From 9f2d64e865095ac064d5eb0dd5118cbe9132e23f Mon Sep 17 00:00:00 2001
From: fengweihao
Date: Fri, 30 Oct 2020 19:37:24 +0800
Subject: [PATCH] =?UTF-8?q?=E9=80=82=E9=85=8D=E7=95=8C=E9=9D=A2PXY=5FPROFI?=
 =?UTF-8?q?LE=5FKEYRING=E8=A1=A8=E7=BB=93=E6=9E=84=E5=8F=98=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 program/include/cert_conf.h | 2 ++
 program/src/cert_session.cpp | 32 +++++++++++++++++++++++---------
 resource/conf/table_info.conf | 2 +-
 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/program/include/cert_conf.h b/program/include/cert_conf.h
index 0e28062..0dda0d4 100644
--- a/program/include/cert_conf.h
+++ b/program/include/cert_conf.h
@@ -37,6 +37,8 @@ struct tfe_http_request{
 struct pxy_obj_keyring{
 int keyring_id;
+ int use_hsm;
+ int slot_id;
 uint64_t expire_time;
 EVP_PKEY *key;
 X509 *issuer;
diff --git a/program/src/cert_session.cpp b/program/src/cert_session.cpp
index 25c5540..4853cdd 100644
--- a/program/src/cert_session.cpp
+++ b/program/src/cert_session.cpp
@@ -1170,6 +1170,15 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
 goto modify;
 }
 }
+
+ if(pxy_obj->use_hsm)
+ {
+ cacrt = (is_valid == 1) ? def->root : def->insec_root;
+ cakey = (is_valid == 1) ? def->key : def->insec_key;
+ expire_time = cfg_instanec()->expire_after;
+ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not supported, use local keypair, sign cert!!!");
+ goto modify;
+ }
 if (!STRCMP(pxy_obj->keyring_type, "end-entity")) {
 mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is an entity",keyring_id);
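Review bot: The two fields added to `struct pxy_obj_keyring`, `use_hsm` and `slot_id`, carry no comment, and nothing else in this patch reads `slot_id` after the parser fills it in. Document the contract on the declarations, e.g. `int use_hsm;   /* non-zero: the private key is expected in an HSM and the key member stays NULL */` and `int slot_id;   /* HSM slot holding the key; parsed but not consumed until HSM support exists */`, so a reader of the header learns that `key` may be NULL for such a keyring. Both are written by `sscanf("%d")` in the table parser, so they must remain `int` unless that parser changes too.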
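Review bot: The new `use_hsm` branch in x509_online_append quietly downgrades an HSM-configured keyring to the proxy's own `def->key`/`def->insec_key` and continues through `goto modify;`, so a row that asks for hardware-backed signing is served with a software key, and the RLOG_LV_FATAL "Warning" is emitted on every certificate rather than once. Until HSM signing exists this should fail closed: return the function's error value here instead of `goto modify;`, or better, reject `use_hsm != 0` rows when the table is parsed so the operator gets a single FATAL at load time. If a temporary fallback is intended, say so on the branch, e.g. `/* TODO(hsm): HSM signing not implemented; signs with the local CA key for now - remove before enabling use_hsm in production */`, and lower the per-request log level so it cannot flood the log. `is_valid`, `cacrt`, `cakey` and `expire_time` are declared outside the hunk, and x509_online_append both starts and ends outside it.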
@@ -2196,10 +2205,10 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
 atomic64_set(&pxy_obj->ref_cnt, 1);
- ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d", &pxy_obj->keyring_id, profile_name,
+ ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d\t%d\t%d", &pxy_obj->keyring_id, profile_name,
 pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
- pxy_obj->v3_ctl, &pxy_obj->is_send, &pxy_obj->is_valid);
- if(ret!=10)
+ pxy_obj->v3_ctl, &pxy_obj->is_send, &pxy_obj->use_hsm, &pxy_obj->slot_id, &pxy_obj->is_valid);
+ if(ret!=12)
 {
 kfree(pxy_obj);
 mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore parse config failed: %s", table_line);
@@ -2213,12 +2222,17 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 pxy_obj->keyring_id);
 goto finish;
 }
- /*Load PRIVATEKEY**/
- if ((pxy_obj->key = cert_load_key(private_file)) == NULL){
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d",
- pxy_obj->keyring_id);
- goto finish;
- }
+
+ if(pxy_obj->use_hsm == 0)
+ {
+ /*Load PRIVATEKEY**/
+ if ((pxy_obj->key = cert_load_key(private_file)) == NULL){
+ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d",
+ pxy_obj->keyring_id);
+ goto finish;
+ }
+ }
+
 mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d", pxy_obj->keyring_id);
 *ad = pxy_obj;
diff --git a/resource/conf/table_info.conf b/resource/conf/table_info.conf
index 21d4105..df14e30 100644
--- a/resource/conf/table_info.conf
+++ b/resource/conf/table_info.conf
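Review bot: `use_hsm` and `slot_id` are read with `%d` and then used with no range check: any non-zero `use_hsm` selects the HSM path and any integer is accepted as `slot_id`. Since the HSM path is not implemented, validate them right after the `ret!=12` check using the same FATAL log, `kfree(pxy_obj)` and `goto finish` pattern, e.g. `if (pxy_obj->use_hsm != 0) { /* HSM keyrings not supported yet */ ... goto finish; }`, so a misconfigured row is refused once at load time instead of being silently re-signed per request. While this format string is being rewritten, its `%s` conversions still carry no field width, so an over-long field in `table_line` overruns `profile_name`, `private_file`, `public_file`, `pxy_obj->public_algo` or `pxy_obj->v3_ctl`; give each a width of one less than its buffer size (the declarations are outside this hunk, so the exact `%<N>s` values have to be taken from there). The enclosing parse function starts and ends outside the hunk.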
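Review bot: When `use_hsm != 0` the key load is skipped, so `pxy_obj->key` stays NULL from the `memset` in the previous hunk, yet the object is still published through `*ad = pxy_obj;` and logged as initialized; any consumer that dereferences `pxy_obj->key` without first testing `use_hsm` will crash, and nothing on the new side records that invariant. Add a comment on the new `if(pxy_obj->use_hsm == 0)` block, e.g. `/* use_hsm: no software key is loaded and pxy_obj->key stays NULL; every user of ->key must check use_hsm first */`, and confirm that the `finish:` cleanup, which is outside the hunk, tolerates a NULL key. The `/*Load PRIVATEKEY**/` comment kept inside the block has a stray second asterisk; `/* Load PRIVATEKEY */` reads cleaner.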
@@ -17,4 +17,4 @@
 #id name type src_charset dst_charset do_merge cross_cache quick_mode
 1 COMPILE compile
 2 GROUP group
-3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":10,"foreign":"4,5"}
+3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":12,"foreign":"4,5"}