widebright's personal space

// Programming and life

 
 
 


 
 

Generating and using CA certificates with GnuTLS's certtool, using freeDiameter as the example

2014-12-08 17:42:45 | Category: Linux

It seems the libgnutls library can also use certificates generated with the openssl command; the steps below use GnuTLS's certtool command.


Relevant freeDiameter configuration options and the functions they use
(?i:"TLS_Cred") { return TLS_CRED; }
(?i:"TLS_CA") { return TLS_CA; }
(?i:"TLS_CRL") { return TLS_CRL; }
(?i:"TLS_Prio") { return TLS_PRIO; }
(?i:"TLS_DH_bits") { return TLS_DH_BITS; }
(?i:"TLS_DH_file") { return TLS_DH_FILE; }

Configuration
#TLS_Cred = "cert.pem", "privkey.pem";
#TLS_CA = "cacert.pem";
#TLS_DH_File = "dh.pem";

--------------------------
tls_cred: TLS_CRED '=' QSTRING ',' QSTRING ';'

CHECK_GNUTLS_DO( gnutls_certificate_set_x509_key_file(
      conf->cnf_sec_data.credentials,
      conf->cnf_sec_data.cert_file,  /* corresponds to cert.pem */
      conf->cnf_sec_data.key_file,   /* corresponds to privkey.pem */
      GNUTLS_X509_FMT_PEM),
-----------------------------------
tls_ca: TLS_CA '=' QSTRING ';'

gnutls_x509_crt_list_import2(&calist, &cacount,
                       &cafile,                     // corresponds to "cacert.pem"
                       GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED),

gnutls_x509_trust_list_add_cas (fd_g_config->cnf_sec_data.trustlist, calist, cacount, 0)
-----------------------------
tls_crl: TLS_CRL '=' QSTRING ';'

gnutls_x509_crl_list_import2(&crllist, &crlcount, &crlfile, GNUTLS_X509_FMT_PEM, 0),
{ yyerror (&yylloc, conf, "Error importing CRL file.");

gnutls_certificate_set_x509_crl_file(
conf->cnf_sec_data.credentials,
conf->cnf_sec_data.ca_file,
GNUTLS_X509_FMT_PEM),

The certificate revocation list; it probably does not have to be used.
-----------------------------
tls_prio: TLS_PRIO '=' QSTRING ';'

gnutls_priority_init(
&conf->cnf_sec_data.prio_cache,
conf->cnf_sec_data.prio_string,
&err_pos),
-----------------------------
tls_dh: TLS_DH_BITS '=' INTEGER ';'

If a file is specified, the parameters are read from it and then this function is called:
gnutls_dh_params_import_pkcs3

If no file is specified, the parameters are generated automatically, but that is computationally expensive and fairly slow:
// Generating fresh Diffie-Hellman parameters
gnutls_dh_params_generate2

The Diffie-Hellman based ciphersuites (ANON-DH or DHE)

To generate parameters for Diffie-Hellman key exchange, use the command:

$ certtool --generate-dh-params --outfile dh.pem --sec-param medium

Trying it:
certtool --generate-dh-params --outfile dh.pem
Generating DH parameters...


Examples of how to use GnuTLS
===================
http://www.gnutls.org/manual/gnutls.html#How-to-use-GnuTLS-in-applications
6 How to use GnuTLS in applications

http://www.gnutls.org/manual/gnutls.html#GnuTLS-application-examplesi
7 GnuTLS application examples



Generating the certificates used in the examples
===========================
http://www.gnutls.org/manual/gnutls.html#gnutls_002dserv-Invocation
gnutls-serv Examples


1. First install the gnutls-bin package, which contains several commands for generating certificates,
such as certtool (Generate X.509 certificates, certificate requests, and private keys.)

http://www.gnutls.org/manual/html_node/certtool-Invocation.html
bright@ubuntu:~$ certtool
The program 'certtool' is currently not installed. You can install it by typing:
sudo apt-get install gnutls-bin


2. GnuTLS ships a gnutls-serv utility that you can use to debug connections from the client you are writing
Running your own TLS server based on GnuTLS can be useful when debugging clients and/or GnuTLS itself. This section describes how to use gnutls-serv as a simple HTTPS server.

The most basic server can be started as:

gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"

It will only support anonymous ciphersuites, which many TLS clients refuse to use.



3. Generate the CA root certificate
The next step is to add support for X.509. First we generate a CA:

$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl                          # indicates that this is a CA root certificate
$ echo 'cert_signing_key' >> ca.tmpl            # indicates that it is used to sign other certificates
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
  --template ca.tmpl --outfile x509-ca.pem

-------------------------------------------------
Trying the commands above
// Generate the RSA private key
bright@ubuntu:~/gnutls_ca$ certtool --generate-privkey > x509-ca-key.pem
Generating a 2432 bit RSA private key...

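// Use this private key to generate the self-signed root certificate, this time without a template. (Using a template is probably better; entering the values by hand is error-prone.)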
bright@ubuntu:~/gnutls_ca$ certtool --generate-self-signed --load-privkey x509-ca-key.pem  --outfile x509-ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): cn
Organization name: DD
Organizational unit name: IN
Locality name: GZ
State or province name: GD
Common name: DD_IN
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1417742972): 


Activation/Expiration time.
The certificate will expire in (days): 3650


Extensions.
Does the certificate belong to an authority? (y/N): y    // must answer y here for a CA certificate
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): N
Will the certificate be used for IPsec IKE operations? (y/N): N
Is this also a TLS web server certificate? (y/N): N
Enter the e-mail of the subject of the certificate: 
Will the certificate be used to sign other certificates? (y/N): y    // this must be selected
Will the certificate be used to sign CRLs? (y/N): N
Will the certificate be used to sign code? (y/N): N
Will the certificate be used to sign OCSP requests? (y/N): N
Will the certificate be used for time stamping? (y/N): N
Enter the URI of the CRL distribution point: 
X.509 Certificate Information:
Version: 3
Serial Number (hex): 54810a7c
Validity:
Not Before: Fri Dec 05 01:29:35 UTC 2014
Not After: Mon Dec 02 01:29:40 UTC 2024
Subject: C=cn,O=DD,OU=IN,L=GZ,ST=GD,CN=DD_IN
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE    /// be sure to check that this is TRUE
Key Usage (critical):
Certificate signing.               // correct, presumably
Subject Key Identifier (not critical):
d99a8c2f6f8c2370d74b4a7405bdedf905df1f47
Other Information:
Public Key Id:
d99a8c2f6f8c2370d74b4a7405bdedf905df1f47

Is the above information ok? (y/N): y


Signing certificate...
--------------------------------------------------


4. Generate the server certificate
...
Then generate a server certificate. Remember to change the dns_name value to the name of your server host, or skip that command to avoid the field.

$ certtool --generate-privkey > x509-server-key.pem
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server.pem



-------------------------------------------------------------------------------
Trying the commands above

bright@ubuntu:~/gnutls_ca$ certtool --generate-privkey > x509-server-key.pem
Generating a 2432 bit RSA private key...

bright@ubuntu:~/gnutls_ca$ certtool --generate-certificate --load-privkey x509-server-key.pem --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem  --outfile x509-server.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): cn
Organization name: DD
Organizational unit name: IN
Locality name: GZ
State or province name: GD
Common name: DD_IN
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1417973130): 


Activation/Expiration time.
The certificate will expire in (days): 3650


Extensions.
Does the certificate belong to an authority? (y/N): N        /// not a CA certificate
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N): N
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: peer1.localdomain     /// freeDiameter calls gnutls_x509_crt_check_hostname to check the hostname
Enter a dnsName of the subject of the certificate: peer2.localdomain  
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
X.509 Certificate Information:
Version: 3
Serial Number (hex): 54848d8a
Validity:
Not Before: Sun Dec 07 17:25:33 UTC 2014
Not After: Wed Dec 04 17:25:44 UTC 2024
Subject: C=cn,O=DD,OU=IN,L=GZ,ST=GD,CN=DD_IN
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Alternative Name (not critical):
DNSname: peer1.localdomain
DNSname: peer2.localdomain
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
1dbd6547cc93f8999fc886334c8d5f35d9b42fab
Authority Key Identifier (not critical):
d99a8c2f6f8c2370d74b4a7405bdedf905df1f47
Other Information:
Public Key Id:
1dbd6547cc93f8999fc886334c8d5f35d9b42fab

Is the above information ok? (y/N): y


Signing certificate...
-------------------------------------------------------------------------------
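
The notes in the two transcripts above say to confirm CA: TRUE and certificate signing on the root certificate. As an added example (not code from the original post), the script below runs those checks over "certtool -i" text and also compares the peer's Authority Key Identifier with the CA's Subject Key Identifier. The sample input is excerpted from the transcripts on this page and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: checks on "certtool -i" text.
set -eu

# Print the trimmed line that follows the first line containing $1.
line_after() {
    awk -v h="$1" 'f { gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
                   index($0, h) { f = 1 }'
}

# Succeeds only if the text on stdin describes a CA allowed to sign certs.
is_signing_ca() {
    txt=$(cat)
    printf '%s\n' "$txt" | grep -q 'Certificate Authority (CA): TRUE' &&
    printf '%s\n' "$txt" | grep -q 'Certificate signing\.'
}

# Succeeds only if the leaf's Authority Key Identifier equals the CA's
# Subject Key Identifier. $1 = leaf text, $2 = CA text.
issued_by() {
    aki=$(printf '%s\n' "$1" | line_after 'Authority Key Identifier')
    ski=$(printf '%s\n' "$2" | line_after 'Subject Key Identifier')
    [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Excerpts of the two transcripts on this page (modulus omitted).
CA_TXT='Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
d99a8c2f6f8c2370d74b4a7405bdedf905df1f47'
PEER_TXT='Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
1dbd6547cc93f8999fc886334c8d5f35d9b42fab
Authority Key Identifier (not critical):
d99a8c2f6f8c2370d74b4a7405bdedf905df1f47'

if printf '%s\n' "$CA_TXT" | is_signing_ca; then echo "CA: ok"; fi
if printf '%s\n' "$PEER_TXT" | is_signing_ca; then echo "peer is a CA!"; fi
if issued_by "$PEER_TXT" "$CA_TXT"; then echo "peer: issued by this CA"; fi
```

An identifier match only shows that the two certificates are linked by key ID; the signature itself is checked by certtool --verify with --load-ca-certificate.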

5. Generate the client certificate
...
For use in the client, you may want to generate a client certificate as well.

$ certtool --generate-privkey > x509-client-key.pem
$ echo 'cn = GnuTLS test client' > client.tmpl
$ echo 'tls_www_client' >> client.tmpl
$ echo 'encryption_key' >> client.tmpl
$ echo 'signing_key' >> client.tmpl
$ certtool --generate-certificate --load-privkey x509-client-key.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template client.tmpl --outfile x509-client.pem
...
To be able to import the client key/certificate into some applications, you will need to convert them into a PKCS#12 structure. This also encrypts the security sensitive key with a password.

$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
  --outder --outfile x509-client.p12

For icing, we’ll create a proxy certificate for the client too.

$ certtool --generate-privkey > x509-proxy-key.pem
$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
  --load-certificate x509-client.pem --template proxy.tmpl \
  --outfile x509-proxy.pem
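
Steps 3 to 5 without the interactive prompts, as an added example that is not part of the original post: it issues one certificate per freeDiameter peer from a template (the transcript above instead put both peer names into one certificate), then verifies each certificate against the CA and checks its dNSName. It assumes a GnuTLS 3.x certtool; the function names and output file names are hypothetical, and the DD / DD_IN values are reused from the transcript.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuTLS 3.x certtool.
set -eu

# CA template: the same two flags the post writes to ca.tmpl.
ca_template() {            # $1 = output file
    printf '%s\n' 'cn = DD_IN' 'ca' 'cert_signing_key' \
        'expiration_days = 3650' > "$1"
}

# Peer template: server and client purposes, as answered in the transcript,
# and a dns_name for gnutls_x509_crt_check_hostname to match.
peer_template() {          # $1 = peer FQDN, $2 = output file
    cat > "$2" <<EOF
organization = DD
cn = $1
dns_name = $1
tls_www_server
tls_www_client
signing_key
encryption_key
expiration_days = 3650
EOF
}

# Print the dNSName entries found in "certtool -i" text on stdin.
san_names() { sed -n 's/^[[:space:]]*DNSname: //p'; }

# Issue one peer certificate, then verify the chain and the SAN.
issue_peer() {             # $1 = peer FQDN; CA files must be in the cwd
    peer_template "$1" "$1.tmpl"
    (umask 077; certtool --generate-privkey --outfile "$1-key.pem")
    certtool --generate-certificate --load-privkey "$1-key.pem" \
        --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
        --template "$1.tmpl" --outfile "$1-cert.pem"
    certtool --verify --load-ca-certificate x509-ca.pem --infile "$1-cert.pem"
    certtool -i --infile "$1-cert.pem" | san_names | grep -qxF "$1"
}

demo() (                   # subshell body: the cd stays local
    cd "$(mktemp -d)"; ca_template ca.tmpl
    (umask 077; certtool --generate-privkey --outfile x509-ca-key.pem)
    certtool --generate-self-signed --load-privkey x509-ca-key.pem \
        --template ca.tmpl --outfile x509-ca.pem
    for p in peer1.localdomain peer2.localdomain; do issue_peer "$p"; done
    echo "credentials written to $PWD"
)
if command -v certtool >/dev/null 2>&1; then demo; else echo "certtool not found" >&2; fi
```

Each peer's freeDiameter TLS_Cred line would then name its own -cert.pem and -key.pem pair, with TLS_CA pointing at x509-ca.pem.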



6. Generate the certificate revocation list (probably optional; not necessarily needed)
Certificate revocation list generation

To create an empty Certificate Revocation List (CRL) do:
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
           --load-ca-certificate x509-ca.pem

To create a CRL that contains some revoked certificates, place the certificates in a file and use --load-certificate as follows:
$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
  --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem

To verify a Certificate Revocation List (CRL) do:

$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem


7. Example of a program using the certificates
...
Then start the server again:

$ gnutls-serv --http \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem

Try connecting to the server using your web browser. Note that the server listens to port 5556 by default.

While you are at it, to allow connections using DSA, you can also create a DSA key and certificate for the server. These credentials will be used in the final example below.

$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
  --template server.tmpl --outfile x509-server-dsa.pem
...
The next step is to create OpenPGP credentials for the server.

gpg --gen-key
...enter whatever details you want, use 'test.gnutls.org' as name...
Make a note of the OpenPGP key identifier of the newly generated key, here it was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it.

gpg -a --export 5D1D14D8 > openpgp-server.txt
gpg --export 5D1D14D8 > openpgp-server.bin
gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt

Let’s start the server with support for OpenPGP credentials:

gnutls-serv --http --priority NORMAL:+CTYPE-OPENPGP \
            --pgpkeyfile openpgp-server-key.txt \
            --pgpcertfile openpgp-server.txt

The next step is to add support for SRP authentication. This requires an SRP password file created with srptool. To start the server with SRP support:

gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt

Let’s also start a server with support for PSK. This would require a password file created with psktool.

gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
            --pskpasswd psk-passwd.txt

Finally, we start the server with all the earlier parameters and you get this command:

gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-OPENPGP \
            --x509cafile x509-ca.pem \
            --x509keyfile x509-server-key.pem \
            --x509certfile x509-server.pem \
            --x509dsakeyfile x509-server-key-dsa.pem \
            --x509dsacertfile x509-server-dsa.pem \
            --pgpkeyfile openpgp-server-key.txt \
            --pgpcertfile openpgp-server.txt \
            --srppasswdconf srp-tpasswd.conf \
            --srppasswd srp-passwd.txt \
            --pskpasswd psk-passwd.txt