authorrobot-piglet <robot-piglet@yandex-team.com>2024-09-25 18:01:01 +0300
committerrobot-piglet <robot-piglet@yandex-team.com>2024-09-25 18:09:43 +0300
commitc9d7dbfe7496e368fdac64fa36ef1bd24745cfc5 (patch)
tree954c5819b9062a83f580a5e354b9e5419b207f51
parent07ceeeab0c1d69f642190a110ca748163bc189b6 (diff)
downloadydb-c9d7dbfe7496e368fdac64fa36ef1bd24745cfc5.tar.gz
Intermediate changes
commit_hash:a2a7945a295a16d334554e99646b5d670df0bdeb
-rw-r--r--yt/yt/core/rpc/grpc/helpers.cpp46
-rw-r--r--yt/yt/core/rpc/grpc/helpers.h9
-rw-r--r--yt/yt/core/rpc/grpc/proto/grpc.proto1
-rw-r--r--yt/yt/core/rpc/grpc/server.cpp22
4 files changed, 59 insertions, 19 deletions
diff --git a/yt/yt/core/rpc/grpc/helpers.cpp b/yt/yt/core/rpc/grpc/helpers.cpp
index a42d958a11..bfe01bf540 100644
--- a/yt/yt/core/rpc/grpc/helpers.cpp
+++ b/yt/yt/core/rpc/grpc/helpers.cpp
@@ -42,6 +42,11 @@ TGprString MakeGprString(char* str)
return TGprString(str, gpr_free);
}
+TX509Ptr MakeX509Ptr(X509* cert)
+{
+ return TX509Ptr(cert, X509_free);
+}
+
TStringBuf ToStringBuf(const grpc_slice& slice)
{
return TStringBuf(
@@ -522,25 +527,21 @@ TGrpcServerCredentialsPtr LoadServerCredentials(const TServerCredentialsConfigPt
nullptr));
}
-std::optional<TString> ParseIssuerFromX509(TStringBuf x509String)
+TX509Ptr ParsePemCertToX509(TStringBuf pemCert)
{
auto* bio = BIO_new(BIO_s_mem());
auto bioGuard = Finally([&] {
BIO_free(bio);
});
- BIO_write(bio, x509String.data(), x509String.length());
-
- auto* x509 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
- auto x509Guard = Finally([&] {
- X509_free(x509);
- });
+ BIO_write(bio, pemCert.data(), pemCert.length());
- if (!x509) {
- return std::nullopt;
- }
+ return MakeX509Ptr(PEM_read_bio_X509(bio, nullptr, nullptr, nullptr));
+}
- auto* issuerName = X509_get_issuer_name(x509);
+std::optional<TString> ParseIssuerFromX509(const TX509Ptr& pemCertX509)
+{
+ auto* issuerName = X509_get_issuer_name(pemCertX509.get());
std::array<char, 1024> buf;
auto* issuerString = X509_NAME_oneline(issuerName, buf.data(), buf.size());
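Review bot: ParseIssuerFromX509 drops the null check the old overload had (`if (!x509) { return std::nullopt; }`) and now hands `pemCertX509.get()` straight to X509_get_issuer_name, which dereferences its argument, so the helper is only safe while every caller repeats the `if (!pemCertX509)` test that server.cpp happens to do; the guard belongs in the helper itself, `if (!pemCertX509) { return std::nullopt; }`, and the same applies to ParseSerialNumberFromX509 in the next hunk. In ParsePemCertToX509 the result of `BIO_new` is still not checked before `BIO_write`, and `pemCert.length()` is narrowed to BIO_write's `int` length argument without a range check. ParseIssuerFromX509's body continues past the end of this hunk.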
@@ -551,6 +552,29 @@ std::optional<TString> ParseIssuerFromX509(TStringBuf x509String)
return TString(issuerString);
}
+std::optional<TString> ParseSerialNumberFromX509(const TX509Ptr& pemCertX509)
+{
+ ASN1_STRING* serialNumber = X509_get_serialNumber(pemCertX509.get());
+ if (!serialNumber) {
+ return std::nullopt;
+ }
+ BIGNUM* bn = ASN1_INTEGER_to_BN(serialNumber, nullptr);
+ auto bnGuard = Finally([&] {
+ BN_free(bn);
+ });
+ if (!bn) {
+ return std::nullopt;
+ }
+ char* hexSerialNumber = BN_bn2hex(bn);
+ auto serialNumberGuard = Finally([&] {
+ OPENSSL_free(hexSerialNumber);
+ });
+ if (!hexSerialNumber) {
+ return std::nullopt;
+ }
+ return TString(hexSerialNumber);
+}
+
////////////////////////////////////////////////////////////////////////////////
TGuardedGrpcCompletionQueue::TGuardedGrpcCompletionQueue(TGrpcCompletionQueuePtr completionQueue)
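Review bot: ParseSerialNumberFromX509 returns whatever BN_bn2hex produces and that representation is not documented, even though the string ends up in TSslCredentialsExt and will be compared by consumers: as far as I can tell it is uppercase hex with leading zero bytes dropped, a `-` prefix for a negative integer and `0` for a zero serial, so zero-padded or colon-separated forms will not match it without normalisation. A comment on the function should pin this, e.g. `// Serial formatted by BN_bn2hex: uppercase hex, no leading zero bytes, '-' prefix when negative.` Declaring the result of X509_get_serialNumber as `ASN1_INTEGER*` rather than `ASN1_STRING*` would also match the API's own return type.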
diff --git a/yt/yt/core/rpc/grpc/helpers.h b/yt/yt/core/rpc/grpc/helpers.h
index 8c3d2ec565..b6b775c483 100644
--- a/yt/yt/core/rpc/grpc/helpers.h
+++ b/yt/yt/core/rpc/grpc/helpers.h
@@ -16,6 +16,8 @@
#include <contrib/libs/grpc/include/grpc/impl/codegen/grpc_types.h>
#include <contrib/libs/grpc/include/grpc/byte_buffer_reader.h>
+typedef struct x509_st X509;
+
namespace NYT::NRpc::NGrpc {
////////////////////////////////////////////////////////////////////////////////
@@ -23,6 +25,9 @@ namespace NYT::NRpc::NGrpc {
using TGprString = std::unique_ptr<char, void(*)(void*)>;
TGprString MakeGprString(char* str);
+using TX509Ptr = std::unique_ptr<X509, void(*)(X509*)>;
+TX509Ptr MakeX509Ptr(X509* cert);
+
TStringBuf ToStringBuf(const grpc_slice& slice);
////////////////////////////////////////////////////////////////////////////////
@@ -289,7 +294,9 @@ TError DeserializeError(TStringBuf serializedError);
TGrpcPemKeyCertPair LoadPemKeyCertPair(const TSslPemKeyCertPairConfigPtr& config);
TGrpcChannelCredentialsPtr LoadChannelCredentials(const TChannelCredentialsConfigPtr& config);
TGrpcServerCredentialsPtr LoadServerCredentials(const TServerCredentialsConfigPtr& config);
-std::optional<TString> ParseIssuerFromX509(TStringBuf x509String);
+TX509Ptr ParsePemCertToX509(TStringBuf pemCert);
+std::optional<TString> ParseIssuerFromX509(const TX509Ptr& pemCertX509);
+std::optional<TString> ParseSerialNumberFromX509(const TX509Ptr& pemCertX509);
////////////////////////////////////////////////////////////////////////////////
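Review bot: The three new declarations carry no documentation although the contract changed: ParsePemCertToX509 returns a null TX509Ptr when the PEM blob does not parse, and the two Parse*FromX509 functions now expect a non-null certificate instead of reporting std::nullopt on a bad one as the old ParseIssuerFromX509 did. Suggest `// Returns nullptr if pemCert does not parse as a PEM certificate.` on ParsePemCertToX509 and `// Requires a non-null certificate; returns std::nullopt if the field cannot be extracted.` on ParseIssuerFromX509 and ParseSerialNumberFromX509.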
diff --git a/yt/yt/core/rpc/grpc/proto/grpc.proto b/yt/yt/core/rpc/grpc/proto/grpc.proto
index 6ec01e35f9..cde26cec75 100644
--- a/yt/yt/core/rpc/grpc/proto/grpc.proto
+++ b/yt/yt/core/rpc/grpc/proto/grpc.proto
@@ -13,6 +13,7 @@ message TSslCredentialsExt
optional string peer_identity = 1;
optional string issuer = 2;
+ optional string serial_number = 3;
}
////////////////////////////////////////////////////////////////////////////////
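Review bot: `serial_number` is added without a comment, and a serial number only identifies a certificate together with its issuer, so a consumer that keys authorization on this field alone would accept a certificate from a different CA that happens to carry the same serial. A field comment such as `// Hex serial number of the peer certificate; unique only in combination with issuer.` would make that clear to readers of the wire format.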
diff --git a/yt/yt/core/rpc/grpc/server.cpp b/yt/yt/core/rpc/grpc/server.cpp
index bb693aea89..c90f488740 100644
--- a/yt/yt/core/rpc/grpc/server.cpp
+++ b/yt/yt/core/rpc/grpc/server.cpp
@@ -779,7 +779,7 @@ private:
std::optional<NGrpc::NProto::TSslCredentialsExt> sslCredentialsExtension;
ParsePeerIdentity(authContext, &sslCredentialsExtension);
- ParseIssuer(authContext, &sslCredentialsExtension);
+ ParseIssuerAndSerialNumber(authContext, &sslCredentialsExtension);
return sslCredentialsExtension;
}
@@ -803,7 +803,7 @@ private:
(*sslCredentialsExtension)->set_peer_identity(TString(peerIdentityProperty->value, peerIdentityProperty->value_length));
}
- static void ParseIssuer(const TGrpcAuthContextPtr& authContext, std::optional<NGrpc::NProto::TSslCredentialsExt>* sslCredentialsExtension)
+ static void ParseIssuerAndSerialNumber(const TGrpcAuthContextPtr& authContext, std::optional<NGrpc::NProto::TSslCredentialsExt>* sslCredentialsExtension)
{
const char* peerIdentityPropertyName = grpc_auth_context_peer_identity_property_name(authContext.Unwrap());
if (!peerIdentityPropertyName) {
@@ -816,15 +816,23 @@ private:
return;
}
- auto issuer = ParseIssuerFromX509(TStringBuf(pemCertProperty->value, pemCertProperty->value_length));
- if (!issuer) {
+ auto pemCertX509 = ParsePemCertToX509(TStringBuf(pemCertProperty->value, pemCertProperty->value_length));
+ if (!pemCertX509) {
return;
}
- if (!sslCredentialsExtension->has_value()) {
- sslCredentialsExtension->emplace();
+ if (auto issuer = ParseIssuerFromX509(pemCertX509)) {
+ if (!sslCredentialsExtension->has_value()) {
+ sslCredentialsExtension->emplace();
+ }
+ (*sslCredentialsExtension)->set_issuer(std::move(*issuer));
+ }
+ if (auto serialNumber = ParseSerialNumberFromX509(pemCertX509)) {
+ if (!sslCredentialsExtension->has_value()) {
+ sslCredentialsExtension->emplace();
+ }
+ (*sslCredentialsExtension)->set_serial_number(std::move(*serialNumber));
}
- (*sslCredentialsExtension)->set_issuer(std::move(*issuer));
}
void ParseTimeout()
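Review bot: The `if (!sslCredentialsExtension->has_value()) { sslCredentialsExtension->emplace(); }` block is now duplicated verbatim for the issuer and for the serial number; a small local lambda removes the repetition and keeps the two branches parallel. Worth a comment as well is the behavioural change: previously a certificate whose issuer could not be read left the extension untouched, whereas now it can populate `serial_number` without `issuer`, so consumers must not treat `serial_number` alone as an identity. ParseIssuerAndSerialNumber begins before this hunk.
```cpp
// … unchanged: ParsePemCertToX509 call and null check …
auto ensureExtension = [&] {
    if (!sslCredentialsExtension->has_value()) {
        sslCredentialsExtension->emplace();
    }
};
if (auto issuer = ParseIssuerFromX509(pemCertX509)) {
    ensureExtension();
    (*sslCredentialsExtension)->set_issuer(std::move(*issuer));
}
if (auto serialNumber = ParseSerialNumberFromX509(pemCertX509)) {
    ensureExtension();
    (*sslCredentialsExtension)->set_serial_number(std::move(*serialNumber));
}
```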