Asked by: ChrisKris Asked: 11/17/2023 Last edited by: ChrisKris Updated: 11/19/2023 Views: 42
Openssl s_server DTLSv1.2 is not working with certificate RSA-PSS
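Q:
I ran into some problems when using DTLS with RSA-PSS certificates.
My end entity certificate has an rsa-pss key and is signed with the rsa-pss signature algorithm. My end entity is enrolled under my root certificate CA_ROOT_PKCS1_5.crt. Certificate extract:
....
Subject Public Key Info:
Public Key Algorithm: rsassaPss
RSA-PSS Public-Key: (2048 bit)
...
Signature Algorithm: rsassaPss
Hash Algorithm: sha512
Mask Algorithm: mgf1 with sha512
Salt Length: 0x01BE
Trailer Field: 0xBC (default)
...
For testing purposes, I use the same key pair on the client and server side.
I make a TLSv1.2 connection between the client and the server (TLS mutual authentication):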
openssl s_server -cert ee_underRoot_pss_sign_pss.crt -key ee_pss_RSA.key -CAfile CA_ROOT_PKCS1_5.crt -tls1_2 -accept 127.0.0.1:30000 -security_debug_verbose
openssl s_client -showcerts -tls1_2 -cert ee_underRoot_pss_sign_pss.crt -key ee_pss_RSA.key -CAfile CA_ROOT_PKCS1_5.crt -connect 127.0.0.1:30000 -security_debug_verbose
Everything works fine!
I now try to do the same thing, but in DTLSv1.2:
openssl s_server -cert ee_underRoot_pss_sign_pss.crt -key ee_pss_RSA.key -CAfile CA_ROOT_PKCS1_5.crt -dtls1_2 -accept 127.0.0.1:30000 -security_debug_verbose
openssl s_client -showcerts -dtls1_2 -cert ee_underRoot_pss_sign_pss.crt -key ee_pss_RSA.key -CAfile CA_ROOT_PKCS1_5.crt -connect 127.0.0.1:30000 -security_debug_verbose
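But the handshake fails with the following error: "no shared cipher"
When I look at the cipher suites supported by the client, it is the same list as when I use TLS.
Here is the trace on the server side: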
verify depth is 10, must return a certificate
Using default temp DH parameters
Security callback: Certificate chain EE key=RSA-PSS, bits=2048, security bits=112: yes
Security callback: Certificate chain CA digest=RSASSA-PSS, security bits=256: yes
ACCEPT
Security callback: Version=???: yes
Security callback: Version=???: yes
Security callback: Version=???: yes
Security callback: : yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=ECDSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=9, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=10, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=11, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=ECDSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=RSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=DSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=ECDSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=ECDSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=9, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=10, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=11, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algid=5, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=6, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=RSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=RSA, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=ECDSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=ECDSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=RSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=RSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA224, algorithm=DSA, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA1, algorithm=DSA, security bits=80: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=DSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA384, algorithm=DSA, security bits=192: yes
Security callback: Shared Signature Algorithm digest=SHA512, algorithm=DSA, security bits=256: yes
ERROR
540409864:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2263:
shutting down SSL
CONNECTION CLOSED
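(Conversely, when I use a certificate that contains "public key rsaencryption" instead of "public key rsapss", DTLS works.)
I don't understand why it works with TLS1.2 but not with DTLS1.2. Can you help me?
(I have the problem with both openssl1.1.1 and openssl3.0)
A:
I can't prove a negative, and although this is about code I'm not sure it's really on topic, but I suspect this is because nothing says it should work.
Neither 5246 nor 6347 mentions PSS (although 4055 implemented it back in 2005, and OAEP as well, in PKIX certificates, which are to some extent associated with TLS and DTLS). 8446 requires PSS for protocol signatures (if RSA), and in 4.2.3 prefers it for certificates (sigalgs and sigalgs-cert), and states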
- Implementations that advertise support for RSASSA-PSS (which is
mandatory in TLS 1.3) MUST be prepared to accept a signature using
that scheme even when TLS 1.2 is negotiated. In TLS 1.2,
RSASSA-PSS is used with RSA cipher suites.
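This is also reiterated in 1.3. There is no similar statement about using PSS in DTLS 1.2; the only reference to 6347 is about using the cookie to offload HRR state.
In any case, that is what the code implements: PSS certificates and keys allow selecting 1.2 suites with aRSA only in TLS version 1.2, not in (any) DTLS.
Note: the DTLS 1.3 implementation (which must use PSS, and might offer it for 1.2 as a "bonus") has only recently been started; since it may require API changes, and 3.2 is already in beta, it will probably have to wait for at least 3.3.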
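A small parser for the server trace quoted in the question, added here as an example (it is not part of the original question or answer, and not OpenSSL code). It assumes that the `algid=N` values printed by `-security_debug_verbose` are the low byte of the RFC 8446 SignatureScheme code points 0x0804 to 0x080b; `summarize` and the shortened sample trace are constructed for illustration, and the diagnosis text follows the explanation given in the answer.

```python
import re

# Assumption: s_server's "algid=N" is the low byte of the RFC 8446
# SignatureScheme code points 0x0804..0x080b (high byte 0x08).
PSS_SCHEMES = {
    4: "rsa_pss_rsae_sha256", 5: "rsa_pss_rsae_sha384", 6: "rsa_pss_rsae_sha512",
    9: "rsa_pss_pss_sha256", 10: "rsa_pss_pss_sha384", 11: "rsa_pss_pss_sha512",
}
SIGALG_RE = re.compile(
    r"Shared Signature Algorithm digest=(\w+), "
    r"(?:algorithm=(\w+)|algid=(\d+)), security bits=(\d+): (yes|no)")
EE_KEY_RE = re.compile(r"Certificate chain EE key=([\w-]+), bits=(\d+)")

# Constructed sample: a shortened copy of the server trace from the question.
SAMPLE_TRACE = """\
Security callback: Certificate chain EE key=RSA-PSS, bits=2048, security bits=112: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=ECDSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=9, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA512, algid=11, security bits=256: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=4, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA256, algorithm=RSA, security bits=128: yes
Security callback: Shared Signature Algorithm digest=SHA256, algid=9, security bits=128: yes
540409864:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2263:
"""

def summarize(trace):
    """Return (EE key type, accepted shared sigalgs in first-seen order, diagnosis)."""
    ee_key, shared = None, []
    for line in trace.splitlines():
        if (m := EE_KEY_RE.search(line)):
            ee_key = m.group(1)
        elif (m := SIGALG_RE.search(line)) and m.group(5) == "yes":
            digest, alg, algid = m.group(1), m.group(2), m.group(3)
            name = (f"{alg.lower()}+{digest.lower()}" if alg
                    else PSS_SCHEMES.get(int(algid), f"unknown(algid={algid})"))
            if name not in shared:
                shared.append(name)
    # An RSASSA-PSS key can only sign with an rsa_pss_pss_* scheme.
    pss_pss_shared = any(n.startswith("rsa_pss_pss_") for n in shared)
    if ee_key == "RSA-PSS" and pss_pss_shared and "no shared cipher" in trace:
        diagnosis = "sigalgs shared; certificate rejected during cipher suite selection"
    elif ee_key == "RSA-PSS" and not pss_pss_shared:
        diagnosis = "peer did not offer an rsa_pss_pss_* signature scheme"
    else:
        diagnosis = "no PSS-specific failure seen"
    return ee_key, shared, diagnosis

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Run against the full DTLS trace, this shows the rsa_pss_pss_* schemes among the shared signature algorithms, so the "no shared cipher" error is not a signature-algorithm negotiation failure.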