#177 在用户访问的过程中，获取未见到过、可信的中间证书

2019-10-23 10:29:30 +08:00
parent 7476f84fa1
commit 96a13b6a51
4 changed files with 77 additions and 2 deletions
--- a/platform/src/ssl_fetch_cert.cpp
+++ b/platform/src/ssl_fetch_cert.cpp
@@ -0,0 +1,58 @@
+//
+// Created by lwp on 2019/10/16.
+//
+
+#include "ssl_utils.h"
+#include <assert.h>
+
+typedef struct x509_object_st {
+	int type;
+	union {
+		char *ptr;
+		X509 *x509;
+		X509_CRL *crl;
+		EVP_PKEY *pkey;
+	} data;
+} X509_OBJECT;
+
+
+// test use http://www.360.cn/
+void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store) {
+	// 证书链中的证书下标为 [0, count - 1]，下标为 count - 1 的证书不一定在可信证书列表中
+	int count = sk_X509_num(cert_chain);
+	printf("------------------ max depth is : %d\n", count);
+
+	// don`t need call X509_LOOKUP_free(lookup)
+	X509_LOOKUP *lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir());
+	if (lookup == NULL) {
+		return;
+	}
+
+	for (int i = 1; i < count; i++) {
+		// don1t need call X509_FREE(cert)
+		X509 *cert = sk_X509_value(cert_chain, i);
+		assert(cert);
+
+		X509_OBJECT stmp;
+		stmp.type = X509_LU_NONE;
+		stmp.data.ptr = NULL;
+		int result = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_issuer_name(cert), &stmp);
+		char *subj = ssl_x509_subject(cert);
+		char *issuer = ssl_x509_issuer(cert);
+		if (result) {
+			printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:1\n", i, subj, issuer);
+			// not use continue, case the intermediate certificate is exist and the root certificate is not exist.
+			/* continue; */
+		} else {
+			printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:0\n", i, subj, issuer);
+			char *string = ssl_x509_to_str(cert);
+			if (string) {
+				// TODO log kafka
+				printf("%s\n", string);
+				free(string);
+			}
+		}
+		free(subj);
+		free(issuer);
+	}
+}