How can I save a X509AttributeCertificate to PKCS12 keystore ?
I guess this is what you are looking for: https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Related
I am trying to use MP4Box to edit the #EXT-X-MAP:URI="fragment_init.mp4" file used in HLS fMP4. My current approach is to dump the mp4 file to an xml file, edit the xml and then package back into an mp4 file. Firstly, the source gstgenerated.mp4 file is converted to 2sec HLS fragments:
MP4Box -dash 2000 -frag 2000 -profile full -out master.m3u8 -segment-name fragment_ gstgenerated.mp4
Then the newly created fragment_init.mp4 file is dumped to the default fragment_init_dump.xml file:
MP4Box -dxml fragment_init.mp4
But if I try to re-create the mp4 file with the -package option an error is generated:
C:\Users\KFerguson\Videos\PAR> MP4Box -package fragment_init_dump.xml -new init.mp4
Missing 4CC code for meta name - please use ABCD:fileName
Failed to package file
Can anyone help with interpreting this and comment if I am on the right path to the box editing objective?
I wrote a self-defined OpenSSL engine and engine tester in ubuntu 20.4. And the OpenSSL version is 1.1.1.
The goal is to use engine in TLS session, and the first step is to use command line to sign a digest. The reference website is:
https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms
But the tester use the engine by calling the function, like ECDSA_sign and ECDSA_verify in the code, which can't act as expected. I hope to achieve the effect like:
$ openssl dgst -engine <engine_id> -sha256 -sign -out
So what should I do? And is this practicable?
Thanks a lot!
That OpenSSL wiki page is useful for beginners to learn how OpenSSL engine works, but it is too old that a lot of APIs in the page has been deprecated, especially the ECC functions.
Yes it is practicable.
Copy your YOUR_ENGINE_NAME.so to /usr/lib/x86_64-linux-gnu/engines-1.1/, then edit /etc/openssl.cnf to tell OpenSSL command line utility to start with loading your engine:
# Insert near top of file openssl.cnf:
openssl_conf = openssl_init
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
......
......
# Insert at bottom of file openssl.cnf:
[ openssl_init ]
engines = engine_section
[ engine_section ]
YOUR_ENGINE_NAME = YOUR_ENGINE_NAME_section
[ YOUR_ENGINE_NAME_section ]
engine_id = YOUR_ENGINE_NAME
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/YOUR_ENGINE_NAME.so
default_algorithms = ALL
init = 1
You can put some printf info in your engine's init function. It will display after OpenSSL command line utility started if the engine is properly loaded:
$ openssl
engine bind start
YOUR_ENGINE init success
OpenSSL>
I try to implement EBICS 3.0 communication but I can't send correctly my INI request.
I use NodeJS Ebics Client (https://github.com/eCollect/node-ebics-client)
that I try to edit to use H005 schema but I get [EBICS_INVALID_XML] XML invalid according to EBICS XML schema error when I try to send the request.
There is the generated XML (with fake data of course):
<?xml version="1.0" encoding="utf-8"?>
<ebicsUnsecuredRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:org:ebics:H005" Version="H005" Revision="1">
<header authenticate="true">
<static>
<HostID>EBIXQUAL</HostID>
<PartnerID>123456789987654321</PartnerID>
<UserID>123456789987654321</UserID>
<Product Language="en">Node Ebics Client 0.0.7</Product>
<OrderDetails>
<AdminOrderType>INI</AdminOrderType>
</OrderDetails>
<SecurityMedium>0000</SecurityMedium>
</static>
<mutable />
</header>
<body>
<DataTransfer> <OrderData>eJx1k1lzolAQhf9Kinmk4r2ACFhICsQFESGs4hsEZAmbLIL8+skkU06s1LzdPue71VXdp9mXIc+ermHdJGWxQLAJRJ7C4q0MkiJaIF17fqaRF441kqjw2q4Otc6Xw5taB2Eteq339PG7aOZBs0Ditq3mAPR9P+mJSVlHAIcQAsiADyZokugX8kU/oKGfvDWftAEhhvzoJBXnkmO/3raXdSHHBs1cN/iHWimDLusajt/7qsQ7VHydVqOkJnKTtPv49YrpB9MWNmhxrVtHX+W6fG12Y4pT7/WJSgyyEEZBURIvJ0+nYZrKnQnOrUTtYmy1tnHNOZY1mJl8VKK5WsFj1jPO8XxBz2mkudTa8Zshv6nQnV2EHQZeB95tUmFDWZ0f3jK1qPm1CqjKoqnzoAzVsBSnbtXsyBNJDISH4Wjn5XQa69aQyrHDZ8RYjpniXpaR2+CQ34trK+xRu98ymxtPboVYEGVXpse1MuZaKB5WiYvtKw+QaW8ykS+mEmr0obaMs2p/TYAt2rLvCGanCdXNl6/mJqiWbUq1lrIZ9FxhZDXV9p30vj1OvT19842Lt61O64OmWu+6jqZvCxZ8G/Kfga+GqizCouX4V174dO/KZ/WwIDPJQ6P18orDIcY8Q+YZp0wMziGcY9iEoYgTC/4xLHjY9j0P9ldGOR7CGQt+yN+kh+R4dVuEtSRyGE5MyRlFMwxNzcgpgWMfne4uazX/pf5aPzrcr4D7DcBUGOc=</OrderData>
</DataTransfer>
</body>
</ebicsUnsecuredRequest>
For me the structure of the document seems correct. Isn't it ?
What's wrong with this XML document ?
The schema seems to be there https://github.com/openyard/ebics/tree/master/xsd/h005
Is someone have ever try the implementation of the new stantard in nodeJS ?
If yes please give your feedback
Thanks
To get it working with EBICS 3.0, ensure that S002 is used within your OrderData, e.g.:
<?xml version="1.0" encoding="UTF-8"?>
<SignaturePubKeyOrderData xmlns="http://www.ebics.org/S002" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:s001="http://www.ebics.org/S002" xsi:schemaLocation="http://www.ebics.org/S002 ebics_signature_S002.xsd">
<SignaturePubKeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
<SignatureVersion>A005</SignatureVersion>
</SignaturePubKeyInfo>
<PartnerID>XYZ</PartnerID>
<UserID>ABC</UserID>
</SignaturePubKeyOrderData>
Also ensure that your Certificate is correctly created.
E.g.: under WSL (in Windows 10+) or Linux with openssl:
sudo apt-get install openssl
openssl genrsa -out /mnt/c/Temp/auth.pem 2048
openssl req -new -key /mnt/c/Temp/auth.pem -out /mnt/c/Temp/auth.csr
openssl x509 -req -days 365 -in /mnt/c/Temp/auth.csr -signkey /mnt/c/Temp/auth.pem -out /mnt/c/Temp/auth.crt
Then read in your auth.crt file.
Using BouncyCastle, this can be achieved with (example in C#):
cert = new X509Certificate2(#"c:/Temp/sign.crt");
I have this public and private key, how to i decode this ?
thank you, very much.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl0NyHA+z9w6LiYURla4UCcedc
2SpsS4SnVGdSSEHTMsc9NbMX2fVPX9q8yyYBMypvBYnVLc7gNozr3bziLLhOGWjv
Dh3zaC3/Q4wu6Osroo9Af9PoHr1riEve8ioz058mPP28TGOBb/oYa5TaeYw4GGMc
mqvZMrRlGhPZIOsePQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCl0NyHA+z9w6LiYURla4UCcedc2SpsS4SnVGdSSEHTMsc9NbMX
2fVPX9q8yyYBMypvBYnVLc7gNozr3bziLLhOGWjvDh3zaC3/Q4wu6Osroo9Af9Po
Hr1riEve8ioz058mPP28TGOBb/oYa5TaeYw4GGMcmqvZMrRlGhPZIOsePQIDAQAB
AoGAF74YVZzSSmPA5vlWec8zdG4q2ridwnPtwqfrQ3TlOACFVtZhloC3B26KO447
GuDgqpT4b3XnsWMeOoe9jAUrPohy0ISiYYvp0h+KHjFUFt9XH9d3hlm0VqRCExNA
rG3sXXuoSmyyGIin/7l4pFJuFCyDLESQQ4zJGCicMiCpWAECQQDcM0eDTL0t/web
5XfOw5LUJLgNlAQyWmncojVB4QbT0XixZD/UBKlPyt2lwbSncRmSW7TJzb+epdHf
FKCEfub9AkEAwMYbAh4VUal0q+aBGheo3N/4cZy0GC4unM15F9lxkOn06RGSmFQ5
0ulhlH3f5h5uVIFh7jT1Nk27H2EjTxHYQQJAMoDUWwnjrcP7Q8cqZlK2v084o2ya
Vc4kz4SogFaTEUvOyai7du4mwvU9RsIZo/mtqsK7wTkeRM21R9vcQOc2JQJAQWf1
6fYDDb4NE/YVf6DfbnGffgzJHhstPY6Js4nXem+m5R1NO9n39JOyxAshWJaioJF1
hLj7Kf2dq7vtmvpXAQJBANAYjUpCT8cYA5XpbmeMHTw3XGuF1N2wBpfu5BNsN8Nh
l0NZkzFHNpempMYTr/1TnUaeAynlevfw6/mSK40YHrQ=
-----END RSA PRIVATE KEY-----
basically any ASN.1 decoder that recognizes DER structures will do...
for a free javascript version see https://lapo.it/asn1js/
(This uses Python 3)
Open your CMD (windows) from start menu or TERMINAL (mac) from the utilities page in the launchpad. Type:
pip install pycrypto
if that gives you an error, try:
pip3 install pycrypto
(You might not have to do this) Select "Open Module" in the IDLE window, then type crypto. If it gives you an error, then you are good. Then, rename crypto to Crypto with a capital.
Go back to python and type this (in edit window):
from Crypto.PublicKey import RSA
key = RSA.importKey('file.pem') # where file.pem is where your keys are stored, in the format you had in your question
public = key.publickey()
output = public.encrypt('data'.encode('utf-8'),32) # 'data' is a placeholder
output = key.decrypt('data'.encode('utf-8'))
The output will be bytes, to convert to hexadecimal:
print(output.hex())
I am trying to create a "bks" keystore using keytool (using terminal app on Mac OS X). I am following the instructions in:
keytool error: java.security.KeyStoreException: BKS not found
This is my usage:
keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize 2048 -validity 10000 -keypass android -keystore /Users/djames/dropbox/bc146keystore/debug.keystore -storepass android -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/bcprov-jdk16-146.jar -dname "CN=Android Debug, OU=Android, O=Android, L=Whitefish, S=MT, C=US"
I am getting the following error:
keytool error: java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
at sun.security.tools.KeyTool.parseArgs(KeyTool.java:375)
I have seen the -provider path option recommended in countless web posts (including the one above) and when I run keytool -help it confirms the syntax is legal:
keytool usage: ...
-genkeypair [-v] [-protected]
[-alias <alias>]
[-keyalg <keyalg>] [-keysize <keysize>]
[-sigalg <sigalg>] [-dname <dname>]
[-validity <valDays>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>]
[-storetype <storetype>] [-providername <name>]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
I also tried the following alternative (per http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html):
deleting the -providerpath option of the keytool command,
placing the bcprov-jdk16-146.jar inside the {$JAVA_HOME/lib/ext} folder
adding security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider to the java.security file.
But it still failed.
Any ideas on what I can do differently to succeed in creating a BKS keystore?
It's many years since, but I am attempting this too.
The answer is that you have the parameters in the wrong order. The -providerpath needs to come before the -providerclass parameter.
I hope that helps someone in future searching for a solution.
I was never able to succeed with Keytool. This is what I did to solve the problem instead: I made a copy of the default debug.keytool (a JKS type keystore) that was created by Eclipse (Indigo, SR2) automatically the first time an android program is run in Eclipse, and used Portecle (http://portecle.sourceforge.net/) to convert this to a BKS type keystore. Now this is the tricky part: If I now used the BKS version of debug.keytool in place of the original, I got an "Android packaging error" in Eclipse “java.io.IOException: Invalid keystore format” whenever I would try to run the android program. However, if I left the original JKS version of debug.keytool in the default directory where Eclipse created it, then I could use the BKS version of the debug.keytool in the Android program's /resources/raw subfolder and have Android open it and recognize it. Jim
An easy alternative is to use Portecle to generate the BKS:
Download the needed Boucycastle Provider
Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
Restart Portecle and generate your BKS truststore.
More explanations here.
I am trying to do SSL connection with certificates, so to support in Android I need to use jks / bks files as trust store.
So generated jks file tried in android SSLSocket connection, But
throws exception that jks not able to read. So I have to add
Boncycastle provider to JVM and create bks using jks file
Download the Bouncycastle provider jar file and place under below path:
C:\Program Files\Java\jre1.8.0_191\lib\ext
Update the java.security file by adding provider for the following file
C:\Program Files\Java\jre1.8.0_191\lib\security\java.security
Add the provider
security.provider.12=org.bouncycastle.jce.provider.BouncyCastleProvider
Close command prompt and open execute command to get bks file like below:
keytool -importkeystore -srckeystore <input>.jks -destkeystore <required_bks_file_name>.bks -srcstoretype JKS -deststoretype BKS -srcstorepass <jsk file password> -deststorepass <jsk file password> -provider org.bouncycastle.jce.provider.BouncyCastleProvider
Now you can bks file in your folder.
Thanks