There is numbers of tools that converts certdata.txt from here into .pem format again. However I would need to do it the opposing way: create certadata.txt from a given .pem or .der file.
Does anyone knows a tool that converts *.pem certs into the certdata.txt?
After getting a closer look of nss-tools I have found what I really needed:
nss-addbuiltin:
Read a der-encoded cert from certfile or stdin, and output
it to stdout in a format suitable for the builtin root module.
Example: nss-addbuiltin -n MyCA -t "C,C,C" -i myca.der >> certdata.txt
The file you referenced is a definition file. You generally never feed it directly to an application, instead you convert the certdata.txt into a list of certificates in .pem format.
This is what most of consumers fo:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/J7mY_cpOyX4
http://curl.haxx.se/cvssource/lib/mk-ca-bundle.pl
https://security.stackexchange.com/questions/42946/where-can-i-find-all-ssl-ca-certificates
If you use the PEM list, then it's just as simple as adding your certificate to the end of that list.
Related
I've been struggling for several days about how to compute the digest for the SignedProperties element in a XAdES signature. I have a reference XML file with the two digest values computed (the file being signed and and the signed properties), and I know it's good because it passes the verifiers. I computed the right digest value for the file being signed, but whatever I give as an input to the digest method (I use OpenSSL), I cannot get the same value that in the reference file. Of course my own file don't pass the verifier after that. I use the following command to compute the digest:
openssl dgst -sha256 -binary myfile.xml | openssl base64
I recorded the file myfile.xml by extracting the SignedProperties element of the reference file and saved it as is.
<xades:SignedProperties Id="xmldsig-f6a6a2a1-87af-4720-8eed-cf4532e99106-signedprops"><xades:SignedSignatureProperties><xades:SigningTime>2015-09-22T09:02:48.624+02:00</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cAJECbIzXZiLH+ILWPrM5jfA13GKcEC8t1qe7/BxqBM=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US</ds:X509IssuerName><ds:X509SerialNumber>13010307134774063901853305426952669967</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties><xades:SignedDataObjectProperties><xades:DataObjectFormat ObjectReference="#xmldsig-f6a6a2a1-87af-4720-8eed-cf4532e99106-ref0"><xades:Description>signature détachée du fichier indexfile.txt</xades:Description><xades:MimeType>text/plain</xades:MimeType></xades:DataObjectFormat></xades:SignedDataObjectProperties></xades:SignedProperties></xades:SignedProperties>
Apparently, I should get the value :
6JK3GHDL25+EIRefNMQJ3SOGSI8uzQ45PiziMomZkYs=
But I can't get it. I don't know if some transformations or canonicalization must be applied, the specification is very vague about this part. It's encoded in UTF-8, no line feeds.
Does anyone how to do this ? Any trick ?
I finally found out how to obtain the right digest value. Apparently, the same canonicalization algorithm must be applied to the SignedProperties element, although this is not described precisely in the recommendation. I missed two important things in generating the canonized form :
Auto-closed tags must be explicitly opened and closed : becomes
Any namespace declared in an ancestor element must be reported in the root element of the document subset, even if it is not used in this particular subset, which I found quite weird.
Anyway the correct canonized form for this subset is :
<xades:SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Id="SignedProperties"><xades:SignedSignatureProperties><xades:SigningTime>2015-09-22T09:02:48.624+02:00</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>cAJECbIzXZiLH+ILWPrM5jfA13GKcEC8t1qe7/BxqBM=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US</ds:X509IssuerName><ds:X509SerialNumber>13010307134774063901853305426952669967</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties><xades:SignedDataObjectProperties><xades:DataObjectFormat ObjectReference="#SignedFile"><xades:Description>signature détachée du fichier indexfile.txt</xades:Description><xades:MimeType>text/plain</xades:MimeType></xades:DataObjectFormat></xades:SignedDataObjectProperties></xades:SignedProperties>
I have created a PFX PDU using the java bouncycastle library. Inside the PFX PDU, there are two certificates and two encrypted private keys. All the contents are used as PKCS#7 data content (i.e. no encryption, stored as octet strings).I organised the elements according to the guidelines of PKCS#12 (RFC 7292 Section 5). Then I wrote the DER encoded byte array to a file.
I opened the file in a hex editor and saw that the object structure is OK. I have also read the file contents and built a bouncycastle PFX object from it. But when I try to open the .pfx file from my file system, the Certificate Import Wizard asks for the password for the private key. I did not use any password to create the PFX object. I have tried to use empty string and the password used for encrypting the private keys, but they didn't work. It shows "The password you entered is incorrect.".
Is there something I missed here? How can I get the password required to import certificates?
In RFC 7292, section 4.1, page 41, details of AuthenticatedSafe is described. AutthenticatedSafe is sequence OF ContentInfo which could one of three types.
AuthenticatedSafe ::= SEQUENCE OF ContentInfo
-- Data if unencrypted
-- EncryptedData if password-encrypted
-- EnvelopedData if public key-encrypted
Make your authenticatedSafe data as EncryptedData where you needs to encrypt the BERencoded value of AuthenticatedSafe with the SecretKey generated from password you will give using SecretKeyFactory and PBEParameterSpec.
Hope that, this will help you. Cheers !!!
I'd like to prepare a simple script for connecting to some VPN network. The password to the network consists of two elements: pretty complicated pass + randomized token. I don't want to remember this password but store it encrypted in some secure directory. Now, the script I need should ask me for a passphrase and some token, read decrypt a pass from a file and run some commands. All those are pretty easy except one thing: is it possible to decrypt a file to a variable instead of file? I mean I'd like to get something like
PASS=`mdecrypt password.nc`
but as far as I know mdecrypt generates a file as a result instead of returning value. I know I could run something like
`mdecrypt password.nc`
PASS=`cat password`
`unlink password`
but is there some easier (one liner) solution?
uset the -F option
-F Force output on standard output or input from stdin if that is a
terminal. By default mcrypt will not output encrypted data to
terminal
I tried to examine the content of a .torrent file using a
$ od -c xyz.torrent
Some of the content of the file is in plain text like the information regarding the trackers, creation date, the encoding used,the length and the number of pieces but the rest is encoded. Can somebody please tell me how i can examine the torrent file so that i can decode everything.
.torrent files are bencoded dictionaries
More information
Use lstor from the pyroscope package: https://code.google.com/p/pyroscope/wiki/CommandLineTools#lstor
It pretty-prints the contents of .torrent files.
I have a .bmp image. I wanted to encrypt the image file using openssl command. The following is the command I have used to encrypt the image.
openssl enc -aes-128-cbc -e -in pic_original.bmp -out aes128cbc.bmp -K 00112233445566778889aabbccddeeff -iv 0102030405060708
As per ECB mode is concerned I should be able to view partial image when I encrypt the file using ECB mode however I cannot see the image at all. The image viewing software says there is bogus header data
Is there any thing wrong in the command I used for encrypting the file. Can someone help me with this please
Thanks
You can easily copy the header back on top of the image:
dd if=/path/oldfile.bmp of=newfile.bmp bs=54 count=1 conv=notrunc
To learn about dd:
man dd
You can search for examples of this on the web .E. Hugo's blog
That's because you encrypted everything, including header. You should extract bitmap data into a raw stream, encrypt that and attach header back to it.
You need to extract the header from the original image and use it to replace the header of the encrypted file. Generally for a bmp file, the first 54 bytes contain the header info.
to do this:
head -c 54 pic_og.bmp > header
tail -c +55 pic_cbc.bmp > body_cbc
cat header body_cbc > new_enc_cbc.bmp