Add support for X509 signature algorithms such as RSA-SHA1 and ECDSA-with-SHA384

Gabor Simko · leafo · commit e65af32295ca · 2022-10-17T13:26:54.000-07:00
diff --git a/pgmoon/init.lua b/pgmoon/init.lua
@@ -402,7 +402,12 @@ do
               pem, signature = server_cert:pem(), server_cert:getsignaturename()
             end
             signature = signature:lower()
-            if signature:match("^md5") or signature:match("^sha1") then
+            local _, with_sig
+            _, _, with_sig = signature:find("%-with%-(.*)")
+            if with_sig then
+              signature = with_sig
+            end
+            if signature:match("^md5") or signature:match("^sha1") or signature:match("sha1$") then
               signature = "sha256"
             end
             cbind_data = assert(x509_digest(pem, signature))
diff --git a/pgmoon/init.moon b/pgmoon/init.moon
@@ -406,8 +406,13 @@ class Postgres
 
           signature = signature\lower!
 
-          -- upgrade the signature if necessary
-          if signature\match("^md5") or signature\match("^sha1")
+          -- Handle the case when the signature is e.g. ECDSA-with-SHA384
+          _, _, with_sig = signature\find("%-with%-(.*)")
+          if with_sig
+            signature = with_sig
+
+          -- upgrade the signature if necessary (also handle the case of s/RSA-SHA1/sha256)
+          if signature\match("^md5") or signature\match("^sha1") or signature\match("sha1$")
             signature = "sha256"
 
           assert x509_digest(pem, signature)
diff --git a/spec/docker_enable_ssl.sh b/spec/docker_enable_ssl.sh
@@ -11,7 +11,7 @@ ls -lah >&2
 openssl req -new -passout pass:itchzone -text -out server.req -subj "/C=US/ST=Leafo/L=Leafo/O=Leafo/CN=itch.zone"
 openssl rsa -passin pass:itchzone -in privkey.pem -out server.key
 rm privkey.pem
-openssl req -x509 -in server.req -text -key server.key -out server.crt
+openssl req -x509 -sha1 -in server.req -text -key server.key -out server.crt
 chmod og-rwx server.key
 
 # TLSv1 min version to mimic older versions of postgres
diff --git a/spec/pgmoon_spec.moon b/spec/pgmoon_spec.moon
@@ -174,6 +174,7 @@ describe "pgmoon with server", ->
         errors = {
           "timeout": true
           "Connection timed out": true
+          "Operation timed out": true
         }
 
         assert.true errors[err]
diff --git a/spec/postgres.sh b/spec/postgres.sh
@@ -14,7 +14,7 @@ function makecerts {
     openssl req -new -passout pass:itchzone -text -out server.req -subj "/C=US/ST=Leafo/L=Leafo/O=Leafo/CN=itch.zone"
     openssl rsa -passin pass:itchzone -in privkey.pem -out server.key
     rm privkey.pem
-    openssl req -x509 -in server.req -text -key server.key -out server.crt
+    openssl req -x509 -sha1 -in server.req -text -key server.key -out server.crt
     chmod og-rwx server.key
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,7 @@ describe "pgmoon with server", ->`
`174`	`174`	`errors = {`
`175`	`175`	`"timeout": true`
`176`	`176`	`"Connection timed out": true`
	`177`	`+ "Operation timed out": true`
`177`	`178`	`}`
`178`	`179`
`179`	`180`	`assert.true errors[err]`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ function makecerts {`
`14`	`14`	`openssl req -new -passout pass:itchzone -text -out server.req -subj "/C=US/ST=Leafo/L=Leafo/O=Leafo/CN=itch.zone"`
`15`	`15`	`openssl rsa -passin pass:itchzone -in privkey.pem -out server.key`
`16`	`16`	`rm privkey.pem`
`17`		`- openssl req -x509 -in server.req -text -key server.key -out server.crt`
	`17`	`+ openssl req -x509 -sha1 -in server.req -text -key server.key -out server.crt`
`18`	`18`	`chmod og-rwx server.key`
`19`	`19`	`)`
`20`	`20`	`}`