I want to verify detached XML signature using a public key.
I have tried using gpg and openssl but no success.
Can anyone provide me with steps to verify using a public key.
Related
Correct me if I am wrong, but if a byte of an app is changed then the signature of the app changes too. But in this library https://github.com/javiersantos/PiracyChecker in section verify signature there is written that we shoud save the signature in a variable and check if it is correct. I tried it and it works. But if we save signature inside a variable that means the app is changed which means the signatue is changed also and then it can't pass the check wright? So how is that possible?
how does a signature check works?
I now understand it. When a private key creates a certificate, then that certificate can be checked using the public key. But the piracy check included is using the public key or hash of the public key and NOT the whole apk digital signature. When any part of the app is changed there is a high probability that the app digital signature changes. On the other hand, using a public key or hash of a public key inside the piracy check enables us to sign the app using our private key. The piracy check verifies if the app is signed with the equal public key or hash of the public key that is stored inside the code.
I want to aquire a token from an Azure app registration with a certificate.
I followed the instructions here and generated a self signed certificate with Powershell. I also imported the public key into the portal.
But if I want to access the app via .NET, I need to provide the following MSAL configuration:
The CertificateFileContents is just the public key I exported from the certgmgr. But what should I put as the CertificatePass? Is this a hash? Or a private key? I could not find anything in the docs and also the link above does not give me any advice...
Also I do not really understand why the private key is not imported to the portal?
In my experience, CertificatePass should be required when you export a private key.
This document has such content before:
Export the private key, specify a password for the cert file, and
export to a file.
But now it only tells you to export a public key. You can see details from this issue.
So based on the SharePoint document, if you are reading a PFX file from your local machine, I think you should use private key with a password.
Okay, the CertificatePass was the password for the certificate itself.
The Azure Portal itself only holds the public key.
The client application needs to provide the whole certificate with private and public key.
If you export a private/public key from certificate manager in Windows 10, you will not be able to directly export this as base64, but you can create a pfx file.
Those files can later be encoded to Base64 with a tool of your choice. For example this.
The password for your certificate has to be the CertificatePass, the FileContents are the Base64 public and private key, but decrypted with the password.
This is of course only an approach for testing purpose. In a production environment you would rather use key vault or something similar to not have any secrets in your appsettings.json.
I am working on a basic-network project on Hyperledeger Fabric V-1.4.1. I have enrolled an admin and created a user using enrollAdmin.js and registerUser.js. A public Key and a private key is generated for user1. Now I want to use that private key to sign simple data and later verify using the public Key. I have tried using URSA node module which works fine with RSA keys generated through OpenSSL but isn't working with these two keys. Probably because these keys are not RSA, they are ECDSA keys. I have also read the documentation of the Crypto node module and it seems I need to have .pem files as keys to use in Crypto module. But In fabric, I have key files as -priv and -pub format.
Is there any node module that can encrypt decrypt using ECDSA keys?
Is there any specific way in hyperledger fabric to do this?
Or is there any other way I can do this thing? Please ask any questions if necessary.
Thank you.
The two formats you see
priv
pub
Are wallet formate of filestorage
Try to register an identity and enroll with fabric-CA by importing identity service then you will receive certificate and private key just put it in a file and mark the extension as pem and it will work
I am receiving an error when the https server starts, something along the lines of:
Error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
I may be completely going about this the wrong way. I need to get an SSL cert from a 3rd party CA. This CA requires that I give them a Certificate Signing Request (CSR) that I have generated.
I generated a CSR using certreq.exe on Windows and provided the CSR to them. They provided the public key cert in response.
Here's where I'm a little confused. The https server has a key and cert property. As I understand, cert is for the public key (from the CA) and key is for the private key. Where's this private key??
After some googling, it appears that certreq.exe will create a key pair in the windows cert store when the CSR is generated. I exported the PFX, used openssl to extract the private key, and decrypted the key so that it was in a format that had "--BEGIN RSA PRIVATE KEY.. etc". The key looks fine to me. It's formatted the same way my previous self-signed certs were formatted which worked fine.
I used this private key for the https key property and received that asn1 wrong tag error. Am I going about getting the private key the wrong way? Or is the error something else?
I have created one efi and signed with pesign using the docs -
UEFI secure boot :
https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm
https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
https://wiki.ubuntu.com/SecurityTeam/SecureBoot
http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/
And booted with :
sudo qemu-system-x86_64 -L . -pflash /usr/share/qemu/OVMF.fd -hda fat:uefi_disk
uefi disk contains signed efi file
But to secure boot I need to have
DB
DBX
KEK
PK
so that I can enroll in OVMF secure boot
But in the tutorials, never got these how to generate.
Please suggest
In addition to generating keys for secure boot, one need to take care of signing the keys.
procedure for generating keys, signing and storing them to keystore is defined in detail here https://www.rodsbooks.com/efi-bootloaders/secureboot.html
Security keys can be categorised in 2 ways Private and Public and secure boot follow chain of root of trust for key addition PK=>KEK=>DB. Any changes in DB needs to be signed using KEK private key, changes in KEK needs to be signed by PK private key and changes in PK requires key to be signed by previous PK publik key's private key.
Generate PK pair and sign PK public key with private key. PK is a self signed key.
Generate KEK pair and sign KEK public key using PK private key
Generate DB key pair and sign DB public key using KEK private key
Generate DBX key pair and sign DBX key pair using KEK private key
Note : for replacing previous PK from BIOS, you will require an empty key signed by platform owner. Most BIOSs allow changing keys without verifying but ideally it should not be allowed. Whole purpose of secure boot is that things can be traced to root of trust and verified.
Apart from generating completely new set of keys, you can also use Machine Owner's Key MOK for registering a new key with secure boot.
Generate a key pair
sign your utility using private key(using sbsign)
add public key to MOK utility (using mokutility)
also described in link mentioned above