@@ -167,18 +167,34 @@ local function connect(self, options)
167167 local cert_hash
168168 if ssl and ssl_client_cert and ssl_client_priv_key then
169169 local status , res = xpcall (function ()
170- return require (" resty.openssl.x509" )
170+ local x509 = require (" resty.openssl.x509" )
171+ local pkey = require (" resty.openssl.pkey" )
172+ return { x509 , pkey }
171173 end , debug.traceback )
172174
173175 if status then
174- local x509 = res
176+ local x509 = res [1 ]
177+ local pkey = res [2 ]
175178 local cert , err = x509 .new (ssl_client_cert )
176179 if not cert then
177180 return nil , err
178181 end
179182 -- should not free the cdata passed in
180183 ffi_gc (cert .ctx , nil )
181184
185+ local key , err = pkey .new (ssl_client_priv_key )
186+ if not key then
187+ return nil , err
188+ end
189+ -- should not free the cdata passed in
190+ ffi_gc (key .ctx , nil )
191+
192+ -- check the private key in order to make sure the caller is indeed the holder of the cert
193+ ok , err = cert :check_private_key (key )
194+ if not ok then
195+ return nil , " failed to match the private key with the certificate: " .. err
196+ end
197+
182198 cert_hash , err = cert :digest (" sha256" )
183199 if cert_hash then
184200 cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
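Review bot: `ok , err = cert :check_private_key (key )` on the new line 193 assigns `ok` without a `local` declaration, so unless connect already declares an `ok` local earlier (its body starts before this hunk), the assignment writes a global; declare it as `local ok, err = cert:check_private_key(key)`. The concatenation `" failed to match the private key with the certificate: " .. err` on line 195 raises a Lua error if the check ever reports failure with a nil message, so wrapping it as `tostring(err)` would be safer; whether the library guarantees a string there is not visible in this hunk. The mismatch check is the right place to fail hard, since the caller claimed to hold the certificate, and the error string should not include key material, which it currently does not. The enclosing function connect continues past this hunk.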
@@ -188,11 +204,11 @@ local function connect(self, options)
188204 end
189205
190206 else
191- if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ .x509)' not found" ) then
207+ if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ .( x509|pkey )' not found" ) then
192208 ngx_log (ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS." )
193209
194210 else
195- return nil , " failed to load module 'resty.openssl.x509 ':\n " .. res
211+ return nil , " failed to load module 'resty.openssl.* ':\n " .. res
196212 end
197213 end
198214 end
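Review bot: The widened pattern on the new line 207 extends the silent downgrade: when either `resty.openssl.x509` or `resty.openssl.pkey` is absent, a caller that explicitly supplied both `ssl_client_cert` and `ssl_client_priv_key` still gets a connection without client authentication, signalled only by a WARN log. Because the caller asked for mTLS, returning `nil, err` here, or gating the fallback behind an explicit option, would be safer than proceeding; at minimum the log message could include `res` so that operators can see which module failed to load. The generic `'resty.openssl.*'` wording on line 211 likewise hides which of the two modules failed; since `res` is appended it is recoverable, but naming the module would help. The enclosing function connect continues past this hunk.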