以编程方式驱动证书颁发机构(C# 或 C++)
我正在编写一个客户端/服务器应用程序,要求服务器能够对客户端进行身份验证,并且还要求对所有通信进行加密。
提供此功能的机制需要独立于服务器和客户端应用程序中,并且需要完全自动化(无需人工交互)。 SSL 似乎是实现此目的的最佳方法,也是我熟悉使用的方法。
对于每个需要部署客户端软件的客户端,我计划创建(动态)一个 MSI 安装程序,其中包含应用程序、客户端证书(由服务器签名)、私钥和服务器公共证书(以便客户端可以对服务器进行身份验证 - 服务器证书可以是自签名的)。
我可以为客户端生成密钥并创建 CSR,但似乎无法找到实际签署 CSR 并为客户端生成证书的方法。我研究了 Win32 Crypto API,但没有找到任何有关如何实际签署 CSR 并获取客户端证书的示例。
我知道如何使用 openssl 工具从命令行执行所有这些操作,但不确定如何从应用程序内执行此操作。
请注意,不能选择对 openssl 工具进行系统调用并传入我知道可以工作的参数,因为依赖 openssl 工具不以任何方式受到损害会带来巨大的安全风险。这样做并不能满足自包含的要求。
我正在以正确的方式解决这个问题,或者是否有更好的方法来实现同样的事情 - 基本上对连接到服务器的客户端进行身份验证,以及连接客户端对它们连接到的服务器进行身份验证的方式,全部加密。
我无法对具有静态 IP 或主机名的服务器(或客户端)做出任何假设(DNS 无论如何都可能被破坏),也无法对任何现有的 PKI 基础设施做出任何假设。
我主要在 C#.Net 中编写此内容,但如果它为我提供了此功能,我会考虑为其编写一个 C++ 扩展。
最后,这是我在这里发表的第一篇文章,所以如果我错过了一些明显的内容或缺少任何细节,请询问,我会填补空白:)
谢谢,
詹姆斯
I'm writing a client/server application that requires the server needs to be able to authenticate the client and also requires all comms to be encrypted.
The mechanism to provide this needs to be self contained within the server and client application and also to be fully automated (no human interaction required). SSL seems to be the best way to do this and is also something I am familiar with using.
For each client that needs the client software deploying to it, I planned to create (on the fly) an MSI installer with the application, the clients certificate (signed by the server) and private key and the servers public certificate (so the clients can authenticate the server - the server certificate could be self signed).
I can generate the key for the client and make a CSR, but don't seem to be able to find a way of actually signing the CSR and generating a certificate for the client thou. I have looked into the Win32 Crypto API, but haven't managed to find any examples of how to actually sign a CSR and get a client certificate.
I know how to do all of this from the command line with the openssl tool, but am not sure of how to do it from within an application.
Please note that making system calls out to the openssl tool and passing in the parameters I know to work is not an option as it's a huge security risk to rely on the openssl tool not being compromised in any way. Doing it this way wouldn't for fill the self contained requirement.
I am going about this the right way, or is there a better way to achieve the same thing - basically authentication of the clients connecting to the server and a way of the connecting client to authenticate the server they connect to, all encrypted.
I cannot make any assumptions about the server (or clients) having a static IP or hostname (DNS can be broken anyways), nor can I make any assumptions about any existing PKI infrastructure.
I am writing this primarily in C#.Net, but would consider writing a C++ extension to this if it gives me this functionality.
Finally this is my first post here, so if I've missed out something obvious or have been short on any details, please ask and I'll fill in the gaps :)
Thanks,
James
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在 C# 中,您可以使用我们 SecureBlackbox 产品的 PKIBlackbox 包,它提供了您所需要的所有功能正在 .NET 中寻找。也许 BouncyCastle 库也包含此功能。
In C# you can use PKIBlackbox package of our SecureBlackbox product which provides all the functionality you are looking for in .NET. Maybe BouncyCastle library also includes this functionality.
您至少需要重新考虑其中的一部分。你所做的事情是根本不安全的。客户端的私钥需要在客户端生成。否则它就不是私有的,因此它不可能满足 PKI 的任何原则。包括您签发该许可证的目的。你失去了独特性,也失去了不可否认性。这都是致命的缺陷。
You need to rethink at least part of this. What you are doing is radically insecure. The client's private key needs to be generated at the client. Otherwise it isn't private, so it cannot possibly satisfy any of the tenets of PKI,. including the purpose for which you are issuing it. You lose uniqueness and you also lose non-repudiability. These are both fatal flaws.