I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.
Related
I have a linux command and I'm trying to figure out how to mimic it in C# to get what is expected but can't seem to get it. It has to do with hashing a url with a secret key. The linux command is (fake site and numbers just for example):
echo -n "http://example.com/deliver?id=8247653546577888776655553d323453-3h78-7y42-b3d7-8u4q111y5hr6×tamp=1556034591" | openssl dgst -sha1 -hmac "567gy324-6666-4444-fr46-2h7arwdh5555"
I don't really know what the commands mean so not sure where to even start with how to try and get this kind of call in C#.
This OpenSSL command is calculating an HMAC of the data passed to it on stdin (i.e. the output from the echo command). HMAC is a type of Message Authentication Code (MAC) and is used to verify the integrity of the message, i.e. if an attacker were to modify the message in any way then the MAC code would no longer match (it would fail to verify). HMAC combines a key with an underlying hash algorithm (SHA1 in this case) to generate the output MAC value.
The Microsoft docs provide a full example of how to perform an HMAC with SHA1 operation here:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha1?view=netframework-4.8
I want to create an encrypted XML file. Encrypted as a whole.
I have one big class, which I serialize to a string. Then I convert it to bytes (f.e in one test case it takes 1128 bytes) and I want to encrypt those bytes.
I need to have a certificate which no admin user has access to, so I created my cert like this:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -FriendlyName "XD" -NotAfter
(Get-Date).AddYears(10) -KeyAlgorithm RSA -KeyLength 2048 -Subject "test"
Then in my C# app I get to that cert by .Subject and I want to encrypt my bytes using it. The problem is, that I get the exception with bad length message, which suggest, that I want to encrypt too many bytes with RSA.
Now I know I can use AES or something else, but I need to have this key in the certificate in the store, so no one except admin user, which creates that cert has access to it. And as I've read the documentation for New-SelfSignedCertificate - it cannot create a cert with f.e AES key.
So my question here would be: Is there a way to create a cert with a particular key algorithm which would be able to encrypt at least 2-3k bytes?
RSA can only encrypt messages that are smaller than the modulus of the key pair. Some bytes should be reserved for padding, and the exact number depends on the padding scheme you are using.
In practice, asymmetric algorithms like RSA are usually used for key transport, not directly for message encryption. If you have a long message, encrypt it with AES, using a random key. Then encrypt the AES key with RSA, using the public key of the message recipient.
Standards like TLS, PGP, and S/MIME use RSA in this way.
Client is currently encrypting files using OpenSSL:
C:\openssl\bin"\openssl.exe smime -encrypt -des3 -in "%1.xml" -out "%1.xml.cip" "certificate.pem" >> D:\Log\log_encrypt.txt
if errorlevel 0 (del "%1.csv")
Now they want to do something like this:
ERP system -> Generate Payroll -> Encrypt using OpenSSL SMIME
So my first thought was to just run above bat command from ERP system. But the problem is client doesn't want to have unencrypted payroll file on disk even for a moment (although they are already doing this with other files: save unencrypted -> encrypt -> delete unencrypted). So I have to write an app that will get data directly from ERP (that's not a problem), encrypt it using OpenSSL, and save encrypted file.
I found a c# wrapper openssl-net: https://github.com/openssl-net/openssl-net
To be honest I don't know how to achieve above OpenSSL smime des3 encryption using client certificate and that wrapper. Any help please? Documentation or something?
You can create the same S/MIME encrypted result identical to the one produced from openssl.exe smime -encrypt with OpeSSL Library for .NET with the code snippet below:
DidiSoft.OpenSsl.Cms.OpenSslSmime smime = new DidiSoft.OpenSsl.Cms.OpenSslSmime();
smime.EncryptFile("Input.txt", "certificate.pem", #"encrypted.dat", CmsCipherAlgorithm.Des3);
Disclaimer: I work for DidiSoft
I have been attempting to create an SSL server that loads a certificate from a .crt. I have tried both X509Certificate.CreateFromCertFile(#".\Secure\Certificate\" + CertName + ".crt"); and the cert.import, and neither works. On both, I get an issue saying "The server mode SSL must use a certificate with the associated private key". And the key is there! My directory:
Secure/
Certificate/
ZeusHTTP.crt
ZeusHTTP.csr
ZeusHTTP.key
Plugins/
...
The certs are created with OpenSSL.
A simple read of the docs tells us that you should be using a pkcs7 file that usually has file suffix p7b. You'll need to either convert your OpenSSL cert to this format, or find a utility that can generate one from scratch.
The server mode SSL must use a certificate with the associated private key". And the key is there...
As other have stated, they must be in the same file. Here are the steps to do it.
First
Copy ZeusHTTP.crt to ZeusHTTP-chain.crt:
cp ZeusHTTP.crt ZeusHTTP-chain.crt
Second
Open ZeusHTTP-chain.crt and ensure it has all the intermediates certificates required to validate the server certificate. So you will have 2 or more certificates:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Add certificates as required. For example, if you got a free Startcom certificate, then you need to add the sub.class1.server.ca.pem intermediate from StartSSL's Index of Certs.
Sending all certificates is required to solve the "which directory" problem in PKI. Its a well known problem in PKI, and essentially it means a client does not know where to go to fetch missing intermediate certificates.
Third
Perform the following to generate a PKCS 12 file:
openssl pkcs12 -export -in ZeusHTTP-chain.crt -inkey ZeusHTTP.key -out ZeusHTTP.p12
Fourth
Finally, install the certificate on IIS as a test.
For your code, I believe you need to load it into a Certificate2 and not a Certificate.
Also see How to read a .p12 file in my web service on Stack Overflow and how to create x509 certificate and use it in sslstream on MSDN.
I'm currently trying to create a chat based on the SslStream class.
I was going through that msdn link: click here
I realized that I need to get an X509Certificate to establish that task. But I really don't know how can I get one? I know that there are ones who cost money, but there aren't free ones available?
P.S: I'm coming here after doing some search in google about that subject but haven't found any helpfull infomation.
So my question is: Where can I get an x509 certificate?
Thank you.
You can create certificates with the makecert tool.
Or, if your're only interested in encrypting the traffic, without signing it, and you control the client and the server, just use a CryptoStream.
You can generate your own, and sign it yourself, using openssl, though keep in mind if the client tries to verify it, and by client I usually mean the browser, since this is their most common use, though not the only one, they won't be able to.
I know that there are ones who cost money, but there aren't free ones available?
Basically what you are paying for is for a CA, certificate authority to sign it, as such when clients go and verify who you are with with CA it'll pass.
openssl: http://www.openssl.org/
This is the command I ussually use openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
server.pem is your certificate and server.key is your private key.
Giving that you probably already have .NET SDK installed maybe makecert is a better/eassier approach since you would need to build openssl.
Stil I went to their docs and I couldn't find how to set the key size, though apparently the default is 1028 and I think using RSA , but I did find this:
makecert -pe -ss MY -$ individual -n "CN=your name here" -len 2048 -r
from MakeCert - Is it possible to change the key size? to http://www.mazecomputer.com/sxs/help/shared.htm
openssl supports many types not just RSA but maybe you don't need them.
These guys http://www.cacert.org/ have been giving away free certificates for years.
Read through this for clarity. You can sign your public key using Symantec's Verisign service. It is definitely not cheap. For testing, you can make your own certificate using a dummy CA.