Flash SecureSocket and RSA private key

I am trying to communicate with a server through SSL. The PEM client file consists of a certificate and an RSA private key.

I managed to convert both the certificate and the key to binary DER. I load the DER certificate into the SecureSocket successfully (with the function addBinaryChainBuildingCertificate), but when I try to connect to the server I get a "principal mismatch" error. If I try to use the aforementioned function to load the DER key, I get a "wrong parameter" error.

I suppose the "principal mismatch" is because I haven't loaded the private key. But I see no function to load an RSA key into a SecureSocket. Is there any solution to this? Do I need to communicate with the server with only a certificate and remove the key from the equation?

EDIT:

Code:

package {

    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.ProgressEvent;
    import flash.net.SecureSocket;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    import flash.utils.ByteArray;

    public class TestSSL2 extends Sprite {

        private var mSocket:SecureSocket = new SecureSocket();

        // DER-encoded certificate and RSA private key, converted from the PEM client file
        private var certFile:String = "ca.der";
        private var keyFile:String = "key.der";

        private var cert:ByteArray;
        private var key:ByteArray;

        public function TestSSL2() {
            trace("SecureSocket.isSupported", SecureSocket.isSupported);

            // Load the certificate file as raw bytes
            var urlLoader:URLLoader = new URLLoader();
            urlLoader.addEventListener(Event.COMPLETE, certLoaded, false, 0, true);
            urlLoader.dataFormat = URLLoaderDataFormat.BINARY;
            urlLoader.load(new URLRequest(certFile));
        }

        private function certLoaded(e:Event):void {
            cert = (e.target as URLLoader).data;
            trace("certificate", cert.length);
            // Add the DER certificate to the chain-building set; true marks it as the root
            mSocket.addBinaryChainBuildingCertificate(cert, true);

            // Then load the key file the same way
            var urlLoader:URLLoader = new URLLoader();
            urlLoader.addEventListener(Event.COMPLETE, keyLoaded, false, 0, true);
            urlLoader.dataFormat = URLLoaderDataFormat.BINARY;
            urlLoader.load(new URLRequest(keyFile));
        }

        private function keyLoaded(e:Event):void {
            key = (e.target as URLLoader).data;
            trace("key", key.length);
            // This call fails with ArgumentError #2004 (see the result below):
            // the method expects a DER certificate, not a private key
            mSocket.addBinaryChainBuildingCertificate(key, true);

            // Register the listeners before connecting so no event is missed
            mSocket.addEventListener(Event.CONNECT, socketConnected);
            mSocket.addEventListener(IOErrorEvent.IO_ERROR, onError);
            mSocket.addEventListener(ProgressEvent.SOCKET_DATA, socketData);
            mSocket.connect("127.0.0.1", 3000);
        }

        private function onError(error:IOErrorEvent):void {
            // serverCertificateStatus explains why the handshake was rejected
            trace("ERROR!", error.text, ":", mSocket.serverCertificateStatus);
        }

        private function socketConnected(e:Event):void {
            trace("Connected", e);
        }

        private function socketData(e:ProgressEvent):void {
            var data:String = mSocket.readUTFBytes(mSocket.bytesAvailable);
            trace(data);
        }
    }

}

Result:

SecureSocket.isSupported true
certificate 497
key 607
ArgumentError: Error #2004: One of the parameters is invalid.
    at flash.net::SecureSocket/addBinaryChainBuildingCertificate()
    at TestSSL2/keyLoaded()
    at flash.events::EventDispatcher/dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    at flash.net::URLLoader/onComplete()

If I comment out the line:

//mSocket.addBinaryChainBuildingCertificate(key, true);

I get:

SecureSocket.isSupported true
certificate 497
key 607
ERROR! Error #2031: Socket Error. URL: 127.0.0.1 : principalMismatch

Firstly:

The "principal mismatch" indicates that the common name of the certificate on the secured server does not match the DNS name that you are connecting to.

Considering that you are connecting to localhost (127.0.0.1), there will most certainly be a mismatch. Flash sockets are particularly strict when it comes to making secure connections, and there is no mechanism to override security features, unlike other runtimes (e.g. .NET and Java). The following must be true:

  1. The certificate common name must match the DNS name (there is a relaxation here for 'star' certs, i.e. a cert for *.bob.com is considered valid for mr.bob.com).
  2. The certificate must be valid in terms of expiry and trust chain.

Secondly:

You seem to have some misconception about how certificates work. You do not need to add any certificates using the addBinaryChainBuildingCertificate() method if the server certificate is issued by a trusted root authority, i.e. the certificate that signed the server certificate is in the local trust store of the target device.

To illustrate:

  • I have a certificate for this.is.awesome.com installed on my server and a DNS entry that resolves this.is.awesome.com to my server's IP address.
  • This certificate is issued by the Entrust L1C certificate authority.
  • The L1C certificate is in turn issued by the Entrust 2048 root authority.

On my PC I have the Entrust 2048 Root authority installed in my Trusted Root certificate store. However, I do not have the L1C certificate installed. When I attempt to connect to this.is.awesome.com the connection will fail, as the server certificate cannot be validated against the L1C authority.

If I add the DER-encoded L1C certificate using addBinaryChainBuildingCertificate(), then the connection will succeed. The server certificate will be validated against the L1C certificate, which will in turn be validated against the 2048 Root certificate, which is a trusted root.

To summarize:

Your connection issues seem to stem from your attempt to connect to localhost. Try adding an entry to your HOSTS file that maps the name on your certificate to 127.0.0.1 and then connecting to that name. If that fails, check the issuer chain on your certificate and add the chain of issuers by calling addBinaryChainBuildingCertificate() once for each issuing certificate in the chain. The final or root certificate should be marked as such by passing true as the second parameter to addBinaryChainBuildingCertificate().
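The two checks the answer describes (the "principal" name check and the walk up the issuer chain to a trusted root), modelled in Python as an added illustration that is not part of the question or answer and not Flash's implementation. Certificates are plain name records rather than real X.509 objects, the Entrust names and this.is.awesome.com are the answer's example, and the order in which the runtime applies the two checks is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names matter for these checks."""
    subject: str  # common name the certificate was issued to
    issuer: str   # common name of the certificate that signed it

def hostname_matches(common_name: str, host: str) -> bool:
    """Principal check. A single leading '*' label matches exactly one DNS label, so
    '*.bob.com' matches 'mr.bob.com' but not 'bob.com' or 'a.mr.bob.com'."""
    cn, host = common_name.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if not cn.startswith("*.") or "*" in cn[1:]:
        return False
    cn_labels, host_labels = cn.split("."), host.split(".")
    return len(cn_labels) == len(host_labels) and cn_labels[1:] == host_labels[1:]

def build_chain(leaf: Cert, added: Iterable[Cert], trusted_roots: Iterable[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the server certificate through the certificates the client supplied
    (the role of addBinaryChainBuildingCertificate()) to a trusted root; None if a link is missing."""
    intermediates: Dict[str, Cert] = {c.subject: c for c in added}
    roots: Dict[str, Cert] = {c.subject: c for c in trusted_roots}
    chain, current = [leaf], leaf
    for _ in range(8):  # real chains are short; the bound also stops issuer loops
        if current.issuer in roots:
            return chain + [roots[current.issuer]]
        nxt = intermediates.get(current.issuer)
        if nxt is None or nxt in chain:
            return None
        chain.append(nxt)
        current = nxt
    return None

def check_connection(host: str, server_cert: Cert, added: Iterable[Cert], trusted_roots: Iterable[Cert]) -> str:
    """Return a CertificateStatus-style string: 'principalMismatch' (seen in the question),
    'untrustedSigners' for an incomplete chain, or 'trusted'. Name-first order is an assumption."""
    if not hostname_matches(server_cert.subject, host):
        return "principalMismatch"
    if build_chain(server_cert, added, trusted_roots) is None:
        return "untrustedSigners"
    return "trusted"

# Constructed certificates mirroring the answer's Entrust example (names only, no key material).
ROOT = Cert(subject="Entrust 2048 Root", issuer="Entrust 2048 Root")
L1C = Cert(subject="Entrust L1C", issuer="Entrust 2048 Root")
SERVER = Cert(subject="this.is.awesome.com", issuer="Entrust L1C")
```

Connecting to 127.0.0.1 fails on the name check before the chain is even considered; connecting by the certificate's name with only the root in the trust store fails on the missing L1C link, and supplying L1C completes the chain.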
