TLS身份验证:每个证书需要包含什么内容?

huangapple go评论90阅读模式
英文:

TLS Authentication: What does each cert need to contain?

问题

我正在编写一个配置守护程序。

它的工作原理如下:

接受以下请求方法:

  • GET(读取)
  • POST(更新)
  • PUT(创建)
  • DELETE(删除)

示例:

PUT http://server1/key(请求体为 value)

将 value 存储在 key 下

GET http://server1/key

返回响应体中的 value

现在,当进行 PUT、POST、DELETE 请求时,它会复制该请求并将其发送到其他节点,以便每个节点都具有相同的数据,并且可以在任何节点上查询,以防其中一个节点不可用。它添加了一个标头,以便节点知道它们不应该复制请求并发送给其他节点。

好的,到目前为止这个工作正常,但现在我只想允许节点和 WebUI 能够向这些节点发送请求。这就是 TLS 起作用的地方。

据我所了解,我需要一个根证书颁发机构(rootCA),这样我就可以签署服务器和客户端证书。而且我希望拥有有效的证书,而不是“自签名”证书,因为我将使用 Go 和 crypto/tls,并且它应该验证这些证书。

我的问题是:

每个证书需要哪些扩展或字段?
当向配置服务器池添加新节点时,我不想重新生成服务器和客户端证书。

我将通过 IP 地址连接,而不是通过主机名/域名(以跳过主机名查找和第三方窃听的潜在风险,通过将 IP 分配给他们自己的域名,例如 s1.myserver.com 是我的,具有 IP 1.2.3.4,而随机人创建了一个 DNS 条目 random.dude.com 1.2.3.4,因为我通过对 clustercfg.mydomain.com 进行 NS 查找来获取所有节点的列表)

在每个新节点上,我需要创建一个服务器证书(这是我,验证它是真实的)

在每个新节点上,我需要创建一个客户端证书(以便我可以验证该客户端节点是有效的,并且被允许访问该服务器节点)

问题是:

X509v3 扩展:
    X509v3 密钥用法:critical
        数字签名、密钥加密、证书签名
    X509v3 扩展密钥用法:
        TLS Web 服务器身份验证
    X509v3 基本约束:critical
        CA:TRUE
    X509v3 主题备用名称:
        DNS:server1.myserver.com,IP 地址:2a02::0:0:0:0:0:0:2,IP 地址:1.2.3.4

根证书、服务器证书、客户端证书需要哪些内容,以便我能够进行“TLS 身份验证”?

英文:

I'm writing a config daemon.

It works like this:

accepts

  • GET (read)
  • POST (update)
  • PUT (create)
  • DELETE (delete)

methods

example:

PUT http://server1/key (body = value)

stores value under key

GET http://server1/key

returns value in response body

Now, when a PUT, POST, DELETE is made it duplicates this request and sends it to peers, so that every node has the same data and any node can be queried in case one of the nodes is unavailable. It adds a header so the nodes know that they shouldn't duplicate a request and send out to other nodes.

Ok, this works so far, but now I'd like to only allow the nodes and a WebUI to be able to transmit requests to those nodes. And here is where TLS comes into play.

As far as I understand I need a rootCA, so I can sign server and client certificates. And I'd like to have valid certificates, not "self-signed" because I would use Go and crypto/tls and it should verify the certificates.

My question is:

Which extensions or fields do each of the certificates need?
I wouldn't want to re-generate the server and client certs when a new node is added to the config server pool.

I would connect by IP address, not by hostname/dnsname (to skip hostname lookups and the potential eavesdropping of a third party by assigning an IP to their own dnsname, e.g. s1.myserver.com is mine with IP 1.2.3.4 and random dude creates a DNS entry with random.dude.com 1.2.3.4, because I get a list of all nodes by doing a NS lookup of clustercfg.mydomain.com)

On each new node I'd need to create a server cert (this is me, verify that it's true)

On each new node I'd need to create a client cert (so I can authenticate that this client node is valid and is allowed to access this server node)

The question is:

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Alternative Name: 
        DNS:server1.myserver.com, IP Address:2a02::0:0:0:0:0:0:2, IP Address:1.2.3.4

What does a rootCA, a server certificate, a client certificate need so I'm able to do "TLS Authentication"?

答案1

得分: 0

你可以像在Web服务器中使用的那样,使用普通的服务器证书作为服务器的证书。当你连接时,Go语言会进行适当的检查。

至于客户端证书,这里有一个代码片段展示了如何在Go语言中生成和使用客户端证书。

我曾经在一个类似的安全系统中使用过这段代码,用于客户端与服务器的通信。

你不需要通过IP地址进行连接,因为客户端会检查服务器的证书是否与主机名匹配,这是一个非常好的检查。

希望对你有所帮助!

英文:

You can use a normal server certificate like the ones you use in a web server for the server. Go will check that properly when you connect.

As for client certificates, here is a gist showing how to generate and use the client certificates from Go.

I've uses this code for a similar secure system of clients contacting servers.

You don't need to connect by IP address as the client will check the server's certificate matches the hostname which is an extremely good check.

Hope that helps!

答案2

得分: 0

需要什么?

  1. 证书颁发机构(CA)
  2. 由第一个CA签署的另一个CA
  3. 如果需要,可以添加更多的CA

第2和第3是可选的。

CA需要 template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

  1. 服务器证书和密钥

使用最小的CA对证书进行签名。最小的CA将用于验证客户端证书。

该证书还充当客户端证书,因此需要:

template.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}

如果需要更高的安全性,可以添加SANs。

template.DNSNames
template.IPAddresses
  1. 在服务器端
var (
    selfname string
    certFile = flag.String("cert", "", "server certificate file.")
    keyFile  = flag.String("key", "", "server private key file.")
    rootCA   = flag.String("ca", "cacerts.pem", "rootca")
)
certpool := x509.NewCertPool()
pem, err := ioutil.ReadFile(*rootCA)
if err != nil {
    log.Fatalf("Failed to read client certificate authority: %v", err)
}
if !certpool.AppendCertsFromPEM(pem) {
    log.Fatalf("Can't parse client certificate authority")
}

config := &tls.Config{
    ServerName: selfname, // os.Hostname()
    ClientAuth: tls.RequireAndVerifyClientCert,
    ClientCAs:  certpool,
    MinVersion: tls.VersionTLS10,
}

server := http.Server{
    Addr:         ":12345",
    ReadTimeout:  time.Second * 10,
    WriteTimeout: time.Second * 10,
    TLSConfig:    config,
}
log.Fatalln(server.ListenAndServeTLS(*certFile, *keyFile))

以上是所需的内容。

英文:

What is needed?

  1. A Certificate Authority (CA)
  2. Another CA signed by the first CA
  3. More CAs if you like

2 and 3 are optional

CAs need template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

  1. A server certificate and key

Sign the certificate with the least CA created. The least CA will be the one you will use to verify client certificates

This certificate also acts as a client certificate, so it needs

template.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}

If you need more security add SANs.

template.DNSNames
template.IPAddresses
  1. In your server

a <SO formatting stuff

var (
	selfname string
	certFile = flag.String(&quot;cert&quot;, &quot;&quot;, &quot;server certificate file.&quot;)
	keyFile  = flag.String(&quot;key&quot;, &quot;&quot;, &quot;server private key file.&quot;)
	rootCA   = flag.String(&quot;ca&quot;, &quot;cacerts.pem&quot;, &quot;rootca&quot;)
)
certpool := x509.NewCertPool()
pem, err := ioutil.ReadFile(*rootCA)
if err != nil {
log.Fatalf(&quot;Failed to read client certificate authority: %v&quot;, err)
}
if !certpool.AppendCertsFromPEM(pem) {
	log.Fatalf(&quot;Can&#39;t parse client certificate authority&quot;)
}

config := &amp;tls.Config{
	ServerName: selfname, // os.Hostname()
	ClientAuth: tls.RequireAndVerifyClientCert,
	ClientCAs:  certpool,
	MinVersion: tls.VersionTLS10,
}

server := http.Server{
	Addr:         &quot;:12345&quot;,
	ReadTimeout:  time.Second * 10,
	WriteTimeout: time.Second * 10,
	TLSConfig:    config,
}
log.Fatalln(server.ListenAndServeTLS(*certFile, *keyFile))

huangapple
  • 本文由 发表于 2014年10月17日 22:24:40
  • 转载请务必保留本文链接:https://go.coder-hub.com/26427175.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定