lua-resty-core
lua-resty-core copied to clipboard
OCSP nextupdate
I hereby granted the copyright of the changes in this pull request to the authors of this lua-resty-core project.
Fixes https://github.com/openresty/lua-resty-core/issues/75 Depends on https://github.com/openresty/lua-nginx-module/pull/1694
This is a sister PR of https://github.com/openresty/lua-nginx-module/pull/1694.
I can not find the necessary keys to create another OCSP response with nextUpdate
set. I can do the whole thing from ground up and include all the necessary keys and certs - but if there's already a way to sign another OCSP response for the existing certs in t/
it would be better to use that so that I can add more meaningful test cases. UPDATE: I included all the necessary test fixtures and also steps to (re)generate them.
Here's the local test run:
> lua-resty-core (ocsp-nextupdate)$ docker run -w /app --rm -it -v ${PWD}:/app lua_ngx t/ocsp.t
t/ocsp.t .. 1/258 TEST 17: no status req from client - WARNING: killing the child process 21 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 13/258 TEST 16: good status req from client - WARNING: killing the child process 34 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 29/258 TEST 18: good OCSP response with nextUpdate present - WARNING: killing the child process 47 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 48/258 TEST 5: get OCSP responder (truncated) - WARNING: killing the child process 60 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 57/258 TEST 4: get OCSP responder (issuer cert not next to the leaf cert) - WARNING: killing the child process 73 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 77/258 TEST 6: create OCSP request (good) - WARNING: killing the child process 86 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 83/258 TEST 9: create OCSP request (no issuer cert in the chain) - WARNING: killing the child process 99 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 97/258 TEST 1: get OCSP responder (good case) - WARNING: killing the child process 112 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 116/258 TEST 8: create OCSP request (empty string cert chain) - WARNING: killing the child process 125 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 123/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 129/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
TEST 12: validate good OCSP response - no certs in response - WARNING: killing the child process 138 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 135/258 TEST 10: validate good OCSP response - WARNING: killing the child process 151 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 149/258 TEST 11: fail to validate OCSP response - no issuer cert - WARNING: killing the child process 164 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 163/258 TEST 14: fail to validate OCSP response - OCSP response signed by an unknown cert and the OCSP response does not contain the unknown cert - WARNING: killing the child process 177 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 184/258 TEST 13: validate OCSP response - OCSP response signed by an unknown cert and the OCSP response contains the unknown cert - WARNING: killing the child process 190 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 198/258 TEST 19: revoked OCSP response with nextUpdate present - WARNING: killing the child process 203 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 205/258 TEST 7: create OCSP request (buffer too small) - WARNING: killing the child process 216 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 219/258 TEST 2: get OCSP responder (not found) - WARNING: killing the child process 229 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 231/258 TEST 15: fail to validate OCSP response - OCSP response returns revoked status - WARNING: killing the child process 242 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 245/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:08 [crit] 255#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 252/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:09 [crit] 255#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
END - WARNING: killing the child process 255 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. ok
All tests successful.
Files=1, Tests=258, 54 wallclock secs ( 0.08 usr 0.02 sys + 1.49 cusr 1.92 csys = 3.51 CPU)
Result: PASS
cc @agentzh @thibaultcha
Can I get some feedback on this?
@ElvinEfendi Sorry for the delay on our side. Please check out my review comments. Thanks!
Hi,
Any news on this PR ? I would like to contribute but I'm afraid it's out of my league.
Having access to the nextUpdate field will be useful to cache the OCSP responses. I don't see how we can activate OCSP in Openresty without caching any of the OCSP responses at all, it will be terrible on a server with some heavy trafic.
Right now I'm thinking about managing the OCSP requests/responses without Openresty, by offloading the responsability to another service and storing the OCSP responses inside a Redis DB that Openresty will use too. It may be more scalable on a server with a lot of certificates and/or differents domains on it (like a load balancer for instance).