl:text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
ngx.say(myassert(c:text()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"Certificate Revocation List.+Revoked Certificates.+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.crl metamethods
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2")
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233")
|
||||
ngx.exit(0)
|
||||
end
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:index(1))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = c[1]
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local r = myassert(revoked.new(0x04D2, 1511122233, 1))
|
||||
myassert(c:add_revoked(r))
|
||||
|
||||
ngx.say(#c, ", ", c:count())
|
||||
for _, rr in ipairs(c) do
|
||||
ngx.say(rr.serial_number:upper(), ", ", rr.revocation_date)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
2, 2
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
04D2, 1511122233
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.crl get_by_serial
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").OPENSSL_10 then
|
||||
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue")
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3"))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
s = myassert(c:get_by_serial(require("resty.openssl.bn").from_hex("09159859CAC0C90203BB34C5A012C2A3")))
|
||||
ngx.say(s.serial_number:upper(), ", ", s.revocation_date)
|
||||
|
||||
local nos, err = c:get_by_serial("111111")
|
||||
ngx.say(nos == nil, err == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
09159859CAC0C90203BB34C5A012C2A3, 1577753344
|
||||
truetrue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: x509.crl doesn't error if revoked is empty (regression)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/no_revoked.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
for k, v in pairs(c) do
|
||||
ngx.say(tostring(k))
|
||||
end
|
||||
-- above should print nothing
|
||||
|
||||
ngx.say(c:get_last_update())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1652832000
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 11: x509.crl:get_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=CN/CN=TrustAsia EV TLS Pro CA G2/O=TrustAsia Technologies, Inc."
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.crl:set_issuer_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_issuer_name(toset))
|
||||
|
||||
local get = myassert(c:get_issuer_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: x509.crl:get_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1580684546"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: x509.crl:set_last_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_last_update(toset))
|
||||
|
||||
local get = myassert(c:get_last_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 15: x509.crl:get_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1581289346"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.crl:set_next_update (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_next_update(toset))
|
||||
|
||||
local get = myassert(c:get_next_update())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.crl:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.crl:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.crl:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.crl").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
668
|
||||
RSA-SHA256
|
||||
SHA256
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,56 +0,0 @@
|
|||
|
||||
local function create_csr(domain_pkey, ...)
|
||||
local domains = {...}
|
||||
|
||||
local subject = require("resty.openssl.x509.name").new()
|
||||
local _, err = subject:add("CN", domains[1])
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local alt, err
|
||||
if #{...} > 1 then
|
||||
alt, err = require("resty.openssl.x509.altname").new()
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
for _, domain in pairs(domains) do
|
||||
_, err = alt:add("DNS", domain)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
local _
|
||||
_, err = csr:set_subject_name(subject)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
if alt then
|
||||
_, err = csr:set_subject_alt_name(alt)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
end
|
||||
|
||||
_, err = csr:set_pubkey(domain_pkey)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
local d = require("resty.openssl.digest").new("SHA256")
|
||||
_, err = csr:sign(domain_pkey, d)
|
||||
if err then
|
||||
return nil, err
|
||||
end
|
||||
|
||||
return csr:tostring("DER"), nil
|
||||
end
|
||||
|
||||
return {
|
||||
create_csr = create_csr,
|
||||
}
|
|
@ -1,623 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Loads a csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Converts and loads PEM format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("PEM"))
|
||||
|
||||
for _, typ in ipairs({"PEM", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "DER")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(nested asn1 error|NESTED_ASN1_ERROR).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Converts and loads DER format
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local pem = myassert(c:tostring("DER"))
|
||||
|
||||
for _, typ in ipairs({"DER", "*", false}) do
|
||||
local c2 = myassert(require("resty.openssl.x509.csr").new(pem, typ))
|
||||
end
|
||||
local c2, err = require("resty.openssl.x509.csr").new(pem, "PEM")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"x509.csr.new.+(no start line|NO_START_LINE).+"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Generates CSR with RSA pkey correctly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new()
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(der)
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -inform der -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
".+CN\\s*=\\s*dns1.com.+rsaEncryption.+2048 bit.+DNS:dns1.com.+DNS:dns2.com.+DNS:dns3.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Rejects invalid arguments
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local csr = require("resty.openssl.x509.csr").new()
|
||||
ok, err = csr:set_subject_name("not a subject")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_subject_alt_name("not an alt")
|
||||
ngx.say(err)
|
||||
ok, err = csr:set_pubkey("not a pkey")
|
||||
ngx.say(err)
|
||||
ok, err = csr:sign("not a pkey")
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"x509.csr:set_subject_name: expect a x509.name instance at #1
|
||||
x509.csr:set_subject_alt_name: expect a x509.altname instance at #1
|
||||
x509.csr:set_pubkey: expect a pkey instance at #1
|
||||
x509.csr:sign: expect a pkey instance at #1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: x509.csr:get_extensions of csr
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local exts = c:get_extensions()
|
||||
if #exts == 0 then
|
||||
ngx.print("0")
|
||||
else
|
||||
ngx.print("4")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"4"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 7: x509.csr:get_extension by nid
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, pos = c:get_extension(83)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
|
||||
local ext = c:get_extension(83, pos)
|
||||
if not ext then
|
||||
ngx.say("nil")
|
||||
else
|
||||
ngx.say(pos)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"2
|
||||
nil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: x509.csr:get_extension by nid name
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext = c:get_extension('basicConstraints')
|
||||
if not ext then
|
||||
ngx.print("nil")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: x509.csr:get_extension should return nil if wrong nid name is given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ext, err = c:get_extension('test')
|
||||
if not ext then
|
||||
ngx.print("ok")
|
||||
else
|
||||
ngx.print(err)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Adds extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:add_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.update_time()
|
||||
local fname = "ci_" .. math.floor(ngx.now() * 1000)
|
||||
local f = io.open(fname, "wb")
|
||||
f:write(c:tostring())
|
||||
f:close()
|
||||
ngx.say(io.popen("openssl req -in " .. fname .. " -noout -text", 'r'):read("*a"))
|
||||
os.remove(fname)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"DNS:example.com.+DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Set extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local ext = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local ok = myassert(c:set_extension(ext))
|
||||
|
||||
local ext, _ = c:get_extension("subjectAltName")
|
||||
|
||||
ngx.say(tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS:test.com, DNS:test2.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: x509.csr:sign should succeed
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local d = myassert(require("resty.openssl.digest").new("SHA256"))
|
||||
local p = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:sign(p, d))
|
||||
if ok == false then
|
||||
ngx.say("false")
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Check private key match
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local util = require("csr")
|
||||
local pkey = require("resty.openssl.pkey").new({ type = "EC", curve = "prime256v1" })
|
||||
local der = myassert(util.create_csr(pkey, "dns1.com", "dns2.com", "dns3.com"))
|
||||
local csr = myassert(require("resty.openssl.x509.csr").new(der))
|
||||
local ok, err = csr:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local ok, err = c:check_private_key(pkey)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
|
||||
local key2 = require("resty.openssl.pkey").new({
|
||||
type = 'EC',
|
||||
curve = "prime256v1",
|
||||
})
|
||||
local ok, err = csr:check_private_key(key2)
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
nil
|
||||
false
|
||||
.+(key type mismatch|KEY_TYPE_MISMATCH)
|
||||
.+(key values mismatch|KEY_VALUES_MISMATCH)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
# START AUTO GENERATED CODE
|
||||
|
||||
|
||||
=== TEST 15: x509.csr:get_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"C=US/CN=example.com/L=Los Angeles/O=SSL Support/OU=SSL Support/ST=California"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 16: x509.csr:set_subject_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.name").new():add('CN', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 17: x509.csr:get_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GD
|
||||
CNL5NhDX2JVUQKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUz
|
||||
KoTt5yLdVIM/HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgD
|
||||
cdbcQ5wsPVOiFHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyf
|
||||
gGS4+XQSsUdwNWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1
|
||||
f3rlwf8H5HIVH3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJE
|
||||
cwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 18: x509.csr:set_pubkey (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.pkey").new())
|
||||
local ok = myassert(c:set_pubkey(toset))
|
||||
|
||||
local get = myassert(c:get_pubkey())
|
||||
get = get:to_PEM()
|
||||
toset = toset:to_PEM()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 19: x509.csr:get_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 20: x509.csr:set_version (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = ngx.time()
|
||||
local ok = myassert(c:set_version(toset))
|
||||
|
||||
local get = myassert(c:get_version())
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 21: x509.csr:get_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
ngx.print(get)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"DNS=example.com"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 22: x509.csr:set_subject_alt_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
local toset = myassert(require("resty.openssl.x509.altname").new():add('DNS', 'earth.galaxy'))
|
||||
local ok = myassert(c:set_subject_alt_name(toset))
|
||||
|
||||
local get = myassert(c:get_subject_alt_name())
|
||||
get = get:tostring()
|
||||
toset = toset:tostring()
|
||||
if get ~= toset then
|
||||
ngx.say(get)
|
||||
ngx.say(toset)
|
||||
else
|
||||
ngx.print("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 24: x509.csr:get/set_subject_alt_name_critical (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local crit = myassert(c:get_subject_alt_name_critical())
|
||||
|
||||
local ok, err = myassert(c:set_subject_alt_name_critical(not crit))
|
||||
|
||||
ngx.say(c:get_subject_alt_name_critical() == not crit)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
true
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 25: x509.csr:get_get_signature_name (AUTOGEN)
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/test.csr"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509.csr").new(f))
|
||||
|
||||
local nid = myassert(c:get_signature_nid())
|
||||
|
||||
ngx.say(nid)
|
||||
|
||||
local name = myassert(c:get_signature_name())
|
||||
|
||||
ngx.say(name)
|
||||
|
||||
local name = myassert(c:get_signature_digest_name())
|
||||
|
||||
ngx.say(name)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body
|
||||
65
|
||||
RSA-SHA1
|
||||
SHA1
|
||||
--- no_error_log
|
||||
[error]
|
||||
# END AUTO GENERATED CODE
|
|
@ -1,379 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
_G.encode_sorted_json = require("helper").encode_sorted_json
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Gets extension object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
|
||||
ngx.say(encode_sorted_json(myassert(c:get_object())))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.37","ln":"X509v3 Extended Key Usage","nid":126,"sn":"extendedKeyUsage"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Gets extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
|
||||
local extension, _, err = c:get_extension("X509v3 Extended Key Usage")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"true
|
||||
false
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Set extension critical
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("extendedKeyUsage",
|
||||
"serverAuth,clientAuth"))
|
||||
myassert(c:set_critical())
|
||||
ngx.say(c:get_critical())
|
||||
|
||||
myassert(c:set_critical(true))
|
||||
ngx.say(c:get_critical())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Prints human readable txt of extension
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(extension:text())
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(tostring(extension))
|
||||
|
||||
-- unknown extension
|
||||
local objects = require("resty.openssl.objects")
|
||||
local id_pe_acmeIdentifier = "1.3.6.1.5.5.7.1.31"
|
||||
local nid = objects.txt2nid(id_pe_acmeIdentifier)
|
||||
if not nid or nid == 0 then
|
||||
nid = objects.create(
|
||||
id_pe_acmeIdentifier, -- nid
|
||||
"pe-acmeIdentifier", -- sn
|
||||
"ACME Identifier" -- ln
|
||||
)
|
||||
end
|
||||
local ext = myassert(require("resty.openssl.x509.extension").from_der("valuevalue", nid, true))
|
||||
ngx.say("ACME Identifier: ", tostring(ext))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
OCSP - URI:http://ocsp.digicert.com
|
||||
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
|
||||
.?ACME Identifier: valuevalue
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Creates extension by X509V3_CTX
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local x509 = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.crt"):read("*a")
|
||||
local ic = myassert(require("resty.openssl.x509").new(f))
|
||||
f = io.open("t/fixtures/test.key"):read("*a")
|
||||
local ik = myassert(require("resty.openssl.pkey").new(f))
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("subjectKeyIdentifier", "hash",
|
||||
{
|
||||
subject = x509,
|
||||
}))
|
||||
|
||||
ngx.say(tostring(c))
|
||||
|
||||
if require("resty.openssl.version").OPENSSL_3X then
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
}))
|
||||
|
||||
if tostring(c) ~= "0." then
|
||||
ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
|
||||
end
|
||||
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = x509,
|
||||
issuer_pkey = ik,
|
||||
}))
|
||||
-- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
|
||||
ngx.print("keyid:")
|
||||
else
|
||||
c = myassert(extension.new("authorityKeyIdentifier", "keyid",
|
||||
{
|
||||
subject = x509,
|
||||
issuer = ic,
|
||||
}))
|
||||
end
|
||||
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
|
||||
keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Creates extension by data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.17","ln":"X509v3 Subject Alternative Name","nid":85,"sn":"subjectAltName"}
|
||||
DNS:test.com, DNS:test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Convert extension to data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local altname = require("resty.openssl.x509.altname").new()
|
||||
myassert(altname:add("DNS", "test.com"))
|
||||
myassert(altname:add("DNS", "test2.com"))
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_data(altname, 85, false))
|
||||
|
||||
local alt2 = myassert(extension.to_data(c, 85))
|
||||
ngx.say(alt2:tostring())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'DNS=test.com/DNS=test2.com
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Creates extension by der
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.from_der("\x00\x01\x02\x03", "basicConstraints"))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.19","ln":"X509v3 Basic Constraints","nid":87,"sn":"basicConstraints"}
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Creates extension by nconf
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
if require("resty.openssl.version").BORINGSSL then
|
||||
ngx.say([[
|
||||
{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
]])
|
||||
ngx.exit(0)
|
||||
end
|
||||
|
||||
local extension = require("resty.openssl.x509.extension")
|
||||
local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
|
||||
[[
|
||||
[polsect]
|
||||
policyIdentifier = 1.3.5.8
|
||||
CPS.1="http://my.host.name/"
|
||||
CPS.2="http://my.your.name/"
|
||||
userNotice.1=@notice
|
||||
|
||||
[notice]
|
||||
explicitText="Explicit Text Here"
|
||||
organization="Organisation Name"
|
||||
noticeNumbers=1,2,3,4
|
||||
]]
|
||||
))
|
||||
|
||||
ngx.say(encode_sorted_json(c:get_object()))
|
||||
ngx.say(tostring(c))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
'{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
|
||||
Policy: 1.2.3.4
|
||||
Policy: 1.5.6.7.8
|
||||
Policy: 1.3.5.8
|
||||
CPS: http://my.host.name/
|
||||
CPS: http://my.your.name/
|
||||
User Notice:
|
||||
Organization: Organisation Name
|
||||
Numbers: 1, 2, 3, 4
|
||||
Explicit Text: Explicit Text Here
|
||||
'
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Returns DER encoded data
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local f = io.open("t/fixtures/Github.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local extension, _, err = c:get_extension("subjectKeyIdentifier")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
|
||||
local extension, _, err = c:get_extension("Authority Information Access")
|
||||
if err then
|
||||
ngx.log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
ngx.say(require("helper").to_hex(extension:to_der()))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"041427B17E9FBB269950D8F3C3535BFE3116B0BB1E72
|
||||
308182302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305A06082B06010505073002864E687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274486967684173737572616E6365544C53487962726964454343534841323536323032304341312E637274
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,180 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
ngx.say(#c)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"0
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Adds elements to stack properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
ngx.say(#c)
|
||||
ngx.say(#c:all())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"3
|
||||
3
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Element can be indexed properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
for i=0,2,1 do
|
||||
local ok = myassert(c:add(ext))
|
||||
end
|
||||
|
||||
collectgarbage()
|
||||
|
||||
for _, cc in ipairs(c) do
|
||||
ngx.say(cc:text())
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Element is duplicated when added to stack
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
ext = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 5: Element is duplicated when returned
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local cc = c[1]
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(cc:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 6: Element is not freed when stack is duplicated
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local extension_lib = require("resty.openssl.x509.extension")
|
||||
local ext = extension_lib.new("extendedKeyUsage", "serverAuth,clientAuth")
|
||||
local extensions = require("resty.openssl.x509.extensions")
|
||||
local c = myassert(extensions.new())
|
||||
|
||||
local ok = myassert(c:add(ext))
|
||||
|
||||
local c2 = myassert(extensions.dup(c.ctx))
|
||||
|
||||
c = nil
|
||||
collectgarbage("collect")
|
||||
ngx.say(c2:count())
|
||||
ngx.say(c2[1]:text())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"1
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,139 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Duplicate the ctx
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
require('ffi').cdef('typedef struct X509_name_st X509_NAME; void X509_NAME_free(X509_NAME *name);')
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local name2 = myassert(require("resty.openssl.x509.name").dup(name.ctx))
|
||||
|
||||
name = nil
|
||||
collectgarbage("collect")
|
||||
-- if name2.ctx is also freed this following will segfault
|
||||
local _ = myassert(name2:add("CN", "example.com"))
|
||||
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2: Rejects invalid NID
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name, err = name:add("whatever", "value")
|
||||
ngx.say(name == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.name:add: invalid NID text whatever
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Finds by text
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
name = myassert(name:add("CN", "example.com"))
|
||||
|
||||
name = myassert(name:add("CN", "anotherdomain.com"))
|
||||
|
||||
local a, b, c = name:find("CN")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("2.5.4.3")
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
local a, b, c = name:find("CM")
|
||||
if not a then
|
||||
ngx.say("not found")
|
||||
end
|
||||
local a, b, c = name:find("CN", 1)
|
||||
if a then
|
||||
ngx.say("found ", b, " ", a.blob)
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"found 1 example.com
|
||||
found 1 example.com
|
||||
not found
|
||||
found 2 anotherdomain.com
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 4: Pairs
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local name = myassert(require("resty.openssl.x509.name").new())
|
||||
|
||||
local CNs = 3
|
||||
for i=1,CNs,1 do
|
||||
name = myassert(name:add("CN", string.format("%d.example.com", i)))
|
||||
end
|
||||
local others = { "L", "ST", "O" }
|
||||
for _, k in ipairs(others) do
|
||||
name = myassert(name:add(k, "Mars"))
|
||||
end
|
||||
ngx.say(#name)
|
||||
for k, v in pairs(name) do
|
||||
ngx.print(v.nid .. ",")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"6
|
||||
13,13,13,15,16,17,"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,69 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
no_long_string();
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1:revoked.new should create new revoked instance
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local time = ngx.time()
|
||||
local r, err = myassert(revoked.new(1234, time, 1))
|
||||
if not revoked.istype(r) then
|
||||
ngx.say("it should be instance of revoked")
|
||||
else
|
||||
ngx.say("ok")
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"ok
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 2:revoked.new should fail when invalid parameters are given
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local revoked = myassert(require("resty.openssl.x509.revoked"))
|
||||
local toset = ngx.time()
|
||||
local r, err = revoked.new("1234", toset, 40)
|
||||
ngx.say(r == nil)
|
||||
ngx.say(err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"true
|
||||
x509.revoked.new: sn should be number or a bn instance
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
|
@ -1,529 +0,0 @@
|
|||
# vim:set ft= ts=4 sw=4 et fdm=marker:
|
||||
|
||||
use Test::Nginx::Socket::Lua 'no_plan';
|
||||
use Cwd qw(cwd);
|
||||
|
||||
|
||||
my $pwd = cwd();
|
||||
|
||||
my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
|
||||
|
||||
our $HttpConfig = qq{
|
||||
lua_package_path "$pwd/t/openssl/?.lua;$pwd/t/openssl/x509/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
|
||||
init_by_lua_block {
|
||||
if "1" == "$use_luacov" then
|
||||
require 'luacov.tick'
|
||||
jit.off()
|
||||
end
|
||||
_G.myassert = require("helper").myassert
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
run_tests();
|
||||
|
||||
__DATA__
|
||||
=== TEST 1: Creates store properly
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local c = myassert(store.new())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 2: Loads a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert, key = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 3: Loads default location
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
myassert(s:use_default())
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
""
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 4: Loads file
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok, err = s:load_file("certnonexistent.pem")
|
||||
ngx.say(ok)
|
||||
ngx.say(err)
|
||||
os.execute("echo > cert4-empty.pem")
|
||||
local ok, err = s:load_file("cert4-empty.pem")
|
||||
ngx.say(ok)
|
||||
-- we only get detailed error for "no certificate found" on >= 1.1.1
|
||||
ngx.say(err)
|
||||
os.remove("cert4-empty.pem")
|
||||
local cert, _ = require("helper").create_self_signed()
|
||||
local f = io.open("cert4.pem", "w")
|
||||
f:write(cert:tostring())
|
||||
f:close()
|
||||
local ok = myassert(s:load_file("cert4.pem"))
|
||||
os.remove("cert4.pem")
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"false
|
||||
x509.store:load_file.+system lib.*
|
||||
false
|
||||
x509.store:load_file.+
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 5: Verifies a x509 object
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local cert1, key1 = require("helper").create_self_signed()
|
||||
local cert2, key2 = require("helper").create_self_signed()
|
||||
local cert3, key3 = require("helper").create_self_signed()
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:add(cert1))
|
||||
|
||||
local ok = myassert(s:add(cert2))
|
||||
|
||||
local chain = myassert(s:verify(cert1, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
local chain, err = s:verify(cert3, nil, true)
|
||||
ngx.say(err)
|
||||
ngx.say(chain == nil)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
(?:self signed|self-signed) certificate
|
||||
true
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
|
||||
=== TEST 6: Using default CAs (skip due to hard to setup on custom-built openssl env)
|
||||
--- SKIP
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:use_default())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 7: Loads directory
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local ok = myassert(s:load_directory("/etc/ssl/certs"))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(require("resty.openssl.x509").new(f))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
ngx.say(#chain)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"1
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 8: Verifies sub cert
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
|
||||
local chain = myassert(s:verify(c, nil, true))
|
||||
|
||||
for _, c in ipairs(chain) do
|
||||
ngx.say(helper.to_hex(c:digest()))
|
||||
end
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body eval
|
||||
"B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
C187B85714202A2941E8EAFB846C39EB1F9C609A
|
||||
B1BC968BD4F49D622AA89A81F2150152A41D829C
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 9: Set purpose
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("crlsign"))
|
||||
|
||||
local ok, err = s:verify(c, nil, false)
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 10: Set depth
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[1]))
|
||||
local ch = chain.new()
|
||||
for i=2, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should be ok
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
-- in openssl < 1.1.0, depth are counted 1 more than later versions
|
||||
-- we set it to be one less than enough to be prune to that case
|
||||
myassert(s:set_depth(1))
|
||||
-- openssl 1.0.2 will emit "unable to get local issuer certificate"
|
||||
-- instead of "certificate chain too long"
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"truenil
|
||||
nil(?:certificate chain too long|unable to get local issuer certificate)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 11: Verify with verify_method
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require("helper")
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local s = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local chain = myassert(s:add(c))
|
||||
|
||||
local f = io.open("t/fixtures/GlobalSign_sub.pem"):read("*a")
|
||||
local c = myassert(x509.new(f))
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "ssl_client")
|
||||
ngx.say(ok, err)
|
||||
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
|
||||
myassert(s:set_purpose("sslclient"))
|
||||
local ok, err = s:verify(c, nil, false, nil, "default")
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:unsupported|unsuitable) certificate purpose
|
||||
truenil
|
||||
nil(?:unsupported|unsuitable) certificate purpose
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 12: Set flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
myassert(s:set_flags(s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 13: Set verify time flags
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local helper = require "t.openssl.helper"
|
||||
local store = require("resty.openssl.x509.store")
|
||||
local chain = require("resty.openssl.x509.chain")
|
||||
|
||||
local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
|
||||
local s = myassert(store.new())
|
||||
myassert(s:add(certs[2]))
|
||||
local ch = chain.new()
|
||||
for i=3, #certs-1 do
|
||||
myassert(ch:add(certs[i]))
|
||||
end
|
||||
-- should not be ok, need root CA
|
||||
ngx.say(s:verify(certs[#certs], ch))
|
||||
|
||||
ngx.say(s:verify(certs[#certs], ch, false, nil, nil, s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nilunable to get issuer certificate
|
||||
truenil
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
|
||||
=== TEST 14: Check revocation
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local crl = require("resty.openssl.x509.crl")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
|
||||
local s1 = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/crl/rootca.cert.pem"):read("*a")
|
||||
local rootca = myassert(x509.new(f))
|
||||
local f = io.open("t/fixtures/crl/subca.cert.pem"):read("*a")
|
||||
local subca = myassert(x509.new(f))
|
||||
|
||||
local f = io.open("t/fixtures/crl/valid.cert.pem"):read("*a")
|
||||
local valid_cert = myassert(x509.new(f))
|
||||
local f = io.open("t/fixtures/crl/revoked.cert.pem"):read("*a")
|
||||
local revoked_cert = myassert(x509.new(f))
|
||||
|
||||
local f = io.open("t/fixtures/crl/crl.pem"):read("*a")
|
||||
local c = myassert(crl.new(f))
|
||||
|
||||
myassert(s1:add(rootca))
|
||||
myassert(s1:add(subca))
|
||||
|
||||
-- add crl to store, but skip setting the flag
|
||||
myassert(s1:add(c, true))
|
||||
|
||||
-- to get the verified_chain first
|
||||
local chain1 = myassert(s1:verify(valid_cert, nil, true))
|
||||
local chain2 = myassert(s1:verify(revoked_cert, nil, true))
|
||||
|
||||
-- no verified_chain
|
||||
local ok, err = s1:check_revocation()
|
||||
ngx.say(ok, err)
|
||||
|
||||
-- should succeed
|
||||
local ok, err = s1:check_revocation(chain1)
|
||||
ngx.say(ok, err)
|
||||
|
||||
-- revoked
|
||||
local ok, err = s1:check_revocation(chain2)
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:x509\.store:check_revocation: expect a x509\.chain instance at #1|x509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
(?:truenil|nilx509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
nil(?:certificate revoked|x509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
--- skip_openssl
|
||||
3: < 1.1.0
|
||||
|
||||
=== TEST 15: Check revocation only supported from OpenSSL 1.1.0
|
||||
--- http_config eval: $::HttpConfig
|
||||
--- config
|
||||
location =/t {
|
||||
content_by_lua_block {
|
||||
local x509 = require("resty.openssl.x509")
|
||||
local crl = require("resty.openssl.x509.crl")
|
||||
local store = require("resty.openssl.x509.store")
|
||||
|
||||
local s1 = myassert(store.new())
|
||||
|
||||
local f = io.open("t/fixtures/crl/rootca.cert.pem"):read("*a")
|
||||
local rootca = myassert(x509.new(f))
|
||||
local f = io.open("t/fixtures/crl/subca.cert.pem"):read("*a")
|
||||
local subca = myassert(x509.new(f))
|
||||
|
||||
local f = io.open("t/fixtures/crl/valid.cert.pem"):read("*a")
|
||||
local valid_cert = myassert(x509.new(f))
|
||||
local f = io.open("t/fixtures/crl/revoked.cert.pem"):read("*a")
|
||||
local revoked_cert = myassert(x509.new(f))
|
||||
|
||||
local f = io.open("t/fixtures/crl/crl.pem"):read("*a")
|
||||
local c = myassert(crl.new(f))
|
||||
|
||||
myassert(s1:add(rootca))
|
||||
myassert(s1:add(subca))
|
||||
|
||||
-- add crl to store, but skip setting the flag
|
||||
myassert(s1:add(c, true))
|
||||
|
||||
-- to get the verified_chain first
|
||||
local chain1 = myassert(s1:verify(valid_cert, nil, true))
|
||||
local chain2 = myassert(s1:verify(revoked_cert, nil, true))
|
||||
|
||||
local ok, err = s1:check_revocation()
|
||||
ngx.say(ok, err)
|
||||
|
||||
local ok, err = s1:check_revocation(chain1)
|
||||
ngx.say(ok, err)
|
||||
|
||||
local ok, err = s1:check_revocation(chain2)
|
||||
ngx.say(ok, err)
|
||||
}
|
||||
}
|
||||
--- request
|
||||
GET /t
|
||||
--- response_body_like eval
|
||||
"nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
|
||||
"
|
||||
--- no_error_log
|
||||
[error]
|
||||
--- skip_openssl
|
||||
3: >= 1.1.0
|