I am reconstructing X509 certificates in OpenSSL from a custom format. Is there a clean way to put an existing signature into a certificate instead of signing from a private key (using X509_sign())?
I'd like to avoid dirty solutions like memcpy and use only the OpenSSL API. The next goal is to call it from Python.
I noticed a few extra APIs like X509_sign_ctx() and X509_REQ_sign(). Is it possible to pass an existing signature within the context with X509_sign_ctx()? Maybe another option would be to generate a response to the certificate signing request that is then passed to X509_REQ_sign().
I want to use some API data to build a front-end app in AngularJS 1. For that I have to decrypt the data first using AES128 and use it, then send encrypted data to the API. I can use crypto.js for that task, but then the key will be visible to anyone.
Is there any secure way of doing this?
Thanks
For that you need to use angular-crypto.js. For more information, please refer to this GitHub repository...encryption and decryption
Here is what we can use:
You have to modify the API so that it will generate a pair of keys: a public key and a private key. This public key will be given to the Angular code, which will be able to encrypt using this public key. The encrypted data will be sent to the API, where it will use the private key to decrypt it. This is the most secure way to do it, as the encrypted data cannot be decrypted without the secret private key.
There are some more ways to enhance security, such as using hash functions and digital signatures.
When I register a callback using SSL_CTX_set_cert_verify_callback, I get the callback. The ctx contains the cert, but I can't seem to find the whole cert chain sent by the client. Does anyone know which field in the ctx would have it, or how I can retrieve it so that I can do the full validation?
SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, NULL);
Thanks...
The verify callback for client certificates works the same way as the callback for the server certificates, i.e.
OpenSSL will build the chain based on what the client has sent and what the server knows as local CA path.
For each part of the chain the verification callback will be called. This means that the callback will be called for local certificates which are part of the trust chain even if the client has not sent them. And the callback will not be called for certificates which are not part of the chain even if the client has sent them.
Whether the client will send chain certificates depends on the client. But there is nothing in the standard which makes this impossible, and openssl s_client -cert leaf.pem -CAfile chain.pem ... can be used to make the client send both leaf and chain certificates.
The chain of certs sent by the client is stored in the ctx->untrusted structure which is a stack of certs considered 'untrusted' because it is not part of the trust store. You don't really need to access this chain because openssl will automatically use it while performing the certificate chain validation process. In fact, I would be careful modifying this, since it could have unintended consequences. Refer to this thread on the openssl forum which cautions against changing the struct.
I am stuck trying to retrieve the key_block generated after the SSL handshake. I implemented a simple Client.cpp/Server.cpp program that is working well for exchanging encrypted data.
I would like to retrieve the key_block because I want to re-use it and perform my own encryption in another communication, but without having another handshake again.
I tried:
ssl->s3->tmp.key_block
but it retrieves an empty string (?!) and of course
ssl->s3->tmp.key_block_length
retrieves a value of 0.
I call these methods just after SSL_accept(ssl) succeeds.
Once I've been able to catch this key_block, I'll need to find the encryption function used by SSL_write(...)
Hope you hear me, because the openSSL doc seems encrypted to my eyes.. =)
XY problem. You don't need this. Just open another SSL connection to the same target and it should re-use the same SSL session and therefore the same session master secret. Maybe even the same session key, but what do you care, as long as it's secure? You seem to be just trying to avoid a second full SSL handshake, but you can do that by suitable configuration at the client.
I need to create a PKCS7 signature for some data using my Python app running on Google App Engine (GAE). More specifically, I am trying to create a PKCS7 signature of an Apple Passbook pass manifest; the Passbook pass requires the PKCS7 signature file to be present in order to be a complete and valid pass.
I have spent almost a week researching and trying to no avail.
I can successfully create the signature using openssl command line on my local PC with:
openssl smime -binary -sign -certfile WWDR.pem -signer certificate.pem -inkey key.pem -in manifest.json -out signature -outform DER
I can also successfully create the signature using M2Crypto library on my local PC with:
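from M2Crypto import BIO, SMIME, X509
# Load the manifest to be signed into a memory BIO
bio_manifest = BIO.MemoryBuffer(open('manifest.json', 'rb').read())
s = SMIME.SMIME()
s.load_key('identity.pem') # my certificate and private key
x509 = X509.load_cert('WWDR.pem') # Apple's intermediate certificate
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Detached, binary signature over the manifest
p7 = s.sign(bio_manifest, SMIME.PKCS7_DETACHED | SMIME.PKCS7_BINARY)
pkcs7_buffer = BIO.MemoryBuffer()
p7.write_der(pkcs7_buffer)
# DER output is binary, so open the file in binary mode
f = open('signature', 'wb')
f.write(pkcs7_buffer.read())
f.close()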
However, M2Crypto is a wrapper to OpenSSL which is not supported on GAE.
GAE supports the pycrypto library, but it doesn't seem this library has support for PKCS7 signing.
I've also looked at tlslite, which is a pure python implementation and therefore should be supported on GAE, but it also doesn't seem to have support for PKCS7 signing.
I'm looking for guidance from anyone that has been able to successfully create a PKCS7 signature on GAE. If you could point me to a pure python library or any other solution, I'd really appreciate it.
Otherwise, I feel like I've reached the boundary of what is possible with GAE and will be looking to move my app to another platform. I'm a bit flabbergasted that it has been this difficult and that GAE doesn't support the openssl library given the importance of data security; it appears they aren't serious about providing a web app service that offers support for anything beyond the basics. Unless (hopefully) I've missed the obvious.
Thanks for any help!
I have a problem with key pairs and certificates generated in a token using CSP or PKCS, and I must distinguish between them, so I want to know:
"How to check whether a certificate and key pair were created by CSP or PKCS?"
You should check their respective API as the first step.
For PKCS, you should read the PKCS11 standard as mentioned on: http://www.rsa.com/rsalabs/node.asp?id=2133
This API interface will contain the method to check on the certificate.
Take note that in general, CSP is used only by Microsoft products, while PKCS is used by the other software vendors.