Client is currently encrypting files using OpenSSL:
C:\openssl\bin"\openssl.exe smime -encrypt -des3 -in "%1.xml" -out "%1.xml.cip" "certificate.pem" >> D:\Log\log_encrypt.txt
if errorlevel 0 (del "%1.csv")
Now they want to do something like this:
ERP system -> Generate Payroll -> Encrypt using OpenSSL SMIME
So my first thought was to just run above bat command from ERP system. But the problem is client doesn't want to have unencrypted payroll file on disk even for a moment (although they are already doing this with other files: save unencrypted -> encrypt -> delete unencrypted). So I have to write an app that will get data directly from ERP (that's not a problem), encrypt it using OpenSSL, and save encrypted file.
I found a c# wrapper openssl-net: https://github.com/openssl-net/openssl-net
To be honest I don't know how to achieve above OpenSSL smime des3 encryption using client certificate and that wrapper. Any help please? Documentation or something?
You can create the same S/MIME encrypted result identical to the one produced from openssl.exe smime -encrypt with OpeSSL Library for .NET with the code snippet below:
DidiSoft.OpenSsl.Cms.OpenSslSmime smime = new DidiSoft.OpenSsl.Cms.OpenSslSmime();
smime.EncryptFile("Input.txt", "certificate.pem", #"encrypted.dat", CmsCipherAlgorithm.Des3);
Disclaimer: I work for DidiSoft
Related
I have a linux command and I'm trying to figure out how to mimic it in C# to get what is expected but can't seem to get it. It has to do with hashing a url with a secret key. The linux command is (fake site and numbers just for example):
echo -n "http://example.com/deliver?id=8247653546577888776655553d323453-3h78-7y42-b3d7-8u4q111y5hr6×tamp=1556034591" | openssl dgst -sha1 -hmac "567gy324-6666-4444-fr46-2h7arwdh5555"
I don't really know what the commands mean so not sure where to even start with how to try and get this kind of call in C#.
This OpenSSL command is calculating an HMAC of the data passed to it on stdin (i.e. the output from the echo command). HMAC is a type of Message Authentication Code (MAC) and is used to verify the integrity of the message, i.e. if an attacker were to modify the message in any way then the MAC code would no longer match (it would fail to verify). HMAC combines a key with an underlying hash algorithm (SHA1 in this case) to generate the output MAC value.
The Microsoft docs provide a full example of how to perform an HMAC with SHA1 operation here:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha1?view=netframework-4.8
Summary: how can I generate key.pem file used for packaging google extension using c#?
As far as I know the pem file used in Google extension generated by using below code
openssl pkcs8 -topk8 -nocrypt -out key.pem
and it's pkcs8 key , I tried to use bouncycastle to generate it from RSA XML file like discriped in this post , but the final generated .pem file dose not accepted by google chrome, it's structure is correct but length of the file is almost half of the one generated by chrome browser in the packaging proccess.
the final key required by google chrome is something like below
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC0Bo/mh3bSiOiP
CUxtpa0c8IhDNJqaRDNWaKiqothEjgI7D/IU/uHacPotyedjzLFNr0cnhgguO4dQ
dNaSN+tAlgBqcexBbAl31+BEghNy+1PB189VNVSf8G+qOfF0SIKuBbb/+Q4TrvOD
XPrzulQpLcHMqRGqRE4PkT6574pKyiQGJvjeLBLEQtiobKkzoG3HOFkl9RsKae1f
Tuf8f25aVhKjoUyWp1mOfhHwdfT+76rmrz7F9X1s6M7pxigIfCiYPXHrWh02GTbj
EVLKTpVBg31JmrKErNJsv/j5P3wuSI12TCW4u1RXfahBHhi263oGCQ/2JO/Fm4+v
5wtX20x5AgMBAAECggEBAJjceZPlsp9SYSYTXzI7W6MXGpz2LdCP2IemlpFNdRXA
/2PnRkdNpbk19TisGC5FwMeV7XVB+fBH274Vd5zwnnFY7UF1OobSlbeNNoD1ck5P
2e7esM5JWnH0VtzUFpIGf/AEKj9v2uQbyenhKbWKoavVjpmZdcZ9+Up+qiR3oZWe
YiScMlYm5KL+pTD1IMZQ46DoxU17VhOVxbZoZOf+a5iAPtskjJyz12EOVldHASGz
VZkM54C+BrCTdJjOB5C7cth94D7J7nhgovBP0jz6A7WZtDpgBB6j1lFBwKSWw0U4
0LGZb/Mlb29txAoeR1YSHCe6RKuyyY3oas6fJ1kdRgECgYEA12r1nkK8fjNybMbp
No+TsWD9YDTLZrndHBMIR+GtUKWCXTpw7EwT0BCU4ATm6TiTje0ZI9kZW1tnbB4W
iCIyU8o/OeIBBbqKMLtk2iN82KFrNbIbA4IER0J441evYZTnh9NbkJks8iyATPdC
hypRiOi1V4n9CFDguGHj+IsKpLUCgYEA1fC65ASTYGhQ5iQ56G48iKV5XIBldKad
MFcaxzAA/Hp6GMywHqEiYvk/WmCakDmIK1g7Rf7LURvWTYp1nytRBzTRDvrf4ESU
WF4z5Mr6EcnqKEpqDO/tDCwUp+4BReXMrf99KXRAWYig9zjq8garYEmIznoIc02i
4Q/X1uu1RzUCgYEAxzQFxj/4hsuUeLrIVsgWz+Tc6eZoYapmqdt/wNkUqIslLoko
e5suhy2OPkrKLck/yfMDWH8eT7kKvpRkSac12v4f0asJPv7tY3snHAHNJZa/yXvW
Nzw4MJ1rpPAlIpvML3JoLiM3yQsV6haM0ulzVKO9biIQd2wzIs6DPgd15DECgYEA
lQ2vaAW4GEcVdgJvRfznt9xx/XyHMwqSIYfOZFCRn1ZFktmpKu3g40v8U59SkIFE
2c4THeUzCkN2v3dkE40+WuL1dJZdPAcLw7V+Oj0glRw0Q/X0hSbz5LMhgQ5VXLmK
LP//183it351h0jkh9MVu3QAGLr1AEBq5pr/KgH2vrECgYEAr6y3cCo/gdUi6v3Y
39B6LTcmqeKZbpqh3LzBl+I6Ke9t/TOqCZhwtuolMDkFLhZ9woGDeB1VBfV7yUW4
xyF3rE6uMSEZyD5ivku7VC2Gsz/2XuRGl8iToGXgGxzzg6HMQr6Hw36+0VFzzxSo
xn9/6PuHd1bNooOv1S3s0WVkTJw=
-----END PRIVATE KEY-----
I can send notifications to my iPhone device succeffully using Push Sharp via sandbox APNS server but I am having a problem.
I have generated .cer and .p12 files and then installed them on my windows 8 development machine successfully.
I used this tutorial to install the certificates on my windows 8 machine.
Yesterday things were working fine and I was sending the notification successfully. I shutdown my system and then next day when I try to run the code I was getting following exception:
the message was unexpected or badly formatted pushsharp
I tried different solution available on Google but nothing helped. Then I delete the certificates from my machine and then re-install them and things started to work again.
In order to make the service fool proof I shutdown the system to check if notification sending fails or not, and yes it fail again with the same exception.
I again deleted the certificates and re-install them to correct the issue. I do not know whats the actuall problem? what makes PUSHSharp to stop sending notification after shutdown.
Note: Windows firwall is disabled.
Any idea?
I have been working with PushSharp for the past few weeks and have not had this problem. My environment is Windows 7 however. After you've created the appropriate Push Notification Certificate in iPhone Developer Program Portal you should have downloaded a file named something like apn_developer_identity.cer. If you have not done so already, you should open/import this file into Keychain, into your login section.
Finally, if you filter Keychain to show your login container's Certificates, you should see your Certificate listed. Expand the certificate, and there should be a Key underneath/attached to it.
Right Click or Ctrl+Click on the appropriate Certificate and choose Export. Keychain will ask you to choose a password to export to. Pick one and remember it. You should end up with a .p12 file. You will need this file and the password you picked to use the Notification and Feedback Libraries here.
OpenSSL
Here is how to create a PKCS12 format file using open ssl, you will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest
Convert apn_developer_identity.cer (der format) to pem:
openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM}
Next, Convert p12 private key to pem (requires the input of a minimum 4 char password):
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
(Optional): If you want to remove password from the private key:
openssl rsa -out private_key_noenc.pem -in private_key.pem
Take the certificate and the key (with or without password) and create a PKCS#12 format file:
openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest??.certSigningRequest -name "apn_developer_identity" -out apn_developer_identity.p12
Once you generate the p12 file using these steps you will not really need to snap it to your console. You will just need to make changes in your code as follows:
var appleCert = File.ReadAllBytes("C:/Certificate/aps_dev_identity.p12");
Hope this helps.
I have been working on MOON APNS since 2012 and it's working fine but from last few days i am getting below error message
Error Message : System.Security.Authentication.AuthenticationException: A Call to SSPI failed, see inner exception.
System.ComponentModel.Win32Exception: The message received was
unexpected or badly formatted
Solution : in PushNotification.cs file replace
_apnsStream.AuthenticateAsClient(host, certificates, System.Security.Authentication.SslProtocols.Ssl3, false);
with
_apnsStream.AuthenticateAsClient(host, certificates, System.Security.Authentication.SslProtocols.Tls, false);
As, I didn't find any confirmation from apple side but from github.com I found solution for this and it's work for us.
It's seems that apple depricate "unsafer" protocol SSL.
Check first if you can do the notifications with C# code like this one first, then worry about the installation. I had the same message when I was trying to execute the code, I didn't care about installation, and solved it by making sure that I use a certificate of type .p12 and not .pem and to make sure that the .p12 had a password. I can now send notifications to my iPhone from a console C# app in my pc.
I'm currently trying to create a chat based on the SslStream class.
I was going through that msdn link: click here
I realized that I need to get an X509Certificate to establish that task. But I really don't know how can I get one? I know that there are ones who cost money, but there aren't free ones available?
P.S: I'm coming here after doing some search in google about that subject but haven't found any helpfull infomation.
So my question is: Where can I get an x509 certificate?
Thank you.
You can create certificates with the makecert tool.
Or, if your're only interested in encrypting the traffic, without signing it, and you control the client and the server, just use a CryptoStream.
You can generate your own, and sign it yourself, using openssl, though keep in mind if the client tries to verify it, and by client I usually mean the browser, since this is their most common use, though not the only one, they won't be able to.
I know that there are ones who cost money, but there aren't free ones available?
Basically what you are paying for is for a CA, certificate authority to sign it, as such when clients go and verify who you are with with CA it'll pass.
openssl: http://www.openssl.org/
This is the command I ussually use openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
server.pem is your certificate and server.key is your private key.
Giving that you probably already have .NET SDK installed maybe makecert is a better/eassier approach since you would need to build openssl.
Stil I went to their docs and I couldn't find how to set the key size, though apparently the default is 1028 and I think using RSA , but I did find this:
makecert -pe -ss MY -$ individual -n "CN=your name here" -len 2048 -r
from MakeCert - Is it possible to change the key size? to http://www.mazecomputer.com/sxs/help/shared.htm
openssl supports many types not just RSA but maybe you don't need them.
These guys http://www.cacert.org/ have been giving away free certificates for years.
Read through this for clarity. You can sign your public key using Symantec's Verisign service. It is definitely not cheap. For testing, you can make your own certificate using a dummy CA.
I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.