From a571c85b4716b0d065cf347fbc87655cad9cf91a Mon Sep 17 00:00:00 2001
From: luwenpeng
Date: Wed, 25 Sep 2024 17:55:12 +0800
Subject: [PATCH] feature (adapt maat): keyring type changed from int to uuid_string when using RPC with cerstore
---
 platform/include/internal/key_keeper.h | 2 +-
 platform/src/key_keeper.cpp | 18 ++++++++++--------
 platform/src/ssl_stream.cpp | 8 ++++----
 3 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/platform/include/internal/key_keeper.h b/platform/include/internal/key_keeper.h
index f3305ab..ae288ec 100644
--- a/platform/include/internal/key_keeper.h
+++ b/platform/include/internal/key_keeper.h
@@ -27,7 +27,7 @@ void key_keeper_free_keyring(struct keyring* cert);
 struct evhttp_connection* key_keeper_evhttp_init(struct event_base * evbase, struct evdns_base* dnsbase, struct key_keeper * key_keeper_handler);
-void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id,
+void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, uuid_t *keyring_uuid,
 X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp);
 void key_keeper_statistic(struct key_keeper *keeper, struct key_keeper_stat* result);
diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index 5e77d12..a093802 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -678,7 +678,7 @@ struct keyring* key_keeper_release_keyring(future_result_t* result)
 return &(kyr->head);
 }
-static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len, int is_cert_valid)
+static uchar* get_key_by_cert(X509* cert, const char *keyring_uuid_str, unsigned int* len, int is_cert_valid)
 {
 if(cert == NULL) {
@@ -692,7 +692,7 @@ static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len, int
 }
 char* key = ALLOC(char, HTABLE_MAX_KEY_LEN);
 memset(key, 0, HTABLE_MAX_KEY_LEN);
- snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_id, is_cert_valid);
+ snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_uuid_str, is_cert_valid);
 strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN);
 *len = strnlen(key, HTABLE_MAX_KEY_LEN);
 free(cert_fingerprint);
@@ -716,11 +716,13 @@ char* url_escape(char* url)
 return _url;
 }
-void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp)
+void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, uuid_t *keyring_uuid, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp)
 {
 struct promise* p = future_to_promise(f);
 unsigned int len = 0;
- uchar* key = get_key_by_cert(origin_cert, keyring_id, &len, is_cert_valid);
+ char keyring_uuid_str[UUID_STRING_SIZE];
+ uuid_unparse(*keyring_uuid, keyring_uuid_str);
+ uchar* key = get_key_by_cert(origin_cert, keyring_uuid_str, &len, is_cert_valid);
 if(key == NULL) {
 promise_failed(p, FUTURE_ERROR_EXCEPTION, "get hash key by_cert failed");
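Review bot: The format string in the changed snprintf still reads `"%d:%d:"` while its first argument is now `keyring_uuid_str`, a `const char *`, so the cache key is built from a pointer value reinterpreted as an int (undefined behaviour; typically the low bits of a stack address) instead of the keyring UUID. The key then no longer distinguishes keyrings and differs between runs, so a lookup can hit a keyring generated for the other keyring id. Change it to `snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:", keyring_uuid_str, is_cert_valid);`. Note also that the prefix grows from a short integer to 36 characters (uuid_unparse writes 36 characters plus a NUL, so `UUID_STRING_SIZE` in the next hunk must be at least 37), and the following `strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN)` bounds the appended count rather than the buffer, so it should use the remaining space, e.g. `strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN - strlen(key) - 1);`, or the whole key should come from one snprintf whose return value is checked for truncation. get_key_by_cert starts outside the hunk.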
@@ -771,13 +773,13 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
 //keyring_id = 1;
 if(sni == NULL || sni[0] == '\0') {
- asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d",
- keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid);
+ asprintf(&url, "http://%s:%d/ca?keyring_id=%s&is_valid=%d",
+ keeper->cert_store_host, keeper->cert_store_port, keyring_uuid_str, is_cert_valid);
 } else {
- asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d",
- keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid);
+ asprintf(&url, "http://%s:%d/ca?keyring_id=%s&sni=%s&is_valid=%d",
+ keeper->cert_store_host, keeper->cert_store_port, keyring_uuid_str, sni, is_cert_valid);
 }
 TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url);
 tfe_rpc_async_ask(f_certstore_rpc, url, POST, DONE_CB, origin_cert_pem, strlen(origin_cert_pem), evbase, dnsbase, evhttp);
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 282cf47..f1d9d74 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
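Review bot: The rewritten `asprintf` calls still ignore their return value; on allocation failure `url` is left indeterminate and is then handed to `TFE_LOG_DEBUG` and `tfe_rpc_async_ask`. Initialise `char *url = NULL;` where it is declared (outside the hunk) and fail the promise when `asprintf(...) < 0` before the query is issued. The stale commented-out `//keyring_id = 1;` just above refers to the variable this commit removes and should go with it. `%s` is safe for the UUID here since uuid_unparse emits only hex digits and hyphens, but `sni` is still interpolated verbatim into the query string — confirm it has been passed through url_escape (defined earlier in this file) before it reaches this point. key_keeper_async_ask starts outside the hunk.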
@@ -2036,16 +2036,16 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
 ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
 ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
- int keyring_id = 0;
+ uuid_t *keyring_uuid = NULL;
 if (ctx->is_origin_crt_verify_passed) {
- keyring_id = upstream->up_parts.keyring_for_trusted;
+ keyring_uuid = &upstream->up_parts.keyring_for_trusted;
 } else {
- keyring_id = upstream->up_parts.keyring_for_untrusted;
+ keyring_uuid = &upstream->up_parts.keyring_for_untrusted;
 }
- key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
+ key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_uuid, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
 evbase, dnsbase, evhttp);
 return;
 }
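Review bot: `keyring_uuid` is initialised to NULL and then assigned on both branches, which hides that key_keeper_async_ask dereferences it unconditionally (`uuid_unparse(*keyring_uuid, ...)` in key_keeper.cpp) and that this if/else is the only thing keeping it non-NULL. A conditional initialiser makes the invariant visible and drops the dead NULL: `uuid_t *keyring_uuid = ctx->is_origin_crt_verify_passed ? &upstream->up_parts.keyring_for_trusted : &upstream->up_parts.keyring_for_untrusted;`. The pointer aims into `upstream->up_parts` and is consumed synchronously at the top of key_keeper_async_ask before the RPC is issued, so the lifetime is fine, but a one-line comment would save the next reader the trace, e.g. `// read synchronously by key_keeper_async_ask; not retained past this call`. Since the callee only reads through it, the header could take `const uuid_t *keyring_uuid`. ssl_async_downstream_create starts outside the hunk.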