authorluwenpeng <[email protected]>2020-01-06 18:17:13 +0800
committerluwenpeng <[email protected]>2020-01-06 18:17:13 +0800
commitc58e459005828af5e38299b1b19169d7b428d620 (patch)
tree9362129fd6ce56df9ff0fed5e6cf49b045b7e8a2
parentb8e7bd034785cceb14c9dd8ad4037ac05dbf7c2c (diff)
修改在可信证书存储中查找中间证书的方式:之前是通过 subject 查找,无法处理 subject 同名的问题;现修改为完全匹配
-rw-r--r--platform/src/ssl_fetch_cert.cpp45
1 files changed, 26 insertions, 19 deletions
diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp
index 57ce781..7dd6231 100644
--- a/platform/src/ssl_fetch_cert.cpp
+++ b/platform/src/ssl_fetch_cert.cpp
@@ -16,13 +16,14 @@
#include <MESA/MESA_prof_load.h>
typedef struct x509_object_st {
- int type;
- union {
- char *ptr;
- X509 *x509;
- X509_CRL *crl;
- EVP_PKEY *pkey;
- } data;
+ /* one of the above types */
+ X509_LOOKUP_TYPE type;
+ union {
+ char *ptr;
+ X509 *x509;
+ X509_CRL *crl;
+ EVP_PKEY *pkey;
+ } data;
} X509_OBJECT;
typedef struct ssl_kafka_logger_s {
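Review bot: The local `typedef struct x509_object_st { ... } X509_OBJECT;` mirrors a type that OpenSSL 1.1 keeps opaque, and the hunk only re-types the first field to `X509_LOOKUP_TYPE` to keep pace with the library's private layout; if the linked libcrypto ever differs (enum width, reordered or added fields), every write through this mirror corrupts memory silently instead of failing to compile. The mirror appears to exist only so the later hunk can assign `obj->type` and `obj->data.x509` directly; the public accessor `X509_OBJECT_set1_X509(obj, cert)` (OpenSSL 1.1.0 and later) sets both without exposing the struct, so the whole typedef can be dropped and this hunk reduced to the `#include`. That accessor also takes its own reference on the certificate, which matters because `X509_OBJECT_free(obj)` in the second hunk releases `data.x509`: with the raw assignment it drops a reference that `cert_chain` still owns, and `cert` is dereferenced again immediately afterwards. The second hunk runs past the end of this view, so that use-after-free reading should be confirmed against its remaining lines; the `ssl_kafka_logger_s` definition that starts on the last line here also continues outside the hunk.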
@@ -183,28 +184,34 @@ void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *
char *issuer = NULL;
char *fingerprint = NULL;
X509 *cert = NULL;
- X509_LOOKUP *lookup = NULL;
- X509_OBJECT stmp;
-
+ X509_OBJECT *obj = NULL;
if (!g_kafka_logger || !g_kafka_logger->enable) {
return;
}
- // don`t need call X509_LOOKUP_free(lookup)
- lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir());
- if (lookup == NULL) {
- return;
- }
-
deep = sk_X509_num(cert_chain);
for (int i = 1; i < deep; i++) {
// need't call X509_FREE(cert)
cert = sk_X509_value(cert_chain, i);
assert(cert);
- stmp.type = X509_LU_NONE;
- stmp.data.ptr = NULL;
- ret = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_subject_name(cert), &stmp);
+ obj = X509_OBJECT_new();
+ assert(obj);
+ obj->type = X509_LU_X509;
+ obj->data.x509 = (X509 *)cert;
+
+ // not in trusted store
+ if (X509_OBJECT_retrieve_match(X509_STORE_get0_objects(trusted_store), obj) == NULL)
+ {
+ ret = 0;
+ }
+ // in trusted store
+ else
+ {
+ ret = 1;
+ }
+ X509_OBJECT_free(obj);
+
subj = ssl_x509_subject(cert);
issuer = ssl_x509_issuer(cert);
fingerprint = ssl_x509_fingerprint(cert, 0);