I just got my hands on Cryptography the first time. I have a few questions, espacially about sharing a public Key between two programs:
I have two different applications.
One is coded in C++ and running on a Linux Ubuntu Server. The other one is coded in C# and running on my local Windwos 7 Home-PC.
The two applications connect over TCP and I want to create a secure connection between them. I decided to use the RSA-Algorithm.
I created a Key-Pair on the Serverside and hard-coded them into the C++ application. The Public-Key of the server is also hardcoded into the C# application. Now, when the C# Application (Client) connects to the C++ application (Server), it should generate a personal Key-Pair and send the Public-Key to the server. From here on both sides can encrypt their data and send it to each other.
My problem is that I can't bring the Public-Keys to the "same layout". On the serverside I have to use the OpenSSL-Library since C++ does not come with a inbuilt RSA-Library. So the Key-Pair looks like this (example):
$ openssl genrsa -out private_key.pem 2048
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA0DTV2eG8BrhPVWgrqR1PhI5BwLCsuAiBCCDmSShaOsh1uKFW
j7lgBGWyGT77X55DAgXwvjNg+odDfili71poeH/f5/1kCTTC6FFoV6inY0nAcOZ3
...
...
...
...
mxTUFS1Q+vPsmoPCN+C5bP+zv415usUg1Mx8sSly5IS0IQzp2kR8EekhqKLQb06p
2qZfVCuGEXzT+NoT10SOGtZ2+izb+EZM/yRkJFUQS2YwpwPmcZGbAUg=
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DTV2eG8BrhPVWgrqR1P
...
...
...
eH/f5/1kCTTC6FFoV6inY0nAcOZ3Ang1/fywxz5GVm430GuAqloZqNo/iwMZtHcU
aQIDAQAB
-----END PUBLIC KEY-----
And when I create a Key-Pair in C#, it is in XML-Format:
<RSAKeyValue>
<Modulus>w0tU2IBTdZkLB3G9sze92KR67hM3qdbnYCujrp/GflJ/EMgP1dQxTuHOueq+3DzZnUZDVtYic2QDAdJDVDqRiIFbff7+l5IE24kcgIJSN6vJdnSVAVbSzfyZkftsd4faYx055ZYSH3N4Ev52QepgXVKz7G3S+n2xslzFs09SDOVKiUvmXQEG4CsRef4uB1Kk2ElrZBBpuU3G/V4gNpGkQ/TuPbizQL/Oao3HNhxnCsqxzOOCmNoPSiCesWSWpoPTJrBm2jfX5nDJi+l5u3dYrRLpT8h844Y2yplCeDe4M3/maee3d+0+7Ul7m7H73o9nI+cBLWPOy6IYxPMl/kaJxw==</Modulus>
<Exponent>AQAB</Exponent>
<P>4NcTOPdRa05QZy7wKRO6wIYA+tKlc4KkrAMy//xkupYyuTpnt8Zt0B0nsltaOenpJSGMOJOb1VfCH+2R6ol8xNr3yyzz2izHGzNdQAk7V2ant3TIjdUiHS9h8ftTjiANPFO1XZlUyeXQiqe3Qzrjubv8J51Nmk7TssH2fheqrAE=</P>
<Q>3lwFj3P8NLJVWRBEpPDJdjRRF4Qz7SNxthRdtvoifUtcMXw3UDnzsEDZ7A736vUUaaZArjAzO+x3arDaAJfQQk354ushwWw6MGoM0CudfCeUrxy9hi5afnxueWFbhJ+/k9nwPxn9EBBrqfYhNZbGW9vz6ZfHLUX95a5M2+9+1cc=</Q>
<DP>vC0FV44WRJrczB8KvTZX/L2qoEIgWxaiP5zF2F0i6M7AUSpCmBqo2Z8tFCdE0meky4DSXJ+dsuaqABLTJto+5HrnHNLYnGcRlQBeMTQIyFOQVwiUubABxy9a6C2Sdsb4jN76UgX8YqXG7eUEim4FHfPpTDZpNpZ2s4uGg23HWAE=</DP>
<DQ>eER/gWqzc/Es9oI1Dp1p6fQ8FCMeTtoH6/qyAYDjXK+BCwbriAoAQ0mgVOx3rW6nfsk8XLqXS4cHw/4pu35hVyuDx/dzh4G5K2yAx6t/f6KM6fX6kHPL4HP+8Mn2zRH2dcrABfFRjfnDseb9aVXGrfKWx7afNV6RCESxL5gnGws=</DQ>
<InverseQ>wlndxTYxYmAo0+BcyJjVri6Iui/l5p+AGUi6xglmI8HHE3itgyCjfyfsKmsphH88uYYu/qdA80PTIKLdxo7HbUhOiT7f2vtBsCFzo7oB9kTDWrJ70xsQss4jkJGY8rJj4K7Dqwqa6s78ih1heeQhCJuevg8xiEUoqHOx5FtlQ4w=</InverseQ>
<D>NlIczn+bN0mTdMWhY1ks2Daf7tqvj/EzuF9LDwZoGrjtmQhcxzhXYr6SVspBvla6nPFvR5cWTAxUfcwzaBlGY7a/cSNdQ2GdMkdIA0K8hbmltuokjBPPXPZW7PEHMZQ7HXiCoyaD8fWXP4lB8YG0viCD5U6C8aPGqnr9jquQgf9EwXxEZvdktOWLO5PJvd4XaQRk47UcNBkjWnwxO1vq28/OSWTNaoEQqpLNwimHEFHl3MN2IuME1zV4MvKyGsKsKO9EytLk/RD28UDFZGlxU6uNAEjOjQp++CgbFRCEHNOCas5kTa1/fuxVg8RdnFeowAq2otWwhwGlwGiJjjmoAQ==</D>
</RSAKeyValue>
Finally, my questions:
Is "----- BEGIN RSA PRIVATE KEY -----" etc. actually a part of the Key? I'm pretty sure it's not, but I'm better making sure. The confusing thing is that when I leave this text in the key and encrypt/decrypt on the C++ application, it works (with OpenSSL lib).
How can I bring the keys to the same structure so I can send them from one application to another and parse them correctly?
Thank you very much for your help!
Related
Summary: how can I generate key.pem file used for packaging google extension using c#?
As far as I know the pem file used in Google extension generated by using below code
openssl pkcs8 -topk8 -nocrypt -out key.pem
and it's pkcs8 key , I tried to use bouncycastle to generate it from RSA XML file like discriped in this post , but the final generated .pem file dose not accepted by google chrome, it's structure is correct but length of the file is almost half of the one generated by chrome browser in the packaging proccess.
the final key required by google chrome is something like below
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC0Bo/mh3bSiOiP
CUxtpa0c8IhDNJqaRDNWaKiqothEjgI7D/IU/uHacPotyedjzLFNr0cnhgguO4dQ
dNaSN+tAlgBqcexBbAl31+BEghNy+1PB189VNVSf8G+qOfF0SIKuBbb/+Q4TrvOD
XPrzulQpLcHMqRGqRE4PkT6574pKyiQGJvjeLBLEQtiobKkzoG3HOFkl9RsKae1f
Tuf8f25aVhKjoUyWp1mOfhHwdfT+76rmrz7F9X1s6M7pxigIfCiYPXHrWh02GTbj
EVLKTpVBg31JmrKErNJsv/j5P3wuSI12TCW4u1RXfahBHhi263oGCQ/2JO/Fm4+v
5wtX20x5AgMBAAECggEBAJjceZPlsp9SYSYTXzI7W6MXGpz2LdCP2IemlpFNdRXA
/2PnRkdNpbk19TisGC5FwMeV7XVB+fBH274Vd5zwnnFY7UF1OobSlbeNNoD1ck5P
2e7esM5JWnH0VtzUFpIGf/AEKj9v2uQbyenhKbWKoavVjpmZdcZ9+Up+qiR3oZWe
YiScMlYm5KL+pTD1IMZQ46DoxU17VhOVxbZoZOf+a5iAPtskjJyz12EOVldHASGz
VZkM54C+BrCTdJjOB5C7cth94D7J7nhgovBP0jz6A7WZtDpgBB6j1lFBwKSWw0U4
0LGZb/Mlb29txAoeR1YSHCe6RKuyyY3oas6fJ1kdRgECgYEA12r1nkK8fjNybMbp
No+TsWD9YDTLZrndHBMIR+GtUKWCXTpw7EwT0BCU4ATm6TiTje0ZI9kZW1tnbB4W
iCIyU8o/OeIBBbqKMLtk2iN82KFrNbIbA4IER0J441evYZTnh9NbkJks8iyATPdC
hypRiOi1V4n9CFDguGHj+IsKpLUCgYEA1fC65ASTYGhQ5iQ56G48iKV5XIBldKad
MFcaxzAA/Hp6GMywHqEiYvk/WmCakDmIK1g7Rf7LURvWTYp1nytRBzTRDvrf4ESU
WF4z5Mr6EcnqKEpqDO/tDCwUp+4BReXMrf99KXRAWYig9zjq8garYEmIznoIc02i
4Q/X1uu1RzUCgYEAxzQFxj/4hsuUeLrIVsgWz+Tc6eZoYapmqdt/wNkUqIslLoko
e5suhy2OPkrKLck/yfMDWH8eT7kKvpRkSac12v4f0asJPv7tY3snHAHNJZa/yXvW
Nzw4MJ1rpPAlIpvML3JoLiM3yQsV6haM0ulzVKO9biIQd2wzIs6DPgd15DECgYEA
lQ2vaAW4GEcVdgJvRfznt9xx/XyHMwqSIYfOZFCRn1ZFktmpKu3g40v8U59SkIFE
2c4THeUzCkN2v3dkE40+WuL1dJZdPAcLw7V+Oj0glRw0Q/X0hSbz5LMhgQ5VXLmK
LP//183it351h0jkh9MVu3QAGLr1AEBq5pr/KgH2vrECgYEAr6y3cCo/gdUi6v3Y
39B6LTcmqeKZbpqh3LzBl+I6Ke9t/TOqCZhwtuolMDkFLhZ9woGDeB1VBfV7yUW4
xyF3rE6uMSEZyD5ivku7VC2Gsz/2XuRGl8iToGXgGxzzg6HMQr6Hw36+0VFzzxSo
xn9/6PuHd1bNooOv1S3s0WVkTJw=
-----END PRIVATE KEY-----
I have been attempting to create an SSL server that loads a certificate from a .crt. I have tried both X509Certificate.CreateFromCertFile(#".\Secure\Certificate\" + CertName + ".crt"); and the cert.import, and neither works. On both, I get an issue saying "The server mode SSL must use a certificate with the associated private key". And the key is there! My directory:
Secure/
Certificate/
ZeusHTTP.crt
ZeusHTTP.csr
ZeusHTTP.key
Plugins/
...
The certs are created with OpenSSL.
A simple read of the docs tells us that you should be using a pkcs7 file that usually has file suffix p7b. You'll need to either convert your OpenSSL cert to this format, or find a utility that can generate one from scratch.
The server mode SSL must use a certificate with the associated private key". And the key is there...
As other have stated, they must be in the same file. Here are the steps to do it.
First
Copy ZeusHTTP.crt to ZeusHTTP-chain.crt:
cp ZeusHTTP.crt ZeusHTTP-chain.crt
Second
Open ZeusHTTP-chain.crt and ensure it has all the intermediates certificates required to validate the server certificate. So you will have 2 or more certificates:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Add certificates as required. For example, if you got a free Startcom certificate, then you need to add the sub.class1.server.ca.pem intermediate from StartSSL's Index of Certs.
Sending all certificates is required to solve the "which directory" problem in PKI. Its a well known problem in PKI, and essentially it means a client does not know where to go to fetch missing intermediate certificates.
Third
Perform the following to generate a PKCS 12 file:
openssl pkcs12 -export -in ZeusHTTP-chain.crt -inkey ZeusHTTP.key -out ZeusHTTP.p12
Fourth
Finally, install the certificate on IIS as a test.
For your code, I believe you need to load it into a Certificate2 and not a Certificate.
Also see How to read a .p12 file in my web service on Stack Overflow and how to create x509 certificate and use it in sslstream on MSDN.
I'm trying to figure out the message from a PgP public key, ie so I know with what I private key can decrypt the message.
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.7.4114.6375
....
-----END PGP MESSAGE-----
But I found the solutions were for the Java version. See: http://heli0s.darktech.org/?p=433
The C# version don't have "PGPPublicKeyRingCollection". Maybe someone has a tip for me? Or is the only way to work with try and catch?
Dany
I am attempting to use X509Certificate2 and RSACryptoServiceProvider together with PHP OpenSSL commands to implement two-way mutual security.
It all seems to be fine sending a message from PHP to C#, RSACryptoServiceProvider on the .NET server can decrypt the message using it's own private key and verify the signature using the PHP server's public key.
But going the other way, .NET to PHP, is causing trouble using 'openssl_public_decrypt' to verify the signature of the .NET server. It just returns false. 'openssl_private_decrypt' works fine to decrypt the encrypted data with the PHP server's private key.
I created the RSA (2048)self-signed certificates for both servers using openssl (.key and .crt) and then created a .pfx to use as private key in .NET code.
I am wondering what is the problem here. I am using the default settings for the encryption/decryption on both the .NET and PHP servers. Are the encryption/decryption mechanisms not the same on the case when you have encrypted something with a .pfx? Or does openssl_public_decrypt expect a different encryption from what RSACryptoServiceProvider gives you?
Any help would be great, as I'm not really sure where the issue lies.
openssl_public_decrypt is pretty anal about the format of the public key and doesn't support as many padding schemes as openssl_private_decrypt does.
My recommendation: Use phpseclib, a pure PHP RSA implementation. An example:
<?php
include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
$rsa->loadKey('...'); // public key
$plaintext = '...';
$rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
$ciphertext = $rsa->encrypt($plaintext);
$rsa->loadKey('...'); // private key
echo $rsa->decrypt($ciphertext);
?>
It supports a ton more key formats than OpenSSL does, from XML Signature formatted keys, to PuTTY keys, etc.
I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.