feature: support passphrase protected private key.

Author: zhuizhuhaomeng

lib/ngx/ssl.lua

@@ -65,7 +65,8 @@ if subsystem == 'http' then
         size_t pem_len, unsigned char *der, char **err);
 
     int ngx_http_lua_ffi_priv_key_pem_to_der(const unsigned char *pem,
-        size_t pem_len, unsigned char *der, char **err);
+        size_t pem_len, const unsigned char *passphrase,
+        unsigned char *der, char **err);
 
     int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r,
         char **err);
@@ -135,7 +136,8 @@ elseif subsystem == 'stream' then
         size_t pem_len, unsigned char *der, char **err);
 
     int ngx_stream_lua_ffi_priv_key_pem_to_der(const unsigned char *pem,
-        size_t pem_len, unsigned char *der, char **err);
+        size_t pem_len, const unsigned char *passphrase,
+        unsigned char *der, char **err);
 
     int ngx_stream_lua_ffi_ssl_get_tls1_version(ngx_stream_lua_request_t *r,
         char **err);
@@ -330,10 +332,11 @@ function _M.cert_pem_to_der(pem)
 end
 
 
-function _M.priv_key_pem_to_der(pem)
+function _M.priv_key_pem_to_der(pem, passphrase)
     local outbuf = get_string_buf(#pem)
 
-    local sz = ngx_lua_ffi_priv_key_pem_to_der(pem, #pem, outbuf, errmsg)
+    local sz = ngx_lua_ffi_priv_key_pem_to_der(pem, #pem,
+                                               passphrase, outbuf, errmsg)
     if sz > 0 then
         return ffi_str(outbuf, sz)
     end

lib/ngx/ssl.md

@@ -89,8 +89,9 @@ server {
         -- assuming the user already defines the my_load_private_key()
         -- function herself.
         local pem_pkey = assert(my_load_private_key())
+        local passphrase = "password" -- or nil
 
-        local der_pkey, err = ssl.priv_key_pem_to_der(pem_pkey)
+        local der_pkey, err = ssl.priv_key_pem_to_der(pem_pkey, passphrase)
         if not der_pkey then
             ngx.log(ngx.ERR, "failed to convert private key ",
                     "from PEM to DER: ", err)
@@ -188,14 +189,16 @@ function to do the conversion first.
 
 priv_key_pem_to_der
 -------------------
-**syntax:** *der_priv_key, err = ssl.priv_key_pem_to_der(pem_priv_key)*
+**syntax:** *der_priv_key, err = ssl.priv_key_pem_to_der(pem_priv_key, passphrase)*
 
 **context:** *any*
 
 Converts the PEM-formatted SSL private key data into the DER format (for later uses
 in the [set_der_priv_key](#set_der_priv_key)
 function, for example).
 
+The `passphrase` is the passphrase for `pem_priv_key` if the private key is password protected.
+
 In case of failures, returns `nil` and a string describing the error.
 
 Alternatively, you can do the PEM to DER conversion *offline* with the `openssl` command-line utility, like below

t/cert/test_passphrase.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICozCCAgwCCQDEutRdSs3vZjANBgkqhkiG9w0BAQUFADCBlDELMAkGA1UEBhMC
+Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlblpoZW4xEjAQBgNV
+BAoMCU9wZW5SZXN0eTESMBAGA1UECwwJT3BlblJlc3R5MREwDwYDVQQDDAh0ZXN0
+LmNvbTEjMCEGCSqGSIb3DQEJARYUZ3VhbmdsaW5sdkBnbWFpbC5jb20wIBcNMTYw
+NDI4MTQ0MzI4WhgPMjE1MTAzMjcxNDQzMjhaMIGUMQswCQYDVQQGEwJDTjESMBAG
+A1UECAwJR3Vhbmdkb25nMREwDwYDVQQHDAhTaGVuWmhlbjESMBAGA1UECgwJT3Bl
+blJlc3R5MRIwEAYDVQQLDAlPcGVuUmVzdHkxETAPBgNVBAMMCHRlc3QuY29tMSMw
+IQYJKoZIhvcNAQkBFhRndWFuZ2xpbmx2QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEA2KZ+HdH9R2tarxD8PKqu5EYq2BNGlFRg1xJmrw0XZBRM
+UP/VPb+sIeioooz36uhiXfQjExlpBCA/0zNAN+HbFyqpPPTf1qLGrj/dqeE4MJaN
+Bwzxiv3fZnENT65u2qbiFWIY+ATNHgA20d50nxNNjPTzLbkx/nYXL92r4kuAGk0C
+AwEAATANBgkqhkiG9w0BAQUFAAOBgQCfMo0qbcs3kwl1tcNBO5hCcUUJRzyv041V
+ff/nZ/JPIMo/LSZd12K82G/dLRN7uRT9nzqtm+JRkHALHWWWFKi6bdg1vcdOTWqC
+08bCkJHQoXJQQLvvA6gNvnR+0b7L4CrCmrcyYgKDLXVGNP9Wv/PqSWWbxsmqngkA
+Mvy6CVytFw==
+-----END CERTIFICATE-----

t/cert/test_passphrase.key

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,679ACC8E69ACAA92
+
+Ssrjp3VU4somCNPiXkWqcudDnvnwbyj/Q0pS07at3lXKbhQSgI1Tzhg9Pm3BXXj5
+mkLdeGG5ocrj1Q9dhtmZgZeHHQIiynZBhjBu1Y+HPef8jXOWLrCOi8EKiWkJ2qG3
+V1KFM/95CcDt0mRLykUXEL3IpUst05SFb9XwiLokB7ypeu3NhgNUHjL6G+ubB4ri
+TOUjCW4pEoNHjdC22IiqSncwCVhluYSGhr6ktHKehZMhYIXmL1wmSLdhTlsPXCQl
+xvYILQ2vJcKIR1BkeYYPD/OQC6zCZlXIErzfgeZiz2+NTudKYpb9VmsQKsO+R8L7
+tZ/fNaR0vk8bbimMHgStAV4acVsC/7WxsqOjMJ8VTq1iqhYPl6N7kRdR3H3kSSOm
+cN9T3SrOHDVaHbnWgToaOE4mKFjvFSLIOcWgus0iOHWXmY+SLG+Ndag3oVB6R9oB
+cAHX19mq99+GhzA8IV4I0En2UCKQhnGPvkM+9mcCDxhRETlwncDjlMGOHpQ65J9r
+eReVPIpnDkvHxPGTtsR3ZHTdWTZb+C0W2N3QIlJKrOzxFmfoj++yG3tMX42aDY0g
+DVkrXgcKobiWN0AVrJNAwfG7uObKSCFYgz/0RRMCO4cjXRW99nxdjVDZhyc6R0Te
+jzuF04okkOLNb25n2hP+yIULrn+6Nv/uHtFI0j0n3hOzcKh//dNbACSAKgkHni9g
+JKDFJXgLJxf+Wc3So0DF9gYMKJJ+WbcdVT9gkC7RyQHlC90Pn7kNXzHr0ZawUsNI
+ZxSkL4dMhYAfA4lUBJbOkwbSurv97LinOSRffpM0Nmf7VNw/Ue15eg==
+-----END RSA PRIVATE KEY-----

t/ssl.t

@@ -2705,3 +2705,135 @@ read server port from Lua: nilunix domain has no port
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 28: PEM key protected by passphrase
+--- http_config
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name   test.com;
+        ssl_certificate_by_lua_block {
+            local ssl = require "ngx.ssl"
+
+            ssl.clear_certs()
+
+            local f = assert(io.open("t/cert/test_passphrase.crt"))
+            local cert_data = f:read("*a")
+            f:close()
+
+            local cert, err = ssl.cert_pem_to_der(cert_data)
+            if not cert then
+                ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err)
+                return
+            end
+
+            local ok, err = ssl.set_der_cert(cert)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set DER cert: ", err)
+                return
+            end
+
+            local f = assert(io.open("t/cert/test_passphrase.key"))
+            local pkey_data = f:read("*a")
+            f:close()
+
+            pkey_data, err = ssl.priv_key_pem_to_der(pkey_data, "123456")
+            if not pkey_data then
+                ngx.log(ngx.ERR, "failed to convert pem key to der key: ", err)
+                return
+            end
+            local ok, err = ssl.set_der_priv_key(pkey_data)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set private key: ", err)
+                return
+            end
+        }
+        ssl_certificate ../../cert/test2.crt;
+        ssl_certificate_key ../../cert/test2.key;
+
+        server_tokens off;
+        location /foo {
+            default_type 'text/plain';
+            content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) }
+            more_clear_headers Date;
+        }
+    }
+--- config
+    server_tokens off;
+    lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt;
+    lua_ssl_verify_depth 3;
+
+    location /t {
+        content_by_lua_block {
+            do
+                local sock = ngx.socket.tcp()
+
+                sock:settimeout(3000)
+
+                local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+                if not ok then
+                    ngx.say("failed to connect: ", err)
+                    return
+                end
+
+                ngx.say("connected: ", ok)
+
+                local sess, err = sock:sslhandshake(nil, "test.com", false)
+                if not sess then
+                    ngx.say("failed to do SSL handshake: ", err)
+                    return
+                end
+
+                ngx.say("ssl handshake: ", type(sess))
+
+                local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n"
+                local bytes, err = sock:send(req)
+                if not bytes then
+                    ngx.say("failed to send http request: ", err)
+                    return
+                end
+
+                ngx.say("sent http request: ", bytes, " bytes.")
+
+                while true do
+                    local line, err = sock:receive()
+                    if not line then
+                        -- ngx.say("failed to receive response status line: ", err)
+                        break
+                    end
+
+                    ngx.say("received: ", line)
+                end
+
+                local ok, err = sock:close()
+                ngx.say("close: ", ok, " ", err)
+            end  -- do
+            -- collectgarbage()
+        }
+    }
+
+--- request
+GET /t
+--- response_body
+connected: 1
+ssl handshake: userdata
+sent http request: 56 bytes.
+received: HTTP/1.1 201 Created
+received: Server: nginx
+received: Content-Type: text/plain
+received: Content-Length: 4
+received: Connection: close
+received: 
+received: foo
+close: 1 nil
+
+--- error_log
+lua ssl server name: "test.com"
+
+--- no_error_log
+[error]
+[alert]
+[emerg]

t/stream/ssl.t

@@ -2034,3 +2034,109 @@ client certificate subject: nil
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 26: private key protected by passphrase
+--- stream_config
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        ssl_certificate_by_lua_block {
+            local ssl = require "ngx.ssl"
+
+            ssl.clear_certs()
+
+            local f = assert(io.open("t/cert/test_passphrase.crt"))
+            local cert_data = f:read("*a")
+            f:close()
+
+            local cert, err = ssl.cert_pem_to_der(cert_data)
+            if not cert then
+                ngx.log(ngx.ERR, "failed to convert pem cert to der cert: ", err)
+                return
+            end
+
+            local ok, err = ssl.set_der_cert(cert)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set DER cert: ", err)
+                return
+            end
+
+            local f = assert(io.open("t/cert/test_passphrase.key"))
+            local pkey_data = f:read("*a")
+            f:close()
+
+            pkey_data, err = ssl.priv_key_pem_to_der(pkey_data, "123456")
+            if not pkey_data then
+                ngx.log(ngx.ERR, "failed to convert pem key to der key: ", err)
+                return
+            end
+
+            local ok, err = ssl.set_der_priv_key(pkey_data)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set DER private key: ", err)
+                return
+            end
+        }
+        ssl_certificate ../../cert/test2.crt;
+        ssl_certificate_key ../../cert/test2.key;
+
+        return 'it works!\n';
+    }
+--- stream_server_config
+    lua_ssl_trusted_certificate ../../cert/chain/root-ca.crt;
+    lua_ssl_verify_depth 3;
+
+    content_by_lua_block {
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(3000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "test.com")
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(sess))
+
+            while true do
+                local line, err = sock:receive()
+                if not line then
+                    -- ngx.say("failed to receive response status line: ", err)
+                    break
+                end
+
+                ngx.say("received: ", line)
+            end
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        -- collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+ssl handshake: userdata
+received: it works!
+close: 1 nil
+
+--- error_log
+lua ssl server name: "test.com"
+
+--- no_error_log
+[error]
+[alert]
+[emerg]