证书校验不通过时,输出证书信息。
@@ -149,7 +149,8 @@ int ssl_x509_serial_copyrand(X509 *, X509 *);
|
|||||||
X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *);
|
X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *);
|
||||||
|
|
||||||
X509 * ssl_x509_load(const char *);
|
X509 * ssl_x509_load(const char *);
|
||||||
char * ssl_x509_subject(X509 *);
|
char * ssl_x509_subject(const X509 * crt);
|
||||||
|
char * ssl_x509_issuer(const X509 * crt);
|
||||||
char * ssl_x509_subject_cn(X509 *, size_t *);
|
char * ssl_x509_subject_cn(X509 *, size_t *);
|
||||||
|
|
||||||
int ssl_x509_fingerprint_sha1(X509 *, unsigned char *);
|
int ssl_x509_fingerprint_sha1(X509 *, unsigned char *);
|
||||||
|
|||||||
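Review bot: The new prototypes `ssl_x509_subject(const X509 * crt)` and `ssl_x509_issuer(const X509 * crt)` carry a parameter name while every neighbouring declaration in this hunk is anonymous; for consistency write `char * ssl_x509_subject(const X509 *);` and `char * ssl_x509_issuer(const X509 *);`. `ssl_conn_verify_cert` changes its last parameter from `const char **` to `char **` in the .c later in this commit, yet no visible hunk updates a declaration of it — if this header (or another) declares it, the build breaks, so confirm. The helper `ssl_X509_print_name` added in the .c is not declared here either, so it should be `static` in its translation unit unless it is meant to be public.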
@@ -640,18 +640,19 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
|||||||
struct future* f_certstore_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
|
struct future* f_certstore_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
|
||||||
ctx->f_certstore_rpc = f_certstore_rpc;
|
ctx->f_certstore_rpc = f_certstore_rpc;
|
||||||
char *url = NULL;
|
char *url = NULL;
|
||||||
url = (char*)malloc(strlen(escaped_origin_cert_pem) + TFE_STRING_MAX);
|
|
||||||
//keyring_id = 1;
|
//keyring_id = 1;
|
||||||
if(sni == NULL || sni[0] == '\0')
|
if(sni == NULL || sni[0] == '\0')
|
||||||
{
|
{
|
||||||
sprintf(url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
|
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
|
||||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid, escaped_origin_cert_pem);
|
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid, escaped_origin_cert_pem);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
sprintf(url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
|
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
|
||||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid, escaped_origin_cert_pem);
|
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid, escaped_origin_cert_pem);
|
||||||
}
|
}
|
||||||
|
TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url);
|
||||||
curl_free(escaped_origin_cert_pem);
|
curl_free(escaped_origin_cert_pem);
|
||||||
tfe_rpc_async_ask(f_certstore_rpc, url, GET, DONE_CB, NULL, 0, evbase);
|
tfe_rpc_async_ask(f_certstore_rpc, url, GET, DONE_CB, NULL, 0, evbase);
|
||||||
free(url);
|
free(url);
|
||||||
|
|||||||
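Review bot: The result of `asprintf` is not checked in either branch of key_keeper_async_ask; when it fails, glibc leaves `url` indeterminate (only the BSD variant sets it to NULL), and the pointer is then logged, handed to `tfe_rpc_async_ask` and freed. Check the return in both branches, e.g. `if (asprintf(&url, ..., escaped_origin_cert_pem) < 0) url = NULL;`, and before the RPC call bail out with `if (url == NULL) { curl_free(escaped_origin_cert_pem); return; }` — whatever failure report the caller expects (certstore_rpc_on_fail, presumably) has to be triggered there, and that logic is outside the hunk. `asprintf` is a GNU/BSD extension, so on glibc `_GNU_SOURCE` must be defined before the system includes or the call is an implicit declaration. Separately, `sni` (taken from the client hello elsewhere on this page) is inserted into the query string unescaped while `origin_cert` is curl-escaped, so a name containing `&` or `#` changes the request that reaches the cert store; pass it through the same `curl_easy_escape` step. The function starts before this hunk.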
@@ -598,9 +598,10 @@ error_out:
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, const char** error_string)
|
int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, char** error_string)
|
||||||
{
|
{
|
||||||
int ret = 0, err_code=0;
|
int ret = 0, err_code=0;
|
||||||
|
char *subj=NULL, *issuer=NULL;
|
||||||
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
|
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
|
||||||
if (cert_chain == NULL)
|
if (cert_chain == NULL)
|
||||||
{
|
{
|
||||||
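Review bot: The signature change turns `*error_string` from a pointer to OpenSSL's static message into a heap string the caller must release, but nothing documents that contract; add a header comment above ssl_conn_verify_cert along the lines of `Verifies the peer certificate of ssl against store; returns 1 on success. On failure *error_string receives a malloc()ed description (verify error, subject, issuer) that the caller must free(); it is left untouched on success, so callers initialise it to NULL.` The prototype in the header is not in any visible hunk and must change from `const char **` to `char **` too, or the two disagree. The body continues in the next hunk.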
@@ -617,7 +618,14 @@ int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, const char** error
|
|||||||
if(ret!=1)
|
if(ret!=1)
|
||||||
{
|
{
|
||||||
err_code=X509_STORE_CTX_get_error(ctx);
|
err_code=X509_STORE_CTX_get_error(ctx);
|
||||||
*error_string=X509_verify_cert_error_string(err_code);
|
subj=ssl_x509_subject(cert);
|
||||||
|
issuer=ssl_x509_issuer(cert);
|
||||||
|
asprintf(error_string, "%s : subject - %s issuer - %s"
|
||||||
|
, X509_verify_cert_error_string(err_code)
|
||||||
|
, subj
|
||||||
|
, issuer);
|
||||||
|
free(subj);
|
||||||
|
free(issuer);
|
||||||
}
|
}
|
||||||
X509_STORE_CTX_free(ctx);
|
X509_STORE_CTX_free(ctx);
|
||||||
return (ret == 1);
|
return (ret == 1);
|
||||||
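Review bot: The new `asprintf(error_string, ...)` call is unchecked; on failure glibc leaves `*error_string` indeterminate, and the caller in ssl_server_connected_eventcb then prints it with `%s` and `free()`s it. Store the result and null the pointer on failure, `if (asprintf(error_string, "%s : subject - %s issuer - %s", X509_verify_cert_error_string(err_code), subj, issuer) < 0) { *error_string = NULL; }`, so callers can test for NULL. `subj` and `issuer` also reach `%s` without a NULL check, and ssl_x509_subject/ssl_x509_issuer can return NULL if the BIO or (depending on what `ALLOC` does on OOM, not visible here) the allocation fails, so substitute a placeholder such as `subj ? subj : "?"`. The XN_FLAG_ONELINE form used by the helper escapes control characters, so embedding a peer-supplied DN in the message is acceptable for logging. `cert` and `ctx` are defined outside this hunk, and the function starts in the previous one.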
@@ -953,7 +961,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
|||||||
struct ssl_stream * s_stream = ctx->s_stream;
|
struct ssl_stream * s_stream = ctx->s_stream;
|
||||||
struct ssl_mgr* mgr=s_stream->mgr;
|
struct ssl_mgr* mgr=s_stream->mgr;
|
||||||
SSL_SESSION * ssl_sess = NULL;
|
SSL_SESSION * ssl_sess = NULL;
|
||||||
const char* error_string=NULL;
|
char* error_string=NULL;
|
||||||
|
|
||||||
if (events & BEV_EVENT_ERROR)
|
if (events & BEV_EVENT_ERROR)
|
||||||
{
|
{
|
||||||
@@ -993,6 +1001,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
|||||||
char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
|
char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
|
||||||
TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
|
TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
|
||||||
free(addr_str);
|
free(addr_str);
|
||||||
|
free(error_string);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|||||||
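Review bot: `free(error_string)` is added only on the `Fake Cert` logging path; if the result of ssl_conn_verify_cert, which now allocates `*error_string`, is also handled on another path of this callback, the string leaks there — the surrounding control flow is outside the hunk, so confirm. The `%s` in the TFE_LOG_INFO line should also tolerate a NULL `error_string` (`error_string ? error_string : "unknown"`), since a failed allocation inside ssl_conn_verify_cert leaves it NULL or, if that asprintf stays unchecked, indeterminate. The enclosing function ssl_server_connected_eventcb starts before this hunk.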
@@ -1062,6 +1062,27 @@ errout:
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
char* ssl_X509_print_name(X509_NAME* name)
|
||||||
|
{
|
||||||
|
//ref: https://kahdev.wordpress.com/2008/11/23/a-certificates-name-issuer-and-its-keyusage/
|
||||||
|
// Set up a BIO to put the name line into.
|
||||||
|
BIO *name_Bio = BIO_new(BIO_s_mem());
|
||||||
|
|
||||||
|
// Now, put the name line into the BIO.
|
||||||
|
X509_NAME_print_ex(name_Bio, name, 0, XN_FLAG_ONELINE);
|
||||||
|
|
||||||
|
// Obtain a reference to the data and copy out
|
||||||
|
// just the length of the data.
|
||||||
|
char *data_start = NULL;
|
||||||
|
char *name_string = NULL;
|
||||||
|
long nameLength = BIO_get_mem_data(name_Bio, &data_start);
|
||||||
|
|
||||||
|
name_string = ALLOC(char, nameLength + 1);
|
||||||
|
memset(name_string, 0, nameLength + 1);
|
||||||
|
memcpy(name_string, data_start, nameLength);
|
||||||
|
BIO_vfree(name_Bio);
|
||||||
|
return name_string;
|
||||||
|
}
|
||||||
/*
|
/*
|
||||||
* Returns the result of ssl_key_identifier_sha1() as hex characters with or
|
* Returns the result of ssl_key_identifier_sha1() as hex characters with or
|
||||||
* without colons in a newly allocated string.
|
* without colons in a newly allocated string.
|
||||||
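Review bot: `BIO_new` and `X509_NAME_print_ex` are unchecked in ssl_X509_print_name: with a NULL BIO the print fails and `BIO_get_mem_data` dereferences NULL, and after a failed print the function returns an empty string as though it were the name. The function is not declared in the header hunk of this commit, so it should be `static`, and `name_Bio`/`nameLength` are camelCase in an otherwise snake_case file. The `memset` is redundant if `ALLOC` zero-fills (not visible) and writing the terminator explicitly is clearer, and `memcpy` from the BIO's data pointer with length 0 should be skipped for an empty name. Like its neighbours it needs a header comment stating the format, that the caller must `free()` the result and that NULL means failure (the callers in ssl_conn_verify_cert then need a NULL fallback). A rewrite with those checks, treating a negative return from `X509_NAME_print_ex` as failure (the documented error value for non-COMPAT flags — confirm against the OpenSSL version in use):
```c
/*
 * Returns the one-line (XN_FLAG_ONELINE, RFC 2253 style) representation of
 * name in a newly allocated string which must be freed by the caller, or
 * NULL on failure.
 */
static char *ssl_X509_print_name(X509_NAME *name)
{
	char *name_string = NULL;
	BIO *name_bio = BIO_new(BIO_s_mem());
	if (name_bio == NULL) {
		return NULL;
	}
	/* XN_FLAG_ONELINE escapes control characters, so the result is log-safe. */
	if (X509_NAME_print_ex(name_bio, name, 0, XN_FLAG_ONELINE) < 0) {
		goto out;
	}
	char *data_start = NULL;
	long name_length = BIO_get_mem_data(name_bio, &data_start);
	if (name_length < 0) {
		goto out;
	}
	name_string = ALLOC(char, name_length + 1);
	if (name_string != NULL) {
		if (name_length > 0) {
			memcpy(name_string, data_start, (size_t)name_length);
		}
		name_string[name_length] = '\0';
	}
out:
	BIO_vfree(name_bio);
	return name_string;
}
```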
@@ -1080,12 +1101,21 @@ char * ssl_key_identifier(EVP_PKEY * key, int colons)
|
|||||||
* Returns the one-line representation of the subject DN in a newly allocated
|
* Returns the one-line representation of the subject DN in a newly allocated
|
||||||
* string which must be freed by the caller.
|
* string which must be freed by the caller.
|
||||||
*/
|
*/
|
||||||
char *
|
char * ssl_x509_subject(const X509 * crt)
|
||||||
ssl_x509_subject(X509 * crt)
|
|
||||||
{
|
{
|
||||||
return X509_NAME_oneline(X509_get_subject_name(crt), NULL, 0);
|
return ssl_X509_print_name(X509_get_subject_name(crt));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Returns the one-line representation of the issuer in a newly allocated
|
||||||
|
* string which must be freed by the caller.
|
||||||
|
*/
|
||||||
|
char * ssl_x509_issuer(const X509 * crt)
|
||||||
|
{
|
||||||
|
return ssl_X509_print_name(X509_get_issuer_name(crt));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Parse the common name from the subject distinguished name.
|
* Parse the common name from the subject distinguished name.
|
||||||
* Returns string allocated using malloc(), caller must free().
|
* Returns string allocated using malloc(), caller must free().
|
||||||
|
|||||||
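Review bot: Replacing `X509_NAME_oneline` with `ssl_X509_print_name` changes the output format of ssl_x509_subject from OpenSSL's `/C=XX/O=.../CN=...` form to the RFC 2253-style `C = XX, O = ..., CN = ...` form of XN_FLAG_ONELINE; any caller that parses this string (the neighbouring ssl_x509_subject_cn, if it works from this output — its body is not visible) or compares it against stored values breaks, and the comment above the function still says only "one-line representation". State the format in both comments, e.g. `Returns the one-line RFC 2253-style representation (XN_FLAG_ONELINE) of the subject DN in a newly allocated string which must be freed by the caller with free(); NULL on failure.` `X509_get_subject_name`/`X509_get_issuer_name` take a non-const `X509 *` in OpenSSL before 1.1.0, so the new `const X509 * crt` parameter compiles cleanly only against 1.1.0 or later — worth confirming the minimum supported OpenSSL version. On the plus side, the old code handed out OPENSSL_malloc memory that callers released with plain `free()`, so the switch makes that pairing correct.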