diff --git a/platform/include/internal/ssl_utils.h b/platform/include/internal/ssl_utils.h
index 6f4e7cc..1896de1 100644
--- a/platform/include/internal/ssl_utils.h
+++ b/platform/include/internal/ssl_utils.h
@@ -149,7 +149,8 @@ int ssl_x509_serial_copyrand(X509 *, X509 *);
 X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *);
 X509 * ssl_x509_load(const char *);
-char * ssl_x509_subject(X509 *);
+char * ssl_x509_subject(const X509 * crt);
+char * ssl_x509_issuer(const X509 * crt);
 char * ssl_x509_subject_cn(X509 *, size_t *);
 int ssl_x509_fingerprint_sha1(X509 *, unsigned char *);
diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index bf59bee..f30bcdf 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -640,18 +640,19 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
 struct future* f_certstore_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
 ctx->f_certstore_rpc = f_certstore_rpc;
 char *url = NULL;
- url = (char*)malloc(strlen(escaped_origin_cert_pem) + TFE_STRING_MAX);
+ //keyring_id = 1;
 if(sni == NULL || sni[0] == '\0') {
- sprintf(url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
+ asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
 keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid, escaped_origin_cert_pem);
 } else {
- sprintf(url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
+ asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
 keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid, escaped_origin_cert_pem);
 }
+ TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url);
 curl_free(escaped_origin_cert_pem);
 tfe_rpc_async_ask(f_certstore_rpc, url, GET, DONE_CB, NULL, 0, evbase);
 free(url);
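Review bot: The new ssl_x509_subject/ssl_x509_issuer prototypes carry no ownership note, yet ssl_stream.cpp in this same commit free()s what they return, so the contract belongs here where callers look. Add above the pair `/* One-line DN in a newly allocated string; caller must free(). */` and say whether NULL can come back, since the ssl_utils.cc implementation has failure paths that are not handled. The helper ssl_X509_print_name that the commit adds in ssl_utils.cc is not declared in this header; if it is meant to stay file-local it should be static there.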
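Review bot: Both asprintf() calls discard their return value; on failure glibc documents the pointer as unspecified, yet url is then logged with %s, handed to tfe_rpc_async_ask() and free()d. Guard each call, e.g. `if (asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s", ...) < 0) { url = NULL; /* abandon the lookup */ }`, and take the function's failure path, which lies outside the hunk. In the else branch sni is spliced into the query verbatim while the certificate goes through curl_easy_escape(); an SNI value containing `&`, `=`, `#` or whitespace changes how the cert store parses the query, so escape it the same way and curl_free() the copy after the call. The `//keyring_id = 1;` line is commented-out code and should be dropped rather than left as a placeholder. key_keeper_async_ask() begins before and continues after this hunk.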
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index d0a43b1..7c8aa75 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -598,9 +598,10 @@ error_out:
 return NULL;
 }
-int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, const char** error_string)
+int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, char** error_string)
 {
 int ret = 0, err_code=0;
+ char *subj=NULL, *issuer=NULL;
 STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
 if (cert_chain == NULL) {
@@ -617,7 +618,14 @@ int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, const char** error
 if(ret!=1) {
 err_code=X509_STORE_CTX_get_error(ctx);
- *error_string=X509_verify_cert_error_string(err_code);
+ subj=ssl_x509_subject(cert);
+ issuer=ssl_x509_issuer(cert);
+ asprintf(error_string, "%s : subject - %s issuer - %s"
+ , X509_verify_cert_error_string(err_code)
+ , subj
+ , issuer);
+ free(subj);
+ free(issuer);
 }
 X509_STORE_CTX_free(ctx);
 return (ret == 1);
@@ -953,7 +961,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 struct ssl_stream * s_stream = ctx->s_stream;
 struct ssl_mgr* mgr=s_stream->mgr;
 SSL_SESSION * ssl_sess = NULL;
- const char* error_string=NULL;
+ char* error_string=NULL;
 if (events & BEV_EVENT_ERROR) {
@@ -993,6 +1001,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
 TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
 free(addr_str);
+ free(error_string);
 }
 }
 else
diff --git a/platform/src/ssl_utils.cc b/platform/src/ssl_utils.cc
index 53944ae..11fa6bf 100644
--- a/platform/src/ssl_utils.cc
+++ b/platform/src/ssl_utils.cc
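Review bot: The signature change hands ownership of *error_string to the caller, but no declaration of ssl_conn_verify_cert is updated anywhere in this diff; if one exists in a header, C++ would treat the old const char** form as a separate overload and the mismatch would only surface at link time. Record the contract at the definition, e.g. `/* On failure, *error_string receives a malloc()ed description the caller must free(); it is not touched on success. */`. The body of ssl_conn_verify_cert continues past this hunk.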
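Review bot: asprintf()'s return value is ignored in the verification-failure branch, so when it fails *error_string is left in an unspecified state and ssl_server_connected_eventcb goes on to print it with %s and free() it. subj and issuer are likewise passed to %s unchecked; whether ssl_X509_print_name can hand back NULL depends on what ALLOC does on failure, which this diff does not show. Write `if (asprintf(error_string, "%s : subject - %s issuer - %s", X509_verify_cert_error_string(err_code), subj ? subj : "?", issuer ? issuer : "?") < 0) *error_string = NULL;` so the caller always sees a defined value it can test before logging. cert is chosen outside the hunk; X509_STORE_CTX_get_current_cert(ctx) names the certificate the error code actually refers to, which for chain errors can be an issuer rather than the leaf, and would make the message more accurate.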
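Review bot: free(error_string) is added on this one branch only; ssl_server_connected_eventcb starts and ends outside the hunk, so any other exit taken after ssl_conn_verify_cert() has filled error_string would still leak the string, and the remaining paths of the callback deserve a look. Because the verify function only sets the pointer on failure and the variable starts as NULL, this free is also safe on the success path. The TFE_LOG_INFO line just above passes error_string to %s, so if the verify function can leave it NULL on allocation failure that call needs a guard as well.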
@@ -1062,6 +1062,27 @@ errout:
 return -1;
 }
+char* ssl_X509_print_name(X509_NAME* name)
+{
+ //ref: https://kahdev.wordpress.com/2008/11/23/a-certificates-name-issuer-and-its-keyusage/
+ // Set up a BIO to put the name line into.
+ BIO *name_Bio = BIO_new(BIO_s_mem());
+
+ // Now, put the name line into the BIO.
+ X509_NAME_print_ex(name_Bio, name, 0, XN_FLAG_ONELINE);
+
+ // Obtain a reference to the data and copy out
+ // just the length of the data.
+ char *data_start = NULL;
+ char *name_string = NULL;
+ long nameLength = BIO_get_mem_data(name_Bio, &data_start);
+
+ name_string = ALLOC(char, nameLength + 1);
+ memset(name_string, 0, nameLength + 1);
+ memcpy(name_string, data_start, nameLength);
+ BIO_vfree(name_Bio);
+ return name_string;
+}
 /*
 * Returns the result of ssl_key_identifier_sha1() as hex characters with or
 * without colons in a newly allocated string.
@@ -1080,12 +1101,21 @@ char * ssl_key_identifier(EVP_PKEY * key, int colons)
 * Returns the one-line representation of the subject DN in a newly allocated
 * string which must be freed by the caller.
 */
-char *
-ssl_x509_subject(X509 * crt)
+char * ssl_x509_subject(const X509 * crt)
 {
- return X509_NAME_oneline(X509_get_subject_name(crt), NULL, 0);
+ return ssl_X509_print_name(X509_get_subject_name(crt));
 }
+/*
+ * Returns the one-line representation of the issuer in a newly allocated
+ * string which must be freed by the caller.
+ */
+char * ssl_x509_issuer(const X509 * crt)
+{
+ return ssl_X509_print_name(X509_get_issuer_name(crt));
+}
+
+
 /*
 * Parse the common name from the subject distinguished name.
 * Returns string allocated using malloc(), caller must free().
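Review bot: ssl_X509_print_name does no error checking: BIO_new() can return NULL and is then dereferenced by X509_NAME_print_ex and BIO_get_mem_data, the result of X509_NAME_print_ex is ignored, and nameLength sizes both ALLOC and memcpy without a check for a negative value. The function is added with external linkage but is not declared in the ssl_utils.h hunk, so it should presumably be static, and name_Bio/nameLength break the snake_case used elsewhere in the file. The memset before memcpy only buys the terminator, which is cheaper to write directly. The rewrite below adds those checks; what ALLOC does on failure is not visible in the diff, so the NULL test on its result is an assumption to confirm.
```cpp
static char* ssl_X509_print_name(X509_NAME* name)
{
    //ref: https://kahdev.wordpress.com/2008/11/23/a-certificates-name-issuer-and-its-keyusage/
    BIO *name_bio = BIO_new(BIO_s_mem());
    if (name_bio == NULL)
        return NULL;

    // With non-COMPAT flags this returns the byte count written, or -1 on error.
    if (X509_NAME_print_ex(name_bio, name, 0, XN_FLAG_ONELINE) < 0) {
        BIO_vfree(name_bio);
        return NULL;
    }

    char *data_start = NULL;
    long name_len = BIO_get_mem_data(name_bio, &data_start);
    char *name_string = NULL;
    if (name_len >= 0) {
        name_string = ALLOC(char, name_len + 1);
        if (name_string != NULL) {   // ALLOC's failure behaviour is not visible here; confirm
            memcpy(name_string, data_start, (size_t)name_len);
            name_string[name_len] = '\0';
        }
    }
    BIO_vfree(name_bio);
    return name_string;
}
```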
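Review bot: ssl_x509_subject now yields X509_NAME_print_ex's one-line form (`C = US, O = ...`) instead of X509_NAME_oneline's `/C=US/O=...`; any existing caller that parses or compares the old form is not in this diff and should be checked, since the header hunk only shows ssl_x509_subject_cn as a separate parser. The const X509 * parameter compiles only with an OpenSSL whose X509_get_subject_name/X509_get_issuer_name accept a const argument (1.1.0 and later); on older versions this file no longer builds. Both doc comments promise a newly allocated string, so if the helper can return NULL on failure extend each with `* Returns NULL if the name could not be rendered.`. The two blank lines added before the next comment block are surplus.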