codesigning SWF? [英] Codesigning SWF?

查看:248
本文介绍了codesigning SWF?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

AIR允许使用Loader.LoadBytes注入code()

AIR allows to inject code using Loader.LoadBytes()

这允许远程下载的插件,这将有充分的机会来的一切,AIR应用程序可以访问SWF文件。这就对存在安全隐患,所以这将是可取的数字签名的swf的。

this allows to download remote plugins as swf files which will have full access to everything that the AIR application has access to. This imposes a security risk, so it would be desirable to digitally sign the swf's.

什么是做到这一点,以验证code签名?最好的办法

What's the best way to do this and to verify the code signature?

我知道的as3corelib具有一定的加密功能,也为X.509证书 - 但我没有找到一个的ressource解释如何使用它。此外,也许有一些官方的方式来codesign SWF的?

I know the as3corelib has some encryption functionality and also for X.509 certificate - but I didn't find a ressource explaining how to use it. Also, maybe there's some 'official' way to codesign SWF's?

推荐答案

一种可靠的方法是使用公钥加密,它是这样的:

One robust method is using public key encryption, which goes something like this:

  1. 您需要的非对称加密算法(例如,RSA),和一个散列算法(例如,SHA,MD5)。
  2. 生成公私密钥对。
  3. 生成和使用散列算法,数据的校验和。
  4. 加密的校验和使用加密算法的私钥。这将成为签名。
  5. 发送的数据到客户端沿与签名。
  6. 解密客户端上的签名用的公开密钥,以获得原始校验和。
  7. 生成从客户机上的数据的校验和。
  8. 比较校验。如果它们匹配,那么你知道这些数据从你来没有改变。如果他们不匹配,那么你知道它是从你送,或者来自其他人后的数据被更改。

请参阅 http://en.wikipedia.org/wiki/Public-key_cryptography

这是攻击者可以绕过此安全如果它们能够截取的连接和修改原始客户SWF文件,要么改变公共密钥,或完全移除的安全机制。使用TLS或SSL,以prevent黑客截取数据。

An attacker can bypass this security if they are able to intercept the connection and modify the original client SWF file and either change the public key, or remove the security mechanism entirely. Use TLS or SSL to prevent attackers intercepting the data.

这是X.509证书比捆绑了一些元数据的公开密钥而已。该标准还规定了一种机制,验证证书,依靠的证书颁发机构(CA)(请参见 HTTP ://en.wikipedia.org/wiki/X.509 )。

An x.509 certificate is little more than a public key bundled with some meta-data. The standard also specifies a mechanism for validating the certificate, by relying on a certificate authority (CA) (see http://en.wikipedia.org/wiki/X.509).

该AS3Crypto库提供(除其他事项外),RSA,MD5的实现,和X.509解析器(见的 HTTP://$c$c.google.com/p/as3crypto/

The AS3Crypto library provides (amongst other things), an implementation of RSA, MD5, and an x.509 parser (see http://code.google.com/p/as3crypto/).

下面是一些code。签约过程需要计算所述数据的散列,然后用私钥签署它,以产生一个签名,例如:

Here is some code. The signing process entails computing the hash of the data, then signing it with the private key to produce a signature, eg:

var rsa:RSAKey;
var md5:MD5;
var data:ByteArray = getSWFBytes(); 
var signature:ByteArray = new ByteArray();
var originalHash:ByteArray;


// read private key
rsa = PEM.readRSAPrivateKey(private_key);

// create the checksum of the original data
md5 = new MD5();
originalHash = md5.hash(original);

// encrypt the data using the private key
rsa.sign(data, signature, original.length);

的数据和签名被发送到客户端。使用存储在证书中的公共密钥,并将其与该数据的计算的散列客户端解密签名,例如:

The data and signature are sent to the client. The client decrypts the signature using the public key stored in the cert and compare it to the computed hash of the data, eg:

var rsa:RSAKey;
var md5:MD5;
var data:ByteArray = getSWFBytes(); 
var signature:ByteArray = new ByteArray();
var decryptedHash:ByteArray = new ByteArray();
var clientHash:ByteArray;

// load the certificate
var cert:X509Certificate = new X509Certificate(public_cert);

// get the public key from the cert
rsa = cert.getPublicKey();

// decrypt the signature with the public key
rsa.verify(signature, decryptedHash, encrypted.length);

// create a hash of the data
md5 = new MD5();
clientHash = md5.hash(data);

// compare the hashes
// isEqual compares the bytes in the input byte arrays, it returns true only of all bytes in both arrays match
if (isEqual(clientHash, decryptedHash))
    trace("signature valid");
else
    trace("signature invalid")

您可以检查证书是这样签:

You can check if the certificate is signed like this:

var store:X509CertificateCollection = new MozillaRootCertificates();
var cert:X509Certificate = new X509Certificate(public_cert);
var isValid:Boolean = cert.isSigned(store, store);

您可以加载原始SWF字节是这样的:

You can load the raw SWF bytes like this:

var loader:URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.BINARY;
loader.addEventListener(Event.COMPLETE, completeHandler);
loader.load(new URLRequest(url_of_swf_to_load));

例X.509私钥(当你申请一个证书通常创建):

Example x.509 private key (usually created when you apply for a certificate):

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDoKlLzpJeLcoPYQQYPa0diM4zpZ+0rKeRxhx9ssq91DzwAeSmM
7wT03WLiLZkqPt2MS3uNo75zK5RtmjHqF6Ojfs2tbSdlCK5tpisvOAssuq0o5vIz
g/MhS2PIijnBtVB9XFSTXxhveKeIq1VgdB2wHW95+zhBF+Z1hsYcNRRFFwIDAQAB
AoGAI8wK2EhjmXvBuoFkJtJ6wjiCnKaKmiIueBbGkKMIjLsZnFUSRAnCsOLF0WwI
dswUqwIkfdVmkymADFo/IgIdF9hLGNLRskIPKGZWEUC8d5ZJnRg+nuzi2c2msN5u
/BvCCgL5/shBhO5KvrPbU/Fbs/k4saCDQZ2EO4HpueRZWGkCQQD6hC0pTfyW4yQT
Qr/dY7FhOwdOh/8ewGyXBa9ruOuZqTR23Ya20O8NuF22+NqW9AZl7uioiTZyZkOV
jqAckelrAkEA7T9QVdK+QcaQSznrZPJpXlSIDLSBRWjaPKBoypnNTF3y3JkUQE0L
iA0c2oUc8D+LCgx9vA0Ai0IzwzrIec+iBQJAJb5YV4rKbalXPBeodKCajv2nwis3
QtjXA4H1xhMcXBBkOSxzKYQdIEIQzIp91JR7ikwOfaX+sAm8UQImGWfadQJAMAb4
KVePQluDDGd+OqJEKF9uZzwHS1jNjSZf8FuwTrxaFMQ8cEPoiLM22xnFYPFMIU2k
CnSLXqWZOvVkbhxVTQJAL3xIc5AUbhsEp7ZeeJrkPRv5rCObmLw0+wIaERtMX83b
PNM0TpzY6EXk+geTCqudAipYF/A7qn38wpOh+PuuVg==
-----END RSA PRIVATE KEY-----

举例证书:

-----BEGIN CERTIFICATE-----
MIID4zCCA0ygAwIBAgIJAL7k5X3sCvniMA0GCSqGSIb3DQEBBQUAMIGoMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
FDASBgNVBAoTC2h1cmxhbnQuY29tMRcwFQYDVQQLEw5hczMgY3J5cHRvIGxpYjEY
MBYGA1UEAxMPSGVucmkgVG9yZ2VtYW5lMSgwJgYJKoZIhvcNAQkBFhloZW5yaV90
b3JnZW1hbmVAeWFob28uY29tMB4XDTA3MTEwNTA1MjUyOVoXDTA4MTEwNDA1MjUy
OVowgagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQH
EwhTYW4gSm9zZTEUMBIGA1UEChMLaHVybGFudC5jb20xFzAVBgNVBAsTDmFzMyBj
cnlwdG8gbGliMRgwFgYDVQQDEw9IZW5yaSBUb3JnZW1hbmUxKDAmBgkqhkiG9w0B
CQEWGWhlbnJpX3RvcmdlbWFuZUB5YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAOgqUvOkl4tyg9hBBg9rR2IzjOln7Ssp5HGHH2yyr3UPPAB5KYzv
BPTdYuItmSo+3YxLe42jvnMrlG2aMeoXo6N+za1tJ2UIrm2mKy84Cyy6rSjm8jOD
8yFLY8iKOcG1UH1cVJNfGG94p4irVWB0HbAdb3n7OEEX5nWGxhw1FEUXAgMBAAGj
ggERMIIBDTAdBgNVHQ4EFgQU/XyNp2QghYm3MWOU5YoUoFWcTKMwgd0GA1UdIwSB
1TCB0oAU/XyNp2QghYm3MWOU5YoUoFWcTKOhga6kgaswgagxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEUMBIGA1UE
ChMLaHVybGFudC5jb20xFzAVBgNVBAsTDmFzMyBjcnlwdG8gbGliMRgwFgYDVQQD
Ew9IZW5yaSBUb3JnZW1hbmUxKDAmBgkqhkiG9w0BCQEWGWhlbnJpX3RvcmdlbWFu
ZUB5YWhvby5jb22CCQC+5OV97Ar54jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BQUAA4GBABsXUJjiRAz+FeiVq4JMSBWeiiGcXTw+8sNv8SfWaWx3su+AgooKlBn3
nsGKf3BEDdmJCOSgY0+A5Pce9SRoAMhabHKwoLEogrtp2p8vRj2OTMjWBW7ylrxj
FvUpFdc8qFaqTtgH6+JiIYllGFlcsSV+6d9fDPaFDZEHjz5GweWJ
-----END CERTIFICATE-----

这两个例子都是从as3crypto。

Both examples were taken from as3crypto.

这篇关于codesigning SWF?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
跨浏览器开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆