use SSL_CTX_use_enc_certificate if (enc_cert->len > 0)#8
theburn wants to merge 1 commit into
When both the signing certificate and the encryption certificate carry signing as well as encryption key usage, the browser reports an error. The specific cause is as follows:

1. ngx_ssl_certificate loads the signing certificate;
2. SSL_CTX_use_certificate calls ssl_set_cert;
3. ssl_set_cert looks up the certificate (ssl_cert_lookup_by_pkey) and obtains index 3, i.e. the ECC signing certificate x; the ex_kusage field ANDed with X509v3_KU_DIGITAL_SIGNATURE satisfies the condition, so the certificate is assigned: c->pkeys[3].x509 = x; the ex_kusage field ANDed with (X509v3_KU_KEY_ENCIPHERMENT | X509v3_KU_DATA_ENCIPHERMENT | X509v3_KU_KEY_AGREEMENT) also satisfies the condition (that branch contains the assignment i = SSL_PKEY_ECC_ENC, so i becomes 9), so the assignment c->pkeys[9].x509 = x is also made, i.e. the signing certificate is written into the encryption certificate's slot, which is actually a mistake;
4. SSL_CTX_use_PrivateKey calls ssl_set_pkey and sets c->pkeys[3].privatekey = pkey; this is the normal operation, writing the private key for idx=3 into its slot;
5. Encryption certificate step: SSL_CTX_use_certificate_file is used, which internally also calls SSL_CTX_use_certificate and in turn ssl_set_cert;
6. The encryption certificate also supports signing, so the AND of its ex_kusage field with X509v3_KU_DIGITAL_SIGNATURE is also true, but the lookup (ssl_cert_lookup_by_pkey) still yields idx 3, so in X509_check_private_key the certificate argument is the signing certificate while the private key argument is the encryption certificate's private key; the check fails and c->pkeys[3].privatekey = NULL; that is why the private key at idx=3 is later seen to be NULL;
7. The AND of ex_kusage with (X509v3_KU_KEY_ENCIPHERMENT | X509v3_KU_DATA_ENCIPHERMENT | X509v3_KU_KEY_AGREEMENT) (i is 9 here) also holds, so c->pkeys[9].x509 = x is assigned; this corrects the wrong assignment from step 3;
8. ssl_set_enc_pkey in SSL_CTX_use_enc_PrivateKey writes the encryption certificate's private key into the correct slot (idx=9).

Therefore, the problem is that, because both certificates have signing and encryption usage, the OpenSSL library implementation confuses them, and in the end the private key at idx=3 in the ssl-ctx-certs-pkeys array is lost. When the two certificates are replaced with the same one, the private key and certificate match, X509_check passes, and there is no problem.

Then, while preparing to modify TASSL-1.1.1b, I found that SSL_CTX_use_enc_certificate was already implemented; after replacing the call directly, tests pass. Although in theory the encryption certificate should only have the encryption usage and the signing certificate only the signing usage, for compatibility I still suggest using SSL_CTX_use_enc_certificate as the replacement.
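The slot bookkeeping described above can be modelled without a TLS stack. The following is an added example written for this page, not code from OpenSSL, TASSL or this pull request: it re-creates the two load sequences (encryption certificate through the generic certificate setter versus through a dedicated encryption-certificate setter) against a toy array of certificate slots. The key-usage constants, the slot numbers 3 and 9, and the `check_private_key` stand-in for X509_check_private_key are constructed to follow the PR text; the lookup step is modelled as always returning slot 3 for an ECC key, which is the behaviour the description relies on.

```c
/* Toy model of ssl_set_cert() slot assignment (added example, not OpenSSL/TASSL code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed key-usage bits, named after the X509v3_KU_* flags they stand in for. */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_DATA_ENCIPHERMENT 0x10
#define KU_KEY_AGREEMENT     0x08
#define KU_ENC_MASK (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT)

#define PKEY_ECC     3   /* index the lookup returns for an ECC key (per the PR text) */
#define PKEY_ECC_ENC 9   /* SSL_PKEY_ECC_ENC slot (per the PR text) */
#define NUM_SLOTS    10

typedef struct { int key_id; unsigned ex_kusage; } cert_t;   /* key_id identifies the key pair */
typedef struct { int key_id; } pkey_t;
typedef struct { const cert_t *x509; const pkey_t *privatekey; } slot_t;
typedef struct { slot_t pkeys[NUM_SLOTS]; } ctx_t;

/* Stand-in for X509_check_private_key: certificate and key must belong to the same pair. */
static bool check_private_key(const cert_t *x, const pkey_t *k) {
    return x->key_id == k->key_id;
}

/* Model of ssl_set_cert(): the lookup ignores key usage and yields slot 3; the usage bits
   then decide which slots receive the certificate, so a dual-usage cert lands in both. */
static void set_cert(ctx_t *c, const cert_t *x) {
    int i = PKEY_ECC;
    if (c->pkeys[i].privatekey != NULL && !check_private_key(x, c->pkeys[i].privatekey))
        c->pkeys[i].privatekey = NULL;    /* stored key does not match this cert: key dropped */
    if (x->ex_kusage & KU_DIGITAL_SIGNATURE)
        c->pkeys[PKEY_ECC].x509 = x;
    if (x->ex_kusage & KU_ENC_MASK)
        c->pkeys[PKEY_ECC_ENC].x509 = x;  /* a signing cert is copied here too: the mistake */
}

/* Dedicated setters: each touches exactly one slot, as SSL_CTX_use_enc_certificate does. */
static void set_pkey(ctx_t *c, const pkey_t *k)     { c->pkeys[PKEY_ECC].privatekey = k; }
static void set_enc_cert(ctx_t *c, const cert_t *x) { c->pkeys[PKEY_ECC_ENC].x509 = x; }
static void set_enc_pkey(ctx_t *c, const pkey_t *k) { c->pkeys[PKEY_ECC_ENC].privatekey = k; }

/* Constructed sample input: both certificates carry signing AND encryption usage. */
static const cert_t sign_cert = { 1, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT };
static const cert_t enc_cert  = { 2, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT };
static const pkey_t sign_key  = { 1 };
static const pkey_t enc_key   = { 2 };

/* True when slots 3 and 9 each hold a certificate with its matching private key. */
static bool slots_consistent(const ctx_t *c) {
    const int idx[2] = { PKEY_ECC, PKEY_ECC_ENC };
    for (int n = 0; n < 2; n++) {
        const slot_t *s = &c->pkeys[idx[n]];
        if (s->x509 == NULL || s->privatekey == NULL || !check_private_key(s->x509, s->privatekey))
            return false;
    }
    return true;
}

/* Sequence the PR describes as broken: encryption cert loaded via the generic setter. */
bool load_with_generic_setter(void) {
    static ctx_t c;
    memset(&c, 0, sizeof c);
    set_cert(&c, &sign_cert); set_pkey(&c, &sign_key);
    set_cert(&c, &enc_cert);  set_enc_pkey(&c, &enc_key);
    return slots_consistent(&c);   /* false: slot 3 lost its private key */
}

/* Sequence the PR proposes: encryption cert loaded via the dedicated enc setter. */
bool load_with_enc_setter(void) {
    static ctx_t c;
    memset(&c, 0, sizeof c);
    set_cert(&c, &sign_cert);    set_pkey(&c, &sign_key);
    set_enc_cert(&c, &enc_cert); set_enc_pkey(&c, &enc_key);
    return slots_consistent(&c);   /* true: both slots hold matching pairs */
}

int main(void) {
    printf("generic setter: slots %s\n", load_with_generic_setter() ? "consistent" : "broken");
    printf("enc setter:     slots %s\n", load_with_enc_setter() ? "consistent" : "broken");
    return 0;
}
```

Running the model shows the generic path ending with slot 3 holding a certificate but no private key, exactly the state the description reports, while the dedicated-setter path leaves both slots with a matching certificate and key. The model also makes the underlying point visible: the failure only occurs because both certificates carry both usages, so a deployment whose signing certificate has only digitalSignature and whose encryption certificate has only the encipherment usages never hits the double assignment in the first place.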