
set correct signature digest name when using ECDSA cert

Open outsinre opened this issue 3 years ago • 4 comments

When using an ECDSA certificate, the signature name is the full name (e.g., ecdsa-with-SHA384), but it should indeed be the digest part only (e.g., SHA384).

This PR fixes the issue. Make sure lua-resty-openssl is bumped to 0.8.10.

outsinre avatar Jun 28 '22 13:06 outsinre

What's needed here to get this merged? @leafo can you please take a look?

gsimko avatar Oct 06 '22 23:10 gsimko

Just an update that this also fixes the case when the signature is RSA-SHA1.

If we want to stay closer to what postgres does, instead of objects.txt2nid(signature) we could directly do server_cert.get_signature_nid(). For reference, here is the postgres code: https://github.com/postgres/postgres/blob/a601366a460f68472bf70c4d94c57baa0a3ed1b2/src/backend/libpq/be-secure-openssl.c#L1434

gsimko avatar Oct 06 '22 23:10 gsimko

This code is only compatible with openresty, not the other socket layers. Additionally it looks like the test suite did not run, does it need to be rebased to pick up the latest workflow?

leafo avatar Oct 07 '22 00:10 leafo

I couldn't find a solution with cqueues and luasocket for the signature -> digest conversion but added manual handling for the two scenarios I have observed (ecdsa-with-sha384 and rsa-sha1). Can you please take a look at https://github.com/leafo/pgmoon/pull/130 @leafo ?

gsimko avatar Oct 08 '22 05:10 gsimko
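The conversion discussed across this thread (the full signature algorithm name such as ecdsa-with-SHA384 versus the digest part SHA384, the RSA-SHA1 case, and the manual handling for the two observed scenarios) is what the tls-server-end-point channel binding in SCRAM needs: the server certificate is hashed with the digest from its own signature algorithm, and the linked postgres function substitutes SHA-256 when that digest is MD5 or SHA-1 (RFC 5929, section 4.1). The example below is added here and is not pgmoon's code or the code from the pull request; it assumes OpenSSL-style signature algorithm names (long or short form) and uses a constructed stand-in for the certificate's DER bytes.

```python
import base64
import hashlib
import re

# OpenSSL-style signature algorithm names as reported for a certificate's
# signature_algorithm field; the capture group is the digest part.
_SIG_ALG_PATTERNS = (
    re.compile(r"^ecdsa-with-(sha\d+)$", re.IGNORECASE),            # ecdsa-with-SHA384
    re.compile(r"^(sha\d+|md5)WithRSAEncryption$", re.IGNORECASE),  # sha256WithRSAEncryption
    re.compile(r"^RSA-(sha\d+|md5)$", re.IGNORECASE),               # RSA-SHA1 (short name)
)

# SCRAM gs2-header when channel binding is used and no authzid is sent.
GS2_HEADER = b"p=tls-server-end-point,,"


def digest_for_signature(sig_alg_name: str) -> str:
    """Map a signature algorithm name to the hashlib digest used for
    tls-server-end-point (RFC 5929 section 4.1). MD5 and SHA-1 are
    replaced by SHA-256, as the RFC requires and the postgres server does."""
    for pattern in _SIG_ALG_PATTERNS:
        match = pattern.match(sig_alg_name)
        if match:
            digest = match.group(1).lower()
            if digest in ("md5", "sha1"):
                return "sha256"
            return digest
    # Names without a recognisable digest (e.g. Ed25519) are rejected rather
    # than silently hashed with a guessed algorithm.
    raise ValueError(f"cannot derive a digest from signature algorithm {sig_alg_name!r}")


def certificate_hash(sig_alg_name: str, cert_der: bytes) -> bytes:
    """The channel-binding data: hash of the DER certificate with the derived digest."""
    return hashlib.new(digest_for_signature(sig_alg_name), cert_der).digest()


def cbind_input(sig_alg_name: str, cert_der: bytes) -> bytes:
    """gs2-header followed by the certificate hash, as bound into the SCRAM exchange."""
    return GS2_HEADER + certificate_hash(sig_alg_name, cert_der)


def c_attribute(sig_alg_name: str, cert_der: bytes) -> str:
    """Value of the 'c=' attribute in the SCRAM client-final-message."""
    return base64.b64encode(cbind_input(sig_alg_name, cert_der)).decode("ascii")


if __name__ == "__main__":
    SAMPLE_DER = b"abc"  # constructed stand-in for the server certificate's DER encoding
    for name in ("ecdsa-with-SHA384", "RSA-SHA1", "sha256WithRSAEncryption"):
        print(f"{name:26s} -> {digest_for_signature(name):7s} c={c_attribute(name, SAMPLE_DER)}")
```

With the stand-in bytes the ECDSA case hashes with SHA-384 and the RSA-SHA1 case falls through to SHA-256, which is the behaviour a client has to match for the server to accept the binding.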