We are using Chilkat for sending emails and we need to sign emails
also with CNG certificates (using Microsoft Software Key Storage Provider).
It looks like Chilkat cannot SetSigningCert(), because the Chilkat.
Cert opened from CertStore does not include the private key. Only
SetSigningCert2 (,privateKey) works for me, when that cert was
exportable and when I exported that private key on my own way and
imported it with Chilkat as PrivateKey.Load. We should also have a
solution for none-exportable CNG certificates to sign a Chilkat
email.
If using an older version of Chilkat, update to the latest version (v9.50.79 at the time of this message post) and try again...
Related
I have been following this sample from AWS. I have followed the guide, downloaded the certificates, converted them into .pfx and tested them in a local code similar to the sample. The code works fine and the intended connection can be established. However, when I try to upload the certificate to Azure Key Vault, I get this error:
The specified X.509 certificate content is invalid. Error: one or more x.509 properties are invalid.
I have Googled and tested quite a few different openssl commands, and also tried to upload through PowerShell (just incase), but its always the same error. I am a bit clueless as to why this (as far as I know) official AWS example does not just work, and why I can not just export certificates from one big cloud company to another.
Does anyone have any guesses as to what is going wrong and what properties may be invalid, or how I can find out?
PS: My Azure code is getting all configurations from the Key Vault secrets (connection strings, etc). I figured it could similarly be used to store certificates that my code can retrieve and use, instead of storing the certificate file in the project. Do let me know if I have misunderstood what kind of certificates should be saved in the Key Vault.
Please check if following can be worked around:
Please note that Key Vault requires /accepts only a PEM or PFX file
along with a private key.
If you have a private key stored separately in a different format,
you need to combine the key with the certificate and key should not
be encrypted. Some certificate authorities (CAs) provide certificates
in other formats. Therefore, before you import the certificate, make
sure that it's in either PEM or PFX file format and it uses key
either (RSA) or elliptic-curve cryptography (ECC) encryption. see
creating a certificate with a ca not partnered with key-vault
Some factors to check:
Please check if the Pfx was expired or Pfx password is incorrect or
has an invalid format.
Try Re-importing the cert from a pfx file with the --password
parameter if it is password protected.
Also make sure you have access policies created create,get
,set,delete ,list for user that is trying to create and also for the
application.
And the name of the secret or certificate that you are uploading
must be unique and should not match with any other secret that was
created previously. Content-type must be application/x-pkcs12 for
pfx file.
Also check the similar case from SO reference
References:
Understand X.509 public key certificates | Microsoft Docs /About Azure Key Vault Certificates
"The parameter KeyVault Certificate has an invalid value"- Microsoft
Q&A
Currently, in openssl there's an option to set the signing certificate to be used to sign challenge in case of client-side authentication (server wishes to verify the client).
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
int (*client_cert_cb) (SSL *ssl, X509 **x509,
EVP_PKEY **pkey));
In the example above the signing certificate to be set (cert + pkey) in the callback function. They will be used to sign the challenge automatically once the server request client-side authentication.
However, I wish to create a callback in openssl that will get the challenge and my code will sign it from my own callback implementation. Such capability is required in macOS where the signing certificates are often saved in keychain and cannot be exported. The client may only get pkey reference and it sign the challenge inside the keychain.
I guess that in windows certificate store, it's the same situation, where the private key cannot be exported, no ?
Thanks
I have been successfully testing sending push notifications to Apple devices using SNS, currently in Xcode with the APNS_SANDBOX.
We are now ready to move to production and are having an absolute nightmare getting the certificates set up properly on the APNS (Production) application endpoint.
I am following the same process we followed during development and have consulted several guides.
Each time we try to send a push notification to a device we get the following failure notification:
{"DeliveryAttempts":1,"EndpointArn":"arn:aws:sns:eu-west-1:123456789:endpoint/APNS/Name/e591d1a1-8db3-3382-8091-ab1a3cb3cac5","EventType":"DeliveryFailure","FailureMessage":"Endpoint is disabled","FailureType":"EndpointDisabled","MessageId":"08a70f95-773c-58fb-a6f9-5df1650eeb19","Resource":"arn:aws:sns:eu-west-1:123456789:app/APNS/Name","Service":"SNS","Time":"2017-10-20T15:02:10.824Z"}
I understand this can relate to several issues but is likely a problem with the certificate uploaded to SNS.
The process we have followed:
From Apple Developer website visit navigate to Certificates, IDs & Profiles > Identifiers > App IDs
Create a new App ID and enable the Push Notifications service.
Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on Mac, upload it to Developer site (during the certificate generation process) then download the generated .cer file.
Double click the .cer file to add it to the Keychain on mac.
At this point we have consulted http://docs.aws.amazon.com/sns/latest/dg/mobile-push-apns.html documentation which suggests running the following command:
openssl x509 -in myapnsappcert.cer -inform DER -out myapnsappcert.pem
Back inside Keychain select Keys, highlight the apps private key and export it the .p12 file.
Back in the command prompt run the following command as per the AWS docs: openssl pkcs12 -in myapnsappprivatekey.p12 -out myapnsappprivatekey.pem -nodes -clcerts to generate another .pem file.
Amazon goes on to say:
The newly created .pem file will be used to configure Amazon SNS for sending mobile push notification messages.
This leads me to believe the docs are outdated as uploading the .pem file to the SNS APNS Applications credentials manager returns an error stating that it cannot read the file.
According to the SNS credentials manager for the APNS Application, it only accepts the .p12 file... if that is the case, why the need to create the final .pem file? This step still required? Have I missed a step?
I uploaded the final .p12 file anyway, but obviously, it does not work.
I appreciate there are other questions similar to this but the answers are so broad that there are no real solutions other than trial and error. I believe my issue is specifically related to incorrectly generated certificates, or a step is missing out of the process.
I guess I am reaching out to anybody who has done this recently who can clarify the steps involved.
Thanks
After a lot of trial and error, i've managed to get it working. I'm not sure if AWS docs are outdated but they are certainly over kill.
Here goes:
From Apple Developer website visit navigate to Certificates, IDs & Profiles > Identifiers > App IDs
Create a new App ID and enable the Push Notifications service.
Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on Mac, upload it to Developer site (during the certificate generation process) then download the generated .cer file.
Double click the .cer file to add it to the Keychain on mac.
Open Keychain, select 'My Certificates' highlight the certificate that got added in step 3, probably starts with 'Apple Push Services'.
Right-click the cert and export it (extension is .p12). If it asks you to set a password you can leave blank.
In AWS SNS, navigate into Applications, click into your APNS application (or add a new application). Under 'platform application actions' click update credentials and upload your exported .p12 file.
Finally, click 'Load credentials from file' and update to exit the application settings.
Enjoy push notifications in your app.
This worked for me, I'm not sure why AWS docs suggest the commands to convert files, it looks like they're not necessary and have caused great confusion.
Hope this else somebody.
I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.
I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.
I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )
The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature.
For my first tests I write my own "hello world" backend, that logs the JWT.
I use http://jwt.io which manages to read my JWT without any problem. But it tells me the signature is invalid.
To make the signature valid I would need a valid public key.
I don't know where to find that key.
I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.
I tried this, and also its base64-encoded representation, in http://jwt.io but no success.
Because I was wondering where my public key is, I have also read:
How to validate a JWT from WSO2 API Manager
(and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ )
However the code provided is a bit on its own, with not even a mention of language. I assume it's node.js, but no info about libs or anything.
Here are some more precise questions:
WSO2 APIM offers only SHA256withRSA (which is a flavor of SHA2 IIUC). wso2carbon.jks cert that I found were sha1. So I'm supposing that could not have worked anyway. How can APIM generate SHA256 with SHA1 certificates?
WSO2 APIM offers only SHA256withRSA. http://jwt.io gives the choice between RS256 and HS256, one uses a key, the other a secret (public/private). I'm guessing I need to use RS256? (but again the only keys I have seem to come from SHA1 certs)
has anyone succeeded in what I'm doing? Install WSO2 APIM, generate a JWT and validate the JWT against http://jwt.io, including signature?
If I use a lib such as https://github.com/tymondesigns/jwt-auth to validate the JWT, will it work? I was told that this lib doesn't support SHA256.
in the APIM I'm in a tenancy, called sandbox. If I go to the super-tenancy carbon I see wso2carbon.jks. If I go to my own tenancy's carbon I see sandbox.jks, but it's empty, and on the deployment machine there's no corresponding file. How does that work out, does the tenancy JKS exist only when used, or is it stored in the DB and not filesystem?
how much can I show of my tokens, JWT etc on a public forum? :-) (if it helps to help me, I'm willing to share!)
Thanks for any tips!
(maybe all I need is the default public key, seeing as I'm using the default keystore!)
Answering myself in case anyone has the same issue.
Two things helped me out:
first, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
then I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:
log in as tenant admin in APIM carbon portal
navigate to configure / keystores
there was a keystore for the tenancy (called sandbox1.jks), click on public key
save the downloaded sandbox1.cert and convert it to pem using the above command
The resulting pem worked fine with jwt.io using RS256
Hope this helps others!
I am creating a web service for end users which will have a front-end in the form of an Adobe AIR desktop app but users will be able to access their data through the website too. User's data will be synchronized between the server and the local data store. The problem is that I cannot get an SSL certificate. Is there a way to make this more secure....
I think I can use something like two-legged oAuth or an Amazon S3 like authentication system?
What do you recommend in such a situation?
The first question is: why can you not get an SSL certificate? I can think of two reasons:
SSL certificates are too expensive
You don't want to have a certificate issued by a third party
If your problem is #1, StartSSL provides free certificates with a 1-year validity or charges $50 for unlimited certificates valid for 2 years (including wildcards). They are recognized by both Mozilla and the Microsoft trust store.
If the issue is #2, why not issue a self-signed certificate and hard-code it into your application? That does not compromise the security of the system at all (only your particular cert will be accepted by the app), but eliminates the need to "get" an SSL certificate from somewhere else.
If you really really can't use SSL, look at challenge-response systems such as Kerberos or anonymous key-material generators like Diffie-Hellman (with an asymmetric key for server identity validation). Many methods exist for secure two-party authentication over an insecure line. The key is that the ID verification step must be challenge-response instead of a "send me your secret" scheme.