Not sure if self-signed ECDSA certificate generated programmatically complies for use with WebRTC and if fingerprint computation is correct
To be clear, I am new to certificates and cryptography.
I am trying to programmatically generate a self-signed certificate for use with WebRTC in an SFU implementation. The RFC at Section 4.9, on certificates used for WebRTC, states:
The following values MUST be supported by a user agent: { name:
"RSASSA-PKCS1-v1_5", modulusLength: 2048, publicExponent: new
Uint8Array([1, 0, 1]), hash: "SHA-256" }, and { name: "ECDSA",
namedCurve: "P-256" }.
After programmatically creating the ECDSA certificate in C and saving it, I ran the following command on the created certificate file:
openssl x509 -in /tmp/ecdsa_certificate -text #Linux command-line
I get the output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = IN, O = XYZ Tech., CN = localhost
        Validity
            Not Before: Jun 23 17:28:14 2020 GMT
            Not After : Jun 23 17:28:14 2021 GMT
        Subject: C = IN, O = XYZ Tech., CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d9:c8:cc:93:13:54:3d:e6:40:d7:2f:33:da:f2:
                    d4:e4:62:83:a4:ec:ad:98:f5:d5:2e:cf:3b:e8:5f:
                    ad:da:b9:e0:59:f0:19:59:84:b8:47:45:b4:21:56:
                    30:c8:1d:0b:9b:2d:02:e2:f5:4d:c7:57:2e:e6:a6:
                    f9:c4:c4:a7:5c
                ASN1 OID: secp256k1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:58:0a:49:7d:e3:0f:d7:56:6a:5c:af:f8:bd:1d:
         5e:54:bb:15:10:ec:05:3a:3a:db:79:8f:e6:70:86:6d:3d:f1:
         02:20:4f:89:5f:df:21:46:1b:da:6b:40:04:98:2c:df:35:ff:
         e5:3d:52:d5:07:76:bf:23:a4:01:b7:28:bf:f5:83:30
-----BEGIN CERTIFICATE-----
MIIBTTCB9QIBATAKBggqhkjOPQQDAjA1MQswCQYDVQQGEwJJTjESMBAGA1UECgwJ
WFlaIFRlY2guMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNjIzMTcyODE0WhcN
MjEwNjIzMTcyODE0WjA1MQswCQYDVQQGEwJJTjESMBAGA1UECgwJWFlaIFRlY2gu
MRIwEAYDVQQDDAlsb2NhbGhvc3QwVjAQBgcqhkjOPQIBBgUrgQQACgNCAATZyMyT
E1Q95kDXLzPa8tTkYoOk7K2Y9dUuzzvoX63aueBZ8BlZhLhHRbQhVjDIHQubLQLi
9U3HVy7mpvnExKdcMAoGCCqGSM49BAMCA0cAMEQCIFgKSX3jD9dWalyv+L0dXlS7
FRDsBTo623mP5nCGbT3xAiBPiV/fIUYb2mtABJgs3zX/5T1S1Qd2vyOkAbcov/WD
MA==
-----END CERTIFICATE-----
Does this certificate comply with WebRTC's requirements for the DTLS handshake? It seems that only the public key and the certificate's fingerprint matter for WebRTC's use.
Question two:
I tried to compute the fingerprint of the certificate using the following function:
unsigned char rfingerprint[EVP_MAX_MD_SIZE]; /* SHA-256 fills 32 bytes of this */
unsigned int fingerprintSize = 0;
/* X509_digest() returns 1 on success and 0 on failure */
if (X509_digest(certificate, EVP_sha256(), rfingerprint, &fingerprintSize) != 1)
    printf("Error in X509_digest\n");
printf("finger print size is %u\n", fingerprintSize);
It shows that the fingerprint size is only 7! In most SDPs I see that the fingerprint attribute is much longer. Any thoughts?
I was in the same boat as you asinix when I worked on Pion :) This is what I use to generate locally when testing WebRTC stuff.
openssl ecparam -out key.pem -name prime256v1 -genkey
openssl req -new -sha256 -key key.pem -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey key.pem -out cert.pem
If you get stuck you can also do RSA! Maybe just to unblock you while you build the MVP :)
The implementation is now Pure Go, but you can see the first version we did with CGO here
I am not sure how yours differs, but feel free to copy/compare (no attribution needed)!