Merge branch 'master' into feat/add_labels_for_upstream

apache · Sep 22, 2020 · c8550b7 · c8550b7
2 parents 654f8a7 + 36d3b82
commit c8550b7
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 7 deletions.
diff --git a/apisix/admin/ssl.lua b/apisix/admin/ssl.lua
@@ -96,6 +96,12 @@ function _M.put(id, conf)
     -- encrypt private key
     conf.key = aes_encrypt(conf.key)
 
+    if conf.keys then
+        for i = 1, #conf.keys do
+            conf.keys[i] = aes_encrypt(conf.keys[i])
+        end
+    end
+
     local key = "/ssl/" .. id
     local res, err = core.etcd.set(key, conf)
     if not res then
@@ -137,6 +143,12 @@ function _M.post(id, conf)
     -- encrypt private key
     conf.key = aes_encrypt(conf.key)
 
+    if conf.keys then
+        for i = 1, #conf.keys do
+            conf.keys[i] = aes_encrypt(conf.keys[i])
+        end
+    end
+
     local key = "/ssl"
     -- core.log.info("key: ", key)
     local res, err = core.etcd.push("/ssl", conf)

diff --git a/apisix/http/router/radixtree_sni.lua b/apisix/http/router/radixtree_sni.lua
@@ -62,6 +62,20 @@ local function parse_pem_priv_key(sni, pkey)
 end
 
 
+local function decrypt_priv_pkey(iv, key)
+    if core.string.has_prefix(key, "---") then
+        return key
+    end
+
+    local decrypted = iv:decrypt(ngx_decode_base64(key))
+    if decrypted then
+        return decrypted
+    end
+
+    core.log.error("decrypt ssl key failed. key[", key, "] ")
+end
+
+
 local function create_router(ssl_items)
     local ssl_items = ssl_items or {}
 
@@ -95,13 +109,23 @@ local function create_router(ssl_items)
             end
 
             -- decrypt private key
-            if aes_128_cbc_with_iv ~= nil and
-                not core.string.has_prefix(ssl.value.key, "---") then
-                local decrypted = aes_128_cbc_with_iv:decrypt(ngx_decode_base64(ssl.value.key))
-                if decrypted == nil then
-                    core.log.error("decrypt ssl key failed. key[", ssl.value.key, "] ")
-                else
-                    ssl.value.key = decrypted
+            if aes_128_cbc_with_iv ~= nil then
+                if ssl.value.key then
+                    local decrypted = decrypt_priv_pkey(aes_128_cbc_with_iv,
+                                                        ssl.value.key)
+                    if decrypted then
+                        ssl.value.key = decrypted
+                    end
+                end
+
+                if ssl.value.keys then
+                    for i = 1, #ssl.value.keys do
+                        local decrypted = decrypt_priv_pkey(aes_128_cbc_with_iv,
+                                                            ssl.value.keys[i])
+                        if decrypted then
+                            ssl.value.keys[i] = decrypted
+                        end
+                    end
                 end
             end
 

diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
@@ -1164,3 +1164,93 @@ qr/parsing (cert|(priv key)) for sni: www.test2.com/
 --- grep_error_log_out
 parsing cert for sni: www.test2.com
 parsing priv key for sni: www.test2.com
+
+
+
+=== TEST 26: set ssl(encrypt ssl keys with another iv)
+--- config
+location /t {
+    content_by_lua_block {
+        -- etcd sync
+        ngx.sleep(0.2)
+
+        local core = require("apisix.core")
+        local t = require("lib.test_admin")
+
+        local ssl_cert = t.read_file("conf/cert/test2.crt")
+        local raw_ssl_key = t.read_file("conf/cert/test2.key")
+        local ssl_key = t.aes_encrypt(raw_ssl_key)
+        local data = {
+            certs = { ssl_cert },
+            keys = { ssl_key },
+            snis = {"test2.com", "*.test2.com"},
+            cert = ssl_cert,
+            key = raw_ssl_key,
+        }
+
+        local code, body = t.test('/apisix/admin/ssl/1',
+            ngx.HTTP_PUT,
+            core.json.encode(data),
+            [[{
+                "node": {
+                    "value": {
+                        "snis": ["test2.com", "*.test2.com"]
+                    },
+                    "key": "/apisix/ssl/1"
+                },
+                "action": "set"
+            }]]
+            )
+
+        ngx.status = code
+        ngx.say(body)
+    }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: client request: test2.com (with encrypted ssl keys by mistake)
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+location /t {
+    content_by_lua_block {
+        -- etcd sync
+        ngx.sleep(0.2)
+
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "test2.com", true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(sess))
+        end  -- do
+        -- collectgarbage()
+    }
+}
+--- request
+GET /t
+--- response_body
+connected: 1
+failed to do SSL handshake: handshake failed
+--- error_log
+decrypt ssl key failed.