From 051b555c615edc03ea2e1034f41bc9e590ec4741 Mon Sep 17 00:00:00 2001
From: alashkova
Date: Mon, 24 Feb 2025 16:17:45 +0300
Subject: [PATCH] =?UTF-8?q?SUPPORT-8941.=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?=
 =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D0=BE=20=D0=BF=D0=BE=D0=BB=D1=83=D1=87=D0=B5?=
 =?UTF-8?q?=D0=BD=D0=B8=D0=B5=20=D0=BD=D0=B0=D0=B7=D0=B2=D0=B0=D0=BD=D0=B8?=
 =?UTF-8?q?=D1=8F=20=D0=B8=20=D1=82=D0=B8=D0=BF=D0=B0=20=D0=BF=D1=80=D0=BE?=
 =?UTF-8?q?=D0=B2=D0=B0=D0=B9=D0=B4=D0=B5=D1=80=D0=B0=20=D0=B8=D0=B7=20?=
 =?UTF-8?q?=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80=D0=B0=D1=86?=
 =?UTF-8?q?=D0=B8=D0=BE=D0=BD=D0=BD=D0=BE=D0=B3=D0=BE=20=D1=84=D0=B0=D0=B9?=
 =?UTF-8?q?=D0=BB=D0=B0=20(=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D0=BA?=
 =?UTF-8?q?=D0=B0=20=D0=AD=D0=9F=20=D0=BC=D0=B0=D1=80=D0=BA=D0=B5=D1=80?=
 =?UTF-8?q?=D0=B0=20=D0=B4=D0=BE=D1=81=D1=82=D1=83=D0=BF=D0=B0)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/modules/service_verify.c | 32 ++++++++++++++++++++++++--------
 src/modules/service_verify.h | 3 ++-
 src/service_manager.c | 2 +-
 src/utils/cryptopro.c | 28 ++++++++++++++--------------
 src/utils/cryptopro.h | 2 +-
 5 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/src/modules/service_verify.c b/src/modules/service_verify.c
index 521be5e..3316dc1 100644
--- a/src/modules/service_verify.c
+++ b/src/modules/service_verify.c
@@ -26,6 +26,10 @@ static const char* ACCEPTABLE_CONTENT_TYPE = "text/plain";
 typedef struct verify_service_s {
     const verify_conf_t *conf;
+    cryptopro_context_t cryptopro_ctx;
+
+    timer_context_t timer_ctx;
+
 } verify_service_t;
@@ -41,7 +45,7 @@ typedef struct fcgi_verify_request_s {
 static fcgi_request_handler_pt fcgi_request_finalize_handler(fcgi_handler_status_t status);
 static void fcgi_verify_request_clear(fcgi_verify_request_t *req_info);
 static fcgi_handler_status_t verify_jwt_sign(fcgi_verify_request_t* req_info,
-                                             const verify_service_t *ctx);
+                                             verify_service_t *ctx);
 int
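Review bot: The two members added to verify_service_t carry no comment, and the ownership split they introduce is not obvious from the declaration: the struct appears to live for the whole service (it is created once in init_services), yet cryptopro_ctx is later written per request when verify_sign_using_thumbprint_list assigns ctx->cert_thumbprint. Suggest `cryptopro_context_t cryptopro_ctx; /* provider name/type from main_conf, set once in verify_service_create; cert_thumbprint is overwritten on every verification */` and `timer_context_t timer_ctx; /* shared by all cryptopro_verify() calls made through this service */` so the next reader knows which fields are immutable after creation.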
@@ -102,7 +106,7 @@ verify_conf_clear(verify_conf_t *conf)
 }
 HVerify
-verify_service_create(const verify_conf_t *conf)
+verify_service_create(const verify_conf_t *conf, const main_conf_t *main_conf)
 {
     LOG_TRACE("verify_service_create enter");
@@ -114,6 +118,15 @@ verify_service_create(const verify_conf_t *conf)
     hverify->conf = conf;
+    init_timers(&hverify->timer_ctx);
+
+    cryptopro_context_set(&hverify->cryptopro_ctx,
+                          NULL,
+                          NULL,
+                          main_conf->cp_name,
+                          main_conf->cp_type,
+                          &hverify->timer_ctx);
+
     LOG_TRACE("verify_service_create exit");
     return (HVerify)hverify;
@@ -246,9 +259,9 @@ fcgi_verify_request_clear(fcgi_verify_request_t *req_info)
 }
 static int
-verify_sign_using_thumbprint_list(const string_list_t* thumbprint_list, const str_t* alg,
-                                  const str_t* header_payload, const str_t* sign,
-                                  bool* is_verified, char** verify_error)
+verify_sign_using_thumbprint_list(cryptopro_context_t *ctx, const string_list_t* thumbprint_list,
+                                  const str_t* alg, const str_t* header_payload,
+                                  const str_t* sign, bool* is_verified, char** verify_error)
 {
     int rc = -1;
@@ -263,7 +276,9 @@ verify_sign_using_thumbprint_list(const string_list_t* thumbprint_list, const st
         LOG_DEBUG("Try to verify jwt using cert with thumbprint '%s'...", cert_thumbprint);
-        rc = cryptopro_verify(&thumbprint, alg, header_payload, sign, is_verified, verify_error);
+        ctx->cert_thumbprint = &thumbprint;
+
+        rc = cryptopro_verify(ctx, alg, header_payload, sign, is_verified, verify_error);
         if (rc) {
             LOG_ERROR("cryptopro_verify() failed for cert with thumbprint '%s'", cert_thumbprint);
         }
@@ -282,7 +297,7 @@ verify_sign_using_thumbprint_list(const string_list_t* thumbprint_list, const st
 }
 static fcgi_handler_status_t
-verify_jwt_sign(fcgi_verify_request_t* req_info, const verify_service_t *ctx)
+verify_jwt_sign(fcgi_verify_request_t* req_info, verify_service_t *ctx)
 {
     LOG_TRACE("verify_jwt_sign enter");
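Review bot: main_conf is dereferenced for cp_name and cp_type without a NULL check, and the outcome of cryptopro_context_set is not examined: if that helper can fail or reports one through a return value, the service is created with an unset provider and the failure only surfaces later inside CryptAcquireContext. The only caller in this commit (service_manager.c) passes `&services_cf->main_cf`, so the pointer is non-NULL today, but the new public prototype accepts any pointer and verify_service_free is not touched by the commit, so any resource the context may hold is never released. Suggest `if (main_conf == NULL) { ... return NULL via the function's existing failure path ... }` before the call, and a sentence in service_verify.h stating that main_conf must be non-NULL and must outlive the service, since cryptopro.c later logs ctx->provider directly, which suggests the context keeps the cp_name pointer rather than a copy. verify_service_create's body starts and ends outside this hunk.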
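Review bot: `ctx->cert_thumbprint = &thumbprint;` stores the address of `thumbprint` — which the original also took by address and which looks like a per-iteration local of this function — into the cryptopro_context_t embedded in the long-lived verify_service_t, so after this function returns ctx->cert_thumbprint dangles until the next verification overwrites it, and any other code reaching cryptopro_verify through the same context would read dead stack. It also converts what was a plain parameter into per-request mutable state on a service object that every request shares; if the FastCGI server dispatches requests on more than one thread this is a data race on the thumbprint pointer, and it is the reason `const` had to be dropped from verify_jwt_sign in this file. The cleaner shape is to keep the thumbprint as an explicit argument, `rc = cryptopro_verify(ctx, &thumbprint, alg, header_payload, sign, is_verified, verify_error);`, and leave the context const; failing that, at least reset it after the loop with `ctx->cert_thumbprint = NULL;` and document the contract at the member. verify_sign_using_thumbprint_list's body begins and ends outside this hunk.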
@@ -329,7 +344,8 @@ verify_jwt_sign(fcgi_verify_request_t* req_info, const verify_service_t *ctx)
         goto error;
     }
-    if (verify_sign_using_thumbprint_list(&ctx->conf->esia_cert_thumbprint_list, &alg,
+    if (verify_sign_using_thumbprint_list(&ctx->cryptopro_ctx,
+                                          &ctx->conf->esia_cert_thumbprint_list, &alg,
                                           &header_payload, &sign, &is_verified,
                                           &req_info->verify_error)) {
         goto error;
diff --git a/src/modules/service_verify.h b/src/modules/service_verify.h
index b6346ce..c116e97 100644
--- a/src/modules/service_verify.h
+++ b/src/modules/service_verify.h
@@ -1,6 +1,7 @@
 #ifndef SERVICE_VERIFY_H_INCLUDED
 #define SERVICE_VERIFY_H_INCLUDED
+#include "main_conf.h"
 #include "fcgisrv/fcgi_server.h"
 #include "utils/conf_file_context.h"
@@ -18,7 +19,7 @@ typedef struct verify_conf_s {
 int verify_conf_load(verify_conf_t *conf, const conf_file_context_t conf_file);
 void verify_conf_clear(verify_conf_t *conf);
-HVerify verify_service_create(const verify_conf_t *conf);
+HVerify verify_service_create(const verify_conf_t *conf, const main_conf_t *main_conf);
 void verify_service_free(HVerify hverify);
 fcgi_handler_status_t fcgi_verify_handler(FCGX_Request* request, void* ctx);
diff --git a/src/service_manager.c b/src/service_manager.c
index 608e583..b432990 100644
--- a/src/service_manager.c
+++ b/src/service_manager.c
@@ -251,7 +251,7 @@ init_services(service_manager_t* services, const service_manager_conf_t* service
     }
     /* verify service */
-    services->hverify = verify_service_create(&services_cf->verify_cf);
+    services->hverify = verify_service_create(&services_cf->verify_cf, &services_cf->main_cf);
     if (services->hverify == NULL) {
         goto error;
     }
diff --git a/src/utils/cryptopro.c b/src/utils/cryptopro.c
index 7ffa51f..5d183fd 100644
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@@ -673,7 +673,7 @@ get_verify_error(char** verify_error)
 }
 int
-cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* data,
+cryptopro_verify(cryptopro_context_t *ctx, const str_t* alg, const str_t* data,
                  const str_t* sign, bool* is_verified, char** verify_error)
 {
     int rc = -1;
@@ -684,13 +684,10 @@ cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* da
     HCRYPTKEY hPubKey = 0;
     str_t sign_reversed = str_t_null;
     ALG_ID alg_id;
-    timer_context_t timer_ctx = {};
-
-    init_timers(&timer_ctx);
     LOG_TRACE("cryptopro_verify enter");
-    timer_on_cryptopro_verify_enter(&timer_ctx);
+    timer_on_cryptopro_verify_enter(ctx->timer_ctx);
     *is_verified = false;
@@ -707,22 +704,25 @@ cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* da
         goto exit;
     }
-    certificate = get_cert_by_thumbprint(hStoreHandle, cert_thumbprint);
+    certificate = get_cert_by_thumbprint(hStoreHandle, ctx->cert_thumbprint);
     if (certificate == NULL) {
         goto exit;
     }
-    timer_on_verify_cert_chain_enter(&timer_ctx);
+    timer_on_verify_cert_chain_enter(ctx->timer_ctx);
-    if (!verify_cert_chain(certificate, &timer_ctx)) {
+    if (!verify_cert_chain(certificate, ctx->timer_ctx)) {
         goto exit;
     }
-    timer_on_verify_cert_chain_exit(&timer_ctx);
+    timer_on_verify_cert_chain_exit(ctx->timer_ctx);
-    if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_GOST_2012_256,
+    LOG_DEBUG("provider: '%s', prov_type: %u", ctx->provider, ctx->prov_type);
+
+    if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, ctx->provider, ctx->prov_type,
                                               CRYPT_VERIFYCONTEXT)) {
-        LOG_ERROR("CryptAcquireContext() failed");
+        LOG_ERROR("CryptAcquireContext() failed. provider: '%s', prov_type: %u",
+                  ctx->provider, ctx->prov_type);
         goto exit;
     }
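Review bot: The per-call `init_timers(&timer_ctx)` is deleted and the timer state now comes from ctx->timer_ctx, which verify_service_create initialises exactly once, so unless the timer_* helpers overwrite rather than accumulate, the timer_log_verify() at the end of this function (hunk @@ -802,8 +802,8 @@) reports values carried over from earlier verifications, and two verifications running concurrently on the same service would interleave their timestamps. Timing state is per call by nature, and the previous code made that explicit with a stack-local context. Suggest either `init_timers(ctx->timer_ctx);` right after the LOG_TRACE at entry, or keeping a local `timer_context_t timer_ctx;` here and passing `&timer_ctx` as before; what init_timers resets is not visible in this diff.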
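Review bot: Both new log calls print ctx->provider with `%s`, but a NULL provider is a legitimate value on this path — CryptAcquireContext treats a NULL provider name as "use the default provider", and service_verify.c fills the field straight from main_conf->cp_name, so an absent config entry plausibly yields NULL; passing NULL to `%s` is undefined behaviour (glibc prints "(null)", some libcs crash). Suggest `const char *prov = ctx->provider ? ctx->provider : "(default)";` ahead of the LOG_DEBUG and using `prov` in both messages. The `%u` conversion for ctx->prov_type is correct only if prov_type is an unsigned 32-bit type such as DWORD; its declaration is not in the diff, so worth confirming under -Wformat. cryptopro_verify continues past this hunk.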
@@ -757,7 +757,7 @@ cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* da
             goto exit;
         }
         LOG_WARN("%s, cert_thumbprint: %.*s", *verify_error,
-                 (int) cert_thumbprint->len, cert_thumbprint->data);
+                 (int) ctx->cert_thumbprint->len, ctx->cert_thumbprint->data);
     }
 exit:
@@ -802,8 +802,8 @@ exit:
                 cp_function_list.GetLastError());
     }
-    timer_on_cryptopro_verify_exit(&timer_ctx);
-    timer_log_verify(&timer_ctx);
+    timer_on_cryptopro_verify_exit(ctx->timer_ctx);
+    timer_log_verify(ctx->timer_ctx);
     return rc;
 }
diff --git a/src/utils/cryptopro.h b/src/utils/cryptopro.h
index efe129a..6a318c4 100644
--- a/src/utils/cryptopro.h
+++ b/src/utils/cryptopro.h
@@ -43,7 +43,7 @@ void close_signer_cert(cryptopro_context_t *ctx);
 int cryptopro_sign(const cryptopro_context_t *ctx, const str_t *data, /*out*/ str_t *sign);
-int cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t *data,
+int cryptopro_verify(cryptopro_context_t *сtx, const str_t* alg, const str_t *data,
                      const str_t *sign, bool* is_verified, char** verify_error);
 int cryptopro_gen_random(const cryptopro_context_t *ctx, unsigned char* data, size_t len);
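Review bot: The parameter in the new cryptopro_verify prototype appears to be spelled `сtx` with a Cyrillic "с" (U+0441) in place of the ASCII "c" — the definition in cryptopro.c uses plain `ctx` and the commit message is Russian, so this looks like a keyboard-layout slip. As a prototype-only parameter name it compiles on toolchains that accept UTF-8 identifiers, but it is invisible in review, will fail on older compilers or stricter warning sets, and look-alike identifiers are exactly what confusable-character scanners on source trees flag. Suggest `int cryptopro_verify(const cryptopro_context_t *ctx, const str_t* alg, const str_t *data,`, which also restores `const` to match the neighbouring cryptopro_sign and cryptopro_gen_random prototypes; in the hunks shown, cryptopro_verify only reads through ctx (timer_ctx is a pointer member), so const becomes achievable once the thumbprint is passed as an argument instead of being written into the context by the caller.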