Hello,
first let me apologise in advance since this list is probably
inappropriate but I got no answer in openssl-users in more than one week,
that list seems more user-tools oriented. I forward the whole email, but
please have a look at least in the summary that prepends it. I appreciate
all help I can get. :-)
Summary:
* Client and server have their RSA key pairs. They also have exchanged
their public keys. I.e. client has server's public RSA key, Server has
client's public RSA key.
* Both generate temporary in-memory certificate with dummy data,
containing public key, and signed with private. These certificates are
both-ways exchanged during the TLS handshake.
* Now the client has to verify the server's certificate and vice-versa.
Since I disable all OpenSSL verification with
SSL_CTX_set_cert_verify_callback(), I have to do it manually.
*** THIS IS THE PART I HAVE DOUBTS ABOUT ***
For this part I call the undocumented X509_get_pubkey(received_cert), and
compare that public key to the one stored. But How can I verify that the
received certificate is not tampered, i.e. properly signed by that peer's
private key, what call in the API should I use? Any other comments on this
trust verification procedure?
Thank you in advance,
Dimitris
---------- Forwarded message ----------
Date: Mon, 29 Jul 2013 16:29:26 +0200 (CEST)
From: Dimitrios Apostolou <ji...@gmx.net>
To: openssl-us...@openssl.org
Subject: Using TLS to establish SSH-like key based trust model
Hello list,
I am trying to use OpenSSL to provide SSH-like trust model, by using TLS. That
means that the two peers have an RSA key pair stored, no certificate. They have
also exchanged their public keys in a secure manner. Here is the way I do it, I
would appreciate all opinions on this:
* During initialisation peers generate an in-memory, temporary x509
certificate. It contains the minimal dummy data I could get away with, i.e. a
dummy CN, issuer, and 100 years lifetime before expiring. These are never
checked anyway.
* The important step is that the certificate contains the peer's public key and
it is signed using the peer's private key:
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, PRIVKEY);
X509_set_pubkey(x509, pkey);
X509_sign(x509, pkey, EVP_sha384());
* The x509 certificate is then assigned to SSL_CTX (SSL_CTX_use_certificate())
and is used for the whole application lifetime.
* For trust establishment I disable the callback mechanism
(SSL_CTX_set_cert_verify_callback(always_success_callback)) mainly because I
had issues with multiple threads. I also set the option to request certificate
both ways (SSL_CTX_set_verify(SSL_VERIFY_PEER) in both peers). Immediately
after each TLS session is established I do the following:
X509 *received_cert = SSL_get_peer_certificate(ssl);
EVP_PKEY *received_pubkey = X509_get_pubkey(received_cert);
// expected_rsa_key is the foreign peer's public key, we assume it has been
safely exchanged
EVP_PKEY expected_pubkey = { 0 };
ret = EVP_PKEY_assign_RSA(&expected_pubkey, expected_rsa_key);
ret = EVP_PKEY_cmp(received_pubkey, &expected_pubkey);
if (ret == 1)
return 1; // THE SESSION IS SECURE!
else
return 0; // WATCH-OUT!
That means I ignore all of the certificate besides the public key, which I
compare to the stored one. The in-memory certificate is re-generated from the
stored RSA key every time the application starts.
Do you think this is a secure design/implementation for my requirements? Can
you identify any flaws?
Thank you in advance,
Dimitris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
