From 97d7de9af2cb6cc3bbbcae18ada738ace7771903 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Fri, 1 Mar 2024 13:03:12 +0100
Subject: portal-ng pods run under root user

- switch base image from openresty to nginx-unprivileged
- remove custom lua plugin code
- dynamically determine dns resolver ip during container startup
Issue-ID: PORTALNG-67
Change-Id: I23fb5e684dbb98a326afb00911a1f5ae78e2536d
Signed-off-by: Fiete Ostkamp
---
 server/resty/openssl/include/x509/altname.lua | 49 ---------
 server/resty/openssl/include/x509/crl.lua | 86 ---------------
 server/resty/openssl/include/x509/csr.lua | 88 ---------------
 server/resty/openssl/include/x509/extension.lua | 44 --------
 server/resty/openssl/include/x509/init.lua | 138 ------------------------
 server/resty/openssl/include/x509/name.lua | 21 ----
 server/resty/openssl/include/x509/revoked.lua | 17 ---
 7 files changed, 443 deletions(-)
 delete mode 100644 server/resty/openssl/include/x509/altname.lua
 delete mode 100644 server/resty/openssl/include/x509/crl.lua
 delete mode 100644 server/resty/openssl/include/x509/csr.lua
 delete mode 100644 server/resty/openssl/include/x509/extension.lua
 delete mode 100644 server/resty/openssl/include/x509/init.lua
 delete mode 100644 server/resty/openssl/include/x509/name.lua
 delete mode 100644 server/resty/openssl/include/x509/revoked.lua
(limited to 'server/resty/openssl/include/x509')
diff --git a/server/resty/openssl/include/x509/altname.lua b/server/resty/openssl/include/x509/altname.lua
deleted file mode 100644
index ce1db67..0000000
--- a/server/resty/openssl/include/x509/altname.lua
+++ /dev/null
@@ -1,49 +0,0 @@
-local GEN_OTHERNAME = 0
-local GEN_EMAIL = 1
-local GEN_DNS = 2
-local GEN_X400 = 3
-local GEN_DIRNAME = 4
-local GEN_EDIPARTY = 5
-local GEN_URI = 6
-local GEN_IPADD = 7
-local GEN_RID = 8
-
-local default_types = {
- OtherName = GEN_OTHERNAME, -- otherName
- RFC822Name = GEN_EMAIL, -- email
- RFC822 = GEN_EMAIL,
- Email = GEN_EMAIL,
- DNSName = GEN_DNS, -- dns
- DNS = GEN_DNS,
- X400 = GEN_X400, -- x400
- DirName = GEN_DIRNAME, -- dirName
- EdiParty = GEN_EDIPARTY, -- EdiParty
- UniformResourceIdentifier = GEN_URI, -- uri
- URI = GEN_URI,
- IPAddress = GEN_IPADD, -- ipaddr
- IP = GEN_IPADD,
- RID = GEN_RID, -- rid
-}
-
-local literals = {
- [GEN_OTHERNAME] = "OtherName",
- [GEN_EMAIL] = "email",
- [GEN_DNS] = "DNS",
- [GEN_X400] = "X400",
- [GEN_DIRNAME] = "DirName",
- [GEN_EDIPARTY] = "EdiParty",
- [GEN_URI] = "URI",
- [GEN_IPADD] = "IP",
- [GEN_RID] = "RID",
-}
-
-local types = {}
-for t, gid in pairs(default_types) do
- types[t:lower()] = gid
- types[t] = gid
-end
-
-return {
- types = types,
- literals = literals,
-}
\ No newline at end of file
diff --git a/server/resty/openssl/include/x509/crl.lua b/server/resty/openssl/include/x509/crl.lua
deleted file mode 100644
index 7870cd3..0000000
--- a/server/resty/openssl/include/x509/crl.lua
+++ /dev/null
@@ -1,86 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.evp"
-require "resty.openssl.include.objects"
-require "resty.openssl.include.x509"
-require "resty.openssl.include.stack"
-
-local asn1_macro = require "resty.openssl.include.asn1"
-
-local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
-local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
-local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
-
-asn1_macro.declare_asn1_functions("X509_CRL", asn1_macro.has_new_ex)
-
-ffi.cdef [[
- X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
- int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
- int X509_CRL_set_version(X509_CRL *x, long version);
-
- int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
- X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
- int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
- void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
-
- int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
- int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
-
- int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
- X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
- int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
-
- int X509_CRL_print(BIO *bio, X509_CRL *crl);
-
- int X509_CRL_get0_by_serial(X509_CRL *crl,
- X509_REVOKED **ret, ASN1_INTEGER *serial);
- int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
-
- //STACK_OF(X509_REVOKED)
- OPENSSL_STACK *X509_CRL_get_REVOKED(X509_CRL *crl);
-
- int X509_CRL_get0_by_serial(X509_CRL *crl,
- X509_REVOKED **ret, ASN1_INTEGER *serial);
-]]
-
-if OPENSSL_11_OR_LATER then
- ffi.cdef [[
- int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
- int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
- /*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
- /*const*/ ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
- long X509_CRL_get_version(const X509_CRL *crl);
-
- X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
-
- int X509_CRL_get_signature_nid(const X509_CRL *crl);
- ]]
-end
-if OPENSSL_10 or BORINGSSL_110 then
- -- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
- ffi.cdef [[
- typedef struct X509_crl_info_st {
- ASN1_INTEGER *version;
- X509_ALGOR *sig_alg;
- X509_NAME *issuer;
- ASN1_TIME *lastUpdate;
- ASN1_TIME *nextUpdate;
- // STACK_OF(X509_REVOKED)
- OPENSSL_STACK *revoked;
- // STACK_OF(X509_EXTENSION)
- OPENSSL_STACK /* [0] */ *extensions;
- ASN1_ENCODING enc;
- } X509_CRL_INFO;
-
- // Note: this struct is trimmed
- struct X509_crl_st {
- /* actual signature */
- X509_CRL_INFO *crl;
- // trimmed
- } /* X509_CRL */ ;
-
- int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
- int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
- ]]
-end
diff --git a/server/resty/openssl/include/x509/csr.lua b/server/resty/openssl/include/x509/csr.lua
deleted file mode 100644
index 44c4801..0000000
--- a/server/resty/openssl/include/x509/csr.lua
+++ /dev/null
@@ -1,88 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.evp"
-require "resty.openssl.include.objects"
-require "resty.openssl.include.x509"
-require "resty.openssl.include.stack"
-
-local asn1_macro = require "resty.openssl.include.asn1"
-
-local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
-local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
-local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
-local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
-
-asn1_macro.declare_asn1_functions("X509_REQ", asn1_macro.has_new_ex)
-
-ffi.cdef [[
- int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
-
- EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
- int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
-
- int X509_REQ_set_version(X509_REQ *x, long version);
-
- int X509_REQ_get_attr_count(const X509_REQ *req);
-
- int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
- X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
- int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
-
- int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
- void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
- int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
- X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
-
- int *X509_REQ_get_extension_nids(void);
-
- int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
- int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
-
- int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
- X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
-
- // STACK_OF(X509_EXTENSION)
- OPENSSL_STACK *X509_REQ_get_extensions(X509_REQ *req);
- // STACK_OF(X509_EXTENSION)
- int X509_REQ_add_extensions(X509_REQ *req, OPENSSL_STACK *exts);
-
- int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
-]]
-
-if OPENSSL_11_OR_LATER then
- ffi.cdef [[
- X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
- long X509_REQ_get_version(const X509_REQ *req);
-
- int X509_REQ_get_signature_nid(const X509_REQ *crl);
- ]]
-end
-if OPENSSL_10 or BORINGSSL_110 then
- ffi.cdef [[
- typedef struct X509_req_info_st {
- ASN1_ENCODING enc;
- ASN1_INTEGER *version;
- X509_NAME *subject;
- /*X509_PUBKEY*/ void *pubkey;
- /* d=2 hl=2 l= 0 cons: cont: 00 */
- /*STACK_OF(X509_ATTRIBUTE)*/ OPENSSL_STACK *attributes; /* [ 0 ] */
- } X509_REQ_INFO;
-
- // Note: this struct is trimmed
- typedef struct X509_req_st {
- X509_REQ_INFO *req_info;
- X509_ALGOR *sig_alg;
- // trimmed
- //ASN1_BIT_STRING *signature;
- //int references;
- } X509_REQ;
- ]]
-end
-
-if OPENSSL_3X then
- ffi.cdef [[
- int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
- const char *propq);
- ]]
-end
diff --git a/server/resty/openssl/include/x509/extension.lua b/server/resty/openssl/include/x509/extension.lua
deleted file mode 100644
index 14b231e..0000000
--- a/server/resty/openssl/include/x509/extension.lua
+++ /dev/null
@@ -1,44 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.x509v3"
-require "resty.openssl.include.x509"
-local asn1_macro = require "resty.openssl.include.asn1"
-local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
-
-asn1_macro.declare_asn1_functions("X509_EXTENSION")
-
-if OPENSSL_3X then
- ffi.cdef [[
- struct v3_ext_ctx {
- int flags;
- X509 *issuer_cert;
- X509 *subject_cert;
- X509_REQ *subject_req;
- X509_CRL *crl;
- /*X509V3_CONF_METHOD*/ void *db_meth;
- void *db;
- EVP_PKEY *issuer_pkey;
- };
-
- int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey);
- ]]
-
-else
- ffi.cdef [[
- struct v3_ext_ctx {
- int flags;
- X509 *issuer_cert;
- X509 *subject_cert;
- X509_REQ *subject_req;
- X509_CRL *crl;
- /*X509V3_CONF_METHOD*/ void *db_meth;
- void *db;
- };
- ]]
-end
-
-ffi.cdef [[
- int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
- int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
-]]
\ No newline at end of file
diff --git a/server/resty/openssl/include/x509/init.lua b/server/resty/openssl/include/x509/init.lua
deleted file mode 100644
index ec104ef..0000000
--- a/server/resty/openssl/include/x509/init.lua
+++ /dev/null
@@ -1,138 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.bio"
-require "resty.openssl.include.pem"
-require "resty.openssl.include.stack"
-local asn1_macro = require "resty.openssl.include.asn1"
-
-local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
-local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
-local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
-
-asn1_macro.declare_asn1_functions("X509", asn1_macro.has_new_ex)
-
-ffi.cdef [[
- int i2d_X509_bio(BIO *bp, X509 *x509);
- X509 *d2i_X509_bio(BIO *bp, X509 **x509);
-
- // STACK_OF(X509)
- OPENSSL_STACK *X509_chain_up_ref(OPENSSL_STACK *chain);
-
- int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
- int X509_verify(X509 *a, EVP_PKEY *r);
-
- ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
-
- int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
- X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
- int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
- void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
-
- int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
- int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
- ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
- ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
- X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
- X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
- int nid, int crit,
- ASN1_OCTET_STRING *data);
-
- // needed by pkey
- EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
- EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
- int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
- int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
-
- EVP_PKEY *X509_get_pubkey(X509 *x);
- int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
- int X509_set_version(X509 *x, long version);
- int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
-
- X509_NAME *X509_get_subject_name(const X509 *a);
- int X509_set_subject_name(X509 *x, X509_NAME *name);
- X509_NAME *X509_get_issuer_name(const X509 *a);
- int X509_set_issuer_name(X509 *x, X509_NAME *name);
-
- int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
- unsigned char *md, unsigned int *len);
- int X509_digest(const X509 *data, const EVP_MD *type,
- unsigned char *md, unsigned int *len);
-
- const char *X509_verify_cert_error_string(long n);
- int X509_verify_cert(X509_STORE_CTX *ctx);
-
- int X509_get_signature_nid(const X509 *x);
-
- unsigned char *X509_alias_get0(X509 *x, int *len);
- unsigned char *X509_keyid_get0(X509 *x, int *len);
- int X509_check_private_key(X509 *x, EVP_PKEY *k);
-]]
-
-if OPENSSL_11_OR_LATER then
- ffi.cdef [[
- int X509_up_ref(X509 *a);
-
- int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
- int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
- /*const*/ ASN1_TIME *X509_get0_notBefore(const X509 *x);
- /*const*/ ASN1_TIME *X509_get0_notAfter(const X509 *x);
- long X509_get_version(const X509 *x);
- const ASN1_INTEGER *X509_get0_serialNumber(X509 *x);
-
- X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
- ]]
-elseif OPENSSL_10 then
- ffi.cdef [[
- // STACK_OF(X509_EXTENSION)
- X509_EXTENSION *X509v3_delete_ext(OPENSSL_STACK *x, int loc);
- ]]
-end
-
-if OPENSSL_10 or BORINGSSL_110 then
- -- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
- ffi.cdef [[
- // crypto/x509/x509.h
- typedef struct X509_val_st {
- ASN1_TIME *notBefore;
- ASN1_TIME *notAfter;
- } X509_VAL;
-
- typedef struct X509_algor_st {
- ASN1_OBJECT *algorithm;
- ASN1_TYPE *parameter;
- } X509_ALGOR;
-
- // Note: this struct is trimmed
- typedef struct x509_cinf_st {
- /*ASN1_INTEGER*/ void *version;
- /*ASN1_INTEGER*/ void *serialNumber;
- X509_ALGOR *signature;
- X509_NAME *issuer;
- X509_VAL *validity;
- X509_NAME *subject;
- /*X509_PUBKEY*/ void *key;
- /*ASN1_BIT_STRING*/ void *issuerUID; /* [ 1 ] optional in v2 */
- /*ASN1_BIT_STRING*/ void *subjectUID; /* [ 2 ] optional in v2 */
- /*STACK_OF(X509_EXTENSION)*/ OPENSSL_STACK *extensions; /* [ 3 ] optional in v3 */
- // trimmed
- // ASN1_ENCODING enc;
- } X509_CINF;
- // Note: this struct is trimmed
- struct x509_st {
- X509_CINF *cert_info;
- // trimmed
- } X509;
-
- int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
- int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
- ASN1_INTEGER *X509_get_serialNumber(X509 *x);
- ]]
-end
-
-if BORINGSSL_110 then
- ffi.cdef [[
- ASN1_TIME *X509_get_notBefore(const X509 *x);
- ASN1_TIME *X509_get_notAfter(const X509 *x);
- ]]
-end
diff --git a/server/resty/openssl/include/x509/name.lua b/server/resty/openssl/include/x509/name.lua
deleted file mode 100644
index 2f933ae..0000000
--- a/server/resty/openssl/include/x509/name.lua
+++ /dev/null
@@ -1,21 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.asn1"
-require "resty.openssl.include.objects"
-local asn1_macro = require "resty.openssl.include.asn1"
-
-asn1_macro.declare_asn1_functions("X509_NAME")
-
-ffi.cdef [[
- int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,
- const unsigned char *bytes, int len, int loc,
- int set);
-
- int X509_NAME_entry_count(const X509_NAME *name);
- X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
- ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne);
- ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
- int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
- int lastpos);
-]]
\ No newline at end of file
diff --git a/server/resty/openssl/include/x509/revoked.lua b/server/resty/openssl/include/x509/revoked.lua
deleted file mode 100644
index c6539c9..0000000
--- a/server/resty/openssl/include/x509/revoked.lua
+++ /dev/null
@@ -1,17 +0,0 @@
-local ffi = require "ffi"
-
-require "resty.openssl.include.ossl_typ"
-require "resty.openssl.include.asn1"
-require "resty.openssl.include.objects"
-local asn1_macro = require "resty.openssl.include.asn1"
-
-asn1_macro.declare_asn1_functions("X509_REVOKED")
-
-ffi.cdef [[
- int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
- int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
- int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
-
- const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *r);
- const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *r);
-]]
\ No newline at end of file
-- cgit 1.2.3-korg