Same CSR with different signature using sha256WithRSAEncryption - encryption

I have downloaded a CSR from Azure Key Vault and wanted to recreate that CSR with OpenSSL commands.
The reason is that we might want to create that CSR from scripts without having an Azure KeyVault.
My context:
I created a CSR in Azure KeyVault.
I have retrieved the private key that the KeyVault used to create the CSR.
I inspected the KeyVault-generated CSR using openssl req -text -noout -verify -in csr.csr
I created my own CSR using OpenSSL and made sure all the subject information and Requested Extensions are the same as the KeyVault one.
When inspecting the newly created CSR (using above command) and the one generated by Azure KeyVault, they are identical (e.g. same modulus, same request extensions, same subject) except for the signature.
My question:
Are there components in a CSR that are not inspected using above command that can explain why the signatures are different while the rest is the same? Or is it because it is generated on a different machine? Or can it be they (KeyVault and OpenSSL) used different algorithms for sha256WithRSAEncryption which is not viewable with above inspection command? I'm trying to understand.
    Version: 1 (0x0)
    Subject: <<obf>>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
                <<obf>>
            Exponent: 65537 (0x10001)
    Attributes:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            DNS:<<obf>>
        X509v3 Basic Constraints:
            CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
    <<obf>>
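An added example, not part of the original question and not Azure or OpenSSL code: RSASSA-PKCS1-v1_5, the scheme behind sha256WithRSAEncryption, is deterministic, so with one private key two signatures differ only when the signed CertificationRequestInfo bytes differ. The sketch extracts those bytes and shows, on two constructed toy requests (host.example and all function names are assumptions), that a change of ASN.1 string type, which the default text dump does not display, is enough to change them.

```python
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element with a definite length."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body_start, end) for the element that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        return tag, pos, pos + first
    count = first & 0x7F                      # long form: length of the length
    length = int.from_bytes(buf[pos:pos + count], "big")
    return tag, pos + count, pos + count + length

def signed_part(csr_der: bytes) -> bytes:
    """Raw CertificationRequestInfo: the first element in the outer SEQUENCE."""
    tag, start, _ = read_tlv(csr_der)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    _, _, end = read_tlv(csr_der, start)
    return csr_der[start:end]

def toy_csr(cn: str, string_tag: int) -> bytes:
    """Constructed sample with CSR nesting; key and signature are empty stubs."""
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(string_tag, cn.encode()))
    info = tlv(0x30, tlv(0x02, b"\x00")       # version 0
               + tlv(0x30, tlv(0x31, atv))    # subject: one RDN holding the CN
               + tlv(0x30, b"")               # SubjectPublicKeyInfo stub
               + tlv(0xA0, b""))              # attributes [0], empty
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def digest_of_signed_part(csr_der: bytes) -> str:
    """SHA-256 over the signed bytes; this is the value the signature covers."""
    return hashlib.sha256(signed_part(csr_der)).hexdigest()

# Same subject text, different ASN.1 string type for the CN value
AS_PRINTABLE = toy_csr("host.example", 0x13)  # PrintableString
AS_UTF8 = toy_csr("host.example", 0x0C)       # UTF8String
```

For real requests, convert each PEM file to DER first (openssl req -in csr.csr -outform DER -out csr.der) and pass the file bytes to digest_of_signed_part; differing digests mean the two requests are not byte-identical under the signature.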

Related

google cloud iot core certificates

I am confused by the certificates associated with Google Cloud IoT Core.
Which CA certificate is used at the registry level, and how do I generate it?
And the "roots.pem" certificate used to communicate between the device and Cloud IoT Core using the MQTT bridge, which I got from this link 'https://pki.google.com/roots.pem': is it different from the one which is associated with the registry-level certificate?
I have tried adding the roots.pem certificate but it throws an error that the file is too big. I have also added the public key which is used to authenticate the device using a public/private key pair; it was added successfully. But I get confused about which one to use, where to use it, and how to generate one.
How do I verify a device with registry-level CA certificates for more security?
I am using the following commands:
for getting the roots.pem certificate
'https://pki.google.com/roots.pem'
for getting public/private key pair
openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -days 1000000 -out rsa_cert.pem -subj "/CN=unused"
I hope I can help answer your question. One thing that pops out is your use of the Google roots.pem. I'm not sure what that file is, but I haven't needed it in order to validate my GCP IoT clients. I use an openssl command nearly identical to yours (I just haven't been using the "-days:" parameter, but maybe I should!), then on the GCP Console web page for the device I use the "Add public key" to manually copy/paste the contents of the generated public key file (i.e.: "rsa_cert.pem"). Finally, I use the generated private key file (i.e.: "rsa_private.pem") in my code to sign the JWT.
Does that help? I'm not an "expert", but I've been working pretty regularly with this stuff for a couple months.
-C
I personally use Python to connect my device and the line of code looks like this:
self.Mqttclient = self.get_client(
    self.projectId, cloud_region, self.registryId, self.deviceId,
    self.credential, algorithm, root_certificate,
    mqtt_hostname, mqtt_port)
So yes, I created the root.pem exactly like you did, and created the public and private files with a Python script that basically does the same thing you do with openssl on the command line.
You can have a look here for more info about certificates.

How to use RSA BSafe Crypto-J library on Enterprise ColdFusion 2016

On the official Encrypt() doc page, it lists a number of RSA BSafe Crypto-J library encryption options for ColdFusion Enterprise, which I'm using. Under the Usage heading, it lists RSA PKCS#1 v1.5 (sign, verify) (SHA-1,SHA-224,SHA-256,SHA-384,SHA-512), of which I want to use the SHA-256.
I've tried the following as the algorithm parameter, some of which I found googling:
RS256
SHA-256
SHA256
SHA256withRSA
sha256WithRSAEncryption
The result is always an error, e.g. for the first one above:
The RS256 algorithm is not supported by the Security Provider you have chosen.
How do I check the Security Provider I apparently have chosen? I don't see anything about it in ColdFusion Administrator.
What is the correct string, in my case, to pass as the algorithm parameter?

AIX OpenPGP Certificate SecureZip

I have been tasked with duplicating the functionality of SecureZip; namely encrypting and digitally signing a file and then sending via SFTP.
I've been able to put together a Java program based on the Bouncy Castle examples, and have been able to encrypt and decrypt files (with a locally generated PGP key) using this program. However, now I'm trying to implement the digital signature and want to capture the keys used for signing on the AIX system that is running the SecureZip commands.
So when I run the command
pkzipc -listcertificates
I get a response that indicates there are two OpenPGP certificates available for signing. Referring to them using
pkzipc -archivetype=pgp -add -recipient=<PUBLIC KEY RECIPIENT> -certificate=<CERT NAME> -sign=files file.out file.in
allows me to create the encrypted files using this CERT NAME cert. My question is, where? Where are these certificates located? Does AIX have a central OpenPGP certificate location or are these somehow imported into some SecureZip storage location?
Using SecureZip Server Version 14 for AIX
Using AIX 7100-03
I found the certificate location. Evidently there are three locations in UNIX that PKZIPC looks (according to the manual I finally got my hands on):
For public keys:
$PK_OPENGPG_PUBLIC_RING
$HOME/.pgp/pubring.pkr
For private keys:
$PK_OPENPGP_SECRET_RING
$HOME/.pgp/secring.skr
$HOME/.gnupg/secring.gpg

Decrypting/Encrypting PGP in Load Runner Script for correlation/parameterization

One of the applications that we stumbled upon is a ThickClient desktop application with WCF web services at the backend. We are able to record the communication using LR VuGen 11.52/12.02, which is in the form of SOAP requests.
We are facing a big challenge wherein the ThickClient sends out communication via PGP Encryption.
Is there a method or process by which we can decrypt such messages and correlate/parameterize required data and then repost the same to server?
Yes. You need the decryption and encryption keys. You will also need an implementation of the PGP algorithm in C. With all of those items in place you also stand a better than fair chance of leveraging the DFE (Data Format Extensions) for LoadRunner to have the work of encryption and decryption handled on the fly.
References
http://cypherspace.org/openpgp/
http://claudihome.com/html/LR/WebHelp/Content/VuGen/c_web_data_format_extensions.htm

What is a PGP Secret Key?

I am working on a C# app that encrypts/decrypts messages using PGP implemented by the Bouncy Castle (BC) library. I know PKI but the secret key in PGP throws me off a bit. I looked at the BC examples/source code and the PGP RFC but came away with more questions.
Is Secretkey == Session key?
Is Secretkey == Symmetric key?
Is Secretkey == private key (pub/priv key pairs)? At least the following seems to suggest that the secret key is a private key.
internal static PgpPrivateKey FindSecretKey(PgpSecretKeyRingBundle pgpSec, long keyID, char[] pass)
The RFC says the secretkey contains, among others, information about the publickey or may be the public key itself (at least that's my reading).
Also, somewhere I read the Secretkey is basically a password encrypted privatekey.
When/why would I need a secret key in the PGP protocol? Signing or encrypting?
Thanks
Quoting RFC 4880, OpenPGP, 5.5.1.3. Secret-Key Packet:
A Secret-Key packet contains all the information that is found in a
Public-Key packet, including the public-key material, but also
includes the secret-key material after all the public-key fields.
and 11.2. Transferable Secret Keys:
[...] The format of a transferable
secret key is the same as a transferable public key except that
secret-key and secret-subkey packets are used instead of the public
key and public-subkey packets. Implementations SHOULD include self-
signatures on any user IDs and subkeys, [...]
In other words, the secret key contains the public/private key pair (e.g., RSA), but should also contain user IDs and self-signatures. 12.1. Key Structures gives more details on how exported keys are constructed. Helpful tools for understanding the composition of OpenPGP packets are gpg --list-packets [file] or pgpdump [file], which dump the packet structure of their input.
In this case the secret key is a private key. The private key can be used for signing or decryption. Encryption and verification are performed using the public key of the other party. A secret key is nowadays mostly thought of as a symmetric key, but it can also mean private, especially in older protocols.
There is a lot of this kind of confusion in cryptography; the best thing to do is to look at the context. For instance, if there is a public key, the key cannot be symmetric.
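The packet layout quoted from RFC 4880 above, as an added example that is not part of the original answers and not Bouncy Castle code: a small reader for OpenPGP packet headers that splits a version 4 RSA Secret-Key packet into its public-key fields and the string-to-key usage octet that says whether the secret material is passphrase-protected. The byte strings are constructed (toy modulus, placeholder secret data, user ID "alice") and the function names are assumptions.

```python
def read_packets(data: bytes):
    """Yield (tag, body) per the packet header rules in RFC 4880 section 4.2."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if first & 0x40:                        # new-format header
            tag, octet = first & 0x3F, data[pos]
            pos += 1
            if octet < 192:
                length = octet
            elif octet < 224:
                length = ((octet - 192) << 8) + data[pos] + 192
                pos += 1
            elif octet == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                   # old-format header
            tag, length_type = (first >> 2) & 0x0F, first & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length not handled here")
            size = 1 << length_type             # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length

def skip_mpi(body: bytes, pos: int) -> int:
    """An MPI is a 2-octet bit count followed by the big-endian integer."""
    bits = int.from_bytes(body[pos:pos + 2], "big")
    return pos + 2 + (bits + 7) // 8

def split_rsa_key(tag: int, body: bytes):
    """Return (public fields, S2K usage octet or None) for a v4 RSA key packet."""
    if body[0] != 4 or body[5] not in (1, 2, 3):
        raise ValueError("only version 4 RSA keys handled here")
    end = skip_mpi(body, skip_mpi(body, 6))     # skip MPIs n and e
    # Tags 5 and 7 are Secret-Key and Secret-Subkey; tags 6 and 14 stop here.
    # Usage octet: 0 = secret MPIs in the clear, 254/255 = passphrase-protected
    return body[:end], (body[end] if tag in (5, 7) else None)

# Constructed sample, not a usable key: toy modulus, placeholder secret data
PUBLIC = bytes.fromhex("04" "00000000" "01" "0010c335" "0011010001")
SECRET = PUBLIC + b"\xfe" + b"\x00" * 8
RING = bytes([0x94, len(SECRET)]) + SECRET + bytes([0xCD, 5]) + b"alice"
```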
