feature: mbedtls add multi server cert support

2024-12-02 20:08:21 +08:00 · 2020-09-06 21:26:30 +08:00 · 2020-09-06 21:26:30 +08:00 · 5d88ea55a9
commit 5d88ea55a9
parent 1c13d28c92
3 changed files with 90 additions and 0 deletions
--- a/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp
+++ b/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp
@ -42,6 +42,11 @@ public:
 	 */
 	bool load_ca(const char* ca_file, const char* ca_path);

+	/**
+	 * @override
+	 */
+	bool append_key_cert(const char* crt_file, const char* key_file, const char* key_pass = NULL);
+
 	/**
 	 * @override
 	 */
--- a/lib_acl_cpp/include/acl_cpp/stream/sslbase_conf.hpp
+++ b/lib_acl_cpp/include/acl_cpp/stream/sslbase_conf.hpp
@ -38,8 +38,24 @@ public:
 	/**
 	 * 添加一个服务端/客户端自己的证书，可以多次调用本方法加载多个证书
 	 * @param crt_file {const char*} 证书文件全路径，非空
+	 * @param key_file {const char*} 密钥文件全路径，非空
+	 * @param key_pass {const char*} 密钥文件的密码，没有密钥密码可写 NULL
 	 * @return {bool} 添加证书是否成功
 	 */
+	virtual bool append_key_cert(const char* crt_file, const char* key_file, const char* key_pass = NULL)
+	{
+		(void) crt_file;
+		(void) key_file;
+		(void) key_pass;
+		return false;
+	}
+
+	/**
+	 * 添加一个服务端/客户端自己的证书，可以多次调用本方法加载多个证书
+	 * @param crt_file {const char*} 证书文件全路径，非空
+	 * @return {bool} 添加证书是否成功
+	 * @deprecated use append_key_cert
+	 */
 	virtual bool add_cert(const char* crt_file)
 	{
 		(void) crt_file;
@ -51,6 +67,7 @@ public:
 	 * @param key_file {const char*} 密钥文件全路径，非空
 	 * @param key_pass {const char*} 密钥文件的密码，没有密钥密码可写 NULL
 	 * @return {bool} 设置是否成功
+	 * @deprecated use append_key_cert
 	 */
 	virtual bool set_key(const char* key_file, const char* key_pass = NULL)
 	{
--- a/lib_acl_cpp/src/stream/mbedtls_conf.cpp
+++ b/lib_acl_cpp/src/stream/mbedtls_conf.cpp
@ -17,6 +17,7 @@
 # include "mbedtls-2.7.12/x509_crt.h"
 # include "mbedtls-2.7.12/x509.h"
 # include "mbedtls-2.7.12/ssl_cache.h"
+# include "mbedtls-2.7.12/platform.h"
 #endif

 #ifndef ACL_PREPARE_COMPILE
@ -69,6 +70,7 @@
 #  define SSL_CONF_CA_CHAIN_NAME	"mbedtls_ssl_conf_ca_chain"
 #  define SSL_CONF_OWN_CERT_NAME	"mbedtls_ssl_conf_own_cert"
 #  define SSL_CONF_AUTHMODE_NAME	"mbedtls_ssl_conf_authmode"
+#  define SSL_CONF_INIT_FREE		"mbedtls_ssl_config_free"
 #  ifdef DEBUG_SSL
 #   define SSL_CONF_DBG_NAME		"mbedtls_ssl_conf_dbg"
 #  endif
@ -316,6 +318,7 @@ static bool load_from_ssl(void)
 	LOAD_SSL(SSL_CONF_CA_CHAIN_NAME, ssl_conf_ca_chain_fn, __ssl_conf_ca_chain);
 	LOAD_SSL(SSL_CONF_OWN_CERT_NAME, ssl_conf_own_cert_fn, __ssl_conf_own_cert);
 	LOAD_SSL(SSL_CONF_AUTHMODE_NAME, ssl_conf_authmode_fn, __ssl_conf_authmode);
+	LOAD_SSL(SSL_CONF_INIT_FREE, ssl_config_init_fn, __ssl_config_free);
 # ifdef DEBUG_SSL
 	LOAD_SSL(SSL_CONF_DBG_NAME, ssl_conf_dbg_fn, __ssl_conf_dbg);
 # endif
@ -447,6 +450,7 @@ static void mbedtls_dll_load(void)
 #  define __ssl_conf_ca_chain		::mbedtls_ssl_conf_ca_chain
 #  define __ssl_conf_own_cert		::mbedtls_ssl_conf_own_cert
 #  define __ssl_conf_authmode		::mbedtls_ssl_conf_authmode
+#  define __ssl_config_free		::mbedtls_ssl_config_free
 #  ifdef DEBUG_SSL
 #   define __ssl_conf_dbg		::mbedtls_ssl_conf_dbg
 #  endif
@ -713,6 +717,8 @@ mbedtls_conf::~mbedtls_conf(void)
 	if (init_status_ != CONF_INIT_NIL) {
 		__entropy_free((mbedtls_entropy_context*) entropy_);
 	}
+
+	__ssl_config_free((mbedtls_ssl_config*)conf_);
 	acl_myfree(conf_);
 	acl_myfree(entropy_);

@ -794,6 +800,68 @@ bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path)
 #endif
 }

+bool mbedtls_conf::append_key_cert(const char* crt_file, const char* key_file, const char* key_pass)
+{
+	if (crt_file == NULL || crt_file[0] == '\0' ||
+		key_file == NULL || key_file[0] == '\0') {
+		logger_error("crt_file or key_file null");
+		return false;
+	}
+
+#ifdef HAS_MBEDTLS
+	int ret = 0;
+	X509_CRT *cert = NULL;
+	PKEY *pkey = NULL;
+	if (!init_once()) {
+		logger_error("init_once error");
+		return false;
+	}
+
+	// cert will be managed by mbedtls
+	cert = static_cast<X509_CRT*>(mbedtls_calloc(1, sizeof(X509_CRT)));
+	__x509_crt_init(cert);
+	ret = __x509_crt_parse_file(cert, crt_file);
+	if (ret != 0) {
+		goto ERR;
+	}
+
+	// pkey will be managed by mbedtls
+	pkey = static_cast<PKEY*>(mbedtls_calloc(1, sizeof(PKEY)));
+	__pk_init(pkey);
+	ret = __pk_parse_keyfile(pkey, key_file, key_pass ? key_pass : "");
+	if (ret != 0) {
+		goto ERR;
+	}
+
+	ret = __ssl_conf_own_cert((mbedtls_ssl_config*)conf_, cert, pkey);
+	if (ret != 0) {
+		goto ERR;
+	}
+
+	cert_status_ = CONF_OWN_CERT_OK;
+	return true;
+ERR:
+	logger_error("append_key_cert(%s:%s) error: -0x%04x", crt_file, key_file, -ret);
+	if (cert) {
+		__x509_crt_free(cert);
+		mbedtls_free(cert);
+	}
+
+	if (pkey) {
+		__pk_free(pkey);
+		mbedtls_free(pkey);
+	}
+	return false;
+#else
+	(void) crt_file;
+	(void) key_file;
+	(void) key_pass;
+
+	logger_error("HAS_MBEDTLS not defined!");
+	return false;
+#endif
+}
+
 bool mbedtls_conf::add_cert(const char* crt_file)
 {
 	if (crt_file == NULL || *crt_file == 0) {