和tfe联调完成,修复一些已知问题,增加一些日志
This commit is contained in:
崔一鸣
@@ -7,6 +7,8 @@
|
||||
#include "tfe_rpc.h"
|
||||
#include <event2/http.h>
|
||||
#include <cjson/cJSON.h>
|
||||
#include <curl/curl.h>
|
||||
|
||||
#define HTABLE_MAX_KEY_LEN 256
|
||||
#define KEYRING_EXSITED 0
|
||||
#define KEYRING_NOT_EXSITED -1
|
||||
@@ -69,9 +71,6 @@ static struct keyring_private* keyring_new(void)
|
||||
}
|
||||
|
||||
/*
|
||||
* Passed OpenSSL objects are owned by cert_t; refcount will not be
|
||||
* incremented, stack will not be duplicated.
|
||||
*/
|
||||
static struct keyring* keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain)
|
||||
{
|
||||
struct keyring_private* kyr=NULL;
|
||||
@@ -98,6 +97,7 @@ static struct keyring* keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *c
|
||||
}
|
||||
return &(kyr->head);
|
||||
}
|
||||
*/
|
||||
|
||||
// Increment reference count.
|
||||
static void keyring_ref_inc(struct keyring_private* kyr)
|
||||
@@ -198,19 +198,60 @@ void key_keeper_free_keyring(struct keyring *kyr)
|
||||
|
||||
static X509* transform_cert_to_x509(const char* str)
|
||||
{
|
||||
BIO *bio;
|
||||
X509 *cert;
|
||||
//printf("cert: %s", str);
|
||||
BIO *bio = NULL;
|
||||
X509 *cert = NULL;
|
||||
bio = BIO_new(BIO_s_mem());
|
||||
BIO_write(bio, (const void*)str, strnlen(str, TFE_STRING_MAX));
|
||||
if(bio == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
int len = BIO_write(bio, (const void*)str, strlen(str));
|
||||
if (len <= 0 )
|
||||
{
|
||||
BIO_free_all(bio);
|
||||
return NULL;
|
||||
}
|
||||
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
|
||||
BIO_free_all(bio);
|
||||
return cert;
|
||||
}
|
||||
|
||||
static char* transform_cert_to_pem(X509* cert)
|
||||
{
|
||||
if (NULL == cert)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
BIO* bio = NULL;
|
||||
bio = BIO_new(BIO_s_mem());
|
||||
if (NULL == bio)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
if (0 == PEM_write_bio_X509(bio, cert))
|
||||
{
|
||||
BIO_free(bio);
|
||||
return NULL;
|
||||
}
|
||||
char *p = NULL;
|
||||
int len = BIO_get_mem_data(bio, &p);
|
||||
char *pem = (char*)malloc(len + 1);
|
||||
memset(pem, 0, len + 1);
|
||||
BIO_read(bio, pem, len);
|
||||
BIO_free(bio);
|
||||
return pem;
|
||||
}
|
||||
|
||||
static EVP_PKEY* transform_key_to_EVP(const char* str)
|
||||
{
|
||||
//printf("private key: %s", str);
|
||||
BIO *mem;
|
||||
mem = BIO_new_mem_buf(str, -1);
|
||||
if(mem == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
EVP_PKEY* key = PEM_read_bio_PrivateKey(mem, NULL, NULL, 0);
|
||||
BIO_free(mem);
|
||||
return key;
|
||||
@@ -345,9 +386,10 @@ static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyr
|
||||
|
||||
static void certstore_rpc_on_succ(void* result, void* user)
|
||||
{
|
||||
//printf("call certstore_rpc_on_succ\n");
|
||||
struct promise * p = (struct promise *) user;
|
||||
struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p);
|
||||
TFE_LOG_INFO(ctx->logger, "certstore rpc success");
|
||||
future_destroy(ctx->f_certstore_rpc);
|
||||
MESA_htable_handle htable= ctx->htable;
|
||||
const uchar* key = ctx->key;
|
||||
unsigned int key_len = ctx->key_len;
|
||||
@@ -360,6 +402,11 @@ static void certstore_rpc_on_succ(void* result, void* user)
|
||||
{
|
||||
*(data+len) = '\0';
|
||||
struct keyring_private* kyr= get_keyring_from_response(data);
|
||||
if(kyr == NULL)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "get_keyring_from_response failed");
|
||||
return;
|
||||
}
|
||||
keyring_ref_inc(kyr);
|
||||
int ret = MESA_htable_add(htable, key, key_len, (void*)kyr);
|
||||
if(ret<0)
|
||||
@@ -373,7 +420,6 @@ static void certstore_rpc_on_succ(void* result, void* user)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, status_msg);
|
||||
}
|
||||
future_destroy(ctx->f_certstore_rpc);
|
||||
//promise_dettach_ctx(p);
|
||||
//ctx_destroy_cb((void*)ctx);
|
||||
}
|
||||
@@ -381,9 +427,10 @@ static void certstore_rpc_on_succ(void* result, void* user)
|
||||
static void certstore_rpc_on_fail(enum e_future_error err, const char * what, void * user)
|
||||
{
|
||||
struct promise * p = (struct promise *) user;
|
||||
promise_failed(p, err, what);
|
||||
struct key_keeper_promise_ctx* ctx= (struct key_keeper_promise_ctx*)promise_get_ctx(p);
|
||||
TFE_LOG_ERROR(ctx->logger, "certstore rpc failed, what is %s", what);
|
||||
future_destroy(ctx->f_certstore_rpc);
|
||||
promise_failed(p, err, what);
|
||||
//promise_dettach_ctx(p);
|
||||
//ctx_destroy_cb((void*)ctx);
|
||||
}
|
||||
@@ -433,6 +480,8 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
|
||||
MESA_load_profile_uint_def(profile, section, "hash_slot_size", &(keeper->hash_slot_size), 16);
|
||||
MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 16);
|
||||
keeper->htable = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
|
||||
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d",
|
||||
section, keeper->mode, keeper->ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
|
||||
return keeper;
|
||||
}
|
||||
|
||||
@@ -451,17 +500,20 @@ struct keyring* key_keeper_release_keyring(future_result_t* result)
|
||||
return &(kyr->head);
|
||||
}
|
||||
|
||||
|
||||
static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len)
|
||||
{
|
||||
char* cert_fgr = NULL;
|
||||
cert_fgr = ssl_x509_fingerprint(cert, 0);
|
||||
char* key = (char*)malloc(HTABLE_MAX_KEY_LEN);
|
||||
*key = '\0';
|
||||
if(cert == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
char* cert_fgr = NULL;
|
||||
cert_fgr = ssl_x509_fingerprint(cert, 0);
|
||||
if(cert_fgr == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
char* key = (char*)malloc(HTABLE_MAX_KEY_LEN);
|
||||
memset(key, 0, HTABLE_MAX_KEY_LEN);
|
||||
snprintf(key, HTABLE_MAX_KEY_LEN, "%d:", keyring_id);
|
||||
strncat(key, cert_fgr, HTABLE_MAX_KEY_LEN);
|
||||
*len = strnlen(key, HTABLE_MAX_KEY_LEN);
|
||||
@@ -470,12 +522,32 @@ static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len)
|
||||
}
|
||||
|
||||
|
||||
char* url_escape(char* url)
|
||||
{
|
||||
if(url == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
CURL *curl = curl_easy_init();
|
||||
char* _url = NULL;
|
||||
if(curl)
|
||||
{
|
||||
_url = curl_easy_escape(curl, url, strlen(url));
|
||||
}
|
||||
return _url;
|
||||
}
|
||||
|
||||
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase)
|
||||
{
|
||||
struct promise* p = future_to_promise(f);
|
||||
struct key_keeper_promise_ctx* ctx = ALLOC(struct key_keeper_promise_ctx, 1);
|
||||
unsigned int len = 0;
|
||||
uchar* key = get_key_by_cert(origin_cert, keyring_id, &len);
|
||||
if(key == NULL)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "get hash key by_cert failed");
|
||||
return;
|
||||
}
|
||||
struct key_keeper_promise_ctx* ctx = ALLOC(struct key_keeper_promise_ctx, 1);
|
||||
ctx->logger = keeper->logger;
|
||||
ctx->htable = keeper->htable;
|
||||
ctx->key = key;
|
||||
@@ -485,7 +557,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, keyring_local_cache_query_cb, p, &cb_rtn);
|
||||
if(cb_rtn == KEYRING_EXSITED)
|
||||
{
|
||||
printf("KEYRING_EXSITED\n");
|
||||
//printf("KEYRING_EXSITED\n");
|
||||
return;
|
||||
}
|
||||
int mode = 0;
|
||||
@@ -496,22 +568,41 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
switch(mode){
|
||||
case NORMAL:
|
||||
{
|
||||
char* origin_cert_pem = transform_cert_to_pem(origin_cert);
|
||||
if(origin_cert_pem == NULL)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "transform origin_cert to pem failed");
|
||||
return;
|
||||
}
|
||||
char* escaped_origin_cert_pem = url_escape(origin_cert_pem);
|
||||
free(origin_cert_pem);
|
||||
if(escaped_origin_cert_pem == NULL)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "url escape failed");
|
||||
break;
|
||||
}
|
||||
struct future* f_certstore_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
|
||||
ctx->f_certstore_rpc = f_certstore_rpc;
|
||||
char url[TFE_STRING_MAX];
|
||||
char _sni[TFE_STRING_MAX] = "www.baidu.com";
|
||||
if(sni)
|
||||
char *url = NULL;
|
||||
url = (char*)malloc(strlen(escaped_origin_cert_pem) + TFE_STRING_MAX);
|
||||
//keyring_id = 1;
|
||||
if(sni == NULL || sni[0] == '\0')
|
||||
{
|
||||
strncpy(_sni, sni, TFE_STRING_MAX);
|
||||
sprintf(url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid, escaped_origin_cert_pem);
|
||||
}
|
||||
snprintf(url, TFE_STRING_MAX, "http://%s:%d/ca?host=%s&flag=1&valid=1&keyring_id=%d", keeper->cert_store_host, keeper->cert_store_port, _sni, keyring_id);
|
||||
printf("url is %s\n", url);
|
||||
else
|
||||
{
|
||||
sprintf(url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid, escaped_origin_cert_pem);
|
||||
}
|
||||
curl_free(escaped_origin_cert_pem);
|
||||
tfe_rpc_async_ask(f_certstore_rpc, url, GET, DONE_CB, NULL, 0, evbase);
|
||||
free(url);
|
||||
break;
|
||||
}
|
||||
case DEBUG:
|
||||
{
|
||||
//TOOD: generate X509 cert
|
||||
char* filename = NULL;
|
||||
if(is_cert_valid == 1)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user