feature: support custom trusted CA store for cosocket TLS handshake.

Adds the cosocket-level plumbing for a new tcpsock:settrustedstore(store)
method, allowing Lua code to supply a per-handshake X509_STORE that
overrides lua_ssl_trusted_certificate for the upcoming sslhandshake().
This is needed for use cases where the set of trusted CAs is determined
at request time (e.g. per-tenant mTLS upstreams).

* a new X509_STORE *ssl_trusted_store field on
  ngx_http_lua_socket_tcp_upstream_t, used as a one-shot slot consumed
  by the handshake;
* the FFI entry point ngx_http_lua_ffi_socket_tcp_settrustedstore() that
  validates the cosocket state and stores the pointer on the upstream;
* SSL_set1_verify_cert_store() invocation inside
  ngx_http_lua_ffi_socket_tcp_sslhandshake() when a store has been set,
  with the slot cleared after use so it cannot leak across handshakes.

The matching tcpsock:settrustedstore() Lua wrapper will land in
lua-resty-core in a separate change.

Signed-off-by: Walker Zhao <walker.zhao@konghq.com>

Author: findns94

doc/HttpLuaModule.wiki

@@ -6662,6 +6662,7 @@ Creates and returns a TCP or stream-oriented unix domain socket object (also kno
 * [[#tcpsock:bind|bind]]
 * [[#tcpsock:connect|connect]]
 * [[#tcpsock:setclientcert|setclientcert]]
+* [[#tcpsock:settrustedstore|settrustedstore]]
 * [[#tcpsock:sslhandshake|sslhandshake]]
 * [[#tcpsock:send|send]]
 * [[#tcpsock:receive|receive]]
@@ -6866,6 +6867,34 @@ that was previously set on the cosocket object.
 
 This method was first introduced in the `v0.10.22` release.
 
+== tcpsock:settrustedstore ==
+
+'''syntax:''' ''ok, err = tcpsock:settrustedstore(x509_store)''
+
+'''context:''' ''rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua*, ssl_client_hello_by_lua*''
+
+Set an X509 trusted certificate store on the TCP socket object. The store will be used by the
+[tcpsock:sslhandshake](#tcpsocksslhandshake) method to verify the remote server's certificate, in
+place of the CAs configured by the [[#lua_ssl_trusted_certificate|lua_ssl_trusted_certificate]]
+directive. This is useful when the set of trusted CAs is determined at request time, for example
+when talking to per-tenant upstreams whose CAs are not known at configuration time.
+
+* <code>x509_store</code> specifies an <code>X509_STORE *</code> cdata object that will be used
+  during the SSL/TLS handshake. Such an object can be built using the
+  [resty.openssl.x509.store](https://github.com/fffonion/lua-resty-openssl) library or directly via
+  raw OpenSSL FFI bindings.
+
+If <code>x509_store</code> is <code>nil</code>, this method will clear any existing trusted store
+that was previously set on the cosocket object.
+
+The TCP connection must already be established before calling this method. The trusted store is
+applied to the underlying SSL connection during the next [tcpsock:sslhandshake](#tcpsocksslhandshake)
+call when <code>ssl_verify</code> is <code>true</code>; it is not retained across handshakes, so
+callers wishing to apply it to a subsequent handshake on the same cosocket must call this method
+again.
+
+This method was first introduced in the `v0.10.27` release.
+
 == tcpsock:sslhandshake ==
 
 '''syntax:''' ''session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?, send_status_req?)''
@@ -6894,7 +6923,10 @@ the remote.
 The optional <code>ssl_verify</code> argument takes a Lua boolean value to
 control whether to perform SSL verification. When set to <code>true</code>, the server
 certificate will be verified according to the CA certificates specified by
-the [[#lua_ssl_trusted_certificate|lua_ssl_trusted_certificate]] directive.
+the [[#lua_ssl_trusted_certificate|lua_ssl_trusted_certificate]] directive,
+or, if [[#tcpsock:settrustedstore|tcpsock:settrustedstore]] has been called on
+this cosocket, by the X509 store supplied there (which takes precedence for
+this handshake).
 You may also need to adjust the [[#lua_ssl_verify_depth|lua_ssl_verify_depth]]
 directive to control how deep we should follow along the certificate chain.
 Also, when the <code>ssl_verify</code> argument is true and the

src/ngx_http_lua_socket_tcp.c

@@ -1939,6 +1939,16 @@ ngx_http_lua_ffi_socket_tcp_sslhandshake(ngx_http_request_t *r,
 
     u->ssl_verify = verify;
 
+    if (u->ssl_trusted_store) {
+        if (SSL_set1_verify_cert_store(ssl_conn, u->ssl_trusted_store) == 0) {
+            ERR_clear_error();
+            *errmsg = "SSL_set1_verify_cert_store() failed";
+            return NGX_ERROR;
+        }
+
+        u->ssl_trusted_store = NULL;
+    }
+
     if (ocsp_status_req) {
 #ifdef NGX_HTTP_LUA_USE_OCSP
         SSL_set_tlsext_status_type(c->ssl->connection,
@@ -2255,6 +2265,35 @@ ngx_http_lua_ffi_socket_tcp_get_ssl_ctx(ngx_http_request_t *r,
 }
 
 
+int
+ngx_http_lua_ffi_socket_tcp_settrustedstore(ngx_http_request_t *r,
+    ngx_http_lua_socket_tcp_upstream_t *u, void *store, const char **errmsg)
+{
+    if (u == NULL
+        || u->peer.connection == NULL
+        || u->read_closed
+        || u->write_closed)
+    {
+        *errmsg = "closed";
+        return NGX_ERROR;
+    }
+
+    if (u->request != r) {
+        *errmsg = "bad request";
+        return NGX_ERROR;
+    }
+
+    if (store == NULL) {
+        *errmsg = "no trusted store";
+        return NGX_ERROR;
+    }
+
+    u->ssl_trusted_store = store;
+
+    return NGX_OK;
+}
+
+
 #endif  /* NGX_HTTP_SSL */
 
 

src/ngx_http_lua_socket_tcp.h

@@ -135,6 +135,7 @@ struct ngx_http_lua_socket_tcp_upstream_s {
     ngx_ssl_session_t               *ssl_session_ret;
     const char                      *error_ret;
     int                              openssl_error_code_ret;
+    X509_STORE                      *ssl_trusted_store;
 #endif
 
     ngx_chain_t                     *busy_bufs;