deps: update lua-resty-openssl to version 1.6.3

Author: TheophileDiot

CHANGELOG.md

@@ -3,12 +3,12 @@
 ## v1.6.5-rc2 - ????/??/??
 
 - [BUGFIX] Enhance database backup and restore functionality with improved compatibility and options
-- [FEATURE] Add support for new reCAPTCHA version in `AntiBot` plugin
+- [FEATURE] Add support for new reCAPTCHA version in `Antibot` plugin
 - [ALL-IN-ONE] Add support for disabling specific CrowdSec parsers
 - [ALL-IN-ONE] Update CrowdSec version to 1.7.0
 - [DOCS] Add multi-language support to the documentation, including French
 - [DEPS] Update lua-resty-session version to v4.1.4
-- [DEPS] Update lua-resty-openssl version to v1.6.2
+- [DEPS] Update lua-resty-openssl version to v1.6.3
 - [DEPS] Update coreruleset-v4 version to v4.18.0
 - [SECURITY] Enforce restrictive umask across scripts and configurations for improved security
 

src/deps/deps.json

@@ -125,9 +125,9 @@
     },
     {
       "id": "lua-resty-openssl",
-      "name": "lua-resty-openssl v1.6.2",
+      "name": "lua-resty-openssl v1.6.3",
       "url": "https://github.com/fffonion/lua-resty-openssl.git",
-      "commit": "61512f0aea40559997051009fccc2c4d95192607",
+      "commit": "790209507c4bb7d24f5b3eb3f4cb9621af60831b",
       "post_install": "rm -r src/deps/src/lua-resty-openssl/t"
     },
     {

src/deps/src/lua-resty-openssl/CHANGELOG.md

@@ -2,6 +2,12 @@
 ## [Unreleased]
 
 
+<a name="1.6.3"></a>
+## [1.6.3] - 2025-09-04
+### bug fixes
+- **jwk:** allow to load an ECX public key from private JWK [fb800c1](https://github.com/fffonion/lua-resty-openssl/commit/fb800c15951d42edb2c5cd462800f6c0ef5dbc06)
+
+
 <a name="1.6.2"></a>
 ## [1.6.2] - 2025-09-02
 ### bug fixes
@@ -652,7 +658,8 @@
 - **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
 
 
-[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.6.2...HEAD
+[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.6.3...HEAD
+[1.6.3]: https://github.com/fffonion/lua-resty-openssl/compare/1.6.2...1.6.3
 [1.6.2]: https://github.com/fffonion/lua-resty-openssl/compare/1.6.1...1.6.2
 [1.6.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.6.0...1.6.1
 [1.6.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.5.2...1.6.0

src/deps/src/lua-resty-openssl/lib/resty/openssl.lua

@@ -24,7 +24,7 @@ try_require_modules()
 
 
 local _M = {
-  _VERSION = '1.6.2',
+  _VERSION = '1.6.3',
 }
 
 function _M.load_modules()

src/deps/src/lua-resty-openssl/lib/resty/openssl/auxiliary/jwk.lua

@@ -1,6 +1,7 @@
 
 local ffi = require "ffi"
 local C = ffi.C
+local ffi_str = ffi.string
 
 
 local evp_macro = require "resty.openssl.include.evp"
@@ -13,6 +14,7 @@ local encode_base64url = require "resty.openssl.auxiliary.compat".encode_base64u
 local decode_base64url = require "resty.openssl.auxiliary.compat".decode_base64url
 local param_lib = require "resty.openssl.param"
 local json = require "resty.openssl.auxiliary.compat".json
+local ctypes = require "resty.openssl.auxiliary.ctypes"
 local format_error = require "resty.openssl.err".format_error
 
 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
@@ -336,10 +338,8 @@ local jwk_params_required_mapping = {
     x = true,
     y = true,
   },
-  OKP = {
-    -- crv = true, handled earlier
-    x = true,
-  },
+  -- OKP required parameters are checked elsewhere
+  OKP = {},
 }
 
 function _M.load_jwk_ex(txt, ptyp, properties)
@@ -363,6 +363,15 @@ function _M.load_jwk_ex(txt, ptyp, properties)
       return nil, "jwk:load_jwk: missing \"crv\" parameter from OKP JWK"
     end
     tbl["crv"] = nil
+
+    if not tbl["x"] and not tbl["d"] then
+      return nil, "jwk:load_jwk: missing at least one of \"x\" or \"d\" parameter from OKP JWK"
+    end
+
+    if tbl["d"] and selection == evp_macro.EVP_PKEY_PUBLIC_KEY then
+      -- if only 'd' is provided and we want to import a public key, first create a private key
+      selection = evp_macro.EVP_PKEY_KEYPAIR
+    end
   end
 
   local ctx = ffi.new("EVP_PKEY*[1]")
@@ -425,6 +434,34 @@ function _M.load_jwk_ex(txt, ptyp, properties)
     return nil, format_error("jwk:load_jwk: EVP_PKEY_fromdata()")
   end
 
+  if kty == "OKP" and ptyp == "pu" and params_t["priv"] then
+    -- re-export the pubkey
+    local MAX_ECX_KEY_SIZE = 114 -- ed448 uses 114 bytes
+    local buf = ctypes.uchar_array(MAX_ECX_KEY_SIZE)
+    local length = ctypes.ptr_of_size_t(MAX_ECX_KEY_SIZE)
+
+    if C.EVP_PKEY_get_raw_public_key(ctx[0], buf, length) ~= 1 then
+      C.EVP_PKEY_free(ctx[0])
+      return nil, format_error("jwk:load_jwk: unable to derive public key from private key OKP JWK")
+    end
+
+    params_t["pub"] = ffi_str(buf, length[0])
+
+    C.EVP_PKEY_free(ctx[0])
+    ctx[0] = nil
+
+    local params, err = param_lib.construct(params_t, nil, schema)
+    if params == nil then
+      return nil, "jwk:load_jwk: failed to construct parameters for " .. kty .. " key: " .. err
+    end
+
+    if C.EVP_PKEY_fromdata(pctx, ctx, evp_macro.EVP_PKEY_PUBLIC_KEY, params) ~= 1 then
+      return nil, format_error("jwk:load_jwk: EVP_PKEY_fromdata()")
+    end
+
+    return ctx[0]
+  end
+
   return ctx[0]
 end
 

src/deps/src/lua-resty-openssl/lua-resty-openssl-1.6.2-1.rockspec renamed to src/deps/src/lua-resty-openssl/lua-resty-openssl-1.6.3-1.rockspec

@@ -1,8 +1,8 @@
 package = "lua-resty-openssl"
-version = "1.6.2-1"
+version = "1.6.3-1"
 source = {
    url = "git+https://github.com/fffonion/lua-resty-openssl.git",
-   tag = "1.6.2"
+   tag = "1.6.3"
 }
 description = {
    detailed = "FFI-based OpenSSL binding for LuaJIT.",