gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

调整keykeeper证书过期时间

Browse Source
This commit is contained in:
崔一鸣
2019-07-26 10:13:09 +08:00
parent cf9ee6ceff
commit fc2791ee90
3 changed files with 28 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
platform/src/key_keeper.cpp
View File

@@ -45,6 +45,8 @@ struct key_keeper
unsigned int no_cache;
struct key_keeper_stat stat;
int cert_expire_time;
};
@@ -334,12 +336,12 @@ static long keyring_local_cache_query_cb(void * data, const uchar * key, uint si
}
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey)
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey, int cert_expire_time)
{
//TODO: could be optimized to save cpu.
EVP_PKEY* forge_key = ssl_key_genrsa(2048);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL, cert_expire_time);
STACK_OF(X509)* chain = sk_X509_new_null();
sk_X509_push(chain, ca);
ssl_x509_refcount_inc(ca);
@@ -480,6 +482,7 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60);
MESA_load_profile_uint_def(profile, section, "no_cache", &(keeper->no_cache), 0);
MESA_load_profile_int_def(profile, section, "cert_expire_time", &(keeper->cert_expire_time), 24);
keeper->cert_cache = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path))
{
@@ -502,8 +505,8 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
goto error_out;
}
}
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d",
section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d, cert_expire_time:%d",
section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds, keeper->cert_expire_time);
return keeper;
@@ -628,11 +631,11 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
struct keyring_private* kyr=NULL;
if(is_cert_valid == 1)
{
kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key);
kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key, keeper->cert_expire_time);
}
else
{
kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key);
kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key, keeper->cert_expire_time);
}
if(kyr)
{