Fix OCSP stapling
This commit is contained in:
Dayang Shen
parent
e3e8df6aff
commit
8ab1a31daf
2 changed files with 18 additions and 4 deletions
|
|
@ -247,7 +247,7 @@ function _M.call()
|
|||
hostname = DEFAULT_CERT_HOSTNAME
|
||||
end
|
||||
|
||||
local cert, priv_key, get_err
|
||||
local cert, priv_key, get_err, der_cert, der_cert_err
|
||||
local pem_cert_uid = get_pem_cert_uid(hostname)
|
||||
if not pem_cert_uid then
|
||||
pem_cert_uid = get_pem_cert_uid(DEFAULT_CERT_HOSTNAME)
|
||||
|
|
@ -262,6 +262,7 @@ function _M.call()
|
|||
if cached_entry then
|
||||
cert = cached_entry.cert
|
||||
priv_key = cached_entry.priv_key
|
||||
der_cert = cached_entry.der_cert
|
||||
else
|
||||
local pem_cert = certificate_data:get(pem_cert_uid)
|
||||
if not pem_cert then
|
||||
|
|
@ -270,13 +271,19 @@ function _M.call()
|
|||
return
|
||||
end
|
||||
|
||||
der_cert, der_cert_err = ssl.cert_pem_to_der(pem_cert)
|
||||
if not der_cert then
|
||||
ngx.log(ngx.ERR, "failed to convert certificate chain from PEM to DER: " .. der_cert_err)
|
||||
return ngx.exit(ngx.ERROR)
|
||||
end
|
||||
|
||||
cert, priv_key, get_err = get_cert_and_priv_key(pem_cert)
|
||||
if get_err then
|
||||
ngx.log(ngx.ERR, get_err)
|
||||
return ngx.exit(ngx.ERROR)
|
||||
end
|
||||
|
||||
cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key })
|
||||
cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key, der_cert = der_cert })
|
||||
end
|
||||
|
||||
local clear_ok, clear_err = ssl.clear_certs()
|
||||
|
|
|
|||
|
|
@ -66,6 +66,13 @@ describe("Certificate", function()
|
|||
return "priv_key", nil
|
||||
end
|
||||
end
|
||||
ssl.cert_pem_to_der = function(cert)
|
||||
if cert == "invalid" then
|
||||
return nil, "bad format"
|
||||
else
|
||||
return "der_cert", nil
|
||||
end
|
||||
end
|
||||
ssl.set_cert = function(cert) return true, "" end
|
||||
ssl.set_priv_key = function(priv_key) return true, "" end
|
||||
|
||||
|
|
@ -121,7 +128,7 @@ describe("Certificate", function()
|
|||
spy.on(ngx, "log")
|
||||
|
||||
refute_certificate_is_set()
|
||||
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format")
|
||||
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
|
||||
end)
|
||||
|
||||
it("uses default certificate when there's none found for given hostname", function()
|
||||
|
|
@ -141,7 +148,7 @@ describe("Certificate", function()
|
|||
spy.on(ngx, "log")
|
||||
|
||||
refute_certificate_is_set()
|
||||
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to parse PEM certificate chain: bad format")
|
||||
assert.spy(ngx.log).was_called_with(ngx.ERR, "failed to convert certificate chain from PEM to DER: bad format")
|
||||
end)
|
||||
|
||||
describe("OCSP stapling", function()
|
||||
|
|
|
|||
Loading…
Reference in a new issue