feature: support custom trusted CA store for cosocket TLS handshake.

Adds the cosocket-level plumbing for a new tcpsock:settrustedstore(store)
method, allowing Lua code to supply a per-handshake X509_STORE that
overrides lua_ssl_trusted_certificate for the upcoming sslhandshake().
This is needed for use cases where the set of trusted CAs is determined
at request time (e.g. per-tenant mTLS upstreams).

* a new X509_STORE *ssl_trusted_store field on
  ngx_http_lua_socket_tcp_upstream_t, used as a one-shot slot consumed
  by the handshake;
* the FFI entry point ngx_http_lua_ffi_socket_tcp_settrustedstore() that
  validates the cosocket state and stores the pointer on the upstream;
* SSL_set1_verify_cert_store() invocation inside
  ngx_http_lua_ffi_socket_tcp_sslhandshake() when a store has been set,
  with the slot cleared after use so it cannot leak across handshakes.

The matching tcpsock:settrustedstore() Lua wrapper will land in
lua-resty-core in a separate change.

Signed-off-by: Walker Zhao <walker.zhao@konghq.com>

Author: findns94

README.markdown

@@ -4060,6 +4060,7 @@ Nginx API for Lua
 * [tcpsock:connect](#tcpsockconnect)
 * [tcpsock:getfd](#getfd)
 * [tcpsock:setclientcert](#tcpsocksetclientcert)
+* [tcpsock:settrustedstore](#tcpsocksettrustedstore)
 * [tcpsock:sslhandshake](#tcpsocksslhandshake)
 * [tcpsock:send](#tcpsocksend)
 * [tcpsock:receive](#tcpsockreceive)
@@ -8126,6 +8127,7 @@ Creates and returns a TCP or stream-oriented unix domain socket object (also kno
 * [bind](#tcpsockbind)
 * [connect](#tcpsockconnect)
 * [setclientcert](#tcpsocksetclientcert)
+* [settrustedstore](#tcpsocksettrustedstore)
 * [sslhandshake](#tcpsocksslhandshake)
 * [send](#tcpsocksend)
 * [receive](#tcpsockreceive)
@@ -8365,6 +8367,36 @@ This method was first introduced in the `v0.10.22` release.
 
 [Back to TOC](#nginx-api-for-lua)
 
+tcpsock:settrustedstore
+-----------------------
+
+**syntax:** *ok, err = tcpsock:settrustedstore(x509_store)*
+
+**context:** *rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.**
+
+Set an X509 trusted certificate store on the TCP socket object. The store will be used by the
+[tcpsock:sslhandshake](#tcpsocksslhandshake) method to verify the remote server's certificate, in
+place of the CAs configured by the [lua_ssl_trusted_certificate](#lua_ssl_trusted_certificate)
+directive. This is useful when the set of trusted CAs is determined at request time, for example
+when talking to per-tenant upstreams whose CAs are not known at configuration time.
+
+* `x509_store` specifies an `X509_STORE *` cdata object that will be used during the SSL/TLS
+  handshake. Such an object can be built using the
+  [resty.openssl.x509.store](https://github.com/fffonion/lua-resty-openssl) library or directly via
+  raw OpenSSL FFI bindings.
+
+If `x509_store` is `nil`, this method will clear any previously set trusted store on the cosocket
+object.
+
+The TCP connection must already be established before calling this method.
+
+The trusted store only takes effect when the next [tcpsock:sslhandshake](#tcpsocksslhandshake)
+call is made with `ssl_verify` set to `true`; with verification off, the store is ignored. The
+store is consumed once per handshake and is not retained across handshakes, so callers wishing to
+apply it to a subsequent handshake on the same cosocket must call this method again.
+
+[Back to TOC](#nginx-api-for-lua)
+
 tcpsock:sslhandshake
 --------------------
 
@@ -8394,7 +8426,10 @@ the remote.
 The optional `ssl_verify` argument takes a Lua boolean value to
 control whether to perform SSL verification. When set to `true`, the server
 certificate will be verified according to the CA certificates specified by
-the [lua_ssl_trusted_certificate](#lua_ssl_trusted_certificate) directive.
+the [lua_ssl_trusted_certificate](#lua_ssl_trusted_certificate) directive,
+or, if [tcpsock:settrustedstore](#tcpsocksettrustedstore) has been called on
+this cosocket, by the X509 store supplied there (which takes precedence for
+this handshake).
 You may also need to adjust the [lua_ssl_verify_depth](#lua_ssl_verify_depth)
 directive to control how deep we should follow along the certificate chain.
 Also, when the `ssl_verify` argument is true and the

src/ngx_http_lua_socket_tcp.c

@@ -1939,6 +1939,16 @@ ngx_http_lua_ffi_socket_tcp_sslhandshake(ngx_http_request_t *r,
 
     u->ssl_verify = verify;
 
+    if (u->ssl_trusted_store) {
+        if (SSL_set1_verify_cert_store(ssl_conn, u->ssl_trusted_store) == 0) {
+            ERR_clear_error();
+            *errmsg = "SSL_set1_verify_cert_store() failed";
+            return NGX_ERROR;
+        }
+
+        u->ssl_trusted_store = NULL;
+    }
+
     if (ocsp_status_req) {
 #ifdef NGX_HTTP_LUA_USE_OCSP
         SSL_set_tlsext_status_type(c->ssl->connection,
@@ -2255,6 +2265,35 @@ ngx_http_lua_ffi_socket_tcp_get_ssl_ctx(ngx_http_request_t *r,
 }
 
 
+int
+ngx_http_lua_ffi_socket_tcp_settrustedstore(ngx_http_request_t *r,
+    ngx_http_lua_socket_tcp_upstream_t *u, void *store, const char **errmsg)
+{
+    if (u == NULL
+        || u->peer.connection == NULL
+        || u->read_closed
+        || u->write_closed)
+    {
+        *errmsg = "closed";
+        return NGX_ERROR;
+    }
+
+    if (u->request != r) {
+        *errmsg = "bad request";
+        return NGX_ERROR;
+    }
+
+    if (store == NULL) {
+        *errmsg = "no trusted store";
+        return NGX_ERROR;
+    }
+
+    u->ssl_trusted_store = store;
+
+    return NGX_OK;
+}
+
+
 #endif  /* NGX_HTTP_SSL */
 
 

src/ngx_http_lua_socket_tcp.h

@@ -135,6 +135,7 @@ struct ngx_http_lua_socket_tcp_upstream_s {
     ngx_ssl_session_t               *ssl_session_ret;
     const char                      *error_ret;
     int                              openssl_error_code_ret;
+    X509_STORE                      *ssl_trusted_store;
 #endif
 
     ngx_chain_t                     *busy_bufs;