I am writting a program in C/C++ on a linux plattofrm to parse X509. Most importantly right now is the public key but I might need other info as well.
I have used the code (in Open SSL) from this post http://www.zedwood.com/article/c-openssl-parse-x509-certificate-pem and it works fine, but my certifcates are in DER format and I therefore need to convert them prior to this (which I can do in the command prompt).
What I need is to do this conversion in code, or other code that does the same on DER certificate directly.
I have tried to replace som components in the code to make it DER instad of PEM but no luck (have been trying to use some id2 commands but I am not even sure if that is correct).
Any help would be apprectiated.
simply use d2i_X509_bio instead of PEM_read_bio_X509 to read the certificate. See how to convert the Certificate String into X509 structure.? and http://www.openssl.org/docs/crypto/d2i_X509.html
Related
I need to write a c++ code to validate content of id_rsa-cert.pub file. is there any APIs available in Openssl https://www.openssl.org/ that i can use?
if the contents are invalid, i need to abort the operation with invalid key file. as an example ssh-keygen tool does it: https://serverfault.com/questions/453296/how-do-i-validate-an-rsa-ssh-public-key-file-id-rsa-pub
I need to create a internal AES/Base64 encrypt system for my application.
I mean , I don't want to have any side dll for my exe like openssl library.
I found this threads :
Problems with CryptoPP C++ AES-256+Base64
Crypto++ encrypt and decrypt in two different c++ programs
But they wasn't what I need , I searched and I found nothing.
What I need exactly is like this site : https://aesencryption.net/
First an AES encryption with a key at 256bit mode
Next convert it to Base64 ( a Result of encryption in base64 in aesencryption.net )
And a decrypt system to get the first string from encrypted result.
In this thread the key has to be 32 lenght but in the aesencryption.net it can be everything .
Can you please guide me how can I create a system like aesencryption.net site ?
I need to read a X509 certificate in C++. I couldn't find a way to do that with the GnuTLS library. The certificate has to be read in PEM or DER format, so that I can process it twith functions of the GnuTLS library. Is there a pendant to the bio files provided in openssl, which allow me to read the certificate and concert it into processable format?
Actually it is important to generate a variable which contains a tuple of the certificate and the length of the certificate. The certificate can be read using fopen() and fread(). The tuple can be processed with gnutls_x509_crt_import(). That solves the problem for me.
I'm trying to encrypt and sign a file with cryptoapi with some X.509 certificates. I want to verify and decrypt this file with openssl.
On windows I think I need to use the CryptSignAndEncryptMessage function to encrypt and sign data. I used this example from MSDN to create a signed and encrypted message.
How can I decrypt/verify this file using openssl? I removed the first 4 bytes from the message since it contained the length of the message (from the windows blob).
When I call openssl -asn1parse I get some output that indicates it to be parsable by openssl.
When trying to verify the signature with openssl I recieve an error:
openssl rsautl -verify -inkey AlonsoCert.pem -keyform pem -certin -in sandvout-without-4byte.txt
RSA operation error
3073579208:error:0406706C:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data greater than mod len:rsa_eay.c:680:
CryptSignAndEncrypt message seems to use RC4 cipher with empty ASN.1 parameters field and, looking at OpenSSL sources, openssl chokes on try to generate IV (which is not needed for RC4).
Try to use other cipher (AES for example) in CryptAndSignMessage.
Anyway, RC4 is very old, insecure, and obsolete.
Your ASN.1 dump information shows you've created a PKCS#7 CMS output from your CryptoAPI code. As a result you cannot use the basic OpenSSL decryption and verification methods.
Instead, use the cms mode:
openssl cms -decrypt -inform DER -in sandvout-without-4byte.txt
-out decrypted.bin -recip testkey.pfx
(Note: I've not used this mode before, so I think the syntax I've suggested is correct. Either way, this should hopefully be the step in the right direction that solves this.)
Try using openssl smime to verify and/or decrypt. The syntax is fairly straight-forward but you can find the information here: http://www.openssl.org/docs/apps/smime.html
I have a CERT_CONTEXT structure which I've extracted from a smart card on Windows via the CryptoAPI. I need to convert this structure into a DER encoded byte array which is consistent with OpenSSL. The closest match I've got so far is via CryptEncodeObject using X509_ASN_ENCODING and the X509_CERT_TO_BE_SIGNED modifier which takes the CERT_INFO structure as input.
The problem is that it doesn't match with the output produced by the OpenSSL i2d_X509 function. Using a 2048 bit x509 certificate as input, OpenSSL produces 1789 bytes of encoded output whilst the Windows CryptoAPI produces 1638 bytes of encoded output.
The only option left that I can see is to create an X509 cert on the fly using the values from the CERT_CONTEXT structure and the encode the resulting object directly with the i2d_X509 function. The only problem with this is that I can't extract the private key from the smart card, so this may cause problems with the x509 cert creation routines.
If anyone can provide any insight/advice/tips into these matters, I'd be much obliged.
DER encoded certificate can be obtained from (ctx->pbCertEncoded, ctx->cbCertEncoded) buffer where ctx is a PCCERT_CONTEXT object. Still you won't be able to recover the private key.