tls/ssl

Author: wang-jun-coder

Security/crypto.md

@@ -0,0 +1,61 @@
+## 加密
+
+
+### 加密算法分类
+* 对称加密
+	* 加密解密使用同样的秘钥
+* 非对称加密（公开密钥加密）
+	* 公钥加密的数据只能用私钥解密
+	* 私钥加密的数据只能用公钥解密
+
+### HTTPS、TLS、SSL
+HTTPS 也称作 HTTP over SSL，相当于 HTTP + SSL/TLS。
+TLS 的前身是 SSL，TLS 1.0 常被标识为 SSL 3.1， TLS1.1 为 SSL 3.2，TLS 1.2为SSL 3.3
+
+#### SSL/TLS 的运行过程
+其基本思路是采用公钥加密算法，客户端向服务器所有公钥，使用公钥加密后传输信息，服务器使用私钥解密。  
+为了防止公钥被篡改，采用数字证书（包含公钥等信息，客户端通过数字签名进行验证），只要证书是可信的，公钥就是可信的，浏览器内置CA根证书。  
+非对称加密计算量较大，所以在每一次会话时客户端和服务器均生成一个 会话秘钥 ，使用会话秘钥进行对称加密，对会话秘钥进行非对称加密，以减少加密所消耗的时间。
+
+主要流程分四个步骤，这四个步骤通信都是明文的
+
+* 客户端先向服务器发起请求，并提供信息
+	* 支持的协议版本，如：TLS 1.2
+	* 客户端随机数，用于生成会话秘钥
+	* 支持的加密算法
+	* 支持的压缩算法
+* 服务器回应请求，并返回以下内容
+	* 确认使用的协议，若无法与浏览器所支持的达成一致则关闭加密通信
+	* 服务器随机数，用于生产会话秘钥
+	* 确认加密使用算法
+	* 服务器的数字证书
+* 客户端收到回应，验证证书（证书机构，域名，时效等）, 通过后再向服务器发送以下信息
+	* 一个随机数，使用服务器公钥加密
+	* 编码改变通知，标记随后信息均使用加密方法和秘钥传送
+	* 客户端握手结束通知，同时也是前面发送内容的 hash 值，用来供服务器校验
+
+* 服务器最后回应
+	* 编码改变通知，标记随后使用约定的加密方法和秘钥发送
+	* 服务器握手结束通知，同时也是前面发送内容的 hash 值，供客户端校验
+
+上述过程出现了三个随机数，前两个明文发送，第三个则通过公钥加密发送，此时客户端和服务端均知道这三个随机数，两端分别使用事先约定的加密算法生成同一把 会话秘钥，之后的传输，使用这个会话秘钥进行对称加密。
+
+#### 数字证书如何确保不被篡改
+* 客户端不可能内置所有公钥，但可内置 CA 公钥证书（数量不多）
+* 若服务端给客户端仅传递公钥，中途可能被中间人替换公钥，无法确保信息不泄露
+* 服务端可以通过 CA 认证拿到 数字证书（包含公钥和数字签名等），传递给客户端（传输过程也可能被替换，但浏览器无法解密，除非客户端信任被替换的证书）
+* 客户端接收到服务器的数字证书后，通过 CA 解密拿到公钥和数字签名，同时客户端通过相同算法（域名，证书，等信息）自己生成数字签名，与数字证书内的签名进行对比。
+
+
+### https通信如何劫持？
+* 客户端信任中间人证书
+* 中间人自己签发数字证书，由于客户端已信任中间人证书，则与中间人建立 https 连接，
+* 中间人与真实服务器链接，并转发响应信息给客户端
+* 重要的是，不要轻易信任证书
+
+
+
+
+
+
+

Security/crypto/assets/private.pem

@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,A1ACC788CA8C691CD02A9B83745082D1
+
+KyAphDlWN0AK59zdkH5Z4oQsnpmbmZwZ1iPAoEsBE0dyc65+lLYdbik7KpQqiGCx
+9pVjRgoTPhlPVptJmNOxMMdVXREeIUZ62lR/RsMjlTOYewKGpRPOkGFbKMceEai5
+ZVOScGh8156Tg8QW0kJHD4yfECCjJ1rhbpqEq+HEG2kwQAF3b6p6QX+ZDOk7aw1B
+ss/sE16k/8CYxrvhE9S+2GP6N9oFj17LFkVYg5x8tPf+iZ5jgObnaR+gvbEiTj2f
+Or2GF8PRm6fYmueDS2EporZp+JauiBxSOLny4i9skXCXTzsuMUkPrG3YoCwW8xZv
+sBbexoqoYZtifN54Xd8AlBfzkwsjHNoHd2Wp/5C4LojuNRWRThH2UcIPAXS5mkul
+e8X6llB/0YY+sfESN01VYXBlkenwWjUA8HP3Cy46V/Ah58K5cmyEj+E7Ryk1UvJO
+nulUhBV0JbbPEQBmbHoq+D39RqtNWx8crH+xCFUllNfq2EdPftSmZTmCOCCJzwzs
+5b8NTiyBI99T6WMTBiJUB8y/AmCwzO+YBTooYoJmdQg2Gv+4jWoLi5xKGWva9+SM
+k44mS1Ew84vYYlMB7lpa3VSEwKvo6yOhvV3fwpwPC3qxF2bsCalY4HC3Yh6ArC9O
+RTJU42UdFoKscpJN2Djujl3Fm6SIzfoLdaY5ifguT9a3Kv7md/blJqVKRhmWFiJj
+kaOT2LPcqUw8c2URC8srE4Ba/U0J0FY64eIfXbJM/MKW9YFQOl/8qYNBlaa81E9r
+TYvmyZhFH6oksr4bEnq9NJHtkk2E9/pMCTMBej7Kb24m9GL8v4kr52Dow8H4vQQ8
+H3lMXj/Te+qU0m+CTXVKcDyAJ+KvwGCOOp588XVkff3bO6rXHeWux0fv3MWfIpRx
+78TeEyy3ZnUOCfUeXNEXC7uZcoXXAT+6q56Kr5o2NFccnaKKwKU4wvYgvMcIKncj
+k4rX7YYAqsjLixEy9p1p04zNNRwXcFq13ZFXWEP2ZDvv0S33XJEDAmIPgLwMSRB5
+lh/tE0RThbEy0YXoeDFSFf9qBcRqgHa8LMEnahzqmfT9iE5jdsCYQaNEODMcbi9K
+jy2DtgJx28Zqi+KqBGGy6JgUA8lH7lJIDas8IvQjVUjODv6V7hm+Ipw7N1zkFXFN
+hJ4CIOiRwsIeKnYmJ4AOOBl059vWn09OvZ1h+t+srHVvRzPjy0eidIczC6iljrwv
+69pFrwJtscYl9NuMiZhMrzl5ahEfujQwgk5/+CEusif5uHyyz/epQhZwkkAf2FWe
+eoZWicxfOtSF2dkr+mwlPDJhaZMSFU+YSgtvdFsNIOFf5PhIPQ7B4DhJGvD8Z2bl
+le8x0T38xhUZQ1bt/lHaprLkfUPuOE84pgrWvEVRgaRawetK40XXoHPljGaIyGX6
+9HouRpnLDzUTVY3jXiZTdcv8PyZhXTezi65Oola0lTpDB8XwZSBw300jJDNtFz7i
+CEWgPo6jNpEzI6EAOJmpMT23HG0kB4AQ0vF3jslzP/nuK4/IZ3nE/PaL3Vm6not3
+84tgLWfAWQ60hbWGFlE/LxSBBl9EzunGl8ITWH4I3OFVMNDE4e7FKXVRmtH1wHz3
+yo8CC4tD4hMXzYL1j5RUZ7YyqaaKEx0SHffJ+fB9DyI9HuhYasPzHvbKCs0Ef0H8
+sp6wJBVftVxlDxkHJZfBuQGs9B3MztOb3jVz0NT7q0wfY7b8O1of68idrLhduHs3
+4ZOLiZygCNopk78J31zXjCQXrTe9utUKRvMqDNmR1oWq0JQWf0ThFjXsuPVOkxfq
+fTRFRwtsrqb44rXD0rQdr6WJPlatPm/hlOGWU9TB6+zpFGGpjy0vMcC5Ebv2PH41
+nNkkfbv+PsxrcZOXWxMdZLmNlQ5k+rKTn1A9tEy9I3RVzmtx8/1RYBWu+yWeMdYB
+TtcFs6kLIJIpRuPCTbOtj8gWCtNhEnGHViYAtp0uL5KndvyMPzBFu1yPYxK8+YKr
+agdApqc9MmFcq0z4LgXPOhNU+VRaxqVB/yEgcvXZ5JwYvnGCDDyk7M0TFsy/kEaA
+KyK8dJt9hT8TBFfaNVxWzNWQgIg65kTwIVWUewh7Ao6NTEglzoXxSvUExGC3i4DC
+RoaEHj8+db/mQmG/DJK1+zYB1sZz8Zfqr+7hPhJVGlfWTZxa8eev7Mop5TsUIXRC
+lIxTx29QlQ7ZUY7MCg1/lQDtesz+fh8i/a4E9/Sm7APkQsRymgSUEUasiAvkwhmH
+GU8DrGUZW/7ucSZL8kv9XjaUuVzxZqmPY0EovR6hEvyUdRRvrPO/27tZufdZZXJe
+/35fsB6muEjhFwPCjfYdbAOBQKUy+RYZV7QfcjmpZHrba9cUYuErbiiJCNcWHZH2
+JJtjZ8EDNLX7tPSwWFe+DcfGV5c18nVyX2WSWlOFIGOmB5k3kLeTVfhB9PFPdtKP
+29m5vc7zGMHUC4VohYRblIIJVv6EUankKspp9Yu6UB+kWPo9GK/cpEUQuYWKPgNo
+fmmO2g81Dwrt9yTHoe+DcQhzAOVWKBt4m8plxu968IZxu4mqPNNxRpJW0QapihoP
+qKy9fzNXlBNjgYf16TAm8OLbAKuklhCJqwIg6A2KgQK+n6c4QRw9g5QnTbLjw+5A
+v7xUm5wkzQKd27kit4GWkyPrA6a4JO98ErjaSWyqMm3MS2tOpg30duozKby9FBRW
+debKcDIwetEbeXxRg0mbPryT3DpZxtqAszw9+awIYF1dNfkzt2VZhFacwYNyXJ40
+gv+k54pfP2CBqANKSJeyH3JAWZ8KTCB9wqVyqBbsk9cE5S3tjiSE5VSTn65V9WuR
+b7hz4eA1ktOmkJUlNWkjCGqRa3zxUZ0VsIxs3hr1J1NOH/NNUY+HZsacgL9qIe0z
+gpm6FH9f3Chdly0zeTP8D4ao566ZkgSstIdm5TGjEwKftiJTXxEakeLlc6SfchBX
+eZ4Y3AbPiSnKYApBfkTTJk5PzkmrcN3wg9HqbzKA6BkSo87PrsX7XbFP/aDEc1Rf
+NcUUmvPMhF/UJyXr1Ty6fTVwhsMHtPSIfo5I2V5dLezy11rb0P8wCb0IgtktahjA
+AoDdzXtjszb6wFYSeGk5yzplCwlNlJ3jnk/iYU/cZd114fDQ53dOFynY0HiXcUSw
+-----END RSA PRIVATE KEY-----

Security/crypto/assets/public.pem

@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA2Vi3YzQWrBCLQkaJJehwDBnJQXkhwL6sGZhOZw5PSFPWQH/wHtok
+lb83GSrf8N4nv5jTmqE988V7xosFEaMKutmoC72u5mSwNibVQ6uneMU/TO/PJjmb
+pu1agrCFkYyHYCiAS4BZL5xVOSc+1dwUcdFG5fptwMealX1CRGsE1kHY2bu3tT22
+MVLkTnT7ARK+ofjJfASFlEozVfH/Zyl5ml2CdvIu+H91iuARV8z8BD2Lmt6fHLx9
+AAIYZzne5kvXKKBW1sK1VBFC22982Az1XNYf1wM2RlUoejlt/86xx2SOqwKRrUmV
+C7qRDATKUS9SJDv5wlXvQXRGtZjYHM7X6sq13ubsP/fUB5WXbhcEVnIgEb4tlko+
+SU34SGHg50h0OQkNghaD747v7c1VRP61+NFuHyMH61MMY6c83b7lwbZ/prhDwDLZ
+Scx6Eu6QrUHZNDxnv+fEv9WA1QEOGJjPMmRpOhsj6snTQR2aDhQyKNQNBSW4jW7A
+O4onvSaddzFHX1U0tQuv0MLiR8ZyGVuOJJv7Fpl5tbUrTIOBkwCB0473/4P0hOH4
+ylCBqTrjPDwFIZ7jqZVM6T9EcXg6e5/bE0FJJKest4i+twC3z9Smn9tsXzHA4ap0
+LNR6rWYRuBA5dtCxb7orcRcK70Wrwj+nmUgsUp7FYXzwxw9aClptb+cCAwEAAQ==
+-----END RSA PUBLIC KEY-----

Security/crypto/create-secret.js

@@ -0,0 +1,21 @@
+const crypto = require('crypto');
+const fs = require('fs');
+
+// nodejs  v10.12.0 +
+const {publicKey, privateKey} = crypto.generateKeyPairSync('rsa', {
+    modulusLength: 4096,
+    namedCurve: 'namedCurve',
+    publicKeyEncoding: {
+        type: 'pkcs1',
+        format: 'pem'
+    },
+    privateKeyEncoding: {
+        type: 'pkcs1',
+        format: 'pem',
+        cipher: 'aes-256-cbc',
+        passphrase: 'private-key-passphrase'
+    }
+});
+
+fs.writeFileSync('./assets/public.pem', publicKey);
+fs.writeFileSync('./assets/private.pem', privateKey);

Security/crypto/encrypt-decrypt.js

@@ -0,0 +1,50 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const assert = require('assert');
+
+// 可使用 node create-secret.js 生成公钥私钥
+const publicKey = fs.readFileSync('./assets/public.pem');
+const privateKey = fs.readFileSync('./assets/private.pem');
+// 要传输的信息
+const message = 'this is some message need be encrypt';
+
+
+// 私钥加密公钥解密
+const privateKeyEn = crypto.privateEncrypt({
+    key: privateKey,
+    passphrase: 'private-key-passphrase'
+}, Buffer.from(message));
+console.log(`私钥加密密文: ${privateKeyEn.toString('hex')}`);
+const publicKeyDe = crypto.publicDecrypt(publicKey, privateKeyEn);
+assert.deepStrictEqual(message, publicKeyDe.toString(), '公钥解密私钥加密的数据与原数据不一致');
+
+
+// 公钥加密, 私钥解密
+const publicKeyEn = crypto.publicEncrypt(publicKey, Buffer.from(message));
+const privateKeyDe = crypto.privateDecrypt({
+    key: privateKey,
+    passphrase:'private-key-passphrase'
+}, publicKeyEn);
+console.log(`公钥加密密文: ${privateKeyEn.toString('hex')}`);
+assert.deepStrictEqual(message, privateKeyDe.toString(), '私钥解密公钥加密的数据与原数据不一致');
+
+
+
+// 对称加密
+const algorithm = 'aes-256-cbc';
+const key = '1234567890abcdef1234567890abcdef';
+const iv = '1234567890abcdef';
+
+const enCipher = crypto.createCipheriv(algorithm, key, iv);
+let en = enCipher.update(message, 'utf8', 'hex');
+en += enCipher.final('hex');
+console.log(`对称加密密文: ${en}`);
+const deCipher = crypto.createDecipheriv(algorithm, key, iv);
+let de = deCipher.update(en, 'hex', 'utf8');
+de += deCipher.final('utf8');
+assert.deepStrictEqual(message, de, '解密对称加密数据与原数据不一致');
+
+// // nodejs 支持的一些加密算法和 hash
+// console.log(crypto.getCiphers());
+// console.log(crypto.getCurves());
+// console.log(crypto.getHashes());

Security/demo/app.js

@@ -0,0 +1,44 @@
+const Koa = require('koa');
+const app = new Koa();
+const views = require('koa-views');
+const json = require('koa-json');
+const onerror = require('koa-onerror');
+const bodyparser = require('koa-bodyparser');
+const logger = require('koa-logger');
+
+const index = require('./routes/index');
+const users = require('./routes/users');
+
+// error handler
+onerror(app);
+
+// middlewares
+app.use(bodyparser({
+  enableTypes:['json', 'form', 'text']
+}));
+app.use(json());
+app.use(logger());
+app.use(require('koa-static')(__dirname + '/public'));
+
+app.use(views(__dirname + '/views', {
+  extension: 'pug'
+}));
+
+// logger
+app.use(async (ctx, next) => {
+  const start = new Date();
+  await next();
+  const ms = new Date() - start;
+  console.log(`${ctx.method} ${ctx.url} - ${ms}ms`)
+});
+
+// routes
+app.use(index.routes(), index.allowedMethods());
+app.use(users.routes(), users.allowedMethods());
+
+// error-handling
+app.on('error', (err, ctx) => {
+  console.error('server error', err, ctx)
+});
+
+module.exports = app;

Security/demo/bin/www

@@ -0,0 +1,90 @@
+#!/usr/bin/env node
+
+/**
+ * Module dependencies.
+ */
+
+var app = require('../app');
+var debug = require('debug')('demo:server');
+var http = require('http');
+
+/**
+ * Get port from environment and store in Express.
+ */
+
+var port = normalizePort(process.env.PORT || '3000');
+// app.set('port', port);
+
+/**
+ * Create HTTP server.
+ */
+
+var server = http.createServer(app.callback());
+
+/**
+ * Listen on provided port, on all network interfaces.
+ */
+
+server.listen(port);
+server.on('error', onError);
+server.on('listening', onListening);
+
+/**
+ * Normalize a port into a number, string, or false.
+ */
+
+function normalizePort(val) {
+  var port = parseInt(val, 10);
+
+  if (isNaN(port)) {
+    // named pipe
+    return val;
+  }
+
+  if (port >= 0) {
+    // port number
+    return port;
+  }
+
+  return false;
+}
+
+/**
+ * Event listener for HTTP server "error" event.
+ */
+
+function onError(error) {
+  if (error.syscall !== 'listen') {
+    throw error;
+  }
+
+  var bind = typeof port === 'string'
+    ? 'Pipe ' + port
+    : 'Port ' + port;
+
+  // handle specific listen errors with friendly messages
+  switch (error.code) {
+    case 'EACCES':
+      console.error(bind + ' requires elevated privileges');
+      process.exit(1);
+      break;
+    case 'EADDRINUSE':
+      console.error(bind + ' is already in use');
+      process.exit(1);
+      break;
+    default:
+      throw error;
+  }
+}
+
+/**
+ * Event listener for HTTP server "listening" event.
+ */
+
+function onListening() {
+  var addr = server.address();
+  var bind = typeof addr === 'string'
+    ? 'pipe ' + addr
+    : 'port ' + addr.port;
+  debug('Listening on ' + bind);
+}

Security/demo/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "demo",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "start": "node bin/www",
+    "dev": "./node_modules/.bin/nodemon bin/www",
+    "prd": "pm2 start bin/www",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "debug": "^2.6.3",
+    "koa": "^2.2.0",
+    "koa-bodyparser": "^3.2.0",
+    "koa-convert": "^1.2.0",
+    "koa-json": "^2.0.2",
+    "koa-logger": "^2.0.1",
+    "koa-onerror": "^1.2.1",
+    "koa-router": "^7.1.1",
+    "koa-static": "^3.0.0",
+    "koa-views": "^5.2.1",
+    "pug": "^2.0.0-rc.1"
+  },
+  "devDependencies": {
+    "@types/koa": "^2.0.48",
+    "nodemon": "^1.8.1"
+  }
+}

Security/demo/public/stylesheets/style.css

@@ -0,0 +1,8 @@
+body {
+  padding: 50px;
+  font: 14px "Lucida Grande", Helvetica, Arial, sans-serif;
+}
+
+a {
+  color: #00B7FF;
+}