feat(tls) new method resty.kong.tls.set_upstream_cert_and_key for dynamically overriding client certificate used while connecting to upstream

Author: dndx

README.md

@@ -3,6 +3,19 @@ Name
 lua-kong-nginx-module - Nginx C module that exposes a Lua API to dynamically control Nginx
 
 
+Table of Contents
+=================
+
+* [Name](#name)
+* [Description](#description)
+* [Install](#install)
+* [Methods](#methods)
+    * [resty.kong.tls.request\_client\_certificate](#restykongtlsrequest_client_certificate)
+    * [resty.kong.tls.disable\_session\_reuse](#restykongtlsdisable_session_reuse)
+    * [resty.kong.tls.get\_full\_client\_certificate\_chain](#restykongtlsget_full_client_certificate_chain)
+    * [resty.kong.tls.upstream\_cert\_and\_key](#restykongtlsupstream_cert_and_key)
+* [License](#license)
+
 Description
 ===========
 Kong often needs to be able to change Nginx behavior at runtime. Traditionally this
@@ -44,6 +57,8 @@ in later phases.
 This function returns `true` when the call is successful. Otherwise it returns
 `nil` and a string describing the error.
 
+[Back to TOC](#table-of-contents)
+
 resty.kong.tls.disable\_session\_reuse
 --------------------------------------
 **syntax:** *succ, err = resty.kong.tls.disable\_session\_reuse()*
@@ -56,9 +71,10 @@ disabling session ticket and session ID for the current TLS connection.
 This function returns `true` when the call is successful. Otherwise it returns
 `nil` and a string describing the error.
 
+[Back to TOC](#table-of-contents)
 
 resty.kong.tls.get\_full\_client\_certificate\_chain
--------------------------------------------
+----------------------------------------------------
 **syntax:** *pem_chain, err = resty.kong.tls.get\_full\_client\_certificate\_chain()*
 
 **context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, log_by_lua**
@@ -83,6 +99,31 @@ In this case caller should use
 associate this session with one of the previous handshakes to identify the connecting
 client.
 
+[Back to TOC](#table-of-contents)
+
+resty.kong.tls.set\_upstream\_cert\_and\_key
+--------------------------------------------
+**syntax:** *ok, err = resty.kong.tls.set\_upstream\_cert\_and\_key(chain, key)*
+
+**context:** *rewrite_by_lua*, access_by_lua*, balancer_by_lua**
+
+Overrides and enables sending client certificate while connecting to the
+upstream in the current request.
+
+`chain` is the client certificate and intermediate chain (if any) returned by
+functions such as [ngx.ssl.parse\_pem\_cert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_cert).
+
+`key` is the private key corresponding to the client certificate returned by
+functions such as [ngx.ssl.parse\_pem\_priv\_key](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_priv_key).
+
+On success, this function returns `true` and future handshakes with upstream servers
+will always use the provided client certificate. Otherwise `nil` and a string describing the error
+will be returned.
+
+This function can be called multiple times in the same request. Later calls override
+previous ones.
+
+[Back to TOC](#table-of-contents)
 
 License
 =======
@@ -102,3 +143,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 ```
+
+[Back to TOC](#table-of-contents)
+

config

@@ -1,7 +1,10 @@
 ngx_module_type=HTTP
 ngx_module_name=ngx_http_lua_kong_module
 ngx_module_srcs="$ngx_addon_dir/src/ngx_http_lua_kong_module.c"
+ngx_module_incs="$ngx_addon_dir/src"
 
 . auto/module
 
 ngx_addon_name=$ngx_module_name
+
+have=NGX_HTTP_LUA_KONG . auto/have

lualib/resty/kong/tls.lua

@@ -26,6 +26,8 @@ const char *ngx_http_lua_kong_ffi_request_client_certificate(ngx_http_request_t
 int ngx_http_lua_kong_ffi_get_full_client_certificate_chain(
     ngx_http_request_t *r, char *buf, size_t *buf_len);
 const char *ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r);
+int ngx_http_lua_kong_ffi_set_upstream_client_cert_and_key(ngx_http_request_t *r,
+    void *_chain, void *_key);
 ]])
 
 
@@ -47,12 +49,33 @@ local NGX_DECLINED = ngx.DECLINED
 local NGX_ABORT = -6
 
 
+local get_request
+do
+    local ok, exdata = pcall(require, "thread.exdata")
+    if ok and exdata then
+        function get_request()
+            local r = exdata()
+            if r ~= nil then
+                return r
+            end
+        end
+
+    else
+        local getfenv = getfenv
+
+        function get_request()
+            return getfenv(0).__ngx_req
+        end
+    end
+end
+
+
 function _M.request_client_certificate(no_session_reuse)
     if get_phase() ~= 'ssl_cert' then
         error("API disabled in the current context")
     end
 
-    local r = getfenv(0).__ngx_req
+    local r = get_request()
     -- no need to check if r is nil as phase check above
     -- already ensured it
 
@@ -70,7 +93,7 @@ function _M.disable_session_reuse()
         error("API disabled in the current context")
     end
 
-    local r = getfenv(0).__ngx_req
+    local r = get_request()
 
     local errmsg = C.ngx_http_lua_kong_ffi_disable_session_reuse(r)
     if errmsg == nil then
@@ -95,7 +118,7 @@ do
             error("API disabled in the current context", 2)
         end
 
-        local r = getfenv(0).__ngx_req
+        local r = get_request()
 
         size_ptr[0] = DEFAULT_CERT_CHAIN_SIZE
 
@@ -131,4 +154,37 @@ do
 end
 
 
+do
+    local ALLOWED_PHASES = {
+        ['rewrite'] = true,
+        ['balancer'] = true,
+        ['access'] = true,
+    }
+
+    function _M.set_upstream_cert_and_key(chain, key)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if not chain or not key then
+            error("chain and key must not be nil", 2)
+        end
+
+        local r = get_request()
+
+        local ret = C.ngx_http_lua_kong_ffi_set_upstream_client_cert_and_key(
+            r, chain, key)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream client cert and key"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+end
+
+
 return _M

src/ngx_http_lua_kong_module.c

@@ -18,6 +18,7 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
+#include "ngx_http_lua_kong_module.h"
 
 
 #if (NGX_SSL)
@@ -201,7 +202,6 @@ ngx_http_lua_kong_ffi_request_client_certificate(ngx_http_request_t *r)
 #if (NGX_SSL)
     ngx_connection_t    *c = r->connection;
     ngx_ssl_conn_t      *sc;
-    SSL_CTX             *ctx;
 
     if (c->ssl == NULL) {
         return "server does not have TLS enabled";
@@ -305,3 +305,170 @@ ngx_http_lua_kong_ffi_get_full_client_certificate_chain(ngx_http_request_t *r,
     return NGX_ABORT;
 #endif
 }
+
+
+#if (NGX_HTTP_SSL)
+
+/*
+ * called by ngx_http_upstream_ssl_init_connection right after
+ * ngx_ssl_create_connection to override any parameters in the
+ * ngx_ssl_conn_t before handshake occurs
+ *
+ * c->ssl is guaranteed to be present and valid
+ */
+
+void
+ngx_http_lua_kong_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
+{
+    ngx_ssl_conn_t              *sc = c->ssl->connection;
+    ngx_http_lua_kong_ctx_t     *ctx;
+    STACK_OF(X509)              *chain;
+    EVP_PKEY                    *pkey;
+    X509                        *x509;
+#ifdef OPENSSL_IS_BORINGSSL
+    size_t                       i;
+#else
+    int                          i;
+#endif
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_lua_kong_module);
+    if (ctx == NULL || ctx->upstream_client_certificate_chain == NULL) {
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "skip overriding upstream SSL configuration, "
+                       "certificate not set");
+        return;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "overriding upstream SSL configuration");
+
+    chain = ctx->upstream_client_certificate_chain;
+    pkey = ctx->upstream_client_private_key;
+
+    if (sk_X509_num(chain) < 1) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+                      "invalid client certificate chain provided while "
+                      "handshaking with upstream");
+        goto failed;
+    }
+
+    x509 = sk_X509_value(chain, 0);
+    if (x509 == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "sk_X509_value() failed");
+        goto failed;
+    }
+
+    if (SSL_use_certificate(sc, x509) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_use_certificate() failed");
+        goto failed;
+    }
+
+    /* read rest of the chain */
+
+    for (i = 1; i < sk_X509_num(chain); i++) {
+        x509 = sk_X509_value(chain, i);
+        if (x509 == NULL) {
+            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "sk_X509_value() failed");
+            goto failed;
+        }
+
+        if (SSL_add1_chain_cert(sc, x509) == 0) {
+            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_add1_chain_cert() failed");
+            goto failed;
+        }
+    }
+
+    if (SSL_use_PrivateKey(sc, pkey) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_use_PrivateKey() failed");
+        goto failed;
+    }
+
+    return;
+
+failed:
+
+    ERR_clear_error();
+}
+
+
+static X509 *
+ngx_http_lua_kong_x509_copy(X509 *in)
+{
+    return X509_up_ref(in) == 0 ? NULL : in;
+}
+
+
+static void
+ngx_http_lua_kong_cleanup(void *data)
+{
+    ngx_http_lua_kong_ctx_t     *ctx = data;
+
+    if (ctx->upstream_client_certificate_chain != NULL) {
+        sk_X509_pop_free(ctx->upstream_client_certificate_chain, X509_free);
+        EVP_PKEY_free(ctx->upstream_client_private_key);
+    }
+}
+
+
+int
+ngx_http_lua_kong_ffi_set_upstream_client_cert_and_key(ngx_http_request_t *r,
+    void *_chain, void *_key)
+{
+    STACK_OF(X509)              *chain = _chain;
+    EVP_PKEY                    *key = _key;
+    STACK_OF(X509)              *new_chain;
+    ngx_http_lua_kong_ctx_t     *ctx;
+    ngx_pool_cleanup_t          *cln;
+
+    if (chain == NULL || key == NULL) {
+        return NGX_ERROR;
+    }
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_lua_kong_module);
+    if (ctx == NULL) {
+        ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_lua_kong_ctx_t));
+        if (ctx == NULL) {
+            return NGX_ERROR;
+        }
+
+        cln = ngx_pool_cleanup_add(r->pool, 0);
+        if (cln == NULL) {
+            return NGX_ERROR;
+        }
+
+        cln->data = ctx;
+        cln->handler = ngx_http_lua_kong_cleanup;
+
+        ngx_http_set_ctx(r, ctx, ngx_http_lua_kong_module);
+
+    } else if (ctx->upstream_client_certificate_chain != NULL) {
+        ngx_http_lua_kong_cleanup(ctx);
+
+        ctx->upstream_client_certificate_chain = NULL;
+        ctx->upstream_client_private_key = NULL;
+    }
+
+    if (EVP_PKEY_up_ref(key) == 0) {
+        goto failed;
+    }
+
+    new_chain = sk_X509_deep_copy(chain, ngx_http_lua_kong_x509_copy,
+                                  X509_free);
+    if (new_chain == NULL) {
+        EVP_PKEY_free(key);
+        goto failed;
+    }
+
+    ctx->upstream_client_certificate_chain = new_chain;
+    ctx->upstream_client_private_key = key;
+
+    return NGX_OK;
+
+failed:
+
+    ERR_clear_error();
+
+    return NGX_ERROR;
+}
+
+#endif

src/ngx_http_lua_kong_module.h

@@ -0,0 +1,20 @@
+#ifndef _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_
+#define _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+typedef struct {
+    STACK_OF(X509)      *upstream_client_certificate_chain;
+    EVP_PKEY            *upstream_client_private_key;
+} ngx_http_lua_kong_ctx_t;
+
+
+void ngx_http_lua_kong_set_upstream_ssl(ngx_http_request_t *r,
+    ngx_connection_t *c);
+
+
+#endif /* _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_ */