1.修改将SNI写入签发的实体证书的SAN 2.修改certstreo打包脚本
@@ -383,41 +383,6 @@ ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid)
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**todo Use rules to determine if an sni exists */
|
||||
static int
|
||||
x509_alt_name_cmp(unsigned char *name, char *extraname)
|
||||
{
|
||||
return strcmp((char *)name, extraname);
|
||||
}
|
||||
|
||||
static int
|
||||
x509_get_alt_name(X509 *x509, char *extraname)
|
||||
{
|
||||
int i, xret = 1;
|
||||
|
||||
if (x509 == NULL || extraname[0] == '\0'){
|
||||
xret = 0;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
|
||||
if (subjectAltNames){
|
||||
int cnt = sk_GENERAL_NAME_num(subjectAltNames);
|
||||
|
||||
for (i = 0; i < cnt; i++) {
|
||||
GENERAL_NAME* generalName = sk_GENERAL_NAME_value(subjectAltNames, i);
|
||||
xret = x509_alt_name_cmp(ASN1_STRING_data(GENERAL_NAME_get0_value(generalName, NULL)), extraname);
|
||||
if (xret == 0)
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (subjectAltNames)
|
||||
GENERAL_NAMES_free(subjectAltNames);
|
||||
finish:
|
||||
return xret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Add extension using V3 code: we can set the config file as NULL because we
|
||||
* wont reference any other sections.
|
||||
@@ -487,13 +452,11 @@ finish:
|
||||
|
||||
X509 *
|
||||
x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
|
||||
int days, char *extraname, char *crl)
|
||||
int days, char *crl)
|
||||
{
|
||||
int rv;
|
||||
X509 *crt = NULL;
|
||||
EVP_PKEY* key = NULL;
|
||||
GENERAL_NAME *gn = NULL;
|
||||
GENERAL_NAMES *names = NULL;
|
||||
X509_NAME *subject = NULL, *issuer = NULL;
|
||||
|
||||
if(!create_client_key(&key, pkey, 1024)){
|
||||
@@ -564,51 +527,12 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
|
||||
goto errout;
|
||||
}
|
||||
}
|
||||
char *cfval;
|
||||
if (x509_get_alt_name(origcrt, extraname) == 0) {
|
||||
/* no extraname provided: copy original subjectAltName ext */
|
||||
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
|
||||
NID_subject_alt_name) == -1)
|
||||
goto errout;
|
||||
} else {
|
||||
names = (GENERAL_NAMES *)X509_get_ext_d2i(origcrt, NID_subject_alt_name, 0, 0);
|
||||
if (!names) {
|
||||
/* no subjectAltName present: add new one */
|
||||
cfval = (char *)malloc(strlen(extraname) + 5);
|
||||
if (sprintf(cfval, "DNS:%s", extraname) < 0)
|
||||
goto errout;
|
||||
if (ssl_x509_v3ext_add(&ctx, crt, "subjectAltName",
|
||||
cfval) == -1) {
|
||||
free(cfval);
|
||||
goto errout;
|
||||
}
|
||||
free(cfval);
|
||||
} else {
|
||||
/* add extraname to original subjectAltName
|
||||
* and add it to the new certificate */
|
||||
gn = GENERAL_NAME_new();
|
||||
if (!gn)
|
||||
goto errout2;
|
||||
gn->type = GEN_DNS;
|
||||
gn->d.dNSName = ASN1_IA5STRING_new();
|
||||
if (!gn->d.dNSName)
|
||||
goto errout3;
|
||||
ASN1_STRING_set(gn->d.dNSName,
|
||||
(unsigned char *)extraname,
|
||||
strlen(extraname));
|
||||
sk_GENERAL_NAME_push(names, gn);
|
||||
X509_EXTENSION *ext = X509V3_EXT_i2d(
|
||||
NID_subject_alt_name, 0, names);
|
||||
if (!X509_add_ext(crt, ext, -1)) {
|
||||
if (ext) {
|
||||
X509_EXTENSION_free(ext);
|
||||
}
|
||||
goto errout3;
|
||||
}
|
||||
X509_EXTENSION_free(ext);
|
||||
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
|
||||
}
|
||||
}
|
||||
/* no extraname provided: copy original subjectAltName ext */
|
||||
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
|
||||
NID_subject_alt_name) == -1)
|
||||
{
|
||||
goto errout;
|
||||
}
|
||||
#ifdef DEBUG_CERTIFICATE
|
||||
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
|
||||
#endif /* DEBUG_CERTIFICATE */
|
||||
@@ -705,11 +629,6 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey,
|
||||
goto errout;
|
||||
|
||||
return crt;
|
||||
|
||||
errout3:
|
||||
GENERAL_NAME_free(gn);
|
||||
errout2:
|
||||
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
|
||||
errout:
|
||||
X509_free(crt);
|
||||
EVP_PKEY_free(key);
|
||||
@@ -840,8 +759,9 @@ redis_reget_callback(redisAsyncContext __attribute__((__unused__))*cl_ctx,
|
||||
void keyring_table_free_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA* ad,
|
||||
long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
|
||||
{
|
||||
if (ad == NULL)
|
||||
if (*ad == NULL)
|
||||
return;
|
||||
|
||||
struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*ad);
|
||||
atomic64_dec(&pxy_obj->ref_cnt);
|
||||
if (atomic64_read(&pxy_obj->ref_cnt) == 0)
|
||||
@@ -850,7 +770,8 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
|
||||
X509_free(pxy_obj->root);
|
||||
if (pxy_obj->key)
|
||||
EVP_PKEY_free(pxy_obj->key);
|
||||
kfree(&pxy_obj);
|
||||
free(pxy_obj);
|
||||
pxy_obj = NULL;
|
||||
*ad=NULL;
|
||||
}
|
||||
}
|
||||
@@ -1065,7 +986,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
|
||||
_crl = pxy_obj->v3_ctl;
|
||||
modify:
|
||||
x509 = x509_modify_by_cert(_root, _key, request->origin, pkey,
|
||||
_expire, request->sni, _crl);
|
||||
_expire, _crl);
|
||||
if (!x509){
|
||||
goto finish;
|
||||
}
|
||||
@@ -2002,8 +1923,13 @@ void keyring_table_dup_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_E
|
||||
long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
|
||||
{
|
||||
struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*from);
|
||||
if(pxy_obj==NULL)
|
||||
{
|
||||
*to=NULL;
|
||||
return;
|
||||
}
|
||||
atomic64_inc (&pxy_obj->ref_cnt);
|
||||
*to=pxy_obj;
|
||||
*((struct pxy_obj_keyring**)to)=pxy_obj;
|
||||
}
|
||||
|
||||
int maat_table_ex_init(const char* table_name,
|
||||
|
||||
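Review bot: The new `free(pxy_obj)` in keyring_table_free_cb is reached through `atomic64_dec(&pxy_obj->ref_cnt)` followed by a separate `atomic64_read(&pxy_obj->ref_cnt) == 0`, so the decrement and the zero test are two steps rather than one: if two holders drop their reference at the same time, both can observe zero after the second decrement and both enter the free branch, presumably double-freeing `root`, `key` and the keyring object itself (assuming the atomic64_* helpers are the separate operations their names suggest). The decision should be taken on the value returned by the decrement itself, i.e. a single fetch-and-subtract whose result is tested for zero, using whichever decrement-and-test form those helpers provide instead of re-reading the counter. In the same callback the replacement test `if (*ad == NULL)` dereferences `ad` before anything visible checks it for NULL, so if the old `if (ad == NULL)` guard was replaced rather than kept above it (the rendering does not make that certain), a NULL `ad` now faults. Separately, the comment above the now-unconditional `ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_subject_alt_name)` call still reads `/* no extraname provided: copy original subjectAltName ext */` although the extraname parameter no longer exists; something like `/* Always mirror the origin cert's subjectAltName; the client-supplied SNI is deliberately not added, so no name the upstream cert does not cover is ever issued under our CA. */` states the new intent and why it matters. The bodies of keyring_table_free_cb and x509_modify_by_cert both extend beyond the hunks shown.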