diff --git a/README.md b/README.md
index 746b4e7..9bef9ab 100644
--- a/README.md
+++ b/README.md
@@ -16,13 +16,11 @@ src/rt 公共函数
 备注:
 发送请求命令:
 keyring id存在(读取表指定的证书颁发)
-curl -X GET "192.168.11.100:9991/ca?kering_id=1&origin_cert="xxxxxxxx"" -m 30 -v
+curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=1&sni="www.google.com"&is_valid=1" -m 30 -v
 keyring id不存在(读取本地默认证书颁发)
-curl -X GET "192.168.11.100:9991/ca?kering_id=12&origin_cert="xxxxxxx"" -m 30 -v
-keyring id存在,表中valid为不可用(读取keyring id = 256,不信任证书颁发)
-curl -X GET "192.168.11.100:9991/ca?kering_id=5&origin_cert="xxxxxxx"" -m 30 -v
-keyring id存在,证书类型为实体证书
-curl -X GET "192.168.11.100:9991/ca?kering_id=4&origin_cert="xxxxxxxx"" -m 30 -v
+curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=5&sni="www.google.com"&is_valid=1" -m 30 -v
+keyring id存在,表中valid为不可用(不信任证书颁发)
+curl -F "blob=@tango-ca-v3.cer;type=text/plain" "http://192.168.11.100:9991/ca?keyring_id=5&sni="www.google.com"&is_valid=0" -m 30 -v
 使用--daemon运行时,配置文件中使用绝对路径
 [安装包使用]
diff --git a/conf/pxy_obj_keyring.json b/conf/pxy_obj_keyring.json
index 0ee74d5..cb60567 100644
--- a/conf/pxy_obj_keyring.json
+++ b/conf/pxy_obj_keyring.json
@@ -73,10 +73,11 @@
 {
 "table_name": "PXY_PROFILE_KEYRING",
 "table_content": [
- "0\tname_01\troot\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-untrust-ca.pem\t30\tNULL\tNULL\t1\t",
- "1\tname_01\troot\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-trust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-v3-trust-ca.pem\t30\tNULL\tNULL\t1\t",
+ "0\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-untrust-ca.pem\t30\tNULL\tNULL\t1024\t1\t",
+ "1\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-trust-ca.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-v3-trust-ca.pem\t30\tNULL\tNULL\t1024\t1\t",
- "2\tname_01\tintermediate\t/home/fengweihao/workspace/cert_store/test_data/Tango-National-Proxy-L2.key\t/home/fengweihao/workspace/cert_store/test_data/Tango-National-Proxy-L2.pem\t30\tNULL\tNULL\t1\t"
+ "2\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-cer.pem\t24\tNULL\tNULL\t2048\t1\t",
+ "3\tname_01\troot\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/build/transfer/test_cert/root/tango-ca-trust-ca-cer.pem\t-1\tNULL\tNULL\t4096\t1\t"
 ]
 }
 ]
diff --git a/conf/table_info.conf b/conf/table_info.conf
index 69dca58..21d4105 100644
--- a/conf/table_info.conf
+++ b/conf/table_info.conf
@@ -17,4 +17,4 @@
 #id name type src_charset dst_charset do_merge cross_cache quick_mode
 1 COMPILE compile
 2 GROUP group
-3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":9,"foreign":"4,5"}
+3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":10,"foreign":"4,5"}
diff --git a/src/cert_conf.h b/src/cert_conf.h
index 730bd8b..1c6c781 100644
--- a/src/cert_conf.h
+++ b/src/cert_conf.h
@@ -36,15 +36,16 @@ struct request_t{
 struct pxy_obj_keyring{
 int keyring_id;
- atomic64_t ref_cnt;
+ int bits;
+ uint64_t expire_time;
+ EVP_PKEY *key;
+ X509 *root;
 char keyring_type[CT_ARRARY_LEN];
- uint64_t expire_after;
 char public_algo[CT_STRING_MAX];
 char v3_ctl[CT_STRING_MAX];
 char finger[EVP_MAX_MD_SIZE];
- EVP_PKEY *key;
- X509 *root;
- int is_valid;
+ int is_valid;
+ atomic64_t ref_cnt;
 STACK_OF(X509) *stack_ca;
 };
diff --git a/src/cert_session.c b/src/cert_session.c
index 606c11b..2cbe242 100644
--- a/src/cert_session.c
+++ b/src/cert_session.c
@@ -488,14 +488,14 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time)
 }
 X509 *
-x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl)
+x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, int bits)
 {
 int rv;
 X509 *crt = NULL;
 EVP_PKEY* key = NULL;
 X509_NAME *subject = NULL, *issuer = NULL;
- if(!create_client_key(&key, pkey, 1024)){
+ if(!create_client_key(&key, pkey, bits)){
 goto err;
 }
 //subjectname,issuername
@@ -992,9 +992,8 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
 STACK_OF(X509) **stack_ca)
 {
 X509* x509 = NULL;
- int is_valid = request->is_valid;
- int keyring_id = request->keyring_id;
- int expire_time = 0; char *crlurl = NULL;
+ int is_valid = request->is_valid; int keyring_id = request->keyring_id;
+ int expire_time = 0, bits = 0; char *crlurl = NULL;
 char *serial = NULL;
 X509 *cacrt = NULL;
 EVP_PKEY *cakey = NULL;
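Review bot: The new `bits` and `expire_time` members of `struct pxy_obj_keyring` are added with no comment on what they hold, and renaming `expire_after` to `expire_time` leaves the units undocumented while the table rows in this same commit put 30, 24 and -1 in that column. Suggest `int bits; /* key size handed to create_client_key() for the issued leaf key */` and `uint64_t expire_time; /* TODO(review): document units and whether a negative config value is meaningful; read with %lu by the table parser */`. Moving `ref_cnt` from the first to the last-but-one member changes the struct layout; nothing visible here depends on the offsets, but it is worth a line in the commit message if anything does.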
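Review bot: `bits` is handed straight to `create_client_key()` with no range check, whereas the replaced call used a fixed 1024, so a zero, negative or implausibly small value from a keyring table row (or from a caller that never assigned it) now reaches key generation. Add a guard ahead of the call, e.g. `if (bits <= 0) { goto err; }`, and consider enforcing the project's minimum acceptable key size here or at config load rather than trusting each table row. The new parameter should also be described at the declaration of `x509_modify_by_cert`. The body of the function continues past the hunk.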
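Review bot: `bits` is initialised to 0 on the new `int expire_time = 0, bits = 0;` line and is only assigned from `pxy_obj->bits` in the later hunk at line 1044, immediately before the `modify:` label, so any `goto modify` that bypasses that assignment (presumably the no-keyring/default-certificate path the README describes) now passes 0 to `x509_modify_by_cert()` where the old code always used 1024. Initialising with the previous default, `int expire_time = 0, bits = 1024; char *crlurl = NULL;`, keeps the old behaviour on those paths until a real minimum is enforced at config load. Separately, folding two declarations onto one line (`int is_valid = request->is_valid; int keyring_id = request->keyring_id;`) is a step back from the one-declaration-per-line layout the hunk removes. `x509_online_append` continues outside the hunk on both sides.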
@@ -1045,10 +1044,11 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
 }
 cacrt = pxy_obj->root;
 cakey = pxy_obj->key;
- expire_time = pxy_obj->expire_after;
+ expire_time = pxy_obj->expire_time;
 crlurl = pxy_obj->v3_ctl;
+ bits = pxy_obj->bits;
 modify:
- x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl);
+ x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl, bits);
 if (!x509){
 goto finish;
 }
@@ -1220,7 +1220,7 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
 }
 }else{
 chain[0] = root;
- }
+ }
 web_json_table_add(pkey, sign, chain, &request->odata);
 if (NULL == c){
@@ -1895,10 +1895,10 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
 atomic64_set(&pxy_obj->ref_cnt, 1);
- ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d", &pxy_obj->keyring_id, profile_name,
- pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_after, pxy_obj->public_algo,
- pxy_obj->v3_ctl, &pxy_obj->is_valid);
- if(ret!=9)
+ ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d", &pxy_obj->keyring_id, profile_name,
+ pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
+ pxy_obj->v3_ctl, &pxy_obj->bits, &pxy_obj->is_valid);
+ if(ret!=10)
 {
 kfree(&pxy_obj);
 mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore parse config failed: %s", table_line);
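Review bot: The rewritten `sscanf` still reads every string column with an unbounded `%s` into fixed-size destinations (`keyring_type` is `CT_ARRARY_LEN`, `public_algo` and `v3_ctl` are `CT_STRING_MAX` per cert_conf.h), so an over-long path or name in a table line writes past the member; each `%s` needs a width one less than its destination size, which means a stringised width macro since the sizes are symbolic. `%lu` is now paired with `&pxy_obj->expire_time`, a `uint64_t`, which is only well-defined where `unsigned long` is 64 bits; use `"%" SCNu64` from `<inttypes.h>` instead. The `-1` placed in the expire column of row 3 in conf/pxy_obj_keyring.json is accepted by `%lu` and stored as the maximum unsigned value rather than rejected, and neither `bits` nor `is_valid` is range-checked after the `ret!=10` test. profile_name, private_file and public_file are declared outside the hunk, so their sizes cannot be confirmed here, and the enclosing function continues past it.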