I'm not sure what I'm doing wrong here, but I've got all of my passwords saved in a file as encrypted strings. The command I use to encrypt them is something like:
echo "password" | openssl enc -aes-256-cbc -a -nosalt
I then use password as the encryption key.
Originally (using openssl version 1.0.2g), this resulted in the string
7Lz5dLLYCLCv9GjadL1LTQ==
which has been saved to the passwords file. However, when I now run the same command using version 1.1.0g, I get the string
qq26+CHHB6MuY33GAqeIVw==
This means that when I now come to decode my passwords, they do not decode correctly. Is there something that I'm missing here?
NB: I know that the nosalt option is a bad idea, and I don't actually use it. I've just included it here to help clarify my problem.
The default hash used to generate the encryption key from the password changed between OpenSSL 1.0.2 and OpenSSL 1.1.0.
See this FAQ entry:
https://www.openssl.org/docs/faq.html#USER3
In 1.0.2 the default hash is md5, in 1.1.0 it is sha256. Specify the hash you want to use with the "-md" option.
Related
I started implementing tkinter front end to Linux /usr/bin/pass (will call it PASS for readability) utility (/usr/bin/pass, http://www.passwordstore.org/⟩. Objective: learn Python, tkinter, also I may get secure password manager.
The task didn't look hard at first. Then I encountered two problems which are also my questions.
"pass edit pass-name" command calls vim, and if the file has changed gpg encrypts it then saves in the ~/.pasword-store dir. Ideally I'd like to ask a user for a new password (reserved a tk.Entry for that) and send the new password to PASS.
Is there a way to send a new password to PASS programmatically (without manually editing a file in vim)?
[PASS also makes git commits]
PASS commands may ask for passphrase, e.g., "pass show pass-name". As I understand it is done by gpg-agent (in the terminal where I launch Python appears a question "Enter passphrase: "). I'd like to ask for passphrase in the tkinter app and then send the passphrase to PASS [, gpg, or gpg-agent?]
Is it possible?
Using:
~/.gnupg/gpg.conf
use-agent
pinentry-mode loopback
~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
default-cache-ttl
max-cache-ttl
Python 3.9.2
/usr/bin/pass v1.7.3
gpg (GnuPG) 2.2.27
Debian GNU/Linux 11 (bullseye)
UPDATE 1/18/23
Regarding providing a passphrase to PASS. Going to investigate the following approach: suppress gpg-agent from asking a passphrase but return an error instead 2) catch this error in Python 3) force gpg-agent to cache the passpharse 4) repeat the failed action.
For verifying builds of Renderdoc using the publisher's public key, verifying the Linux binary tarball works as expected; I run gpg --import ./baldurk-pubkey.asc and then gpg --verify renderdoc_1.18.tar.gz.sig renderdoc_1.18.tar.gz and then I receive the following output:
gpg: Signature made Tue Jan 25 07:25:56 2022 MST
gpg: using RSA key 1B039DB9A4718A2D699DE031AC612C3120C34695
gpg: Good signature from "Baldur Karlsson <baldurk#baldurk.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1B03 9DB9 A471 8A2D 699D E031 AC61 2C31 20C3 4695
However, when I try to do the same process for the Windows 64-bit portable zip, i.e. gpg --verify RenderDoc_1.18_64.zip.sig RenderDoc_1.18_64.zip I receive the following output instead:
gpg: Signature made Tue Jan 25 08:01:06 2022 MST
gpg: using RSA key EC0F4688931695D3BCF0D10FB93B9B66E68BA2E9
gpg: Can't check signature: No public key
I receive similar output if I attempt to pass in the extracted qrenderdoc.exe as the second argument instead of the .zip itself.
I understand that the Windows executables have their own digital signatures; if I right-click qrenderdoc.exe, go to "Properties", and then go to the "Digital Signatures" tab, there is a signature by the same publisher. But I am confused as to what purpose the Windows .sig files serve or how to use them. I'm assuming there must be a correct way to do this, or else the sig files would not be provided, but I do not know what that way would be.
OK, I can sort of understand the downvote to my question. Clearly, as the output to the command for the .zip.sig says, it was signed with a different RSA key. I assumed that, since the Renderdoc website makes no mention of another key and nobody else online mentioned any issues with the Renderdoc signatures, then clearly there was an obvious way to find/add said key that I was missing. But after asking the developer, it turns out they changed build systems at some point and a different key was being used, and I guess I was just the first one to notice or report the problem. I can see now that this probably should have been my first assumption; apologies for the unnecessary question.
In the miniscule chance another Renderdoc user stumbles across this: According to the developer, subsequent builds (so anything above the current v1.18) will be signed with the correct key.
I'm trying to create key using below command
openssl genrsa -out /danny/mykey.key 2048 -config /etc/pki/t1s/openssl.cnf
but am getting below error
warning, not much extra random data, consider using the -rand option Generating RSA private key, 2048 bit long modulus
89660:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:512:
You need to read the OpenSSL FAQ, http://openssl.org/faq
can anyone suggest what's wrong happening ? how can I fix it ?
On Linux, I have access to PGP. However, I do not have PGP SDK service running on a particular box to which I have access to.
Normally, I use "pgp --verify --passphrase " to verify the .pgp files.
Is it possible to verify a file (I only need to check if the file is encrypted or not) using pgp but not where PGP SDK service is required?
RHEL already brings GnuPG, which is a fully compliant implementation of OpenPGP. Using gpg --list-only --list-packets you can dump the contents of an OpenPGP file (either sending the contents into STDIN or providing an additional option containing a file name).
An example output for my own key:
$ echo foo | gpg --recipient a4ff2279 --encrypt | gpg2 --list-only --list-packets
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid CC73B287A4388025
data: [4096 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=63 new-ctb
:encrypted data packet:
length: 63
mdc_method: 2
If you want to test for encrypted information, look for the :pubkey enc packet line if you only want to match public-private-key cryptography, the :encrypted data packet will be available in both public-private-key cryptography and with symmetric encryption.
PGP probably provides similar interfaces, but I have few experience with it and currently no setup around to play with it. Anyway, if using PGP make sure you're not using one of the very old, outdated versions suffering from some flaws and limited compatibility with newer releases of the standard.
I am Exporting only the private key(s) from a .pfx file to a .pem (.key) file:
I am using the command as below.....I executed the command twice to generate the private key twice (It asks me for a import password and a PEM pass phrase each time) in two different physical files
openssl pkcs12 -nocerts -in DigitalCertificateExport.pfx -out
OnlyKey_SameParaPhrase_1.key openssl pkcs12 -nocerts -in
DigitalCertificateExport.pfx -out OnlyKey_SameParaPhrase_2.key
However, the resulting key file has different private key each time. Should it not be the same always? I was expecting it to be the same each time.
Worth mentioning that I provide exactly the same pass phrase each time.
According to this OpenSSL doc, at least some encryption methods for .pem files use a random salt. When using your command to convert a .pfx file I get a file with the following line:
-DEK-Info: DES-EDE3-CBC,6AC8DB439F2BDE03
This cointains a random salt used for encryption and / or validation.