From 8ab1a31daf823ad4dc8d64d3009a8e307af25060 Mon Sep 17 00:00:00 2001
From: Dayang Shen
Date: Wed, 23 Feb 2022 22:42:09 +0800
Subject: [PATCH] Fix OCSP stapling
---
 rootfs/etc/nginx/lua/certificate.lua | 11 +++++++++--
 rootfs/etc/nginx/lua/test/certificate_test.lua | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index ebf160bf8..63245073d 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -247,7 +247,7 @@ function _M.call()
     hostname = DEFAULT_CERT_HOSTNAME
   end
 
-  local cert, priv_key, get_err
+  local cert, priv_key, get_err, der_cert, der_cert_err
   local pem_cert_uid = get_pem_cert_uid(hostname)
   if not pem_cert_uid then
     pem_cert_uid = get_pem_cert_uid(DEFAULT_CERT_HOSTNAME)
@@ -262,6 +262,7 @@ function _M.call()
   if cached_entry then
     cert = cached_entry.cert
     priv_key = cached_entry.priv_key
+    der_cert = cached_entry.der_cert
   else
     local pem_cert = certificate_data:get(pem_cert_uid)
     if not pem_cert then
@@ -270,13 +271,19 @@ function _M.call()
       return
     end
 
+    der_cert, der_cert_err = ssl.cert_pem_to_der(pem_cert)
+    if not der_cert then
+      ngx.log(ngx.ERR, "failed to convert certificate chain from PEM to DER: " .. der_cert_err)
+      return ngx.exit(ngx.ERROR)
+    end
+
     cert, priv_key, get_err = get_cert_and_priv_key(pem_cert)
     if get_err then
       ngx.log(ngx.ERR, get_err)
       return ngx.exit(ngx.ERROR)
     end
 
-    cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key })
+    cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key, der_cert = der_cert })
   end
 
   local clear_ok, clear_err = ssl.clear_certs()
diff --git a/rootfs/etc/nginx/lua/test/certificate_test.lua b/rootfs/etc/nginx/lua/test/certificate_test.lua
index 685201e03..ced4b80b7 100644
--- a/rootfs/etc/nginx/lua/test/certificate_test.lua
+++ b/rootfs/etc/nginx/lua/test/certificate_test.lua
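Review bot: The new error log in the third hunk builds its message with `.. der_cert_err`, which would raise a Lua error inside the certificate handler if `ssl.cert_pem_to_der` ever returned nil without a message; passing the parts as separate arguments, `ngx.log(ngx.ERR, "failed to convert certificate chain from PEM to DER: ", tostring(der_cert_err))`, keeps the same text and cannot throw. Because the conversion now runs before `get_cert_and_priv_key`, a PEM that is not parseable is reported as a DER conversion failure rather than a parse failure, which deserves a one-line comment above the call so the changed log text is not mistaken for a regression. In the first hunk `der_cert_err` is declared at function scope although it is only read in this branch; keeping `der_cert` there (the cached path assigns it) and declaring `local der_cert_err` next to the call would narrow it. `_M.call` starts and ends outside these hunks, so the place where `der_cert` is consumed for stapling is not visible here.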
@@ -64,7 +64,14 @@ describe("Certificate", function()
         return nil, "bad format"
       else
         return "priv_key", nil
+      end
       end
+      ssl.cert_pem_to_der = function(cert)
+        if cert == "invalid" then
+          return nil, "bad format"
+        else
+          return "der_cert", nil
+        end
       end
       ssl.set_cert = function(cert) return true, "" end
       ssl.set_priv_key = function(priv_key) return true, "" end
@@ -121,7 +128,7 @@ describe("Certificate", function()
       spy.on(ngx, "log")
       refute_certificate_is_set()
 
-      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format")
+      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
     end)
 
     it("uses default certificate when there's none found for given hostname", function()
@@ -141,7 +148,7 @@ describe("Certificate", function()
       spy.on(ngx, "log")
       refute_certificate_is_set()
 
-      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format")
+      assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
     end)
 
     describe("OCSP stapling", function()
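Review bot: The second and third hunks only swap the expected log text, so the `"failed to parse PEM certificate chain: ..."` path is no longer exercised by any visible test: with the new stub, an `"invalid"` PEM now fails in `ssl.cert_pem_to_der` before the PEM parsing stubs are reached. A case in which `ssl.cert_pem_to_der` succeeds while the PEM parsing stub still returns `nil, "bad format"` would keep that branch covered, and it is the one that guards the private-key handling. In the first hunk the diff places the `+      end` lines oddly, but the net effect is to close the existing stub and define `ssl.cert_pem_to_der` alongside it; if the surrounding setup restores the other `ssl` stubs in a teardown, the new one presumably needs the same treatment, which is outside this hunk.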