I'm trying to read the PKCS#12 file and extract private key programmatically in C. I've found here solution, but this program automatically decrypts my private key and checks only the PKCS#12 file password. Is there any way to also verify the private key passphrase?
Related
If a user have 2 pairs of public and private key, how can the server that has the public keys know which one to use? The server should encrypt the message using the public key to that private key, however how does it know?
No. SSH does not do Encrypt&Decrypt, but Sign&Verify sequence.
The server sends some data, client signs them using its private key and server can verify the data using all of the public keys it has stored in authorized_keys file.
But in real world, there is optional phase before doing all the above. The client sends also the public keys to match correct public part on the server.
OpenSSL's rsautl allows signing with a private key. This is without a hash. Then recovering the signed file with a public key.
I've looked at CryptCreateHash/CryptSignHash/CryptHashData but I'm not sure how to do it. I believe those functions will only sign the hash of the data, not the data itself.
Is there any way I can sign with the private key and no hash involved?
Edit: Made necessary changes from jww's recommendations.
I need to create a SAML2 assertion for a business partner we work with, who now requires a SAML2 SSO. We would be the identity provider.
They sent us their Public Key. We created a public key and sent ours to them. During the creation step, we had the option to exclude the private key and we did so.
I am not sure which combination of keys, and which form of the key (public or private), is used in the signing phase. What do we do with their public key? What do we do with our public and private keys? Do I have to create another version of our key that includes the private key?
Would someone care to offer a simple step by step explanation of a generic signing process, making clear which form of the key is used, and when?
First off. You do not give your private key to another entity. The whole point of the private-public key system is that you dont need to share you private key.
Signing is done with your private key and verified using your public key.
Encryption is down using theirs public key and is decrypted using their private key.
I have generated a self signed certificate using the CertCreateSelfSignCertificate function. This yields a PCCERT_CONTEXT.
How can I export the certificate stored in the PCCERT_CONTEXT variable with only the public key? I want to do this, to send it to other parties in the network, so these are able to encrypt messages using the public key.
I thought this was a straight forward option, but it isnt.
No need for a pfx.
The certificate is present inside the structure CERT_CONTEXT : just save the content of the buffer pointed by the member pbCertEncoded and whose length is the value of the member cbCertEncoded.
Moreover, the public key from this certificate is directly present in the CERT_CONTEXT structure : pCertInfo->SubjectPublicKeyInfo. For example, you can import it using CryptImportPublicKeyInfo and then call CryptEncrypt to encrypt data.
With these two options, you have all what is needed to start encrypting messages. Of course, the private key must be kept safe to be able to decrypt encrypted data.
Looks like you will need to first put the certificate into a certificate store and then export it using PFXExportCertStoreEx passing dwFlags of 0 (i.e. not setting EXPORT_PRIVATE_KEYS).
P.S. nothing is ever straight forward when dealing with cryptography libraries, be it CryptAPI, JSSE, OpenSSL... it's always a nightmare.
Are the exported private keys gotten by executing gpg --export-secret-keys still encrypted and protected by their passphrase? This seems to be the case but I can't find anywhere that explicitly confirms this.
If the exported keys are still encrypted then is there anyway to get the pure, unencrypted private key (like you can for the public segment)?
Exported secret keys are encrypted by default, however --export-options export-reset-subkey-passwd will produce an unprotected export:
When using the --export-secret-subkeys command, this option resets the passphrases for all exported subkeys to empty. This is useful when the exported subkey is to be used on an unattended machine where a passphrase doesn't necessarily make sense. Defaults to no.
Are exported secret keys still protected by their passphrase? You could find the answer to this so easily by exporting and then importing a secret key.
GnuPG has no simple way to export a private key in the way you describe. I can only hope you have a good reason for wanting to do this, and that you're aware of how dangerous it is to let the bits and bytes of an unprotected private key touch a disk. That said, the only option I see is to remove the passphrase before exporting...
gpg --edit-key KEYID
> passwd
> *(Press Enter twice, i.e., use a blank passphrase)*
> save
PS: This should be moved to Superuser; it's off-topic here.
Yes secret keys are encrypted after exporting. Once you've imported the private key file via the following command:
gpg --import <name of your private key>.pgp
It will prompt you to enter the correct passphrase (same passphrase used to create the private key in the first place).