Lua:使用 LuaSec 成功进行客户端身份验证后如何获取客户端详细信息
我使用 LuaSec 0.4 中的默认“oneshot”示例(见下文)来实现 2 路身份验证。身份验证成功,因此显然证书颁发机构 (CA) 承认对等方就是他们声称的身份。
但我怎样才能看到同行声称是谁呢?例如,如何检查对等证书的组织名称?因为虽然客户端现在可以相信服务器已被 CA 识别,但客户端并不知道服务器是否真的是正确的对等点。
反之亦然:服务器知道 CA 已知连接客户端。但是很多客户端都是CA已知的,那么服务器如何知道连接的是哪个客户端呢?
-------- For the sake of completeness
------- server code:
require("socket")
require("ssl")
local params = {
mode = "server",
protocol = "sslv3",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = {"all", "no_sslv2"},
}
-- SSL context
local ctx = assert(ssl.newcontext(params))
local server = socket.tcp()
server:setoption('reuseaddr', true)
assert( server:bind("127.0.0.1", 8888) )
server:listen()
local peer = server:accept()
-- SSL wrapper
peer = assert( ssl.wrap(peer, ctx) )
assert( peer:dohandshake() )
local fd = peer:getfd()
peer:send("oneshot test\n")
peer:close()
------- client code:
require("socket")
require("ssl")
local params = {
mode = "client",
protocol = "sslv3",
key = "../certs/clientAkey.pem",
certificate = "../certs/clientA.pem",
cafile = "../certs/rootA.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = {"all", "no_sslv2"},
}
local peer = socket.tcp()
peer:connect("127.0.0.1", 8888)
-- SSL wrapper
peer = assert( ssl.wrap(peer, params) )
assert(peer:dohandshake())
print(peer:receive("*l"))
peer:close()
I am using the default 'oneshot' example (see below) from LuaSec 0.4 to implement 2-way authentication. Authentication is successful, so apparently the Certificate Authority (CA) acknowledges that the peers are who they claim to be.
But how can I see who the peers claim to be? E.g. how can I inspect the organization name of the peer's certificate? Because although the client can now trust that the server is known by the CA, the client does not know if the server is really the right peer.
And the other way around: the server knows that the connect client is known by the CA. But many clients are known by the CA, so how can the server know which client is connected?
-------- For the sake of completeness
------- server code:
require("socket")
require("ssl")
local params = {
mode = "server",
protocol = "sslv3",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = {"all", "no_sslv2"},
}
-- SSL context
local ctx = assert(ssl.newcontext(params))
local server = socket.tcp()
server:setoption('reuseaddr', true)
assert( server:bind("127.0.0.1", 8888) )
server:listen()
local peer = server:accept()
-- SSL wrapper
peer = assert( ssl.wrap(peer, ctx) )
assert( peer:dohandshake() )
local fd = peer:getfd()
peer:send("oneshot test\n")
peer:close()
------- client code:
require("socket")
require("ssl")
local params = {
mode = "client",
protocol = "sslv3",
key = "../certs/clientAkey.pem",
certificate = "../certs/clientA.pem",
cafile = "../certs/rootA.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = {"all", "no_sslv2"},
}
local peer = socket.tcp()
peer:connect("127.0.0.1", 8888)
-- SSL wrapper
peer = assert( ssl.wrap(peer, params) )
assert(peer:dohandshake())
print(peer:receive("*l"))
peer:close()
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
从 0.4 开始,LuaSec 不提供用于检索/解码证书的 API。由于我们在 Prosody XMPP 服务器中使用 LuaSec,并且 XMPP 也可以使用 TLS+证书进行身份验证,因此我们一直在 LuaSec 上进行黑客攻击以支持 API。
我们的工作尚未合并到上游,但希望很快就会合并。同时,您可以在这里找到它:http://code.matthewwild.co.uk/luasec- hg
获取远程实体的证书非常简单:
这将返回一个 X509 证书对象,具有各种方法,例如:subject()、:issuer() 和 :extensions()。
当我们最终确定代码时,一些 API 可能会发生变化,但如果您有任何问题,请随时与我联系。
As of 0.4 LuaSec does not provide an API for retrieving/decoding certificates. As we use LuaSec in the Prosody XMPP server and XMPP can also use TLS+certs for authentication, we've been hacking on LuaSec to support APIs for this.
Our work is not yet merged upstream, but hopefully it shall be soon. In the meantime you can find it here: http://code.matthewwild.co.uk/luasec-hg
Getting the remote entity's cert is as simple as:
This returns an X509 cert object with various methods like :subject(), :issuer() and :extensions().
Some of the APIs are probably going to change as we finalise the code, but feel free to contact me if you have any issues.
不幸的是,目前似乎无法在 LuaSec 中获取身份/检查证书。这是一个非常简单的绑定(就 API 而言,而不是功能而言),可以连接到安全服务器。
为了获取证书,最简单的方法是修改LuaSec并添加一个类似
getpeercert()的函数,该函数内部使用SSL_get_peer_certificate(const SSL *ssl)并返回一个Lua包含主要条目的表。Unfortunately, it seems there is currently no way the get the identity/examine the certificate in LuaSec. It is a very simple binding (in terms of API, not functionality) to enable connecting to secured servers.
In order get the certificate, the easiest way is to modify LuaSec and add a function like
getpeercert(), which internally usesSSL_get_peer_certificate(const SSL *ssl)and returns a Lua table with the main entries.