feature: TCP cosocket client certificate support. closes #534

Author: dndx

README.markdown

@@ -927,7 +927,6 @@ TODO
 * add `ignore_resp_headers`, `ignore_resp_body`, and `ignore_resp` options to [ngx.location.capture](#ngxlocationcapture) and [ngx.location.capture_multi](#ngxlocationcapture_multi) methods, to allow micro performance tuning on the user side.
 * add automatic Lua code time slicing support by yielding and resuming the Lua VM actively via Lua's debug hooks.
 * add `stat` mode similar to [mod_lua](https://httpd.apache.org/docs/trunk/mod/mod_lua.html).
-* cosocket: add client SSL certificate support.
 
 [Back to TOC](#table-of-contents)
 
@@ -7346,7 +7345,7 @@ This method was first introduced in the `v0.5.0rc1` release.
 tcpsock:sslhandshake
 --------------------
 
-**syntax:** *session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?, send_status_req?)*
+**syntax:** *session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?, send_status_req?, options_table?)*
 
 **context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua**
 
@@ -7382,6 +7381,18 @@ to validate the server name in the server certificate.
 The optional `send_status_req` argument takes a boolean that controls whether to send
 the OCSP status request in the SSL handshake request (which is for requesting OCSP stapling).
 
+An optional Lua table can be specified as the last argument to this method to specify various handshake options:
+
+* `client_cert` specify a client certificate chain cdata object that will be used while handshaking with
+remote server. These objects can be created using [ngx.ssl.parse\_pem\_cert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_cert)
+function provided by lua-resty-core. Note that specifying the `client_cert` option requires
+corresponding `client_priv_key` be provided too. See below.
+* `client_priv_key` specify a private key corresponds to the `client_cert` option above.
+These objects can be created using [ngx.ssl.parse\_pem\_priv\_key](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_priv_key)
+function provided by lua-resty-core.
+
+The support for the options table argument was first introduced in the v0.10.16 release.
+
 For connections that have already done SSL/TLS handshake, this method returns
 immediately.
 

src/ngx_http_lua_socket_tcp.c

@@ -1534,23 +1534,27 @@ ngx_http_lua_socket_conn_error_retval_handler(ngx_http_request_t *r,
 static int
 ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
 {
-    int                      n, top;
+    int                      n, top, i;
     ngx_int_t                rc;
     ngx_str_t                name = ngx_null_string;
     ngx_connection_t        *c;
     ngx_ssl_session_t      **psession;
     ngx_http_request_t      *r;
     ngx_http_lua_ctx_t      *ctx;
     ngx_http_lua_co_ctx_t   *coctx;
+    STACK_OF(X509)          *chain = NULL;
+    X509                    *x509;
+    EVP_PKEY                *pkey;
+    ngx_ssl_conn_t          *ssl_conn;
 
     ngx_http_lua_socket_tcp_upstream_t  *u;
 
     /* Lua function arguments: self [,session] [,host] [,verify]
-       [,send_status_req] */
+       [,send_status_req] [, opts] */
 
     n = lua_gettop(L);
-    if (n < 1 || n > 5) {
-        return luaL_error(L, "ngx.socket sslhandshake: expecting 1 ~ 5 "
+    if (n < 1 || n > 6) {
+        return luaL_error(L, "ngx.socket sslhandshake: expecting 1 ~ 6 "
                           "arguments (including the object), but seen %d", n);
     }
 
@@ -1626,6 +1630,8 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
         return 2;
     }
 
+    ssl_conn = c->ssl->connection;
+
     ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module);
     if (ctx == NULL) {
         return luaL_error(L, "no ctx found");
@@ -1695,6 +1701,95 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
 #endif
                     }
                 }
+
+                if (n >= 6) {
+                    if (lua_type(L, 6) == LUA_TTABLE) {
+                        lua_getfield(L, 6, "client_cert");
+
+                        if (!lua_isnil(L, -1)) {
+                            chain = luaL_checkcdataptr(L, -1);
+                            if (chain == NULL) {
+                                return luaL_error(L, "\"client_cert\" can "
+                                                  "not be NULL");
+                            }
+
+                            /* chain != NULL */
+
+                            lua_pop(L, 1);
+
+                            lua_getfield(L, 6, "client_priv_key");
+
+                            pkey = luaL_checkcdataptr(L, -1);
+                            if (pkey == NULL) {
+                                return luaL_error(L, "\"client_priv_key\" can "
+                                                  "not be NULL");
+                            }
+
+                            if (sk_X509_num(chain) < 1) {
+                                ERR_clear_error();
+                                return luaL_error(L, "invalid client "
+                                                  "certificate chain");
+                            }
+
+                            x509 = sk_X509_value(chain, 0);
+                            if (x509 == NULL) {
+                                ERR_clear_error();
+                                lua_pushnil(L);
+                                lua_pushliteral(L, "lua ssl fetch client "
+                                                "certificate from chain "
+                                                "failed");
+                                return 2;
+                            }
+
+                            if (SSL_use_certificate(ssl_conn, x509) == 0) {
+                                ERR_clear_error();
+                                lua_pushnil(L);
+                                lua_pushliteral(L, "lua ssl set client "
+                                                "certificate failed");
+                                return 2;
+                            }
+
+                            /* read rest of the chain */
+
+                            for (i = 1; i < sk_X509_num(chain); i++) {
+                                x509 = sk_X509_value(chain, i);
+                                if (x509 == NULL) {
+                                    ERR_clear_error();
+                                    lua_pushnil(L);
+                                    lua_pushliteral(L, "lua ssl fetch client "
+                                                    "intermediate certificate "
+                                                    "from chain failed");
+                                    return 2;
+                                }
+
+                                if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
+                                    ERR_clear_error();
+                                    lua_pushnil(L);
+                                    lua_pushliteral(L, "lua ssl set client "
+                                                    "intermediate certificate "
+                                                    "failed");
+                                    return 2;
+                                }
+                            }
+
+                            if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) {
+                                ERR_clear_error();
+                                lua_pushnil(L);
+                                lua_pushliteral(L, "lua ssl set client "
+                                                "private key failed");
+                                return 2;
+                            }
+                        }
+
+                        lua_pop(L, 1);
+
+                    } else if (!lua_isnil(L, 6)) {
+                        return luaL_error(L, "ngx.socket sslhandshake: bad "
+                                          "options table type, expecting a "
+                                          "table but seen %s",
+                                          lua_typename(L, lua_type(L, 6)));
+                    }
+                }
             }
         }
     }