webrtcx509certificateclient-certificatesself-signeddtls

Not sure if self-signed ECDSA certificate generated programmatically complies for use with WebRTC and if fingerprint computation is correct


As should be clear, I am a newbie to certificates and cryptography in general.

I am trying to generate self-signed certificates programmatically for use with WebRTC in the implementation of a SFU. The RFC at Section 4.9, on the subject of certificates used for WebRTC, states:

The following values MUST be supported by a user agent: { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" }, and { name: "ECDSA", namedCurve: "P-256" }.

After creating an ECDSA cert programmatically in C and saving it, I run the following command on the certificate file created:

  openssl x509 -in /tmp/ecdsa_certificate -text  #Linux command-line

I get the output:

  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number: 1 (0x1)
          Signature Algorithm: ecdsa-with-SHA256
          Issuer: C = IN, O = XYZ Tech., CN = localhost
          Validity
              Not Before: Jun 23 17:28:14 2020 GMT
              Not After : Jun 23 17:28:14 2021 GMT
          Subject: C = IN, O = XYZ Tech., CN = localhost
          Subject Public Key Info:
              Public Key Algorithm: id-ecPublicKey
                  Public-Key: (256 bit)
                  pub:
                      04:d9:c8:cc:93:13:54:3d:e6:40:d7:2f:33:da:f2:
                      d4:e4:62:83:a4:ec:ad:98:f5:d5:2e:cf:3b:e8:5f:
                      ad:da:b9:e0:59:f0:19:59:84:b8:47:45:b4:21:56:
                      30:c8:1d:0b:9b:2d:02:e2:f5:4d:c7:57:2e:e6:a6:
                      f9:c4:c4:a7:5c
                  ASN1 OID: secp256k1
      Signature Algorithm: ecdsa-with-SHA256
           30:44:02:20:58:0a:49:7d:e3:0f:d7:56:6a:5c:af:f8:bd:1d:
           5e:54:bb:15:10:ec:05:3a:3a:db:79:8f:e6:70:86:6d:3d:f1:
           02:20:4f:89:5f:df:21:46:1b:da:6b:40:04:98:2c:df:35:ff:
           e5:3d:52:d5:07:76:bf:23:a4:01:b7:28:bf:f5:83:30
  -----BEGIN CERTIFICATE-----
  MIIBTTCB9QIBATAKBggqhkjOPQQDAjA1MQswCQYDVQQGEwJJTjESMBAGA1UECgwJ
  WFlaIFRlY2guMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNjIzMTcyODE0WhcN
  MjEwNjIzMTcyODE0WjA1MQswCQYDVQQGEwJJTjESMBAGA1UECgwJWFlaIFRlY2gu
  MRIwEAYDVQQDDAlsb2NhbGhvc3QwVjAQBgcqhkjOPQIBBgUrgQQACgNCAATZyMyT
  E1Q95kDXLzPa8tTkYoOk7K2Y9dUuzzvoX63aueBZ8BlZhLhHRbQhVjDIHQubLQLi
  9U3HVy7mpvnExKdcMAoGCCqGSM49BAMCA0cAMEQCIFgKSX3jD9dWalyv+L0dXlS7
  FRDsBTo623mP5nCGbT3xAiBPiV/fIUYb2mtABJgs3zX/5T1S1Qd2vyOkAbcov/WD
  MA==
  -----END CERTIFICATE-----

Does this certificate comply with the requirements of WebRTC for DTLS handshaking. It appears that only the public key and the fingerprint of the certificate matters for WebRTC usage.

Question 2: I tried to compute the fingerprint over the certificate using the following function:

   if (X509_digest(certificate, EVP_sha256(), rfingerprint, &fingerprintSize) !=0 )
      printf("Error in X509_digest\n");
   printf("finger print size is %d\n", fingerprintSize);

It displays a fingerprint size of only 7! In most of the SDPs I see that the fingerprint attribute is a lot longer. Any comments?


Solution

  • When working on Pion I was in the same boat as you asinix :) This is what I use to generate locally when testing WebRTC stuff.

      openssl ecparam -out key.pem -name prime256v1 -genkey
      openssl req -new -sha256 -key key.pem -out server.csr
      openssl x509 -req -sha256 -days 365 -in server.csr -signkey key.pem -out cert.pem
    

    If you get stuck you can also do RSA! Maybe just to unblock you on building your MVP :)

    The implementation is Pure Go now, but you can see the first version where we did CGO here

    I am not sure where your stuff differs, but feel free to copy/compare (no attribution needed)!