Posted to notifications@apisix.apache.org by sh...@apache.org on 2021/05/09 19:54:32 UTC
[apisix] branch master updated: feat: validate ssl certificate and
more in the DP (#4202)
This is an automated email from the ASF dual-hosted git repository.
shuyangw pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 1e944bf feat: validate ssl certificate and more in the DP (#4202)
1e944bf is described below
commit 1e944bfde80f73ced7b059df75dd1fe2ca0136c4
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Mon May 10 03:54:24 2021 +0800
feat: validate ssl certificate and more in the DP (#4202)
Signed-off-by: spacewander <sp...@gmail.com>
---
apisix/admin/ssl.lua | 30 +----------------
apisix/ssl.lua | 47 ++++++++++++++++++++++++--
apisix/ssl/router/radixtree_sni.lua | 9 +++--
t/config-center-yaml/ssl.t | 66 ++++++++++++++++++++++++++++++++++++-
4 files changed, 117 insertions(+), 35 deletions(-)
diff --git a/apisix/admin/ssl.lua b/apisix/admin/ssl.lua
index aec6b84..b24d014 100644
--- a/apisix/admin/ssl.lua
+++ b/apisix/admin/ssl.lua
@@ -47,40 +47,12 @@ local function check_conf(id, conf, need_id)
core.log.info("schema: ", core.json.delay_encode(core.schema.ssl))
core.log.info("conf : ", core.json.delay_encode(conf))
- local ok, err = core.schema.check(core.schema.ssl, conf)
- if not ok then
- return nil, {error_msg = "invalid configuration: " .. err}
- end
- local ok, err = apisix_ssl.validate(conf.cert, conf.key)
+ local ok, err = apisix_ssl.check_ssl_conf(false, conf)
if not ok then
return nil, {error_msg = err}
end
- local numcerts = conf.certs and #conf.certs or 0
- local numkeys = conf.keys and #conf.keys or 0
- if numcerts ~= numkeys then
- return nil, {error_msg = "mismatched number of certs and keys"}
- end
-
- for i = 1, numcerts do
- local ok, err = apisix_ssl.validate(conf.certs[i], conf.keys[i])
- if not ok then
- return nil, {error_msg = "failed to handle cert-key pair[" .. i .. "]: " .. err}
- end
- end
-
- if conf.client then
- if not apisix_ssl.support_client_verification() then
- return nil, {error_msg = "client tls verify unsupported"}
- end
-
- local ok, err = apisix_ssl.validate(conf.client.ca, nil)
- if not ok then
- return nil, {error_msg = "failed to validate client_cert: " .. err}
- end
- end
-
return need_id and id or true
end
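Review bot: The replacement call `apisix_ssl.check_ssl_conf(false, conf)` passes a bare boolean whose meaning (this is the Admin API, not the data plane, so the callee must also run the schema check) is only visible inside the callee; a one-line comment above the call keeps that readable here, e.g. `-- false: not in the DP, so check_ssl_conf runs core.schema.check as well`. Everything that was validated inline before now lives in `apisix_ssl.check_ssl_conf`, and its `err` string is still wrapped into `{error_msg = err}`, so the Admin API response shape is unchanged. `check_conf` starts before this hunk.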
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index c48f563..1dc9cb3 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
@@ -95,7 +95,7 @@ local function aes_decrypt_pkey(origin)
end
-function _M.validate(cert, key)
+local function validate(cert, key)
local parsed_cert, err = ngx_ssl.parse_pem_cert(cert)
if not parsed_cert then
return nil, "failed to parse cert: " .. err
@@ -119,6 +119,7 @@ function _M.validate(cert, key)
-- TODO: check if key & cert match
return true
end
+_M.validate = validate
local function parse_pem_cert(sni, cert)
@@ -157,9 +158,51 @@ function _M.fetch_pkey(sni, pkey)
end
-function _M.support_client_verification()
+local function support_client_verification()
return ngx_ssl.verify_client ~= nil
end
+_M.support_client_verification = support_client_verification
+
+
+function _M.check_ssl_conf(in_dp, conf)
+ if not in_dp then
+ local ok, err = core.schema.check(core.schema.ssl, conf)
+ if not ok then
+ return nil, "invalid configuration: " .. err
+ end
+ end
+
+ local ok, err = validate(conf.cert, conf.key)
+ if not ok then
+ return nil, err
+ end
+
+ local numcerts = conf.certs and #conf.certs or 0
+ local numkeys = conf.keys and #conf.keys or 0
+ if numcerts ~= numkeys then
+ return nil, "mismatched number of certs and keys"
+ end
+
+ for i = 1, numcerts do
+ local ok, err = validate(conf.certs[i], conf.keys[i])
+ if not ok then
+ return nil, "failed to handle cert-key pair[" .. i .. "]: " .. err
+ end
+ end
+
+ if conf.client then
+ if not support_client_verification() then
+ return nil, "client tls verify unsupported"
+ end
+
+ local ok, err = validate(conf.client.ca, nil)
+ if not ok then
+ return nil, "failed to validate client_cert: " .. err
+ end
+ end
+
+ return true
+end
return _M
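Review bot: `_M.check_ssl_conf` has no doc comment, and the `in_dp` flag needs one because it silently skips `core.schema.check`; a reader has to know that the DP path presumably relies on the `item_schema` passed to `core.config.new` for that check instead. Propose an LDoc block above the function with the summary "Validate an SSL object: the cert/key pair, any extra cert/key pairs, and the client CA if present", then `@tparam boolean in_dp true when called from the data plane, where the config loader has already applied the schema so only the PEM checks run here`, `@tparam table conf the ssl object`, and `@treturn boolean|nil, string ok or nil plus an error message`. Two smaller points in the same hunk: the failure of the first `validate(conf.cert, conf.key)` is returned unprefixed while the `certs[i]` and `client.ca` failures carry a prefix, which makes the three failure modes harder to tell apart in the DP error log; and the `-- TODO: check if key & cert match` carried over into `validate` (earlier hunk of this file) means a mismatched pair still passes this checker in the DP, so that case would presumably only surface at handshake time.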
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index e94b504..6f44a2f 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -229,9 +229,12 @@ end
function _M.init_worker()
local err
ssl_certificates, err = core.config.new("/ssl", {
- automatic = true,
- item_schema = core.schema.ssl,
- })
+ automatic = true,
+ item_schema = core.schema.ssl,
+ checker = function (item, schema_type)
+ return apisix_ssl.check_ssl_conf(true, item)
+ end,
+ })
if not ssl_certificates then
error("failed to create etcd instance for fetching ssl certificates: "
.. err)
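Review bot: The new `checker` closure calls `apisix_ssl.check_ssl_conf`, but the hunk adds no `require`; if `local apisix_ssl = require("apisix.ssl")` is not already at the top of this file the call becomes a global lookup that luacheck would flag, so that is worth confirming. The closure's `schema_type` parameter is unused; naming it `_` (`checker = function (item, _)`) documents that intent and keeps the linter quiet. A short comment such as `-- the schema is applied via item_schema; the checker only parses the PEM material` would also explain why `true` is passed as `in_dp`. `_M.init_worker` continues past the end of the hunk.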
diff --git a/t/config-center-yaml/ssl.t b/t/config-center-yaml/ssl.t
index 961b625..d4745a2 100644
--- a/t/config-center-yaml/ssl.t
+++ b/t/config-center-yaml/ssl.t
@@ -50,7 +50,7 @@ _EOC_
$block->set_value("request", "GET /t");
}
- if (!$block->no_error_log) {
+ if (!$block->no_error_log && !$block->error_log) {
$block->set_value("no_error_log", "[error]\n[alert]");
}
@@ -247,3 +247,67 @@ received: HTTP/1.1 200 OK
close: 1 nil
--- error_log
server name: "test.com"
+
+
+
+=== TEST 3: bad cert
+--- apisix_yaml
+ssl:
+ -
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIDrzCCApegAwIBAgIJAI3Meu/gJVTLMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
+ BAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3pob3UxDTAL
+ BgNVBAoMBHRlc3QxDTALBgNVBAsMBHRlc3QxGzAZBgNVBAMMEmV0Y2QuY2x1c3Rl
+ ci5sb2NhbDAeFw0yMDEwMjgwMzMzMDJaFw0yMTEwMjgwMzMzMDJaMG4xCzAJBgNV
+ BAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3pob3UxDTAL
+ BgNVBAoMBHRlc3QxDTALBgNVBAsMBHRlc3QxGzAZBgNVBAMMEmV0Y2QuY2x1c3Rl
+ ci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ/qwxCR7g5S
+ s9+VleopkLi5pAszEkHYOBpwF/hDeRdxU0I0e1zZTdTlwwPy2vf8m3kwoq6fmNCt
+ tdUUXh5Wvgi/2OA8HBBzaQFQL1Av9qWwyES5cx6p0ZBwIrcXQIsl1XfNSUpQNTSS
+ D44TGduXUIdeshukPvMvLWLezynf2/WlgVh/haWtDG99r/Gj3uBdjl0m/xGvKvIv
+ quDmvxteXWdlsz8o5kQT6a4DUtWhpPIfNj9oZfPRs3LhBFQ74N70kVxMOCdec1lU
+ bnFzLIMGlz0CAwEAAaNQME4wHQYDVR0OBBYEFFHeljijrr+SPxlH5fjHRPcC7bv2
+ MB8GA1UdIwQYMBaAFFHeljijrr+SPxlH5fjHRPcC7bv2MAwGA1UdEwQFMAMBAf8w
+ DQYJKoZIhvcNAQELBQADggEBAG6NNTK7sl9nJxeewVuogCdMtkcdnx9onGtCOeiQ
+ qvh5Xwn9akZtoLMVEdceU0ihO4wILlcom3OqHs9WOd6VbgW5a19Thh2toxKidHz5
+ rAaBMyZsQbFb6+vFshZwoCtOLZI/eIZfUUMFqMXlEPrKru1nSddNdai2+zi5rEnM
+ HCot43+3XYuqkvWlOjoi9cP+C4epFYrxpykVbcrtbd7TK+wZNiK3xtDPnVzjdNWL
+ geAEl9xrrk0ss4nO/EreTQgS46gVU+tLC+b23m2dU7dcKZ7RDoiA9bdVc4a2IsaS
+ 2MvLL4NZ2nUh8hAEHiLtGMAV3C6xNbEyM07hEpDW6vk6tqk=
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCf6sMQke4OUrPf
+ lZXqKZC4uaQLMxJB2DgacBf4Q3kXcVNCNHtc2U3U5cMD8tr3/Jt5MKKun5jQrbXV
+ FF4eVr4Iv9jgPBwQc2kBUC9QL/alsMhEuXMeqdGQcCK3F0CLJdV3zUlKUDU0kg+O
+ Exnbl1CHXrIbpD7zLy1i3s8p39v1pYFYf4WlrQxvfa/xo97gXY5dJv8RryryLzRc
+ uhHYBvX5MHCGpbrY61JxpfZqBo8CmLuHl1tmbeXpdHdQB11LKiuL6HtKflNjc6rg
+ 5r8bXl1nZbM/KOZEE+muA1LVoaTyHzY/aGXz0bNy4QRUO+De9JFcTDgnXnNZVG5x
+ cyyDBpc9AgMBAAECggEAatcEtehZPJaCeClPPF/Cwbe9YoIfe4BCk186lHI3z7K1
+ 5nB7zt+bwVY0AUpagv3wvXoB5lrYVOsJpa9y5iAb3GqYMc/XDCKfD/KLea5hwfcn
+ BctEn0LjsPVKLDrLs2t2gBDWG2EU+udunwQh7XTdp2Nb6V3FdOGbGAg2LgrSwP1g
+ 0r4z14F70oWGYyTQ5N8UGuyryVrzQH525OYl38Yt7R6zJ/44FVi/2TvdfHM5ss39
+ SXWi00Q30fzaBEf4AdHVwVCRKctwSbrIOyM53kiScFDmBGRblCWOxXbiFV+d3bjX
+ gf2zxs7QYZrFOzOO7kLtHGua4itEB02497v+1oKDwQKBgQDOBvCVGRe2WpItOLnj
+ SF8iz7Sm+jJGQz0D9FhWyGPvrN7IXGrsXavA1kKRz22dsU8xdKk0yciOB13Wb5y6
+ yLsr/fPBjAhPb4h543VHFjpAQcxpsH51DE0b2oYOWMmz+rXGB5Jy8EkP7Q4njIsc
+ 2wLod1dps8OT8zFx1jX3Us6iUQKBgQDGtKkfsvWi3HkwjFTR+/Y0oMz7bSruE5Z8
+ g0VOHPkSr4XiYgLpQxjbNjq8fwsa/jTt1B57+By4xLpZYD0BTFuf5po+igSZhH8s
+ QS5XnUnbM7d6Xr/da7ZkhSmUbEaMeHONSIVpYNgtRo4bB9Mh0l1HWdoevw/w5Ryt
+ L/OQiPhfLQKBgQCh1iG1fPh7bbnVe/HI71iL58xoPbCwMLEFIjMiOFcINirqCG6V
+ LR91Ytj34JCihl1G4/TmWnsH1hGIGDRtJLCiZeHL70u32kzCMkI1jOhFAWqoutMa
+ 7obDkmwraONIVW/kFp6bWtSJhhTQTD4adI9cPCKWDXdcCHSWj0Xk+U8HgQKBgBng
+ t1HYhaLzIZlP/U/nh3XtJyTrX7bnuCZ5FhKJNWrYjxAfgY+NXHRYCKg5x2F5j70V
+ be7pLhxmCnrPTMKZhik56AaTBOxVVBaYWoewhUjV4GRAaK5Wc8d9jB+3RizPFwVk
+ V3OU2DJ1SNZ+W2HBOsKrEfwFF/dgby6i2w6MuAP1AoGBAIxvxUygeT/6P0fHN22P
+ zAHFI4v2925wYdb7H//D8DIADyBwv18N6YH8uH7L+USZN7e4p2k8MGGyvTXeC6aX
+ IeVtU6fH57Ddn59VPbF20m8RCSkmBvSdcbyBmqlZSBE+fKwCliKl6u/GH0BNAWKz
+ r8yiEiskqRmy7P7MY9hDmEbG
+ -----END PRIVATE KEY-----
+ snis:
+ - "t.com"
+ - "test.com"
+--- error_log
+failed to parse cert
+--- error_code: 404