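//
// Created by lwp on 2019/10/16.
//
// Publishes intermediate (non-leaf) certificates observed in a TLS chain that
// are NOT already present in the local trusted X509_STORE to a Kafka topic, so
// that they can be cached elsewhere.  Configuration is read from the MESA
// profile section handed to ssl_mid_cert_kafka_logger_create().
//
// Security notes for maintainers:
//   * Everything that ends up in the Kafka message (SNI, certificate subject /
//     issuer / fingerprint / PEM) originates from the remote peer and the
//     client and is attacker-controlled.  Consumers of the topic must treat it
//     as untrusted data, and must not treat "seen in a chain" as "valid".
//   * The SNI is per-connection browsing metadata of proxied users; the topic
//     it is published to should be access-controlled accordingly.
//

#include <stdlib.h>
#include <string.h>

#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

#include "cJSON.h"

/* TODO(review): the project headers were lost when this file was extracted.
 * Restore the ones that declare tfe_kafka_logger_t / tfe_kafka_logger_*,
 * TFE_LOG_* / g_default_logger / TFE_SYMBOL_MAX, MESA_load_profile_*_def and
 * the ssl_x509_* helpers used below. */

/*
 * NOTE(review): the previous revision re-declared OpenSSL's private
 * `struct x509_object_st` here in order to poke `type`/`data.x509` directly.
 * That is not needed: X509_OBJECT is opaque since OpenSSL 1.1.0 (the same
 * release that introduced X509_STORE_get0_objects(), which this file already
 * relies on) and X509_OBJECT_set1_X509() fills it in through the public API.
 */

/* mc_cache_enable value at which the full PEM is also written to the debug
 * log; any non-zero value enables publishing.  0x10 is the literal the
 * original code compared against. */
enum { MC_CACHE_LOG_PEM = 0x10 };

static tfe_kafka_logger_t *g_kafka_logger = NULL;

/**
 * Release the module-wide Kafka logger.
 *
 * Idempotent: the global is reset to NULL so a second call is a no-op instead
 * of a double free, and a later ssl_fetch_trusted_cert_from_chain() sees
 * "no logger" rather than a dangling pointer.
 */
void ssl_mid_cert_kafka_logger_destory(void)
{
    if (g_kafka_logger == NULL) {
        return;
    }
    tfe_kafka_logger_destroy(g_kafka_logger);
    g_kafka_logger = NULL;
}

/**
 * Create the module-wide Kafka logger from a MESA profile section.
 *
 * Keys read from @section of @profile:
 *   mc_cache_enable      (int, default 0)      non-zero enables publishing
 *   mc_cache_eth         (string, "eth0")      NIC the logger binds to
 *   mc_cache_topic       (string, "PXY-EXCH-INTERMEDIA-CERT")
 *   mc_cache_broker_list (string, required)    Kafka broker list
 *
 * Returns 0 on success, -1 if the broker list is missing or the logger could
 * not be created.  A logger left over from an earlier call is destroyed first
 * so repeated initialisation does not leak it.
 */
int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section)
{
    int enable = 0;
    char nic_name[64] = {0};
    char broker_list[TFE_SYMBOL_MAX] = {0};
    char topic_name[TFE_SYMBOL_MAX] = {0};
    /* The format below supplies its own ", " after this prefix. */
    const char *errstr = "SSL mid cert cache occer error";

    ssl_mid_cert_kafka_logger_destory();

    MESA_load_profile_int_def(profile, section, "mc_cache_enable", &enable, 0);
    MESA_load_profile_string_def(profile, section, "mc_cache_eth",
                                 nic_name, sizeof(nic_name), "eth0");
    MESA_load_profile_string_def(profile, section, "mc_cache_topic",
                                 topic_name, sizeof(topic_name),
                                 "PXY-EXCH-INTERMEDIA-CERT");

    if (MESA_load_profile_string_def(profile, section, "mc_cache_broker_list",
                                     broker_list, sizeof(broker_list), NULL) < 0) {
        TFE_LOG_ERROR(g_default_logger,
                      "%s, Fail to get mc_cache_broker_list in profile %s section %s.",
                      errstr, profile, section);
        return -1;
    }

    g_kafka_logger = tfe_kafka_logger_create(enable, nic_name, broker_list,
                                             topic_name, g_default_logger);
    return g_kafka_logger != NULL ? 0 : -1;
}

/**
 * Serialise one intermediate certificate as JSON and hand it to the Kafka
 * logger.
 *
 * The message carries "sni", "fingerprint", "cert" (PEM) and "tfe_ip".  As in
 * cJSON generally, a NULL string argument makes cJSON_AddStringToObject() drop
 * that key rather than fail, so a NULL @sni produces a message without "sni".
 * Does nothing when the logger is absent or disabled.  Allocation failures
 * are logged and the message is skipped.
 */
static void ssl_mid_cert_kafka_logger_send(const char *sni,
                                           const char *fingerprint,
                                           const char *cert)
{
    if (g_kafka_logger == NULL || g_kafka_logger->enable == 0) {
        return;
    }

    cJSON *obj = cJSON_CreateObject();
    if (obj == NULL) {
        TFE_LOG_ERROR(g_default_logger, "Fail to allocate JSON object for mid cert message.");
        return;
    }
    cJSON_AddStringToObject(obj, "sni", sni);
    cJSON_AddStringToObject(obj, "fingerprint", fingerprint);
    cJSON_AddStringToObject(obj, "cert", cert);
    cJSON_AddStringToObject(obj, "tfe_ip", g_kafka_logger->local_ip_str);

    /* Printing the object directly yields the same bytes the old code got
     * from printing a deep copy of it. */
    char *msg = cJSON_PrintUnformatted(obj);
    if (msg == NULL) {
        TFE_LOG_ERROR(g_default_logger, "Fail to serialise mid cert message.");
    } else {
        TFE_LOG_DEBUG(g_default_logger, "log to [%s] msg:%s",
                      g_kafka_logger->topic_name, msg);
        tfe_kafka_logger_send(g_kafka_logger, msg, strlen(msg));
        /* cJSON is used with its default malloc hooks here, hence free(). */
        free(msg);
    }
    cJSON_Delete(obj);
}

/**
 * Check whether @cert is present in the store's object stack.
 *
 * Returns 1 if an equal X509 is found, 0 if not, -1 on allocation failure.
 *
 * X509_OBJECT_set1_X509() takes its own reference on @cert.  That matters:
 * X509_OBJECT_free() releases the X509 held by an X509_LU_X509 object, so the
 * previous revision -- which stored the borrowed chain pointer in a
 * hand-built X509_OBJECT and then freed it -- dropped a reference the chain
 * still owned (refcount underflow, use-after-free when the chain is freed).
 */
static int ssl_cert_in_store(STACK_OF(X509_OBJECT) *objs, X509 *cert)
{
    X509_OBJECT *probe = X509_OBJECT_new();
    if (probe == NULL) {
        return -1;
    }
    if (!X509_OBJECT_set1_X509(probe, cert)) {
        X509_OBJECT_free(probe);
        return -1;
    }
    int found = X509_OBJECT_retrieve_match(objs, probe) != NULL;
    X509_OBJECT_free(probe);
    return found;
}

/**
 * Walk a peer's certificate chain and publish every intermediate that the
 * local trusted store does not already contain.
 *
 * @cert_chain     chain as presented by the peer; index 0 is the leaf and is
 *                 skipped, indices 1..n-1 are examined.  Certificates are
 *                 borrowed from the stack and not freed here.
 * @trusted_store  store whose object list is searched for an exact match.
 * @hostname       SNI of the connection, may be NULL.
 *
 * No-op when the Kafka logger is absent/disabled or either pointer is NULL.
 * "in_trusted_store" in the debug line means only "an identical certificate
 * is in the store"; no path validation is performed here.
 *
 * NOTE(review): X509_STORE_get0_objects() hands back the store's internal
 * stack without taking the store lock.  If this store can be mutated by
 * other threads while chains are being walked, wrap the loop in
 * X509_STORE_lock()/X509_STORE_unlock() -- confirm against the callers.
 *
 * Test with e.g. http://www.360.cn/ (kept from the original note).
 */
void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain,
                                       X509_STORE *trusted_store,
                                       const char *hostname)
{
    if (g_kafka_logger == NULL || !g_kafka_logger->enable) {
        return;
    }
    if (cert_chain == NULL || trusted_store == NULL) {
        return;
    }

    STACK_OF(X509_OBJECT) *trusted = X509_STORE_get0_objects(trusted_store);
    int depth = sk_X509_num(cert_chain);

    for (int i = 1; i < depth; i++) {
        X509 *cert = sk_X509_value(cert_chain, i);
        if (cert == NULL) {
            continue;
        }

        int in_store = ssl_cert_in_store(trusted, cert);
        if (in_store < 0) {
            TFE_LOG_ERROR(g_default_logger,
                          "[dep:%d/%d] Fail to allocate X509_OBJECT, skipping.", i, depth);
            continue;
        }

        /* The ssl_x509_* helpers return malloc()ed strings (or NULL); ownership
         * is ours, per the existing free() calls. */
        char *subject = ssl_x509_subject(cert);
        char *issuer = ssl_x509_issuer(cert);
        char *fingerprint = ssl_x509_fingerprint(cert, 0);
        char *pem = ssl_x509_to_pem(cert);

        /* Subject/issuer/SNI are peer-supplied strings: logged via %s only,
         * never as a format string. */
        TFE_LOG_DEBUG(g_default_logger,
                      "[dep:%d/%d] in_trusted_store:%d, sin:%s; subject:(%s); issuer:(%s); fingerprint:%s; cert:%s",
                      i, depth, in_store,
                      hostname ? hostname : "NULL",
                      subject ? subject : "NULL",
                      issuer ? issuer : "NULL",
                      fingerprint ? fingerprint : "NULL",
                      (pem && g_kafka_logger->enable == MC_CACHE_LOG_PEM) ? pem : " ...");

        if (in_store == 0 && fingerprint && pem) {
            ssl_mid_cert_kafka_logger_send(hostname, fingerprint, pem);
        }

        free(pem);
        free(subject);
        free(issuer);
        free(fingerprint);
    }
}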