10.9 Using a Whitelist to Verify Certificates
10.9.1 ProblemYou have a certificate that you want to compare against a list of known good certificates. 10.9.2 SolutionThe average certificate is generally small, often under 2 KB in size. Because a certificate is both reasonably small and cannot be undetectably modified once it has been signed by a CA, it might seem reasonable to do a byte-for-byte comparison of the certificate with a list of certificates. One problem with this approach is that if you are comparing a certificate against a sizable list, performing the comparisons can become a time-consuming operation. The other problem is that of storing all the certificates in the list against which the certificate to verify will be compared. A better way is to compute the fingerprint of each certificate and store the fingerprint instead of the entire certificate. Fingerprints are generally only 16 or 20 bytes in size, depending on the message digest algorithm used to compute them. 10.9.3 DiscussionIn OpenSSL, computing the fingerprint of a certificate is as simple as a single call to X509_digest( ). Comparing fingerprints is done with a byte-for-byte comparison. The only work you really need to do is to decide on which message digest algorithm to use. MD5 is still the most popular algorithm, but we recommend using something stronger, such as SHA1. MD5 only has a 16-byte output, and there are known attacks against it, whereas SHA1 has a 20-byte output, and there are no known attacks against it. #include <string.h> #include <openssl/evp.h> #include <openssl/ssl.h> #include <openssl/x509.h> int spc_fingerprint_cert(X509 *cert, EVP_MD *digest, unsigned char *fingerprint, int *fingerprint_length) { if (*fingerprint_length < EVP_MD_size(digest)) return 0; if (!X509_digest(cert, digest, fingerprint, fingerprint_length)) return 0; return *fingerprint_length; } int spc_fingerprint_equal(unsigned char *fp1, int fp1len, unsigned char *fp2, int fp2len) { return (fp1len = = fp2len && !memcmp(fp1, fp2, fp1len)); } Using CryptoAPI on Windows, computing the fingerprint of a certificate is also very simple. A single call to CryptHashCertificate( ) with the certificate's CERT_CONTEXT object is all that's necessary. The following implementation of SpcFingerPrintCert( ) makes two calls so that it can verify that the buffer is big enough to hold the hash. #include <windows.h> #include <wincrypt.h> DWORD SpcFingerPrintCert(PCCERT_CONTEXT pCertContext, ALG_ID Algid, BYTE *pbFingerPrint, DWORD *pcbFingerPrint) { DWORD cbComputedHash; if (!CryptHashCertificate(0, Algid, 0, pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, 0, &cbComputedHash)) return 0; if (*pcbFingerPrint < cbComputedHash) return 0; CryptHashCertificate(0, Algid, 0, pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, pbFingerPrint, pcbFingerPrint); return *pcbFingerPrint; } int SpcFingerPrintEqual(BYTE *pbFingerPrint1, DWORD cbFingerPrint1, BYTE *pbFingerPrint2, DWORD cbFingerPrint2) { return (cbFingerPrint1 = = cbFingerPrint2 && !memcmp(pbFingerPrint1, pbFingerPrint2, cbFingerPrint1)); } You can use a whitelist in place of normal certificate verification routines. Whitelists are most often useful in servers that want to authenticate clients, rather than the other way around, but they can be used either way. In server mode, you can use the SSL_VERIFY_PEER flag to request a certificate from the client, but remember that the client does not have to supply a certificate in response to a request. If you want to require that the client respond, you also need to use the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag so that the connection is terminated if the client does not send a certificate. The downside to using these flags is that OpenSSL will attempt to verify the certificate on its own. With a little trickery, we can short-circuit OpenSSL's certificate verification routines and do a little post-connection verification of our own. We will do this by setting up a verify callback function that always returns success. The verify callback is called for each certificate in the chain when verifying a certificate. It is called with the X509_STORE_CTX containing everything relevant, as well as a boolean indicator of whether OpenSSL has determined the certificate to be valid or not. Typically, the callback will return the same verification status, but it is not required. The callback can reverse the decision that OpenSSL has made. int spc_whitelist_callback(int ok, X509_STORE_CTX *store) { return 1; } Once the connection has been established, we can get a copy of the peer's certificate, compute its fingerprint, and compare it against the fingerprints we have in our list. The list can be stored in memory, in a disk file, on a flash memory card, or on some other medium. How the list is stored is irrelevant; what is important is the comparison of fingerprints. The functions shown in the previous code are flexible in that they allow you to choose any message digest algorithm you like. Note, though, that if you are always using the same ones, the functions can be simplified, and you need not keep track of the fingerprint length because you know that a message digest is a fixed size (MD5 is 16 bytes; SHA1 is 20 bytes). The following snippet of code roughly demonstrates the work that needs to be done to employ whitelist-based certificate verification: int fingerprint_length; SSL *ssl; EVP_MD *digest; SSL_CTX *ctx; unsigned char fingerprint[EVP_MAX_MD_SIZE]; spc_x509store_t spc_store; spc_init_x509store(&spc_store); spc_x509store_setcallback(&spc_store, spc_whitelist_callback); spc_x509store_setflags(&spc_store, SPC_X509STORE_SSL_VERIFY_PEER | SPC_X509STORE_SSL_VERIFY_FAIL_IF_NO_PEER_CERT); ctx = spc_create_sslctx(&spc_store); /* use the ctx to establish a connection. This will yield an SSL object */ cert = SSL_get_peer_certificate(ssl); digest = EVP_sha1( ); fingerprint_length = sizeof(fingerprint); spc_fingerprint_cert(cert, digest, fingerprint, &fingerprint_length); /* use the fingerprint to compare against the list of known cert fingerprints */ |
EAN: 2147483647
Pages: 266