feat(x509.extension) add X509V3_set_issuer_pkey in OpenSSL 3.0

fffonion · fffonion · commit dbd3f7418a66 · 2022-04-14T19:02:06.000+08:00
diff --git a/README.md b/README.md
@@ -3262,9 +3262,13 @@ data = {
   subject = resty.openssl.x509 instance,
   request = resty.openssl.x509.csr instance,
   crl = resty.openssl.x509.crl instance,
+  issuer_pkey = resty.openssl.pkey instance, -- >= OpenSSL 3.0
 }
 ```
 
+From OpenSSL 3.0, `issuer_pkey` can be specified as a fallback source for
+generating the authority key identifier extension when `issuer` is same as `subject`.
+
 When `data` is a string, it's the full nconf string. Using section lookup from `value` to
 `data` is also supported.
 
diff --git a/lib/resty/openssl/x509/extension.lua b/lib/resty/openssl/x509/extension.lua
@@ -15,6 +15,7 @@ local objects_lib = require "resty.openssl.objects"
 local stack_lib = require("resty.openssl.stack")
 local util = require "resty.openssl.util"
 local format_error = require("resty.openssl.err").format_error
+local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
 local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 local _M = {}
@@ -29,6 +30,10 @@ local extension_types = {
   crl     = "resty.openssl.x509.crl",
 }
 
+if OPENSSL_30 then
+  extension_types["issuer_pkey"] = "resty.openssl.pkey"
+end
+
 local nconf_load
 if BORINGSSL then
   nconf_load = function()
@@ -87,6 +92,13 @@ function _M.new(txtnid, value, data)
       end
     end
     C.X509V3_set_ctx(x509_ctx_ptr[0], args.issuer, args.subject, args.request, args.crl, 0)
+
+    if OPENSSL_30 and args.issuer_pkey then
+      if C.X509V3_set_issuer_pkey(x509_ctx_ptr[0], args.issuer_pkey) ~= 1 then
+        return nil, format_error("x509.extension.new: X509V3_set_issuer_pkey")
+      end
+    end
+
   elseif type(data) == 'string' then
     err = nconf_load(conf, data)
     if err then
diff --git a/t/openssl/x509/extension.t b/t/openssl/x509/extension.t
@@ -170,12 +170,45 @@ CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSH
         content_by_lua_block {
             local f = io.open("t/fixtures/Github.pem"):read("*a")
             local x509 = myassert(require("resty.openssl.x509").new(f))
+            f = io.open("t/fixtures/test.crt"):read("*a")
+            local ic = myassert(require("resty.openssl.x509").new(f))
+            f = io.open("t/fixtures/test.key"):read("*a")
+            local ik = myassert(require("resty.openssl.pkey").new(f))
 
             local extension = require("resty.openssl.x509.extension")
             local c = myassert(extension.new("subjectKeyIdentifier", "hash",
-                                        {
-                                            subject = x509,
-                                        }))
+                            {
+                                subject = x509,
+                            }))
+
+            ngx.say(tostring(c))
+
+            if require("resty.openssl.version").OPENSSL_30 then
+                c = myassert(extension.new("authorityKeyIdentifier", "keyid",
+                                {
+                                    subject = x509,
+                                    issuer = x509,
+                                }))
+
+                if tostring(c) ~= "0." then
+                    ngx.log(ngx.ERR, "authorityKeyIdentifier should be empty but got " .. tostring(c))
+                end
+
+                c = myassert(extension.new("authorityKeyIdentifier", "keyid",
+                                {
+                                    subject = x509,
+                                    issuer = x509,
+                                    issuer_pkey = ik,
+                                }))
+                -- when set with issuer_pkey, the X509V3_print doesn't include "keyid:" prefix
+                ngx.print("keyid:")
+            else
+                c = myassert(extension.new("authorityKeyIdentifier", "keyid",
+                                {
+                                    subject = x509,
+                                    issuer = ic,
+                                }))
+            end
 
             ngx.say(tostring(c))
         }
@@ -184,6 +217,7 @@ CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSH
     GET /t
 --- response_body_like eval
 "27:B1:7E:9F:BB:26:99:50:D8:F3:C3:53:5B:FE:31:16:B0:BB:1E:72
+keyid:CF:03:F5:09:EB:83:D2:4F:10:DE:65:92:90:E9:93:3E:38:4C:E8:7C
 "
 --- no_error_log
 [error]
