gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改公钥长度为2048, 复制原证书的过期时间

Browse Source
This commit is contained in:
崔一鸣
2019-07-19 17:42:36 +08:00
parent 1b13ef037c
commit a7586a38ca
2 changed files with 42 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
platform/src/key_keeper.cpp
View File

@@ -337,7 +337,8 @@ static long keyring_local_cache_query_cb(void * data, const uchar * key, uint si
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey)
{
//TODO: could be optimized to save cpu.
EVP_PKEY* forge_key = ssl_key_genrsa(1024);
EVP_PKEY* forge_key = ssl_key_genrsa(2048);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
STACK_OF(X509)* chain = sk_X509_new_null();
sk_X509_push(chain, ca);

42
platform/src/ssl_utils.cpp
View File

@@ -616,6 +616,42 @@ int ssl_x509_serial_copyrand(X509 * dstcrt, X509 * srccrt)
return 0;
}
static time_t ASN1_GetTimeT(ASN1_TIME* time){
struct tm t;
const char* str = (const char*) time->data;
size_t i = 0;
memset(&t, 0, sizeof(t));
if (time->type == V_ASN1_UTCTIME) {/* two digit year */
t.tm_year = (str[i++] - '0') * 10;
t.tm_year += (str[i++] - '0');
if (t.tm_year < 70)
t.tm_year += 100;
} else if (time->type == V_ASN1_GENERALIZEDTIME) {/* four digit year */
t.tm_year = (str[i++] - '0') * 1000;
t.tm_year+= (str[i++] - '0') * 100;
t.tm_year+= (str[i++] - '0') * 10;
t.tm_year+= (str[i++] - '0');
t.tm_year -= 1900;
}
t.tm_mon = (str[i++] - '0') * 10;
t.tm_mon += (str[i++] - '0') - 1; // -1 since January is 0 not 1.
t.tm_mday = (str[i++] - '0') * 10;
t.tm_mday+= (str[i++] - '0');
t.tm_hour = (str[i++] - '0') * 10;
t.tm_hour+= (str[i++] - '0');
t.tm_min = (str[i++] - '0') * 10;
t.tm_min += (str[i++] - '0');
t.tm_sec = (str[i++] - '0') * 10;
t.tm_sec += (str[i++] - '0');
/* Note: we did not adjust the time based on time zone information */
return mktime(&t);
}
/*
* Create a fake X509v3 cert, signed by the provided CA,
* based on the original cert retrieved from the real server.
@@ -645,11 +681,13 @@ X509 * ssl_x509_forge(X509 * cacrt, EVP_PKEY * cakey, X509 * origcrt, EVP_PKEY *
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_serial_copyrand(crt, origcrt) == -1 ||
!X509_gmtime_adj(X509_get_notBefore(crt), (long) -60 * 60 * 24) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long) 60 * 60 * 24 * 364) ||
//!X509_gmtime_adj(X509_get_notBefore(crt), (long) -60 * 60 * 24) ||
//!X509_gmtime_adj(X509_get_notAfter(crt), (long) 60 * 60 * 24 * 364) ||
!X509_set_pubkey(crt, key))
goto errout;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
/* add standard v3 extensions; cf. RFC 2459 */
X509V3_CTX ctx;