1.增加配置文件对默认证书读取配置项

2.删除默认证书路径下无效证书
3.删除区分公钥和私钥读取证书模式
fengweihao
2018-12-13 10:12:24 +08:00
parent 131dbeaaa1
commit f8f9c22a85
10 changed files with 27 additions and 156 deletions


@@ -21,7 +21,8 @@
struct config_bucket_t certConfig = {
.thread_nu = 1,
.expire_after = 30,
.def_path = "/home/test",
.ca_path = "./cert/mesalab-ca.pem",
.uninsec_path = "./cert/mesalab-ca-untrust.pem",
.addr_t = {9995, 6379, "0.0.0.0", 0, 6379, "0.0.0.0"},
.keyring = {0, 0, NULL, NULL},
};
@@ -47,11 +48,19 @@ static int load_system_config(char *config)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of valid time failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "def-ca-path", rte->def_path, 128);
if (xret < 0 && !rt_dir_exsit(rte->def_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the def path failed or the (%s) does not exist",
rte->def_path);
xret = MESA_load_profile_string_nodef(config, "CONFIG", "ca_path", rte->ca_path, 128);
if (xret <0 && rt_file_exsit(rte->ca_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the ca path failed or the (%s) does not exist",
rte->ca_path);
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128);
if (xret <0 && rt_file_exsit(rte->uninsec_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist",
rte->ca_path);
goto finish;
}
finish:
return xret;
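Review bot: The two new file checks are inverted relative to the def-path check above them: `if (xret <0 && rt_file_exsit(rte->ca_path))` (and the identical `untrusted_ca_path` test) logs a fatal error only when the profile read failed *and* the file is present, so a missing certificate/key file passes silently while a present one with no config entry is rejected, assuming rt_file_exsit returns non-zero when the file exists as rt_dir_exsit does on the def path. Since a read that succeeds can still name a nonexistent file, the check that matches the log message is `if (!rt_file_exsit(rte->ca_path))` (likewise `if (!rt_file_exsit(rte->uninsec_path))`). The untrusted-CA message also prints `rte->ca_path` where it should print `rte->uninsec_path`. The def-path branch logs at RLOG_LV_FATAL but has no `goto finish`, so execution continues and `xret` is overwritten by the later reads; if that is a deliberate fallback to the compiled-in default, a comment saying so would help. load_system_config starts outside the hunk.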


@@ -72,7 +72,8 @@ struct ntc_maat_t{
struct config_bucket_t{
unsigned int thread_nu;
unsigned int expire_after;
char def_path[128];
char ca_path[128];
char uninsec_path[128];
struct ntc_maat_t maat_t;
struct _initer_addr_t addr_t;
struct key_ring_list keyring;


@@ -55,9 +55,6 @@
#define LOCAL_USER_DER 2
#define LOCAL_USER_P12 3
#define DEFAULT_PRIVATEKEY_NAME "mesalab-ca-cert.key"
#define DEFAULT_CA_CERTIFICATE "mesalab-ca-cert.cer"
#define MESALAB_INSEC_CERT "mesalab-insec-cert.cer"
#define MESALAB_INSEC_KEY "mesalab-insec-cert.key"
@@ -1293,8 +1290,7 @@ finish:
return 0;
}
int x509_privatekey_init(char *private_file, char *public_file,
EVP_PKEY **key, X509 **root)
int x509_privatekey_init(char *ca_file, EVP_PKEY **key, X509 **root)
{
int xret = -1;
FILE *fp; RSA *rsa = NULL;
@@ -1309,9 +1305,9 @@ int x509_privatekey_init(char *private_file, char *public_file,
goto pkey_free;
}
fp = fopen(private_file, "r");
fp = fopen(ca_file, "r");
if (NULL == fp){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", private_file);
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", ca_file);
RSA_free(rsa);
goto pkey_free;
}
@@ -1323,9 +1319,9 @@ int x509_privatekey_init(char *private_file, char *public_file,
fclose(fp);
BIO *in;
in = BIO_new_file(public_file, "r");
in = BIO_new_file(ca_file, "r");
if (!in){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", public_file);
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", ca_file);
goto pkey_free;
}
@@ -1590,7 +1586,7 @@ static int
task_private_init(struct event_base *base, libevent_thread *info)
{
int xret = -1;
char key_path[256] = {0}, cert_path[256] = {0};
struct config_bucket_t *config = cert_default_config();
/* Initialize the redis connection*/
xret = redis_rsync_init(base, &info->cl_ctx);
@@ -1604,22 +1600,14 @@ task_private_init(struct event_base *base, libevent_thread *info)
}
/* Initialize the X509 CA*/
snprintf(key_path, sizeof(key_path), "%s/%s", cert_default_config()->def_path, DEFAULT_PRIVATEKEY_NAME);
snprintf(cert_path, sizeof(cert_path), "%s/%s", cert_default_config()->def_path, DEFAULT_CA_CERTIFICATE);
xret = x509_privatekey_init(key_path, cert_path, &info->def.key, &info->def.root);
xret = x509_privatekey_init(config->ca_path, &info->def.key, &info->def.root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
goto finish;
}
/* Initialize the insec CA*/
memset(key_path, 0, 256);
memset(cert_path, 0, 256);
snprintf(key_path, sizeof(key_path), "%s/%s", cert_default_config()->def_path, MESALAB_INSEC_KEY);
snprintf(cert_path, sizeof(cert_path), "%s/%s", cert_default_config()->def_path, MESALAB_INSEC_CERT);
xret = x509_privatekey_init(key_path, cert_path, &info->def.insec_key, &info->def.insec_root);
xret = x509_privatekey_init(config->uninsec_path, &info->def.insec_key, &info->def.insec_root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
goto finish;
@@ -1740,7 +1728,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
if(info->cl_ctx->err != 0){
if (info->sync)
redisFree(info->sync);
xret = redis_sync_init(&info->sync);
if (xret < 0 || !info->sync){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "[%d]trying to connect sync redis failed", tid);
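Review bot: The check right after the rewired insec call in task_private_init still tests the wrong fields: `if (xret < 0 || !(info->def.key) || !(info->def.root))` re-validates the default CA that was already checked, so `x509_privatekey_init(config->uninsec_path, ...)` returning success with a NULL insec_key or insec_root goes unnoticed; it should read `if (xret < 0 || !(info->def.insec_key) || !(info->def.insec_root)){`. x509_privatekey_init now opens the same `ca_file` twice, first with `fopen` for the RSA private key and then with `BIO_new_file` for the certificate, which silently changes the on-disk layout from two files to one PEM bundle holding the CA private key together with its certificate; that contract deserves a comment on the function, e.g. `/* ca_file: PEM bundle holding both the CA private key and the CA certificate; opened twice. */`, and the config items named in load_system_config should say the same. Because the key now travels under a name that reads like a certificate path, the only validation it receives upstream is an existence check, so callers should not assume the file is protected. x509_privatekey_init and task_private_init both start and end outside the hunks shown.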


@@ -93,7 +93,8 @@ void cert_preview ()
printf("%30s:%45d\n", "Maat Redis Port", rte->addr_t.maat_port);
printf("%30s:%45d\n", "Maat Redis index", rte->addr_t.dbindex);
printf("%30s:%45d\n", "Libevent Port", rte->addr_t.e_port);
printf("%30s:%45s\n", "Def Cert Path", rte->def_path);
printf("%30s:%45s\n", "Cert Path", rte->ca_path);
printf("%30s:%45s\n", "Uninsec cert Path", rte->uninsec_path);
printf("%30s:%45s\n", "Log Directory", logging_sc_lid.run_log_path);
printf("%30s:%45s\n", "Table Info", rte->maat_t.info_path);
if (rte->maat_t.maat_json_switch == 1){