gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加公钥强度可配置功能

Browse Source
This commit is contained in:
fengweihao
2019-08-20 15:41:41 +08:00
parent 835605dce3
commit b8f59677bf
1 changed files with 31 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
src/cert_session.c
View File

@@ -114,8 +114,26 @@ finish:
return;
}
static
int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits)
static int x509_public_str2idx(const char *public_algo)
{
int bits = 1024;
if (strcasestr(public_algo, "1024") != NULL)
{
bits = 1024;
}
if (strcasestr(public_algo, "2048") != NULL)
{
bits = 2048;
}
if (strcasestr(public_algo, "4096") != NULL)
{
bits = 4096;
}
return bits;
}
static int create_client_key(EVP_PKEY** pkey, char *pubkey, char* public_algo)
{
RSA *rsa = NULL;
EVP_PKEY *pk = NULL;
@@ -124,8 +142,7 @@ int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits)
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, gen new key failed!");
goto err;
}
rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
rsa = RSA_generate_key(x509_public_str2idx(public_algo), RSA_F4, NULL, NULL);
if(!EVP_PKEY_assign_RSA(pk, rsa)){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, assign key failed!");
EVP_PKEY_free(pk);
@@ -488,14 +505,14 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time)
}
X509 *
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl)
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo)
{
int rv;
X509 *crt = NULL;
EVP_PKEY* key = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
if(!create_client_key(&key, pkey, 1024)){
if(!create_client_key(&key, pkey, public_algo)){
goto err;
}
//subjectname,issuername
@@ -515,7 +532,7 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int
!X509_set_pubkey(crt, key))
goto errout;
if (*expire_time == -1)
if (*expire_time == 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
@@ -530,6 +547,7 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int
{
goto errout;
}
*expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
@@ -877,69 +895,6 @@ int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
return ret;
}
X509 *x509_modify_by_cert_bak(X509 *cacrt, EVP_PKEY *cakey, const char* host,
char *pubkey, const int days)
{
X509* x = NULL;
EVP_PKEY* pk = NULL;
char* ctx[] = {(char*)host, "CN", "mystate",
"mycity", "myorganization", "mygroup",
"sample@sample.com"};
if(!create_client_key(&pk, pubkey, 1024)){
goto err;
}
if((x = X509_new()) == NULL){
goto err;
}
if (!X509_set_version(x, 0x02)){
goto err;
}
if (!X509_set_version(x, 0x02) ||
!X509_set_issuer_name(x, X509_get_subject_name(cacrt)) ||
!rand_serial(NULL, X509_get_serialNumber(x)) ||
!X509_gmtime_adj(X509_get_notBefore(x), 0L) ||
!X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) ||
!X509_set_pubkey(x, pk) ||
!add_cert_ctx(X509_get_subject_name(x), ctx, 7))
goto err;
#if 1
/* Add various extensions: standard extensions */
add_ext(cacrt, x, NID_basic_constraints, "critical,CA:FALSE");
add_ext(cacrt, x, NID_subject_key_identifier, "hash");
add_ext(cacrt, x, NID_key_usage, "Digital Signature, Key Encipherment, Data Encipherment");
/**/
add_ext(cacrt, x, NID_authority_key_identifier, "keyid:always");
add_ext(cacrt, x, NID_ext_key_usage, "serverAuth,clientAuth");
/*NID_certificate_policies*/
/*
char dns[128] = {0}, domain[16] = {0};
sscanf(host, "%*[^.].%[^.]", domain);
snprintf(dns, 127, "DNS:%s.com, DNS:*.%s.com, DNS:www.%s.cn", domain, domain, domain);
add_ext(cacrt, x, NID_subject_alt_name, dns);
*/
#endif
if(!X509_sign(x, cakey, EVP_sha256())){
goto err;
}
return x;
err:
if(x)
X509_free(x);
if(pk)
EVP_PKEY_free(pk);
return NULL;
}
char *x509_get_sn(X509 *x509)
{
ASN1_INTEGER *asn1_i = NULL;
@@ -982,7 +937,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
int is_valid = request->is_valid;
int keyring_id = request->keyring_id;
int expire_time = 0; char *crlurl = NULL;
char *serial = NULL;
char *serial = NULL, *public_algo = NULL;
X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
struct config_bucket_t *rte = cert_default_config();
@@ -1034,8 +989,9 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
cakey = pxy_obj->key;
expire_time = pxy_obj->expire_after;
crlurl = pxy_obj->v3_ctl;
public_algo = pxy_obj->public_algo;
modify:
x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl);
x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl, public_algo);
if (!x509){
goto finish;
}
@@ -1209,9 +1165,7 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
}
}else{
chain[0] = root;
}
printf("sign = %s\n", sign);
}
web_json_table_add(pkey, sign, chain, &request->odata);
if (NULL == c){
@@ -1934,8 +1888,8 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
atomic64_set(&pxy_obj->ref_cnt, 1);
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_after, pxy_obj->public_algo,
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%s\t%lu\t%s\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, pxy_obj->public_algo, &pxy_obj->expire_after,
pxy_obj->v3_ctl, &pxy_obj->is_valid);
if(ret!=9)
{