chore(tls): remove request_client_certificate and set_client_ca_list (#54)

OpenResty has supported [ssl.verify_client](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#verify_client),
which is able to replace our usage of `kong.tls.request_client_certificate` and `kong.tls.set_client_ca_list`.
Thus we don't need to maintain these two APIs ourselves anymore.

FT-3584

Author: catbro666

README.md

@@ -13,9 +13,7 @@ Table of Contents
     * [lua\_kong\_load\_var\_index](#lua_kong_load_var_index)
     * [lua\_kong\_set\_static\_tag](#lua_kong_set_static_tag)
 * [Methods](#methods)
-    * [resty.kong.tls.request\_client\_certificate](#restykongtlsrequest_client_certificate)
     * [resty.kong.tls.disable\_session\_reuse](#restykongtlsdisable_session_reuse)
-    * [resty.kong.tls.set\_client\_ca\_list](#restykongtlsset_client_ca_list)
     * [resty.kong.tls.get\_full\_client\_certificate\_chain](#restykongtlsget_full_client_certificate_chain)
     * [resty.kong.tls.set\_upstream\_cert\_and\_key](#restykongtlsset_upstream_cert_and_key)
     * [resty.kong.tls.set\_upstream\_ssl\_trusted\_store](#restykongtlsset_upstream_ssl_trusted_store)
@@ -144,29 +142,6 @@ you will always get the value where your Lua code runs in but not others.
 Methods
 =======
 
-resty.kong.tls.request\_client\_certificate
--------------------------------------------
-**syntax:** *succ, err = resty.kong.tls.request\_client\_certificate()*
-
-**context:** *ssl_certificate_by_lua**
-
-**subsystems:** *http*
-
-Requests client to present its client-side certificate to initiate mutual TLS
-authentication between server and client.
-
-This function only *requests*, but does not *require* the client to start the mTLS
-process. Even if the client did not present a client certificate the TLS handshake
-will still complete (obviously not being mTLS in that case).
-Whether the client honored the request can be determined using
-[get\_full\_client\_certificate\_chain](#restykongtlsget_full_client_certificate_chain)
-in later phases.
-
-This function returns `true` when the call is successful. Otherwise it returns
-`nil` and a string describing the error.
-
-[Back to TOC](#table-of-contents)
-
 resty.kong.tls.disable\_session\_reuse
 --------------------------------------
 **syntax:** *succ, err = resty.kong.tls.disable\_session\_reuse()*
@@ -183,59 +158,6 @@ This function returns `true` when the call is successful. Otherwise it returns
 
 [Back to TOC](#table-of-contents)
 
-resty.kong.tls.set\_client\_ca\_list
--------------------------------------------
-**syntax:** *succ, err = resty.kong.tls.set\_client\_ca\_list(ca_list)*
-
-**context:** *ssl_certificate_by_lua**
-
-**subsystems:** *http*
-
-Set the CA DN list to the underlying SSL structure, which will be sent in the
-Certificate Request Message of downstram TLS handshake.
-
-The downstream client then can use this DN information to filter certificates,
-and chooses an appropriate certificate issued by a CA in the list.
-
-`ca_list` is of type `STACK_OF(X509) *` which can be created by using the API
-of `resty.openssl.x509.chain` as follows:
-
-```lua
-local tls_lib = require "resty.kong.tls"
-local x509_lib = require "resty.openssl.x509"
-local chain_lib = require "resty.openssl.x509.chain"
-
-local suc, err
-local chain = chain_lib.new()
--- err check
-local x509, err = x509_lib.new(pem_cert, "PEM")
--- err check
-suc, err = chain:add(x509)
--- err check
-
--- `chain.ctx` is the raw data of the chain, i.e. `STACK_OF(X509) *`
-suc, err = tls_lib.set_client_ca_list(chain.ctx)
--- err check
-```
-
-Or by using `ngx.ssl` as follows:
-
-```lua
-local ssl = require "ngx.ssl"
-
-local chain, err = ssl.parse_pem_cert(pem_cert_chain)
--- note the `chain` returned by `ssl.parse_pem_cert` is already a raw `STACK_OF(X509) *`
--- err check
-
-suc, err = tls_lib.set_client_ca_list(chain)
--- err check
-```
-
-This function returns `true` when the call is successful. Otherwise it returns
-`nil` and a string describing the error.
-
-[Back to TOC](#table-of-contents)
-
 resty.kong.tls.get\_full\_client\_certificate\_chain
 ----------------------------------------------------
 **syntax:** *pem_chain, err = resty.kong.tls.get\_full\_client\_certificate\_chain()*

lualib/resty/kong/tls.lua

@@ -23,12 +23,9 @@ base.allows_subsystem('http', 'stream')
 
 if ngx.config.subsystem == "http" then
     ffi.cdef([[
-    const char *ngx_http_lua_kong_ffi_request_client_certificate(ngx_http_request_t *r);
     int ngx_http_lua_kong_ffi_get_full_client_certificate_chain(
         ngx_http_request_t *r, char *buf, size_t *buf_len);
     const char *ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r);
-    const char *ngx_http_lua_kong_ffi_set_client_ca_list(ngx_http_request_t *r,
-        void *ca_list);
     int ngx_http_lua_kong_ffi_set_upstream_client_cert_and_key(ngx_http_request_t *r,
         void *_chain, void *_key);
     int ngx_http_lua_kong_ffi_set_upstream_ssl_trusted_store(ngx_http_request_t *r,
@@ -77,22 +74,6 @@ local function get_request()
 end
 
 if ngx.config.subsystem == "http" then
-    function _M.request_client_certificate(no_session_reuse)
-        if get_phase() ~= 'ssl_cert' then
-            error("API disabled in the current context")
-        end
-
-        local r = get_request()
-
-        local errmsg = C.ngx_http_lua_kong_ffi_request_client_certificate(r)
-        if errmsg == nil then
-            return true
-        end
-
-        return nil, ffi_string(errmsg)
-    end
-
-
     function _M.disable_session_reuse()
         if get_phase() ~= 'ssl_cert' then
             error("API disabled in the current context")
@@ -109,25 +90,6 @@ if ngx.config.subsystem == "http" then
     end
 
 
-    function _M.set_client_ca_list(ca_list)
-        if get_phase() ~= 'ssl_cert' then
-            error("API disabled in the current context")
-        end
-
-        local r = get_request()
-        if not r then
-            error("no request found")
-        end
-
-        local errmsg = C.ngx_http_lua_kong_ffi_set_client_ca_list(r, ca_list)
-        if errmsg == nil then
-            return true
-        end
-
-        return nil, ffi_string(errmsg)
-    end
-
-
     do
         local ALLOWED_PHASES = {
             ['rewrite'] = true,

src/ngx_http_lua_kong_ssl.c

@@ -55,15 +55,6 @@ ngx_http_lua_kong_ssl_init(ngx_conf_t *cf)
 }
 
 #if (NGX_SSL)
-static int
-ngx_http_lua_kong_verify_callback(int ok, X509_STORE_CTX *x509_store)
-{
-    /* similar to ngx_ssl_verify_callback, always allow handshake
-     * to conclude before deciding the validity of client certificate */
-    return 1;
-}
-
-
 static int
 ngx_http_lua_kong_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 {
@@ -146,83 +137,6 @@ ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r)
 }
 
 
-/*
- * request downstream to present a client certificate during TLS handshake,
- * but does not validate it
- *
- * this is roughly equivalent to setting ssl_verify_client to optional_no_ca
- *
- * on success, NULL is returned, otherwise a static string indicating the
- * failure reason is returned
- */
-
-const char *
-ngx_http_lua_kong_ffi_request_client_certificate(ngx_http_request_t *r)
-{
-#if (NGX_SSL)
-    ngx_connection_t    *c = r->connection;
-    ngx_ssl_conn_t      *sc;
-
-    if (c->ssl == NULL) {
-        return "server does not have TLS enabled";
-    }
-
-    sc = c->ssl->connection;
-
-    SSL_set_verify(sc, SSL_VERIFY_PEER, ngx_http_lua_kong_verify_callback);
-
-    return NULL;
-
-#else
-    return "TLS support is not enabled in Nginx build";
-#endif
-}
-
-
-/*
- * Set the CA DN list to the underlying SSL structure, which will be sent in the
- * Certificate Request Message of downstram TLS handshake.
- *
- * The downstream client can use this DN information to filter certificates,
- * and chooses an appropriate certificate issued by a CA in the list.
- *
- * on success, NULL is returned, otherwise a static string indicating the
- * failure reason is returned.
- */
-
-const char *
-ngx_http_lua_kong_ffi_set_client_ca_list(ngx_http_request_t *r,
-                                         const STACK_OF(X509) *ca_list)
-{
-#if (NGX_SSL)
-    ngx_connection_t    *c = r->connection;
-    ngx_ssl_conn_t      *sc;
-    X509                *ca;
-    int                  i;
-
-    if (c->ssl == NULL) {
-        return "server does not have TLS enabled";
-    }
-
-    sc = c->ssl->connection;
-
-    for (i = 0; i < sk_X509_num(ca_list); i++) {
-        ca = sk_X509_value(ca_list, i);
-
-        /* will call X509_NAME_dup() internally */
-        if (SSL_add_client_CA(sc, ca) == 0) {
-            return "unable to add the CA name to the list";
-        }
-    }
-
-    return NULL;
-
-#else
-    return "TLS support is not enabled in Nginx build";
-#endif
-}
-
-
 int
 ngx_http_lua_kong_ffi_get_full_client_certificate_chain(ngx_http_request_t *r,
     char *buf, size_t *buf_len)