From fc2791ee90bbda32a58f0e366e11a86f8e04c6e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B4=94=E4=B8=80=E9=B8=A3?=
Date: Fri, 26 Jul 2019 10:13:09 +0800
Subject: [PATCH] =?UTF-8?q?=E8=B0=83=E6=95=B4keykeeper=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E8=BF=87=E6=9C=9F=E6=97=B6=E9=97=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 platform/include/internal/ssl_utils.h | 2 +-
 platform/src/key_keeper.cpp | 17 ++++++++++-------
 platform/src/ssl_utils.cpp | 25 +++++++++++++++++--------
 3 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/platform/include/internal/ssl_utils.h b/platform/include/internal/ssl_utils.h
index 5fc085b..2c4939d 100644
--- a/platform/include/internal/ssl_utils.h
+++ b/platform/include/internal/ssl_utils.h
@@ -146,7 +146,7 @@ int ssl_x509_v3ext_add(X509V3_CTX * ctx, X509 * crt, const char * k, const char
 int ssl_x509_v3ext_copy_by_nid(X509 *, X509 *, int);
 int ssl_x509_serial_copyrand(X509 *, X509 *);
-X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *);
+X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *, int);
 X509 * ssl_x509_load(const char *);
 char * ssl_x509_subject(const X509 * crt);
diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index 078d9c6..3bed45c 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -45,6 +45,8 @@ struct key_keeper
 unsigned int no_cache;
 struct key_keeper_stat stat;
+ int cert_expire_time;
+
 };
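Review bot: The new trailing `int` on the `ssl_x509_forge` prototype and the new `int cert_expire_time;` member of `struct key_keeper` both carry no comment, so a reader of the header or the struct cannot tell the unit or that -1 is a sentinel; from the ±1800 s multiplier used in ssl_x509_forge, the value appears to be the total validity window of a forged certificate in hours. I would annotate the struct member as `int cert_expire_time; /* validity window of forged certs in hours (see ssl_x509_forge); -1 copies the origin cert's notBefore/notAfter */` and add the same one-line comment above the prototype in ssl_utils.h. The `struct key_keeper` definition begins outside this hunk.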
@@ -334,12 +336,12 @@ static long keyring_local_cache_query_cb(void * data, const uchar * key, uint si
 }
-static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey)
+static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey, int cert_expire_time)
 {
 //TODO: could be optimized to save cpu.
-
+
 EVP_PKEY* forge_key = ssl_key_genrsa(2048);
- X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
+ X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL, cert_expire_time);
 STACK_OF(X509)* chain = sk_X509_new_null();
 sk_X509_push(chain, ca);
 ssl_x509_refcount_inc(ca);
@@ -480,6 +482,7 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
 MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60);
 MESA_load_profile_uint_def(profile, section, "no_cache", &(keeper->no_cache), 0);
+ MESA_load_profile_int_def(profile, section, "cert_expire_time", &(keeper->cert_expire_time), 24);
 keeper->cert_cache = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
 if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path)) {
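Review bot: In the key_keeper_init hunk, `cert_expire_time` is read from the profile with default 24 but never range-checked, and every value other than -1 reaches X509_gmtime_adj as ±value*1800 s, so 0 produces a certificate that is expired at issuance and any negative value other than -1 produces notBefore later than notAfter. Right after the `MESA_load_profile_int_def` line I would reject such configs, e.g. `if(keeper->cert_expire_time != -1 && keeper->cert_expire_time <= 0) { /* log the offending value */ goto error_out; }` — `error_out` is used later in the same function, so it should be reachable here, though the label itself is outside this hunk. In the generate_x509_keyring hunk, the changed `ssl_x509_forge` call still stores its result without a NULL check even though the commit adds a new `goto errout` path to that function; the rest of generate_x509_keyring is outside the hunk, so it may be checked further down.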
@@ -502,8 +505,8 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
 goto error_out;
 }
 }
- TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d",
- section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
+ TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d, cert_expire_time:%d",
+ section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds, keeper->cert_expire_time);
 return keeper;
@@ -628,11 +631,11 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
 struct keyring_private* kyr=NULL;
 if(is_cert_valid == 1)
 {
- kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key);
+ kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key, keeper->cert_expire_time);
 }
 else
 {
- kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key);
+ kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key, keeper->cert_expire_time);
 }
 if(kyr)
 {
diff --git a/platform/src/ssl_utils.cpp b/platform/src/ssl_utils.cpp
index 80f379f..97865f8 100644
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
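Review bot: In the key_keeper_async_ask hunk the two `generate_x509_keyring` calls now differ only in which CA pair they pass, and the extra argument makes the duplication longer; a style nit, but selecting the pair first keeps one call site to maintain: `X509 * ca = (is_cert_valid == 1) ? keeper->trusted_ca_cert : keeper->untrusted_ca_cert;`, `EVP_PKEY * cakey = (is_cert_valid == 1) ? keeper->trusted_ca_key : keeper->untrusted_ca_key;`, `kyr = generate_x509_keyring(origin_cert, ca, cakey, keeper->cert_expire_time);`. The types follow from generate_x509_keyring's parameter list; key_keeper_async_ask itself starts and ends outside the hunk.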
@@ -302,7 +302,7 @@ char * ssl_ssl_masterkey_to_str(SSL * ssl)
 unsigned char * k, * r;
 //https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_master_key.html
 //In current versions of the TLS protocols, the length of client_random (and also server_random) is
- //always SSL3_RANDOM_SIZE bytes.
+ //always SSL3_RANDOM_SIZE bytes.
 unsigned char kbuf[48]={0}, rbuf[32]={0};//
 k = &kbuf[0];
 r = &rbuf[0];
@@ -659,7 +659,7 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time){
 * The optional argument extraname is added to subjectAltNames if provided.
 */
 X509 * ssl_x509_forge(X509 * cacrt, EVP_PKEY * cakey, X509 * origcrt, EVP_PKEY * key,
- const char * extraname, const char * crlurl)
+ const char * extraname, const char * crlurl, int cert_expire_time)
 {
 X509_NAME * subject, * issuer;
 GENERAL_NAMES * names;
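Review bot: The comment block above `ssl_x509_forge` (its last line, ` * The optional argument extraname is added to subjectAltNames if provided.`, is in the hunk) is not updated for the new `cert_expire_time` parameter, so the -1 sentinel and the unit are undocumented at the definition. I would add, before the closing ` */`: ` * cert_expire_time sets the validity window of the forged certificate in hours, centred on the current time (half before, half after); pass -1 to copy notBefore/notAfter from origcrt.` The body of ssl_x509_forge continues outside this hunk; the -302 hunk is a whitespace-only change.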
@@ -680,15 +680,24 @@ X509 * ssl_x509_forge(X509 * cacrt, EVP_PKEY * cakey, X509 * origcrt, EVP_PKEY *
 !X509_set_subject_name(crt, subject) ||
 !X509_set_issuer_name(crt, issuer) ||
 ssl_x509_serial_copyrand(crt, origcrt) == -1 ||
- //!X509_gmtime_adj(X509_get_notBefore(crt), (long) -60 * 60 * 24) ||
- //!X509_gmtime_adj(X509_get_notAfter(crt), (long) 60 * 60 * 24 * 364) ||
 !X509_set_pubkey(crt, key))
 goto errout;
- ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
- ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
- /* add standard v3 extensions; cf. RFC 2459 */
+ if(cert_expire_time == -1)
+ {
+ ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
+ ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
+ }
+ else
+ {
+ if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - cert_expire_time * 1800)) ||
+ !X509_gmtime_adj(X509_get_notAfter(crt), (long)(cert_expire_time * 1800))
+ {
+ goto errout;
+ }
+ }
+ /* add standard v3 extensions; cf. RFC 2459 */
 X509V3_CTX ctx;
 X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
 if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier", "hash") == -1 ||
@@ -2344,7 +2353,7 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 }
 }
 _chello->cipher_suites_len = j*2;
-
+
 pos += len;
 /* Compression Methods */
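Review bot: As the hunk reads, the `if` in the new `else` branch never closes its opening parenthesis — the second `!X509_gmtime_adj(...)` operand is followed directly by `{` — so this cannot compile unless a character was lost in transit. The same branch multiplies `cert_expire_time * 1800` in int before the `(long)` cast, so the cast does not prevent signed overflow for large configured values, there is no guard against values <= 0 (0 gives a window of zero length, negatives invert notBefore/notAfter), and 1800 is a bare magic number. I would compute the half-window once in long and fold the range check into the existing errout path, as below; the -2344 hunk is whitespace-only, and ssl_x509_forge continues outside this hunk.
```cpp
    else
    {
        /* total window is cert_expire_time hours, centred on now: half before, half after */
        long half_window = (long)cert_expire_time * 1800L;
        if(cert_expire_time <= 0 ||
           !X509_gmtime_adj(X509_get_notBefore(crt), -half_window) ||
           !X509_gmtime_adj(X509_get_notAfter(crt), half_window))
        {
            goto errout;
        }
    }
    /* … unchanged: v3 extension setup … */
```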