Re: Using TLS to establish SSH-like key based trust model

[Dimitrios Apostolou]

Hi, I'd appreciate any feedback on the quoted message. I'm not experienced 
with the OpenSSL API and I had to dig into the library source code to 
achieve the custom result I needed.

Thank you in advance,
Dimitris
On Mon, 29 Jul 2013, Dimitrios Apostolou wrote:

Hello list,

I am trying to use OpenSSL to provide SSH-like trust model, by using TLS. 
That means that the two peers have an RSA key pair stored, no certificate. 
They have also exchanged their public keys in a secure manner. Here is the 
way I do it, I would appreciate all opinions on this:

* During initialisation peers generate an in-memory, temporary x509 
certificate. It contains the minimal dummy data I could get away with, i.e. a 
dummy CN, issuer, and 100 years lifetime before expiring. These are never 
checked anyway.

* The important step is that the certificate contains the peer's public key 
and it is signed using the peer's private key:

   EVP_PKEY *pkey = EVP_PKEY_new();
   EVP_PKEY_assign_RSA(pkey, PRIVKEY);
   X509_set_pubkey(x509, pkey);
   X509_sign(x509, pkey, EVP_sha384());

* The x509 certificate is then assigned to SSL_CTX 
(SSL_CTX_use_certificate()) and is used for the whole application lifetime.

* For trust establishment I disable the callback mechanism 
(SSL_CTX_set_cert_verify_callback(always_success_callback)) mainly because I 
had issues with multiple threads. I also set the option to request 
certificate both ways (SSL_CTX_set_verify(SSL_VERIFY_PEER) in both peers). 
Immediately after each TLS session is established I do the following:

   X509 *received_cert = SSL_get_peer_certificate(ssl);
   EVP_PKEY *received_pubkey = X509_get_pubkey(received_cert);
   // expected_rsa_key is the foreign peer's public key, we assume it has 
been safely exchanged
   EVP_PKEY expected_pubkey = { 0 };
   ret = EVP_PKEY_assign_RSA(&expected_pubkey, expected_rsa_key);
   ret = EVP_PKEY_cmp(received_pubkey, &expected_pubkey);
   if (ret == 1)
       return 1;        // THE SESSION IS SECURE!
   else
       return 0;        // WATCH-OUT!

That means I ignore all of the certificate besides the public key, which I 
compare to the stored one. The in-memory certificate is re-generated from the 
stored RSA key every time the application starts.

Do you think this is a secure design/implementation for my requirements? Can 
you identify any flaws?


Thank you in advance,
Dimitris

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org