diff --git a/ca/tango-ca-v3-trust-ca.pem b/ca/tango-ca-v3-trust-ca.pem
new file mode 100644
index 0000000..df0ea43
--- /dev/null
+++ b/ca/tango-ca-v3-trust-ca.pem
@@ -0,0 +1,51 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJ6NvcrjBM17LJ ++lD2RM+2A4tcwppfgb08ZQnsVEjtltat6c4x9sj9VqqOatIo+9GHGZ/FKSacnADx +utm/pWSr2nxtrJdM1SCqR9OF2eZGfhdJK2ufWLcOkX7/+CEAXVEOXL4xxnNS55Lu +OyCMOidPkq+Xzk1SJBIrpFrpctMxTFzJcvu35chtkF1IxPhN1dTVW6LJtz55U8gv +J0Blg/w7EkfsHd/KHvBMdpbGx02vTnWUXPYGyi2wvOy5ptOthrSlxyxGwmByehPP +s5XGk7M8m2eZzf+Kb5i/2e+wE8PrXCpGL1Picj4Ab1hLFyZVRtNVfVzqk+kCEv6e +chbp2fE/AgMBAAECggEBAMC6imuqxaYD2sCbNH7ujgpidbuUckCqGdU1aPRyO662 +ZbNaUx00QQQ5ntIUuwit3oID/pL3RckFzIzxW3poyKCWDGGv9jg71FNV/l1s8jbl +kxqf3Loct5erYDu7QN0VNhLsigv/LwO60nCedeIEfJOjJANWxE2c6s9HshPWLCuH +0g/iOhm7+8QpZc9O/D4izUJkVVDThWlDjrgVX0p58k2VuECxEsyuMrRG+1B/hwkg ++US+pmKywrxTl9cjkoXPPRvEnt+gdI5b1F3HIdK+MD7uJhBdmAoEH45T+5B9EIRG +3OQwneGm/Ti4GQvXGQJgRlFCTd9f+6NK7etOTTI/6bkCgYEA92dJQ+DFzg+H5pC7 +8cC2aWyfmQaGNQiGn0Vbb+OTNUUrFoEkHWnx3229fkArxuBr3GUmqxgSMVlVadYR +R7kFaUe5x+DBQNWkKN2BjO60cSSkDL2qpMyjGdsk815LqclGOZwzecF+Y4d2Pjg+ +nEXBjVjhEX5rCpfw/SCWJdqCHgsCgYEA0OzkzOD7m6OPXY+SXjcfoGx0wIS2Iw0J +QDEJvs4Xsxxi/jSe69PIWXooJjuiPFi9yF+eroyU1/gPs+toKjKLeOK6lR/Da2Xq +chlS3DnLwjGCMHEDGgUKWiBpNJgqhFrQtNfPn17vQAgUDv8AefKKxk9WV0I26MmP +7FuzOLWN3h0CgYEAqX2nIcuBeBQHxJtvRsYBsePqysk/dGGs6Lx5UgQUu6/xPu+m +MEh+ndTutul7lDn3avwZK6nH/Or4qxMur3ZAEMpEqnx9qM80MZLeyBBYqhKyGNBv +cYuISZRqkhgNufncFGfAlC9NSR5qkWGy8xiO6yjyuCtlZdKGFMQYWUKDVdUCgYEA +hMAhWXUTKn+w1rglPqwz8lE3liQ9PuRHnnwKPyzgrjQ5SmDRIfN9eC1AWZrGqSWR +4UGwqCQ3Z0r9X0sS8s0PBg66k4qNNy6Y20rv9XLb31Zp7LHCUMQnIcE6V+rgCR1T +Q7Vk/VTrHHqFlEm/Wb0dJIjAyc0O6rc4NezGYiAqNpkCgYADwUmclyFqwjfW1n1C +sTgLr2KR7klBWMwQi40QNXLGVW+Yz0mkXC9zAvNZppQPPlzMvdnVtnAaCxPf5l2t +sYOp0iEo5LWxjuFA4yKNgQiLKMGTfaWmhR+jckCtS+teDAkqDkq053pOH+k39sDS +uSpbZibQO4PvyFDs/pOGfTu8Hw== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDzTCCArWgAwIBAgIGDhoh7QVJMA0GCSqGSIb3DQEBCwUAMD4xIDAeBgNVBAMM +F1RhbmdvIFNlY3VyZSBHYXRld2F5IENBMRowGAYDVQQKDBFNYXNlcmF0aSBTb2x1 +dGlvbjAeFw0xOTAyMTcwMTM1MTJaFw0yMjAyMTgwMTM1MTJaMD4xIDAeBgNVBAMM 
+F1RhbmdvIFNlY3VyZSBHYXRld2F5IENBMRowGAYDVQQKDBFNYXNlcmF0aSBTb2x1 +dGlvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMno29yuMEzXssn6 +UPZEz7YDi1zCml+BvTxlCexUSO2W1q3pzjH2yP1Wqo5q0ij70YcZn8UpJpycAPG6 +2b+lZKvafG2sl0zVIKpH04XZ5kZ+F0kra59Ytw6Rfv/4IQBdUQ5cvjHGc1Lnku47 +IIw6J0+Sr5fOTVIkEiukWuly0zFMXMly+7flyG2QXUjE+E3V1NVbosm3PnlTyC8n +QGWD/DsSR+wd38oe8Ex2lsbHTa9OdZRc9gbKLbC87Lmm062GtKXHLEbCYHJ6E8+z +lcaTszybZ5nN/4pvmL/Z77ATw+tcKkYvU+JyPgBvWEsXJlVG01V9XOqT6QIS/p5y +FunZ8T8CAwEAAaOB0DCBzTAPBgNVHRMBAf8EBTADAQH/MBEGCWCGSAGG+EIBAQQE +AwICBDB4BgNVHSUEcTBvBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggr +BgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYKKwYB +BAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBMA4GA1UdDwEB/wQEAwIBBjAd +BgNVHQ4EFgQULQNPIvNlh8oGhVmVqAG3syRbdWAwDQYJKoZIhvcNAQELBQADggEB +AAzCDOWcu38Sw+AWQSq5y0RwL6ga8W5hB0HTqxPpnUUhZN3LMl8F3E/1JK/wWDWF +meJACTiL/rMDSWFUz57xGm4SmiPSOgWmToQ5PYahyNlkw9uODxRyl84zEMp/MXfi +LL57v3XFRnTbTHaEu3ew/Xjkhq1/mhwYblP17iPq1i8o4AqX2OGLIueDrz3j80AV +syrm3cFE5jPJHvvVuArvIDdCnhCX2g0Es6cYSYppMxRtRiZnydqJ3o326zTigdIB +8zYflognJJkV2lavt0nz4NkvmlOj3S88smWxxYRzKEpEw8/m+DbhGIx6R7w0Ot6Q +bzLgBvYDF+BCkkjaQCR334M= +-----END CERTIFICATE----- diff --git a/ca/tango-ca-v3-untrust-ca.pem b/ca/tango-ca-v3-untrust-ca.pem new file mode 100644 index 0000000..ba03c06 --- /dev/null +++ b/ca/tango-ca-v3-untrust-ca.pem 
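Review bot: The new file embeds an RSA `-----BEGIN PRIVATE KEY-----` block together with the CA certificate, so the CA signing key is now in version control and, if `ca/` is among the `$(SUBDIRS)` the Makefile copies, in every installed certstore as well; `ca/tango-ca-v3-untrust-ca.pem` in the next file section has the same layout. Anyone with read access to the repository or to a built package holds the key that issues certificates chaining to this CA. Keep only the `-----BEGIN CERTIFICATE-----` block in the repository and load the key from a deployment-time path or secret store, and treat this key pair as exposed: regenerate the CA rather than only deleting the file, since the key remains in history.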
@@ -0,0 +1,51 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrtAM/GPvdhxsA +uipj2ohNEN7NCD11fu3wDQ8rO+n2BXdTobpfMh816e7vtPSz1VEMYr4DTRe8GpEp +Yj3bxnWLVAe9+M4A1E1a/K9F50wqlF/Mm12MlSF3hscPRwfO1k0tYcNwVOfuoyTD +BvqVXxZaz+nM70h38wkfqfaOeLC/eB7khejq5HSCQvTPtBShY8ZhAIPkybk8YUBH +IQjHV4vqRGxkAgSxgrT7z99Sqd8NJE48M0b7IyhaWisGHCa2KDK7xbPRzojX9Oi2 +F/rraZZo4t6p9ab7SxV/+JZ7juE5PbGJs+cXJe3fufXAisGtX2LougxQEpO6BB8c +1j4gtF7rAgMBAAECggEANbwqX+7Ts+p6WunoJkPX8DZdY9E2WrUUhdGwc5lWiPYA ++B1fFDe9aMQDUOVSx4z0xmmIicPwr5+o2kiyjzs2whnUKnHZFo1agCUgPUI7pf+1 +U3Uz+7EYPi3h0jgqi2Kp2JAF9/u6cgaAlMB0X5bYiicTRl2EUnWu30fzr3a56dGM +nKf3p9ELEud7ax+kC7fEspJoxSWVbqHK1d78OubfsUjyiE9zAC1znH8nZURYx5SP +u7k6L9lcBOAqLQ2//zAVLvjdcpATFsgodnQQYFHRYkJSjmIY50dIuqf0JwtGZVYt +xtOaxE5jDc2odh9Ly7jVYTspX4QN3KlkiUmAfeSMkQKBgQDYv4Rn+FiPaRkNazJI +WSzsGKLjnd8gNfQjh65wqTDDGECjBH8xtzIuOJ+XXc/L+iNGRsf9grnWsTJsuMby +u+YD3OfHFpsbHaYtTNP64e/hUk5MHE1oNLmptFTnqFyreICPJaGJToOjTiunF/rj +cS32/z6B7JbfufWvtMH7yvI+RQKBgQDKzDQmjrvjc4yhVnB71TwqKVKGi5YdQPM/ +WfLUgXebzy+ZhwdDhIGoNs9GR1WRakJrPBQdpWazEK0ig9qYMa0lki26QyhfyZg1 +eYkDgIxvA8/AJxlp0gYgAdn34WhQDoSHQW4jEiMJIxV0uvzvMpMDyewLEQ+k6dLB +87/Cur9TbwKBgGCBhXa1gNj5tone/NhxvCqzHXOzSzGQVE+tjeHjsy5qkf0Dd46v +PsyNsaE3x9nOWf5kbY9WsWACLa1y6EITn2qA5UIjspP0M5Vf69J83s24U9xXja+k +KjaBcHxk3j4KvVL/Mllsd/gySgVwC+lQ72JWa4J10Qd0SQwes3BlAE7xAoGAEo3U +R6LPdePgffJWoD3GH2Vgc4bZ2RtUJfuox+CAfPTbugQsmfTJmAZLuHZWUdOS+BSr +EntLhh6EeJ/vo/UHjmRtYpk6XGkpT9squfNM5etHWqE5JgFdJhiFRLSOwqRRY76M +wRCru+5FzEQ/V/McmEAlJG4PLFtoOO6AIOTNFGkCgYAY+e5iN+VUJ4ziFn5Ytjhd +8fs2YajiLMrS5r7gANVAJIA0991ZkJGTSosSqwMM3cM9fsS0kfWKv64QgW5M1uGX +3eJl7ojVilxFMCzS+OdjUOrVQFE7P1/fDozxwvFOfYZE024XAY0PvAme59m8Kbqt +1H4MiZbv4gVIbK5mI9ZzFw== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIGDhoh7clOMA0GCSqGSIb3DQEBCwUAMEYxKDAmBgNVBAMM +H1RhbmdvIFNlY3VyZSBHYXRld2F5IENBIFVOVFJVU1QxGjAYBgNVBAoMEU1hc2Vy +YXRpIFNvbHV0aW9uMB4XDTE5MDIxNzAxMzUxN1oXDTIyMDIxODAxMzUxN1owRjEo 
+MCYGA1UEAwwfVGFuZ28gU2VjdXJlIEdhdGV3YXkgQ0EgVU5UUlVTVDEaMBgGA1UE +CgwRTWFzZXJhdGkgU29sdXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCrtAM/GPvdhxsAuipj2ohNEN7NCD11fu3wDQ8rO+n2BXdTobpfMh816e7v +tPSz1VEMYr4DTRe8GpEpYj3bxnWLVAe9+M4A1E1a/K9F50wqlF/Mm12MlSF3hscP +RwfO1k0tYcNwVOfuoyTDBvqVXxZaz+nM70h38wkfqfaOeLC/eB7khejq5HSCQvTP +tBShY8ZhAIPkybk8YUBHIQjHV4vqRGxkAgSxgrT7z99Sqd8NJE48M0b7IyhaWisG +HCa2KDK7xbPRzojX9Oi2F/rraZZo4t6p9ab7SxV/+JZ7juE5PbGJs+cXJe3fufXA +isGtX2LougxQEpO6BB8c1j4gtF7rAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB +/zARBglghkgBhvhCAQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUF +BwMCBggrBgEFBQcDBAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYG +CisGAQQBgjcKAwEGCisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAO +BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFI/dacOl4JQdR9xDiWpJf/2mvblUMA0G +CSqGSIb3DQEBCwUAA4IBAQAOWQiEcJqpen1/AXfprE+9uqwQWt/Gh8UPYZPE7Kcc +VnhlqTDO+nGLVPM97ju/NjFNojJaMxsKBHVcRRHA3V+sKtqoHNUVhHJLtMDvh+2w +vloUM11ckgilIOYqFzjeIL11NB4ivAN7V9jP6Sh8gC31Q6Ttd6FkJ7f9QObQ6sKT +OEmaMqKVe6H0+U4jhQF3/gSW+PAIb1YIJof/wtewBCDm5Pp2UYaNlrnMGTIxayXQ +Cc+h16oDTRPBsLZgDkmR5fslRH9CAbxC4/b2M1jU/MKlWlu7ThzAPPEtEKqpiLSi +Ebfe/jvJ786VcXwO09FWfCiUjE9Gf4rbMZjkkHOL7UPa +-----END CERTIFICATE----- diff --git a/conf/cert_store.ini b/conf/cert_store.ini index 78d01bb..6929e72 100644 --- a/conf/cert_store.ini +++ b/conf/cert_store.ini @@ -11,8 +11,8 @@ thread-nu = 4 expire_after = 30 #Local default root certificate path local_debug = 0 -ca_path = ../ca/mesalab-ca.pem -untrusted_ca_path = ../ca/mesalab-ca-untrust.pem +ca_path = ./cert/tango-ca-v3-trust-ca.pem +untrusted_ca_path = ./cert/mesalab-ca-untrust.pem [NTC_MAAT] #Configure the load mode, #0: using the configuration distribution network 
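Review bot: `untrusted_ca_path` still names the old `mesalab-ca-untrust.pem` while `ca_path` moves to the new `tango-ca-v3-trust-ca.pem`, even though this commit adds `ca/tango-ca-v3-untrust-ca.pem`; if the new untrust CA is meant to be used the line should read `untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem`. Both paths also point at `./cert/` although the files are committed under `ca/`; presumably the install step lays them out that way, but the comment `#Local default root certificate path` should state which working directory the `./` prefix is relative to, since the other paths in this file (`./conf/`, `./rule/`) now depend on the same assumption.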
@@ -22,13 +22,13 @@ maat_json_switch=2
 #When the loading mode is sent to the network, set the scanning configuration modification interval (s).
 effective_interval=1
 #Specify the location of the configuration library table file
-table_info=../conf/table_info.conf
+table_info=./conf/table_info.conf
 #Incremental profile path
-inc_cfg_dir=../rule/inc/index
+inc_cfg_dir=./rule/inc/index
 #Full profile path
-full_cfg_dir=../rule/full/index
+full_cfg_dir=./rule/full/index
 #Json file path when json schema is used
-pxy_obj_keyring=../conf/pxy_obj_keyring.json
+pxy_obj_keyring=./conf/pxy_obj_keyring.json
 [LIBEVENT]
 #Local monitor port number, default is 9991
 port = 9991
diff --git a/src/cert_session.c b/src/cert_session.c
index 480b5fd..c91822f 100644
--- a/src/cert_session.c
+++ b/src/cert_session.c
@@ -383,41 +383,6 @@ ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid)
 return 1;
 }
-
-/**todo Use rules to determine if an sni exists */
-static int
-x509_alt_name_cmp(unsigned char *name, char *extraname)
-{
- return strcmp((char *)name, extraname);
-}
-
-static int
-x509_get_alt_name(X509 *x509, char *extraname)
-{
- int i, xret = 1;
-
- if (x509 == NULL || extraname[0] == '\0'){
- xret = 0;
- goto finish;
- }
-
- GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
- if (subjectAltNames){
- int cnt = sk_GENERAL_NAME_num(subjectAltNames);
-
- for (i = 0; i < cnt; i++) {
- GENERAL_NAME* generalName = sk_GENERAL_NAME_value(subjectAltNames, i);
- xret = x509_alt_name_cmp(ASN1_STRING_data(GENERAL_NAME_get0_value(generalName, NULL)), extraname);
- if (xret == 0)
- break;
- }
- }
- if (subjectAltNames)
- GENERAL_NAMES_free(subjectAltNames);
-finish:
- return xret;
-}
-
 /*
 * Add extension using V3 code: we can set the config file as NULL because we
 * wont reference any other sections.
@@ -487,13 +452,11 @@ finish:
 X509 *
 x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
- int days, char *extraname, char *crl)
+ int days, char *crl)
 {
 int rv;
 X509 *crt = NULL;
 EVP_PKEY* key = NULL;
- GENERAL_NAME *gn = NULL;
- GENERAL_NAMES *names = NULL;
 X509_NAME *subject = NULL, *issuer = NULL;
 if(!create_client_key(&key, pkey, 1024)){
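Review bot: `x509_modify_by_cert` still has no header comment, and its contract changes in this commit (the request SNI is no longer added to the subjectAltName), so the signature hunk is the place to document it; a comment such as `/* Re-sign origcrt under cacrt/cakey with a freshly generated client key; v3 extensions, including subjectAltName, are copied from origcrt unchanged. Returns a new X509 owned by the caller, or NULL on failure. */` would do. The NULL-on-failure part should be confirmed against the `errout` path, which ends outside this hunk, and the rest of the function body lies beyond the hunk as well.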
@@ -564,51 +527,12 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
 goto errout;
 }
 }
- char *cfval;
- if (x509_get_alt_name(origcrt, extraname) == 0) {
- /* no extraname provided: copy original subjectAltName ext */
- if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
- NID_subject_alt_name) == -1)
- goto errout;
- } else {
- names = (GENERAL_NAMES *)X509_get_ext_d2i(origcrt, NID_subject_alt_name, 0, 0);
- if (!names) {
- /* no subjectAltName present: add new one */
- cfval = (char *)malloc(strlen(extraname) + 5);
- if (sprintf(cfval, "DNS:%s", extraname) < 0)
- goto errout;
- if (ssl_x509_v3ext_add(&ctx, crt, "subjectAltName",
- cfval) == -1) {
- free(cfval);
- goto errout;
- }
- free(cfval);
- } else {
- /* add extraname to original subjectAltName
- * and add it to the new certificate */
- gn = GENERAL_NAME_new();
- if (!gn)
- goto errout2;
- gn->type = GEN_DNS;
- gn->d.dNSName = ASN1_IA5STRING_new();
- if (!gn->d.dNSName)
- goto errout3;
- ASN1_STRING_set(gn->d.dNSName,
- (unsigned char *)extraname,
- strlen(extraname));
- sk_GENERAL_NAME_push(names, gn);
- X509_EXTENSION *ext = X509V3_EXT_i2d(
- NID_subject_alt_name, 0, names);
- if (!X509_add_ext(crt, ext, -1)) {
- if (ext) {
- X509_EXTENSION_free(ext);
- }
- goto errout3;
- }
- X509_EXTENSION_free(ext);
- sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
- }
- }
+ /* no extraname provided: copy original subjectAltName ext */
+ if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
+ NID_subject_alt_name) == -1)
+ {
+ goto errout;
+ }
 #ifdef DEBUG_CERTIFICATE
 ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
 #endif /* DEBUG_CERTIFICATE */
@@ -705,11 +629,6 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
 goto errout;
 return crt;
-
-errout3:
- GENERAL_NAME_free(gn);
-errout2:
- sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
 errout:
 X509_free(crt);
 EVP_PKEY_free(key);
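Review bot: The retained comment `/* no extraname provided: copy original subjectAltName ext */` is now misleading, because the branch it described is gone and the copy is unconditional; replace it with `/* subjectAltName is always taken from origcrt; the request SNI is no longer injected */`. The behavioural consequence is worth a line in the commit message: a forged certificate now covers only the names present in the origin certificate, so a client whose SNI is absent from origcrt's SAN will presumably fail hostname verification where the old code appended a `DNS:` entry for it — confirm that is intended. The hunk also does not show what `ssl_x509_v3ext_copy_by_nid` returns when origcrt carries no SAN extension at all; if that is the `-1` path, origin certificates without a SAN now abort where the old code synthesized one. x509_modify_by_cert starts and ends outside this hunk.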
@@ -840,8 +759,9 @@ redis_reget_callback(redisAsyncContext __attribute__((__unused__))*cl_ctx, void keyring_table_free_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA* ad,
 long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
 {
- if (ad == NULL)
+ if (*ad == NULL)
 return;
+
 struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*ad);
 atomic64_dec(&pxy_obj->ref_cnt);
 if (atomic64_read(&pxy_obj->ref_cnt) == 0)
@@ -850,7 +770,8 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
 X509_free(pxy_obj->root);
 if (pxy_obj->key)
 EVP_PKEY_free(pxy_obj->key);
- kfree(&pxy_obj);
+ free(pxy_obj);
+ pxy_obj = NULL;
 *ad=NULL;
 }
 }
@@ -1065,7 +986,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
 _crl = pxy_obj->v3_ctl;
 modify:
 x509 = x509_modify_by_cert(_root, _key, request->origin, pkey,
- _expire, request->sni, _crl);
+ _expire, _crl);
 if (!x509){
 goto finish;
 }
@@ -2002,8 +1923,13 @@ void keyring_table_dup_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_E
 long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
 {
 struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*from);
+ if(pxy_obj==NULL)
+ {
+ *to=NULL;
+ return;
+ }
 atomic64_inc (&pxy_obj->ref_cnt);
- *to=pxy_obj;
+ *((struct pxy_obj_keyring**)to)=pxy_obj;
 }
 int maat_table_ex_init(const char* table_name,
diff --git a/src/package/Makefile b/src/package/Makefile
index 9400904..f1b5d91 100644
--- a/src/package/Makefile
+++ b/src/package/Makefile
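Review bot: The new guard `if (*ad == NULL)` dereferences `ad` before anything checks it, so a NULL `ad` that the old `if (ad == NULL)` tolerated now faults; use `if (ad == NULL || *ad == NULL) return;` unless the MAAT callback contract guarantees a non-NULL slot, in which case a one-line comment stating that guarantee should replace the dropped check. keyring_table_free_cb continues past the end of this hunk.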
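Review bot: In the @@ -850 hunk, `pxy_obj = NULL;` is a dead store — `pxy_obj` is a local that leaves scope on the next closing brace, and the `*ad=NULL;` that follows is what actually clears the owner's slot — so the line can go and `free(pxy_obj); *ad=NULL;` says it all. Replacing `kfree(&pxy_obj)` with `free(pxy_obj)` is only correct if the keyring object is allocated with malloc/calloc; the allocation site is not in this diff, so that pairing should be checked against the code that creates `struct pxy_obj_keyring`.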
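Review bot: In the @@ -2002 hunk the NULL branch writes `*to=NULL` through `to` directly while the success path casts to `struct pxy_obj_keyring**`; the two assignments should use the same form, e.g. `*((struct pxy_obj_keyring**)to)=NULL;`, or both drop the cast if MAAT_PLUGIN_EX_DATA is a plain `void*` (its typedef is not in the diff). `*from` is still dereferenced before the new check, so a NULL `from` or `to` is not covered; either check them alongside `pxy_obj==NULL` or document that the MAAT caller never passes NULL slots, consistently with keyring_table_free_cb in the @@ -840 hunk.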
@@ -11,22 +11,22 @@ install: # # cp -f lib/* /usr/local/lib/ # sudo ldconfig - if [ ! -d "/home/ceiec/certstore" ]; then mkdir -p "/home/ceiec/certstore"; fi + if [ ! -d "/home/tsg/certstore" ]; then mkdir -p "/home/tsg/certstore"; fi chmod +x certstore r2_certstore r3_certstore chmod +x tool/signssl.sh tool/x509 for d in $(SUBDIRS); do \ - cp -rf $$d /home/ceiec/certstore; \ + cp -rf $$d /home/tsg/certstore; \ done update: chmod +x certstore - cp -f certstore /home/ceiec/certstore + cp -f certstore /home/tsg/certstore # cp -f bin/cert_server /usr/local/bin/ uninstall: - rm -rf /home/ceiec/certstore + rm -rf /home/tsg/certstore