Add experimental mTLS support (#263)

* Add experimental support for mTLS

Note this requires patches to OpenResty not yet available in mainline.

* Loosen test cases to expect either cdata or userdata

* Skip mTLS test for CI

* Improve connection error messages

Author: pintsized

lib/resty/http_connect.lua

@@ -1,6 +1,8 @@
 local ngx_re_gmatch = ngx.re.gmatch
 local ngx_re_sub = ngx.re.sub
 local ngx_re_find = ngx.re.find
+local ngx_log = ngx.log
+local ngx_WARN = ngx.WARN
 
 --[[
 A connection function that incorporates:
@@ -28,6 +30,19 @@ client:connect {
     ssl_verify = true,      -- NOTE: defaults to true
     ctx = nil,              -- NOTE: not supported
 
+    -- mTLS options (experimental!)
+    --
+    -- !!! IMPORTANT !!! These options require support for mTLS in cosockets,
+    -- which is currently only available in the following unmerged PRs.
+    --
+    -- * https://github.com/openresty/lua-nginx-module/pull/1602
+    -- * https://github.com/openresty/lua-resty-core/pull/278
+    --
+    -- The details of this feature may change. You have been warned!
+    --
+    ssl_client_cert = nil,
+    ssl_client_priv_key = nil,
+
     proxy_opts,             -- proxy opts, defaults to global proxy options
 }
 ]]
@@ -54,7 +69,8 @@ local function connect(self, options)
     end
 
     -- ssl settings
-    local ssl, ssl_reused_session, ssl_server_name, ssl_verify, ssl_send_status_req
+    local ssl, ssl_reused_session, ssl_server_name
+    local ssl_verify, ssl_send_status_req, ssl_client_cert, ssl_client_priv_key
     if request_scheme == "https" then
         ssl = true
         ssl_reused_session = options.ssl_reused_session
@@ -64,6 +80,8 @@ local function connect(self, options)
         if options.ssl_verify == false then
             ssl_verify = false
         end
+        ssl_client_cert = options.ssl_client_cert
+        ssl_client_priv_key = options.ssl_client_priv_key
     end
 
     -- proxy related settings
@@ -138,7 +156,7 @@ local function connect(self, options)
         local proxy_uri_t
         proxy_uri_t, err = self:parse_uri(proxy_uri)
         if not proxy_uri_t then
-            return nil, err
+            return nil, "uri parse error: ", err
         end
 
         local proxy_scheme = proxy_uri_t[1]
@@ -172,7 +190,9 @@ local function connect(self, options)
         -- proxy based connection
         ok, err = sock:connect(proxy_host, proxy_port, tcp_opts)
         if not ok then
-            return nil, err
+            return nil, "failed to connect to: " .. (proxy_host or "") ..
+                        ":" .. (proxy_port or "") ..
+                        ": ", err
         end
 
         if ssl and sock:getreusedtimes() == 0 then
@@ -192,7 +212,7 @@ local function connect(self, options)
             })
 
             if not res then
-                return nil, err
+                return nil, "failed to issue CONNECT to proxy:", err
             end
 
             if res.status < 200 or res.status > 299 then
@@ -218,6 +238,21 @@ local function connect(self, options)
     local ssl_session
     -- Now do the ssl handshake
     if ssl and sock:getreusedtimes() == 0 then
+
+        -- Experimental mTLS support
+        if ssl_client_cert and ssl_client_priv_key then
+          if type(sock.setclientcert) ~= "function" then
+            ngx_log(ngx_WARN, "cannot use SSL client cert and key without mTLS support")
+
+          else
+            -- currently no return value
+            ok, err = sock:setclientcert(ssl_client_cert, ssl_client_priv_key)
+            if not ok then
+              ngx_log(ngx_WARN, "could not set client certificate: ", err)
+            end
+          end
+        end
+
         ssl_session, err = sock:sslhandshake(ssl_reused_session, ssl_server_name, ssl_verify, ssl_send_status_req)
         if not ssl_session then
             self:close()

t/19-ssl_reused_session.t

@@ -57,7 +57,7 @@ __DATA__
                 host = TEST_SERVER_SOCK,
             })
 
-            assert(type(session) == "userdata", "expected session to be userdata")
+            assert(type(session) == "userdata" or type(session) == "cdata", "expected session to be userdata or cdata")
             assert(httpc:close())
         }
     }
@@ -113,7 +113,7 @@ GET /t
                 host = TEST_SERVER_SOCK,
             })
 
-            assert(type(session) == "userdata", "expected session to be userdata")
+            assert(type(session) == "userdata" or type(session) == "cdata", "expected session to be userdata or cdata")
 
             local httpc2 = assert(require("resty.http").new())
             local ok, err, session2 = assert(httpc2:connect {
@@ -122,7 +122,7 @@ GET /t
                 ssl_reused_session = session,
             })
 
-            assert(type(session2) == "userdata", "expected session2 to be userdata")
+            assert(type(session2) == "userdata" or type(session2) == "cdata", "expected session2 to be userdata or cdata")
 
             assert(httpc:close())
             assert(httpc2:close())

t/20-mtls.t

@@ -0,0 +1,211 @@
+use Test::Nginx::Socket::Lua 'no_plan';
+
+
+#$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';
+#$ENV{TEST_COVERAGE} ||= 0;
+
+log_level 'debug';
+
+no_long_string();
+#no_diff();
+
+sub read_file {
+    my $infile = shift;
+    open my $in, $infile
+        or die "cannot open $infile for reading: $!";
+    my $cert = do { local $/; <$in> };
+    close $in;
+    $cert;
+}
+
+our $MTLSCA = read_file("t/cert/mtls_ca.crt");
+our $MTLSClient = read_file("t/cert/mtls_client.crt");
+our $MTLSClientKey = read_file("t/cert/mtls_client.key");
+our $TestCert = read_file("t/cert/test.crt");
+our $TestKey = read_file("t/cert/test.key");
+
+our $HtmlDir = html_dir;
+
+use Cwd qw(cwd);
+my $pwd = cwd();
+
+our $mtls_http_config = <<"_EOC_";
+    lua_package_path "$pwd/lib/?.lua;/usr/local/share/lua/5.1/?.lua;;";
+server {
+    listen unix:$::HtmlDir/mtls.sock ssl;
+
+    ssl_certificate        $::HtmlDir/test.crt;
+    ssl_certificate_key    $::HtmlDir/test.key;
+    ssl_client_certificate $::HtmlDir/mtls_ca.crt;
+    ssl_verify_client      on;
+    server_tokens          off;
+    server_name            example.com;
+
+    location / {
+        echo -n "hello, \$ssl_client_s_dn";
+    }
+}
+_EOC_
+
+our $mtls_user_files = <<"_EOC_";
+>>> mtls_ca.crt
+$::MTLSCA
+>>> mtls_client.key
+$::MTLSClientKey
+>>> mtls_client.crt
+$::MTLSClient
+>>> test.crt
+$::TestCert
+>>> test.key
+$::TestKey
+_EOC_
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Connection fails during handshake without client cert and key
+--- http_config eval: $::mtls_http_config
+--- config eval
+"
+lua_ssl_trusted_certificate $::HtmlDir/test.crt;
+location /t {
+    content_by_lua_block {
+        local httpc = assert(require('resty.http').new())
+
+        local ok, err = httpc:connect {
+          scheme = 'https',
+          host = 'unix:$::HtmlDir/mtls.sock',
+        }
+
+        if ok and not err then
+          local res, err = assert(httpc:request {
+            method = 'GET',
+            path = '/',
+            headers = {
+              ['Host'] = 'example.com',
+            },
+          })
+
+          ngx.status = res.status -- expect 400
+        end
+
+        httpc:close()
+    }
+}
+"
+--- user_files eval: $::mtls_user_files
+--- request
+GET /t
+--- error_code: 400
+--- no_error_log
+[error]
+[warn]
+
+
+=== TEST 2: Connection fails during handshake with not priv_key
+--- http_config eval: $::mtls_http_config
+--- SKIP
+--- config eval
+"
+lua_ssl_trusted_certificate $::HtmlDir/test.crt;
+location /t {
+    content_by_lua_block {
+        local f = assert(io.open('$::HtmlDir/mtls_client.crt'))
+        local cert_data = f:read('*a')
+        f:close()
+
+        local ssl = require('ngx.ssl')
+
+        local cert = assert(ssl.parse_pem_cert(cert_data))
+
+        local httpc = assert(require('resty.http').new())
+
+        local ok, err = httpc:connect {
+          scheme = 'https',
+          host = 'unix:$::HtmlDir/mtls.sock',
+          ssl_client_cert = cert,
+          ssl_client_priv_key = 'foo',
+        }
+
+        if ok and not err then
+          local res, err = assert(httpc:request {
+            method = 'GET',
+            path = '/',
+            headers = {
+              ['Host'] = 'example.com',
+            },
+          })
+
+          ngx.say(res:read_body())
+        end
+
+        httpc:close()
+    }
+}
+"
+--- user_files eval: $::mtls_user_files
+--- request
+GET /t
+--- error_code: 200
+--- error_log
+could not set client certificate: bad client pkey type
+--- response_body_unlike: hello, CN=foo@example.com,O=OpenResty,ST=California,C=US
+
+
+=== TEST 3: Connection succeeds with client cert and key. SKIP'd for CI until feature is merged.
+--- SKIP
+--- http_config eval: $::mtls_http_config
+--- config eval
+"
+lua_ssl_trusted_certificate $::HtmlDir/test.crt;
+
+location /t {
+    content_by_lua_block {
+        local f = assert(io.open('$::HtmlDir/mtls_client.crt'))
+        local cert_data = f:read('*a')
+        f:close()
+
+        f = assert(io.open('$::HtmlDir/mtls_client.key'))
+        local key_data = f:read('*a')
+        f:close()
+
+        local ssl = require('ngx.ssl')
+
+        local cert = assert(ssl.parse_pem_cert(cert_data))
+        local key = assert(ssl.parse_pem_priv_key(key_data))
+
+        local httpc = assert(require('resty.http').new())
+
+        local ok, err = httpc:connect {
+          scheme = 'https',
+          host = 'unix:$::HtmlDir/mtls.sock',
+          ssl_client_cert = cert,
+          ssl_client_priv_key = key,
+        }
+
+        if ok and not err then
+          local res, err = assert(httpc:request {
+            method = 'GET',
+            path = '/',
+            headers = {
+              ['Host'] = 'example.com',
+            },
+          })
+
+          ngx.say(res:read_body())
+        end
+
+        httpc:close()
+    }
+}
+"
+--- user_files eval: $::mtls_user_files
+--- request
+GET /t
+--- no_error_log
+[error]
+[warn]
+--- response_body
+hello, CN=foo@example.com,O=OpenResty,ST=California,C=US
+

t/cert/mtls_ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpTCCA42gAwIBAgIUfTh89NyxxmbVwNZ/YFddssWc+WkwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAoM
+CU9wZW5SZXN0eTEiMCAGA1UEAwwZT3BlblJlc3R5IFRlc3RpbmcgUm9vdCBDQTAe
+Fw0xOTA5MTMyMjI4MTJaFw0zOTA5MDgyMjI4MTJaMFoxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlPcGVuUmVzdHkxIjAgBgNVBAMM
+GU9wZW5SZXN0eSBUZXN0aW5nIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDcMg2DeV8z+0E2ZiXUax111lKzhAbMCK0RJlV9tAi+YdcsDR/t
+zvvAZNGONUoewUuz/7E88oweh+Xi1GJtvd0DjB70y7tgpf5PUXovstWVwy7s5jZo
+kgn62yi9ZOOZpjwnYTBviirtRTnZRwkzL6wF0xMyJjAbKBJuPMrMiyFdh82lt7wI
+NS4mhyEdM0UiVVxfC2uzsddTOcOJURfGbW7UZm4Xohzq4QZ8geQj2OT5YTqw7dZ7
+Xxre5H7IcNcAh+vIk5SEBV1WE+S5MnFly7gaLYNc49OSfz5Hcpv59Vr+4bZ+olbW
+nQ/uU8BQovtkW6pjuT8nC4OKs2e8osoAZuk0rFS1uC501C+yES48mzaU8ttAidu6
+nb/JgsdkrnJQeTc5rAoER4M2ne5kqtEXN8wzf3/sazo2PLywbfrUXUTV6kJilrGr
+RkBN+fr6HTBkf+ooQMBOQPTojUdwbR86CLCyiJov2bzmBfGcOgSakv59S+uvUZFp
+FLTiahuzLfcgYsG3UKQA47pYlNdUqP8vCCaf1nwmqjx2KS3Z/YFnO/gQgtY+f0Bh
+UpnUDv+zBxpVFfVCyxByEsDPdwDkqLSwB6+YZINl36S48iXpoPhNXIYmO6GnhNWV
+k2/RyCDTxEO+MbXHVg6iyIVHJWth7m18vl4uuSK/LbJHV9Q9Z7G99DQ0NwIDAQAB
+o2MwYTAdBgNVHQ4EFgQUuoo+ehdlDFcQU+j5qONMKh0NtFQwHwYDVR0jBBgwFoAU
+uoo+ehdlDFcQU+j5qONMKh0NtFQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAM7c9q41K8306lfAVLqtbtaeETy+xxYG
+XE2HfFW1IuukrXQ8d/JH4stL/HcHJzzhHPf5p3ja3Snu9zPmTk3pgUPDYPZf57tR
+NCqwxjn6blwXWlzQqSavto9KAx3IWHuj0OTrZz/a1KPb9NGvatBhgthyRCRTbvhL
+OA5tveuYSHb724cp3NZ1xaTQmDZsSgHCoCJ/7RnlbcJ7RsKCOzCWNFRomH410vdv
+TajkUBlEC4OC1RIvxuVePHHb1ogbbe93SA/9mzw/E5SfoeF3mvByN4Ay8awXbNlH
+26RfuIdGc4fZRc/87s4yPwhYScZBG+pHO0gn42E0FyiG6Jp3rhHMH5Sa2hNlPMpn
+hYMaA6zQI4n/3AeFNM0VGxA+Yg/Al2WpXEJARrZqMW/qcrdMcPj5WeY6Tb6er04S
+kfImwhMIajl3nNc9tHoad8r2VuMWMltH/dnWuEdo+pPdIY3fdJdyQeoLQDDLEQwL
+AYrFy4uzKfQogfQBIHRdIMZTJh5v3mAFDpK59I5yzSt1GtUnFMC5MVOg+LbOo5UW
+FCtwaW5EZiTszmakvvWMMZe9HwZMYNCeSGGtiPA/GA2zNci/n2TEcB11HgiY52y2
+E/40nS61oL81zMwhV7l5psgJxQ2ORsKRJPHjADwvwh3xyCEJgVyBRCDX7J3PpAUO
+79DprjVU8t7p
+-----END CERTIFICATE-----