I am trying to generate an encrypted private/public key using the code example given here
https://docs.snowflake.com/en/user-guide/key-pair-auth.html
$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8
however it just generates an empty file. Is there something I'm missing perhaps?
Any tips would be appreciated
I am currently framing the openssl commands as a string and using the Linux system call int system(const char *command); for signing and verifying certain files.
For generating the SHA I use the command below.
openssl dgst -sha256 > test_sha256.txt
After generating test_sha256.txt, I will sign this with my CA, which gives me signature.p7s, from which I extract the CRLs (asn1parse -inform DER and dd). After combining the CRLs with my root CA, I verify using the command below.
openssl cms -verify -inform DER -in signature.p7s -binary -content test_sha256.txt -CAfile combined_CA.pem -purpose any -signer signer_file.crt
How can we achieve the same thing using the openssl library calls? Do we have separate openssl functions to achieve sign & verify?
I want to use OpenSSL or any native Linux command to grab the certificate of a SQL Server. I tried the same way as I do with an HTTP server but it doesn't work.
openssl s_client -showcerts -connect MY.MSSQL.SERVER:1433
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This gist by github user lnattrass gives a python script that is "A terrible way to connect to MS SQL Server and dump the certificate as a PEM" (his wording) in python. Yes, that's not what you asked about, you asked about OpenSSL. But one of the comments says in part
I was able to get the same results using openssl like this: openssl s_client -showcerts -connect <hostname>:<port> </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem as suggested somewhere.
(no clue where "somewhere" would have been.)
I've tried the openssl method but it failed for me:
rpresser#11MTLDEV-L11626:~$ openssl s_client -showcerts -connect mysqlserver.mydomain.com:1433 </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem
unable to load certificate
140246796931520:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Perhaps this was because the self-signed cert (see below) was not trusted? I'm really not sure.
After fixing one indentation bug, the python method worked for me:
rpresser#11MTLDEV-L11626:/mnt/c/temp$ python3 get_tds_cert.py redacted.domain.COM 1433
# get_tdspacket: 0, tdspacket len: 43
# Header: {'type': 4, 'status': 1, 'length': 43, 'channel': 0, 'packet': 1, 'window': 0}
# Remaining tdspbuf length: 0
# Starting TLS handshake loop..
# Shaking (0/5)
# get_tdspacket: 0, tdspacket len: 894
# Header: {'type': 18, 'status': 1, 'length': 894, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0
# Shaking (1/5)
# get_tdspacket: 0, tdspacket len: 67
# Header: {'type': 18, 'status': 1, 'length': 67, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0
# Handshake completed, dumping certificates
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I haven't bothered to redact the certificate because it is the SQL Server self-signed fallback, as displayed by SSLShopper Certificate Decoder
Certificate Information:
Common Name: SSL_Self_Signed_Fallback
Valid From: February 1, 2020
Valid To: February 1, 2050
Serial Number: 61cd18125c7f618145fd0d0f218113c4
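The script's log shows why a bare `openssl s_client` connection is reset: in TDS 7.x the TLS handshake records travel inside TDS packets of type 18 (PRELOGIN), each behind an 8-byte TDS header. The following is an added example, not code from the gist or from this answer; it assumes the MS-TDS header layout, borrows the field names from the log above, and uses a constructed sample record.

```python
import struct

# TDS packet types that appear in the log above (MS-TDS header "Type" field).
TDS_RESPONSE = 0x04   # 4: the server's reply to the initial PRELOGIN
TDS_PRELOGIN = 0x12   # 18: PRELOGIN, also used to carry TLS handshake records

# type, status, length (big-endian, includes header), SPID, packet id, window
HEADER = struct.Struct(">BBHHBB")
FIELDS = ("type", "status", "length", "channel", "packet", "window")

def parse_header(buf):
    """Decode an 8-byte TDS header into the dict layout printed by the script."""
    if len(buf) < HEADER.size:
        raise ValueError("short TDS header")
    return dict(zip(FIELDS, HEADER.unpack_from(buf)))

def wrap(payload, ptype=TDS_PRELOGIN, status=0x01):
    """Frame a payload (e.g. a TLS record) in one TDS packet; status 1 = end of message."""
    length = HEADER.size + len(payload)
    if length > 0xFFFF:
        raise ValueError("payload too large for one TDS packet")
    return HEADER.pack(ptype, status, length, 0, 0, 0) + payload

def unwrap(stream):
    """Split a byte stream into (header, payload) pairs; reject truncated packets."""
    out, off = [], 0
    while off < len(stream):
        hdr = parse_header(stream[off:])
        end = off + hdr["length"]
        if hdr["length"] < HEADER.size or end > len(stream):
            raise ValueError("truncated or malformed TDS packet")
        out.append((hdr, stream[off + HEADER.size:end]))
        off = end
    return out

def looks_like_tls_handshake(data):
    """True if data starts with a TLS record header of content type 22 (handshake)."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03

# Constructed sample: a TLS record header plus 4 filler bytes, not a real ClientHello.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x04]) + b"\x00" * 4

def demo():
    framed = wrap(SAMPLE_TLS)
    raw_first = looks_like_tls_handshake(SAMPLE_TLS)  # what s_client puts on the wire
    tds_first = looks_like_tls_handshake(framed)      # what a TDS client puts on the wire
    hdr, payload = unwrap(framed)[0]
    return raw_first, tds_first, hdr, payload
```

A tool that only speaks raw TLS sends bytes starting with 0x16, while the server parses the first byte as a TDS packet type, so certificate retrieval needs a client that does this framing.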
Inspired by the https://gist.github.com/lnattrass/a4a91dbf439fc1719d69f7865c1b1791 with help from https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/1ef08b76-1594-40cf-8ce0-d2407133dd3d
Similar implementation in groovy (java 11) which returns certificate chain from sql server:
groovy sqlserver-cert.groovy <host> <port>
After looking for openssl solutions without success and fighting with the python script without success too (both the initial and the fixed versions threw an error), I resorted to using nmap. In this case it was quite easy:
nmap -v --script=ssl-cert -p 1433 server.example.com
In the output there should be a certificate such as this (selfsigned cert), you should be able to clean the formatting and use it where you need.
| SHA-1: dba1 14a3 d2c7 9410 0a7a bb8d d08e e1a0 d6a1 9e87
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
Previously I was using RSA signature with no padding, but now I was asked to add PKCS1_OAEP padding. Initially I tried simply adding this flag "RSA_PKCS1_OAEP_PADDING", but it is giving an error code while running, like this:
error:04066076:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:unknown padding type
Further, I googled about RSA signatures with PKCS1_OAEP padding but didn't get anything, except that it is said that for implementing RSA_PKCS1_OAEP padding you have to use this one:
int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
unsigned char *f, int fl, unsigned char *p, int pl);
and then do private_encrypt with RSA_NO_padding, but I am still confused, as they have not explained clearly how to use this padding_add function explicitly. Can anyone provide help? I would really appreciate that.
thanks in advance
According to RFC 3447, the OAEP padding scheme can be used only with the encryption operation and therefore it cannot be used with signatures. If the standard RSASSA-PKCS1-v1_5 scheme is not good enough for you, I believe you should use RSASSA-PSS, which is recommended for new applications and has characteristics similar to the OAEP scheme. See RFC 3447 for more details.
You can easily check out that my answer is correct with command line OpenSSL tool:
Generate private key:
openssl genrsa -out private.key 2048
Generate some input data:
echo "Hello world" > input.data
Try to generate signature with OAEP scheme:
openssl rsautl -sign -oaep -inkey private.key -in input.data -out output.data
RSA operation error
139655304349344:error:04066076:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:unknown padding type:rsa_eay.c:389:
Try to encrypt data with OAEP scheme:
openssl rsautl -encrypt -oaep -inkey private.key -in input.data -out output.data
You can also take a look at "rsautl" module source code if you need more information but remember that RFC 3347 is your friend :)
I am experimenting with using libtomcrypt to do RSA-2048 bit encryption. My current objective is to import a public key from a file. This file was generated using OpenSSL with the command:
$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem
So I believe my public key is in PKCS#1 padding and in OpenSSL's PEM format.
I believe the function I need to use is rsa_import(), but that takes an in buffer, a length, and outputs an rsa_key pointer. Just to be clear, I believe what I need to do is as follows:
Read in the contents of public.pem to a buffer
Toss out the Header and Footers containing "Begin Public Key" etc.
Decode data from base64.
Pass in resulting data to rsa_import.
Is this correct? Can anyone who has used libtomcrypt for this purpose comment on this? Thanks.
So, upon digging into the source of rsa_import(), I figured out pretty quickly that it was expecting the key to be in DER format. Since I had access to the private key, I just made a DER file using this openssl command:
openssl rsa -in private.pem -outform DER -pubout -out public.der
Notably the argument for -outform is now DER rather than PEM. After this, I just read the file contents into a char buffer, then passed that in as the main argument for rsa_import. After that rsa_import made the key no problem and I was able to encrypt/decrypt from there.