authorfengweihao <[email protected]>2019-06-14 20:18:19 +0800
committerfengweihao <[email protected]>2019-06-14 20:18:19 +0800
commit7f134b02419cbd0c76ef4346b9ff9e449c86d33c (patch)
tree6648c7df7d3580c5be001433e734bc9e5a9da60f /src
parent60f710b656415a07910902f695a731b1ebc905b1 (diff)
删除自签发证书无法自定义校检通过
删除签发证书及http链接处理结束打印
Diffstat (limited to 'src')
-rw-r--r--src/cert_session.c84
1 files changed, 6 insertions, 78 deletions
diff --git a/src/cert_session.c b/src/cert_session.c
index 9cdc1e4..480b5fd 100644
--- a/src/cert_session.c
+++ b/src/cert_session.c
@@ -843,7 +843,7 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
if (ad == NULL)
return;
struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*ad);
- atomic64_dec(&pxy_obj->ref_cnt);
+ atomic64_dec(&pxy_obj->ref_cnt);
if (atomic64_read(&pxy_obj->ref_cnt) == 0)
{
if (pxy_obj->root)
@@ -989,64 +989,6 @@ finish:
return serial;
}
-static int check(X509_STORE *ctx, X509 *x,
- STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, ENGINE __attribute__((__unused__))*e)
-{
- int i = 0, ret = 0;
- X509_STORE_CTX *csc;
-
- csc = X509_STORE_CTX_new();
- if (csc == NULL) {
- goto end;
- }
- X509_STORE_set_flags(ctx, 0);
- if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
- goto end;
- }
- if (tchain)
- X509_STORE_CTX_trusted_stack(csc, tchain);
- if (crls)
- X509_STORE_CTX_set0_crls(csc, crls);
- i = X509_verify_cert(csc);
- X509_STORE_CTX_free(csc);
-
- ret = 0;
- end:
- if (i > 0) {
- ret = 1;
- }
- return (ret);
-}
-
-static int
-x509_check_chain(STACK_OF(X509) *stack_ca, X509 *ca, X509 *x)
-{
- int i = 0, xret = 0;
- X509_LOOKUP *lookup = NULL;
- X509_STORE *cert_ctx = NULL;
-
- cert_ctx = X509_STORE_new();
- if (cert_ctx == NULL){
- goto end;
- }
- X509_STORE_set_verify_cb(cert_ctx, NULL);
-
- lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
- if (stack_ca != NULL){
- for (i = 0; i < sk_X509_num(stack_ca); i++){
- X509_STORE_add_cert(lookup->store_ctx, sk_X509_value(stack_ca, i));
- }
- }
- X509_STORE_add_cert(lookup->store_ctx, ca);
- xret = check(cert_ctx, x, NULL, NULL, NULL, NULL);
-end:
- if (cert_ctx != NULL)
- X509_STORE_free(cert_ctx);
-
- return xret;
-}
-
static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
{
struct pxy_obj_keyring *pxy_obj=NULL;
@@ -1063,7 +1005,7 @@ static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
static int x509_online_append(struct x509_object_ctx *def, struct request_t *request,
char **root, char **sign, char *pkey,
- STACK_OF(X509) **stack_ca, int *verify)
+ STACK_OF(X509) **stack_ca)
{
X509* x509 = NULL;
int is_valid = request->is_valid;
@@ -1132,11 +1074,6 @@ modify:
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate serial number is %s", serial);
OPENSSL_free(serial);
- *verify = x509_check_chain(*stack_ca, _root, x509);
- if (*verify != 1)
- {
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certificate chain match failed");
- }
x509_get_msg_from_ca(x509, sign);
x509_get_msg_from_ca(_root, root);
@@ -1277,26 +1214,18 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
{
#define MAX_CHAIN_LEN 6
int xret = -1, i = 0;
- int expire_after, verify = 0;
+ int expire_after;
STACK_OF(X509) *stack_ca = NULL;
- uint64_t startTime = 0, endTime = 0;
libevent_thread *info = threads + request->thread_id;
char *sign = NULL, pkey[SG_DATA_SIZE] = {0};
char *root = NULL;
- startTime = rt_time_ns();
-
- expire_after = x509_online_append(&info->def, request, &root, &sign, pkey, &stack_ca, &verify);
+ expire_after = x509_online_append(&info->def, request, &root, &sign, pkey, &stack_ca);
if (sign == NULL && pkey[0] == '\0'){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to sign certificate");
evhttp_send_error(request->evh_req, HTTP_NOTFOUND, 0);
goto finish;
}
- endTime = rt_time_ns();
- info->diffTime += (endTime - startTime);
-
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%lu - %lu = %lu", startTime, endTime, endTime - startTime);
-
FS_internal_operate(SGstats.handle, info->column_ids, SGstats.line_ids[3], FS_OP_SET, info->diffTime);
FS_internal_operate(SGstats.handle, info->field_ids, 0, FS_OP_ADD, 1);
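Review bot: The context line `FS_internal_operate(SGstats.handle, info->column_ids, SGstats.line_ids[3], FS_OP_SET, info->diffTime);` still publishes `info->diffTime`, but the only place this hunk showed it being advanced, `info->diffTime += (endTime - startTime);`, is removed along with the `rt_time_ns()` calls, so the stat now reports a value this function never updates (zero or whatever it last held). Either remove that `FS_OP_SET` line as well, or keep the two timing lines and drop only the debug log. If `diffTime` is still accumulated somewhere outside this hunk, a short comment at the `FS_OP_SET` line saying where would stop the next reader from asking the same question. The signature of `redis_clnt_pdu_send` is in the hunk header, outside the hunk, and the function continues past it.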
@@ -1317,7 +1246,7 @@ redis_clnt_pdu_send(struct request_t *request, redisAsyncContext *c)
web_json_table_add(pkey, sign, chain, &request->odata);
- if ((NULL == c) || (verify == 0)){
+ if (NULL == c){
struct evhttp_request *evh_req = request->evh_req;
FS_internal_operate(SGstats.handle, info->column_ids, SGstats.line_ids[2], FS_OP_ADD, 1);
evhttp_socket_send(evh_req, request->odata);
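Review bot: Dropping `verify` from this condition, together with the removal of the `x509_check_chain` call at the `modify:` label in `x509_online_append` and of `check`/`x509_check_chain` themselves, leaves no check anywhere in the new code that the certificate placed in `sign` actually chains to the root placed in `root`; a mismatched pair is now sent to the client exactly like a valid one, and the `RLOG_LV_FATAL` "Certificate chain match failed" log that would have recorded it is gone too. The commit message says the check could not be passed for a self-signed certificate, which reads as a trust-store configuration problem rather than a reason to skip verification; a narrower fix would keep the call and make the self-signed root acceptable to it (the removed code already added `ca` to the store, so the failing case is worth understanding before the check is deleted). If the verification is intentionally not part of this path any more, at least keep a log line at the point where `*verify` used to be set so an unverifiable chain remains visible in the runtime log. `redis_clnt_pdu_send` starts and ends outside this hunk.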
@@ -1558,7 +1487,6 @@ static void
evhttp_socket_close_cb(struct evhttp_connection *evcon,
void __attribute__((__unused__))*arg)
{
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Evhttp connection is broken");
if (NULL == evcon){
goto finish;
}
@@ -2038,7 +1966,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
}
memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
atomic64_set(&pxy_obj->ref_cnt, 1);
-
+
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_after, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->is_valid);