gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

支持CERTEX HSM接口调用

Browse Source 
读取配置表PXY_PROFILE_HSM
重构配置读取代码
This commit is contained in:
fengweihao
2020-11-12 15:56:34 +08:00
parent 9962458ad6
commit d452d7b5f2
15 changed files with 4201 additions and 388 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
program/include/cert_conf.h
View File

@@ -18,6 +18,8 @@
#include <MESA/Maat_rule.h>
#include <MESA/MESA_htable.h>
#include "rlib_load.h"
#define CT_PATH_MAX 256
#define CT_ARRARY_LEN (CT_PATH_MAX/2)
#define CT_STRING_MAX 1024
@@ -38,57 +40,58 @@ struct tfe_http_request{
struct pxy_obj_keyring{
int keyring_id;
int use_hsm;
int slot_id;
atomic64_t ref_cnt;
uint64_t expire_time;
time_t op_time;
EVP_PKEY *key;
X509 *issuer;
char v3_ctl[CT_STRING_MAX];
char keyring_type[CT_ARRARY_LEN];
char public_algo[CT_STRING_MAX];
char v3_ctl[CT_STRING_MAX];
int is_send;
int is_valid;
time_t op_time;
atomic64_t ref_cnt;
CK_SESSION_HANDLE session;
STACK_OF(X509) *stack_ca;
};
struct _initer_addr_t{
uint16_t e_port; /*libevent prot*/
uint16_t maat_port; /*maat redis port*/
char maat_ip[16]; /*maat redis ip */
int dbindex; /*maat redis dbindex*/
uint16_t store_port; /*store redis port */
char store_ip[16]; /*store redis ip*/
uint16_t statsd_port;
char statsd_server[16];
struct pxy_profile_hsm
{
int profile_id;
int ref_cnt;
char *server_ip;
char *passwd;
pthread_mutex_t lock;
};
struct ntc_maat_t{
unsigned int maat_json_switch;
unsigned int effective_interval_s;
char info_path[128];
char pxy_path[128];
char inc_cfg_dir[128];
char full_cfg_dir[128];
enum kerying_profile_table
{
POLICY_PROFLIE_TABLE_KERING,
POLICY_PROFILE_TABLE_HSM,
POLICY_PROFILE_TABLE_MAX
};
struct config_bucket_t{
Maat_feather_t feather;
int table_id;
struct cert_store_policy{
int mode;
unsigned int enable;
unsigned int local_debug;
unsigned int thread_nu;
unsigned int expire_after;
Maat_feather_t feather;
int plolicy_table_id[POLICY_PROFILE_TABLE_MAX];
uint16_t e_port;
uint16_t store_port;
char store_ip[46];
char ca_path[128];
char uninsec_path[128];
struct ntc_maat_t maat_t;
struct _initer_addr_t addr_t;
};
extern struct config_bucket_t *cfg_instanec();
extern struct cert_store_policy * g_certstore_policy;
void cert_store_init_config(const char *config);
void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile);
#endif

2
program/include/cert_session.h
View File

@@ -103,7 +103,7 @@ typedef struct {
} x509_forge_thread;
int cert_store_session_init();
int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile);
void sigproc(int __attribute__((__unused__))sig);

129
program/src/cert_conf.cpp
View File

@@ -18,51 +18,41 @@
#include <MESA/MESA_prof_load.h>
struct config_bucket_t certConfig;
struct config_bucket_t *cfg_instanec()
{
return &certConfig;
}
static int load_system_config(const char *config)
static int load_system_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
struct config_bucket_t *rte = cfg_instanec();
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "thread-nu", &(rte->thread_nu));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "thread-nu", &(certstore_policy->thread_nu));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
}
xret = MESA_load_profile_int_def(config, "CONFIG", "mode", &(rte->mode), 0);
xret = MESA_load_profile_int_def(main_profile, "CONFIG", "mode", &(certstore_policy->mode), 0);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of run mode failed");
}
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "expire_after", &(rte->expire_after));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "expire_after", &(certstore_policy->expire_after));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of valid time failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "ca_path", rte->ca_path, 128);
if (xret <0 && rt_file_exsit(rte->ca_path)){
xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "ca_path", certstore_policy->ca_path, 128);
if (xret <0 && rt_file_exsit(certstore_policy->ca_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the ca path failed or the (%s) does not exist",
rte->ca_path);
certstore_policy->ca_path);
goto finish;
}
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "local_debug", &(rte->local_debug));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "local_debug", &(certstore_policy->local_debug));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of local_debug failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128);
if (xret <0 && rt_file_exsit(rte->uninsec_path)){
xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "untrusted_ca_path", certstore_policy->uninsec_path, 128);
if (xret <0 && rt_file_exsit(certstore_policy->uninsec_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist",
rte->ca_path);
certstore_policy->ca_path);
goto finish;
}
@@ -70,55 +60,23 @@ finish:
return xret;
}
static int load_module_config(const char *config)
static int load_module_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
struct config_bucket_t *rte = cfg_instanec();
xret = MESA_load_profile_short_nodef(config, "LIBEVENT", "port", (short *)&(rte->addr_t.e_port));
xret = MESA_load_profile_short_nodef(main_profile, "LIBEVENT", "port", (short *)&(certstore_policy->e_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Libevent Port invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "MAAT_REDIS", "ip", rte->addr_t.maat_ip, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "port", (short *)&(rte->addr_t.maat_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis port invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "dbindex", (short *)&(rte->addr_t.dbindex));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis dbindex invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "CERTSTORE_REDIS", "ip", rte->addr_t.store_ip, 16);
xret = MESA_load_profile_string_nodef(main_profile, "CERTSTORE_REDIS", "ip", certstore_policy->store_ip, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "CERTSTORE_REDIS", "port", (short *)&(rte->addr_t.store_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "stat", "statsd_server", rte->addr_t.statsd_server, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "stat", "statsd_port", (short *)&(rte->addr_t.statsd_port));
xret = MESA_load_profile_short_nodef(main_profile, "CERTSTORE_REDIS", "port", (short *)&(certstore_policy->store_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
goto finish;
@@ -127,61 +85,10 @@ finish:
return xret;
}
static int load_maat_config(const char *config)
void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
load_system_config(certstore_policy, main_profile);
struct ntc_maat_t *maat_t = &cfg_instanec()->maat_t;
xret = MESA_load_profile_uint_nodef(config, "MAAT", "maat_json_switch", &(maat_t->maat_json_switch));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "table_info", maat_t->info_path, 128);
if (xret < 0 && !rt_file_exsit( maat_t->info_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->info_path);
goto finish;
}
if (maat_t->maat_json_switch == 1){
xret = MESA_load_profile_string_nodef(config, "MAAT", "pxy_obj_keyring", maat_t->pxy_path, 128);
if (xret < 0 && !rt_file_exsit(maat_t->pxy_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the pxy obj keyring failed or the (%s) does not exist",
maat_t->pxy_path);
goto finish;
}
}
if (maat_t->maat_json_switch == 0){
xret = MESA_load_profile_uint_nodef(config, "MAAT", "effective_interval", &(maat_t->effective_interval_s));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the interval of scan failed");
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "inc_cfg_dir", maat_t->inc_cfg_dir, 128);
if (xret < 0 && !rt_file_exsit( maat_t->inc_cfg_dir)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->inc_cfg_dir);
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "full_cfg_dir", maat_t->full_cfg_dir, 128);
if (xret < 0 && !rt_file_exsit( maat_t->full_cfg_dir)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->full_cfg_dir);
goto finish;
}
}
finish:
return xret;
}
void cert_store_init_config(const char *config)
{
load_system_config(config);
load_maat_config(config);
load_module_config(config);
load_module_config(certstore_policy, main_profile);
}

690
program/src/cert_session.cpp
View File

@@ -32,6 +32,8 @@
#include <openssl/engine.h>
#include <openssl/pkcs12.h>
#include <openssl/rsa.h>
#include <openssl/asn1.h>
#include <openssl/ossl_typ.h>
#include <event2/listener.h>
#include <event2/http.h>
@@ -61,6 +63,8 @@
static x509_forge_thread *threads;
CK_FUNCTION_LIST *funcs=NULL;
enum keypair_action
{
KEYPAIR_ACTION_REQ = 0,
@@ -681,108 +685,8 @@ finish:
return;
}
X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo)
const EVP_MD* ssl_x509_set_md(const EVP_MD *md, EVP_PKEY *cakey, X509 *origcrt)
{
int rv;
X509 *crt = NULL;
EVP_PKEY* key = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
if(!ssl_key_gen(&key, pkey, public_algo)){
goto err;
}
//subjectname,issuername
subject = X509_get_subject_name(origcrt);
issuer = X509_get_subject_name(cacrt);
if (!subject || !issuer)
return NULL;
crt = X509_new();
if (!crt)
return NULL;
//version,subjectname,issuername,serialnum,time,pubkey
if (!X509_set_version(crt, 0x02) ||
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
!X509_set_pubkey(crt, key))
goto errout;
if (*expire_time <= 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
}
else
{
if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
{
goto errout;
}
*expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
//extensions
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier",
"hash") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier",
"keyid,issuer:always") == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_basic_constraints);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints",
"CA:FALSE");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage",
"digitalSignature,"
"keyEncipherment");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_ext_key_usage);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage",
"serverAuth");
if (rv == -1)
goto errout;
if (crlurl != NULL && strcasecmp(crlurl, "null")){
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
char * crlurlval;
if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
goto errout;
if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
{
free(crlurlval);
goto errout;
}
free(crlurlval);
}
/* no extraname provided: copy original subjectAltName ext */
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_subject_alt_name) == -1)
{
goto errout;
}
#ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
#endif /* DEBUG_CERTIFICATE */
const EVP_MD *md;
switch (EVP_PKEY_type(EVP_PKEY_base_id(cakey))) {
#ifndef OPENSSL_NO_RSA
case EVP_PKEY_RSA:
@@ -868,10 +772,184 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
break;
#endif /* !OPENSSL_NO_ECDSA */
default:
md = NULL;
}
return md;
}
int pkcs11_signature_algotonid(unsigned long algo)
{
switch(algo)
{
case CKM_SHA1_RSA_PKCS:
return NID_sha1WithRSAEncryption;
case CKM_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
return NID_sha256WithRSAEncryption;
default:
break;
}
return 0;
}
int X509_pkcs11_sign(X509* x509, unsigned long pkcs11_signing_algo, CK_SESSION_HANDLE pkcs11_session)
{
int rv =0;
CK_OBJECT_HANDLE pkcs11_key_handle = 0;
// set signature algorithm in the certificate
const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509);
X509_ALGOR *tsig_alg=const_cast<X509_ALGOR *>(tsig_alg_org);
if (tsig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
const X509_ALGOR *sig_alg_org;
X509_get0_signature(NULL, &sig_alg_org, x509);
X509_ALGOR *sig_alg=const_cast<X509_ALGOR *>(sig_alg_org);
if (sig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
// DER-encode certificate
unsigned char *x509_der_buf;
const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf);
CK_MECHANISM mechanism = { pkcs11_signing_algo, NULL_PTR, 0 };
rv = funcs->C_SignInit(pkcs11_session, &mechanism, pkcs11_key_handle);
// determine signature size
CK_ULONG signature_size = 0;
rv= funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, NULL, &signature_size);
// sign
const ASN1_BIT_STRING *psig_org;
X509_get0_signature(&psig_org, NULL, x509);
ASN1_BIT_STRING *psig=const_cast<ASN1_BIT_STRING *>(psig_org);
if (psig->data)
OPENSSL_free(psig->data);
psig->data = (unsigned char*)OPENSSL_malloc(signature_size);
psig->length = signature_size;
rv = funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, psig->data, &signature_size);
psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
psig->flags|=ASN1_STRING_FLAG_BITS_LEFT;
OPENSSL_free(x509_der_buf);
return rv;
}
X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session)
{
int rv;
X509 *crt=NULL;
EVP_PKEY* key=NULL;
const EVP_MD *md=NULL;
X509_NAME *subject=NULL, *issuer=NULL;
if(!ssl_key_gen(&key, pkey, public_algo)){
goto err;
}
subject = X509_get_subject_name(origcrt);
issuer = X509_get_subject_name(cacrt);
if (!subject || !issuer)
return NULL;
crt = X509_new();
if (!crt)
return NULL;
if (!X509_set_version(crt, 0x02) ||
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
!X509_set_pubkey(crt, key))
goto errout;
if (*expire_time <= 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
}
else
{
if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
{
goto errout;
}
*expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier","hash") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier","keyid,issuer:always") == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_basic_constraints);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints","CA:FALSE");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage", "digitalSignature," "keyEncipherment");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_ext_key_usage);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage","serverAuth");
if (rv == -1)
goto errout;
if (crlurl != NULL && strcasecmp(crlurl, "null")){
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
char * crlurlval;
if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
goto errout;
if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
{
free(crlurlval);
goto errout;
}
free(crlurlval);
}
/* no extraname provided: copy original subjectAltName ext */
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_subject_alt_name) == -1)
{
goto errout;
}
#ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
#endif /* DEBUG_CERTIFICATE */
if (ssl_x509_set_md(md, cakey, origcrt)==NULL)
{
goto errout;
}
if (!X509_sign(crt, cakey, md))
goto errout;
if(session==0)
{
if (!X509_sign(crt, cakey, md))
goto errout;
}
else
{
if(!X509_pkcs11_sign(crt, CKM_RSA_PKCS, session))
goto errout;
}
return crt;
errout:
@@ -956,9 +1034,7 @@ static
int redis_rsync_init(struct event_base *base, struct redisAsyncContext **cl_ctx)
{
int xret = -1;
struct config_bucket_t *redis = cfg_instanec();
*cl_ctx = redisAsyncConnect(redis->addr_t.store_ip, redis->addr_t.store_port);
*cl_ctx = redisAsyncConnect(g_certstore_policy->store_ip, g_certstore_policy->store_port);
if((*cl_ctx)->err ) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Redis Connect error : %s", (*cl_ctx)->errstr);
goto finish;
@@ -1120,13 +1196,11 @@ static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
{
struct pxy_obj_keyring *pxy_obj=NULL;
struct config_bucket_t *rte = cfg_instanec();
char cfg_id_str[16] = {0};
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", keyring_id);
int tables_id = rte->table_id;
pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(rte->feather, tables_id, (const char*)cfg_id_str);
int tables_id = g_certstore_policy->plolicy_table_id[POLICY_PROFLIE_TABLE_KERING];
pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(g_certstore_policy->feather, tables_id, (const char*)cfg_id_str);
return pxy_obj;
}
@@ -1139,15 +1213,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
char *v3_ctl=NULL, *public_algo=NULL;
struct config_bucket_t *rte = cfg_instanec();
if (is_valid == 0 && keyring_id != 0) keyring_id = 0;
if (is_valid == 1 && keyring_id == 0) keyring_id = 1;
struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id);
if (NULL == pxy_obj)
{
if (!rte->local_debug)
if (!g_certstore_policy->local_debug)
{
if (1==is_valid) pxy_obj = get_obj_for_id(1);
if (0==is_valid) pxy_obj = get_obj_for_id(0);
@@ -1165,7 +1237,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = cfg_instanec()->expire_after;
expire_time = g_certstore_policy->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: Use local keypair, sign cert!!!");
goto modify;
}
@@ -1173,10 +1245,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
if(pxy_obj->use_hsm)
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = cfg_instanec()->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not supported, use local keypair, sign cert!!!");
if(pxy_obj->session==0)
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = g_certstore_policy->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!");
}
goto modify;
}
if (!STRCMP(pxy_obj->keyring_type, "end-entity"))
@@ -1199,7 +1274,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
expire_time = pxy_obj->expire_time;
*stack_ca = pxy_obj->stack_ca;
modify:
x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo);
x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo, pxy_obj->session);
if (!x509){
goto finish;
}
@@ -1261,7 +1336,6 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
int xret = -1;
redisReply *reply;
struct config_bucket_t *config = cfg_instanec();
x509_forge_thread *thread = threads + request->thread_id;
struct evhttp_request *evh_req = request->evh_req;
@@ -1278,7 +1352,7 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
case '$' :
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Writing data(%s) to redis failed", request->rkey);
fp_stat_latency(request->create_time, KEYPAIR_ACTION_SQL);
if (config->mode){
if (g_certstore_policy->mode){
redisAsyncCommand(thread->cl_ctx, redis_reget_callback, request, "GET %s", request->rkey);
}else{
redis_sync_reget_callback(request, sync);
@@ -1363,8 +1437,7 @@ static int web_json_table_add(char *privatekey, char *sign, char **digital_certi
return 0;
}
static int
redis_clnt_pdu_send(struct tfe_http_request *request)
static int redis_clnt_pdu_send(struct tfe_http_request *request)
{
#define MAX_CHAIN_LEN 6
int xret = -1, i = 0;
@@ -1722,7 +1795,6 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
struct evbuffer * evbuf_body = NULL;
char *input = NULL; ssize_t inputlen=0;
x509_forge_thread *info = (x509_forge_thread *)arg;
struct config_bucket_t *config = cfg_instanec();
if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) {
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)");
@@ -1763,7 +1835,7 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
}
FS_operate(g_FP_instance.handle, g_FP_instance.line_ids[KEYPAIR_ACTION_REQ], 0, FS_OP_ADD, 1);
xret = get_keypair_cache(info, request, config->mode);
xret = get_keypair_cache(info, request, g_certstore_policy->mode);
if (xret >= 0)
{
goto finish;
@@ -1777,11 +1849,10 @@ finish:
int redis_sync_init(struct redisContext **c)
{
int xret = -1;
struct config_bucket_t *redis = cfg_instanec();
struct timeval timeout = { 1, 500000 }; // 1.5 seconds
*c = redisConnectWithTimeout(redis->addr_t.store_ip, redis->addr_t.store_port, timeout);
*c = redisConnectWithTimeout(g_certstore_policy->store_ip, g_certstore_policy->store_port, timeout);
if (*c == NULL || (*c)->err) {
if (*c) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Sync connection error: %s", (*c)->errstr);
@@ -1801,10 +1872,9 @@ static int
worker_private_init(struct event_base *base, x509_forge_thread *thread)
{
int xret = -1;
struct config_bucket_t *config = cfg_instanec();
/* Initialize the redis connection*/
if (config->mode)
if (g_certstore_policy->mode)
{
xret = redis_rsync_init(base, &thread->cl_ctx);
if (xret < 0 || !thread->cl_ctx){
@@ -1817,10 +1887,10 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Initialize the sync redis connection is failure");
}
if (config->local_debug)
if (g_certstore_policy->local_debug)
{
/* Initialize the X509 CA*/
xret = x509_key_pair_init(config->ca_path, &thread->def.key, &thread->def.root);
xret = x509_key_pair_init(g_certstore_policy->ca_path, &thread->def.key, &thread->def.root);
if (xret < 0 || !(thread->def.key) || !(thread->def.root))
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
@@ -1828,7 +1898,7 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
}
/* Initialize the insec CA*/
xret = x509_key_pair_init(config->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
xret = x509_key_pair_init(g_certstore_policy->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
if (xret < 0 || !(thread->def.key) || !(thread->def.root))
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
@@ -1868,7 +1938,7 @@ static void *pthread_worker_libevent(void *arg)
bound = evhttp_accept_socket_with_handle(http, thread_ctx->accept_fd);
if (bound != NULL) {
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound,
cfg_instanec()->addr_t.e_port);
g_certstore_policy->e_port);
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id);
@@ -2002,7 +2072,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
x509_forge_thread *info = NULL;
x509_forge_thread *threads = (x509_forge_thread *)argv;
unsigned int thread_nu = cfg_instanec()->thread_nu;
unsigned int thread_nu = g_certstore_policy->thread_nu;
for (tid = 0; tid < (int)thread_nu; tid++) {
info = threads + tid;
if(info->sync == NULL){
@@ -2015,7 +2085,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "[%d]trying to connect sync redis success", tid);
}
if(cfg_instanec()->mode)
if(g_certstore_policy->mode)
{
xret = redis_rsync_init(info->base, &info->cl_ctx);
if (xret < 0 || !info->cl_ctx){
@@ -2028,21 +2098,20 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
}
}
static int
keyring_server_init()
static int keyring_server_init(struct cert_store_policy *certstore_policy)
{
int xret = -1;
unsigned int tid = 0;
x509_forge_thread *thread = NULL;
uint32_t tm_link_detetion = 0;
unsigned int thread_nu = cfg_instanec()->thread_nu;
unsigned int thread_nu = certstore_policy->thread_nu;
/* Create a new evhttp object to handle requests. */
struct sockaddr_in sin;
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_port = htons(cfg_instanec()->addr_t.e_port);
sin.sin_port = htons(g_certstore_policy->e_port);
evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in), LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1);
if (accept_fd < 0)
{
@@ -2114,9 +2183,7 @@ void sigproc(int __attribute__((__unused__))sig)
unsigned int tid = 0;
x509_forge_thread *thread = NULL;
struct config_bucket_t *rte = cfg_instanec();
for (tid = 0; tid < rte->thread_nu; tid++)
for (tid = 0; tid < g_certstore_policy->thread_nu; tid++)
{
thread = threads + tid;
if (thread->sync)
@@ -2131,12 +2198,15 @@ void sigproc(int __attribute__((__unused__))sig)
exit(1);
}
static int mesa_fiel_stat_init()
static int field_stat_init(struct cert_store_policy *certstore_policy, const char *profile)
{
int value=0, i=0;
int value=0, i=0, statsd_port=0;
char statsd_server[46]={0};
char stat_path[128] ={0}, pname[32]={0};
struct _initer_addr_t *addr_t = &(cfg_instanec()->addr_t);
MESA_load_profile_string_def(profile, "stat", "statsd_server", statsd_server, sizeof(statsd_server), "");
MESA_load_profile_int_def(profile, "stat", "statsd_port", &(statsd_port), 0);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Filed initiate from %s:%d.", statsd_server, statsd_port);
g_FP_instance.favorite=FS_CALC_CURRENT;
strcpy(g_FP_instance.histogram_bins, FP_HISTOGRAM_BINS);
@@ -2155,10 +2225,10 @@ static int mesa_fiel_stat_init()
FS_set_para(fs, CREATE_THREAD, &value, sizeof(value));
value=2;
FS_set_para(fs, STAT_CYCLE, &value, sizeof(value));
if(strlen(addr_t->statsd_server)>0 && addr_t->statsd_port!=0)
if(strlen(statsd_server)>0 && statsd_port!=0)
{
FS_set_para(fs, STATS_SERVER_IP, addr_t->statsd_server, strlen(addr_t->statsd_server)+1);
FS_set_para(fs, STATS_SERVER_PORT, &(addr_t->statsd_port), sizeof(addr_t->statsd_port));
FS_set_para(fs, STATS_SERVER_IP, statsd_server, strlen(statsd_server)+1);
FS_set_para(fs, STATS_SERVER_PORT, &(statsd_port), sizeof(statsd_port));
}
FS_set_para(fs, HISTOGRAM_GLOBAL_BINS, g_FP_instance.histogram_bins, strlen(g_FP_instance.histogram_bins)+1);
@@ -2186,15 +2256,58 @@ static int mesa_fiel_stat_init()
return 0;
}
void keyring_table_new_cb(int __attribute__((__unused__))table_id, const char __attribute__((__unused__))*key,
const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__))argl, void __attribute__((__unused__))* argp)
static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
{
struct pxy_profile_hsm* ply_profile=NULL;
char cfg_id_str[16] = {0};
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
int table_id = g_certstore_policy->plolicy_table_id[POLICY_PROFILE_TABLE_HSM];
ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str);
return ply_profile;
}
CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id)
{
int ret=0;
CK_FLAGS flags;
CK_SESSION_HANDLE session=0;
struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
if(ply_profile == NULL || funcs->C_OpenSession==NULL)
{
goto error;
}
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
ret = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if(ret)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk open session faild, error : %d", ret);
goto error;
}
ret = funcs->C_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)ply_profile->passwd, strlen(ply_profile->passwd));
if(ret)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk login faild, error : %d", ret);
goto error;
}
return session;
error:
if(session)
{
funcs->C_CloseSession(session);
}
return 0;
}
void keyring_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0, slot_id=-1;
int include_root=0, is_valid=0;
char profile_name[CT_ARRARY_LEN]={0};
char private_file[CT_STRING_MAX] = {0}, public_file[CT_STRING_MAX]={0};
char __attribute__((__unused__))_priv_file[CT_PATH_MAX] = {0};
char __attribute__((__unused__))_publi_file[CT_PATH_MAX] = {0};
int ret=0;
struct pxy_obj_keyring *pxy_obj = NULL;
pxy_obj = (struct pxy_obj_keyring *)malloc(sizeof(struct pxy_obj_keyring));
@@ -2208,7 +2321,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d\t%d\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->is_send, &pxy_obj->use_hsm, &pxy_obj->slot_id, &pxy_obj->is_valid);
pxy_obj->v3_ctl, &include_root, &pxy_obj->use_hsm, &slot_id, &is_valid);
if(ret!=12)
{
kfree(pxy_obj);
@@ -2218,7 +2331,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
pxy_obj->op_time = time(NULL);
/*Load PUBLICKEY***/
if ((pxy_obj->issuer = x509_get_root_ca(public_file, pxy_obj->is_send, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d",
pxy_obj->keyring_id);
goto finish;
@@ -2227,12 +2340,16 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
if(pxy_obj->use_hsm == 0)
{
/*Load PRIVATEKEY**/
if ((pxy_obj->key = cert_load_key(private_file)) == NULL){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d",
pxy_obj->keyring_id);
if ((pxy_obj->key = cert_load_key(private_file)) == NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d", pxy_obj->keyring_id);
goto finish;
}
}
else
{
pxy_obj->session = keyring_pkcs11_login(slot_id);
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
pxy_obj->keyring_id);
@@ -2254,21 +2371,19 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
*((struct pxy_obj_keyring**)to)=pxy_obj;
}
int maat_table_ex_init(const char* table_name,
int maat_table_ex_init(const char* table_name,int profile_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func)
{
int table_id = 0;
struct config_bucket_t *rte = cfg_instanec();
table_id= rte->table_id = Maat_table_register(rte->feather, table_name);
table_id= g_certstore_policy->plolicy_table_id[profile_id] = Maat_table_register(g_certstore_policy->feather, table_name);
if(table_id<0)
{
goto finish;
}
table_id=Maat_plugin_EX_register(rte->feather,
table_id=Maat_plugin_EX_register(g_certstore_policy->feather,
table_id,
new_func,free_func,
dup_func,NULL,0,NULL);
@@ -2276,65 +2391,234 @@ finish:
return table_id;
}
int maat_feather_init()
#define MAAT_INPUT_JSON 1
#define MAAT_INPUT_REDIS 2
#define MAAT_INPUT_FILE 0
static Maat_feather_t create_maat_feather(const char *profile, const char *section, int max_thread)
{
int ret = -1;
Maat_feather_t feather = NULL;
int scan_interval_ms = 1000;
Maat_feather_t target;
int input_mode = 0;
int ret = 0, effect_interval = 60;
char table_info[CT_STRING_MAX] = {0}, inc_cfg_dir[CT_STRING_MAX] = {0}, ful_cfg_dir[CT_STRING_MAX] = {0};
char redis_server[CT_STRING_MAX] = {0};
char redis_port_range[CT_STRING_MAX] = {0};
char accept_tags[CT_STRING_MAX] = {0};
char accept_path[CT_PATH_MAX] = {0};
int redis_port_begin = 0, redis_port_end = 0;
int redis_port_select = 0;
int redis_db_idx = 0;
char json_cfg_file[CT_STRING_MAX] = {0};
struct config_bucket_t *rte = cfg_instanec();
struct ntc_maat_t *maat_t = &rte->maat_t;
MESA_load_profile_int_def(profile, section, "maat_json_switch", &(input_mode), 0);
MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), "");
MESA_load_profile_string_def(profile, section, "accept_path", accept_path, sizeof(accept_path), "");
MESA_load_profile_string_def(profile, section, "pxy_obj_keyring", json_cfg_file, sizeof(json_cfg_file), "");
MESA_load_profile_string_def(profile, "MAAT_REDIS", "ip", redis_server, sizeof(redis_server), "");
MESA_load_profile_string_def(profile, "MAAT_REDIS", "port", redis_port_range, sizeof(redis_server), "6379");
MESA_load_profile_int_def(profile, "MAAT_REDIS", "dbindex", &(redis_db_idx), 0);
MESA_load_profile_string_def(profile, section, "inc_cfg_dir", inc_cfg_dir, sizeof(inc_cfg_dir), "");
MESA_load_profile_string_def(profile, section, "full_cfg_dir", ful_cfg_dir, sizeof(ful_cfg_dir), "");
MESA_load_profile_int_def(profile, section, "effective_interval", &(effect_interval), 60);
int effective_interval_ms = maat_t->effective_interval_s * 1000;
effect_interval *= 1000; //convert s to ms
feather = Maat_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle);
Maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
if (maat_t->maat_json_switch == 1){
Maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1);
target = Maat_feather(max_thread, table_info, logging_sc_lid.run_log_handle);
Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
switch (input_mode)
{
case MAAT_INPUT_JSON:
Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
break;
case MAAT_INPUT_REDIS:
ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
if (ret == 1)
{
redis_port_select = redis_port_begin;
}
else if (ret == 2)
{
srand(time(NULL));
redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
}
Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
break;
case MAAT_INPUT_FILE:
Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
break;
default:
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
}
if (maat_t->maat_json_switch == 0){
Maat_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1);
Maat_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1);
}
if (maat_t->maat_json_switch == 2){
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1);
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port));
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex));
Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./foreign_files/", strlen("./foreign_files/") + 1);
Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
if (strlen(accept_path) > 0)
{
MESA_load_profile_string_def(accept_path, "maat", "ACCEPT_TAGS", accept_tags, sizeof(accept_tags), "{\"tags\":[{\"tag\":\"device_id\",\"value\":\"device_1\"}]}");
Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
mesa_runtime_log(RLOG_LV_INFO, "accept tags : %s", accept_tags);
}
Maat_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
Maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
/***/
const char* foregin_dir="./foreign_files/";
Maat_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1);
ret = Maat_initiate_feather(feather);
if (ret < 0)
{
ret = Maat_initiate_feather(target);
if (ret < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
}
rte->feather = feather;
goto error_out;
}
return target;
error_out:
Maat_burn_feather(target);
return NULL;
}
int table_id = maat_table_ex_init("PXY_PROFILE_KEYRING",
keyring_table_new_cb,
keyring_table_free_cb,
keyring_table_dup_cb);
void hsm_profile_table_start_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char server_type[128]={0};
char ip[46]={0}, passwd[128] = {0};
char effective_range[256] = {0};
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, server_type, ip, passwd, effective_range, &is_valid);
if(ret!=6)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse config failed: %s", table_line);
return;
}
/*Whether to take effect**/
struct pxy_profile_hsm* ply_profile = (struct pxy_profile_hsm*)kmalloc(sizeof(struct pxy_profile_hsm), MPF_CLR, -1);
ply_profile->profile_id=profile_id;
ply_profile->ref_cnt=1;
pthread_mutex_init(&(ply_profile->lock), NULL);
ply_profile->server_ip=strdup(ip);
ply_profile->passwd=strdup(passwd);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Policy table add success %d", profile_id);
*ad = ply_profile;
return;
}
void hsm_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
{
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt++;
pthread_mutex_unlock(&(ply_obj->lock));
*to=ply_obj;
}
void hsm_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
if(*ad==NULL)
{
return;
}
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*ad);
if(ply_obj==NULL)
{
return;
}
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt--;
if(ply_obj->ref_cnt>0)
{
pthread_mutex_unlock(&(ply_obj->lock));
return;
}
pthread_mutex_unlock(&(ply_obj->lock));
pthread_mutex_destroy(&(ply_obj->lock));
kfree(&ply_obj->server_ip);
kfree(&ply_obj->passwd);
kfree(&ply_obj);
*ad=NULL;
return;
}
int maat_feather_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int table_id = 0;
certstore_policy->feather = create_maat_feather(main_profile, "maat", certstore_policy->thread_nu);
if(!certstore_policy->feather)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
return 0;
}
table_id = maat_table_ex_init("PXY_PROFILE_KEYRING", POLICY_PROFLIE_TABLE_KERING, keyring_table_new_cb, keyring_table_free_cb, keyring_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed");
}
table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed");
return 0;
}
field_stat_init(certstore_policy, main_profile);
return 0;
}
int cert_store_session_init()
int do_user_GetFunctionList(void)
{
mesa_fiel_stat_init();
return FC_GetFunctionList(&funcs);
}
maat_feather_init();
int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret=0;
char library_path[256]={0};
CK_C_INITIALIZE_ARGS cinit_args;
keyring_server_init();
MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable));
MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), "");
if(certstore_policy->enable == 0)
{
goto finish;
}
xret=LoadPkcsLib(library_path);
if(xret!=0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path);
goto finish;
}
xret = do_user_GetFunctionList();
if(xret!=0 || funcs->C_Initialize==NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret);
goto finish;
}
memset(&cinit_args, 0x0, sizeof(cinit_args));
cinit_args.flags = CKF_OS_LOCKING_OK;
xret = funcs->C_Initialize(&cinit_args);
if(xret!=0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed");
}
finish:
return xret;
}
int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
maat_feather_init(certstore_policy, main_profile);
pkcs11_module_init(certstore_policy, main_profile);
keyring_server_init(certstore_policy);
return 0;
}

51
program/src/cert_store.cpp
View File

@@ -12,14 +12,15 @@
#include <unistd.h>
#include "rt_string.h"
#include "rt_stdlib.h"
#include "rt_common.h"
#include <cert_conf.h>
#include <cert_session.h>
#include "cert_conf.h"
#include "cert_session.h"
#include "logging.h"
#include <MESA/MESA_prof_load.h>
#define CERT_BASIC_CFG "./conf/cert_store.ini"
struct cert_store_policy * g_certstore_policy = NULL;
/* VERSION STRING */
#ifdef TARGET_GIT_VERSION
@@ -39,33 +40,18 @@ enum syslog_display_format{
FORMAT_SYSLOG
};
static
void cert_store_preview ()
static void cert_store_preview()
{
struct config_bucket_t *rte = cfg_instanec();
printf("\r\nBasic Configuration of CertStore \n");
printf("%30s:%45s\n", "Run Mode", (rte->mode == 1)?"async":"sync");
printf("%30s:%45d\n", "The Threads", rte->thread_nu);
printf("%30s:%45s\n", "Store Redis Ip", rte->addr_t.store_ip);
printf("%30s:%45d\n", "Store Redis Port", rte->addr_t.store_port);
printf("%30s:%45s\n", "Maat Redis Ip", rte->addr_t.maat_ip);
printf("%30s:%45d\n", "Maat Redis Port", rte->addr_t.maat_port);
printf("%30s:%45d\n", "Maat Redis index", rte->addr_t.dbindex);
printf("%30s:%45d\n", "Libevent Port", rte->addr_t.e_port);
printf("%30s:%45s\n", "Cert Path", rte->ca_path);
printf("%30s:%45s\n", "Uninsec cert Path", rte->uninsec_path);
printf("%30s:%45s\n", "Run Mode", (g_certstore_policy->mode == 1)?"async":"sync");
printf("%30s:%45d\n", "The Threads", g_certstore_policy->thread_nu);
printf("%30s:%45s\n", "Store Redis Ip", g_certstore_policy->store_ip);
printf("%30s:%45d\n", "Store Redis Port", g_certstore_policy->store_port);
printf("%30s:%45d\n", "Libevent Port", g_certstore_policy->e_port);
printf("%30s:%45s\n", "Cert Path", g_certstore_policy->ca_path);
printf("%30s:%45s\n", "Uninsec cert Path", g_certstore_policy->uninsec_path);
printf("%30s:%45s\n", "Log Directory", logging_sc_lid.run_log_path);
printf("%30s:%45s\n", "Table Info", rte->maat_t.info_path);
if (rte->maat_t.maat_json_switch == 1){
printf("%30s:%45s\n", "Pxy Obj Keyring", rte->maat_t.pxy_path);
}
if (rte->maat_t.maat_json_switch == 0){
printf("%30s:%45d\n", "Scan Interval", rte->maat_t.effective_interval_s);
printf("%30s:%45s\n", "Full Cfg Path", rte->maat_t.full_cfg_dir);
printf("%30s:%45s\n", "Inc Cfg Path", rte->maat_t.inc_cfg_dir);
}
printf("\r\n");
}
@@ -93,6 +79,8 @@ void __signal_handler_cb(int sig)
int main(int argc, char **argv)
{
int opt = 0;
const char * main_profile = "./conf/cert_store.ini";
while ((opt = getopt(argc, argv, "v")) != -1)
{
switch (opt)
@@ -104,9 +92,13 @@ int main(int argc, char **argv)
break;
}
}
cert_store_syslog_init(CERT_BASIC_CFG, version());
cert_store_init_config(CERT_BASIC_CFG);
g_certstore_policy = (struct cert_store_policy *) kmalloc (sizeof(struct cert_store_policy), MPF_CLR, -1);
assert(g_certstore_policy);
cert_store_syslog_init(main_profile, version());
cert_store_init_config(g_certstore_policy, main_profile);
cert_store_preview();
@@ -116,8 +108,7 @@ int main(int argc, char **argv)
{
signal(signals[i], __signal_handler_cb);
}
cert_store_session_init();
cert_store_session_init(g_certstore_policy, main_profile);
return 0;
}