I use the following command line to generate the ECDSA signature in Linux. In Linux, you can use the command line to verify the signature. This is no problem
In Windows, the same command line can also be signed and verified successfully
openssl ecparam -name secp192k1 -genkey -out ec.key
openssl ec -in ec.key -pubout -out ec.pubkey
openssl dgst -sha1 -sign ec.key -out ec.sig content.txt
openssl dgst -sha1 -verify ec.pubkey -signature ec.sig content.txt
But here's the thing.
I put all files generated in Linux into Windows, and then use the command line to verify the signature, the result is an error, why?
content.txt, Linux generates content that ends in a byte 0x0a, but Windows creates content that doesn't end in a byte 0x0A. So, in fact, Linux and Windows sign different content, so Windows verifies that Linux doesn't sign it correctly
Related
Which programme or command do you use to extract the public key from a p12 protected with a password? I am trying with the command hydrabut i think it only works along networks
You can use openssl to check, convert etc. a p12 file.
E.g.:
openssl pkcs12 -info -in example.p12
or
openssl pkcs12 -in example.p12 -out example.pem -nodes
etc.
You can make openssl read the password from a file or stdin. E.g.:
openssl [...] -pass stdin
See man page for openssl for more ideas.
I signed an encrypted file (org-enc-file.txt) with the following command:
# openssl dgst -sha1 -sign priv.pem org-enc-file.txt > file.txt.sig
The signed file was sent to a System B that has all(public key) elements to verify and decrypt the file(file.txt.sig).
in the external system I used this command :
openssl dgst -sha1 -verify public.pem -signature file.txt.sig org-enc-file.txt
It says that verification OK only when the original encrypted file (org-enc-file.txt) is used as the last parameter of the command.
why the command openssl dgst -sha1 -verify needs the original file , is it always mandatory to send the original file with the signed file ?
The signature you create with the command
# openssl dgst -sha1 -sign priv.pem org-enc-file.txt > file.txt.sig
only contains the signature, not the content of the original file you signed with. So when verifying the signature, you need the original file as well.
I would like to use the Mobile Push Gateway to send push messages when my app is in the background. I followed this tutorial and almost done it, but i can't convert the .p12 file to .pem. I could successfully export the .p12 certificate, but can't finish the next steps, maybe i missed something, but can't figure it out.
It's clear that i need to run an openssl command in the Terminal like this:
openssl pkcs12 -in <EXPORTED_CERT_NAME.p12> -out <PEM_CERT_NAME.pem> -nodes
This is my version:
openssl pkcs12 -in <cert.p12> -out <newCert.pem> -nodes
cert.p12 is the exported certificate from the keychain, newCert.pem is the new file's name. I've pasted it into the terminal and pressed enter, but nothing happens. Just getting this message cert2.pem: No such file or directory.
When i try to check the cert with this command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert server_certificates_bundle_sandbox.pem -key server_certificates_bundle_sandbox.pem
Get this error:
Error opening client certificate private key file server_certificates_bundle_sandbox.pem
2668:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('server_certificates_bundle_sandbox.pem','r')
2668:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
What did i wrong? Is it something wrong in my openssl code or i need to do something different in the terminal?
Update 3
a, version
cd /tmp
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
Error opening input file devKey.p12
devKey.p12: No such file or directory
b, version
In this case I don't have chance to enter the password, because the error shows up right after the openssl command.
cd documents
openssl pkcs12 -in devKey.p12 -out samplePem.pem -nodes
Enter Import Password:
Mac verify error: invalid password?
Update 2
I tried it without the < > in the names
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
And it seems something happened
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
....
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
But when i try to verify it still get an error:
Error opening client certificate private key file newDevCert.pem
850:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('newDevCert.pem','r')
850:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
Update (earlier)
I've exported a new .p12 certificate and tried it again. If i just open the terminal and run this code:
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
Got this error
-bash: developerTest.p12: No such file or directory
I saved developerTest.p12 into my Documents folder, so when i try
cd documents
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
I get a different error:
-bash: newDevCert.pem: No such file or directory
In this case I think the answer is a little bit closer, when I run the command inside the Documents folder it finds the exported .p12, however something is still wrong.
Is it sure that the PEM_CERT_NAME can be anything?
The /tmp version:
cd /tmp
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
-bash: developerTest.p12: No such file or directory
-node should be -nodes (this means "no des")
Never use the greater than / less than (< or >) in a filename. The have special meaning in Unix (redirects). When used in instructions, they basically mean, "replace whats between the < and > with your own value, and omit the < and >".
For example, this should work fine:
cd /tmp
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -nodes
Let me know if the above works.
Although similar to this SO question, I am not asking:
Under what conditions does an extension's ID change?
nor
How can I upload my zip archive to the Chrome Dashboard?
I am however asking, how I can obtain an extension's key without using the Chrome Dashboard. Therefore, I do not consider it a duplicate of this SO question.
The documentation for using Google Identity inside a Chrome extension states the need to copy an extensions's key to its manifest file.
To keep your application ID constant, you need to copy the key in the
installed manifest.json to your source manifest.
However, when navigating to the recommended directory (...Google/Chrome/Default/Extensions) I do not see the ID of my unpacked extension. I realise this is because the extension was not installed as .crx file. However, the documentation is clearly written for the purposes of development:
Copy key in the installed manifest.json to your source manifest, so
that your application ID will stay constant during development.
How can I avoid packaging my extension and reinstalling each time I make a change?
If my development extension has no installed manifest file from which I can obtain the extension's key, where can I get it from?
The easy way
The easiest way to get an extension ID is to generate the .pem file and extract the extension ID using the steps described in my other answer (read the part below the image).
The command-line way
The rest of this answer is for those who want to generate the extension ID with command-line tools only. I'm going to use OpenSSL because it is cross-platform.
First, we generate a private key. Keep this private key secret and do not lose it. Otherwise you will not be able to create a CRX file with the same extension ID. As of writing, the private keys generated by Chrome are 2048-bit RSA keys in PKCS #8 format (1024-bit until 2013). Throughout the answer, I will refer to this private key file as key.pem, because the Chrome Web Store expects that the private key is called key.pem.
Second, I show how to generate the value for the "key" field of the manifest file. This is just the public key, encoded in base64 format.
The third command in my answer shows how to calculate the extension ID given a public key (derived from a private key).
Linux / Mac
OpenSSL is installed on most Linux distros. If not, just install openssl via your favorite package manager.
# Create private key called key.pem
2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
# Generate string to be used as "key" in manifest.json (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
# Calculate extension ID (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | shasum -a 256 | head -c32 | tr 0-9a-f a-p
I've put 2>/dev/null at the start of each line to prevent "writing RSA key" from being output to the console.
Windows
If you don't have OpenSSL, you can get a precompiled binary from this mirror.
#echo off
:: Assuming that you have installed OpenSSL in this directory
SET PATH=%PATH%;C:\OpenSSL-Win32\bin
:: Create private key called key.pem
2>NUL openssl genrsa -out priv.tmp 2048
2>NUL openssl pkcs8 -topk8 -in priv.tmp -nocrypt -out key.pem
del priv.tmp
:: Generate string to be used as "key" in manifest.json
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl base64 -A -in pub.tmp
del pub.tmp
:: Calculate extension ID
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl dgst -sha256 -out checksum.tmp pub.tmp
SET /p EXTID=<checksum.tmp
SET EXTID=%EXTID:* =%
SET EXTID=%EXTID:~0,32%
SET EXTID=%EXTID:f=p%
SET EXTID=%EXTID:e=o%
SET EXTID=%EXTID:d=n%
SET EXTID=%EXTID:c=m%
SET EXTID=%EXTID:b=l%
SET EXTID=%EXTID:a=k%
SET EXTID=%EXTID:9=j%
SET EXTID=%EXTID:8=i%
SET EXTID=%EXTID:7=h%
SET EXTID=%EXTID:6=g%
SET EXTID=%EXTID:5=f%
SET EXTID=%EXTID:4=e%
SET EXTID=%EXTID:3=d%
SET EXTID=%EXTID:2=c%
SET EXTID=%EXTID:1=b%
SET EXTID=%EXTID:0=a%
echo %EXTID%
del checksum.tmp pub.tmp
#echo on
I've put 2>NUL at the start of each line with the openssl command to hide a harmless warning about a missing config file.
Examples
Here is an example of running the previous commands on Linux. The relevant output of the commands are boldfaced. The first command creates a file, so there is no visible output in the shell. Note that the output of the second and third command do not end with a line break, so there is a "$" at the end of the line (which should not be copied).
$ # Create private key called key.pem
$ 2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
$ # Generate string to be used as "key" in manifest.json (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8vj7SK0NZ6ak7K6m6KEAkfGaNfKUahqFFms6W8rq+voaW7nETrpsMqNyhmBQ+ea0KkyI/S5XIrDQPqDcNpvesYlg9lsmi7CQBZjJw7zNqKkvn0oYaP4SNtWZfZopBumqFbzFi5cst2PT+XU9CBitxXNtocRtcjOsa44W1gPA5xanmtlF258N6Nann+rSOAdhIWqSo/J6fj72cxTNfmqLkwAvhdS4Zyux4F87vxp4YTSwElfYXFsHZWi7h66uuuMzqyOyJz5grhCJ24rtTshMQUCxQWyhO2XT2J1tVfUN1YVw6xdKUz3aGyKZeXCuql5klHmlqE9PTlbKj/1VMiIgCQIDAQAB$
$ # Calculate extension ID (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | sha256sum | head -c32 | tr 0-9a-f a-p
mfabfdnimhipcapcioneheloaehhoggk$
$ cat key.pem # Show content of key.pem for completeness of this demo
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDy+PtIrQ1npqTs
rqbooQCR8Zo18pRqGoUWazpbyur6+hpbucROumwyo3KGYFD55rQqTIj9LlcisNA+
oNw2m96xiWD2WyaLsJAFmMnDvM2oqS+fShho/hI21Zl9mikG6aoVvMWLlyy3Y9P5
dT0IGK3Fc22hxG1yM6xrjhbWA8DnFqea2UXbnw3o1qef6tI4B2EhapKj8np+PvZz
FM1+aouTAC+F1LhnK7HgXzu/GnhhNLASV9hcWwdlaLuHrq664zOrI7InPmCuEInb
iu1OyExBQLFBbKE7ZdPYnW1V9Q3VhXDrF0pTPdobIpl5cK6qXmSUeaWoT09OVsqP
/VUyIiAJAgMBAAECggEAIztFPKmTOwdn/MXqf+rwqTjuUopFSQllaPXNdYf8AL6J
Wema9IuFquYWcjO/Ki1wzH1ik8vHaMlYuOwcYnLBnN69x5s6AKFukNEx2IclDyLR
O/jDh13oCDl600KqVk1Fk3dW8cHPAxyfnRmJ6wWhFPOC3yUbdabWhpYI66mJrDhN
ZpN04RmH7DIlhlBpvq/OMVodhRtqb4/EVJYghTxUsrsv/I+3t3zl/o/c0DiOjiVZ
pEBYzn0rrHP8BAEhJWagGNgvotHPaVKAjoYcUiOUtMM4P1Js034XKjP4MHE1pMbN
VlVnQMz3/6CXFL+wU1QqfohdChmcnc4QwM+vCFK47QKBgQD/FjHxhCJco0rNqNua
B0inGx2Jfb4b+FWwLyNobaYey11o0MjpkpAvYcfe3zW8DQtmepDxGL8CpORoWtFg
sVnmhAir0I6bxdZLMwKcp4T+kHW3n/ae3z8tPvMvclCnARGEp+ccyDH9X2iyaSd5
8DeJ6ND32+yr+vLgyyK/JW1z5wKBgQDz167cLe+xoRUqlKdJq8lzmij30lGVUT2D
5Fn+2YUKIMeVEM7PlEmu9UmpN5HMA+LSNeiMZ1uhW5YQovXlXZCWoRqieeI4LMoM
M335hsAWpS8pFRdlXMy885w5FUC5v4Ji0RUI37WON6fxNd8zFVqAMOcAANg716RI
MWfblCJOjwKBgQDV8BKBIbYEBfv10poja9p2NFqodqpcIQIU2uQScGvzxdIY14q5
wu9kndiYxpH1nuch0sf/PSbuG8do8kpKk1P37mKrXyZL5TgeJ7EYG7OCITxpfiLE
Ci6dTv98mp6kAlRj8sH1tL2gaEWR5Hl0XpDl/DpOtsefUcAj4prIv6Y1nwKBgGUk
obNSmonjdxQidQFp8DWzTCr/Yje9ava6UVoUf8qjriV2w1H3AFlCBTvbgO5O7laj
ZcJXXPqhMq3T6ospNEBGsvWR+PO0IFrPQQGvkx3Rhq5TwVCaHZKCudozppVlin/S
mhcENBq5mz/CSMK3qMJjhm3J6+dmmw4W8C10VIahAoGARf4zus0TQIxRlix1Oaaz
sM5yANLcLivoeJDVOlUFUWgeSUc6Yma8T/FYlAkEVyyK+/nCWNErTS2yOzXEff01
n8F0h1DJ4K5zxt0OhGUIUAGgR/kqpub0omqTJcJndLv2qgzofwK21Uih6yQzDeus
lJsf3m3tuax5kcmhnDojbtE=
-----END PRIVATE KEY-----
The easiest way I found to do this is by packaging the chrome extension in development mode.
To package an extension:
Bring up the Extensions management page by going to this URL:
chrome://extensions
Ensure that the "Developer mode" checkbox in the top right-hand corner is checked.
Click the Pack extension button. A dialog appears.
In the Extension root directory field, specify the path to the extension's folder—for example, ~/mytodosextension. (Ignore the other field; you don't specify a private key file the first time you package a particular extension.)
Click Package. The packager creates two files:
a .crx file, which is the actual extension that can be installed,
and a .pem file, which contains the private key.
See chrome documentation here
Unpacked Chrome extensions ID is generated based on the path of it's directory. For unpacked extension you can generate the id in following way (code in Python):
import hashlib
m = hashlib.sha256()
m.update(bytes(PATH.encode('utf-8')))
EXTID = ''.join([chr(int(i, base=16) + ord('a')) for i in m.hexdigest()][:32])
where PATH is normalized path to the extension, ie.:
PATH = os.path.dirname(os.path.realpath(__file__))
Would I have to make any changes to these linux commands to make it work on windows? Do all the pipes and redirects work as they do on linux?
openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key.pub
openssl rsa -pubin -modulus -noout < key.pub
#
# to decrypt mess.enc (message encrypted via javascript)
cat mess.enc | openssl base64 -d | openssl rsautl -inkey key.pem -decrypt
I expect I must swap cat for type, and I am hoping the rest will work as it is. Can anyone confirm this?
Equivalent of cat on Windows will be of great help. Rest of the commands are same and should work fine on Windows.
Equivalent of cat on Windows
openssl
cat key.pem
type key.pem
cat=type