gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加从配置文件中读取密钥强度配置

Browse Source 
修改本地json配置
This commit is contained in:
fengweihao
2019-08-08 17:12:18 +08:00
parent b5da0551f9
commit bd352e07e3
5 changed files with 27 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -16,13 +16,11 @@ src/rt 公共函数
备注:
发送请求命令:
keyring id存在读取表指定的证书颁发
curl -X GET "192.168.11.100:9991/ca?kering_id=1&origin_cert="xxxxxxxx"" -m 30 -v
curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=1&sni="www.google.com"&is_valid=1" -m 30 -v
keyring id不存在读取本地默认证书颁发
curl -X GET "192.168.11.100:9991/ca?kering_id=12&origin_cert="xxxxxxx"" -m 30 -v
keyring id存在表中valid为不可用读取keyring id = 256,不信任证书颁发)
curl -X GET "192.168.11.100:9991/ca?kering_id=5&origin_cert="xxxxxxx"" -m 30 -v
keyring id存在证书类型为实体证书
curl -X GET "192.168.11.100:9991/ca?kering_id=4&origin_cert="xxxxxxxx"" -m 30 -v
curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=5&sni="www.google.com"&is_valid=1" -m 30 -v
keyring id存在表中valid为不可用不信任证书颁发
curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=5&sni="www.google.com"&is_valid=0" -m 30 -v
使用--daemon运行时配置文件中使用绝对路径
[安装包使用]

7
conf/pxy_obj_keyring.json
View File

@@ -73,10 +73,11 @@
{
"table_name": "PXY_PROFILE_KEYRING",
"table_content": [
"0\tname_01\troot\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-untrust-ca.pem\t30\tNULL\tNULL\t1\t",
"1\tname_01\troot\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-trust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-trust-ca.pem\t30\tNULL\tNULL\t1\t",
"0\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-untrust-ca.pem\t30\tNULL\tNULL\t1024\t1\t",
"1\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-trust-ca.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-trust-ca.pem\t30\tNULL\tNULL\t1024\t1\t",
"2\tname_01\tintermediate\t/home/fengweihao/workspace/cert_store/test_data/Tango-National-Proxy-L2.key\t/home/fengweihao/workspace/cert_store/test_data/Tango-National-Proxy-L2.pem\t30\tNULL\tNULL\t1\t"
"2\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-cer.pem\t24\tNULL\tNULL\t2048\t1\t",
"3\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-cer.pem\t-1\tNULL\tNULL\t4096\t1\t"
]
}
]

2
conf/table_info.conf
View File

@@ -17,4 +17,4 @@
#id name type src_charset dst_charset do_merge cross_cache quick_mode
1 COMPILE compile
2 GROUP group
3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":9,"foreign":"4,5"}
3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":10,"foreign":"4,5"}

11
src/cert_conf.h
View File

@@ -36,15 +36,16 @@ struct request_t{
struct pxy_obj_keyring{
int keyring_id;
atomic64_t ref_cnt;
int bits;
uint64_t expire_time;
EVP_PKEY *key;
X509 *root;
char keyring_type[CT_ARRARY_LEN];
uint64_t expire_after;
char public_algo[CT_STRING_MAX];
char v3_ctl[CT_STRING_MAX];
char finger[EVP_MAX_MD_SIZE];
EVP_PKEY *key;
X509 *root;
int is_valid;
int is_valid;
atomic64_t ref_cnt;
STACK_OF(X509) *stack_ca;
};

24
src/cert_session.c
View File

@@ -488,14 +488,14 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time)
}
X509 *
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl)
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, int bits)
{
int rv;
X509 *crt = NULL;
EVP_PKEY* key = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
if(!create_client_key(&key, pkey, 1024)){
if(!create_client_key(&key, pkey, bits)){
goto err;
}
//subjectname,issuername
@@ -992,9 +992,8 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
STACK_OF(X509) **stack_ca)
{
X509* x509 = NULL;
int is_valid = request->is_valid;
int keyring_id = request->keyring_id;
int expire_time = 0; char *crlurl = NULL;
int is_valid = request->is_valid; int keyring_id = request->keyring_id;
int expire_time = 0, bits = 0; char *crlurl = NULL;
char *serial = NULL;
X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
@@ -1045,10 +1044,11 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
}
cacrt = pxy_obj->root;
cakey = pxy_obj->key;
expire_time = pxy_obj->expire_after;
expire_time = pxy_obj->expire_time;
crlurl = pxy_obj->v3_ctl;
bits = pxy_obj->bits;
modify:
x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl);
x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl, bits);
if (!x509){
goto finish;
}
@@ -1220,7 +1220,7 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
}
}else{
chain[0] = root;
}
}
web_json_table_add(pkey, sign, chain, &request->odata);
if (NULL == c){
@@ -1895,10 +1895,10 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
atomic64_set(&pxy_obj->ref_cnt, 1);
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_after, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->is_valid);
if(ret!=9)
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->bits, &pxy_obj->is_valid);
if(ret!=10)
{
kfree(&pxy_obj);
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore parse config failed: %s", table_line);