google cloud iot core certificates - google-cloud-iot

I am confused about the certificates associated with Google Cloud IoT Core.
Which CA certificate is used at the registry level, and how do I generate it?
And the "roots.pem" certificate used to communicate between the device and Cloud IoT Core over the MQTT bridge, which I got from this link: https://pki.google.com/roots.pem. Is it different from the one associated with the registry-level certificate?
I have tried adding the roots.pem certificate, but it throws an error that the file is too big. I have also added the public key that is used to authenticate the device with a public/private key pair; it was added successfully. But I am confused about which one to use, where to use it, and how to generate one.
How do I verify a device with registry-level CA certificates for more security?
I am using the following commands.
For getting the roots.pem certificate:
https://pki.google.com/roots.pem
For getting the public/private key pair:
openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -days 1000000 -out rsa_cert.pem -subj "/CN=unused"

I hope I can help answer your question. One thing that pops out is your use of the Google roots.pem. I'm not sure what that file is, but I haven't needed it in order to validate my GCP IoT clients. I use an openssl command nearly identical to yours (I just haven't been using the "-days" parameter, but maybe I should!), then on the GCP Console web page for the device I use "Add public key" to manually copy/paste the contents of the generated public key file (i.e. "rsa_cert.pem"). Finally, I use the generated private key file (i.e. "rsa_private.pem") in my code to sign the JWT.
Does that help? I'm not an "expert", but I've been working pretty regularly with this stuff for a couple months.
-C
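The key-pair-plus-JWT flow the answer above describes, as an added example that is not code from either post. It generates the device key pair with openssl, mints the RS256 JWT that the MQTT bridge takes as the connection password (the claims are iat, exp and aud = the GCP project id), and then checks that JWT locally the way the cloud side does, with the device's public key; the project id "my-gcp-project" and the temporary file names are assumptions. Either the bare public key (RSA_PEM) or a self-signed certificate made with the question's openssl req command (RSA_X509_PEM) can be pasted under "Add public key"; only the public half is ever registered. For what it is worth, roots.pem is Google's CA bundle that the device uses to verify the TLS certificate of the MQTT bridge, and a registry-level CA certificate is used to validate device certificates added to that registry; neither plays a part in signing the JWT below.

```shell
#!/bin/sh
# Added example, not from the question or either answer: device key pair, the RS256 JWT
# used as the MQTT password, and a local check of that JWT with the registered public key.
# Assumptions: project id "my-gcp-project"; OpenSSL CLI on PATH; base64url built with tr.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {
  _b64s=$(tr '_-' '/+')
  while [ $(( ${#_b64s} % 4 )) -ne 0 ]; do _b64s="$_b64s="; done   # restore stripped padding
  printf '%s' "$_b64s" | openssl base64 -d -A
}

# 1. Device key pair. rsa_public.pem is what goes into "Add public key" (format RSA_PEM);
#    rsa_private.pem stays on the device and is only ever used to sign JWTs.
gen_device_keys() {   # $1 = output dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/rsa_private.pem" 2>/dev/null
  openssl pkey -in "$1/rsa_private.pem" -pubout -out "$1/rsa_public.pem"
}

# 2. JWT = b64url(header).b64url(claims).b64url(signature); the signature is
#    RSASSA-PKCS1-v1_5 with SHA-256 over the literal string "header.claims".
make_jwt() {   # $1 = private key, $2 = project id (aud), $3 = iat epoch seconds, $4 = lifetime seconds
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  body=$(printf '{"iat":%d,"exp":%d,"aud":"%s"}' "$3" "$(( $3 + $4 ))" "$2" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$body" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$body" "$sig"
}

# 3. What the bridge does with the token: split it, recompute SHA-256 over "header.claims",
#    and verify the RSA signature with the public key registered for the device.
verify_jwt() {   # $1 = public key, $2 = jwt; exit status 0 only if the signature checks out
  IFS=. read -r hdr body sig <<EOF
$2
EOF
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_decode > "$sigfile"
  if printf '%s.%s' "$hdr" "$body" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"
  return $rc
}

main() {
  dir=$(mktemp -d)
  gen_device_keys "$dir"
  jwt=$(make_jwt "$dir/rsa_private.pem" my-gcp-project "$(date +%s)" 3600)
  if verify_jwt "$dir/rsa_public.pem" "$jwt"; then echo "JWT verifies with rsa_public.pem"; fi
  # Rewriting the claims (here: a far-future exp) without the private key breaks the signature.
  forged="${jwt%%.*}.$(printf '{"iat":0,"exp":9999999999,"aud":"my-gcp-project"}' | b64url).${jwt##*.}"
  if ! verify_jwt "$dir/rsa_public.pem" "$forged"; then echo "forged claims rejected"; fi
  rm -rf "$dir"
}
main
```

The same three functions map onto any MQTT client: the device sends the output of make_jwt as the password (the username is ignored by the bridge) and must mint a fresh token before exp passes, since the bridge disconnects clients whose token has expired.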

I personally use Python to connect my device, and the line of code looks like this:
self.Mqttclient = self.get_client(
    self.projectId, cloud_region, self.registryId, self.deviceId,
    self.credential, algorithm, root_certificate,
    mqtt_hostname, mqtt_port)
So yes, I created the roots.pem exactly as you did, and created the public and private files with a Python script that does basically the same thing you do with openssl on the command line.
You can have a look here for more info about certificates.

Related

I can't decrypt or verify messages sent using Symantec's PGP with GPG Keychain

I'm not using the command line, merely two separate GUI programs that should functionally work together, but I'm unable to either verify a signed file or decrypt a file sent to me by someone else using Symantec's PGP program; I'm using "GPG Keychain." They have my public key and I have theirs. Any idea why they're not working when they should be?

How to hide sensitive data from node.conf?

Can someone please give me an example of the corporatePasswordStore that is mentioned here:
https://docs.corda.net/node-administration.html?fbclid=IwAR0gRwe5BtcWO0NymZVyE7_yMfthu2xxnU832vZHdbuv17S-wPXgb7iVZSs#id2
I've been doing a lot of research in the last few days on how to hide the plain passwords from node.conf; it's a new topic for me, and this is what I came up with so far:
1. Create a priv/pub key with gpg2.
2. Create a password store with pass (using the key that I generated earlier).
3. Store all the plain passwords from node.conf inside that password store.
4. Replace the plain passwords in node.conf with environment variables (e.g. keyStorePassword = ${KEY_PASS}).
5. Create a script file (e.g. start_node.sh) that will do the following:
   a. Set an environment variable to one of the passwords from the password store: export key_store_password=$(pass node.conf/keyStorePassword)
   b. Start the node: java -jar corda.jar
   c. Restart the gpg agent to clear the cached passwords; otherwise you can get any password from the store without passing the passphrase: gpgconf --reload gpg-agent
Pros:
- Using the bash file start_node.sh allows setting many passwords as environment variables at once (e.g. keyStore, trustStore, DB passwords, RPC user password).
- Since we are running the bash file with bash start_node.sh and not source start_node.sh, the environment variable is not exposed to the parent process (i.e. you cannot read that environment variable's value inside the terminal where you ran bash start_node.sh).
- History commands are not enabled by default inside bash scripts.
Cons:
- You can no longer have a service that automatically starts on VM startup, because the start_node.sh script will ask for the passphrase of the gpg key that was used to encrypt the passwords inside the password store (i.e. it's an interactive script).
Am I over-complicating this? Do you have an easier approach? Is it even necessary to hide the plain passwords?
I'm using Corda open source, so I can't use the Configuration Obfuscator (which is for Enterprise only): https://docs.corda.r3.com/tools-config-obfuscator.html#configuration-obfuscator
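The launcher pattern from the question above, as an added example that is not the poster's start_node.sh. The pass/gpg lookup is replaced by a constructed function so the script runs offline; the secret values, variable names and the TRUST_PASS placeholder are assumptions. It passes each password to the node process through a `VAR=value command` prefix assignment, which never sets the variable in the launching shell at all (so the bash-versus-source question goes away), and it makes one caveat visible: on Linux the environment of the running node is still readable from /proc/<pid>/environ by any process running as the same user, so this hides passwords from node.conf and the shell history, not from a local attacker with that account.

```shell
#!/bin/sh
# Added example, not the poster's script: same launcher idea as start_node.sh, with the
# password store replaced by a constructed lookup so it runs offline. Corda itself resolves
# ${KEY_PASS} in node.conf from the environment; this script only delivers the value.
set -eu

# Constructed stand-in for `pass node.conf/<name>`; a real store would call pass/gpg here.
lookup_secret() {
  case "$1" in
    node.conf/keyStorePassword)   printf '%s' 'ks-secret-constructed' ;;
    node.conf/trustStorePassword) printf '%s' 'ts-secret-constructed' ;;
    *) echo "no such secret: $1" >&2; return 1 ;;
  esac
}

# Run a command with the secrets present only in that command's environment. A prefix
# assignment ("VAR=value cmd") never touches this script's own variables, so nothing
# is left behind even if this file is sourced instead of executed.
run_with_secrets() {
  KEY_PASS="$(lookup_secret node.conf/keyStorePassword)" \
  TRUST_PASS="$(lookup_secret node.conf/trustStorePassword)" \
  "$@"
}

# The child (here a throwaway sh standing in for java -jar corda.jar) sees the value...
child_sees_secret() { run_with_secrets sh -c '[ "$KEY_PASS" = ks-secret-constructed ]'; }
# ...while the launcher shell never holds it.
parent_is_clean()   { [ -z "${KEY_PASS-}" ] && [ -z "${TRUST_PASS-}" ]; }

# Caveat: on Linux the child's environment is readable by any same-user process via
# /proc/<pid>/environ, so the password is hidden from node.conf, not from that user.
child_env_visible_in_proc() {
  [ -r /proc/self/environ ] || return 0   # not Linux: nothing to show
  run_with_secrets sh -c 'tr "\0" "\n" < /proc/$$/environ | grep -q "^KEY_PASS="'
}

main() {
  child_sees_secret && echo "node process receives KEY_PASS"
  parent_is_clean   && echo "launcher shell never holds KEY_PASS"
  child_env_visible_in_proc && echo "...but /proc/<pid>/environ of the node process still shows it"
  # The real launch would be: run_with_secrets java -jar corda.jar
}
main
```

The interactive-passphrase con from the question is unchanged by this: whatever replaces lookup_secret still has to unlock the store, so an unattended service needs a non-interactive secret source (an agent already unlocked at boot, or a store that releases secrets to a specific service identity) rather than a tty prompt.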
I wrote a detailed article here: https://blog.b9lab.com/enabling-corda-security-with-nodes-configuration-file-412ce6a4371c, which covers the following topics:
Enable SSL for database connection.
Enable SSL for RPC connection.
Enable SSL for Corda webserver.
Enable SSL for Corda standalone shell.
Hide plain text passwords.
Set permissions for RPC users.

AIX OpenPGP Certificate SecureZip

I have been tasked with duplicating the functionality of SecureZip; namely encrypting and digitally signing a file and then sending via SFTP.
I've been able to put together a java program based on the bouncycastle examples, and have been able to encrypt and decrypt files (with a locally generated PGP key) using this program. However, now I'm trying to implement the digital signature and want to capture the keys used for signing on the AIX system that is running the SecureZip commands.
So when I run the command
pkzipc -listcertificates
I get a response that indicates there are two OpenPGP certificates available for signing. Referring to them using
pkzipc -archivetype=pgp -add -recipient=<PUBLIC KEY RECIPIENT> -certificate=<CERT NAME> -sign=files file.out file.in
allows me to create the encrypted files using this CERT NAME cert. My question is: where? Where are these certificates located? Does AIX have a central OpenPGP certificate location, or are these somehow imported into some SecureZip storage location?
Using SecureZip Server Version 14 for AIX
Using AIX 7100-03
I found the certificate location. Evidently there are three locations on UNIX that PKZIPC looks in (according to the manual I finally got my hands on):
For public keys:
$PK_OPENGPG_PUBLIC_RING
$HOME/.pgp/pubring.pkr
For private keys:
$PK_OPENPGP_SECRET_RING
$HOME/.pgp/secring.skr
$HOME/.gnupg/secring.gpg

GPG Encrypt Fails in IIS .net App but works in Visual Studio

Workstation: Win7 Pro
Server: Win 2008
VB.net - using the System.Diagnostics.Process tools
Gpg4win 2.2.5 installed on both computers.
The Key Pair was generated on Win 7 and backed up to the server.
A public key was provided by the recipient.
Both keys were moved to a file share
Both gpg installations were cleared of all keys.
The Backup of the key pair was imported as well as the Public key of the recipient.
Both keys were trusted. This was all done in a DOS command window.
gpg --allow-secret-key-import --import "//fileshare/KeyBackup.gpg"
(results indicate Secret key is available)
gpg --allow-secret-key-import --import "//fileshare/PUBLIC.asc"
gpg --edit-key pairkey#mycompany.com (trusted "ultimately")
gpg --edit-key publicKeys#their.com (trusted "ultimately")
In visual studio, on my work station, a vb.net app successfully encrypts and signs a file.
Move the app to the server and run it under IIS, and encryption fails with the message "No Secret Key". To make it more fun, encryption DOES work on the server if you use manual DOS commands.
The file to be encrypted is on a share and both applications reference it.
As far as I can tell, both Gpg4win installations are identical and have the very same keys. Both keys were imported from the same location in the same manner.
I await the opinions of the superior minds of Stack Overflow.
Thanks
I tried setting the GNUPGHOME environment variable to a specific location; my ASP.NET application running from IIS didn't seem to honor it and couldn't find my keys.
Eventually I discovered it kept trying to find the key files from c:\gnupg on the iis server (irrespective of GNUPGHOME). I copied all the keyring files to that location, and it finally worked.

How to generate a key in Qt using openssl?

I need to create a private key using OpenSSL in Qt and then use that key to sign a zip file. I don't even have a clue how to do this! Can somebody help me?
Creating a key is a multi-step process: create a "certificate signing request" (CSR), give the CSR to the "certificate authority" (CA), and the CA will sign the certificate and return a public certificate to you. (You do this once, at first program execution.) You add the certificate and private key to your certificate store (once per program execution), and then you can finally sign the file (probably using an EVP_* function). (Once per zip file.)
Good luck :) OpenSSL is a beast. I suggest using a helper tool such as TinyCA if you're also going to be your own CA. (There's nothing wrong with learning the openssl command line for CA functions, it is just a ton of extra work that doesn't get you much closer to your immediate goal. Still worth looking at.)
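The CSR-to-CA-to-certificate flow in the answer above, carried through on the openssl command line as an added example (not code from the question, the answer, or any project). It plays the CA itself with a throwaway self-signed root, issues a certificate for the program's key from a CSR, signs a constructed stand-in for the zip with a detached CMS (PKCS#7) signature, and verifies that signature against the CA, which is the same check a recipient would run. The subjects "Example Signing CA" and "zip-signer", the file names and the sample payload are assumptions; the minimal config files are written inline so the system openssl.cnf is not needed. The same steps done from Qt would be the EVP_*/CMS_* calls behind these commands.

```shell
#!/bin/sh
# Added example, not from the question or answer: be your own CA, enroll a signing key via a
# CSR, then produce and verify a detached CMS signature over a file. Assumes the OpenSSL CLI.
set -eu

# Minimal req config so the example does not depend on the system openssl.cnf.
# $1 = path, $2 = CN, $3 = "ca" (CA extensions) or "ee" (end-entity signing extensions)
write_cnf() {
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n' "$2"
    if [ "$3" = ca ]; then
      printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
    else
      printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\n'
    fi
  } > "$1"
}

# 1. The "certificate authority": a self-signed root (stands in for TinyCA or a real CA).
make_ca() {        # $1 = work dir
  write_cnf "$1/ca.cnf" "Example Signing CA" ca
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" 2>/dev/null
}

# 2. The program's own private key + CSR; the CA signs the CSR and hands back a certificate.
#    This is the "once at first program execution" step in the answer.
enroll_signer() {  # $1 = work dir
  write_cnf "$1/ee.cnf" "zip-signer" ee
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ee.cnf" \
    -keyout "$1/signer_key.pem" -out "$1/signer.csr" 2>/dev/null
  openssl x509 -req -in "$1/signer.csr" -CA "$1/ca_cert.pem" -CAkey "$1/ca_key.pem" \
    -CAcreateserial -days 365 -extfile "$1/ee.cnf" -extensions ext \
    -out "$1/signer_cert.pem" 2>/dev/null
}

# 3. Per file: detached CMS signature (DER), signer certificate embedded so a verifier
#    only needs the CA certificate and the original file.
sign_zip() {       # $1 = work dir, $2 = file to sign, $3 = signature output path
  openssl cms -sign -binary -in "$2" -signer "$1/signer_cert.pem" -inkey "$1/signer_key.pem" \
    -outform DER -out "$3"
}

# Exit status 0 only if the signature matches the file AND the embedded signer certificate
# chains to the trusted CA; a changed byte, or a certificate from another CA, fails.
verify_zip() {     # $1 = CA cert, $2 = file, $3 = detached signature
  openssl cms -verify -binary -inform DER -in "$3" -content "$2" -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  make_ca "$d"
  enroll_signer "$d"
  openssl verify -CAfile "$d/ca_cert.pem" "$d/signer_cert.pem"
  # Constructed stand-in for the zip archive; any byte string works the same way.
  printf 'PK\003\004 constructed stand-in for a zip archive\n' > "$d/build.zip"
  sign_zip "$d" "$d/build.zip" "$d/build.zip.p7s"
  if verify_zip "$d/ca_cert.pem" "$d/build.zip" "$d/build.zip.p7s"; then echo "build.zip: signature OK"; fi
  printf 'X' >> "$d/build.zip"
  if ! verify_zip "$d/ca_cert.pem" "$d/build.zip" "$d/build.zip.p7s"; then echo "modified build.zip: rejected"; fi
  rm -rf "$d"
}
main
```

Keeping the CA key separate from the signer key is the point of the CSR step: the program only ever holds signer_key.pem, and revoking or reissuing its certificate does not touch the root that recipients trust.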
