我一直在使用自生成的RSA证书颁发机构来签署我的服务器和客户端证书,到目前为止grpc 节点相互身份验证工作正常。
出于同样的原因,我尝试将 secp256k1 与 ECDSA 算法一起使用,假设BTC或ETH的密钥将直接用于 grpc 身份验证。不幸的是,我无法获得正确的输出。这里有详细信息。
- 操作系统:Ubuntu 18.04 64bit
- 语言:节点
- 身份验证:SSL/TLS
- 签名算法:ecdsa-withsha256
- 密钥生成类型:secp256k1
- 源代码:来自 grpc 节点示例的 dynamic_codegen
以下所有内容和步骤都可以从存储库中找到
- 使用 gen.sh 生成服务器和客户端的 EC secp256k1私钥和 TLS 证书。
# 1. Generate EC private key and self-signed certificate
openssl ecparam -genkey -out ca.key -name secp256k1
openssl req -x509 -new -key ca.key -out ca.cert -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Tech School/OU=Education/CN=*.techschool.guru/emailAddress=root.guru@gmail.com"
echo "CA's self-signed certificate"
openssl x509 -in ca.cert -noout -text
# 2. Generate web server's private key and certificate signing request (EC)
openssl ecparam -genkey -out server.key -name secp256k1
openssl req -key server.key -new -out server.req -subj "/C=FR/ST=Ile de France/L=Paris/O=PC Book/OU=Computer/CN=*.pcbook.com/emailAddress=server@gmail.com"
# 3. Use CA's private key to sign web server's CSR and get back the signed certificate
openssl x509 -req -in server.req -days 60 -CA ca.cert -CAkey ca.key -CAcreateserial -out server.cert -extfile server.ext
echo "Server's signed certificate"
openssl x509 -in server.cert -noout -text
# 4. Generate client's private key and certificate signing request (EC)
openssl ecparam -genkey -out client.key -name secp256k1
openssl req -key client.key -new -out client.req -subj "/C=FR/ST=Alsace/L=Strasbourg/O=PC Client/OU=Computer/CN=*.client.com/emailAddress=client@gmail.com"
# 5. Use CA's private key to sign client's CSR and get back the signed certificate
openssl x509 -req -in client.req -days 60 -CA ca.cert -CAkey ca.key -CAcreateserial -out client.cert -extfile client.ext
echo "Client's signed certificate"
openssl x509 -in client.cert -noout -text
# 6. To verify the server certificate aginst by root CA
echo "server's certificate verification"
openssl verify -show_chain -CAfile ca.cert server.cert
# 7. To verify the client certificate aginst by root CA.
echo "client's certificate verification"
openssl verify -show_chain -CAfile ca.cert client.cert
- 在greeter_server.js中实现服务器端 Auth
function main() {
var server = new grpc.Server();
server.addService(hello_proto.Greeter.service, {sayHello: sayHello});
server.bindAsync('0.0.0.0:50051', grpc.ServerCredentials.createSsl(
fs.readFileSync('./credentials/ca.cert'),
[{
cert_chain: fs.readFileSync('./credentials/server.cert'),
private_key: fs.readFileSync('./credentials/server.key')
}],
true
), () => {
server.start();
});
}
- 在greeter_client.js中实现客户端身份验证
var client = new hello_proto.Greeter(target,
grpc.credentials.createSsl(fs.readFileSync('./credentials/ca.cert'),
fs.readFileSync('./credentials/client.key'),
fs.readFileSync('./credentials/client.cert')));
- 试试看!
npm install
node greeter_server.js
node greeter_client.js
- 输出
/grpc-auth-secp256k1/greeter_client.js:57
console.log('Greeting:', response.message); ^
TypeError: Cannot read property 'message' of undefined
at Object.callback (grpc-auth-secp256k1/greeter_client.js:57:39)
at Object.onReceiveStatus (grpc-auth-secp256k1/node_modules/@grpc/grpc-js/build/src/client.js:176:36)
at Object.onReceiveStatus (grpc-auth-secp256k1/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:342:141)
at Object.onReceiveStatus OpenssLabs/grpc-auth-secp256k1/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:305:181)
at grpc-auth-secp256k1/node_modules/@grpc/grpc-js/build/src/call-stream.js:124:78
at processTicksAndRejections (internal/process/task_queues.js:75:11)
使用RSA Certificate的 grpc 相互身份验证成功,但使用secp256k1失败。所以我的问题:
- 如何显示 grpc TLS 握手信息,如 openssl 调试?
- 有什么线索可以解决这个问题吗?
谢谢