m2crypto 自定义证书验证
我需要在两个对等点之间建立加密连接,并且需要对两者进行身份验证。 两个对等点已经共享另一个对等点公钥的指纹(SHA256 哈希)。 我没有使用 X509 或 OpenPGP 密钥/证书,因为它们对于我的需求来说太大且笨重,并且不适合安全模型。
我正在尝试通过滥用其 x509 模型来与 M2Crypto (不错的库)建立连接:
给定 rsa 私钥,创建一个自签名的几乎空的证书。
连接到提供我的证书的其他对等点
验证其他对等点证书公钥指纹;
下面的代码安全吗?这是正确的吗?有没有办法做得更好(也许与其他库一起)? 我的疑问是 OpenSSL 实际上没有使用证书公钥进行身份验证,因为我没有请求对证书进行任何验证。
我只需要使用由 der 编码的 rsa 密钥验证的加密流,欢迎任何适用于 python 的免费软件解决方案。我更喜欢 M2Crypto,因为我更了解它,并且已经有一些代码在同一个项目中使用它。
这是我的代码(只是客户端,服务器应该类似):
other_fingerprints = [] #list of fingerprints, (binary data)
mysocket = ... #any socket object
CERTFILE, KEYFILE = "testcert","testkey" # private key wrapped in the cert
from M2Crypto import *
ctx = SSL.Context('sslv3')
ctx.set_verify(SSL.verify_none, depth=1)
ctx.load_cert(CERTFILE, KEYFILE)
c = SSL.Connection(ctx, mysocket)
c.connect_ssl()
peercert = c.get_peer_cert()
keyobj = peercert.get_pubkey()
keydata = keyobj.as_der()
md = EVP.MessageDigest('sha256')
md.update(keydata)
h = md.digest()
if h not in other_fingerprints:
raise(IOError) #other party not auth'ed
# from now on the connection is secure, right?
c.send("Hello secret world!")
print c.recv(4096)
c.close()
提前感谢大家的回答和建议。
I need to build an encrypted connection between two peers, and I need to authenticate both.
Both peers already share a fingerprint (SHA256 hash) of the other peer public key.
I'm not using X509 or OpenPGP keys/certs as they are too big and bulky for my needs and they don't fit in the security model.
I'm trying to build a connection with M2Crypto (nice library) by abusing its x509 model:
given the rsa private key, create a selfsigned almost-empty cert.
connect to the other peer offering my cert
verify the other peer cert public key fingerprint;
Is the following code secure? is it correct? is there a way do do it better (maybe with other libraries)?
My doubts are about OpenSSL not actually using the certificate public key for authentication as I'm not requesting any verification of the certificates.
I just need to use encrypted streams authed by der-encoded rsa keys, any Free Software solution for python is welcome. I'd like M2Crypto more because I know it better and have already some code using it in the same project.
Here is my code (just the client peer, server should be similar):
other_fingerprints = [] #list of fingerprints, (binary data)
mysocket = ... #any socket object
CERTFILE, KEYFILE = "testcert","testkey" # private key wrapped in the cert
from M2Crypto import *
ctx = SSL.Context('sslv3')
ctx.set_verify(SSL.verify_none, depth=1)
ctx.load_cert(CERTFILE, KEYFILE)
c = SSL.Connection(ctx, mysocket)
c.connect_ssl()
peercert = c.get_peer_cert()
keyobj = peercert.get_pubkey()
keydata = keyobj.as_der()
md = EVP.MessageDigest('sha256')
md.update(keydata)
h = md.digest()
if h not in other_fingerprints:
raise(IOError) #other party not auth'ed
# from now on the connection is secure, right?
c.send("Hello secret world!")
print c.recv(4096)
c.close()
Thank you all in advance for your answers and advice.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
看来您的方法应该可行,但是您已经可以使用内置的指纹检查器。请参阅此处:要放置什么制作 OpenSSL 密钥时的 commonName?
It seems your approach should work, but there is already a builtin fingerprint checker you might be able to use. See here: What to put for a commonName when making an OpenSSL key?
答案就在问题中:使用正确的 x509 证书,并对称地验证/验证。 “这样安全吗?” - 不,因为你必须问。
您的解决方案可能有效,但事实上您正在寻求有关“这安全吗?”的建议。告诉我你应该直接使用盒子里的东西。
The answer is in the question: use proper x509 certificates, and validate/verify symmetrically. "Is this secure?" - no, because you have to ask.
Your solution may work, but the fact you are asking for advice on "Is this secure?" tells me that you should probably use stuff straight from the box.