gsimko
commented
1 year ago What's needed here to get this merged? @leafo can you please take a look?
Open outsinre opened 2 years ago
gsimko
commented
1 year ago What's needed here to get this merged? @leafo can you please take a look?
gsimko
commented
1 year ago Just an update that this also fixes when the signature is RSA-SHA1.
If we want to stay closer to what postgres does, instead of objects.txt2nid(signature) we could directly do server_cert.get_signature_nid(). For reference, here is the postgres code: https://github.com/postgres/postgres/blob/a601366a460f68472bf70c4d94c57baa0a3ed1b2/src/backend/libpq/be-secure-openssl.c#L1434
leafo
commented
1 year ago This code is only compatible with openresty, not the other socket layers. Additionally it looks like the test suite did not run, does it need to be rebased to pick up the latest workflow?
gsimko
commented
1 year ago I couldn't find a solution with cqueues and luasocket for the signature -> digest conversion but added manual handling for the two scenarios I have observed (ecdsa-with-sha384 and rsa-sha1). Can you please take a look at https://github.com/leafo/pgmoon/pull/130 @leafo ?
When using ECDSA certificate, the
signaturename is the full name (e.g.,ecdsa-with-SHA384), but indeed should be the digest part only (e.g.,SHA384).This PR fixes the issue. Make sure
lua-resty-opensslis bumped to0.8.10.