authorfengweihao <[email protected]>2019-08-20 15:41:41 +0800
committerfengweihao <[email protected]>2019-08-20 15:41:41 +0800
commitb8f59677bf30188475bbc4d07a1fd0f37b672b07 (patch)
treea7e31563fdc08cce39622d88292e08c60323fba8
parent835605dce3826a7545abe8c86c337f3da5b60e16 (diff)
增加公钥强度可配置功能
-rw-r--r--src/cert_session.c108
1 files changed, 31 insertions, 77 deletions
diff --git a/src/cert_session.c b/src/cert_session.c
index ae7f40b..54f1144 100644
--- a/src/cert_session.c
+++ b/src/cert_session.c
@@ -114,8 +114,26 @@ finish:
return;
}
-static
-int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits)
+static int x509_public_str2idx(const char *public_algo)
+{
+ int bits = 1024;
+
+ if (strcasestr(public_algo, "1024") != NULL)
+ {
+ bits = 1024;
+ }
+ if (strcasestr(public_algo, "2048") != NULL)
+ {
+ bits = 2048;
+ }
+ if (strcasestr(public_algo, "4096") != NULL)
+ {
+ bits = 4096;
+ }
+ return bits;
+}
+
+static int create_client_key(EVP_PKEY** pkey, char *pubkey, char* public_algo)
{
RSA *rsa = NULL;
EVP_PKEY *pk = NULL;
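Review bot: `x509_public_str2idx` hands `public_algo` to `strcasestr` without a NULL check, and any value that names none of the three sizes silently falls back to a 1024-bit key, which is below the 2048-bit floor that NIST SP 800-131A and the CA/Browser Forum have required for years; a missing or misspelt keyring entry therefore yields weak keys with no log line. I would guard NULL, log the fall-through, and make the unrecognised-value default at least 2048, keeping 1024 only when the configuration asks for it explicitly. The name promises an index but the function returns a bit length, so `x509_public_str2bits` would read better; and since `create_client_key` here and `x509_modify_by_cert` in the third hunk only read the string, both new parameters suit `const char *`. The rewrite below checks the largest size first so the precedence of the original (a later match overrides an earlier one) is preserved.
```c
static int x509_public_str2idx(const char *public_algo)
{
    int bits = 2048;   /* floor for a missing or unrecognised setting */

    if (public_algo == NULL)
    {
        mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "x509_public_str2idx, public_algo not configured, using 2048");
        return bits;
    }
    if (strcasestr(public_algo, "4096") != NULL)
    {
        bits = 4096;
    }
    else if (strcasestr(public_algo, "2048") != NULL)
    {
        bits = 2048;
    }
    else if (strcasestr(public_algo, "1024") != NULL)
    {
        bits = 1024;   /* explicitly requested only; below current policy floors */
    }
    else
    {
        mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "x509_public_str2idx, unrecognised public_algo, using 2048");
    }
    return bits;
}
```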
@@ -124,8 +142,7 @@ int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits)
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, gen new key failed!");
goto err;
}
-
- rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
+ rsa = RSA_generate_key(x509_public_str2idx(public_algo), RSA_F4, NULL, NULL);
if(!EVP_PKEY_assign_RSA(pk, rsa)){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, assign key failed!");
EVP_PKEY_free(pk);
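Review bot: The value returned by `RSA_generate_key` on the replaced line goes straight into `EVP_PKEY_assign_RSA` without a NULL check, so if key generation fails the only diagnosis comes from the assign branch, which logs "assign key failed" and misattributes the error (assuming `EVP_PKEY_assign_RSA` rejects a NULL key at all). Add `if (rsa == NULL) { mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, RSA_generate_key failed!"); EVP_PKEY_free(pk); goto err; }` before the assign. `RSA_generate_key` has been deprecated since OpenSSL 0.9.8 in favour of `RSA_generate_key_ex`, which takes a `BIGNUM` exponent and reports failure by return value; since this call is being edited anyway it is a good moment to switch. `create_client_key` starts in the previous hunk and its body continues past this one.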
@@ -488,14 +505,14 @@ static time_t ASN1_GetTimeT(ASN1_TIME* time)
}
X509 *
-x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl)
+x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo)
{
int rv;
X509 *crt = NULL;
EVP_PKEY* key = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
- if(!create_client_key(&key, pkey, 1024)){
+ if(!create_client_key(&key, pkey, public_algo)){
goto err;
}
//subjectname,issuername
@@ -515,7 +532,7 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int
!X509_set_pubkey(crt, key))
goto errout;
- if (*expire_time == -1)
+ if (*expire_time == 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
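Review bot: The sentinel meaning "inherit the original certificate's validity" changes from -1 to 0 on the replaced line with no comment, and the caller in `x509_online_append` initialises `expire_time = 0` before any assignment (visible in a later hunk), so a path that reaches `x509_modify_by_cert` without copying `expire_after` now silently takes the inherit branch. Add a comment above the condition, `/* 0: copy notBefore/notAfter from origcrt; otherwise expire_after drives the validity window */`, and confirm that path is intended. Because `expire_after` is read with `%lu` in the last hunk, the old -1 sentinel presumably could never come from configuration, which may be the reason for the change; if so, the commit message should say so. The enclosing function begins in the previous hunk.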
@@ -530,6 +547,7 @@ x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int
{
goto errout;
}
+ *expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
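Review bot: The added `*expire_time = half_hours(*expire_time);` writes the converted value back through the out-parameter only on the inherit branch (the `if` enclosing it starts in an earlier hunk), so after the call the caller's `expire_time` is in half-hour units on that branch and in whatever unit `expire_after` is configured in on the other. If the configured value is presumably already in half-hours that is consistent, but nothing on this page says so. Either convert on both paths or document the contract at the declaration: `expire_time: in/out, half-hour units; 0 on entry means inherit the validity period of origcrt`.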
@@ -877,69 +895,6 @@ int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
return ret;
}
-X509 *x509_modify_by_cert_bak(X509 *cacrt, EVP_PKEY *cakey, const char* host,
- char *pubkey, const int days)
-{
- X509* x = NULL;
- EVP_PKEY* pk = NULL;
-
- char* ctx[] = {(char*)host, "CN", "mystate",
- "mycity", "myorganization", "mygroup",
-
- if(!create_client_key(&pk, pubkey, 1024)){
- goto err;
- }
-
- if((x = X509_new()) == NULL){
- goto err;
- }
-
- if (!X509_set_version(x, 0x02)){
- goto err;
- }
-
- if (!X509_set_version(x, 0x02) ||
- !X509_set_issuer_name(x, X509_get_subject_name(cacrt)) ||
- !rand_serial(NULL, X509_get_serialNumber(x)) ||
- !X509_gmtime_adj(X509_get_notBefore(x), 0L) ||
- !X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) ||
- !X509_set_pubkey(x, pk) ||
- !add_cert_ctx(X509_get_subject_name(x), ctx, 7))
- goto err;
-#if 1
-
- /* Add various extensions: standard extensions */
- add_ext(cacrt, x, NID_basic_constraints, "critical,CA:FALSE");
- add_ext(cacrt, x, NID_subject_key_identifier, "hash");
- add_ext(cacrt, x, NID_key_usage, "Digital Signature, Key Encipherment, Data Encipherment");
-
- /**/
-
- add_ext(cacrt, x, NID_authority_key_identifier, "keyid:always");
-
- add_ext(cacrt, x, NID_ext_key_usage, "serverAuth,clientAuth");
- /*NID_certificate_policies*/
-/*
- char dns[128] = {0}, domain[16] = {0};
- sscanf(host, "%*[^.].%[^.]", domain);
- snprintf(dns, 127, "DNS:%s.com, DNS:*.%s.com, DNS:www.%s.cn", domain, domain, domain);
- add_ext(cacrt, x, NID_subject_alt_name, dns);
-*/
-#endif
- if(!X509_sign(x, cakey, EVP_sha256())){
- goto err;
- }
- return x;
-
-err:
- if(x)
- X509_free(x);
- if(pk)
- EVP_PKEY_free(pk);
- return NULL;
-}
-
char *x509_get_sn(X509 *x509)
{
ASN1_INTEGER *asn1_i = NULL;
@@ -982,7 +937,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
int is_valid = request->is_valid;
int keyring_id = request->keyring_id;
int expire_time = 0; char *crlurl = NULL;
- char *serial = NULL;
+ char *serial = NULL, *public_algo = NULL;
X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
struct config_bucket_t *rte = cert_default_config();
@@ -1034,8 +989,9 @@ static int x509_online_append(struct x509_object_ctx *def, struct request_t *req
cakey = pxy_obj->key;
expire_time = pxy_obj->expire_after;
crlurl = pxy_obj->v3_ctl;
+ public_algo = pxy_obj->public_algo;
modify:
- x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl);
+ x509 = x509_modify_by_cert(cacrt, cakey, request->origin, pkey, &expire_time, crlurl, public_algo);
if (!x509){
goto finish;
}
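Review bot: `public_algo` is assigned on the new line immediately before the `modify:` label, so any earlier `goto modify` (the label suggests one exists; it is outside this hunk) reaches `x509_modify_by_cert` with the NULL from the declaration in the previous hunk, and `strcasestr` inside `x509_public_str2idx` would dereference it. Either set `public_algo` before any such jump, for example from the default config bucket `rte` the function already fetches, or make the callee treat NULL as "use the default strength"; as written, a missing keyring entry on that path is a crash rather than a weak key, which is loud but still an availability problem caused by configuration.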
@@ -1209,9 +1165,7 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
}
}else{
chain[0] = root;
- }
- printf("sign = %s\n", sign);
-
+ }
web_json_table_add(pkey, sign, chain, &request->odata);
if (NULL == c){
@@ -1934,8 +1888,8 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
atomic64_set(&pxy_obj->ref_cnt, 1);
- ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d", &pxy_obj->keyring_id, profile_name,
- pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_after, pxy_obj->public_algo,
+ ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%s\t%lu\t%s\t%d", &pxy_obj->keyring_id, profile_name,
+ pxy_obj->keyring_type, private_file, public_file, pxy_obj->public_algo, &pxy_obj->expire_after,
pxy_obj->v3_ctl, &pxy_obj->is_valid);
if(ret!=9)
{
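Review bot: The reordered `sscanf` still reads `profile_name`, `keyring_type`, `private_file`, `public_file`, `public_algo` and `v3_ctl` with bare `%s`, so a field of `table_line` longer than its destination overflows the buffer; since the format string is being rewritten anyway, give every `%s` a width one less than its destination, e.g. `"%d\t%<PROFILE_LEN-1>s\t%<TYPE_LEN-1>s\t..."` (placeholders; the real array sizes live in the struct definitions, not on this page). Swapping the `public_algo` and `expire_after` columns also changes the table format: an old row will fail the `%lu` conversion on the algorithm string and be rejected by the `ret!=9` check, so every existing keyring row is dropped until the table is regenerated; the producer of these lines should change in the same commit and the commit message should say so. Note too that `expire_after` is read as `unsigned long` but copied into `int expire_time` in an earlier hunk, so very large values truncate silently.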