#68 从目录中加载额外的证书和crl。

2018-11-02 20:38:06 +08:00
parent d0ea605a5b
commit 668c1b3e52
10 changed files with 450 additions and 994 deletions
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -26,15 +26,79 @@ static void free_ssl_x509_obj(void* data)
 }
 struct ssl_trusted_cert_storage
 {
-	char* pem_bundle;
+	char* pem_bundle, *pem_dir;
    MESA_htable_handle hash_table;
 	pthread_rwlock_t rwlock;
 	X509_STORE* effective_store;
 };
-static X509_STORE* _X509_store_create(const char* pem_bundle)
+ static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type type, const char* filename)
+ {
+	 int ret=0;
+	 BIO *bio=NULL;
+	 X509* x=NULL;
+	 X509_CRL* x_crl=NULL;
+	 int error;
+	 
+	 bio=BIO_new_file(filename, "r");
+	 if(bio==NULL)
+	 {
+		 return -1;
+	 }
+	 ret=0;
+	 if(type==SSL_X509_OBJ_CERT)
+	 {
+		 while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
+		 {
+			 ret=X509_STORE_add_cert(store, x);
+			 if(ret==0)
+			 {
+				 X509_free(x);
+				 break;
+			 }
+		 }
+	 }
+	 else if(type==SSL_X509_OBJ_CRL)
+	 {
+		 while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
+		 {
+			 ret=X509_STORE_add_crl(store, x_crl);
+			 if(ret==0)
+			 {
+				  X509_CRL_free(x_crl);
+				  break;
+			 }		 
+		 }
+	 }
+	 if(ret==0)
+	 {
+		 BIO_free(bio);
+		 return -1;
+	 }
+	 BIO_free(bio);
+	 return 1;
+ }
+
+ static int filter_pem_fn(const struct dirent * ent)
+ {
+ 	const char* fn_suffix=".pem";
+ 	if(strlen(ent->d_name)< strlen(fn_suffix))
+	{
+		return 0;
+	}
+	if(0!=strcmp(ent->d_name+strlen(ent->d_name)-strlen(fn_suffix), fn_suffix))
+	{
+		return 0;
+	}
+	return 1;
+ }
+
+static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir)
 {
-	int ret=0;
+	int ret=0, n=0, i=0;
+	
+	struct dirent **namelist;
 	X509_STORE* store=X509_STORE_new();
+	char path[TFE_STRING_MAX]={0};
 	if (store == NULL)
 	{
 		return NULL;
@@ -55,6 +119,24 @@ static X509_STORE* _X509_store_create(const char* pem_bundle)
 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_set1_param(store, param);
 	X509_VERIFY_PARAM_free(param);
+
+	n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
+	
+	for(i=0;i<n;i++)
+	{
+		snprintf(path, sizeof(path), "%s/%s",pem_dir, namelist[i]->d_name);
+		if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+		}
+		else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+		}
+		free(namelist[i]);
+	}
+	free(namelist);
+
 	return store;
 }
 static MESA_htable_handle _create_mesa_htable(void)
@@ -76,18 +158,18 @@ static MESA_htable_handle _create_mesa_htable(void)
 	ret = MESA_htable_mature(htable);
 	return htable;
 }
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle)
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir)
 {
 	int ret=0;
 	struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
-	storage->effective_store=_X509_store_create(pem_bundle);
+	storage->effective_store=_X509_store_create(pem_bundle, pem_dir);
 	if (storage->effective_store == NULL)
 	{
 		return NULL;
 	}

 	storage->pem_bundle=tfe_strdup(pem_bundle);
-	
+	storage->pem_dir=tfe_strdup(pem_dir);
 	storage->hash_table=_create_mesa_htable();
 	pthread_rwlock_init(&(storage->rwlock), NULL);
 	
@@ -100,52 +182,7 @@ void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
 	return;
 }

-static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type type, const char* filename)
-{
-	int ret=0;
-	BIO *bio=NULL;
-	X509* x=NULL;
-	X509_CRL* x_crl=NULL;
-	int error;
-	
-	bio=BIO_new_file(filename, "r");
-	if(bio==NULL)
-	{
-		return -1;
-	}
-	ret=0;
-	if(type==SSL_X509_OBJ_CERT)
-	{
-		while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
-		{
-			ret=X509_STORE_add_cert(store, x);
-			if(ret==0)
-			{
-				X509_free(x);
-				break;
-			}
-		}
-	}
-	else if(type==SSL_X509_OBJ_CRL)
-	{
-		while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
-		{
-			ret=X509_STORE_add_crl(store, x_crl);
-			if(ret==0)
-			{
-				 X509_CRL_free(x_crl);
-				 break;
-			}		
-		}
-	}
-	if(ret==0)
-	{
-		BIO_free(bio);
-		return -1;
-	}
-	BIO_free(bio);
-	return 1;
-}
+
 int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename)
 {

@@ -198,7 +235,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
 		ret=-1;
 		goto error_out;
 	}
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
 	MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
 	X509_STORE_free(storage->effective_store);
 	storage->effective_store=temp_store;
@@ -215,7 +252,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
 	MESA_htable_destroy(storage->hash_table, NULL);
 	
 	storage->hash_table=_create_mesa_htable();
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);

 	pthread_rwlock_wrlock(&(storage->rwlock));
 	X509_STORE_free(storage->effective_store);