OCSP nextupdate

[ElvinEfendi]

I hereby granted the copyright of the changes in this pull request
to the authors of this lua-resty-core project.

Fixes #75
Depends on openresty/lua-nginx-module#1694

This is a sister PR of openresty/lua-nginx-module#1694.

I can not find the necessary keys to create another OCSP response with nextUpdate set. I can do the whole thing from ground up and include all the necessary keys and certs - but if there's already a way to sign another OCSP response for the existing certs in t/ it would be better to use that so that I can add more meaningful test cases. UPDATE: I included all the necessary test fixtures and also steps to (re)generate them.

[ElvinEfendi]

Here's the local test run:

> lua-resty-core (ocsp-nextupdate)$ docker run -w /app --rm -it -v ${PWD}:/app lua_ngx t/ocsp.t
t/ocsp.t .. 1/258 TEST 17: no status req from client - WARNING: killing the child process 21 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 13/258 TEST 16: good status req from client - WARNING: killing the child process 34 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 29/258 TEST 18: good OCSP response with nextUpdate present - WARNING: killing the child process 47 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 48/258 TEST 5: get OCSP responder (truncated) - WARNING: killing the child process 60 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 57/258 TEST 4: get OCSP responder (issuer cert not next to the leaf cert) - WARNING: killing the child process 73 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 77/258 TEST 6: create OCSP request (good) - WARNING: killing the child process 86 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 83/258 TEST 9: create OCSP request (no issuer cert in the chain) - WARNING: killing the child process 99 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 97/258 TEST 1: get OCSP responder (good case) - WARNING: killing the child process 112 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 116/258 TEST 8: create OCSP request (empty string cert chain) - WARNING: killing the child process 125 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 123/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 129/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
TEST 12: validate good OCSP response - no certs in response - WARNING: killing the child process 138 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 135/258 TEST 10: validate good OCSP response - WARNING: killing the child process 151 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 149/258 TEST 11: fail to validate OCSP response - no issuer cert - WARNING: killing the child process 164 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 163/258 TEST 14: fail to validate OCSP response - OCSP response signed by an unknown cert and the OCSP response does not contain the unknown cert - WARNING: killing the child process 177 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 184/258 TEST 13: validate OCSP response - OCSP response signed by an unknown cert and the OCSP response contains the unknown cert - WARNING: killing the child process 190 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 198/258 TEST 19: revoked OCSP response with nextUpdate present - WARNING: killing the child process 203 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 205/258 TEST 7: create OCSP request (buffer too small) - WARNING: killing the child process 216 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 219/258 TEST 2: get OCSP responder (not found) - WARNING: killing the child process 229 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 231/258 TEST 15: fail to validate OCSP response - OCSP response returns revoked status - WARNING: killing the child process 242 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 245/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:08 [crit] 255#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 252/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:09 [crit] 255#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
END - WARNING: killing the child process 255 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. ok
All tests successful.
Files=1, Tests=258, 54 wallclock secs ( 0.08 usr  0.02 sys +  1.49 cusr  1.92 csys =  3.51 CPU)
Result: PASS

[ElvinEfendi]

cc @agentzh @thibaultcha

[ElvinEfendi]

Can I get some feedback on this?

[agentzh]

Please don't change the order of exsting return value because this will break backward-compatibility and
break existing user code. Let use use the 3rd return value for this new data.

Also, will you please add some docs for this new feature?

[ElvinEfendi]

I tried to stick to the common convention of returning the error message as the last value. But if we want to avoid the backward incompatibility at the cost of breaking that convention, I can do it.

Also, will you please add some docs for this new feature?

Definitely, I'll add some docs once we settle on the implementation.

[agentzh]

@ElvinEfendi Sorry for the delay on our side. Please check out my review comments. Thanks!

[agentzh]

This may interfere with other FFI-based Lua modules. Let's not try to define common types like time_t ourselves. Just use built-in type names like long directly.

[madrzejewski]

Hi,

Any news on this PR ? I would like to contribute but I'm afraid it's out of my league.

Having access to the nextUpdate field will be useful to cache the OCSP responses. I don't see how we can activate OCSP in Openresty without caching any of the OCSP responses at all, it will be terrible on a server with some heavy trafic.

Right now I'm thinking about managing the OCSP requests/responses without Openresty, by offloading the responsability to another service and storing the OCSP responses inside a Redis DB that Openresty will use too. It may be more scalable on a server with a lot of certificates and/or differents domains on it (like a load balancer for instance).

[madrzejewski]

Great job, thank you guys 👍