fix(aux/jwk) remove ecx.d if exporting as public key

Fix #151
fffonion · Apr 15, 2024 · 03ac0c0 · 03ac0c0
1 parent 48c5107
commit 03ac0c0
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 85 deletions.
diff --git a/lib/resty/openssl/auxiliary/jwk.lua b/lib/resty/openssl/auxiliary/jwk.lua
@@ -245,9 +245,11 @@ function _M.dump_jwk(pkey, is_priv)
     jwk = {
       kty = "OKP",
       crv = ecx_curves_reverse[pkey.key_type],
-      d = encode_base64url(params.private),
       x = encode_base64url(params.public),
     }
+    if is_priv then
+      jwk.d = encode_base64url(params.private)
+    end
   else
     return nil, "jwk.dump_jwk: not implemented for this key type"
   end

diff --git a/t/openssl/aux/jwk.t b/t/openssl/aux/jwk.t
@@ -9,12 +9,13 @@ my $pwd = cwd();
 my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
 
 our $HttpConfig = qq{
-    lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
+    lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
     init_by_lua_block {
         if "1" == "$use_luacov" then
             require 'luacov.tick'
             jit.off()
         end
+        _G.myassert = require("helper").myassert
     }
 };
 
@@ -39,18 +40,10 @@ __DATA__
                 dq  = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
                 qi  = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
             })
-            local privkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
-            local privkey, err = require("resty.openssl.pkey").new(jwk, {
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
                 format = "JWK",
-            })
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            }))
 
             -- errors
             local _, err = require("resty.openssl.pkey").new('asdasd', {
@@ -71,22 +64,10 @@ __DATA__
                 n   = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
                 e   = "AQAB",
             })
-            local pubkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
 
-            local s, err = pubkey:encrypt("23333")
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
-            local s, err = privkey:decrypt(s)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local s = myassert(pubkey:encrypt("23333"))
+            local s = myassert(privkey:decrypt(s))
             ngx.say(s)
         }
     }
@@ -112,18 +93,10 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
                 y   = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
                 d   = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
             })
-            local privkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
-            local privkey, err = require("resty.openssl.pkey").new(jwk, {
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
                 format = "JWK",
-            })
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            }))
 
             -- errors
             local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@@ -142,24 +115,12 @@ pkey.new:load_key: failed to construct RSA key from JWK: at least "n" and "e" pa
                 x   = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
                 y   = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
             })
-            local pubkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
 
             local d = require("resty.openssl.digest").new("sha256")
             d:update("23333")
-            local s, err = privkey:sign(d)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
-            local ok, err = pubkey:verify(s, d)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local s = myassert(privkey:sign(d))
+            local ok = myassert(pubkey:verify(s, d))
             ngx.say(ok)
         }
     }
@@ -183,18 +144,10 @@ true
                 x   = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
                 d   = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
             })
-            local privkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
-            local privkey, err = require("resty.openssl.pkey").new(jwk, {
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk, {
                 format = "JWK",
-            })
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            }))
 
             -- errors
             local _, err = require("resty.openssl.pkey").new(require("cjson").encode({
@@ -211,11 +164,7 @@ true
                 crv = "Ed25519",
                 x   = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
             })
-            local pubkey, err = require("resty.openssl.pkey").new(jwk)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local pubkey = myassert(require("resty.openssl.pkey").new(jwk))
 
         }
     }
@@ -232,23 +181,11 @@ true
 --- config
     location =/t {
         content_by_lua_block {
-            local privkey, err = require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'})
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local privkey = myassert(require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'}))
 
-            local pem, err = privkey:tostring("public")
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local pem = myassert(privkey:tostring("public"))
 
-            local pubkey, err = require("resty.openssl.pkey").new(pem)
-            if err then
-                ngx.log(ngx.ERR, err)
-                return
-            end
+            local pubkey = myassert(require("resty.openssl.pkey").new(pem))
 
             local _, err = pubkey:tostring("private", "JWK")
             ngx.say(err)
@@ -261,3 +198,65 @@ true
 '
 --- no_error_log
 [error]
+
+
+=== TEST 5: Dump pubkey from privkey doesn't contain private part
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local jwk = require("cjson").encode({
+                kty = "RSA",
+                n   = "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w",
+                e   = "AQAB",
+                d   = "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q",
+                p   = "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0",
+                q   = "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8",
+                dp  = "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE",
+                dq  = "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk",
+                qi  = "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"
+            })
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+            for k, _ in pairs(jwk) do
+                if k ~= "kty" and k ~= "kid" and k ~= "n" and k ~="e" then
+                    ngx.say("RSA JWK pubkey contains private part: " .. k)
+                end
+            end
+
+            local jwk = require("cjson").encode({
+                kty = "EC",
+                crv = "P-256",
+                x   = "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
+                y   = "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
+                d   = "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
+            })
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+            for k, _ in pairs(jwk) do
+                if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" and k ~="y" then
+                    ngx.say("EC JWK pubkey contains private part: " .. k)
+                end
+            end
+
+            local jwk = require("cjson").encode({
+                kty = "OKP",
+                crv = "Ed25519",
+                x   = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
+                d   = "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
+            })
+            local privkey = myassert(require("resty.openssl.pkey").new(jwk))
+            local jwk = require("cjson").decode(myassert(privkey:tostring("public", "JWK")))
+            for k, _ in pairs(jwk) do
+                if k ~= "kty" and k ~= "kid" and k ~= "crv" and k ~= "x" then
+                    ngx.say("ECX JWK pubkey contains private part: " .. k)
+                end
+            end
+        }
+    }
+--- request
+    GET /t
+--- response_body eval
+''
+--- no_error_log
+[error]