gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

调整keykeeper证书过期时间

Browse Source
This commit is contained in:
崔一鸣
2019-07-26 10:13:09 +08:00
parent cf9ee6ceff
commit fc2791ee90
3 changed files with 28 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
platform/include/internal/ssl_utils.h
View File

@@ -146,7 +146,7 @@ int ssl_x509_v3ext_add(X509V3_CTX * ctx, X509 * crt, const char * k, const char
int ssl_x509_v3ext_copy_by_nid(X509 *, X509 *, int);
int ssl_x509_serial_copyrand(X509 *, X509 *);
X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *);
X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, EVP_PKEY *, const char *, const char *, int);
X509 * ssl_x509_load(const char *);
char * ssl_x509_subject(const X509 * crt);

15
platform/src/key_keeper.cpp
View File

@@ -45,6 +45,8 @@ struct key_keeper
unsigned int no_cache;
struct key_keeper_stat stat;
int cert_expire_time;
};
@@ -334,12 +336,12 @@ static long keyring_local_cache_query_cb(void * data, const uchar * key, uint si
}
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey)
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey, int cert_expire_time)
{
//TODO: could be optimized to save cpu.
EVP_PKEY* forge_key = ssl_key_genrsa(2048);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL, cert_expire_time);
STACK_OF(X509)* chain = sk_X509_new_null();
sk_X509_push(chain, ca);
ssl_x509_refcount_inc(ca);
@@ -480,6 +482,7 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60);
MESA_load_profile_uint_def(profile, section, "no_cache", &(keeper->no_cache), 0);
MESA_load_profile_int_def(profile, section, "cert_expire_time", &(keeper->cert_expire_time), 24);
keeper->cert_cache = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path))
{
@@ -502,8 +505,8 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
goto error_out;
}
}
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d",
section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, no_cache:%u ,ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d, cert_expire_time:%d",
section, tmp, keeper->no_cache, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds, keeper->cert_expire_time);
return keeper;
@@ -628,11 +631,11 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
struct keyring_private* kyr=NULL;
if(is_cert_valid == 1)
{
kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key);
kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key, keeper->cert_expire_time);
}
else
{
kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key);
kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key, keeper->cert_expire_time);
}
if(kyr)
{

17
platform/src/ssl_utils.cpp
View File

@@ -659,7 +659,7 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time){
* The optional argument extraname is added to subjectAltNames if provided.
*/
X509 * ssl_x509_forge(X509 * cacrt, EVP_PKEY * cakey, X509 * origcrt, EVP_PKEY * key,
const char * extraname, const char * crlurl)
const char * extraname, const char * crlurl, int cert_expire_time)
{
X509_NAME * subject, * issuer;
GENERAL_NAMES * names;
@@ -680,15 +680,24 @@ X509 * ssl_x509_forge(X509 * cacrt, EVP_PKEY * cakey, X509 * origcrt, EVP_PKEY *
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_serial_copyrand(crt, origcrt) == -1 ||
//!X509_gmtime_adj(X509_get_notBefore(crt), (long) -60 * 60 * 24) ||
//!X509_gmtime_adj(X509_get_notAfter(crt), (long) 60 * 60 * 24 * 364) ||
!X509_set_pubkey(crt, key))
goto errout;
if(cert_expire_time == -1)
{
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
/* add standard v3 extensions; cf. RFC 2459 */
}
else
{
if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - cert_expire_time * 1800)) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)(cert_expire_time * 1800))
{
goto errout;
}
}
/* add standard v3 extensions; cf. RFC 2459 */
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier", "hash") == -1 ||