author | robot-piglet <robot-piglet@yandex-team.com> | 2024-09-25 18:01:01 +0300 |
committer | robot-piglet <robot-piglet@yandex-team.com> | 2024-09-25 18:09:43 +0300 |
commit | c9d7dbfe7496e368fdac64fa36ef1bd24745cfc5 (patch) | |
tree | 954c5819b9062a83f580a5e354b9e5419b207f51 | |
parent | 07ceeeab0c1d69f642190a110ca748163bc189b6 (diff) | |
Intermediate changes
commit_hash:a2a7945a295a16d334554e99646b5d670df0bdeb
-rw-r--r-- | yt/yt/core/rpc/grpc/helpers.cpp | 46 | ||||
-rw-r--r-- | yt/yt/core/rpc/grpc/helpers.h | 9 | ||||
-rw-r--r-- | yt/yt/core/rpc/grpc/proto/grpc.proto | 1 | ||||
-rw-r--r-- | yt/yt/core/rpc/grpc/server.cpp | 22 |
4 files changed, 59 insertions, 19 deletions
diff --git a/yt/yt/core/rpc/grpc/helpers.cpp b/yt/yt/core/rpc/grpc/helpers.cpp
index a42d958a11..bfe01bf540 100644
--- a/yt/yt/core/rpc/grpc/helpers.cpp
+++ b/yt/yt/core/rpc/grpc/helpers.cpp
@@ -42,6 +42,11 @@ TGprString MakeGprString(char* str)
     return TGprString(str, gpr_free);
 }
+TX509Ptr MakeX509Ptr(X509* cert)
+{
+    return TX509Ptr(cert, X509_free);
+}
+
 TStringBuf ToStringBuf(const grpc_slice& slice)
 {
     return TStringBuf(
@@ -522,25 +527,21 @@ TGrpcServerCredentialsPtr LoadServerCredentials(const TServerCredentialsConfigPt
         nullptr));
 }
-std::optional<TString> ParseIssuerFromX509(TStringBuf x509String)
+TX509Ptr ParsePemCertToX509(TStringBuf pemCert)
 {
     auto* bio = BIO_new(BIO_s_mem());
     auto bioGuard = Finally([&] {
         BIO_free(bio);
     });
-    BIO_write(bio, x509String.data(), x509String.length());
-
-    auto* x509 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
-    auto x509Guard = Finally([&] {
-        X509_free(x509);
-    });
+    BIO_write(bio, pemCert.data(), pemCert.length());
-    if (!x509) {
-        return std::nullopt;
-    }
+    return MakeX509Ptr(PEM_read_bio_X509(bio, nullptr, nullptr, nullptr));
+}
-    auto* issuerName = X509_get_issuer_name(x509);
+std::optional<TString> ParseIssuerFromX509(const TX509Ptr& pemCertX509)
+{
+    auto* issuerName = X509_get_issuer_name(pemCertX509.get());
     std::array<char, 1024> buf;
     auto* issuerString = X509_NAME_oneline(issuerName, buf.data(), buf.size());
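Review bot: ParseIssuerFromX509 dereferences `pemCertX509.get()` without a null check, yet ParsePemCertToX509 in the same hunk returns a null TX509Ptr whenever PEM_read_bio_X509 fails, so the guard the old single function had now lives only in the caller; add `if (!pemCertX509) { return std::nullopt; }` as the first statement, and the same guard is missing in ParseSerialNumberFromX509 in the next hunk. ParsePemCertToX509 also leaves the `BIO_new` result and the `BIO_write` return value unchecked, and narrows `pemCert.length()` to int in that call (pre-existing, but now the sole parsing entry point). The 1024-byte `buf` handed to X509_NAME_oneline silently truncates long issuer DNs, so two issuers agreeing on their first 1023 characters produce the same string; since the issuer is now paired with the serial number as an identity, consider `X509_NAME_oneline(issuerName, nullptr, 0)` freed with OPENSSL_free, or a comparison-stable form such as X509_NAME_print_ex with XN_FLAG_RFC2253. The body of ParseIssuerFromX509 continues past the end of this hunk.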
@@ -551,6 +552,29 @@ std::optional<TString> ParseIssuerFromX509(TStringBuf x509String)
     return TString(issuerString);
 }
+std::optional<TString> ParseSerialNumberFromX509(const TX509Ptr& pemCertX509)
+{
+    ASN1_STRING* serialNumber = X509_get_serialNumber(pemCertX509.get());
+    if (!serialNumber) {
+        return std::nullopt;
+    }
+    BIGNUM* bn = ASN1_INTEGER_to_BN(serialNumber, nullptr);
+    auto bnGuard = Finally([&] {
+        BN_free(bn);
+    });
+    if (!bn) {
+        return std::nullopt;
+    }
+    char* hexSerialNumber = BN_bn2hex(bn);
+    auto serialNumberGuard = Finally([&] {
+        OPENSSL_free(hexSerialNumber);
+    });
+    if (!hexSerialNumber) {
+        return std::nullopt;
+    }
+    return TString(hexSerialNumber);
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 TGuardedGrpcCompletionQueue::TGuardedGrpcCompletionQueue(TGrpcCompletionQueuePtr completionQueue)
diff --git a/yt/yt/core/rpc/grpc/helpers.h b/yt/yt/core/rpc/grpc/helpers.h
index 8c3d2ec565..b6b775c483 100644
--- a/yt/yt/core/rpc/grpc/helpers.h
+++ b/yt/yt/core/rpc/grpc/helpers.h
@@ -16,6 +16,8 @@
 #include <contrib/libs/grpc/include/grpc/impl/codegen/grpc_types.h>
 #include <contrib/libs/grpc/include/grpc/byte_buffer_reader.h>
+typedef struct x509_st X509;
+
 namespace NYT::NRpc::NGrpc {
 ////////////////////////////////////////////////////////////////////////////////
@@ -23,6 +25,9 @@ namespace NYT::NRpc::NGrpc {
 using TGprString = std::unique_ptr<char, void(*)(void*)>;
 TGprString MakeGprString(char* str);
+using TX509Ptr = std::unique_ptr<X509, void(*)(X509*)>;
+TX509Ptr MakeX509Ptr(X509* cert);
+
 TStringBuf ToStringBuf(const grpc_slice& slice);
 ////////////////////////////////////////////////////////////////////////////////
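Review bot: ParseSerialNumberFromX509 returns the `BN_bn2hex` text verbatim and nothing records what that form is: uppercase hex digits, whole bytes with leading zero bytes dropped, and a leading `-` when the ASN.1 INTEGER is negative, which differs from the lowercase or zero-padded forms other tooling prints. Document it on the declaration with a comment such as `// Serial number as uppercase hex, as produced by BN_bn2hex (no leading zero bytes, '-' prefix if negative).` so consumers normalise before comparing against values obtained elsewhere. A point of style: X509_get_serialNumber is declared to return `ASN1_INTEGER*`, so `ASN1_INTEGER* serialNumber` names the type the code actually handles even though `ASN1_STRING*` compiles, and `const ASN1_INTEGER*` via X509_get0_serialNumber would additionally express that the certificate is not modified.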
@@ -289,7 +294,9 @@ TError DeserializeError(TStringBuf serializedError);
 TGrpcPemKeyCertPair LoadPemKeyCertPair(const TSslPemKeyCertPairConfigPtr& config);
 TGrpcChannelCredentialsPtr LoadChannelCredentials(const TChannelCredentialsConfigPtr& config);
 TGrpcServerCredentialsPtr LoadServerCredentials(const TServerCredentialsConfigPtr& config);
-std::optional<TString> ParseIssuerFromX509(TStringBuf x509String);
+TX509Ptr ParsePemCertToX509(TStringBuf pemCert);
+std::optional<TString> ParseIssuerFromX509(const TX509Ptr& pemCertX509);
+std::optional<TString> ParseSerialNumberFromX509(const TX509Ptr& pemCertX509);
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/yt/yt/core/rpc/grpc/proto/grpc.proto b/yt/yt/core/rpc/grpc/proto/grpc.proto
index 6ec01e35f9..cde26cec75 100644
--- a/yt/yt/core/rpc/grpc/proto/grpc.proto
+++ b/yt/yt/core/rpc/grpc/proto/grpc.proto
@@ -13,6 +13,7 @@ message TSslCredentialsExt
     optional string peer_identity = 1;
     optional string issuer = 2;
+    optional string serial_number = 3;
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/yt/yt/core/rpc/grpc/server.cpp b/yt/yt/core/rpc/grpc/server.cpp
index bb693aea89..c90f488740 100644
--- a/yt/yt/core/rpc/grpc/server.cpp
+++ b/yt/yt/core/rpc/grpc/server.cpp
@@ -779,7 +779,7 @@ private:
         std::optional<NGrpc::NProto::TSslCredentialsExt> sslCredentialsExtension;
         ParsePeerIdentity(authContext, &sslCredentialsExtension);
-        ParseIssuer(authContext, &sslCredentialsExtension);
+        ParseIssuerAndSerialNumber(authContext, &sslCredentialsExtension);
         return sslCredentialsExtension;
     }
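Review bot: The new `serial_number` field in TSslCredentialsExt carries no comment, and a certificate serial number is only unique within the issuing CA, so a consumer that keys authorization on this field alone would treat certificates from different CAs with colliding serials as the same identity; add `// Serial number of the peer certificate, uppercase hex. Unique only within the issuing CA: match it together with issuer.` above the field. The encoding stated there should match what the server fills in from BN_bn2hex in helpers.cpp, so that readers of the proto do not have to trace the producer.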
@@ -803,7 +803,7 @@ private:
         (*sslCredentialsExtension)->set_peer_identity(TString(peerIdentityProperty->value, peerIdentityProperty->value_length));
     }
-    static void ParseIssuer(const TGrpcAuthContextPtr& authContext, std::optional<NGrpc::NProto::TSslCredentialsExt>* sslCredentialsExtension)
+    static void ParseIssuerAndSerialNumber(const TGrpcAuthContextPtr& authContext, std::optional<NGrpc::NProto::TSslCredentialsExt>* sslCredentialsExtension)
     {
         const char* peerIdentityPropertyName = grpc_auth_context_peer_identity_property_name(authContext.Unwrap());
         if (!peerIdentityPropertyName) {
@@ -816,15 +816,23 @@ private:
             return;
         }
-        auto issuer = ParseIssuerFromX509(TStringBuf(pemCertProperty->value, pemCertProperty->value_length));
-        if (!issuer) {
+        auto pemCertX509 = ParsePemCertToX509(TStringBuf(pemCertProperty->value, pemCertProperty->value_length));
+        if (!pemCertX509) {
             return;
         }
-        if (!sslCredentialsExtension->has_value()) {
-            sslCredentialsExtension->emplace();
+        if (auto issuer = ParseIssuerFromX509(pemCertX509)) {
+            if (!sslCredentialsExtension->has_value()) {
+                sslCredentialsExtension->emplace();
+            }
+            (*sslCredentialsExtension)->set_issuer(std::move(*issuer));
+        }
+        if (auto serialNumber = ParseSerialNumberFromX509(pemCertX509)) {
+            if (!sslCredentialsExtension->has_value()) {
+                sslCredentialsExtension->emplace();
+            }
+            (*sslCredentialsExtension)->set_serial_number(std::move(*serialNumber));
         }
-        (*sslCredentialsExtension)->set_issuer(std::move(*issuer));
     }
     void ParseTimeout()
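Review bot: After the restructuring in the second hunk, a certificate whose issuer fails to parse but whose serial parses now yields an extension holding `serial_number` without `issuer`, whereas the old code returned before populating anything; since a serial is not an identity without its issuer, either keep the all-or-nothing behaviour by returning when `issuer` is empty, or state on the proto field that either value may be absent. Every failure path here (`ParsePemCertToX509` returning null, either parser returning nullopt) is silent, so a peer certificate that gRPC accepted but this code cannot re-parse leaves the extension empty with nothing to investigate; a debug-level log at those returns would help operators. The two `has_value()`/`emplace()` blocks are duplicated; a small lambda `auto ensureExtension = [&] { if (!sslCredentialsExtension->has_value()) { sslCredentialsExtension->emplace(); } };` called from both branches keeps that in one place. ParseIssuerAndSerialNumber begins in the first hunk and the lines between the two hunks are not shown.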