fix(set_upstream_ssl_trusted_store) use correct type for

resty.openssl.x509.store object checks

README.md

@@ -148,7 +148,7 @@ resty.kong.tls.set\_upstream\_ssl\_trusted\_store
 Set upstream ssl verification trusted store of current request. Global setting set by
 `proxy_ssl_trusted_certificate` will be overwritten for the current request.
 
-`store` is a `X509_STORE*` cdata that can be created by
+`store` is a table object that can be created by
 [resty.openssl.x509.store.new](https://github.com/fffonion/lua-resty-openssl#storenew).
 
 On success, this function returns `true` and future handshakes with upstream servers

lualib/resty/kong/tls.lua

@@ -200,28 +200,33 @@ if ngx.config.subsystem == "http" then
             error("unknown return code: " .. tostring(ret))
         end
 
-        function _M.set_upstream_ssl_trusted_store(store)
-            if not ALLOWED_PHASES[get_phase()] then
-                error("API disabled in the current context", 2)
-            end
+        do
+          local store_lib = require("resty.openssl.x509.store")
 
-            if type(store) ~= 'cdata' then
-                error("store expects a cdata object but found " .. type(store), 2)
-            end
+          function _M.set_upstream_ssl_trusted_store(store)
+              if not ALLOWED_PHASES[get_phase()] then
+                  error("API disabled in the current context", 2)
+              end
 
-            local r = get_request()
+              if not store_lib.istype(store) then
+                  error("store expects a resty.openssl.x509.store" ..
+                        " object but found " .. type(store), 2)
+              end
 
-            local ret = C.ngx_http_lua_kong_ffi_set_upstream_ssl_trusted_store(
-                r, store)
-            if ret == NGX_OK then
-                return true
-            end
+              local r = get_request()
 
-            if ret == NGX_ERROR then
-                return nil, "error while setting upstream trusted store"
-            end
+              local ret = C.ngx_http_lua_kong_ffi_set_upstream_ssl_trusted_store(
+                  r, store.ctx)
+              if ret == NGX_OK then
+                  return true
+              end
 
-            error("unknown return code: " .. tostring(ret))
+              if ret == NGX_ERROR then
+                  return nil, "error while setting upstream trusted store"
+              end
+
+              error("unknown return code: " .. tostring(ret))
+          end
         end
 
         function _M.set_upstream_ssl_verify(verify)

t/002-upstream-tls.t

@@ -651,7 +651,7 @@ X509_check_host(): match
                 f:close()
                 assert(s:add(x509.new(cert_data)))
             end
-            local ok, err = tls.set_upstream_ssl_trusted_store(s.ctx)
+            local ok, err = tls.set_upstream_ssl_trusted_store(s)
             if not ok then
                 ngx.say("set_upstream_ssl_trusted_store failed: ", err)
             end
@@ -718,7 +718,7 @@ upstream SSL certificate verify error: (2:unable to get issuer certificate)
                 f:close()
                 assert(s:add(x509.new(cert_data)))
             end
-            local ok, err = tls.set_upstream_ssl_trusted_store(s.ctx)
+            local ok, err = tls.set_upstream_ssl_trusted_store(s)
             if not ok then
                 ngx.say("set_upstream_ssl_trusted_store failed: ", err)
             end
@@ -786,7 +786,7 @@ X509_check_host(): match
                 assert(s:add(x509.new(cert_data)))
             end
             for i=0,3 do
-                local ok, err = tls.set_upstream_ssl_trusted_store(s.ctx)
+                local ok, err = tls.set_upstream_ssl_trusted_store(s)
                 if not ok then
                     ngx.say("set_upstream_ssl_trusted_store failed: ", err)
                     return