2019-10-23 10:29:30 +08:00
|
|
|
|
//
|
|
|
|
|
|
// Created by lwp on 2019/10/16.
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
|
|
#include <assert.h>
|
2019-12-06 15:51:03 +08:00
|
|
|
|
#include <cjson/cJSON.h>
|
2020-03-09 16:28:56 +08:00
|
|
|
|
|
|
|
|
|
|
#include <ssl_utils.h>
|
|
|
|
|
|
#include <tfe_kafka_logger.h>
|
2019-10-28 17:10:38 +08:00
|
|
|
|
#include <MESA/MESA_prof_load.h>
|
2019-10-23 10:29:30 +08:00
|
|
|
|
|
|
|
|
|
|
typedef struct x509_object_st {
|
2020-03-09 16:28:56 +08:00
|
|
|
|
/* one of the above types */
|
|
|
|
|
|
X509_LOOKUP_TYPE type;
|
|
|
|
|
|
union {
|
|
|
|
|
|
char *ptr;
|
|
|
|
|
|
X509 *x509;
|
|
|
|
|
|
X509_CRL *crl;
|
|
|
|
|
|
EVP_PKEY *pkey;
|
|
|
|
|
|
} data;
|
2019-10-23 10:29:30 +08:00
|
|
|
|
} X509_OBJECT;
|
|
|
|
|
|
|
2020-03-09 16:28:56 +08:00
|
|
|
|
static tfe_kafka_logger_t *g_kafka_logger = NULL;
|
2019-10-28 17:10:38 +08:00
|
|
|
|
|
2020-03-09 16:28:56 +08:00
|
|
|
|
void ssl_mid_cert_kafka_logger_destory(void)
|
|
|
|
|
|
{
|
|
|
|
|
|
tfe_kafka_logger_destroy(g_kafka_logger);
|
2019-10-28 17:10:38 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-12-06 15:51:03 +08:00
|
|
|
|
int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section)
|
|
|
|
|
|
{
|
2020-03-09 16:28:56 +08:00
|
|
|
|
int enable = 0;
|
|
|
|
|
|
char nic_name[64] = {0};
|
|
|
|
|
|
char broker_list[TFE_SYMBOL_MAX] = {0};
|
|
|
|
|
|
char topic_name[TFE_SYMBOL_MAX] = {0};
|
|
|
|
|
|
const char *errstr = "SSL mid cert cache occer error, ";
|
|
|
|
|
|
|
|
|
|
|
|
MESA_load_profile_int_def(profile, section, "mc_cache_enable", &enable, 0);
|
|
|
|
|
|
MESA_load_profile_string_def(profile, section, "mc_cache_eth", nic_name, sizeof(nic_name), "eth0");
|
|
|
|
|
|
MESA_load_profile_string_def(profile, section, "mc_cache_topic", topic_name, sizeof(topic_name), "PXY-EXCH-INTERMEDIA-CERT");
|
2020-03-09 16:56:39 +08:00
|
|
|
|
if (!enable) // is disable,skip broker list
|
|
|
|
|
|
goto skip;
|
2020-03-09 16:28:56 +08:00
|
|
|
|
if (MESA_load_profile_string_def(profile, section, "mc_cache_broker_list", broker_list, sizeof(broker_list), NULL) < 0)
|
|
|
|
|
|
{
|
2019-12-06 15:51:03 +08:00
|
|
|
|
TFE_LOG_ERROR(g_default_logger, "%s, Fail to get mc_cache_broker_list in profile %s section %s.", errstr, profile, section);
|
2020-03-09 16:28:56 +08:00
|
|
|
|
return -1;
|
2019-10-28 17:10:38 +08:00
|
|
|
|
}
|
2020-03-09 16:56:39 +08:00
|
|
|
|
skip:
|
2020-03-09 16:28:56 +08:00
|
|
|
|
g_kafka_logger = tfe_kafka_logger_create(enable, nic_name, broker_list, topic_name, g_default_logger);
|
|
|
|
|
|
if (g_kafka_logger)
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
else
|
|
|
|
|
|
return -1;
|
2019-10-28 17:10:38 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-03-09 16:28:56 +08:00
|
|
|
|
static void ssl_mid_cert_kafka_logger_send(const char *sni, const char *fingerprint, const char *cert)
|
2019-12-06 15:51:03 +08:00
|
|
|
|
{
|
2020-03-09 16:28:56 +08:00
|
|
|
|
if (g_kafka_logger->enable == 0)
|
2019-12-06 15:51:03 +08:00
|
|
|
|
{
|
2019-10-28 17:10:38 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
2019-12-06 15:51:03 +08:00
|
|
|
|
cJSON *obj = NULL;
|
|
|
|
|
|
cJSON *dup = NULL;
|
|
|
|
|
|
char *msg = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
obj = cJSON_CreateObject();
|
2019-12-06 17:23:21 +08:00
|
|
|
|
cJSON_AddStringToObject(obj, "sni", sni);
|
|
|
|
|
|
cJSON_AddStringToObject(obj, "fingerprint", fingerprint);
|
2019-12-06 15:51:03 +08:00
|
|
|
|
cJSON_AddStringToObject(obj, "cert", cert);
|
2020-03-09 16:28:56 +08:00
|
|
|
|
cJSON_AddStringToObject(obj, "tfe_ip", g_kafka_logger->local_ip_str);
|
2019-12-06 15:51:03 +08:00
|
|
|
|
dup = cJSON_Duplicate(obj, 1);
|
|
|
|
|
|
msg = cJSON_PrintUnformatted(dup);
|
|
|
|
|
|
TFE_LOG_DEBUG(g_default_logger, "log to [%s] msg:%s", g_kafka_logger->topic_name, msg);
|
2020-03-09 16:28:56 +08:00
|
|
|
|
tfe_kafka_logger_send(g_kafka_logger, msg, strlen(msg));
|
2019-12-06 15:51:03 +08:00
|
|
|
|
|
|
|
|
|
|
free(msg);
|
2019-12-06 17:23:21 +08:00
|
|
|
|
cJSON_Delete(dup);
|
2019-12-06 15:51:03 +08:00
|
|
|
|
cJSON_Delete(obj);
|
2019-10-28 17:10:38 +08:00
|
|
|
|
}
|
2019-10-23 10:29:30 +08:00
|
|
|
|
|
|
|
|
|
|
// test use http://www.360.cn/
|
2019-12-06 15:51:03 +08:00
|
|
|
|
void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store, const char *hostname) {
|
|
|
|
|
|
int ret;
|
|
|
|
|
|
int deep;
|
2020-01-02 18:45:42 +08:00
|
|
|
|
char *pem = NULL;
|
2019-12-06 15:51:03 +08:00
|
|
|
|
char *subj = NULL;
|
|
|
|
|
|
char *issuer = NULL;
|
|
|
|
|
|
char *fingerprint = NULL;
|
|
|
|
|
|
X509 *cert = NULL;
|
2020-01-06 18:17:13 +08:00
|
|
|
|
X509_OBJECT *obj = NULL;
|
2019-12-06 15:51:03 +08:00
|
|
|
|
if (!g_kafka_logger || !g_kafka_logger->enable) {
|
2019-10-28 17:10:38 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-12-06 15:51:03 +08:00
|
|
|
|
deep = sk_X509_num(cert_chain);
|
|
|
|
|
|
for (int i = 1; i < deep; i++) {
|
|
|
|
|
|
// need't call X509_FREE(cert)
|
|
|
|
|
|
cert = sk_X509_value(cert_chain, i);
|
2019-10-23 10:29:30 +08:00
|
|
|
|
assert(cert);
|
|
|
|
|
|
|
2020-01-06 18:17:13 +08:00
|
|
|
|
obj = X509_OBJECT_new();
|
|
|
|
|
|
assert(obj);
|
|
|
|
|
|
obj->type = X509_LU_X509;
|
|
|
|
|
|
obj->data.x509 = (X509 *)cert;
|
|
|
|
|
|
|
2020-06-12 21:15:39 +08:00
|
|
|
|
X509_OBJECT_up_ref_count(obj);
|
|
|
|
|
|
|
2020-01-06 18:17:13 +08:00
|
|
|
|
// not in trusted store
|
2020-03-09 16:28:56 +08:00
|
|
|
|
if (X509_OBJECT_retrieve_match(X509_STORE_get0_objects(trusted_store), obj) == NULL)
|
2020-01-06 18:17:13 +08:00
|
|
|
|
{
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
// in trusted store
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
ret = 1;
|
|
|
|
|
|
}
|
2020-06-12 21:15:39 +08:00
|
|
|
|
// https://man.openbsd.org/X509_OBJECT_up_ref_count.3
|
|
|
|
|
|
// https://groups.google.com/forum/m/#!msg/mailing.openssl.dev/9-PNIcR91Qo/FqnBOr8sBAAJ
|
|
|
|
|
|
//X509_OBJECT_free_contents(obj);
|
2020-01-06 18:17:13 +08:00
|
|
|
|
X509_OBJECT_free(obj);
|
|
|
|
|
|
|
2019-12-06 15:51:03 +08:00
|
|
|
|
subj = ssl_x509_subject(cert);
|
|
|
|
|
|
issuer = ssl_x509_issuer(cert);
|
|
|
|
|
|
fingerprint = ssl_x509_fingerprint(cert, 0);
|
2020-01-02 18:45:42 +08:00
|
|
|
|
pem = ssl_x509_to_pem(cert);
|
|
|
|
|
|
|
2020-01-08 14:29:55 +08:00
|
|
|
|
TFE_LOG_DEBUG(g_default_logger, "[dep:%d/%d] in_trusted_store:%d, sin:%s; subject:(%s); issuer:(%s); fingerprint:%s; cert:%s",
|
2020-03-09 16:28:56 +08:00
|
|
|
|
i, deep, ret, (hostname ? hostname : "NULL"), (subj ? subj : "NULL"), (issuer ? issuer : "NULL"), (fingerprint ? fingerprint : "NULL"),
|
|
|
|
|
|
((pem && g_kafka_logger->enable == 0x10) ? pem : " ..."));
|
|
|
|
|
|
|
2020-01-02 18:45:42 +08:00
|
|
|
|
if (!ret && fingerprint && pem) {
|
|
|
|
|
|
ssl_mid_cert_kafka_logger_send(hostname, fingerprint, pem);
|
2019-10-23 10:29:30 +08:00
|
|
|
|
}
|
2020-01-02 18:45:42 +08:00
|
|
|
|
if (pem)
|
|
|
|
|
|
free(pem);
|
2019-12-06 15:51:03 +08:00
|
|
|
|
if (subj)
|
|
|
|
|
|
free(subj);
|
|
|
|
|
|
if (issuer)
|
|
|
|
|
|
free(issuer);
|
|
|
|
|
|
if (fingerprint)
|
|
|
|
|
|
free(fingerprint);
|
2019-10-23 10:29:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
