#177 在用户访问的过程中，获取未见到过、可信的中间证书

2019-10-23 10:29:30 +08:00
parent fe7fc6fa9c
commit 3a68352964
4 changed files with 77 additions and 2 deletions
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -1,6 +1,6 @@
 find_package(SYSTEMD REQUIRED)

-add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/ssl_stream.cpp src/key_keeper.cpp
+add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp
 	src/ssl_sess_cache.cpp src/ssl_sess_ticket.cpp src/ssl_service_cache.cpp
 	src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp src/ssl_utils.cpp
 	src/tcp_stream.cpp src/main.cpp src/proxy.cpp src/sender_scm.cpp src/watchdog_kni.cpp)
--- a/platform/include/internal/ssl_fetch_cert.h
+++ b/platform/include/internal/ssl_fetch_cert.h
@@ -0,0 +1,11 @@
+//
+// Created by lwp on 2019/10/16.
+//
+
+#ifndef TFE_SSL_FETCH_CERT_H
+#define TFE_SSL_FETCH_CERT_H
+
+void ssl_fetch_cert_url_by_aia(X509 *cert);
+void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store);
+
+#endif //TFE_SSL_FETCH_CERT_H
--- a/platform/src/ssl_fetch_cert.cpp
+++ b/platform/src/ssl_fetch_cert.cpp
@@ -0,0 +1,58 @@
+//
+// Created by lwp on 2019/10/16.
+//
+
+#include "ssl_utils.h"
+#include <assert.h>
+
+typedef struct x509_object_st {
+	int type;
+	union {
+		char *ptr;
+		X509 *x509;
+		X509_CRL *crl;
+		EVP_PKEY *pkey;
+	} data;
+} X509_OBJECT;
+
+
+// test use http://www.360.cn/
+void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store) {
+	// 证书链中的证书下标为 [0, count - 1]，下标为 count - 1 的证书不一定在可信证书列表中
+	int count = sk_X509_num(cert_chain);
+	printf("------------------ max depth is : %d\n", count);
+
+	// don`t need call X509_LOOKUP_free(lookup)
+	X509_LOOKUP *lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir());
+	if (lookup == NULL) {
+		return;
+	}
+
+	for (int i = 1; i < count; i++) {
+		// don1t need call X509_FREE(cert)
+		X509 *cert = sk_X509_value(cert_chain, i);
+		assert(cert);
+
+		X509_OBJECT stmp;
+		stmp.type = X509_LU_NONE;
+		stmp.data.ptr = NULL;
+		int result = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_issuer_name(cert), &stmp);
+		char *subj = ssl_x509_subject(cert);
+		char *issuer = ssl_x509_issuer(cert);
+		if (result) {
+			printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:1\n", i, subj, issuer);
+			// not use continue, case the intermediate certificate is exist and the root certificate is not exist.
+			/* continue; */
+		} else {
+			printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:0\n", i, subj, issuer);
+			char *string = ssl_x509_to_str(cert);
+			if (string) {
+				// TODO log kafka
+				printf("%s\n", string);
+				free(string);
+			}
+		}
+		free(subj);
+		free(issuer);
+	}
+}
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -1,5 +1,6 @@

 #include "ssl_trusted_cert_storage.h"
+#include "ssl_fetch_cert.h"
 #include "MESA_htable_aux.h"
 #include <MESA/MESA_htable.h>

@@ -401,6 +402,11 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 		ret=1;
 	}

+	// case cert verify success
+	if (ret == 1) {
+		ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store);
+	}
+
 	X509_STORE_CTX_free(ctx);
 	pthread_rwlock_unlock(&(storage->rwlock));
 	return ret;