diff options
Diffstat (limited to 'files/zh-cn/web/http/public_key_pinning/index.html')
| -rw-r--r-- | files/zh-cn/web/http/public_key_pinning/index.html | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/public_key_pinning/index.html b/files/zh-cn/web/http/public_key_pinning/index.html new file mode 100644 index 0000000000..85cd9454fb --- /dev/null +++ b/files/zh-cn/web/http/public_key_pinning/index.html @@ -0,0 +1,159 @@ +--- +title: HTTP Public Key Pinning (HPKP) +slug: Web/HTTP/Public_Key_Pinning +translation_of: Web/HTTP/Public_Key_Pinning +--- +<div> +<p>HTTP公钥锁定(HPKP)是一种安全功能,它告诉Web客户端将特定加密公钥与某个Web服务器相关联,以降低使用伪造证书进行MITM攻击的风险。</p> + +<p>为确保TLS会话中使用的服务器公钥的真实性,此公钥将包装到X.509证书中,该证书通常由证书颁发机构(CA)签名。诸如浏览器之类的Web客户端信任许多这些CA,它们都可以为任意域名创建证书。如果攻击者能够攻击单个CA,则他们可以对各种TLS连接执行MITM攻击。 HPKP可以通过告知客户端哪个公钥属于某个Web服务器来规避HTTPS协议的这种威胁。</p> + +<p>HPKP是首次使用信任(TOFU)技术。 Web服务器第一次通过特殊的HTTP标头告诉客户端哪些公钥属于它,客户端会在给定的时间段内存储此信息。当客户端再次访问服务器时,它希望证书链中至少有一个证书包含一个公钥,其指纹已通过HPKP已知。如果服务器提供未知的公钥,则客户端应向用户发出警告。</p> +</div> + +<p> </p> + +<p class="note">Firefox和Chrome禁用固定主机的引脚验证,其验证的证书链终止于用户定义的信任锚(而不是内置信任锚)。 这意味着对于导入自定义根证书的用户,将忽略所有固定违规。</p> + +<h2 id="启用_HPKP">启用 HPKP</h2> + +<p>要为您的站点启用此功能,您需要在通过HTTPS访问站点时返回Public-Key-Pins HTTP标头:</p> + +<pre>Public-Key-Pins: pin-sha256="base64=="; max-age=<em>expireTime</em> [; includeSubDomains][; report-uri="<em>reportURI"</em>] +</pre> + +<dl> + <dt><code>pin-sha256</code></dt> + <dd>引用的字符串是Base64编码的主题公钥信息(SPKI)指纹。 可以为不同的公钥指定多个引脚。 某些浏览器将来可能允许使用其他哈希算法而不是SHA-256。 请参阅下文,了解如何从证书或密钥文件中提取此信息。</dd> + <dt><code>max-age</code></dt> + <dd>浏览器应记住仅使用其中一个已定义的密钥访问此站点的时间(以秒为单位)。</dd> + <dt><code>includeSubDomains</code> {{optional_inline}}</dt> + <dd>如果指定了此可选参数,则此规则也适用于所有站点的子域。</dd> + <dt><code>report-uri</code> {{optional_inline}}</dt> + <dd>如果指定了此可选参数,则会将引脚验证失败报告给给定的URL。</dd> +</dl> + +<div class="note"> +<p><strong>注意</strong> :当前规范要求包含第二个用于备份密钥的引脚,该引脚尚未在生产中使用。 这允许更改服务器的公钥,而不会破坏已经记下引脚的客户端的可访问性。 例如,当前一个密钥被泄露时,这很重要。</p> +</div> + +<h3 id="提取Base64编码的公钥信息">提取Base64编码的公钥信息</h3> + +<div class="note"> +<p><strong>注意:</strong>虽然下面的示例显示了如何在服务器证书上设置引脚,但建议将引脚放在颁发服务器证书的CA的中间证书上,以简化证书续订和轮换。</p> +</div> + +<p> </p> + +<p>首先,您需要从证书或密钥文件中提取公钥信息,并使用Base64对其进行编码。</p> + +<p>以下命令将帮助您从密钥文件,证书签名请求或证书中提取Base64编码信息。</p> + +<p> </p> + +<pre>openssl rsa -in my-rsa-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64</pre> + +<pre>openssl ec -in my-ecc-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64</pre> + +<pre>openssl req -in my-signing-request.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64</pre> + +<pre>openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64</pre> + +<p>以下命令将提取网站的Base64编码信息。</p> + +<pre>openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64</pre> + +<h3 id="HPKP_头示例">HPKP 头示例</h3> + +<pre>Public-Key-Pins: + pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; + pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; + max-age=5184000; includeSubDomains; + report-uri="<em>https://www.example.org/hpkp-report"</em></pre> + +<p>在此示例中,pin-sha256 =“cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2 + soZS7sWs =”固定服务器在生产中使用的公钥。 第二个引脚声明引脚-sha256 =“M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE =”也固定备份密钥。 max-age = 5184000告诉客户端将此信息存储两个月,根据IETF RFC,这是一个合理的时间限制。 此密钥固定也适用于所有子域,includeSubDomains声明告知。 最后,report-uri =“https://www.example.net/hpkp-report”解释了报告引脚验证失败的位置。</p> + +<h3 id="Report-Only_header">Report-Only header</h3> + +<p>Instead of using a {{HTTPHeader("Public-Key-Pins")}} header you can also use a {{HTTPHeader("Public-Key-Pins-Report-Only")}} header. This header only sends reports to the <code>report-uri</code> specified in the header and does still allow browsers to connect to the webserver even if the pinning is violated.</p> + +<h3 id="Setting_up_your_webserver_to_include_the_HPKP_header">Setting up your webserver to include the HPKP header</h3> + +<p>The concrete steps necessary to deliver the HPKP header depend on the web server you use.</p> + +<div class="note"> +<p><strong>Note:</strong> These examples use a max-age of two months and include all subdomains. It is advised to verify that this setup will work for your server.</p> +</div> + +<div class="warning"> +<p id="HPKP_has_the_potential_to_lock_out_users_for_a_long_time_if_used_incorrectly!_The_use_of_backup_certificates_andor_pinning_the_CA_certificate_is_recommend.">HPKP has the potential to lock out users for a long time if used incorrectly! The use of backup certificates and/or pinning the CA certificate is recommended.</p> +</div> + +<h4 id="Apache">Apache</h4> + +<p>Adding a line similar to the following to your webserver's config will enable HPKP on your Apache. This requires <code>mod_headers</code> enabled.</p> + +<pre>Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains" +</pre> + +<h4 id="Nginx">Nginx</h4> + +<p>Adding the following line and inserting the appropriate <code>pin-sha256="..."</code> values will enable HPKP on your nginx. This requires the <code>ngx_http_headers_module.</code></p> + +<pre>add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains' always;</pre> + +<h4 id="Lighttpd">Lighttpd</h4> + +<p>The following line with your relevant key information (pin-sha256="..." fields) will enable HPKP on lighttpd.</p> + +<pre>setenv.add-response-header = ( "Public-Key-Pins" => "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains")</pre> + +<p><strong>Note:</strong> This requires the <code>mod_setenv</code> server.module loaded which can be included by the following if not already loaded.</p> + +<pre>server.modules += ( "mod_setenv" )</pre> + +<h4 id="IIS">IIS</h4> + +<p>Add the following line to the Web.config file to send the <code>Public-Key-Pins</code> header:</p> + +<pre class="brush: xml"><system.webServer> + ... + + <httpProtocol> + <customHeaders> + <add name="Public-Key-Pins" value="pin-sha256=&quot;base64+primary==&quot;; pin-sha256=&quot;base64+backup==&quot;; max-age=5184000; includeSubDomains" /> + </customHeaders> + </httpProtocol> + + ... +</system.webServer> +</pre> + +<h2 id="Specifications">Specifications</h2> + +<table class="standard-table"> + <tbody> + <tr> + <th scope="col">Specification</th> + <th scope="col">Title</th> + </tr> + <tr> + <td>{{RFC("7469", "Public-Key-Pins", "2.1")}}</td> + <td>Public Key Pinning Extension for HTTP</td> + </tr> + </tbody> +</table> + +<h2 id="Browser_compatibility">Browser compatibility</h2> + +<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p> + +<p>{{Compat("http.headers.Public-Key-Pins")}}</p> + +<h2 id="See_also">See also</h2> + +<ul> + <li>{{HTTPHeader("Public-Key-Pins")}}</li> + <li>{{HTTPHeader("Public-Key-Pins-Report-Only")}}</li> + <li>Browser test site: <a href="https://projects.dm.id.lv/Public-Key-Pins_test">HSTS and HPKP test</a></li> +</ul> |