feature: support load private key with password #973
Conversation
src/ngx_http_lua_ssl_certby.c
Outdated
| { | ||
| BIO *in; | ||
| EVP_PKEY *pkey; | ||
| ngx_str_t password; |
There was a problem hiding this comment.
Coding style issue. Please use the ngx-releng script to check your code. Thank you.
t/140-ssl-c-api.t
Outdated
|
|
||
|
|
||
|
|
||
| === TEST 6: simple cert + private key with password |
There was a problem hiding this comment.
Better create a new .t file to avoid growing this test file from forever :)
There was a problem hiding this comment.
Also, we can simply test the Lua API here instead of the plain C API since lua-resty-core is already visible to this module's test suite.
Finally, I think you can use the new add_block_preprocessor feature of Test::Nginx::Socket to avoid the massive code duplication in these SSL related tests. See
http://search.cpan.org/dist/Test-Nginx/lib/Test/Nginx/Socket.pm#add_block_preprocessor
There was a problem hiding this comment.
FWIW, the pattern i've been using is testing the C FFI function in lua-nginx-module and test the Lua function in lua-resty-core. Otheriwse you create a co-dependency on both repos that makes the tests fail for both lua-nginx-module and lua-resty-core PRs until you merge both. (Assuming this is what you meant in the first paragraph).
There was a problem hiding this comment.
@agentzh Thanks for you suggestion, I will take a look at add_block_preprocessor.
@ghedo what's your meaning? My plan is to add the new api at first. When we let it merge to master then creating another PR to lua-resty-core. Is that wrong?
Now I know what's yours meaning, So we just simply test the C API in lua-nginx-module and test the Lua API in lua-resty-core :D
src/ngx_http_lua_ssl_certby.c
Outdated
| int len; | ||
| BIO *in; | ||
| EVP_PKEY *pkey; | ||
| ngx_str_t password; |
src/ngx_http_lua_ssl.c
Outdated
| @@ -34,4 +34,35 @@ ngx_http_lua_ssl_init(ngx_log_t *log) | |||
| } | |||
|
|
|||
|
|
|||
| int | |||
| ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, | |||
There was a problem hiding this comment.
This should probably be moved to ngx_http_lua_ssl_certby.c and declared static since it's only used there.
There was a problem hiding this comment.
maybe ngx_http_lua_ssl_password_callback is a useful function ? I mean that it will be used in other scene like cosocket in future.
There was a problem hiding this comment.
@detailyang I personally prefer @ghedo 's suggestion.
When it will be used in other place, we can move it out in the future :)
|
Will you please look at the new codebase, Many thanks :D |
src/ngx_http_lua_ssl.c
Outdated
| @@ -34,4 +34,35 @@ ngx_http_lua_ssl_init(ngx_log_t *log) | |||
| } | |||
|
|
|||
|
|
|||
| int | |||
| ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, | |||
There was a problem hiding this comment.
@detailyang I personally prefer @ghedo 's suggestion.
When it will be used in other place, we can move it out in the future :)
| @@ -982,6 +982,51 @@ ngx_http_lua_ffi_priv_key_pem_to_der(const u_char *pem, size_t pem_len, | |||
| } | |||
|
|
|||
|
|
|||
| int | |||
| ngx_http_lua_ffi_priv_key_pem_to_der_with_password(const u_char *pem, | |||
| size_t pem_len, const u_char *pwd, size_t pwd_len, u_char *der, char **err) | |||
There was a problem hiding this comment.
How about reuse the current ngx_http_lua_ffi_priv_key_pem and pwd == NULL means without password?
So that we can reuse most of the code.
There was a problem hiding this comment.
@doujiang24 I have considered the ngx_http_lua_ffi_priv_key_pem. But there are some existing tests which are rely on it. I'm not sure it's worth to change the ngx_http_lua_ffi_priv_key_pem. So just add the new api ngx_http_lua_ffi_priv_key_pem_to_der_with_password, then reimplement the Lua FFI API ngx.ssl.priv_key_pem_to_der to support password
So if we almost agree to reimplement the ngx_http_lua_ffi_priv_key_pem, I will try to do :D
t/141-ssl-c-api-password.t
Outdated
| @@ -0,0 +1,584 @@ | |||
| # vim:set ft= ts=4 sw=4 et fdm=marker: | |||
There was a problem hiding this comment.
I think it's fine to use t/151-ssl-c-api-password.t, so that we don't need to rename t/141-luajit.t to t/151-luajit.t.
The num order is not important here:)
|
Now the only question is that we can choose to reimplement What's your guys suggestion? |
|
@detailyang , see #750 if you want to reuse |
|
@detailyang Huh, that is another reason why we shouldn't call into C functions directly through FFI in lua-nginx-module's test suite. We should really only test the lua-resty-core Lua API instead ;) |
|
@agentzh Thanks. |
zhuizhuhaomeng
force-pushed
the
master
branch
from
f924579 to
fef2581
Compare
|
This PR implements the same function #1991 |
I hereby granted the copyright of the changes in this pull request
to the authors of this lua-nginx-module project.
@agentzh This feature is separated at #957 . Now It adds the FFI API as the following:
When we think it can be merged to master, I will create another PR for lua-resty-core to implment load private with password.