

change: unify the keyring and key_encrypt_salt fields (#10771)
RitterHou authored Jan 25, 2024
1 parent 847db2a commit 75cff5e
Showing 23 changed files with 99 additions and 124 deletions.
2 changes: 1 addition & 1 deletion apisix/cli/file.lua
Expand Up @@ -175,7 +175,7 @@ local function path_is_multi_type(path, type_val)
return true
end

if path == "apisix->ssl->key_encrypt_salt" then
if path == "apisix->data_encryption->keyring" then
return true
end

7 changes: 6 additions & 1 deletion apisix/cli/schema.lua
Expand Up @@ -224,7 +224,12 @@ local config_schema = {
}
}
},
key_encrypt_salt = {
}
},
data_encryption = {
type = "object",
properties = {
keyring = {
anyOf = {
{
type = "array",
3 changes: 2 additions & 1 deletion apisix/plugin.lua
Expand Up @@ -906,7 +906,8 @@ local enable_data_encryption
local function enable_gde()
if enable_data_encryption == nil then
enable_data_encryption =
core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable")
core.table.try_read_attr(local_conf, "apisix", "data_encryption",
"enable_encrypt_fields")
_M.enable_data_encryption = enable_data_encryption
end

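Review bot: Reading `enable_encrypt_fields` at the replaced try_read_attr call means a deployment whose config.yaml still sets the previous `data_encryption.enable` key gets nil here, so `enable_gde()` silently reports field encryption as disabled and plugin `encrypt_fields` are presumably stored in etcd unencrypted. Unless the config schema rejects the old key (not visible in this hunk), the rename should be documented at the call, e.g. `-- renamed from data_encryption.enable; a config still using the old key silently disables field encryption`, and a one-release fallback with a deprecation warning such as `or core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable")` would keep existing configs safe. The caller of enable_gde and the module-level `enable_data_encryption` declaration sit outside the hunk.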
39 changes: 8 additions & 31 deletions apisix/ssl.lua
Expand Up @@ -92,17 +92,6 @@ local function init_iv_tbl(ivs)
end


local _aes_128_cbc_with_iv_tbl_ssl
local function get_aes_128_cbc_with_iv_ssl(local_conf)
if _aes_128_cbc_with_iv_tbl_ssl == nil then
local ivs = core.table.try_read_attr(local_conf, "apisix", "ssl", "key_encrypt_salt")
_aes_128_cbc_with_iv_tbl_ssl = init_iv_tbl(ivs)
end

return _aes_128_cbc_with_iv_tbl_ssl
end


local _aes_128_cbc_with_iv_tbl_gde
local function get_aes_128_cbc_with_iv_gde(local_conf)
if _aes_128_cbc_with_iv_tbl_gde == nil then
Expand All @@ -127,43 +116,31 @@ end

function _M.aes_encrypt_pkey(origin, field)
local local_conf = core.config.local_conf()
local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]

if not field then
-- default used by ssl
local aes_128_cbc_with_iv_tbl_ssl = get_aes_128_cbc_with_iv_ssl(local_conf)
local aes_128_cbc_with_iv_ssl = aes_128_cbc_with_iv_tbl_ssl[1]
if aes_128_cbc_with_iv_ssl ~= nil and core.string.has_prefix(origin, "---") then
return encrypt(aes_128_cbc_with_iv_ssl, origin)
if aes_128_cbc_with_iv_gde ~= nil and core.string.has_prefix(origin, "---") then
return encrypt(aes_128_cbc_with_iv_gde, origin)
end
else
if field == "data_encrypt" then
local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]
if aes_128_cbc_with_iv_gde ~= nil then
return encrypt(aes_128_cbc_with_iv_gde, origin)
end
end
end

return origin
end


local function aes_decrypt_pkey(origin, field)
local local_conf = core.config.local_conf()
local aes_128_cbc_with_iv_tbl

if not field then
if core.string.has_prefix(origin, "---") then
return origin
end
aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_ssl(local_conf)
else
if field == "data_encrypt" then
aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
end
if not field and core.string.has_prefix(origin, "---") then
return origin
end

local local_conf = core.config.local_conf()
local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
if #aes_128_cbc_with_iv_tbl == 0 then
return origin
end
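Review bot: `aes_decrypt_pkey` now obtains its key table only from `get_aes_128_cbc_with_iv_gde`, while the removed `get_aes_128_cbc_with_iv_ssl` read `apisix.ssl.key_encrypt_salt`; SSL private keys already stored in etcd were encrypted under that old field, so a deployment that customised it will hit the `decrypt ssl key failed` path for every existing certificate until the same value is copied into `data_encryption.keyring`, and nothing in this hunk falls back to the old field or documents the requirement. A comment at the new `local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)` line, e.g. `-- keys stored before the keyring unification were encrypted with ssl.key_encrypt_salt; carry that value into data_encryption.keyring or they cannot be decrypted`, would make the migration visible where the failure originates. As a point of style, the `else if field == "data_encrypt" then ... end end` kept in `aes_encrypt_pkey` can collapse to `elseif field == "data_encrypt" then`, dropping a nesting level. `aes_decrypt_pkey` continues past the end of the hunk.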
22 changes: 7 additions & 15 deletions conf/config-default.yaml
Expand Up @@ -108,16 +108,6 @@ apisix:
# Disabled by default because it renders Perfect Forward Secrecy (FPS)
# useless. See https://github.com/mozilla/server-side-tls/issues/135.

key_encrypt_salt: # This field is only used to encrypt the private key of SSL.
- edd1c9f0985e76a2 # Set the encryption key for AES-128-CBC. It should be a
# hexadecimal string of length 16.
# If not set, APISIX saves the original data into etcd.
# CAUTION: If you would like to update the key, add the new key as the
# first item in the array and keep the older keys below the newly added
# key, so that data can be decrypted with the older keys and encrypted
# with the new key. Removing the old keys directly can render the data
# unrecoverable.

# fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during
# # the handshake.

Expand All @@ -128,11 +118,13 @@ apisix:

disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED.

data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema.
enable: false
keyring: # Set the encryption key for AES-128-CBC. It should be a
- qeddd145sfvddff3 # hexadecimal string of length 16.
# If not set, APISIX saves the original data into etcd.
data_encryption: # Data encryption settings.
enable_encrypt_fields: false # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
keyring: # This field is used to encrypt the private key of SSL and the `encrypt_fields`
# in plugin schema.
- qeddd145sfvddff3 # Set the encryption key for AES-128-CBC. It should be a hexadecimal string
# of length 16.
- edd1c9f0985e76a2 # If not set, APISIX saves the original data into etcd.
# CAUTION: If you would like to update the key, add the new key as the
# first item in the array and keep the older keys below the newly added
# key, so that data can be decrypted with the older keys and encrypted
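Review bot: The `keyring` block now ships two concrete key values as the repository default, and the surrounding comment only explains how to rotate; it should state that these values are public and must be replaced before deployment, since anyone with read access to etcd who knows the default keyring could presumably recover the stored SSL private keys and `encrypt_fields` data. A line such as `# These default keys are published with APISIX; generate your own before use.` above the first entry would cover it. The comment `# If not set, APISIX saves the original data into etcd.` is now aligned with the second key, where it reads as if it applied to that entry alone; moving it to the `keyring:` line would be clearer.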
8 changes: 4 additions & 4 deletions t/admin/ssl2.t
Expand Up @@ -431,8 +431,8 @@ qr/"snis":\["update1.com","update2.com"\]/
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: "edd1c9f0985e76a2"
data_encryption:
keyring: "qeddd145sfvddff3"
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -468,8 +468,8 @@ false
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: "edd1c9f0985e76a2"
data_encryption:
keyring: "qeddd145sfvddff3"
--- config
location /t {
content_by_lua_block {
62 changes: 31 additions & 31 deletions t/admin/ssl4.t
Expand Up @@ -110,14 +110,14 @@ run_tests;

__DATA__
=== TEST 1: set ssl(sni: www.test.com), encrypt with the first key_encrypt_salt
=== TEST 1: set ssl(sni: www.test.com), encrypt with the first keyring
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt:
data_encryption:
keyring:
- edd1c9f0985e76a1
- edd1c9f0985e76a2
- qeddd145sfvddff3
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -152,8 +152,8 @@ passed
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: "edd1c9f0985e76a1"
data_encryption:
keyring: "edd1c9f0985e76a1"
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -182,12 +182,12 @@ passed
=== TEST 3: client request with the old style key_encrypt_salt
=== TEST 3: client request with the old style keyring
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: "edd1c9f0985e76a1"
data_encryption:
keyring: "edd1c9f0985e76a1"
--- response_body eval
qr{connected: 1
ssl handshake: true
Expand All @@ -207,12 +207,12 @@ server name: "www.test.com"
=== TEST 4: client request with the new style key_encrypt_salt
=== TEST 4: client request with the new style keyring
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt:
data_encryption:
keyring:
- edd1c9f0985e76a1
--- response_body eval
qr{connected: 1
Expand All @@ -233,26 +233,26 @@ server name: "www.test.com"
=== TEST 5: client request failed with the wrong key_encrypt_salt
=== TEST 5: client request failed with the wrong keyring
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt:
- edd1c9f0985e76a2
data_encryption:
keyring:
- qeddd145sfvddff3
--- error_log
decrypt ssl key failed
[alert]
=== TEST 6: client request successfully, use the two key_encrypt_salt to decrypt in turn
=== TEST 6: client request successfully, use the two keyring to decrypt in turn
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt:
- edd1c9f0985e76a2
data_encryption:
keyring:
- qeddd145sfvddff3
- edd1c9f0985e76a1
--- response_body eval
qr{connected: 1
Expand All @@ -273,8 +273,8 @@ close: 1 nil}
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt:
data_encryption:
keyring:
- edd1c9f0985e76a1
--- config
location /t {
Expand All @@ -292,8 +292,8 @@ location /t {
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: null
data_encryption:
keyring: null
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -324,12 +324,12 @@ passed
=== TEST 9: client request without key_encrypt_salt
=== TEST 9: client request without keyring
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: null
data_encryption:
keyring: null
--- response_body eval
qr{connected: 1
ssl handshake: true
Expand All @@ -353,8 +353,8 @@ server name: "www.test.com"
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: null
data_encryption:
keyring: null
--- config
location /t {
content_by_lua_block {
Expand All @@ -371,8 +371,8 @@ location /t {
--- yaml_config
apisix:
node_listen: 1984
ssl:
key_encrypt_salt: null
data_encryption:
keyring: null
--- config
location /t {
content_by_lua_block {

