gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改中间证书的判定条件,只缓存 x509V3 的中间证书

Browse Source
This commit is contained in:
luwenpeng
2020-07-01 14:54:04 +08:00
parent bbbea82e1e
commit 01a476774e
1 changed files with 112 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
platform/src/ssl_fetch_cert.cpp
View File

@@ -9,10 +9,12 @@
#include <tfe_kafka_logger.h> #include <tfe_kafka_logger.h>
#include <MESA/MESA_prof_load.h> #include <MESA/MESA_prof_load.h>
typedef struct x509_object_st { typedef struct x509_object_st
{
/* one of the above types */ /* one of the above types */
X509_LOOKUP_TYPE type; X509_LOOKUP_TYPE type;
union { union
{
char *ptr; char *ptr;
X509 *x509; X509 *x509;
X509_CRL *crl; X509_CRL *crl;
@@ -20,6 +22,19 @@ typedef struct x509_object_st {
} data; } data;
} X509_OBJECT; } X509_OBJECT;
enum CERT_TYPE {
ENTITY_CERT = 0,
INTERMEDIATE_CERT = 1,
ROOT_CERT = 2,
MAX_TYPE = 3,
};
static char cert_type_desc[MAX_TYPE][64] = {
{"Entity certificate"},
{"Intermediate certificate"},
{"Root certificate"},
};
static tfe_kafka_logger_t *g_kafka_logger = NULL; static tfe_kafka_logger_t *g_kafka_logger = NULL;
void ssl_mid_cert_kafka_logger_destory(void) void ssl_mid_cert_kafka_logger_destory(void)
@@ -33,16 +48,15 @@ int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section)
char nic_name[64] = {0}; char nic_name[64] = {0};
char broker_list[TFE_SYMBOL_MAX] = {0}; char broker_list[TFE_SYMBOL_MAX] = {0};
char topic_name[TFE_SYMBOL_MAX] = {0}; char topic_name[TFE_SYMBOL_MAX] = {0};
const char *errstr = "SSL mid cert cache occer error, ";
MESA_load_profile_int_def(profile, section, "mc_cache_enable", &enable, 0); MESA_load_profile_int_def(profile, section, "mc_cache_enable", &enable, 0);
MESA_load_profile_string_def(profile, section, "mc_cache_eth", nic_name, sizeof(nic_name), "eth0"); MESA_load_profile_string_def(profile, section, "mc_cache_eth", nic_name, sizeof(nic_name), "eth0");
MESA_load_profile_string_def(profile, section, "mc_cache_topic", topic_name, sizeof(topic_name), "PXY-EXCH-INTERMEDIA-CERT"); MESA_load_profile_string_def(profile, section, "mc_cache_topic", topic_name, sizeof(topic_name), "PXY-EXCH-INTERMEDIA-CERT");
if (!enable) // is disableskip broker list if (!enable)
goto skip; goto skip;
if (MESA_load_profile_string_def(profile, section, "mc_cache_broker_list", broker_list, sizeof(broker_list), NULL) < 0) if (MESA_load_profile_string_def(profile, section, "mc_cache_broker_list", broker_list, sizeof(broker_list), NULL) < 0)
{ {
TFE_LOG_ERROR(g_default_logger, "%s, Fail to get mc_cache_broker_list in profile %s section %s.", errstr, profile, section); TFE_LOG_ERROR(g_default_logger, "Fail to get mc_cache_broker_list in profile %s section %s.", profile, section);
return -1; return -1;
} }
skip: skip:
@@ -78,9 +92,40 @@ static void ssl_mid_cert_kafka_logger_send(const char *sni, const char *fingerpr
cJSON_Delete(obj); cJSON_Delete(obj);
} }
// test use http://www.360.cn/ static int is_x509v3_ca_cert(X509 *x)
void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store, const char *hostname) { {
int ret; /* what is Basic Constraint Extension:
* http://www.pkiglobe.org/
* https://tools.ietf.org/html/rfc5280#section-4.2.1.9
*
* how to visit Basic Constraint Extension:
* https://stackoverflow.com/questions/40609792/how-can-i-verify-certificate-has-ca-true-basic-constraint
*/
int is_ca = 0;
BASIC_CONSTRAINTS *bs = NULL;
if (X509_get_version(x) != 2)
{
return is_ca;
}
bs = (BASIC_CONSTRAINTS *)X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL);
if (bs)
{
if (bs->ca)
{
is_ca = 1;
}
BASIC_CONSTRAINTS_free(bs);
}
return is_ca;
}
void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store, const char *hostname)
{
int in_store;
int type;
int deep; int deep;
char *pem = NULL; char *pem = NULL;
char *subj = NULL; char *subj = NULL;
@@ -88,57 +133,87 @@ void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *
char *fingerprint = NULL; char *fingerprint = NULL;
X509 *cert = NULL; X509 *cert = NULL;
X509_OBJECT *obj = NULL; X509_OBJECT *obj = NULL;
if (!g_kafka_logger || !g_kafka_logger->enable) { if (!g_kafka_logger || !g_kafka_logger->enable)
{
return; return;
} }
deep = sk_X509_num(cert_chain); deep = sk_X509_num(cert_chain);
for (int i = 1; i < deep; i++) { for (int i = 0; i < deep; i++)
// need't call X509_FREE(cert) {
cert = sk_X509_value(cert_chain, i); cert = sk_X509_value(cert_chain, i);
assert(cert); assert(cert);
obj = X509_OBJECT_new(); in_store = 0;
assert(obj);
obj->type = X509_LU_X509;
obj->data.x509 = (X509 *)cert;
X509_OBJECT_up_ref_count(obj);
// not in trusted store
if (X509_OBJECT_retrieve_match(X509_STORE_get0_objects(trusted_store), obj) == NULL)
{
ret = 0;
}
// in trusted store
else
{
ret = 1;
}
// https://man.openbsd.org/X509_OBJECT_up_ref_count.3
// https://groups.google.com/forum/m/#!msg/mailing.openssl.dev/9-PNIcR91Qo/FqnBOr8sBAAJ
//X509_OBJECT_free_contents(obj);
X509_OBJECT_free(obj);
subj = ssl_x509_subject(cert); subj = ssl_x509_subject(cert);
issuer = ssl_x509_issuer(cert); issuer = ssl_x509_issuer(cert);
fingerprint = ssl_x509_fingerprint(cert, 0); fingerprint = ssl_x509_fingerprint(cert, 0);
pem = ssl_x509_to_pem(cert); pem = ssl_x509_to_pem(cert);
TFE_LOG_DEBUG(g_default_logger, "[dep:%d/%d] in_trusted_store:%d, sin:%s; subject:(%s); issuer:(%s); fingerprint:%s; cert:%s", if (!is_x509v3_ca_cert(cert))
i, deep, ret, (hostname ? hostname : "NULL"), (subj ? subj : "NULL"), (issuer ? issuer : "NULL"), (fingerprint ? fingerprint : "NULL"), {
((pem && g_kafka_logger->enable == 0x10) ? pem : " ...")); type = ENTITY_CERT;
goto end;
}
else
{
if (subj && issuer && strcmp(subj, issuer) == 0)
{
type = ROOT_CERT;
goto end;
}
else
{
type = INTERMEDIATE_CERT;
}
}
if (!ret && fingerprint && pem) { obj = X509_OBJECT_new();
assert(obj);
obj->type = X509_LU_X509;
obj->data.x509 = (X509 *)cert;
X509_OBJECT_up_ref_count(obj);
// not in trusted store
if (X509_OBJECT_retrieve_match(X509_STORE_get0_objects(trusted_store), obj) == NULL)
{
in_store = 0;
}
// in trusted store
else
{
in_store = 1;
}
X509_OBJECT_free(obj);
if (!in_store && fingerprint && pem)
{
ssl_mid_cert_kafka_logger_send(hostname, fingerprint, pem); ssl_mid_cert_kafka_logger_send(hostname, fingerprint, pem);
} }
end:
TFE_LOG_DEBUG(g_default_logger, "[dep:%d/%d] is %s, in_trusted_store:%d, sin:%s; subject:(%s); issuer:(%s); fingerprint:%s; cert:%s",
i, deep, cert_type_desc[type], in_store, (hostname ? hostname : "NULL"), (subj ? subj : "NULL"), (issuer ? issuer : "NULL"), (fingerprint ? fingerprint : "NULL"),
((pem && g_kafka_logger->enable == 0x10) ? pem : " ..."));
if (pem) if (pem)
{
free(pem); free(pem);
pem = NULL;
}
if (subj) if (subj)
{
free(subj); free(subj);
subj = NULL;
}
if (issuer) if (issuer)
{
free(issuer); free(issuer);
issuer = NULL;
}
if (fingerprint) if (fingerprint)
{
free(fingerprint); free(fingerprint);
fingerprint = NULL;
}
} }
} }