Retrieve a certificate's SHA1 hash from macOS Keychain Access - x509certificate

I have many certificates with the same name, but they have different SHA1 hashes. I know the expiration date of the cert I want to retrieve, but I don't know its SHA1 hash. I can see the certificate's expiration date in Keychain Access, but how do I see find its SHA1 hash?

To view the SHA-1 fingerprint of a certificate in macOS Keychain Access you have to double click the certificate in the list or select it (single click) and click the "i" button at the bottom of the window. This opens a window with additional information about the certificate. Besides "Trust" there should be another collapsible category named "Details". If you expand it and scroll down to the very bottom, you should see the SHA-1 fingerprint.

Related

install4j stuck at password input during javafx application code-signing for Mac

Despite all our attempts, we could not get past the password entry popup. Usually, this is an issue with an incorrect password or a "head-space and timing issue", but we've confirmed the password to the KeyStore App is correct.
We are attempting to sign our javafx 17 application in order to submit it to the mac app store. We've followed the instructions from Apple to create the certificate, and from the docs on Install4j to upload the certificate. After attempting several times and checking the KeyChain password we still continue to fail - see image below. I've also allowed full access to the certificate in the keyChain app by double clicking the certificate -> Access Control and checking "Allow all applications to access the item". Despite the certificate being unrestricted, we could not get past the password entry.
Install4j Docs on code-signing: https://www.ej-technologies.com/resources/install4j/v/8.0/help/doc/concepts/codeSigning.html
Preparing your app for distribution:
https://developer.apple.com/macos/distribution/
Signing you apps for GateKeeper -- Apple id for apps distributed outside the Mac Store: https://developer.apple.com/developer-id/
Has anyone had a similar issue with Install4j 9.0.7? What was the solution?
--update:
Upon further inspection, the EJ Technologies Install4j docs describe that the certificate "Subject Name" must be "Developer ID Application". I am not sure if this is an accurate description. The certificate's Subject Name, Common Name is "Developer ID Application:MyDeveloperName(123.....)". There is no option from apple to give the Certificate a Subject Name. I'm also not sure if this is related to the password problem.
If you have created the certificate signing request with a private key that uses elliptic curve cryptography, it will not work in 9.0.7. Contact support#ej-technologies.com for a build that will work in this case. Also, please make sure to select both the public and the private key before exporting from the KeyChain app.
I've also allowed full access to the certificate in the keyChain app by double
clicking the certificate -> Access Control and checking "Allow all applications
to access the item"
Don't do that, install4j does not access the KeyChain, it works with the PKCS#11 keystore that you export from it and you set a password during export for full access.
The certificate's Subject Name, Common Name is "Developer ID
Application:MyDeveloperName(123.....)". There is no option from apple to give
the Certificate a Subject Name. I'm also not sure if this is related to the
password problem.
No, that is fine, "Developer ID Application" is the type of the certificate.
However, regarding:
We are attempting to sign our javafx 17 application in order to submit it to
the mac app store.
This will not work with a "Developer ID Application" certificate which is only suitable for standalone distribution. Submitting to the App Store will be supported in the upcoming install4j 10 (very soon). You need different certificates for that and it is not possible to create a signed artifact with install4j 9 that will be accepted by the App Store.
-- Solution:
Based on the answer provided by Ingo Kegel we were successful in 1) bundling our application into a DMG, 2) signing it, and 3) getting it notarized by Apple using Install4j.
Here is a description of what worked.
There are multiple passwords needed. We further had problems with other passwords. After Ingo's comments we were able to get through these. Note that the first password is NOT the apple "Keychain Access" app password. It is the password that you set when you create the .pkcs12 file.
This post is a supplement to the instructions provided by EJ-Technologies and by Apple in order to show how we solved a few area's that were slightly troubling.
Creating a Developer Password with Apple for our application was slightly confusing. After creating the certificateSigningRequest in the "Keychain Access" app, we then needed to create the Application Certificate in the Apple Developer Account (online).
Below: The developer account page, click on the "certificates and id's".
Below: Next page, click on the plus to add a new certificate.
Below: Next page, select the "Developer ID Application, then click continue.
Once Apple had created the certificate we followed the directions to 1) download the cert from apple. It ends with ".cer". 2) install the ".cer" file to your KeyStore app by double clicking on it. This was also problematic and would not install if there was a similar file in the KeyStore App. 3) Export the cert and its related secret to a directory on the hard drive. The certificate and the secret was slightly ambigious. The certificate appears to be a subdirectory of the secret in the KeyStore application. We selected both, and exported them by right clicking on the two.
The instructions were clear from this point forward. However after successfully passing the password entry, we were then faced with a second password entry popup for Apple's notarization. We are creating a .dmg for MacOS 12. Our JavaFX app had to be signed AND notarized in order for our users to avoid "most" of the warnings by Apple.
As mentioned above, install4J asks for the "app specific password" This password had nothing to do with our application, it is an application password between us and install4j.
I created the password in My Apple user account. Note that this is not from the developer account.
In the next screen after clicking here, I simply provided the name "install4j" in the text-entry to describe the password. Also, a Cut and Paste of the password from Apple did not work and caused an error so I pasted the selection from the browser into a text editor and noticed it was wrapped with brackets and several other characters that would make it invalid. Typing the password directly into the install4J text field worked. You will need to save this password for future uploads as well.
After correctly entering these passwords, install4j took about a minute to bundle and sign our application, then sent the dmg to Apple for notorization. Notorization took several minutes. When the operation completed, our dmg was created.
We tested the .dmg by uploading it to our server and downloading it to another device. Everything worked as expected. Apple still warns the user that "the app is not built by Apple", and "it is downloaded from the internet". For the "inexperianced user", this is much easier than without code-signing and notarization.

How to decrypt apk encrypted files from a dead phone with known password?

My problem is the following:my phone's screen is dead, the phone has full disk encryption turned on, I know the password, I need to retrieve data on it and I have an encrypted back up.
The phone is a Samsung Galaxy S7. I cannot access files by plugging the phone into my computer as I can't unlock the phone without the help of the screen. USB debugging is not enabled.
I have a recent backup of the files made with Samsung's Smart Switch. However, all apk files as well as most files are saved as "enc." files and not readable decrypted files.
I have tried using gpg and openssl tools to decrypt those files individually with the FDE password of the phone without any success.
What are my options to A) either access my phone's content without the use of the screen B) or decrypt those encrypted backed up files I have given that I know the phone's password?
Thanks
Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The default password is: "default_password" However, the resultant hash is also signed through a TEE (such as TrustZone), which uses a hash of the signature to encrypt the master key.
When the user sets the PIN/pass or password on the device, only the 128-bit key is re- encrypted and stored. (ie. user PIN/pass/pattern changes do NOT cause re-encryption of userdata.)
I.e you cannot decrypt the data without knowing the master key which is randomly generated and stored on the phone.
You'll need to replace your broken screen.
See this for more information.

Storing encryption keys for desktop application(Email Client)[Duplication]

There are so many articles on stack-overflow and security.stackexchange on storing encryption keys, but I am still confused, so that's why I decided to ask again here.
Basically, I am creating an Email client for education purpose, in that Users can create account where they enter there Email-ID and Password. I am looking for secure way to save the information.
I will be
Encrypting the Email-ID and Password
and storing the encryption key on the user PC because I don't want the user to type in password every time he sends and Email
From reading I have understood that,
I need to store the encryption key in a separate location, so that it will be difficult to find by an hacker, But the problem here is that my application is written in Python and it will be open source application, so hacker can view the source code and get the path of the directory where the key is stored.
Second solution is that I can have a master password which will be used as a key, when the user opens the application for the first time after starting the computer, the application will ask for the master password, then I can store the key in RAM.
Looking at all the articles on internet on this topic this is a repetition, but I am sill learning to make applications and for the last two days I going in a loop with no success.
OS: Linux Ubuntu 14.04
Programming Language/Framework: Python/Gtk+
Your understanding is correct.
It's impossible to prevent a attacker with access to the local key from accessing the password. Obscuring the path where it is stored provides virtually zero additional security - any attacker with the know-how necessary to perform the decryption will easily bypass such a mechanism.
The only secure way to do this is storing the key (or a key to the key) out of the computer - in the user's mind, in the case of the master password mechanism.
If you end up using a master password, don't forget to use a proper key derivation function, ideally with a key-stretching mechanism, such as PBKDF2 or bcrypt. Never use a password as a key directly (or even a simple hash of the password.

where are encryption key's stored?

I'm new to cryptography . I've read that symmetric and asymmetric algorithms use one and two encryption keys respectively . and these keys must be stored somewhere safe . but when I searched the web to find tutorials about how to do encryption in asp.net I found something strange to me ! for example this tutorial .
there is no public or private key stored or supplied when encrypting or decrypting data ! I can't understand .
another problem I have is that all tutorials I've found till now just are codes without any explanations about what are these codes and why are used . I appreciate any good tutorial suggested .
From RSACryptoServiceProvider Constructor:
If no default key is found, a new key is created.
This constructor creates an Exchange key pair suitable to encrypt session keys so that they can be safely stored and exchanged with other users. The generated key corresponds to a key generated using the AT_KEYEXCHANGE value used in the unmanaged Microsoft Cryptographic API (CAPI).
So it is just generating a new key pair if it cant find one that was created already; you should not use this other than for session based data.
 
A little background (I'm assuming your using Windows), Asymmetric key pairs are associated with certificates. These certificates are what you use to place trust on asymmetric keys. Every certificate can be signed by a certificate authority (who is the authority which issues the asymmetric keys), if you trust the certificate authority, then you trust the asymmetric keys which belong to a certificate signed by that authority. All these certificates are stored in your "Certificate Store", aka "Key Store" (Java), "Key Ring" (Mac).
You can view your certificates by doing Start > Run > certmgr.msc. Your certs are under Personal > Certificates. If you open one up, and go to the Certificate Path tab, you will see the certificate chain up to a certificate authority. If that "root" certificate, which belongs to the certificate authority, is found in your Trusted Root Certification Authorities > Certificates store, then the certificate is considered valid and trusted.
If you want to encrypt something for a user, you should go into his certificate store, and pull out his encryption certificate. To do this, you should open up the "Current User's" key store, and iterate through all the certificates in there, and pick out the ones with the key usage of "Key Encipherment", and if more than one, ask the user's which he wants to use.
If you want to encrypt something using a service account (for example if you were a web server) you should use certificates found in the "Local Machine" key store, and only grant your service account read access to the private key associated with the certificate you want to use.
This can be done using X509Store Class, for example:
X509Store certificateStore = new X509Store("MY", StoreLocation.CurrentUser);
X509Certificate2Collection allCertificates = certificateStore.Certificates;
//Iterate through all certificates
"MY" represents personal certificates, the rest can be found here. CurrentUser represents user keys, the other option is LocalMachine.
Once you have the certificate you want to use, you should use the public key for encryption, and the private key for decryption, in conjunction with a symmetric key. So if you had a big set of data you wanted to encrypt, what you would do is:
Get certificate
Pull public key from certificate
Generate symmetric key (AES)
Encrypt data with symmetric key
Encrypt symmetric key with public key
Store encrypted symmetric key with the encrypted data, along with an identifier (Serial Number) for the certificate you used to encrypt
When you decrypt you should:
Read serial number from encrypted data
Pull certificate, from key store, with that serial number
Pull private key out of that certificate
Decrypt symmetric key with that private key
Decrypt data with that symmetric key
Use data
I have a bunch of code samples which accomplish this if you would like to take a look, just let me know which section you need help with.
That was probably a little confusing, so let me know what you want clarified.

How can I encrypt user content on my site so that not even I can access the content?

I need to encrypt content in my web application on a per-user basis.
I, the root user, do not want to have access to users' content, period.
How can I make it so users are the only ones with access to their content? Perhaps I can make it so a hash of their login password acts as an encryption and decryption key (then their password is stored one-way hashed in my database, and the encryption/decryption hash is generated from their raw password on login and stored in a local cookie)? But what if they change their password? Then I have to update all their content which could take a lot of processing power.
Is there an encryption method that would provide this, without having to re-encrypt their content if their password changes? Something similar to ecryptfs on Linux, perhaps? Is researching ecryptfs a good place to start?
Is making it so only the user can access their content on my servers (and not even me) even feasible?
Process:
Generate a random secret to encrypt their content.
Using their provided password encrypt the random secret from #1.
Store their password as a one-way hash (with salt, maybe multi-hash).
Upon Password change:
Re-generate the value from step #2.
Re-generate the hash-cache from step #3.
Upon Login:
Hash password and check against hash generated in step #3.
If password matches - use actual provided password to decrypt random secret from #2.
Use random secret from #2 to unlock data encrypted in #1.
Notes:
No one can decode the data without knowing the random secret (#1). Random secret can only be unlocked with user's actual password (#2) (short of brute-force). User's actual password is only known in one-way hashed form (#3) so you can confirm it's the same, but cannot decode it and recover #2.
A forgotten password process is not possible (you can regenerate #3, but random key in #2 is now lost as is everything locked in their vault).
You don't have to re-encrypt everything in step #1 every time they change their password, only the (simple/quick) random secret from #2.
If you cache their provided password, or the random secret generated at step 1, or their (decrypted) content anywhere you could cause data leaks.
You're spot on that you need to use their password as a key.
I wouldn't monkey with ecryptfs because an encrypted file system isn't the best solution. You wouldn't want one user's data to be encrypted with the same key that another user used.
When you encrypt the data, you should generate a random string to use as salt. This prevents someone from using a pre-generated list of hashes to decrypt your data. It also changes the hash of two people who might use the same password.
When a user changes their password, you'll have to re-encrypt the data and generate a new salt value. This is the level of security I would expect as a customer, knowing that when I change my password, I'm re-encrypting all of my data to prevent someone from trying to brute force my key.
You can store the salt value in your database unencrypted.

Resources