I have a data file, a signature file (created by the GnuPG) and a public key.
I need to check the validity of the signed file. What's the best way to do this with Qt? I've found the Qt Cryptographic Architecture, but can't find any examples for my task. Can QCA do this?
It's always best not to write crypto yourself. can you write a wrapper around calls to gnupg and just execute gpg --verify pub.key file?
Having said that, it looks qca has done some of this work, see qca_securemessage.h, you presumeably want to call void startVerify(const QByteArray &detachedSig = QByteArray());
Related
I'm very new to this OpenSSL stuff and trying to learn my way through it. I want to generate an ec key but its keep failing to generate. I'm currently using OpenSSL 1.1.1n and here's a snippet based on understaning of EC_Key through documentation and from other people's example online:
EC_KEY* key = EC_KEY_new_by_curve_name(NID_secp521r1);
if (!key)
{
ERROR
}
EC_GROUP* ecgroup = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (ecgroup)
{
printf("ECGROUP IS NOT NULL!\n");
if (EC_KEY_set_group(key, ecgroup) != 1)
{
ERROR
}
}
if (EC_KEY_generate_key(key) != 1) //<-- fails at this function
{
ERROR
}
Maybe this piece of code is from an older version of OpenSSL but I don't see that function being mentioned in a change log. Any help would be really appreciated! Thanks in advance!
Edit:
Thanks for Jakob's answer I was able to get some more information about the failure by using ERR_get_error() function. The error I see now is
error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
The manual states:
EC_KEY_generate_key() generates a new public and private key for the
supplied eckey object. eckey must have an EC_GROUP object associated
with it before calling this function. [...]
Did you associate an EC_GROUP with the key before calling the function? There is a function called EC_KEY_set_group() which can be used to add a group object. Such an object can be created with the EC_GROUP_new().
By the way is there a reason, why you are still using OpenSSL 1.1.1. I would recommend using the latest version of the library OpenSSL 3.0. Even if you only want to learn stuff, it is probably more useful, if you immediately learn the newer version.
Edit
I do not know, what is behind your ERROR macro, but it might be a good idea to learn the OpenSSL error handling system. There are functions like ERR_print_errors() that maybe could have given you a hint about what was going wrong.
Answering myself in case someone is having this same issue.
I was able to get around this problem by building OpenSSl with no-shared flag. I'm not sure how that is affecting the lib in getting an entropy but that's the parameter that made the EC_KEY_generate_key() work.
Here's my working configuration command:
perl Configure no-shared VC-WIN32
The background of this is that I'm going to be given a binary file that's been signed using CryptoPP, with the signature included in the file, and the public key, and I want to be able to verify the file and extract the data (without its signature) into another file.
The code that's used to do this with Crypto++ is relatively trivial, but I've been looking around and can't find anything similar. Everything I've looked at seems to be messages where the signature is separate, but I'm not sure how I work out where, in the file, to pull the signature out.
The reason I want to do this is that, given I have a need for OpenSSL for other reasons, I don't want to have to also include Crypto++ in my application if I don't have to.
The existing verification code is like this:
const char *key = kPublicKey; // hex encoded public key
CryptoPP::StringSource f( key, true, new CryptoPP::HexDecoder);
CryptoPP::RSASS< CryptoPP::PSSR, CryptoPP::SHA1 >::Verifier verifier(f);
CryptoPP::FileSource( packageFilename.toStdString().c_str(), true,
new CryptoPP::SignatureVerificationFilter(
verifier,
new CryptoPP::FileSink( recoveredFilename.toStdString().c_str()),
CryptoPP::SignatureVerificationFilter::THROW_EXCEPTION | CryptoPP::SignatureVerificationFilter::PUT_MESSAGE )
);
Which, as I said, looks trivial but, presumably, there's a lot going on under the hood. Essentially that's given the name of a file that includes the content AND the signature, and a "verifier" which incorporates the public key, and checks if the file content is correct and produces a copy of the file without the signature in it.
What I want to do, then, is replicate this using OpenSSL, but I'm not sure whether there are functions in OpenSSL that will let me just pass the whole file and public key and let it work out where the signature is itself, or if I need to pull the signature out of the file somehow (it's stored at the end of the file!), then pass the file content bit by bit into EVP_DigestVerifyUpdate, then pass the signature into EVP_DigestVerifyFinal function.
Any help would be very gratefully appreciate.
UPDATE
I'm new to digital signing, so may have missed the significance of PSSR here. After some further research I now understand that the idea of PSSR is that the signature contains the message. It may be that the whole of the above could be summarised to:
Given a public key, and a PSSR signature generated using Crypto++, is it possible to verify the message and extract the original data using OpenSSL?
From the files (signatures) I've looked at, that have been generated by Crypto++ using its PSSR implementation, it looks like the data isn't changed; it just has extra stuff added at the end (the SIGNATURE_AT_END flag is used). I am struggling to find any reference to PSSR/PSS-R and OpenSSL using Google.
I'm trying to implement an icon-based property in Windows File Explorer, and my understanding from this post is that it requires returning a property store binary file from the property handler. Does anyone know how to create a property store binary file? After searching, I've come across some documentation on the specification, but I don't see any examples of how to create one. Thank you very much.
You don't need any binary file, you just need an implementation of IPropertyStore. You can create one using the PSCreateMemoryPropertyStore method.
IPropertyStore *ps;
if (SUCCEEDED(PSCreateMemoryPropertyStore(IID_PPV_ARGS(&ps))))
{
// do your work
ps->Release();
}
I'm trying to use QHttp for an update app. But there is a problem for me which I can't solve.
I try to download a file (works perfectly) but if there is no connection to the internet, the file is created but has 0 bytes. My old file is then overwritten with the empty file, which is not so good for the application trying to use the file. What I need is to check if the computer is connected to the internet.
Note: proxy may set. I used this example from Qt's homepage.
You should switch to the QNetworkAccessManager as Mike Suggested, here is an example of a slot on the finished() signal:
void ApplicationUpdate::replyFinishedhttpGetChangeLog(QNetworkReply* myReply) {
if (myReply->error() != QNetworkReply::NoError)
{
QByteArray returnedData = myReply->readAll();
if (returnedData.size() > 0) {
if( m_fileChangeLog->exists() )
{
m_fileChangeLog->close();
m_fileChangeLog->remove();
}
m_fileChangeLog->open(QIODevice::ReadWrite);
QDataStream out( m_fileChangeLog );
out.writeRawData(returnedData.data(), returnedData.size());
m_fileChangeLog->flush();
m_fileChangeLog->close();
}
}
}
Firstly, you should probably now be using QNetworkAccessManager rather than QHttp.
Using either of them, you should do a dummy query to a site you pretty much always know will be up (e.g. http://www.google.com/) and use that as a test to see if you have an internet connection.
A better way of doing this would be instead to use QNetworkAccessManager to read into a QByteArray and then check it isn't empty before writing to your file.
Whenever you write a file that might already exist, you should create a QTemporaryFile first, then, after successful download, rename it to the final name.
i ran into the same problem, after a bit of poking around, I've isolated the problem down to the project configuration file (.pro), in the broken configuration I was linking the networking library explicitly with the statement : "LIBS += -lQtNetwork". In the working configuration, I used the more formal (and qt compilant) approach of delcaring what Qt components are included in the project, like so: "QT = core gui network xml", adjust accordingly for your sitiation, the netowkring slots did not work on windows when explicitly linked but did work on linux. Using the qt compilant approach works on both platforms.
I need to replace all WinAPI calls of the
CreateFile,
ReadFile,
SetFilePointer,
CloseHandle
with my own implementation (which use low-level file reading via Bluetooth).
The code, where functions will be replaced, is Video File Player and it already works with the regular hdd files.
It is also needed, that Video Player still can play files from HDD, if the file in the VideoPlayer input is a regular hdd file.
What is the best practice for such task?
I suggest that you follow these steps:
Write a set of wrapper functions, e.g MyCreateFile, MyReadFile, etc, that initially just call the corresponding API and pass the same arguments along, unmodified.
Use your text editor to search for all calls to the original APIs, and replace these with calls to your new wrapper functions.
Test that the application still functions correctly.
Modify the wrapper functions to suit your own purposes.
Note that CreateFile is a macro which expands to either CreateFileW or CreateFileA, depending on whether UNICODE is defined. Consider using LPCTSTR and the TCHAR functions so that your application can be built as either ANSI or Unicode.
Please don't use #define, as suggested in other responses here, as this will just lead to maintenance problems, and as Maximilian correctly points out, it's not a best-practice.
You could just write your new functions in a custom namespace. e.g.
namespace Bluetooth
{
void CreateFile(/*params*/);
void etc...
}
Then in your code, the only thing you would have to change is:
if (::CreateFile(...))
{
}
to
if (Bluetooth::CreateFile(...))
{
}
Easy! :)
If you're trying to intercept calls to these APIs from another application, consider Detours.
If you can edit the code, you should just re-write it to use a custom API that does what you want. Failing that, use Maximilian's technique, but be warned that it is a maintenance horror.
If you cannot edit the code, you can patch the import tables to redirect calls to your own code. A description of this technique can be found in this article - search for the section titled "Spying by altering of the Import Address Table".
This is dangerous, but if you're careful you can make it work. Also check out Microsoft Detours, which does the same sort of thing but doesn't require you to mess around with the actual patching.
If you really want to hijack the API, look at syringe.dll (L-GPL).
I don't think this is best practice but it should work if you put it in an include file that's included everywhere the function you want to change is called:
#define CreateFile MyCreateFile
HRESULT MyCreateFile(whatever the params are);
Implementation of MyCreateFile looks something like this:
#undef CreateFile
HRESULT MyCreateFile(NobodyCanRememberParamListsLikeThat params)
{
if (InputIsNormalFile())
CreateFile(params);
else
// do your thing
}
You basically make every CreateFile call a MyCreateFile call where you can decide if you want need to use your own implementation or the orginal one.
Disclaimer: I think doing this is ugly and I wouldn't do it. I'd rather search and replace all occurences or something.