I need to build an encrypted connection between two peers, and I need to authenticate both. Both peers already share a fingerprint (SHA256 hash) of the other peer public key. I m not using X509 or OpenPGP keys/certs as they are too big and bulky for my needs and they don t fit in the security model.
I m 试图通过滥用其X509模式与M2Crypto(宗教图书馆)建立联系:
鉴于母体是私人钥匙,形成了一种几乎自动的ert。
与其他同侪建立联系,提供我的证明
• 核实其他同侪 c;
Is the following code secure? is it correct? is there a way do do it better (maybe with other libraries)? My doubts are about OpenSSL not actually using the certificate public key for authentication as I m not requesting any verification of the certificates.
我只需要使用被废弃编码编码的机车钥匙所储存的加密流,欢迎任何免费的假日软件解决方案。 我更喜欢M2Crypto,因为我知道它更好,并且已经在同一个项目中使用它的一些法典。
我的守则(调整客户同侪,服务器应当类似):
other_fingerprints = [] #list of fingerprints, (binary data)
mysocket = ... #any socket object
CERTFILE, KEYFILE = "testcert","testkey" # private key wrapped in the cert
from M2Crypto import *
ctx = SSL.Context( sslv3 )
ctx.set_verify(SSL.verify_none, depth=1)
ctx.load_cert(CERTFILE, KEYFILE)
c = SSL.Connection(ctx, mysocket)
c.connect_ssl()
peercert = c.get_peer_cert()
keyobj = peercert.get_pubkey()
keydata = keyobj.as_der()
md = EVP.MessageDigest( sha256 )
md.update(keydata)
h = md.digest()
if h not in other_fingerprints:
raise(IOError) #other party not auth ed
# from now on the connection is secure, right?
c.send("Hello secret world!")
print c.recv(4096)
c.close()
事先感谢你的答复和建议。