Python Openssl Sign and Verify functions - c++

I'm currently working on expanding some python code a co-worker wrote to use X509 certificates with the OpenSSL library. I have managed to get all but a few of the OpenSSL functions working. The libraries / functions that I am using are
from OpenSSL.crypto import FILETYPE_PEM
from OpenSSL.crypto load_certificate, verify, sign, load_privatekey
I am currently creating certificates on my local machine with
openssl req -x509 -newkey rsa:2048 -out rootcert.pem -outform PEM -days 1825
and then "pushing" that to a server (also on local machine), which then returns me a 64 character long random alphanumeric string. I then take the string and sign it using
openssl rsautl -sign -inkey rootprivkey.pem -in string -out signedstring
When I push the signed random string to the server, it takes it to verify (using OpenSSL.crypto.verify) with the certificate I previously sent, the process fails. However, if I use the verify function on the command line (openssl rsautl -verify -inkey rootprivkey.pem -in signedstring), it works.
If I push the private key to the server and use the OpenSSL.crypto.sign (sign(private key, data, digest)) function to sign the same random string and put that into the verify (verify(certificate, signature, data, digest)) function, it works.
I've tried all of the different types of padding when signing the string, and none of those worked. I've also tried doing a digest hash of the string first and then signing that file, based on an old question on SO:
openssl dgst -sha1 -binary < string > digeststring
openssl rsautl -sign -inkey rootprivkey.pem -keyform PEM -in digeststring > signedstring
But obviously that did not work either.
I do not know if I am either generating the certificate and signing the string incorrectly, if I am using the OpenSSL.crypto library incorrectly (I have checked many times to make sure that I am passing the correct variables into the OpenSSL functions), or if the command line functions and the python functions are incompatible.
For reference:
Python 2.7.3
OpenSSL 1.0.1 (March 12)

Related

OpenSSL Can't open cert_config.txt for reading, No such file or directory 25968:error:02001002:system library:fopen:

I am in step 3 of AWS OTA documentation https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html
I am able to do the first two steps but not able to make the certificate:
openssl req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt
I get the following error:
Can't open cert_config.txt for reading, No such file or directory
25968:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1k/crypto/bio/bss_file.c:69:fopen('cert_config.txt','r')
25968:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1k/crypto/bio/bss_file.c:76:
I have tried:
installing another version of ssl instead of using git bash but I ran into the same issue
I have tried elevated privleges as adminstrator
I have tried the full path to "cert_config.txt" with or without double quotations and to no avail
Any help is appreciated
I am an idiot, if I look at the full file it's cert_config.txt.txt
Try ./cert_config.txt in the parameter.

How to sign an ova file?

I am trying to sign an ova file by following this link. I also generated the manifest file but I don't see any information in the signed file. Here is the command I am using:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:1024 -keyout myself.pem -out myself.pem
openssl sha1 *.ova > myself.mf
ovftool --privateKey=myself.pem sample.ova sample-signed.ova
When I run ovftool sample-signed.ova it has no manifest information. I tried unzipping the ova file and did exactly the same with ovf file but it didn't help either.
ovftool --version
VMware ovftool 4.1.0 (build-2459827)
OVA is a tar archive of
OVF (XML) file,
related resource files (e.g. disk VMDKs),
and that MF file containing hashes of files on the list above,
etc...? (e.g. CERT signature).
Signing process adds a CERT file (containing generated signature of the MF file, and the certificate). I'm note sure for now whether ovftool can operate on OVF or MF file itself. However, when running on the whole OVA archive, it also creates the MF file, if missing, into the new signed OVA (that's for ovftool-4.5.0-20459872).

.pfx with multiple PrivateKeyEntry not working in Postman - Error: MULTIPLE_PRIVATE_KEYS_IN_PKCS12

I'm trying to put all the different certificates in a single .pfx (PKCS12) file. I am able to import all the PrivateKeyEntry(s) in a master pfx file (also I verified the entries using keytool command - output snippet -
alias1, Sep 9, 2020,PrivateKeyEntry,
Certificate fingerprint (SHA1):<XX:YY:...>
alias2, Sep 9, 2020,PrivateKeyEntry,
Certificate fingerprint (SHA1):<AA:BB:...>
)
but when I'm using this pfx in Postman I'm getting "Error: MULTIPLE_PRIVATE_KEYS_IN_PKCS12"!
When I'm using certificates individually then everything is working fine in Postman. I checked already that multiple PrivateKeyEntry can reside in a single .pfx file - Can a .pfx file contain more than one private key?.
Instead of maintaining separate pfx files to connect separate systems I want to keep all certificate entries in a single file (pfx) so that can be used for all the different systems.
Is it possible?
Thanks in advance!
You can convert pfx certificate into another format. Crt+key works for me.
You can use OpenSSL to convert certificate:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
openssl pkcs12 -in certificate.pfx -nocerts -out key-encrypted.key

Define CA Info at Compile Time for libcurl

I have built libcurl for Windows x64 with OpenSSL. If I specify the CA Info with the libcurl command as shown below I am able to post my data via https.
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\\cacert.pem");
My question is regards to option 3 under the heading “Certificate Verification” found here: https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
Thanks!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL has the same settings for compile time. More accurately, they are Autotools options.
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
...
--with-ca-bundle=FILE Path to a file containing CA certificates (example:
/etc/ca-bundle.crt)
--without-ca-bundle Don't use a default CA bundle
--with-ca-path=DIRECTORY
Path to a directory containing CA certificates
stored individually, with their filenames in a hash
format. This option can be used with OpenSSL, GnuTLS
and PolarSSL backends. Refer to OpenSSL c_rehash for
details. (example: /etc/certificates)
--without-ca-path Don't use a default CA path
--with-ca-fallback Use the built in CA store of the SSL library
--without-ca-fallback Don't use the built in CA store of the SSL library
I build cURL on occasion for testing on older systems like CentOS 5. I find it is easiest to download an updated cacert.pem, and then use --with-ca-bundle.
If you want to use --with-ca-path, then that is the one where each certificate is hashed. So you will have a directory with 120 or 150 files in it. The files will have names like NNNNNNNN.0, NNNNNNNN.1 and so on. NNNNNNNN will be a hash, and collisions are resolved by incrementing the suffix.
I keep my script for building cURL online at Build-Scripts | build-curl.sh.

How is "Encryption key SHA256" computed on Google Cloud Storage?

I generated an AES key and used gsutil to upload a client-side encrypted file to GCP storage. The file is shown to be client-encrypted and the metadata contains an "Encryption key Sha256" that appears to be base 64.
When I calculate the sha256sum of my key string and convert to base 64, it does not match. How is this value computed?
The hash is computed on the base64 decoded key string.
Try using this command:
export encryption_key=yxCPz7MD1bLjcBJXiXAlu6obBAAn2leIebkTtnxtB+U=
echo "${encryption_key}" | base64 -d | openssl dgst -binary -sha256 | base64
Reference:
https://unix.stackexchange.com/questions/3675/how-can-i-get-a-base64-encoded-shax-on-the-cli?newreg=54d06c85faaf4d739723334c6f9e13d3