
lua-resty-openssl's Issues

x509:get_extension("subjectKeyIdentifier"):text() is in weird format

For some reason, when doing x509:get_extension("subjectKeyIdentifier"):text(), I am getting a "keyid:" prefix, the actual keyid and a line return at the end.
When doing x509:get_extension("authorityKeyIdentifier"):text() I am getting only the keyid without any prefixes and line returns at the end.
I am using it to detect if a certificate is self-signed, so I filter these weirdnesses out with gsub, but it is still strange that the keyid output is different for the similar use case.
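An added example (written for this page, not code from the issue or from lua-resty-openssl) of a self-signed check that does not depend on how `extension:text()` happens to format the identifier: it pulls the hex out of either shape, and then relies on the signature check rather than on the key identifiers alone, since a root may carry no authorityKeyIdentifier at all. The function names are my own; the library calls (`x509.new`, `get_extension`, `text`, `get_pubkey`, `verify`) are the ones shown in this issue thread.

```lua
-- Added example, not part of the issue or of lua-resty-openssl.
local x509 = require("resty.openssl.x509")

-- Pull the bare key identifier out of extension:text() output, whether it looks like
-- "keyid:AB:CD:..\n" (authorityKeyIdentifier) or "AB:CD:.." (subjectKeyIdentifier).
local function extract_keyid(txt)
  if not txt then return nil end
  local hex = txt:match("keyid:%s*([%x:]+)") or txt:match("^%s*([%x:]+)")
  if not hex then return nil end
  return (hex:gsub(":", "")):upper()
end

local function get_keyid(cert, ext_name)
  local ext = cert:get_extension(ext_name)
  if not ext then return nil end
  return extract_keyid(ext:text())
end

-- Returns true for a self-signed certificate, false otherwise, nil+err on parse failure.
-- Order of checks: cheap structural ones first, the signature verification last and
-- authoritative (a forged cert can copy SKI/AKI, it cannot forge the signature).
local function is_self_signed(pem)
  local cert, err = x509.new(pem, "PEM")
  if not cert then return nil, err end

  -- 1. issuer must equal subject
  if tostring(cert:get_issuer_name()) ~= tostring(cert:get_subject_name()) then
    return false
  end

  -- 2. when both identifiers are present they must agree
  local ski = get_keyid(cert, "subjectKeyIdentifier")
  local aki = get_keyid(cert, "authorityKeyIdentifier")
  if ski and aki and ski ~= aki then
    return false
  end

  -- 3. the signature must verify under the certificate's own public key
  local ok = cert:verify(cert:get_pubkey())
  return ok == true
end

return {
  is_self_signed = is_self_signed,
  extract_keyid  = extract_keyid,
}
```

Load it as a module inside OpenResty and call `is_self_signed(pem)`; a `false` from step 1 or 2 is cheap, and a cert that passes both but fails step 3 is the case the gsub-only approach would misclassify.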

PKCS1 error

I want to use my own CA certificate for self-signing. Then have my clients import my CA certificate to become their root certificate. Then let it access my nginx.

At this time, nginx can proxy any https domain name, similar to a man-in-the-middle attack, which is very useful for intranet caching such as game content.

Certificates for these domain names will automatically generate corresponding SSL certificates based on the domain names when requested. So I first generated a self-signed CA certificate and CA key, as follows.

openssl genpkey -algorithm RSA -out www.test.com.key -pkeyopt rsa_keygen_bits:2048 

openssl req -new -key www.test.com.key -out www.test.com.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Corp/CN=www.test.com"

openssl x509 -req -in www.test.com.csr -CA  ../ssl_cert/nginx-self-signed.pem  -CAkey ../ssl_cert/nginx-self-signed.key -CAcreateserial -out www.test.com.crt -days 365 -sha256 -extfile test.cnf 

Then I used the openssl command to test:

openssl verify -verbose -CAfile ../ssl_cert/nginx-self-signed.crt www.test.com.crt
www.test.com.crt: OK

This is test.cnf:

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
C  = CN
ST = Beijing
L  = Beijing
O  = Example Corp
CN = www.test.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.test.com
DNS.2 = test.com

I use lua-resty-openssl to achieve the same function; the code is as follows:

local openssl_pkey = require("resty.openssl.pkey")
local openssl_x509 = require("resty.openssl.x509")
local openssl_x509_name = require("resty.openssl.x509.name")
local openssl_digest = require("resty.openssl.digest")

local function readFile(path)
    local file, err = io.open(path, "r")
    if not file then
        return nil, "Failed to open file: " .. (err or "unknown error")
    end
    local content = file:read("*a")
    file:close()
    return content, nil
end

local ca_cert_pem, err = readFile("nginx-self-signed.pem")
if not ca_cert_pem then
    error(err)
end

local ca_key_pem, err = readFile("nginx-self-signed.key")
if not ca_key_pem then
    error(err)
end

local ca_cert, err = openssl_x509.new(ca_cert_pem, "PEM")
if not ca_cert then
    error("Failed to parse CA certificate: " .. err)
end

local ca_key, err = openssl_pkey.new({ pem = ca_key_pem, format = "PEM" })
if not ca_key then
    error("Failed to parse CA private key: " .. err)
end

local function generateCert(domain)
    -- fresh 2048-bit RSA key for the leaf certificate
    local key, err = openssl_pkey.new({
        type = 'RSA',
        bits = 2048
    })
    if not key then
        ngx.log(ngx.ERR, "Failed to new private key: ", err)
        return nil, err
    end

    local cert = openssl_x509.new()
    local name = openssl_x509_name.new()

    name:add("CN", domain)
    cert:set_subject_name(name)
    cert:set_pubkey(key)

    -- issued by the CA loaded above
    cert:set_issuer_name(ca_cert:get_subject_name())

    cert:set_not_before(ngx.time())
    cert:set_not_after(ngx.time() + 365 * 24 * 60 * 60)

    -- sign with SHA-256, the counterpart of `openssl x509 -req ... -sha256`
    local digest = openssl_digest.new("sha256")

    local ok, err = cert:sign(ca_key, digest)
    if not ok then
        ngx.log(ngx.ERR, "Error signing certificate: ", err)
        return nil, err
    end

    -- check the fresh signature with the CA key (only its public part is used)
    local ok, err = cert:verify(ca_key)
    if not ok then
        ngx.log(ngx.ERR, "Error verify certificate: ", err)
        return nil, err
    end

    local cert_pem, err = cert:to_PEM()
    if not cert_pem then
        ngx.log(ngx.ERR, "Failed to convert certificate to PEM: ", err)
        return nil, err
    end

    local key_pem, err = key:to_PEM("private")
    ngx.log(ngx.ERR, "Key type is ", key:is_private())
    if not key_pem then
        ngx.log(ngx.ERR, "Failed to convert private key to PEM: ", err)
        return nil, err
    end

    return cert_pem, key_pem
end

local cert_pem, key_pem = generateCert("www.test.com")
if not cert_pem then
    error("Certificate generation failed: " .. tostring(key_pem))
end

-- Save to files
local cert_file = io.open("generated_cert1.pem", "w")
cert_file:write(cert_pem)
cert_file:close()

local key_file = io.open("generated_key2.pem", "w")
key_file:write(key_pem)
key_file:close()
-- print("Certificate PEM:\n" .. cert_pem)
-- print("Private Key PEM:\n" .. key_pem)

Report the following error

openssl verify -verbose -CAfile ../ssl_cert/nginx-self-signed.crt generated_cert1.pem

error 7 at 0 depth lookup: certificate signature failure
error generated_cert1.pem: verification failed
800BDEBAC17F0000:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:79:
800BDEBAC17F0000:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:697:
800BDEBAC17F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
800BDEBAC17F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:

I don’t know much about openssl. Why does PKCS1 report an error?
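An added example for this report (my own code, not the reporter's and not part of lua-resty-openssl): the verification error above means the signature on the leaf does not decrypt to a valid PKCS#1 block under the CA key that `openssl verify` was given, which is what a CA certificate/key mismatch looks like from the outside. The issuer below therefore checks, in the same process and before anything is written to disk, that the loaded CA certificate and key belong together, that the leaf verifies under the CA public key, and that it chains to the CA file the operator will actually trust. Assumptions: the three PEM strings are passed in by the caller, `os.time()` stands in for `ngx.time()` so the code also runs under plain LuaJIT, and the serial is 16 random bytes.

```lua
-- Added example, not the issue author's code and not library code.
local pkey    = require("resty.openssl.pkey")
local x509    = require("resty.openssl.x509")
local name    = require("resty.openssl.x509.name")
local altname = require("resty.openssl.x509.altname")
local store   = require("resty.openssl.x509.store")
local digest  = require("resty.openssl.digest")
local bn      = require("resty.openssl.bn")
local rand    = require("resty.openssl.rand")

-- ca_cert_pem / ca_key_pem: the CA used for signing.
-- ca_verify_pem: the file that will later be handed to `openssl verify -CAfile`.
local function issue_and_check(ca_cert_pem, ca_key_pem, domain, ca_verify_pem)
  local ca_cert = assert(x509.new(ca_cert_pem, "PEM"))
  local ca_key  = assert(pkey.new({ pem = ca_key_pem, format = "PEM" }))

  -- Check 0: the CA certificate and the CA private key must carry the same public key,
  -- otherwise every leaf signed here fails with "certificate signature failure" later.
  if ca_cert:get_pubkey():to_PEM() ~= ca_key:to_PEM("public") then
    return nil, "CA certificate and CA key do not match"
  end

  local key  = assert(pkey.new({ type = "RSA", bits = 2048 }))
  local cert = assert(x509.new())
  cert:set_version(3)
  -- random positive serial (16 bytes, well inside the 20-octet limit of RFC 5280)
  cert:set_serial_number(bn.from_binary(rand.bytes(16)))

  local subj = name.new()
  subj:add("CN", domain)
  cert:set_subject_name(subj)
  cert:set_issuer_name(ca_cert:get_subject_name())

  -- the equivalent of the subjectAltName section in test.cnf
  local san = altname.new()
  san:add("DNS", domain)
  cert:set_subject_alt_name(san)

  cert:set_pubkey(key)
  cert:set_not_before(os.time())
  cert:set_not_after(os.time() + 365 * 24 * 60 * 60)

  local md = assert(digest.new("sha256"))
  assert(cert:sign(ca_key, md))

  -- Check 1: the signature verifies under the CA's public key.
  local ok, err = cert:verify(ca_cert:get_pubkey())
  if not ok then
    return nil, "leaf does not verify under CA key: " .. tostring(err)
  end

  -- Check 2: full chain validation against the CA the operator will actually trust.
  local st = store.new()
  assert(st:add(assert(x509.new(ca_verify_pem, "PEM"))))
  ok, err = st:verify(cert)
  if not ok then
    return nil, "leaf does not chain to the trusted CA: " .. tostring(err)
  end

  return cert:to_PEM(), key:to_PEM("private")
end

return { issue_and_check = issue_and_check }
```

Call `issue_and_check(ca_cert_pem, ca_key_pem, "www.test.com", ca_verify_pem)` with the contents of the `.pem`, `.key` and `.crt` files from the report; if check 0 or check 2 fails, the two CA files are not the same CA, and no amount of changes to the signing code will make `openssl verify` pass.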

resty.openssl.cipher - EVP_get_cipherbyname' (cannot convert 'table' to 'const char *')

Hi,
I'm developing a lib requiring aes ciphers and I stumbled upon this error while creating unit tests with prove.

Full test case to reproduce in openresty:

use Test::Nginx::Socket::Lua;

repeat_each(1);
plan tests => repeat_each() * 3 * blocks();

no_shuffle();
no_long_string();
run_tests();

__DATA__

=== TEST 1: DEMO
--- config
    location = /t {
        content_by_lua_block {
            -- local version_text = require("resty.openssl.version").version_text
            -- version_text is "OpenSSL 1.1.1w  11 Sep 2023"

            local cipher = require("resty.openssl.cipher")
            cipher:new("aes128-wrap") -- error

            ngx.say("SUCCESS")
        }
    }
--- request
    GET /t
--- response_body
SUCCESS
--- error_code: 200
--- no_error_log
[error]

The error I get:

#   Failed test 't/demo.t TEST 1: DEMO - status code ok'
#   at /usr/local/share/perl/5.36.0/Test/Nginx/Socket.pm line 936.
#          got: '500'
#     expected: '200'

#   Failed test 't/demo.t TEST 1: DEMO - response_body - response is expected (repeated req 0, req 0)'
#   at /usr/local/share/perl/5.36.0/Test/Nginx/Socket.pm line 1660.
#          got: '<html>
# <head><title>500 Internal Server Error</title></head>
# <body>
# <center><h1>500 Internal Server Error</h1></center>
# <hr><center>openresty/1.25.3.1</center>
# </body>
# </html>
# '
#     expected: 'SUCCESS
# '

#   Failed test 't/demo.t TEST 1: DEMO - pattern "[error]" should not match any line in error.log but matches line "2024/05/31 19:26:13 [error] 79662#79662: *1 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/resty/openssl/cipher.lua:44: bad argument #1 to 'EVP_get_cipherbyname' (cannot convert 'table' to 'const char *')" (req 0)
# stack traceback:
# coroutine 0:
#       [C]: in function 'EVP_get_cipherbyname'
#       /usr/local/share/lua/5.1/resty/openssl/cipher.lua:44: in function 'new'
# '
#   at /usr/local/share/perl/5.36.0/Test/Nginx/Socket.pm line 1351.
# Looks like you failed 3 tests of 3.
t/demo.t .. Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/3 subtests 

Test Summary Report
-------------------
t/demo.t (Wstat: 768 (exited 3) Tests: 3 Failed: 3)
  Failed tests:  1-3
  Non-zero exit status: 3
Files=1, Tests=3,  0 wallclock secs ( 0.02 usr  0.01 sys +  0.17 cusr  0.03 csys =  0.23 CPU)
Result: FAIL

Looking at the code, it seemed to be an openssl compatibility problem:

  if OPENSSL_3X then
    ctyp = C.EVP_CIPHER_fetch(ctx_lib.get_libctx(), typ, properties)
  else
    ctyp = C.EVP_get_cipherbyname(typ) -- breaks here
  end

So I tried with openssl 3 in a standalone lua file without openresty:

#!/usr/bin/env luajit

local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
print(OPENSSL_3X)

local version_text = require("resty.openssl.version").version_text
print(version_text)

local cipher = require("resty.openssl.cipher")
cipher:new("aes256") -- error

But I still get the error, though in the openssl 3 branch now!

true
OpenSSL 3.0.11 19 Sep 2023
luajit: /usr/local/share/lua/5.1/resty/openssl/cipher.lua:42: bad argument #2 to 'EVP_CIPHER_fetch' (cannot convert 'table' to 'const char *')
stack traceback:
        [C]: in function 'EVP_CIPHER_fetch'
        /usr/local/share/lua/5.1/resty/openssl/cipher.lua:42: in function 'new'
        ./test.lua:10: in main chunk
        [C]: at 0x55e5a333c380

Where /usr/local/share/lua/5.1/resty/openssl/cipher.lua:42: in function 'new' is here:

  if OPENSSL_3X then
    ctyp = C.EVP_CIPHER_fetch(ctx_lib.get_libctx(), typ, properties) -- now breaks here
  else
    ctyp = C.EVP_get_cipherbyname(typ)
  end

Am I missing something?

Thanks.

lua-resty-openssl install info (from luarocks):

lua-resty-openssl
   1.3.1-1 (installed) - /usr/local/lib/luarocks/rocks-5.1

I'm using debian 12.

nginx: [warn] [lua] http_connect.lua:21: failed to load module `resty.openssl.*`, mTLS isn't supported without lua-resty-openssl

It seems like there's an issue with loading the required Lua modules resty.acme.autossl, and it's indicating that resty.openssl.* modules are not found, which implies that mTLS isn't supported due to the absence of lua-resty-openssl.
Considering that both lua-resty-acme and lua-resty-openssl are installed and located in /usr/local/lib/resty/, and the lua_package_path is correctly set to include this directory, it's perplexing why the modules cannot be found.

https://github.com/openresty/luajit2/archive/refs/tags/v2.1-20240314.tar.gz
https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v0.3.3.tar.gz
https://github.com/openresty/lua-nginx-module/archive/refs/tags/v0.10.26.tar.gz
https://github.com/openresty/lua-resty-core/archive/refs/tags/v0.1.28.tar.gz
https://github.com/fffonion/lua-resty-acme/archive/refs/tags/0.13.0.tar.gz
https://github.com/fffonion/lua-resty-openssl/archive/refs/tags/1.3.1.tar.gz

https://freenginx.org/download/freenginx-1.26.0.tar.gz

user www-data;
worker_processes 1;
events {
  worker_connections 500;
}
http {
  lua_package_cpath '/usr/local/lua/?.so;';
  lua_package_path '/usr/local/lib/?.lua;/usr/local/lib/resty/?.lua;';
  init_by_lua_block {
    require("resty.acme.autossl").init({
      -- the ACME v2 API endpoint to use
      api_uri = "https://acme-v02.api.letsencrypt.org/directory",
      -- setting the following to true
      -- implies that you read and accepted https://letsencrypt.org/repository/
      tos_accepted = true,
      -- uncomment following for first time setup
      staging = true,
      -- uncomment following to enable RSA + ECC double cert
      domain_key_types = {'ecc'},
      -- uncomment following to enable tls-alpn-01 challenge
      -- enabled_challenge_handlers = { 'http-01', 'tls-alpn-01' },
      account_key_path = "/etc/nginx/ssl/account.key",
      account_email = "[email protected]",
      domain_whitelist = {"domain.com", "www.domain.com"}
    })
  }
  server {
    listen 400;
    location / {
      content_by_lua_block {
        require("cjson")
        require("resty.http")
        ngx.say(package.path)
      }
    }
  }
}

nginx: [warn] [lua] http_connect.lua:21: failed to load module `resty.openssl.*`, mTLS isn't supported without lua-resty-openssl:
/usr/local/lib/resty/openssl/x509/chain.lua:6: module 'resty.openssl.x509' not found:
  no field package.preload['resty.openssl.x509']
  no file '/usr/local/lib/resty/openssl/x509.lua'
  no file '/usr/local/lib/resty/resty/openssl/x509.lua'
  no file '/usr/local/lua/resty/openssl/x509.so'
  no file '/usr/local/lua/resty.so'
stack traceback:
  [C]: in function 'require'
  /usr/local/lib/resty/openssl/x509/chain.lua:6: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/http_connect.lua:15: in function </usr/local/lib/resty/http_connect.lua:14>
  [C]: in function 'xpcall'
  /usr/local/lib/resty/http_connect.lua:14: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/http.lua:166: in main chunk
  [C]: in function 'require'
  init_by_lua(nginx.conf:9):3: in main chunk
nginx: [error] init_by_lua error: /usr/local/lib/resty/openssl/pkey.lua:13: module 'resty.openssl.include.x509' not found:
  no field package.preload['resty.openssl.include.x509']
  no file '/usr/local/lib/resty/openssl/include/x509.lua'
  no file '/usr/local/lib/resty/resty/openssl/include/x509.lua'
  no file '/usr/local/lua/resty/openssl/include/x509.so'
  no file '/usr/local/lua/resty.so'
stack traceback:
  [C]: in function 'require'
  /usr/local/lib/resty/openssl/pkey.lua:13: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/acme/openssl.lua:8: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/acme/util.lua:4: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/acme/client.lua:3: in main chunk
  [C]: in function 'require'
  /usr/local/lib/resty/acme/autossl.lua:2: in main chunk
  [C]: in function 'require'
  init_by_lua(nginx.conf:9):4: in main chunk


EVP_PKEY_derive error on 32-bit systems due to incorrect type casting

When running OpenResty on a 32-bit system, I encountered an error originating from lua-resty-sessions, which originated from lua-resty-openssl. The specific error message is:

/usr/local/openresty/site/lualib/resty/openssl/kdf.lua:281: bad argument #3 to 'EVP_PKEY_derive' (cannot convert 'uint64_t' to 'unsigned int *')

The error occurs on invocation of EVP_PKEY_derive.

After tracing the parameters, I found that the issue is caused by the outlen variable in kdf.lua being initialized as

local outlen = ctypes.ptr_of_uint64()

However, the target FFI function EVP_PKEY_derive expects a size_t* argument, which is 32-bit on a 32-bit machine.

The problem arises because size_t is architecture-dependent, and the current implementation assumes a 64-bit system. To ensure cross-compatibility, the outlen variable should be initialized as

local outlen = ctypes.ptr_of_size_t()

since there is already a ptr_of_size_t() in ctypes definitions.

Steps to reproduce:

  1. Run OpenResty on a 32-bit system.
  2. Use lua-resty-session, which depends on lua-resty-openssl.
  3. Run this example from lua-resty-session documentation.

worker_processes  1;

events {
  worker_connections 1024;
}

http {
  init_by_lua_block {
    require "resty.session".init({
      remember = true,
      audience = "demo",
      secret   = "RaJKp8UQW1",
      storage  = "cookie",
    })
  }
  
  server {
    listen       8080;
    server_name  localhost;
    default_type text/html;

    location /start {
      content_by_lua_block {
        local session = require "resty.session".new()
        session:set_subject("OpenResty Fan")
        session:set("quote", "The quick brown fox jumps over the lazy dog")
        local ok, err = session:save()
       
        ngx.say(string.format([[
          <html>
          <body>
            <p>Session started (%s)</p>
            <p><a href=/started>Check if it really was</a></p>
          </body>
          </html>
        ]], err or "no error"))
      }
    }
}
}

Expected behavior:

The code should run without errors on 32-bit systems.

Proposed fix:

Change the initialization of outlen to local outlen = ctypes.ptr_of_size_t() in kdf.lua

Info

$ openresty -V 2>&1 | sed s/--/\\n--/g

nginx version: openresty/1.25.3.2
built by gcc 12.2.0 (Debian 12.2.0-14) 
built with OpenSSL 3.0.9 30 May 2023
TLS SNI support enabled
configure arguments: 
--prefix=/usr/local/openresty/nginx 
--with-cc-opt=-O2 
--add-module=../ngx_devel_kit-0.3.3 
--add-module=../echo-nginx-module-0.63 
--add-module=../xss-nginx-module-0.06 
--add-module=../ngx_coolkit-0.2 
--add-module=../set-misc-nginx-module-0.33 
--add-module=../form-input-nginx-module-0.12 
--add-module=../encrypted-session-nginx-module-0.09 
--add-module=../srcache-nginx-module-0.33 
--add-module=../ngx_lua-0.10.26 
--add-module=../ngx_lua_upstream-0.07 
--add-module=../headers-more-nginx-module-0.37 
--add-module=../array-var-nginx-module-0.06 
--add-module=../memc-nginx-module-0.20 
--add-module=../redis2-nginx-module-0.15 
--add-module=../redis-nginx-module-0.3.9 
--add-module=../rds-json-nginx-module-0.16 
--add-module=../rds-csv-nginx-module-0.09 
--add-module=../ngx_stream_lua-0.0.14 
--with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib 
--with-stream 
--without-pcre2 
--with-stream_ssl_module 
--with-stream_ssl_preread_module 
--with-http_ssl_module
$ lscpu
Architecture:        armv8l
Byte Order:          Little Endian
CPU(s):              8
On-line CPU(s) list: 0-7
Vendor ID:           ARM
Model name:          Cortex-A53
Model:               4
Thread(s) per core:  1
Core(s) per socket:  4
Socket(s):           2
Stepping:            r0p4
CPU(s) scaling MHz:  82%
CPU max MHz:         2301.0000
CPU min MHz:         400.0000
BogoMIPS:            26.00
Flags:               half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt lpae evtstrm aes pmull sha1 sha2 crc32
$ ldd $(which openresty)
	libcrypt.so.1 => /lib/arm-linux-gnueabihf/libcrypt.so.1 (0xec880000)
	libluajit-5.1.so.2 => /usr/local/openresty/luajit/lib/libluajit-5.1.so.2 (0xec82d000)
	libm.so.6 => /lib/arm-linux-gnueabihf/libm.so.6 (0xec7ec000)
	libpcre.so.3 => /lib/arm-linux-gnueabihf/libpcre.so.3 (0xec770000)
	libssl.so.3 => /lib/arm-linux-gnueabihf/libssl.so.3 (0xec706000)
	libcrypto.so.3 => /lib/arm-linux-gnueabihf/libcrypto.so.3 (0xec47e000)
	libz.so.1 => /lib/arm-linux-gnueabihf/libz.so.1 (0xec440000)
	libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xec329000)
	/lib/ld-linux-armhf.so.3 (0x0f000000)
	libgcc_s.so.1 => /lib/arm-linux-gnueabihf/libgcc_s.so.1 (0xec2f0000)

Note
I know little about cryptography but I am a c dev and I believe this was not the intended behaviour. I tried to patch my copy and it worked but restrained myself from making a pull request to avoid breaking stuff.
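An added illustration of the width problem described in this report (my own code, independent of kdf.lua and of the library's ctypes helpers): the LuaJIT FFI refuses to pass a `uint64_t*` where the C prototype declares `size_t*`, and on armv8l/armhf the two types differ in size, so the only portable out-length buffer is one declared as `size_t` itself. The function names are mine.

```lua
-- Added example, not code from kdf.lua or from lua-resty-openssl.
local ffi = require("ffi")

-- EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) takes size_t*.
local size_t_box = ffi.typeof("size_t[1]")

-- True only where size_t and uint64_t have the same width, i.e. on 64-bit builds.
-- On the 32-bit ARM system in the report this returns false, and a uint64_t[1]
-- passed as the third argument is rejected with "cannot convert 'uint64_t' to
-- 'unsigned int *'".
local function uint64_matches_size_t()
  return ffi.sizeof("size_t") == ffi.sizeof("uint64_t")
end

-- Portable out-length buffer: correct on both 32- and 64-bit targets because it is
-- declared with the type the C prototype uses, not with a fixed-width integer.
local function new_outlen(initial)
  local buf = size_t_box()
  buf[0] = initial or 0
  return buf
end

-- Read back through tonumber: on 64-bit LuaJIT a size_t element is a cdata integer.
local function outlen_value(buf)
  return tonumber(buf[0])
end

return {
  uint64_matches_size_t = uint64_matches_size_t,
  new_outlen            = new_outlen,
  outlen_value          = outlen_value,
}
```

The same rule applies to every `*len` out-parameter in the FFI declarations: match the C type name rather than assuming its width.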

"u.peer.connection.ssl is nil" after a successful sslhandshake on ARMv7

Hello!

I am trying to get the server certificate from a tcp socket.
I do (roughly):

local openssl = require("resty.openssl");
openssl.load_modules();
local serv = ngx.socket.tcp();
local ok, err=serv:connect(dest_addr, dest_port);
local session, err = serv:sslhandshake(nil, "example.com");
local sslsess, err = openssl.ssl.from_socket(serv);
local cert = sslsess:get_peer_certificate();

And at the last stage I am getting "u.peer.connection.ssl is nil" and sslsess is actually nil. I've checked all the other errors - and there are no errors before the "from_socket" call. What am I doing wrong?

API change in OpenSSL 3.x

https://www.openssl.org/docs/manmaster/man7/migration_guide.html

  • Library context (for non-global provider)

  • EVP_PKEY_get_x_params to replace TYPE_get0_PRARM, EVP_PKEY_fromdata to replace TYPE_set0_x (pkey:get_parameters/pkey:set_parameters)

    • RSA_get0_x, RSA_set0_x
    • DH_get0_x
    • EC_KEY_get0_x, EC_KEY_set0_x
  • EVP_PKEY_new to replace TYPE_new (load_jwk)

    • RSA_new
    • EC_KEY_new
    • DH_new_by_id
  • EVP_PKEY_from_data to replace EVP_PKEY_assign (load_jwk)

  • BN_check_prime to replace BN_is_prime_ex

  • EC_POINT_bn2point, EC_POINT_point2bn were not particularly useful, since EC point serialization formats are not individual big-endian integers. (load_jwk)

  • EC_POINT_get_affine_coordinates to replace EC_POINT_get_affine_coordinates_x (dump_jwk)

  • ERR_get_error_line, ERR_peek_last_error_line?

Documentation for pkey:verify inconsistent

Hi,

I stumbled upon the pkey:verify method.
The documentation states that in case of a verification failure of the signature, it will return false and no error. The documentation and the code are inconsistent because an error is also returned for invalid signatures.

I think either the documentation or code needs to be updated.

Kind regards,
Manuel


Manuel Gugel <manuel_sebastian.gugel@mercedes-benz.com>, Mercedes-Benz Tech Innovation GmbH, imprint

Gregor Gebhardt <gregor.gebhardt@mercedes-benz.com>, Mercedes-Benz Tech Innovation GmbH, imprint
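An added example (mine, not the reporter's and not lua-resty-openssl's own code) showing how to consume `pkey:verify` so the documented/actual return-shape difference does not matter: both `false` and `nil, err` are treated as rejection, and only a literal `true` is accepted. The self-test signs with a throwaway RSA key, then tampers with the signature and with the message; `sign`/`verify` take the message and a digest name as in the library's current API, and the `bit` module is LuaJIT's.

```lua
-- Added example; not from the issue and not library code.
local pkey = require("resty.openssl.pkey")
local bit  = require("bit")

-- Fail closed: accept only an explicit true. Whether a bad signature comes back as
-- "false" (as the documentation says) or as "nil, err" (as the code does) makes no
-- difference to the caller's decision.
local function signature_is_valid(pk, sig, msg)
  local ok, err = pk:verify(sig, msg, "sha256")
  if ok ~= true then
    return false, err or "signature mismatch"
  end
  return true
end

-- Round trip with a throwaway key (constructed for this example).
local function self_test()
  local pk  = assert(pkey.new({ type = "RSA", bits = 2048 }))
  local msg = "payload to protect"
  local sig = assert(pk:sign(msg, "sha256"))

  local ok_good = signature_is_valid(pk, sig, msg)

  -- flip one bit in the signature
  local bad_sig = sig:sub(1, 10) .. string.char(bit.bxor(sig:byte(11), 1)) .. sig:sub(12)
  local ok_bad_sig = signature_is_valid(pk, bad_sig, msg)

  -- change the message instead
  local ok_bad_msg = signature_is_valid(pk, sig, msg .. "x")

  return ok_good == true and ok_bad_sig == false and ok_bad_msg == false
end

return { signature_is_valid = signature_is_valid, self_test = self_test }
```

`self_test()` returns true on a working install regardless of which of the two return shapes the installed version uses, which is the property a caller should rely on.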

module 'resty.openssl.include.x509' not found

I installed the lua code with opm -cwd get fffonion/lua-resty-openssl, the installed version is 0.8.1.

Expected:
Module loading should work.

Actual:
I don't know why, but it seems that it ignores the x509/init.lua file on manually included files, even though it tries them on all the default paths.

I get following exception during startup:

nginx: [error] init_by_lua error: ...ects/project/resty_modules/lualib/resty/openssl/pkey.lua:13: module 'resty.openssl.include.x509' not found:
	no field package.preload['resty.openssl.include.x509']
	no file '/home/me/projects/project/resty_modules/lualib/resty/openssl/include/x509.ljbc'
	no file '/home/me/projects/project/resty_modules/lualib/resty/openssl/include/x509.lua'
	no file '/home/me/projects/project/lua/resty/openssl/include/x509.ljbc'
	no file '/home/me/projects/project/lua/resty/openssl/include/x509.lua'
	no file '/opt/openresty/site/lualib/resty/openssl/include/x509.ljbc'
	no file '/opt/openresty/site/lualib/resty/openssl/include/x509/init.ljbc'
	no file '/opt/openresty/lualib/resty/openssl/include/x509.ljbc'
	no file '/opt/openresty/lualib/resty/openssl/include/x509/init.ljbc'
	no file '/opt/openresty/site/lualib/resty/openssl/include/x509.lua'
	no file '/opt/openresty/site/lualib/resty/openssl/include/x509/init.lua'
	no file '/opt/openresty/lualib/resty/openssl/include/x509.lua'
	no file '/opt/openresty/lualib/resty/openssl/include/x509/init.lua'
	no file './resty/openssl/include/x509.lua'
	no file '/opt/openresty/luajit/share/luajit-2.1.0-beta3/resty/openssl/include/x509.lua'
	no file '/usr/local/share/lua/5.1/resty/openssl/include/x509.lua'
	no file '/usr/local/share/lua/5.1/resty/openssl/include/x509/init.lua'
	no file '/opt/openresty/luajit/share/lua/5.1/resty/openssl/include/x509.lua'
	no file '/opt/openresty/luajit/share/lua/5.1/resty/openssl/include/x509/init.lua'
	no file '/home/me/projects/project/resty_modules/lualib/resty/openssl/include/x509.so'
	no file '/opt/openresty/site/lualib/resty/openssl/include/x509.so'
	no file '/opt/openresty/lualib/resty/openssl/include/x509.so'
	no file './resty/openssl/include/x509.so'
	no file '/usr/local/lib/lua/5.1/resty/openssl/include/x509.so'
	no file '/opt/openresty/luajit/lib/lua/5.1/resty/openssl/include/x509.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no file '/home/me/projects/project/resty_modules/lualib/resty.so'
	no file '/opt/openresty/site/lualib/resty.so'
	no file '/opt/openresty/lualib/resty.so'
	no file './resty.so'
	no file '/usr/local/lib/lua/5.1/resty.so'
	no file '/opt/openresty/luajit/lib/lua/5.1/resty.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
	[C]: in function 'require'
	...ects/project/resty_modules/lualib/resty/openssl/pkey.lua:13: in main chunk
	[C]: in function 'require'
	init_by_lua:4: in main chunk

nginx / openresty config file:

worker_processes 2;

events {
    worker_connections 1024;
}

http {
    include mime.types;

    lua_package_path "$prefix/lua/?.ljbc;$prefix/lua/?.lua;$prefix/resty_modules/lualib/?.ljbc;$prefix/resty_modules/lualib/?.lua;;";
    lua_package_cpath "$prefix/resty_modules/lualib/?.so;;";
    init_by_lua_block {
        local openssl = require "resty.openssl"
        openssl.load_library()
        require "resty.openssl.pkey"
    }
    server {
        listen 8080 reuseport;

        location / {
            default_type 'text/plain';
            return 200 'running';
        }
    }
}

File tree generated by opm:

resty_modules
├── lualib
│   └── resty
│       ├── openssl
│       │   ├── asn1.lua
│       │   ├── auxiliary
│       │   │   ├── ctypes.lua
│       │   │   ├── jwk.lua
│       │   │   ├── nginx_c.lua
│       │   │   └── nginx.lua
│       │   ├── bn.lua
│       │   ├── cipher.lua
│       │   ├── ctx.lua
│       │   ├── dh.lua
│       │   ├── digest.lua
│       │   ├── ec.lua
│       │   ├── ecx.lua
│       │   ├── err.lua
│       │   ├── hmac.lua
│       │   ├── include
│       │   │   ├── asn1.lua
│       │   │   ├── bio.lua
│       │   │   ├── bn.lua
│       │   │   ├── conf.lua
│       │   │   ├── crypto.lua
│       │   │   ├── dh.lua
│       │   │   ├── ec.lua
│       │   │   ├── evp
│       │   │   │   ├── cipher.lua
│       │   │   │   ├── kdf.lua
│       │   │   │   ├── mac.lua
│       │   │   │   ├── md.lua
│       │   │   │   └── pkey.lua
│       │   │   ├── evp.lua
│       │   │   ├── hmac.lua
│       │   │   ├── objects.lua
│       │   │   ├── ossl_typ.lua
│       │   │   ├── param.lua
│       │   │   ├── pem.lua
│       │   │   ├── pkcs12.lua
│       │   │   ├── provider.lua
│       │   │   ├── rand.lua
│       │   │   ├── rsa.lua
│       │   │   ├── ssl.lua
│       │   │   ├── stack.lua
│       │   │   ├── x509
│       │   │   │   ├── altname.lua
│       │   │   │   ├── crl.lua
│       │   │   │   ├── csr.lua
│       │   │   │   ├── extension.lua
│       │   │   │   ├── init.lua
│       │   │   │   ├── name.lua
│       │   │   │   └── revoked.lua
│       │   │   ├── x509v3.lua
│       │   │   └── x509_vfy.lua
│       │   ├── kdf.lua
│       │   ├── mac.lua
│       │   ├── objects.lua
│       │   ├── param.lua
│       │   ├── pkcs12.lua
│       │   ├── pkey.lua
│       │   ├── provider.lua
│       │   ├── rand.lua
│       │   ├── rsa.lua
│       │   ├── ssl_ctx.lua
│       │   ├── ssl.lua
│       │   ├── stack.lua
│       │   ├── util.lua
│       │   ├── version.lua
│       │   └── x509
│       │       ├── altname.lua
│       │       ├── chain.lua
│       │       ├── crl.lua
│       │       ├── csr.lua
│       │       ├── extension
│       │       │   ├── dist_points.lua
│       │       │   └── info_access.lua
│       │       ├── extension.lua
│       │       ├── extensions.lua
│       │       ├── init.lua
│       │       ├── name.lua
│       │       ├── revoked.lua
│       │       └── store.lua
│       └── openssl.lua
├── manifest
│   ├── lua-resty-openssl.list
│   └── lua-resty-openssl.meta
├── pod
│   └── lua-resty-openssl-0.8.1
│       └── lua-resty-openssl-0.8.1.pod
└── resty.index
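An added configuration example serving both this report and the earlier "failed to load module `resty.openssl.*`" report with the freenginx build (my own, not from either reporter and not from the project): in both traces the loader tries only `.../openssl/x509.lua` under the custom directories and tries `.../x509/init.lua` only under OpenResty's default paths, because the custom `lua_package_path` entries contain `?.lua` patterns and no `?/init.lua` pattern, while `resty.openssl.x509` and `resty.openssl.include.x509` are directories entered through `init.lua` (see the opm file tree above). The directory names are the ones from the two configurations; the assertion in `init_by_lua_block` is my addition.

```nginx
http {
    # resty.openssl.x509, resty.openssl.include.x509 and similar modules are directories
    # whose entry point is <dir>/init.lua. Lua only looks there when the search path has
    # a "?/init.lua" pattern, so a path built from "?.lua" entries alone never finds them.
    #
    # Weak (first report): no "?/init.lua" for the custom directory, and the second entry
    # produces the "/usr/local/lib/resty/resty/..." attempts seen in the trace.
    #   lua_package_path '/usr/local/lib/?.lua;/usr/local/lib/resty/?.lua;';
    #
    # Corrected: pair every "?.lua" entry with "?/init.lua" and end with ";;" so that
    # OpenResty's built-in default paths stay appended.
    lua_package_path  '/usr/local/lib/?.lua;/usr/local/lib/?/init.lua;;';
    lua_package_cpath '/usr/local/lua/?.so;;';

    # For the opm layout of the second report the same pairing applies:
    #   lua_package_path "$prefix/lua/?.lua;$prefix/lua/?/init.lua;$prefix/resty_modules/lualib/?.lua;$prefix/resty_modules/lualib/?/init.lua;;";

    init_by_lua_block {
        -- fail at startup, with a readable message, instead of at the first TLS handshake
        assert(package.path:find("?/init.lua", 1, true),
               "lua_package_path lacks a ?/init.lua pattern; directory modules will not load")
        require("resty.openssl.x509")
        require("resty.openssl.pkey")
    }
}
```

After the change the `no file` list in the error, if it still appears, will show the `x509/init.lua` candidates under the custom directory, which is the quickest way to confirm the path is being searched as intended.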

Dependency to git for installation of version 0.8.2-1

When I install version 0.8.2-1 I get an error:

luarocks install lua-resty-openssl 0.8.2-1

Error: 'git' program not found. Make sure Git is installed and is available in your PATH (or you may want to edit the 'variables.GIT' value in file '/usr/local/openresty/luajit/etc/luarocks/config-5.1.lua')

After installing git the installation succeeded.

When I install the previous version I do not need to install git in my docker container.

When I check https://luarocks.org/modules/fffonion/lua-resty-openssl/0.8.2-1 there is no src download, with 0.8.1-1 there is. Is it on purpose there is no src download on the newer version?

It would be nice if there were no dependency on git to install the module. Is it possible to make the src download available on module install?

Public key construction creates alerts

I receive the following error when constructing a public key from an exponent and modulus:

ignoring stale global SSL error (SSL: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed)

This is how I'm constructing the key:

local key, err = pkey.new(json_text, {format = "JWK"})
...
local pem, err = key:to_PEM("public",false)

After a bit I get an alert in my nginx log with the error from above.

Regression since release 0.8.0

Hello,

I'm experiencing an issue which got introduced with release 0.8.0. Testing up to 0.7.5 shows no error. From 0.8.0 on, all releases show the following error:

Error ...al/openresty/luajit/share/lua/5.1/resty/openssl/hmac.lua:48: missing declaration for symbol EVP_MD_size

My code does the following call into resty.openssl:

local d, err = require("resty.openssl.hmac").new(jwt_secret, "sha1")

Do you have any idea what's going wrong?

best regards
Florian

Error when trying to decrypt WeChat Pay AEAD_AES_256_GCM encrypted text: cipher:final: EVP_CipherFinal_ex failed

Hi, I am trying to decrypt the encrypted text (AEAD_AES_256_GCM) sent by WeChat Pay (https://pay.weixin.qq.com/wiki/doc/apiv3/apis/chapter3_5_5.shtml) and it fails with cipher:final: EVP_CipherFinal_ex failed.

So I tried encrypting the same text with your library's aes-256-gcm and found that almost all of the characters match what WeChat Pay sends; only the last few characters differ (WeChat's ends with TxPo11gThp6ldZaomAaeB1, your library's ends with Q=):

WeChat ciphertext:

Fv0Lo+9D/umAGsuf0me2hfeKKSYzCwRga2ZNyap+ITSVB1lkiRYfaxQIxcQ+DFzsmhcBfP7lqmyK+ldu17vdXoh2ctIcdXO7skKFnLVQhTbE/pPqoAt/npXqa4YGAmUZXFDw1i/OM5muoKE3uOK54JqahsovwP7ixkb09gkoUnpOFQVu57glYn79XwoE3iVGLIojdszqCVaSS3a7EbIDKmSEvWsT0HB4eC2t5J6NhFyn/MCC5d1tcmmqcoa3hIdL4qDS2v4PiOis3x11dkDbcBYCRxwo4t+H78QgVUl/40ZcLAwYNF9rdfyFSt9lWedSHCPt0ulGebvrXLg+7CqMqL4QD4c/t007beHZgR5paMY6HOhOcHv/njETITx5m1tRUNOeatxNmdq5Q3J0BeB9GDcV5mGlgcx2njEfjnoWn3aPRfeTIYYzLT7BZP2hifhkJlF2qSTx3/So55qVtFLzt8DhBSKyzUrR40/Eb/pgmduiFxo/HfTvgDu9Cumphy1aB4UqvUks9+fK7JOiLN7To2rkXJsJFfqPCOrSN/u0ZFYgIFylOmTxPo11gThp6ldZaomAaeB1

lua-resty-openssl ciphertext:

…

Here is the code:

local key = string.rep("0", 32)
local iv = "gLm1Ft8R0tva"
local aad = "transaction"
local mode = "aes-256-gcm"

local to_be_encrypted = '{"mchid":"**","appid":"**","out_trade_no":"**","transaction_id":"**","trade_type":"JSAPI","trade_state":"SUCCESS","trade_state_desc":"支付成功","bank_type":"UPQUICKPASS_DEBIT","attach":"","success_time":"2023-01-28T14:25:02+08:00","payer":{"openid":"**"},"amount":{"total":10,"payer_total":10,"currency":"CNY","payer_currency":"CNY"}}'
local wx_encrypt = "<base64 ciphertext omitted>"  -- value not preserved in this copy of the report

local cipher = assert(require("resty.openssl.cipher").new(mode))
local encrypted = assert(cipher:encrypt(key, iv, to_be_encrypted, true, aad))

ngx.say("加密文本是否和微信支付一致: ", ngx.encode_base64(encrypted) == wx_encrypt)

local tag = assert(cipher:get_aead_tag())

-- ngx.say("tag is: ", ngx.encode_base64(tag), " ", #tag)

-- decrypting the text we encrypted ourselves works fine
local decrypted = assert(cipher:decrypt(key, iv, encrypted, true, aad, tag))
print(decrypted)
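An added example (mine, not from this report or from lua-resty-openssl) that serves two reports on this page: the `cipher:new("aes128-wrap")` error further up, where a colon call hands the module table to `EVP_get_cipherbyname`/`EVP_CIPHER_fetch` as the cipher name, and this one, where the library's output matches WeChat's except for the tail. The decoder below assumes the WeChat payload is ciphertext followed by the 16-byte GCM tag (an assumption consistent with the differing tail observed above, and with how the library's own `get_aead_tag()` would be appended), splits the two, and passes the tag to `decrypt`. It runs inside OpenResty because it uses `ngx.decode_base64`/`ngx.encode_base64`; the key, nonce and JSON in the self-test are constructed, not WeChat's.

```lua
-- Added example; not the reporter's code and not library code.
local cipher = require("resty.openssl.cipher")

local GCM_TAG_LEN = 16

-- Decrypt an AEAD_AES_256_GCM payload laid out as base64(ciphertext .. 16-byte tag).
-- Assumption: the tag is the trailing 16 bytes of the decoded payload.
local function decrypt_aead(key, nonce, aad, b64_payload)
  local raw = ngx.decode_base64(b64_payload)
  if not raw or #raw <= GCM_TAG_LEN then
    return nil, "payload is not base64 or shorter than one GCM tag"
  end
  local ct  = raw:sub(1, #raw - GCM_TAG_LEN)
  local tag = raw:sub(#raw - GCM_TAG_LEN + 1)

  -- cipher.new, not cipher:new: a colon call passes the module table as the cipher name
  -- and fails with "cannot convert 'table' to 'const char *'".
  local c, err = cipher.new("aes-256-gcm")
  if not c then return nil, err end

  -- decrypt(key, iv, s, no_padding, aad, tag): with a wrong tag, wrong AAD or modified
  -- ciphertext this fails at EVP_CipherFinal_ex, which is the intended fail-closed
  -- behaviour of an AEAD mode; without the tag it can never succeed.
  local plain, derr = c:decrypt(key, nonce, ct, true, aad, tag)
  if not plain then
    return nil, "authentication failed: " .. tostring(derr)
  end
  return plain
end

-- Round trip with constructed values (not WeChat's real key or data).
local function self_test()
  local key   = string.rep("0", 32)   -- 32-byte key for AES-256
  local nonce = "gLm1Ft8R0tva"        -- 12-byte GCM nonce
  local aad   = "transaction"
  local msg   = '{"hello":"world"}'

  local c   = assert(cipher.new("aes-256-gcm"))
  local ct  = assert(c:encrypt(key, nonce, msg, true, aad))
  local tag = assert(c:get_aead_tag())

  -- same layout as the incoming payload: ciphertext followed by the tag
  local payload = ngx.encode_base64(ct .. tag)

  local plain, err = decrypt_aead(key, nonce, aad, payload)
  if plain ~= msg then return false, err end

  -- a flipped AAD must be rejected
  local rejected = decrypt_aead(key, nonce, "other", payload) == nil
  return rejected
end

return { decrypt_aead = decrypt_aead, self_test = self_test }
```

For the real payload, `key` is the 32-byte APIv3 key, `nonce` and `aad` are the `nonce` and `associated_data` fields that accompany the `ciphertext` field, and `b64_payload` is the `ciphertext` field itself.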

loop or previous error loading module 'resty.openssl.version'

I'm using Lua Resty with Nginx on a brand new machine with debian bullseye.

Nginx:

access_by_lua {
     local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_ops)
}

Error log:

1360195#1360195: *5594350 lua entry thread aborted: runtime error: ...local/share/lua/5.1/resty/openssl/include/evp/cipher.lua:4: loop or previous error loading module 'resty.openssl.version'
stack traceback:
coroutine 0:
        [C]: in function 'require'
        /usr/local/share/lua/5.1/resty/openidc.lua:965: in function 'openidc_load_jwt_and_verify_crypto'
        /usr/local/share/lua/5.1/resty/openidc.lua:1052: in function 'openidc_load_and_validate_jwt_id_token'
        /usr/local/share/lua/5.1/resty/openidc.lua:1150: in function 'authenticate'
        access_by_lua(XX):41: in function <access_by_lua(XX):1>, client: XX, server: XX, request: "GET /XX

I have experimented and the error starts happening with version 1.2.0, versions up to 1.2.0 work correctly.

Symbol not found: sk_pop_free

I'm trying to load an X509 certificate, and I get this stack trace:

/nix/store/qk3yaqbsy8plc0y2ip9hspcz7fmlw9jf-luajit-2.1.0-2022-04-05/bin/lua: rocks/share/lua/5.1/resty/openssl/include/stack.lua:41: dlsym(RTLD_DEFAULT, OPENSSL_sk_pop_free): symbol not found
stack traceback:
	[C]: in function '__index'
	rocks/share/lua/5.1/resty/openssl/include/stack.lua:41: in main chunk
	[C]: in function 'require'
	...05-env/share/lua/5.1/resty/openssl/include/x509/init.lua:6: in main chunk
	[C]: in function 'require'
	rocks/share/lua/5.1/resty/openssl/pkey.lua:13: in main chunk
	[C]: in function 'require'
	./util/crypto.lua:12: in main chunk
	[C]: in function 'require'
	main.lua:7: in main chunk
	[C]: at 0x0104078470

Do you know what is causing it?

Crash when signature with invalid JWK is attempted

If an invalid JWK that is missing the private exponent p is passed to pkey.new() for the OKP type, the subsequent call to pkey:sign() will result in a crash and kill the worker.

Can be reproduced with:

local pkey, err = openssl_pkey.new(
  '{"kty" : "OKP", "crv" : "Ed25519","x" : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4"}',
  {format = "JWK"}
)
pkey:sign("something")

Using the following JWK instead works as expected: {"kty" : "OKP", "crv" : "Ed25519","x" : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", "d" : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}.
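As an added example (not the issue's repro and not lua-resty-openssl code), a calling-side guard that refuses to sign when the loaded JWK carries no private part, so a public-only key returns an error instead of reaching pkey:sign(). It uses pkey:is_private() and the JWK values quoted in the issue.

```lua
-- Added example: reject signing with a public-only JWK before pkey:sign() is called.
local pkey = require("resty.openssl.pkey")

-- JWKs from the issue: the first lacks "d", the second includes it.
local public_jwk = '{"kty":"OKP","crv":"Ed25519","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4"}'
local private_jwk = '{"kty":"OKP","crv":"Ed25519","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",'
                 .. '"d":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}'

-- Load a JWK and sign; returns nil, err instead of crashing when "d" is absent.
local function sign_with_jwk(jwk, data)
  local k, err = pkey.new(jwk, { format = "JWK" })
  if not k then
    return nil, "load JWK: " .. tostring(err)
  end
  if not k:is_private() then
    return nil, 'JWK has no private key (missing "d"), refusing to sign'
  end
  return k:sign(data)   -- Ed25519: one-shot signature, no digest argument
end

local sig, err = sign_with_jwk(public_jwk, "something")
assert(sig == nil and err, "public-only key must be rejected")

sig = assert(sign_with_jwk(private_jwk, "something"))
local pub = assert(pkey.new(public_jwk, { format = "JWK" }))
assert(pub:verify(sig, "something"), "signature must verify with the public key")
```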

Iterating over x509.altname stack crashes when encountering type IP

From time to time I am getting a certificate which has the altname IP-type fields present. I don't really need them, but I still need to iterate over all altnames to retrieve the needed ones, and iteration crashes when encountering the IP type.
Replacing the error("NYI") with v = "NOTIMPLEMENTED" helped, but that's more of a hack than a solution.
I wonder if it is possible to somehow patch it so that it doesn't crash on non-implemented/unknown altname types.

aux is a reserved name in Windows

This package can't be used in Windows as is due to aux being a reserved name. I needed to rename the folder and references to the files in the folder in order to get this package working.

I would suggest changing that folder to a new name.

Read custom X509 extension

Hi, how can I read the value of a custom x509 certificate extension?
I have a user certificate that contains the '1.2.840.10070.8.1' OID (https://oidref.com/1.2.840.10070). This OID contains the value for the user RBAC role that I need to manage in nginx.

Using the get_extension method, passing the '1.2.840.10070.8.1' value, the result value is nil.

Is lua-resty-openssl-aux-module still required to run lua-resty-openssl in production?

We are using official OpenResty Docker images as base, e.g. openresty/openresty:1.19.9.1-1-alpine-fat and installing pgmoon into it

luarocks install pgmoon

in order to access Postgres.

After upgrading the Postgres from 12.x to 14.x we ran into

[error] 216#216: *1 lua entry thread aborted: runtime error: /usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: module 'resty.openssl.ssl' not found:
 	no field package.preload['resty.openssl.ssl']
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
 	no file './resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/openssl/ssl.lua'
 	no file '/usr/local/share/lua/5.1/resty/openssl/ssl.lua'
 	no file '/usr/local/share/lua/5.1/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
 	no file './resty/openssl/ssl.so'
 	no file '/usr/local/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/lib/lua/5.1/loadall.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/site/lualib/resty.so'
 	no file '/usr/local/openresty/lualib/resty.so'
 	no file '/usr/local/openresty/site/lualib/resty.so'
 	no file '/usr/local/openresty/lualib/resty.so'
 	no file './resty.so'
 	no file '/usr/local/lib/lua/5.1/resty.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
 	no file '/usr/local/lib/lua/5.1/loadall.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
 stack traceback:
 coroutine 0:
 	[C]: in function 'require'
 	/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: in function 'auth'
 	/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'

and OpenResty couldn't connect to Postgres anymore.

The fix was to add lua-resty-openssl

luarocks install lua-resty-openssl

Now the connection works, but we are getting following warnings

[lua] nginx.lua:260: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production.

It looks like we need to install https://github.com/fffonion/lua-resty-openssl-aux-module

But, as far as I understand it, we would need to build OpenResty from source to do so.

Is lua-resty-openssl-aux-module still required to run in production?

What are the drawbacks running lua-resty-openssl in production without lua-resty-openssl-aux-module?

Is there a way to add lua-resty-openssl-aux-module to the official OpenResty Docker image without building from source?

Thanks!

nginx using boringssl start failed

When using BoringSSL, it fails to start. Any suggestions?

    --with-openssl=../quiche/quiche/deps/boringssl \
    --with-quiche=../quiche \

nginx config

    init_by_lua_block {
        require("resty.acme.autossl").init({
            -- setting the following to true
            -- implies that you read and accepted https://letsencrypt.org/repository/
            tos_accepted = true,
            -- uncomment following for first time setup
            -- staging = true,
            -- uncomment following to enable RSA + ECC double cert
            domain_key_types = { "rsa", "ecc" },
            -- uncomment following to enable tls-alpn-01 challenge
            -- enabled_challenge_handlers = { "http-01", "tls-alpn-01" },
            account_key_path = "/etc/nginx/account.key",
            account_email = "n@example.com",
            -- domain_whitelist = { "example.com" },
            domain_whitelist_callback = function(domain, is_new_cert_needed)
                return true
            end,
            renew_check_interval = 24 * 3600,
            storage_adapter = "file",
            storage_config = {
                dir = "/etc/nginx/acme",
            },
        })
    }

    init_worker_by_lua_block {
        require("resty.acme.autossl").init_worker()
    }

error log

nginx: [error] init_by_lua error: /etc/nginx/lualib/resty/openssl/version.lua:60: OpenSSL has encountered an error: /etc/nginx/lualib/resty/openssl/version.lua:45: /usr/local/lib/libluajit-5.1.so.2: undefined symbol: SSLeay; is OpenSSL library loaded?
stack traceback:
	[C]: in function 'error'
	/etc/nginx/lualib/resty/openssl/version.lua:60: in main chunk
	[C]: in function 'require'
	/etc/nginx/lualib/resty/acme/openssl.lua:4: in main chunk
	[C]: in function 'require'
	/etc/nginx/lualib/resty/acme/util.lua:4: in main chunk
	[C]: in function 'require'
	/etc/nginx/lualib/resty/acme/client.lua:3: in main chunk
	[C]: in function 'require'
	/etc/nginx/lualib/resty/acme/autossl.lua:2: in main chunk
	[C]: in function 'require'
	init_by_lua:2: in main chunk

nginx info

[root@8635137b486f lualib]# nginx -V
nginx version: nginx/1.20.2
built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-cc-opt=-DTCP_FASTOPEN=23 --with-ld-opt='-ljemalloc -Wl,-rpath,/usr/local/lib' --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-http_xslt_module=dynamic --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-threads --with-openssl=../quiche/quiche/deps/boringssl --with-quiche=../quiche --add-module=./module/ngx_brotli --add-module=./module/njs/nginx --add-module=./module/ngx_devel_kit-0.3.1 --add-module=./module/lua-nginx-module-0.10.20 --add-module=./module/stream-lua-nginx-module-0.0.10 --add-module=./module/nginx-rtmp-module --add-module=./module/nginx-client-module --add-module=./module/nginx-multiport-module --add-module=./module/nginx-toolkit-module --add-dynamic-module=./module/dynamic/ngx_waf --add-dynamic-module=./module/dynamic/ngx_http_geoip2_module --add-dynamic-module=./module/dynamic/echo-nginx-module --add-dynamic-module=./module/dynamic/headers-more-nginx-module --add-dynamic-module=./module/dynamic/srcache-nginx-module --add-dynamic-module=./module/dynamic/ngx_http_substitutions_filter_module

ldd /usr/sbin/nginx

[root@8635137b486f lualib]# ldd /usr/sbin/nginx
	linux-vdso.so.1 =>  (0x00007ffc9a114000)
	libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007fafe1e74000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fafe1c70000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fafe1a54000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fafe181d000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fafe151b000)
	libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007fafe22af000)
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x00007fafe225b000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fafe1305000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fafe0f37000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fafe2119000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fafe0c2f000)
	libfreebl3.so => /lib64/libfreebl3.so (0x00007fafe0a2c000)

BoringSSL not working

Hi, how could this error be resolved?

journalctl -xe [log]

nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/resty/openssl/version.lua:60: OpenSSL has encountered an error: /usr/local/share/lua/5.1/resty/openssl/version.lua:45: /usr/local/lib/libluajit-5.1.so.2: undefined symbol: SSLeay; is OpenSSL library loaded?

Aug 18 15:44:15 localserver nginx[71449]: stack traceback:
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'error'
Aug 18 15:44:15 localserver nginx[71449]:         /usr/local/share/lua/5.1/resty/openssl/version.lua:60: in main chunk
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'require'
Aug 18 15:44:15 localserver nginx[71449]:         /usr/local/share/lua/5.1/resty/acme/openssl.lua:4: in main chunk
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'require'
Aug 18 15:44:15 localserver nginx[71449]:         /usr/local/share/lua/5.1/resty/acme/util.lua:4: in main chunk
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'require'
Aug 18 15:44:15 localserver nginx[71449]:         /usr/local/share/lua/5.1/resty/acme/client.lua:3: in main chunk
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'require'
Aug 18 15:44:15 localserver nginx[71449]:         /usr/local/share/lua/5.1/resty/acme/autossl.lua:2: in main chunk
Aug 18 15:44:15 localserver nginx[71449]:         [C]: in function 'require'
Aug 18 15:44:15 localserver nginx[71449]:         init_by_lua:3: in main chunk
Aug 18 15:44:15 localserver systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

nginx -V

root@localserver:/etc/nginx# nginx -V
nginx version: nginx/1.19.6
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-openssl=quiche/quiche/deps/boringssl --with-quiche=quiche --with-http_ssl_module --with-http_v2_module --with-http_v3_module --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --with-pcre --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_ssl_module --with-http_sub_module --with-http_image_filter_module=dynamic --modules-path=/etc/nginx/modules --add-module=modules/ngx_devel_kit-0.3.1 --add-module=modules/ngx_pagespeed --add-module=modules/ngx_brotli --add-module=modules/headers-more-nginx-module-0.33 --add-module=modules/lua-nginx-module-0.10.21 --with-cc-opt='-I quiche/quiche/deps/boringssl/include' --with-ld-opt='-L quiche/quiche/deps/boringssl/build/ssl -L quiche/quiche/deps/boringssl/build/crypto'

How to verify a signature ?

Hi there,
I have an issue with the resty.openssl.bn new method.
Here is my code:

local public_key = "04bccc9cf60be6a6aa7f01f582e81559ab0789d8710c9a0d73450e999156d1aeb7c1bb45f5faafb7d27ac18b570025abdb892244cfeb0d5e15959e5a9a7af77764"

local openssl_bn = require("resty.openssl.bn")

local public_key_bn = assert(openssl_bn.new(public_key, 16))

It raises a runtime error: /usr/local/openresty/lua/signature.lua:15: expect nil or a number at #1

Basically I want to convert this ruby code

group = OpenSSL::PKey::EC::Group.new(cryptographic_primitive)
key = OpenSSL::PKey::EC.new(group)
public_key_bn = OpenSSL::BN.new(public_key, 16)
key.public_key = OpenSSL::PKey::EC::Point.new(group, public_key_bn)
valid = key.dsa_verify_asn1(Base64.decode64(b64_hash), Base64.decode64(b64_signature))

Any thoughts?

module 'resty.openssl.x509' not found

resty.openssl.x509 not working.
I want to solve this.

1. Installation on amazon linux 2

yum install -y gcc gcc-c++ make tar wget lua-devel pcre-devel openssl-devel

cd /usr/local/src

wget https://github.com/openresty/luajit2/archive/v2.1-20231117.tar.gz
tar -zxvf v2.1-20231117.tar.gz
cd luajit2-2.1-20231117
make
make install
cd ..

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1

wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.3.tar.gz
tar -zxvf v0.3.3.tar.gz

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.25.tar.gz
tar -zxvf v0.10.25.tar.gz

wget 'https://openresty.org/download/nginx-1.19.3.tar.gz'
tar -xzvf nginx-1.19.3.tar.gz
cd nginx-1.19.3/
./configure --prefix=/opt/nginx \
         --with-http_ssl_module \
         --with-ld-opt="-Wl,-rpath,/usr/local/lib" \
         --add-module=/usr/local/src/ngx_devel_kit-0.3.3 \
         --add-module=/usr/local/src/lua-nginx-module-0.10.25
make
make install
cd ..

wget https://github.com/openresty/lua-resty-core/archive/v0.1.27.tar.gz
tar -zxvf v0.1.27.tar.gz
cd lua-resty-core-0.1.27/
make install PREFIX=/opt/nginx
cd ..

wget https://github.com/openresty/lua-resty-lrucache/archive/v0.13.tar.gz
tar -zxvf v0.13.tar.gz
cd lua-resty-lrucache-0.13
make install PREFIX=/opt/nginx
cd ..

wget https://github.com/fffonion/lua-resty-openssl/archive/refs/tags/0.8.26.tar.gz
tar -zxvf 0.8.26.tar.gz
cd lua-resty-openssl-0.8.26/
make install PREFIX=/opt/nginx
cd ..

/opt/nginx/sbin/nginx

2. Nginx configuration

worker_processes auto;
error_log /var/log/error.log;
pid /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    log_format main escape=json '{"time": "$time_iso8601",'
    '"client": "$remote_addr",'
    '"vhost": "$host",'
    '"status": "$status",'
    '"protocol": "$server_protocol",'
    '"method": "$request_method",'
    '"path": "$request_uri",'
    '"req": "$request",'
    '"size": "$body_bytes_sent",'
    '"reqtime": "$request_time",'
    '"apptime": "$upstream_response_time",'
    '"user_agent": "$http_user_agent",'
    '"forwarded_for": "$http_x_forwarded_for",'
    '"forwarded_proto": "$http_x_forwarded_proto",'
    '"referer": "$http_referer"}';

    access_log  /var/log/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include       mime.types;
    lua_package_path "/opt/nginx/lib/lua/?.lua;;";
    default_type  application/octet-stream;

    server {
        listen       80;
        server_name  localhost;

        location / {
            content_by_lua_block {
                ngx.say("Hello, Lua!")
            }
        }

        location /put {
            access_by_lua_file /opt/cert/mtls.lua;
            proxy_pass https://httpbin.org;
        }
    }
}

3. Create mtls.lua file

local openssl_x509 = require("resty.openssl.x509")

local function authenticate_with_cert(cert_pem)
    if not cert_pem or cert_pem == "" then
        ngx.log(ngx.ERR, "ERROR")
        return false
    end

    local cert, err = openssl_x509.new(cert_pem)
    if not cert then
        ngx.log(ngx.ERR, "ERROR: ", err)
        return false
    end

    if not cert:valid_at() then
        ngx.log(ngx.ERR, "ERROR")
        return false
    end

    -- read the CA certificate and close the handle; fail loudly if either step fails
    local f = assert(io.open("/opt/cert/rootCA.pem", "r"))
    local ca_cert_pem = f:read("*a")
    f:close()
    local ca_cert = assert(openssl_x509.new(ca_cert_pem))

    if not cert:verify(ca_cert:get_pubkey()) then
        ngx.log(ngx.ERR, "ERROR")
        return false
    end

    return true
end

local client_cert = ngx.req.get_headers()["X-Client-Cert"]

if not authenticate_with_cert(client_cert) then
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

4. Http request

curl -H 'X-Client-Cert: aaa' -X PUT http://localhost/put

5. Error found

2023/12/26 13:52:55 [error] 9774#0: *553 lua entry thread aborted: runtime error: /opt/cert/mtls.lua:1: module 'resty.openssl.x509' not found:
	no field package.preload['resty.openssl.x509']
	no file '/opt/nginx/lib/lua/resty/openssl/x509.lua'
	no file './resty/openssl/x509.lua'
	no file '/usr/local/share/luajit-2.1/resty/openssl/x509.lua'
	no file '/usr/local/share/lua/5.1/resty/openssl/x509.lua'
	no file '/usr/local/share/lua/5.1/resty/openssl/x509/init.lua'
	no file './resty/openssl/x509.so'
	no file '/usr/local/lib/lua/5.1/resty/openssl/x509.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no file './resty.so'
	no file '/usr/local/lib/lua/5.1/resty.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
coroutine 0:
	[C]: in function 'require'
	/opt/cert/mtls.lua:1: in main chunk, client: 127.0.0.1, server: localhost, request: "PUT /put HTTP/1.1", host: "localhost"

Makefile doesn't install all files

It has

$(INSTALL) lib/resty/openssl*.lua $(DESTDIR)$(LUA_LIB_DIR)/resty/
$(INSTALL) lib/resty/openssl/*.lua $(DESTDIR)$(LUA_LIB_DIR)/resty/openssl/

but this misses "auxiliary", "include" and "x509" subdirs in resty/openssl/ dir

I guess the same problem was in #2

can't find the module x509

When I try to use require("openssl"),
the program causes an error like this:
resty/openssl/pkey.lua:15: module 'resty.openssl.include.x509' not found:
no field package.preload['resty.openssl.include.x509']

and I didn't find the x509.lua in the directory of include.

nginx: [error] init_by_lua error: resty.openssl.auxiliary.nginx doesn't support Nginx version 1026000

nginx: [error] init_by_lua error: resty.openssl.auxiliary.nginx doesn't support Nginx version 1026000
  | stack traceback:
  |   [C]: in function 'error'
  |   /usr/local/lib/resty/openssl/auxiliary/nginx.lua:128: in main chunk
  |   [C]: in function 'require'
  |   /usr/local/lib/resty/openssl/ssl_ctx.lua:9: in main chunk
  |   [C]: in function 'require'
  |   /usr/local/lib/resty/acme/challenge/tls-alpn-01.lua:11: in main chunk
  |   [C]: in function 'require'
  |   /usr/local/lib/resty/acme/client.lua:115: in function 'new'
  |   /usr/local/lib/resty/acme/autossl.lua:471: in function 'init'
  |   init_by_lua(waf/init.conf:1):15: in main chunk.

F5 nginx: https://nginx.org/en/download.html
free nginx: https://freenginx.org/en/download.html
