feat: add GM C API set cert/priv_key (#67)

Author: spacewander

.github/workflows/gm.yml

@@ -0,0 +1,61 @@
+name: Test GM SSL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: "ubuntu-latest"
+    env:
+      OPENRESTY_PREFIX: "/usr/local/openresty"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Set up Clang
+        uses: egor-tensin/setup-clang@v1
+
+      - name: Get dependencies
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl
+
+      - name: Before install
+        run: |
+          sudo cpanm --notest Test::Nginx > build.log 2>&1 || (cat build.log && exit 1)
+          git clone https://github.com/iresty/test-nginx.git test-nginx
+
+      - name: Install SSL lib
+        run: |
+          # TODO: use a fixed release once they have created one.
+          # See https://github.com/Tongsuo-Project/Tongsuo/issues/318
+          git clone https://github.com/api7/tongsuo --depth 1
+          pushd tongsuo
+          ./config shared enable-ntls -g --prefix=/usr/local/tongsuo
+          make -j2
+          sudo make install_sw
+          # build binary
+          ./config enable-ntls -static
+          make -j2
+          mv apps/openssl ..
+          popd
+
+      - name: Install
+        run: |
+          ls /usr/local/tongsuo/lib64
+          wget https://raw.githubusercontent.com/api7/apisix-build-tools/master/build-apisix-base.sh
+          chmod +x build-apisix-base.sh
+          export openssl_prefix=/usr/local/tongsuo
+
+          export cc_opt="-I${openssl_prefix}/include -Werror"
+          export ld_opt="-L${openssl_prefix}/lib64 -Wl,-rpath,${openssl_prefix}/lib64"
+          OR_PREFIX=$OPENRESTY_PREFIX CC="clang -fsanitize=address -fcolor-diagnostics -Qunused-arguments" \
+              ./build-apisix-base.sh latest
+
+      - name: Script
+        run: |
+          export PATH=$OPENRESTY_PREFIX/nginx/sbin:$PATH
+          nginx -V
+          PATH=$PWD:$PATH prove -I. -Itest-nginx/lib -r t/gm.t

.gitignore

@@ -1 +1,2 @@
 t/servroot
+/openssl

lib/resty/apisix/ssl.lua

@@ -0,0 +1,65 @@
+local ffi = require("ffi")
+local base = require("resty.core.base")
+local errmsg = base.get_errmsg_ptr()
+local get_request = base.get_request
+local FFI_OK = base.FFI_OK
+local C = ffi.C
+local ffi_str = ffi.string
+
+
+base.allows_subsystem("http")
+
+
+ffi.cdef[[
+    typedef intptr_t        ngx_flag_t;
+    int ngx_http_apisix_set_gm_cert(void *r, void *cdata, char **err, ngx_flag_t type);
+    int ngx_http_apisix_set_gm_priv_key(void *r, void *cdata, char **err, ngx_flag_t type);
+]]
+
+
+local NGX_HTTP_APISIX_SSL_ENC = 1
+local NGX_HTTP_APISIX_SSL_SIGN = 2
+local _M = {}
+
+
+function _M.set_gm_cert(enc_cert, sign_cert)
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    local rc = C.ngx_http_apisix_set_gm_cert(r, enc_cert, errmsg, NGX_HTTP_APISIX_SSL_ENC)
+    if rc ~= FFI_OK then
+        return nil, ffi_str(errmsg[0])
+    end
+
+    local rc = C.ngx_http_apisix_set_gm_cert(r, sign_cert, errmsg, NGX_HTTP_APISIX_SSL_SIGN)
+    if rc ~= FFI_OK then
+        return nil, ffi_str(errmsg[0])
+    end
+
+    return true
+end
+
+
+function _M.set_gm_priv_key(enc_pkey, sign_pkey)
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    local rc = C.ngx_http_apisix_set_gm_priv_key(r, enc_pkey, errmsg, NGX_HTTP_APISIX_SSL_ENC)
+    if rc ~= FFI_OK then
+        return nil, ffi_str(errmsg[0])
+    end
+
+    local rc = C.ngx_http_apisix_set_gm_priv_key(r, sign_pkey, errmsg, NGX_HTTP_APISIX_SSL_SIGN)
+    if rc ~= FFI_OK then
+        return nil, ffi_str(errmsg[0])
+    end
+
+    return true
+end
+
+
+return _M

patch/1.21.4/nginx-enable_ntls.patch

@@ -0,0 +1,16 @@
+diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c
+index 013b715..a729693 100644
+--- src/http/ngx_http_request.c
++++ src/http/ngx_http_request.c
+@@ -754,6 +754,11 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
+                 return;
+             }
+ 
++#if (TONGSUO_VERSION_NUMBER && NGX_HTTP_APISIX)
++            // FIXME: add option later
++            SSL_enable_ntls(c->ssl->connection);
++#endif
++
+             ngx_reusable_connection(c, 0);
+ 
+             rc = ngx_ssl_handshake(c);

src/ngx_http_apisix_module.c

@@ -5,6 +5,10 @@
 #include "ngx_http_apisix_module.h"
 
 
+#define NGX_HTTP_APISIX_SSL_ENC     1
+#define NGX_HTTP_APISIX_SSL_SIGN    2
+
+
 static ngx_str_t remote_addr = ngx_string("remote_addr");
 static ngx_str_t remote_port = ngx_string("remote_port");
 static ngx_str_t realip_remote_addr = ngx_string("realip_remote_addr");
@@ -640,3 +644,137 @@ ngx_http_apisix_is_body_filter_by_lua_skipped(ngx_http_request_t *r)
 
     return 0;
 }
+
+
+int
+ngx_http_apisix_set_gm_cert(ngx_http_request_t *r, void *cdata, char **err, ngx_flag_t type)
+{
+#ifndef TONGSUO_VERSION_NUMBER
+
+    *err = "only Tongsuo supported";
+    return NGX_ERROR;
+
+#else
+    int                i;
+    X509              *x509 = NULL;
+    ngx_ssl_conn_t    *ssl_conn;
+    STACK_OF(X509)    *chain = cdata;
+
+    if (r->connection == NULL || r->connection->ssl == NULL) {
+        *err = "bad request";
+        return NGX_ERROR;
+    }
+
+    ssl_conn = r->connection->ssl->connection;
+    if (ssl_conn == NULL) {
+        *err = "bad ssl conn";
+        return NGX_ERROR;
+    }
+
+    if (sk_X509_num(chain) < 1) {
+        *err = "invalid certificate chain";
+        goto failed;
+    }
+
+    x509 = sk_X509_value(chain, 0);
+    if (x509 == NULL) {
+        *err = "sk_X509_value() failed";
+        goto failed;
+    }
+
+    if (type == NGX_HTTP_APISIX_SSL_ENC) {
+        if (SSL_use_enc_certificate(ssl_conn, x509) == 0) {
+            *err = "SSL_use_enc_certificate() failed";
+            goto failed;
+        }
+    } else {
+        if (SSL_use_sign_certificate(ssl_conn, x509) == 0) {
+            *err = "SSL_use_sign_certificate() failed";
+            goto failed;
+        }
+    }
+
+    x509 = NULL;
+
+    /* read rest of the chain */
+
+    for (i = 1; i < sk_X509_num(chain); i++) {
+
+        x509 = sk_X509_value(chain, i);
+        if (x509 == NULL) {
+            *err = "sk_X509_value() failed";
+            goto failed;
+        }
+
+        if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
+            *err = "SSL_add1_chain_cert() failed";
+            goto failed;
+        }
+    }
+
+    *err = NULL;
+    return NGX_OK;
+
+failed:
+
+    ERR_clear_error();
+
+    return NGX_ERROR;
+
+#endif
+}
+
+
+int
+ngx_http_apisix_set_gm_priv_key(ngx_http_request_t *r,
+    void *cdata, char **err, ngx_flag_t type)
+{
+#ifndef TONGSUO_VERSION_NUMBER
+
+    *err = "only Tongsuo supported";
+    return NGX_ERROR;
+
+#else
+
+    EVP_PKEY          *pkey = NULL;
+    ngx_ssl_conn_t    *ssl_conn;
+
+    if (r->connection == NULL || r->connection->ssl == NULL) {
+        *err = "bad request";
+        return NGX_ERROR;
+    }
+
+    ssl_conn = r->connection->ssl->connection;
+    if (ssl_conn == NULL) {
+        *err = "bad ssl conn";
+        return NGX_ERROR;
+    }
+
+    pkey = cdata;
+    if (pkey == NULL) {
+        *err = "invalid private key failed";
+        goto failed;
+    }
+
+    if (type == NGX_HTTP_APISIX_SSL_ENC) {
+        if (SSL_use_enc_PrivateKey(ssl_conn, pkey) == 0) {
+            *err = "SSL_use_enc_PrivateKey() failed";
+            goto failed;
+        }
+    } else {
+        if (SSL_use_sign_PrivateKey(ssl_conn, pkey) == 0) {
+            *err = "SSL_use_sign_PrivateKey() failed";
+            goto failed;
+        }
+    }
+
+    return NGX_OK;
+
+failed:
+
+    ERR_clear_error();
+
+    return NGX_ERROR;
+
+#endif
+}

t/certs/client_enc.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAX6gAwIBAgIBBTAKBggqgRzPVQGDdTBFMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQkIxCzAJBgNVBAoMAkNDMQswCQYDVQQLDAJERDEPMA0GA1UEAwwGc3Vi
+IGNhMB4XDTIyMTEwMjAzMTkzNloXDTMyMTAzMDAzMTkzNlowSTELMAkGA1UEBhMC
+QUExCzAJBgNVBAgMAkJCMQswCQYDVQQKDAJDQzELMAkGA1UECwwCREQxEzARBgNV
+BAMMCmNsaWVudCBlbmMwWjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAEYYuPPz5e
+0QMSGPeBfVbK02GwYhSieSCuc12WsNw+ZQEiaN3NJ2Mh0EAH95eWVutKAeMwKwQZ
+q7QgnSoo3io8hKNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCAzgwHQYDVR0OBBYE
+FEL0AwvahirH+kdK5Poq+e0yhii1MB8GA1UdIwQYMBaAFCTrpmbUig3JfveqAIGJ
+6n+vAk2AMAoGCCqBHM9VAYN1A0kAMEYCIQDx+KxdaJ7YX5gR492EgiGn7//HsjOU
+B7+jyTVvkNzN2AIhAIbDKNJQ2i5Edcw/nDIWJQLec7NZui3QfC/gr9AuCfHN
+-----END CERTIFICATE-----

t/certs/client_enc.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQgq7+Y1ql10Uvv2vTf
+AHR26o4B3RJTJO5XTh0BNLdtB7OhRANCAARhi48/Pl7RAxIY94F9VsrTYbBiFKJ5
+IK5zXZaw3D5lASJo3c0nYyHQQAf3l5ZW60oB4zArBBmrtCCdKijeKjyE
+-----END PRIVATE KEY-----

t/certs/client_sign.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAX+gAwIBAgIBBDAKBggqgRzPVQGDdTBFMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQkIxCzAJBgNVBAoMAkNDMQswCQYDVQQLDAJERDEPMA0GA1UEAwwGc3Vi
+IGNhMB4XDTIyMTEwMjAzMTkzNloXDTMyMTAzMDAzMTkzNlowSjELMAkGA1UEBhMC
+QUExCzAJBgNVBAgMAkJCMQswCQYDVQQKDAJDQzELMAkGA1UECwwCREQxFDASBgNV
+BAMMC2NsaWVudCBzaWduMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABFZcc94m
+hTZRKis639AnlAbS0cKQv73GP5RzBdNlLpAaUwi4hqAh0ZUIcTH/5ZbOTal9MvHA
+gOLjVxv197o+fNejWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgbAMB0GA1UdDgQW
+BBTkdzyphRCxqD6m6j/AUhMSEBASRDAfBgNVHSMEGDAWgBQk66Zm1IoNyX73qgCB
+iep/rwJNgDAKBggqgRzPVQGDdQNIADBFAiB2rcm1UI84yPYT5q6vjucBNPw01cHM
+3/Hc9fhiuYPyHwIhAIiPPPj4XI2l98C+DBaqoZtSiwDK2IA6Q8lf9SmHdFPN
+-----END CERTIFICATE-----

t/certs/client_sign.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQgIsAr+s4TL7K4AQWO
+PbXrJfHoO5yE2V7oYQxUBsieOQOhRANCAARWXHPeJoU2USorOt/QJ5QG0tHCkL+9
+xj+UcwXTZS6QGlMIuIagIdGVCHEx/+WWzk2pfTLxwIDi41cb9fe6PnzX
+-----END PRIVATE KEY-----

t/certs/gm_ca.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB3zCCAYWgAwIBAgIBADAKBggqgRzPVQGDdTBGMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQkIxCzAJBgNVBAoMAkNDMQswCQYDVQQLDAJERDEQMA4GA1UEAwwHcm9v
+dCBjYTAeFw0yMjExMDIwMzE5MzZaFw0zMjEwMzAwMzE5MzZaMEYxCzAJBgNVBAYT
+AkFBMQswCQYDVQQIDAJCQjELMAkGA1UECgwCQ0MxCzAJBgNVBAsMAkREMRAwDgYD
+VQQDDAdyb290IGNhMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABB+V1+bwQsP4
+IMZEVCu3LSekz9SIhxWVVtlqdQYZG55S46PmAqICzrO3KFJ/IPtMx9wKn3L6V5M8
+hAc/UwOAnKCjYzBhMB0GA1UdDgQWBBRV7bTJ6vT1fliZR42/+E+fEBfTSjAfBgNV
+HSMEGDAWgBRV7bTJ6vT1fliZR42/+E+fEBfTSjAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBhjAKBggqgRzPVQGDdQNIADBFAiEA1SGACV1wj158Spgh+HOW
+oOr7rTO2fR4cK9Zx7eUvmAECIHbKbsw5szaC/EH7CdsHdFgrj2tWaXiQUnx/rxM/
+upAQ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB4TCCAYegAwIBAgIBATAKBggqgRzPVQGDdTBGMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQkIxCzAJBgNVBAoMAkNDMQswCQYDVQQLDAJERDEQMA4GA1UEAwwHcm9v
+dCBjYTAeFw0yMjExMDIwMzE5MzZaFw0zMjEwMzAwMzE5MzZaMEUxCzAJBgNVBAYT
+AkFBMQswCQYDVQQIDAJCQjELMAkGA1UECgwCQ0MxCzAJBgNVBAsMAkREMQ8wDQYD
+VQQDDAZzdWIgY2EwWjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAElA5ey1dYWNkT
+zfvwcKEhX1vHL+Kjil+egM6QssbNrts2S0M07L77XDe1q2zPpHjo0MR05x862/tZ
+j87OgmEE0KNmMGQwHQYDVR0OBBYEFCTrpmbUig3JfveqAIGJ6n+vAk2AMB8GA1Ud
+IwQYMBaAFFXttMnq9PV+WJlHjb/4T58QF9NKMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+DgYDVR0PAQH/BAQDAgGGMAoGCCqBHM9VAYN1A0gAMEUCIArKNHWYLmd3thQmJv89
+o0wr6O2q26WJuy6y7Eu14rdFAiEA7XNZ0JGMXPKiG5Hl7nmL8ooTrVhrmRrvs9No
+Y8rH88Y=
+-----END CERTIFICATE-----