编写生成ssl认证文件函数和相关的测试例子

2025-11-10 08:30:19 +08:00 · 2025-11-10 08:30:19 +08:00 · ff0b020166
commit ff0b020166
parent b3b1f91080
3 changed files with 149 additions and 0 deletions
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -80,4 +80,11 @@ http {
           }
        }
    }
+
+    server {
+        listen      9081 ssl http2;
+        server_name  *.*;
+        ssl_certificate ssl/metroid.crt;
+        ssl_certificate_key ssl/metroid.key;
+    }
 }
--- a/src/test/test.lua
+++ b/src/test/test.lua
@ -353,6 +353,24 @@ end
 --清除角色的权限数据
 --perm:clearRolePermissions("admin")

+
+local generateCert = require("util.generatorssl")
+-- 使用示例
+local success, files = generateCert:generate_self_signed_cert(
+        "example.com",
+        365,
+        2048,
+        "./ssl_certs"
+)
+
+if success then
+    print("SSL证书生成成功:")
+    print("私钥文件: "..files.key)
+    print("证书文件: "..files.cert)
+else
+    print("证书生成失败")
+end
+
 --[[
 --读取用户表、角色表和权限表中配置的权限数据
 local roleDao = require("dao.role")
--- a/src/util/generatorssl.lua
+++ b/src/util/generatorssl.lua
@ -0,0 +1,124 @@
+---
+--- Generated by EmmyLua(https://github.com/EmmyLua)
+--- Created by admin.
+--- DateTime: 2025/11/9 17:47
+---
+
+local openssl = require "openssl"
+local fs = require "lfs"
+
+local _M = {}
+function _M:generate_self_signed_cert(domain, days, key_size, output_dir)
+    -- 创建输出目录
+    if not fs.attributes(output_dir) then
+        fs.mkdir(output_dir)
+    end
+
+    -- 生成RSA私钥
+    local pkey = openssl.pkey.new {
+        type = "RSA",
+        bits = key_size or 2048
+    }
+
+    -- 创建X.509证书
+    local x509 = openssl.x509.new {
+        version = 3,
+        serial = openssl.rand.bytes(8),
+        subject = {
+            commonName = domain
+        },
+        notBefore = os.time(),
+        notAfter = os.time() + (days or 365) * 24 * 60 * 60,
+        pubkey = pkey
+    }
+
+    -- 设置扩展属性
+    x509:extensions {
+        {
+            object = "basicConstraints",
+            critical = true,
+            value = "CA:FALSE"
+        },
+        {
+            object = "keyUsage",
+            critical = true,
+            value = "digitalSignature,keyEncipherment"
+        },
+        {
+            object = "subjectAltName",
+            value = "DNS:"..domain
+        }
+    }
+
+    -- 自签名
+    x509:sign(pkey)
+
+    -- 保存文件
+    local key_path = output_dir.."/"..domain..".key"
+    local cert_path = output_dir.."/"..domain..".crt"
+
+    local key_file = io.open(key_path, "w")
+    key_file:write(pkey:export("PEM"))
+    key_file:close()
+
+    local cert_file = io.open(cert_path, "w")
+    cert_file:write(x509:export("PEM"))
+    cert_file:close()
+
+    -- 设置文件权限
+    os.execute("chmod 600 "..key_path)
+
+    return true, {key = key_path, cert = cert_path}
+end
+
+function _M:verify_cert_chain(cert_path, intermediate_path, root_path)
+    -- 加载所有证书
+    local function load_cert(file)
+        local f = io.open(file, "r")
+        if not f then return nil end
+        local data = f:read("*a")
+        f:close()
+        return openssl.x509.read(data)
+    end
+
+    local cert = load_cert(cert_path)
+    local intermediate = load_cert(intermediate_path)
+    local root = load_cert(root_path)
+
+    if not (cert and intermediate and root) then
+        return false, "证书加载失败"
+    end
+
+    -- 构建证书链
+    local store = openssl.x509.store.new()
+    store:add(root)
+    store:add(intermediate)
+
+    -- 验证链
+    local ctx = openssl.x509.store.ctx.new(store, cert)
+    ctx:add_cert(intermediate)
+
+    local ok, err = ctx:verify()
+    return ok, ok and "证书链验证通过" or ("验证失败: "..(err or "未知错误"))
+end
+
+return _M
+
+--[[
+local
+-- 使用示例
+local success, files = generate_self_signed_cert(
+        "example.com",
+        365,
+        2048,
+        "./ssl_certs"
+)
+
+if success then
+    print("SSL证书生成成功:")
+    print("私钥文件: "..files.key)
+    print("证书文件: "..files.cert)
+else
+    print("证书生成失败")
+end
+--]]