-
Notifications
You must be signed in to change notification settings - Fork 627
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Basic authentication is not really possible to get working with manually-issued certs #237
Comments
Sorry, what exactly do you want to do? The certificate format is proprietary (it is not X509), but the framework is pretty standard stuff. There are methods to set a particular certificate, and a certificate tool, if you want to generate one. Also, just to clarify, the Diffie-Hellman key exchange is always done with ephemeral keys. The keys used for signing have longer lifetimes. What was your goal in specifying a particular key to use for key exchange? |
I guess I poorly translated the text from Russian, so in short I want to
sign keys that are exchanged so that I can verify that they weren't
tampered with. (Like TLS, where certificates are signed by CA).
ср, 15 июн. 2022 г. в 03:59, Fletcher Dunn ***@***.***>:
… Sorry, what exactly do you want to do?
The certificate format is proprietary (it is not X509), but the framework
is pretty standard stuff. There are methods to set a particular
certificate, and a certificate tool, if you want to generate one.
Also, just to clarify, the Diffie-Hellman key *exchange* is always done
with ephemeral keys. The keys used for signing have longer lifetimes. What
was your goal in specifying a particular key to use for key exchange?
—
Reply to this email directly, view it on GitHub
<#237 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AR5IDSDRU7CT34XUVIPZT5TVPETHRANCNFSM5YYO7LDA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
There is a basic cert store, and a certificate generation tool. And you can hardcode a particular trusted root AC key by #defining STEAMNETWORKINGSOCKETS_HARDCODED_ROOT_CA_KEY. However, I suspect there might be some missing pieces, depending on your use case. I can think of at least three: 1.) The cert tool actually doesn't have a way to specify the identity that should go into the cert. Each of those would be really easy to add, though. All of the stuff under the hood is present, there just isn't the exact API call you need. NOTE: It might seem kinda weird that these don't exist to handle the "typical" use case, but it actually hasn't come up, because all of the certificate issuance in Steam and partners is all automated! We never issue certificates by hand. One thing that would be quite a lot of work to fix is that, unlike TLS, we do not send intermediate certs in the handshake. We require that both sides have all required intermediate certs. So if you are using any intermediate certs you need to make sure they are distributed. If you only have a single root CA, then you just hardcode the trusted key. If you tell me more about your use case, I might be able to point you in the right direction if you are interested in adding those missing pieces. Again, I think it would be pretty easy, as everything under the hood is present, there just isn't the highest level API entry point to do exactly what you need. |
I guess this is what I need. The only modifications needed are adding
identity to certtool generation (for me it's plain string), re-enabling
signed certificate enforcement, removing appID check and adding ability to
parse certificate from string (or outputting certificate in array form).
ср, 15 июн. 2022 г., 19:28 Fletcher Dunn ***@***.***>:
… I'm not sure what your use case is exactly, but I suspect there might be
some missing pieces. I can think of at least three:
1.) The cert tool actually doesn't have a way to specify the identity that
should go into the cert.
2.) There isn't an easy way to tell the library to use a particular
private key and cert into the library.
3.) There isn't really an API for adding intermediate certs into the cert
store.
Each of those would be really easy to add, though. All of the stuff under
the hood is present, there just isn't the exact API call you need.
There is a basic cert store, and a certificate generation tool. And you
can hardcode a particular trusted root AC key by #defining
STEAMNETWORKINGSOCKETS_HARDCODED_ROOT_CA_KEY.
NOTE: It might seem kinda weird that these don't exist to handle the
"typical" use case, but it actually hasn't come up, because all of the
certificate issuance in Steam and partners is all automated! We never issue
certificates by hand.
One thing that would be quite a lot of work to fix is that, unlike TLS, we
do not send intermediate certs in the handshake. We require that both sides
have all required intermediate certs. So if you are using any intermediate
certs you need to make sure they are distributed. If you only have a single
root CA, then you just hardcode the trusted key.
If you tell me more about your use case, I might be able to point you in
the right direction if you are interested in adding those missing pieces.
Again, I think it would be pretty easy, as everything under the hood is
present, there just isn't the highest level API entry point to do exactly
what you need.
—
Reply to this email directly, view it on GitHub
<#237 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AR5IDSDDW3RQ4K3OUKBEAH3VPIAETANCNFSM5YYO7LDA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
I changed the title to clarify what is needed here. If I have some time I'll add the needed features. I don't think there's anything unusual your use case, it seems like an entirely normal situation. It's actually kind of surprising that nobody has complained about this not being possible before. |
From my quick look at code, i found out that there is key exchange public key signing in source, but no way to set keys for it are provided in the interface. (It is possible to set them through certificates, but certificates don't look like they are made for usage outside Steamworks).
And my question is: can i set keys for signing and verifying key exchange public keys using only interface?
If no, i think it's worth considering adding some simple API for that, for example:
(CECSigningPublic/PrivateKey are here for example)
I think, it will improve protection against MITM.
The text was updated successfully, but these errors were encountered: