DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix OCSP stapling

Browse source
This commit is contained in:
Dayang Shen 2022-02-23 22:42:09 +08:00
parent e3e8df6aff
commit 8ab1a31daf
2 changed files with 18 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
rootfs/etc/nginx/lua/certificate.lua
View file

@ -247,7 +247,7 @@ function _M.call()
hostname = DEFAULT_CERT_HOSTNAME hostname = DEFAULT_CERT_HOSTNAME
end end
local cert, priv_key, get_err local cert, priv_key, get_err, der_cert, der_cert_err
local pem_cert_uid = get_pem_cert_uid(hostname) local pem_cert_uid = get_pem_cert_uid(hostname)
if not pem_cert_uid then if not pem_cert_uid then
pem_cert_uid = get_pem_cert_uid(DEFAULT_CERT_HOSTNAME) pem_cert_uid = get_pem_cert_uid(DEFAULT_CERT_HOSTNAME)
@ -262,6 +262,7 @@ function _M.call()
if cached_entry then if cached_entry then
cert = cached_entry.cert cert = cached_entry.cert
priv_key = cached_entry.priv_key priv_key = cached_entry.priv_key
der_cert = cached_entry.der_cert
else else
local pem_cert = certificate_data:get(pem_cert_uid) local pem_cert = certificate_data:get(pem_cert_uid)
if not pem_cert then if not pem_cert then
@ -270,13 +271,19 @@ function _M.call()
return return
end end
der_cert, der_cert_err = ssl.cert_pem_to_der(pem_cert)
if not der_cert then
ngx.log(ngx.ERR, "failed to convert certificate chain from PEM to DER: " .. der_cert_err)
return ngx.exit(ngx.ERROR)
end
cert, priv_key, get_err = get_cert_and_priv_key(pem_cert) cert, priv_key, get_err = get_cert_and_priv_key(pem_cert)
if get_err then if get_err then
ngx.log(ngx.ERR, get_err) ngx.log(ngx.ERR, get_err)
return ngx.exit(ngx.ERROR) return ngx.exit(ngx.ERROR)
end end
cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key }) cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key, der_cert = der_cert })
end end
local clear_ok, clear_err = ssl.clear_certs() local clear_ok, clear_err = ssl.clear_certs()

11
rootfs/etc/nginx/lua/test/certificate_test.lua
View file

@ -64,7 +64,14 @@ describe("Certificate", function()
return nil, "bad format" return nil, "bad format"
else else
return "priv_key", nil return "priv_key", nil
end
end end
ssl.cert_pem_to_der = function(cert)
if cert == "invalid" then
return nil, "bad format"
else
return "der_cert", nil
end
end end
ssl.set_cert = function(cert) return true, "" end ssl.set_cert = function(cert) return true, "" end
ssl.set_priv_key = function(priv_key) return true, "" end ssl.set_priv_key = function(priv_key) return true, "" end
@ -121,7 +128,7 @@ describe("Certificate", function()
spy.on(ngx, "log") spy.on(ngx, "log")
refute_certificate_is_set() refute_certificate_is_set()
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format") assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
end) end)
it("uses default certificate when there's none found for given hostname", function() it("uses default certificate when there's none found for given hostname", function()
@ -141,7 +148,7 @@ describe("Certificate", function()
spy.on(ngx, "log") spy.on(ngx, "log")
refute_certificate_is_set() refute_certificate_is_set()
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format") assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
end) end)
describe("OCSP stapling", function() describe("OCSP stapling", function()