1.删除Make中对分布式锁的编译

2.修改读取证书格式接口
3.修改签发证书方式
4.修改获取签发证书私钥接口
This commit is contained in:
fengweihao
2018-07-26 17:18:00 +08:00
parent 7b644cbbc3
commit 2ad1b5c977
4 changed files with 178 additions and 164 deletions

ca/ca.cer



@@ -1,15 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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MIICXgIBAAKBgQDjo0ofVgglpdx19ds6/tTMXUbQMznXfvyJ1XLc3cOC1eqBj333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-----END RSA PRIVATE KEY-----
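Review bot: This hunk commits a PKCS#1 RSA private key to the repository, and the `ca/ca.cer` binary changed in the same commit plus the `key_path`/`cert_path` loading in `x509_privatekey_init` suggest it is the CA signing key; anyone with read access to the repo, or to its history where the previous key also remains, can then issue certificates that chain to that CA. The Base64 header `MIICXgIBAAKBgQ` is consistent with a 1024-bit RSA key, which is below current minimums for a CA key. Remove the key from version control and purge it from history, rotate to a fresh key of at least 2048 bits generated outside the tree, load it at runtime from a protected path outside the repository, and add the file to `.gitignore`. The file's path is not shown on this page, so whether it is exactly the file `x509_privatekey_init` opens is inferred, not confirmed.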


@@ -36,10 +36,6 @@ dir := ./components/syslogd
include $(dir)/syslog.mk
OBJS += $(OBJS_$(dir))
dir := ./components/redis
include $(dir)/redis.mk
OBJS += $(OBJS_$(dir))
dir := ./rt
include $(dir)/rt.mk
OBJS += $(OBJS_$(dir))


@@ -100,7 +100,7 @@ ssl_x509_serial_copyrand(X509 *dstcrt, X509 *srccrt)
{
ASN1_INTEGER *srcptr, *dstptr;
BIGNUM *bnserial;
unsigned int rand;
long rand;
int rv;
#ifndef PURIFY
@@ -160,7 +160,7 @@ ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid)
}
X509 *
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
x509_modify_by_cert_bak(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
int days, const char *extraname, const char *crlurl)
{
X509_NAME *subject, *issuer;
@@ -409,7 +409,7 @@ finish:
return;
}
void x509_get_pubkey_form_ca(X509 *crt, char *pubkey)
void x509_get_private_key(EVP_PKEY *pkey, char *pubkey)
{
BIO *bp = NULL;
int len = 0;
@@ -419,38 +419,26 @@ void x509_get_pubkey_form_ca(X509 *crt, char *pubkey)
goto finish;
}
EVP_PKEY * pkey = X509_get_pubkey(crt);
if (pkey == NULL) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Error getting public key");
goto free_err;
}
PEM_write_bio_PUBKEY(bp, pkey);
PEM_write_bio_PrivateKey(bp, pkey, NULL, NULL, 0, NULL, NULL);
len = BIO_read(bp, pubkey, SG_DATA_SIZE);
if(len <= 0) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Error reading signature file");
goto free_key;
goto free_err;
}
pubkey[len] = '\0';
free_key:
EVP_PKEY_free(pkey);
free_err:
BIO_free(bp);
finish:
return;
}
static void callback(int __attribute__((__unused__))p, int __attribute__((__unused__))n,
void __attribute__((__unused__))*arg)
{
return;
}
/*
* Add extension using V3 code: we can set the config file as NULL because we
* wont reference any other sections.
*/
int add_ext(X509 *cert, int nid, char *value)
int add_ext(X509 *cacrt, X509 *cert, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
@@ -461,7 +449,7 @@ int add_ext(X509 *cert, int nid, char *value)
* Issuer and subject certs: both the target since it is self signed, no
* request and no CRL
*/
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
X509V3_set_ctx(&ctx, cacrt, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
@@ -471,102 +459,6 @@ int add_ext(X509 *cert, int nid, char *value)
return 1;
}
int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits,
int serial, char *host, int days)
{
X509 *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name = NULL;
if ((pkeyp == NULL) || (*pkeyp == NULL)) {
if ((pk = EVP_PKEY_new()) == NULL) {
abort();
return (0);
}
} else
pk = *pkeyp;
if ((x509p == NULL) || (*x509p == NULL)) {
if ((x = X509_new()) == NULL)
goto err;
} else
x = *x509p;
rsa = RSA_generate_key(bits, RSA_F4, callback, NULL);
if (!EVP_PKEY_assign_RSA(pk, rsa)) {
abort();
goto err;
}
rsa = NULL;
X509_set_version(x, 2);
ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days);
X509_set_pubkey(x, pk);
name = X509_get_subject_name(x);
/*
* This function creates and adds the entry, working out the correct
* string type and performing checks on its length. Normally we'd check
* the return value for errors...
*/
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char *)"UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN",
MBSTRING_ASC, (const unsigned char *)host, -1, -1, 0);
/*
* Its self signed so set the issuer name to be the same as the subject.
*/
X509_set_issuer_name(x, name);
/* Add various extensions: standard extensions */
add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign");
add_ext(x, NID_subject_key_identifier, "hash");
/* Some Netscape specific extensions */
add_ext(x, NID_netscape_cert_type, "sslCA");
add_ext(x, NID_netscape_comment, "example comment extension");
#ifdef CUSTOM_EXT
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
add_ext(x, nid, "example comment alias");
}
#endif
if (!X509_sign(x, pk, EVP_sha1()))
goto err;
*x509p = x;
*pkeyp = pk;
return (1);
err:
return (0);
}
X509 *x509_create_cert(char *host, int days)
{
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
mkcert(&x509, &pkey, 1024, 0, host, days);
EVP_PKEY_free(pkey);
return x509;
}
#if 0
static int fs_internal_operate(int id, int id2, int column_id, int column_id2, long long diffTime)
{
@@ -589,6 +481,7 @@ finish:
}
#endif
static
int redis_rsync_init(struct event_base *base, struct redisAsyncContext **cl_ctx)
{
int xret = -1;
@@ -652,7 +545,7 @@ redis_reget_callback(redisAsyncContext __attribute__((__unused__))*cl_ctx,
return;
}
static void
static void __attribute__((__unused__))
redis_set_callback(redisAsyncContext *cl_ctx, void *r,
void *privdata)
{
@@ -700,28 +593,155 @@ finish:
return;
}
int x509_online_append(char *host, EVP_PKEY *key, X509 *root, char *ca_s, char *pubkey)
static
int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits)
{
int xret = -1;
struct config_bucket_t *rte = cert_default_config();
RSA *rsa = NULL;
EVP_PKEY *pk = NULL;
X509* ca = x509_create_cert(host, rte->days);
if (!ca){
goto finish;
}
X509* x509 = x509_modify_by_cert(root, key, ca, X509_get_pubkey(root),
rte->days, NULL, NULL);
if (!x509){
if((pk = EVP_PKEY_new()) == NULL){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, gen new key failed!");
goto err;
}
x509_get_pubkey_form_ca(x509, pubkey);
rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
if(!EVP_PKEY_assign_RSA(pk, rsa)){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, assign key failed!");
EVP_PKEY_free(pk);
goto err;
}
x509_get_private_key(pk, pubkey);
rsa = NULL;
*pkey = pk;
return 1;
err:
return 0;
}
int add_cert_ctx(X509_NAME* name, char* ctx[], int num)
{
int i = 0;
int max = 0;
int item[] = {NID_commonName, NID_countryName,
NID_stateOrProvinceName, NID_localityName,
NID_organizationName, NID_organizationalUnitName,
NID_pkcs9_emailAddress};
max = sizeof(item)/sizeof(item[0]);
max = max > num ? num : max;
for(i = 0; i< max; ++i){
if(!X509_NAME_add_entry_by_NID(name, item[i], MBSTRING_UTF8, (unsigned char *)ctx[i], -1, -1, 0)){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "add_cert_ctx, add entry:%d to %s failed!", item[i], ctx[i]);
return 0;
}
}
return 1;
}
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
{
#define SERIAL_RAND_BITS 124
BIGNUM *btmp;
int ret = 0;
if (b)
btmp = b;
else
btmp = BN_new();
if (!btmp)
return 0;
if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
goto error;
if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
goto error;
ret = 1;
error:
if (!b)
BN_free(btmp);
return ret;
}
X509 *x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, const char* host,
char *pubkey, const int days)
{
X509* x = NULL;
EVP_PKEY* pk = NULL;
char* ctx[] = {(char*)host, "CN", "mystate",
"mycity", "myorganization", "mygroup",
"sample@sample.com"};
if(!create_client_key(&pk, pubkey, 1024)){
goto err;
}
if((x = X509_new()) == NULL){
goto err;
}
if (!X509_set_version(x, 0x02)){
goto err;
}
if (!X509_set_version(x, 0x02) ||
!X509_set_issuer_name(x, X509_get_subject_name(cacrt)) ||
!rand_serial(NULL, X509_get_serialNumber(x)) ||
!X509_gmtime_adj(X509_get_notBefore(x), 0L) ||
!X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) ||
!X509_set_pubkey(x, pk) ||
!add_cert_ctx(X509_get_subject_name(x), ctx, 7))
goto err;
#if 1
/* Add various extensions: standard extensions */
add_ext(cacrt, x, NID_basic_constraints, "critical,CA:FALSE");
add_ext(cacrt, x, NID_subject_key_identifier, "hash");
add_ext(cacrt, x, NID_key_usage, "Digital Signature, Key Encipherment, Data Encipherment");
/**/
add_ext(cacrt, x, NID_authority_key_identifier, "keyid:always");
add_ext(cacrt, x, NID_ext_key_usage, "serverAuth,clientAuth");
/*NID_certificate_policies*/
/*
char dns[128] = {0}, domain[16] = {0};
sscanf(host, "%*[^.].%[^.]", domain);
snprintf(dns, 127, "DNS:%s.com, DNS:*.%s.com, DNS:www.%s.cn", domain, domain, domain);
add_ext(cacrt, x, NID_subject_alt_name, dns);
*/
#endif
if(!X509_sign(x, cakey, EVP_sha256())){
goto err;
}
return x;
err:
if(x)
X509_free(x);
if(pk)
EVP_PKEY_free(pk);
return NULL;
}
int x509_online_append(char *host, EVP_PKEY *key, X509 *root, char *ca_s, char *pubkey)
{
struct config_bucket_t *rte = cert_default_config();
X509* x509 = x509_modify_by_cert(root, key, host, pubkey, rte->days);
if (!x509){
goto finish;
}
x509_get_msg_from_ca(x509, ca_s);
X509_free(x509);
err:
X509_free(ca);
finish:
return xret;
return 0;
}
static char readBytes(char *str)
@@ -855,7 +875,7 @@ finish:
void redis_get_callback(redisAsyncContext *c, void *r, void *privdata)
{
int __attribute__((__unused__))xret = -1;
int __attribute__((__unused__))xret = -1;
redisReply *reply = (redisReply*)r;
struct request_t *request = (struct request_t *)privdata;
@@ -881,7 +901,7 @@ void redis_get_callback(redisAsyncContext *c, void *r, void *privdata)
int x509_privatekey_init(EVP_PKEY **key, X509 **root)
{
int xret = -1, len = 0;
int xret = -1;
FILE *fp; RSA *rsa = NULL;
char key_path[128] = {0}, cert_path[128] = {0};
struct config_bucket_t *rte = cert_default_config();
@@ -899,7 +919,6 @@ int x509_privatekey_init(EVP_PKEY **key, X509 **root)
goto pkey_free;
}
unsigned char buf[SG_DATA_SIZE],*p;
fp = fopen(key_path, "r");
if (NULL == fp){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", key_path);
@@ -913,21 +932,20 @@ int x509_privatekey_init(EVP_PKEY **key, X509 **root)
}
fclose(fp);
fp = fopen(cert_path, "rb");
if (NULL == fp){
BIO *in;
in = BIO_new_file(cert_path, "r");
if (!in){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", cert_path);
goto pkey_free;
}
len = fread(buf, 1, SG_DATA_SIZE, fp);
fclose(fp);
p = buf;
*root = X509_new();
if ( d2i_X509(root, (const unsigned char**)&p, len) == NULL )
if ((*root = PEM_read_bio_X509(in, NULL, 0, NULL)) == NULL )
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Application for x509 failed");
goto pkey_free;
}
BIO_free(in);
xret = 0;
goto finish;
@@ -938,10 +956,10 @@ finish:
}
static int
rt_decode_uri(const char *uri, char *host,
ev_decode_uri(const char *uri, char *host,
int *flag, int *valid)
{
const char *fg = NULL, *vl = NULL, *ht = NULL;
const char *fg = NULL, *vl = NULL, *hst = NULL;
char *decoded_uri = NULL;
struct evkeyvalq params;
@@ -952,9 +970,9 @@ rt_decode_uri(const char *uri, char *host,
evhttp_parse_query(decoded_uri, &params);
ht = evhttp_find_header(&params, "host");
if (ht[0] != '\0')
memcpy(host, ht, strlen(ht));
hst = evhttp_find_header(&params, "host");
if (hst[0] != '\0')
memcpy(host, hst, strlen(hst));
fg = evhttp_find_header(&params, "flag");
if (fg)
@@ -1016,7 +1034,7 @@ pthread_work_proc(struct evhttp_request *evh_req, void *arg)
FS_internal_operate(SGstats.handle, t->column_ids, SGstats.line_ids[0], FS_OP_ADD, 1);
rt_decode_uri(uri, request->host, &request->flag, &request->valid);
ev_decode_uri(uri, request->host, &request->flag, &request->valid);
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[Thread %d]Received a %s request for %s, host:%s, flag:%d, valid:%d\nHeaders:",
request->t_id, cmdtype, uri, request->host,
request->flag, request->valid);
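Review bot: `x509_modify_by_cert` leaks the client key it just generated on the success path: `create_client_key` returns `pk` to the caller, `X509_set_pubkey(x, pk)` takes its own reference, and `EVP_PKEY_free(pk)` is only reached under `err:`, so each successful issuance leaves an EVP_PKEY holding private material on the heap; add `EVP_PKEY_free(pk);` immediately before `return x;` (the PEM copy in `pubkey` is what callers consume). The key and serial parameters are also weak for a signing CA: `create_client_key(&pk, pubkey, 1024)` makes 1024-bit RSA keys through the deprecated `RSA_generate_key` without checking `rsa` for NULL before `EVP_PKEY_assign_RSA`, and `rand_serial` uses `BN_pseudo_rand`, which older OpenSSL releases do not guarantee to be unpredictable; change them to `2048`, a checked `RSA_generate_key_ex`, and `BN_rand`. The five `add_ext` calls ignore their return value, so a failure to attach `critical,CA:FALSE` or the key-usage extension would still yield a signed certificate; check them like the other calls in the chained `if`, where `X509_set_version(x, 0x02)` also appears twice. The subject fields are placeholders (`"mystate"`, `"mycity"`, `"sample@sample.com"`) and the SubjectAltName block is commented out, so issued certs carry the host only in CN, which SAN-requiring clients reject — if that is intentional, a comment saying so would help. `readBytes` at the end of the hunk continues past it, and `x509_online_append` now returns 0 on both success and failure, so its caller cannot tell the two apart.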