通过建立一个SSL server和一个SSL client来GDB跟踪代码分析流程。
环境搭建:建立一个root-ca和一个sub-ca,sub-ca签发server证书和client证书。
环境目录与文件如下,仅列出涉及的文件,有些自动生成的未列出:
demoCA
cacerts //存放生成的CA文件,生成CA证书后统一放在此目录
root-ca.crt //生成的root-ca证书
sub-ca.crt //生成的sub-ca证书
certs //存放用户证书
client.crt //客户端证书
server.crt //服务端证书
private //存放证书对应的私钥
client.key
server.key
root-ca.key
sub-ca.key
root-ca //用来生成root-ca的目录
certs //存放root-ca签发生成的证书目录
db //存放crlnumber、index、serial等辅助文件的目录
private //存放root-ca的私钥
root-ca.conf//生成root-ca及签发证书的配置文件
sub-ca //用来生成sub-ca的目录
certs //存放sub-ca签发生成的证书目录
db //存放crlnumber、index、serial等辅助文件的目录
private //存放sub-ca、server、client的私钥
sub-ca.conf //生成sub-ca及签发证书的配置文件
root-ca.conf配置文件如下:
[default]
name = root-ca
domain_suffix = certusnet.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "CN"
organizationName = "Certusnet"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=certusnet.com
permitted;DNS.1=certusnet.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf配置文件如下:
[default]
name = sub-ca
domain_suffix = certusnet.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "CN"
organizationName = "Certusnet"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
copy_extensions = copy
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=certusnet.com
permitted;DNS.1=certusnet.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
对应的目录创建好后,开始创建各个证书:
创建root-ca:使用root-ca.conf配置文件创建root-ca。在root-ca目录中操作步骤如下:
touch db/index
openssl rand -hex 16 >serial
echo 1001 > db/crlnumber
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
创建sub-ca:使用sub-ca.conf配置文件创建sub-ca。在sub-ca目录中操作步骤如下:
touch db/index
openssl rand -hex 16 >serial
echo 1001 > db/crlnumber
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
返回root-ca目录签发sub-ca的证书请求
openssl ca -config root-ca.conf -in ../sub-ca/sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
并把生成的sub-ca.crt 拷贝到sub-ca目录
创建server和client的证书
先生成两个证书请求文件:
openssl req -newkey rsa:1024 -out server.csr -keyout server.key
openssl req -newkey rsa:1024 -out client.csr -keyout client.key
使用sub-ca签发两个证书:
openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext
生成完毕之后,把对应的文件拷贝到对应的目录。
启动server端:
./openssl s_server -cert /home/demoCA/certs/server.crt -key /home/demoCA/private/server.key -CApath /home/demoCA/cacerts/ -ssl3
GDB启动client端:
gdb --args ./openssl s_client -ssl3 -CApath /home/demoCA/certs/
中间命令参考:openssl-cookbook.pdf / openssl编程介绍.pdf
