gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

支持softhsm签发证书,softhsm已与tfe联调通过

Browse Source 
修复一些bug
This commit is contained in:
fengweihao
2020-11-26 19:26:25 +08:00
parent f3cbd19825
commit 2dc0440f8e
4 changed files with 130 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
program/src/cert_session.cpp
View File

@@ -570,7 +570,7 @@ int ssl_x509_v3ext_add(X509V3_CTX * ctx, X509 * crt, const char *k, const char *
{ {
X509_EXTENSION * ext; X509_EXTENSION * ext;
if (!(ext = X509V3_EXT_conf(NULL, ctx, k, v))) if (!(ext = X509V3_EXT_conf(NULL, ctx, (char *)k, (char *)v)))
{ {
return -1; return -1;
} }
@@ -826,17 +826,68 @@ finish:
return -1; return -1;
} }
static int soft_find_object(CK_SESSION_HANDLE sess, CK_OBJECT_CLASS cls, CK_OBJECT_HANDLE_PTR ret)
{
CK_ATTRIBUTE attrs[2];
unsigned int nattrs = 0;
CK_ULONG count;
CK_RV rv;
attrs[0].type = CKA_CLASS;
attrs[0].pValue = &cls;
attrs[0].ulValueLen = sizeof(cls);
nattrs++;
rv = FC_FindObjectsInit(sess, attrs, nattrs);
if (rv != CKR_OK)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjectsInit(%lu)\n", rv);
}
rv = FC_FindObjects(sess, ret, 1, &count);
if (rv != CKR_OK)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjects(%lu)\n", rv);
}
if (count == 0)
*ret = CK_INVALID_HANDLE;
FC_FindObjectsFinal(sess);
return 0;
}
int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session) int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session)
{ {
int xret =1; int xret =1;
CK_OBJECT_HANDLE hObject = 0; CK_OBJECT_HANDLE hObject = 0;
#ifdef SOHT_HSM_ENABLE
mech = CKM_CERTEX_GOSTR3410_2001;
xret = soft_find_object(session, CKO_PRIVATE_KEY, &hObject);
#else
xret = x509_find_object(session, &hObject); xret = x509_find_object(session, &hObject);
#endif
if(xret != 0 || hObject == CK_INVALID_HANDLE) if(xret != 0 || hObject == CK_INVALID_HANDLE)
{ {
return 0; return 0;
} }
// set signature algorithm in the certificate
if (x509->cert_info->signature)
{
const int signingAlgoNid = pkcs11_signature_algotonid(mech);
X509_ALGOR_set0(x509->cert_info->signature, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
if (x509->sig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(mech);
X509_ALGOR_set0(x509->sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
// DER-encode certificate
unsigned char *certDerBuf = NULL;
const size_t certDerLen = ASN1_item_i2d((ASN1_VALUE*)x509->cert_info, &certDerBuf, ASN1_ITEM_rptr(X509_CINF));
CK_MECHANISM sign_mechanism; CK_MECHANISM sign_mechanism;
memset (&sign_mechanism, 0, sizeof (sign_mechanism)); memset (&sign_mechanism, 0, sizeof (sign_mechanism));
sign_mechanism.mechanism = mech; sign_mechanism.mechanism = mech;
@@ -846,48 +897,36 @@ int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "There was an error initializing the sign function"); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "There was an error initializing the sign function");
return 0; return 0;
} }
// set signature algorithm in the certificate
const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509);
X509_ALGOR *tsig_alg=const_cast<X509_ALGOR *>(tsig_alg_org);
if (tsig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(mech);
X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
const X509_ALGOR *sig_alg_org;
X509_get0_signature(NULL, &sig_alg_org, x509);
X509_ALGOR *sig_alg=const_cast<X509_ALGOR *>(sig_alg_org);
if (sig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(mech);
X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
// DER-encode certificate // determine signature size
unsigned char *x509_der_buf;CK_ULONG signature_size = 0; CK_ULONG signatureSize = 0;
const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf); xret = FC_Sign(session, certDerBuf, certDerLen, NULL, &signatureSize);
xret = FC_Sign (session, x509_der_buf, x509_der_len, NULL, &signature_size);
if (xret != CKR_OK) if (xret != CKR_OK)
{ {
OPENSSL_free(certDerBuf);
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "The length of the certificate failed");
return 0; return 0;
} }
// sign // sign
const ASN1_BIT_STRING *psig_org; if (x509->signature->data)
X509_get0_signature(&psig_org, NULL, x509); OPENSSL_free(x509->signature->data);
ASN1_BIT_STRING *psig=const_cast<ASN1_BIT_STRING *>(psig_org); x509->signature->data = (unsigned char*)OPENSSL_malloc(signatureSize);
if (psig->data) x509->signature->length = signatureSize;
OPENSSL_free(psig->data); xret = FC_Sign(session, certDerBuf, certDerLen, x509->signature->data, &signatureSize);
psig->data = (unsigned char*)OPENSSL_malloc(signature_size); if (xret != CKR_OK)
psig->length = signature_size; {
xret = FC_Sign(session, x509_der_buf, x509_der_len, psig->data, &signature_size); OPENSSL_free(certDerBuf);
psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "HSM failed to issue the certificate");
psig->flags|=ASN1_STRING_FLAG_BITS_LEFT; return 0;
}
OPENSSL_free(x509_der_buf); x509->signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
FC_FindObjectsFinal(session); x509->signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
return xret; OPENSSL_free(certDerBuf);
return 1;
} }
X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session) X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session)
@@ -981,14 +1020,13 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
#ifdef DEBUG_CERTIFICATE #ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL); ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
#endif /* DEBUG_CERTIFICATE */ #endif /* DEBUG_CERTIFICATE */
if (ssl_x509_set_md(md, cakey, origcrt)==NULL)
{
goto errout;
}
if(session==0) if(session==0)
{ {
if (ssl_x509_set_md(md, cakey, origcrt)==NULL)
{
goto errout;
}
if (!X509_sign(crt, cakey, md)) if (!X509_sign(crt, cakey, md))
goto errout; goto errout;
} }
@@ -1001,7 +1039,8 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
return crt; return crt;
errout: errout:
X509_free(crt); X509_free(crt);
EVP_PKEY_free(key); if(key)
EVP_PKEY_free(key);
err: err:
return NULL; return NULL;
} }
@@ -1303,8 +1342,8 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
cakey = (is_valid == 1) ? def->key : def->insec_key; cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = g_certstore_policy->expire_after; expire_time = g_certstore_policy->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!"); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!");
goto modify;
} }
goto modify;
} }
if (!STRCMP(pxy_obj->keyring_type, "end-entity")) if (!STRCMP(pxy_obj->keyring_type, "end-entity"))
{ {
@@ -2308,26 +2347,57 @@ static int field_stat_init(struct cert_store_policy *certstore_policy, const cha
return 0; return 0;
} }
#if 0 static int gert_present_slot(int tokens)
static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
{ {
struct pxy_profile_hsm* ply_profile=NULL; CK_RV xret;
CK_ULONG p11_num_slots = 0;
CK_SLOT_ID_PTR p11_slots = NULL;
CK_SLOT_ID opt_slot = 0;
char cfg_id_str[16] = {0}; xret = FC_GetSlotList(tokens, NULL, &p11_num_slots);
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id); if (xret != CKR_OK)
int table_id = g_certstore_policy->plolicy_table_id[POLICY_PROFILE_TABLE_HSM]; {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotList(%lu)", xret);
}
free(p11_slots);
p11_slots = (CK_SLOT_ID_PTR )calloc(p11_num_slots, sizeof(CK_SLOT_ID));
if (p11_slots == NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "calloc failed");
exit(1);
}
ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str); xret = FC_GetSlotList(tokens, p11_slots, &p11_num_slots);
return ply_profile; if (xret != CKR_OK)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotList(%lu)", xret);
}
unsigned int i;
for (i = 0; i < p11_num_slots; i++) {
CK_SLOT_INFO info;
xret = FC_GetSlotInfo(p11_slots[i], &info);
if (xret != CKR_OK)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotInfo(%lu)", xret);
}
if (info.flags & CKF_TOKEN_PRESENT) {
opt_slot = p11_slots[i];
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Using slot %u with a present token (0x%lx)\n", i, opt_slot);
break;
}
}
return opt_slot;
} }
#endif
CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id) CK_SESSION_HANDLE keyring_hsm_login(int slot_id)
{ {
int ret=0; int ret=0;
CK_FLAGS flags; CK_FLAGS flags;
CK_SESSION_HANDLE session=0; CK_SESSION_HANDLE session=0;
#ifdef SOHT_HSM_ENABLE
slot_id = gert_present_slot(0);
#endif
//struct pxy_profile_hsm* ply_profile = get_profile_by_id(0); //struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION; flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
ret = FC_OpenSession(slot_id, flags, NULL, NULL, &session); ret = FC_OpenSession(slot_id, flags, NULL, NULL, &session);
@@ -2381,7 +2451,8 @@ void keyring_table_new_cb(int table_id, const char* key, const char* table_line,
pxy_obj->op_time = time(NULL); pxy_obj->op_time = time(NULL);
/*Load PUBLICKEY***/ /*Load PUBLICKEY***/
if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){ if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL )
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d", mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d",
pxy_obj->keyring_id); pxy_obj->keyring_id);
goto finish; goto finish;
@@ -2398,7 +2469,7 @@ void keyring_table_new_cb(int table_id, const char* key, const char* table_line,
} }
else else
{ {
pxy_obj->session = keyring_pkcs11_login(slot_id); pxy_obj->session = keyring_hsm_login(slot_id);
} }
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d", mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
@@ -2524,73 +2595,6 @@ error_out:
return NULL; return NULL;
} }
void hsm_profile_table_start_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char server_type[128]={0};
char ip[46]={0}, passwd[128] = {0};
char effective_range[256] = {0};
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, server_type, ip, passwd, effective_range, &is_valid);
if(ret!=6)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse config failed: %s", table_line);
return;
}
/*Whether to take effect**/
struct pxy_profile_hsm* ply_profile = (struct pxy_profile_hsm*)kmalloc(sizeof(struct pxy_profile_hsm), MPF_CLR, -1);
ply_profile->profile_id=profile_id;
ply_profile->ref_cnt=1;
pthread_mutex_init(&(ply_profile->lock), NULL);
ply_profile->server_ip=strdup(ip);
ply_profile->passwd=strdup(passwd);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Policy table add success %d", profile_id);
*ad = ply_profile;
return;
}
void hsm_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
{
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt++;
pthread_mutex_unlock(&(ply_obj->lock));
*to=ply_obj;
}
void hsm_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
if(*ad==NULL)
{
return;
}
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*ad);
if(ply_obj==NULL)
{
return;
}
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt--;
if(ply_obj->ref_cnt>0)
{
pthread_mutex_unlock(&(ply_obj->lock));
return;
}
pthread_mutex_unlock(&(ply_obj->lock));
pthread_mutex_destroy(&(ply_obj->lock));
kfree(&ply_obj->server_ip);
kfree(&ply_obj->passwd);
kfree(&ply_obj);
*ad=NULL;
return;
}
int maat_feather_init(struct cert_store_policy *certstore_policy, const char *main_profile) int maat_feather_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{ {
int table_id = 0; int table_id = 0;
@@ -2608,26 +2612,12 @@ int maat_feather_init(struct cert_store_policy *certstore_policy, const char *ma
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed"); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed");
} }
#if 0
table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed");
return 0;
}
#endif
field_stat_init(certstore_policy, main_profile); field_stat_init(certstore_policy, main_profile);
return 0; return 0;
} }
int do_user_GetFunctionList(void) int hsm_module_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
return FC_GetFunctionList(&funcs);
}
int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{ {
int xret=0; int xret=0;
char library_path[256]={0}; char library_path[256]={0};
@@ -2635,7 +2625,7 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m
MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable)); MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable));
MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), ""); MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), "");
MESA_load_profile_string_def(main_profile, "certex_hsm", "password", g_certstore_policy->password, sizeof(g_certstore_policy->password), "987654321"); MESA_load_profile_string_def(main_profile, "certex_hsm", "password", g_certstore_policy->password, sizeof(g_certstore_policy->password), "");
MESA_load_profile_string_def(main_profile, "certex_hsm", "label", g_certstore_policy->label, sizeof(g_certstore_policy->label), "TEST"); MESA_load_profile_string_def(main_profile, "certex_hsm", "label", g_certstore_policy->label, sizeof(g_certstore_policy->label), "TEST");
if(certstore_policy->enable == 0) if(certstore_policy->enable == 0)
@@ -2649,20 +2639,11 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path);
goto finish; goto finish;
} }
#if 0
xret = do_user_GetFunctionList();
if(xret!=0 || funcs->C_Initialize==NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret);
goto finish;
}
#endif
memset(&cinit_args, 0x0, sizeof(cinit_args)); memset(&cinit_args, 0x0, sizeof(cinit_args));
cinit_args.flags = CKF_OS_LOCKING_OK; cinit_args.flags = CKF_OS_LOCKING_OK;
xret = FC_Initialize(&cinit_args); xret = FC_Initialize(&cinit_args);
if(xret!=0) if(xret!=0)
{ {
//FreePkcsLib();
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed"); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed");
} }
finish: finish:
@@ -2671,7 +2652,7 @@ finish:
int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile) int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{ {
pkcs11_module_init(certstore_policy, main_profile); hsm_module_init(certstore_policy, main_profile);
maat_feather_init(certstore_policy, main_profile); maat_feather_init(certstore_policy, main_profile);

4
vendor/CMakeLists.txt vendored
View File

@@ -4,8 +4,8 @@ include(ExternalProject)
### OpenSSL 1.1.1 ### OpenSSL 1.1.1
ExternalProject_Add(OpenSSL PREFIX openssl ExternalProject_Add(OpenSSL PREFIX openssl
URL ${CMAKE_CURRENT_SOURCE_DIR}/openssl-1.1.1.tar.gz URL ${CMAKE_CURRENT_SOURCE_DIR}/openssl-1.0.2k.tar.gz
URL_MD5 d65944e4aa4de6ad9858e02c82d85183 URL_MD5 1867fcc743aeefb16c99d915fc7440c8
CONFIGURE_COMMAND ./Configure enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers linux-x86_64 --prefix=<INSTALL_DIR> --openssldir=<INSTALL_DIR>/lib/ssl CONFIGURE_COMMAND ./Configure enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers linux-x86_64 --prefix=<INSTALL_DIR> --openssldir=<INSTALL_DIR>/lib/ssl
enable-ec_nistp_64_gcc_128 no-shared enable-ec_nistp_64_gcc_128 no-shared
BUILD_COMMAND ${MAKE_COMMAND} BUILD_COMMAND ${MAKE_COMMAND}

BIN
vendor/openssl-1.0.2k.tar.gz vendored Normal file
View File

Binary file not shown.

BIN
vendor/openssl-1.1.1.tar.gz vendored
View File

Binary file not shown.