From c58e459005828af5e38299b1b19169d7b428d620 Mon Sep 17 00:00:00 2001
From: luwenpeng
Date: Mon, 6 Jan 2020 18:17:13 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=9C=A8=E5=8F=AF=E4=BF=A1?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=AD=98=E5=82=A8=E4=B8=AD=E6=9F=A5=E6=89=BE?= =?UTF-8?q?=E4=B8=AD=E9=97=B4=E8=AF=81=E4=B9=A6=E7=9A=84=E6=96=B9=E5=BC=8F?= =?UTF-8?q?=EF=BC=9A=E4=B9=8B=E5=89=8D=E6=98=AF=E9=80=9A=E8=BF=87=20subjec?= =?UTF-8?q?t=20=E6=9F=A5=E6=89=BE=EF=BC=8C=E6=97=A0=E6=B3=95=E5=A4=84?= =?UTF-8?q?=E7=90=86=20subject=20=E5=90=8C=E5=90=8D=E7=9A=84=E9=97=AE?= =?UTF-8?q?=E9=A2=98=EF=BC=9B=E7=8E=B0=E4=BF=AE=E6=94=B9=E4=B8=BA=E5=AE=8C?= =?UTF-8?q?=E5=85=A8=E5=8C=B9=E9=85=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 platform/src/ssl_fetch_cert.cpp | 45 +++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp
index 57ce781..7dd6231 100644
--- a/platform/src/ssl_fetch_cert.cpp
+++ b/platform/src/ssl_fetch_cert.cpp
@@ -16,13 +16,14 @@
 #include
 typedef struct x509_object_st {
- int type;
- union {
- char *ptr;
- X509 *x509;
- X509_CRL *crl;
- EVP_PKEY *pkey;
- } data;
+ /* one of the above types */
+ X509_LOOKUP_TYPE type;
+ union {
+ char *ptr;
+ X509 *x509;
+ X509_CRL *crl;
+ EVP_PKEY *pkey;
+ } data;
 } X509_OBJECT;
 typedef struct ssl_kafka_logger_s {
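Review bot: The `typedef struct x509_object_st { ... } X509_OBJECT;` redefinition is a copy of OpenSSL's private layout, presumably kept so the loop in the second hunk can write `obj->type` and `obj->data.x509` directly; it compiles only because the library's own typedef leaves the struct opaque, and if the installed library's layout differs from this mirror the member writes corrupt the object silently. The public accessor `X509_OBJECT_set1_X509(obj, cert)` fills both fields through the library and makes the whole duplicate unnecessary. The added comment `/* one of the above types */` refers to nothing in this file; if the struct is kept, replace it with a comment stating why the layout is mirrored and which library version it matches, e.g. `/* mirrors OpenSSL <version>'s struct x509_object_st so obj->data.x509 can be written directly */` with the version filled in.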
@@ -183,28 +184,34 @@ void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *
 char *issuer = NULL;
 char *fingerprint = NULL;
 X509 *cert = NULL;
- X509_LOOKUP *lookup = NULL;
- X509_OBJECT stmp;
-
+ X509_OBJECT *obj = NULL;
 if (!g_kafka_logger || !g_kafka_logger->enable) {
 return;
 }
- // don`t need call X509_LOOKUP_free(lookup)
- lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir());
- if (lookup == NULL) {
- return;
- }
-
 deep = sk_X509_num(cert_chain);
 for (int i = 1; i < deep; i++) {
 // need't call X509_FREE(cert)
 cert = sk_X509_value(cert_chain, i);
 assert(cert);
- stmp.type = X509_LU_NONE;
- stmp.data.ptr = NULL;
- ret = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_subject_name(cert), &stmp);
+ obj = X509_OBJECT_new();
+ assert(obj);
+ obj->type = X509_LU_X509;
+ obj->data.x509 = (X509 *)cert;
+
+ // not in trusted store
+ if (X509_OBJECT_retrieve_match(X509_STORE_get0_objects(trusted_store), obj) == NULL)
+ {
+ ret = 0;
+ }
+ // in trusted store
+ else
+ {
+ ret = 1;
+ }
+ X509_OBJECT_free(obj);
+
 subj = ssl_x509_subject(cert);
 issuer = ssl_x509_issuer(cert);
 fingerprint = ssl_x509_fingerprint(cert, 0);
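Review bot: `obj->data.x509 = (X509 *)cert;` stores a pointer borrowed from `cert_chain` (the comment a few lines up says the certificate must not be freed) and `X509_OBJECT_free(obj)` then releases it — for type `X509_LU_X509` the OpenSSL 1.1.x free routine calls `X509_free` on the held certificate, so every iteration drops a reference the chain still owns and the chain's later teardown can double-free or touch a freed certificate. Replace the two direct member writes with `X509_OBJECT_set1_X509(obj, cert);`, which takes its own reference and whose return value should be checked, or call `X509_up_ref(cert)` before the assignment; the `(X509 *)` cast is redundant either way since `cert` is already an `X509 *`. `assert(obj)` is the only check on `X509_OBJECT_new()` and is compiled out under `NDEBUG`, leaving a null dereference on allocation failure; skip the iteration or return instead. The enclosing function starts before and continues after this hunk.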