SSL Mutual Authentication

Introduction
While completing the LaCasaDePapel target machine, I ran into the problem of SSL mutual authentication, where a pass is issued to trusted users through two-way authentication; this article is translated from a foreign post and demonstrates SSL mutual authentication through a demo.

Server configuration

Create the Node script

const express = require('express')
const fs = require('fs')
const https = require('https')

const opts = {
  key: fs.readFileSync('server_key.pem'),
  cert: fs.readFileSync('server_cert.pem'),
  requestCert: true,          // ask the client for a certificate during the handshake
  rejectUnauthorized: false,  // do not abort the handshake; decide in the route handler
  ca: [
    fs.readFileSync('server_cert.pem')  // the server's own cert acts as the CA for client certs
  ]
}

const app = express()

app.get('/', (req, res) => {
  res.send('<a href="authenticate">Log in using client certificate</a>')
})

app.get('/authenticate', (req, res) => {
  // req.connection / req.client are deprecated aliases; the TLS socket is req.socket
  const cert = req.socket.getPeerCertificate()
  if (req.socket.authorized) {
    // certificate presented and it chains to a CA listed in opts.ca
    res.send(`Hello ${cert.subject.CN}, your certificate was issued by ${cert.issuer.CN}!`)
  }
  else if (cert.subject) {
    // certificate presented but not signed by a trusted CA
    res.status(403)
      .send(`Sorry ${cert.subject.CN}, certificates from ${cert.issuer.CN} are not welcome here.`)
  }
  else {
    // no certificate presented at all (getPeerCertificate() returns {})
    res.status(401)
      .send(`Sorry, but you need to provide a client certificate to continue.`)
  }
})

https.createServer(opts, app).listen(9999)

Create the server key and self-signed certificate

$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 365 -subj "/CN=localhost/O=Client\ Certificate\ Demo"

Generate the client certificates

# Create Alice's certificate request
$ openssl req -newkey rsa:4096 -keyout alice_key.pem -out alice_csr.pem -nodes -days 365 -subj "/CN=Alice"
# Create Bob's certificate request
$ openssl req -newkey rsa:4096 -keyout bob_key.pem -out bob_csr.pem -nodes -days 365 -subj "/CN=Bob"

Sign the client certificate with the server certificate

$ openssl x509 -req -in alice_csr.pem -CA server_cert.pem -CAkey server_key.pem -out alice_cert.pem -set_serial 01 -days 365
# Export the certificate and key in PKCS#12 (p12) format
$ openssl pkcs12 -export -clcerts -in alice_cert.pem -inkey alice_key.pem -out alice.p12

Have Bob sign his own client certificate (self-signed, not trusted by the server)

$ openssl x509 -req -in bob_csr.pem -signkey bob_key.pem -out bob_cert.pem -days 365

Access the HTTPS service with the client certificate

$ curl --insecure --cert alice.p12 --cert-type p12 https://localhost:9999/authenticate
