import encrypted private key to jks - encryption

I need use ssl(2 way handshake) socket for connection in my project.
So for creating keys, i used openssl with this comands :
for server :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout a_private.key -out a_certificate.cert
rsa -in a_private.key -des3 -out a_private_des.key
rsa -in a_private_des.key -pubout -out a_pub.key
for client :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout b_private.key -out b_certificate.cert
rsa -in b_private.key -des3 -out b_private_des.key
rsa -in b_private_des.key -pubout -out b_pub.key
for import to jks file i used keytool:
keytool -import -alias a_private -file a_private_des.key -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
after that, I made der file with this command :
pkcs8 -topk8 -in a_private_des.key -out a_private_des.der -outform DER
and retry to import key to jks file:
keytool -import -alias a_private -file a_private_des.der -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
and I get same exception with b_pub.key
how can I import encrypted private key and public key in jks file ?
tanx alot.

To import a key pair (key and cert) into a java keystore, you first need to create a p12 file. Whilst the question is "import encrypted private key to jks", I don't actually believe the key in question is encrypted as the "nodes" option is used.
So to import a key, and cert into a JKS use:
# create p12
openssl pkcs12 -export \
-name a_private \
-out a_private.p12 \
-inkey a_private.key \
-in a_certificate.cert \
-passin "pass:changeit" \
-passout "pass:changeit"
# create jks
keytool -v -importkeystore -deststoretype pkcs12 -destkeystore \
"a.jks" \
-srckeystore "a_private.p12" -srcstoretype pkcs12 \
-alias "a_private" -srcstorepass "changeit" \
-deststorepass "changeit" -destkeypass "changeit"
Actually change the password "changeit" as well.

I believe the -import option only let's you import certificates, not keys. Looking at this post it seems you may have to write some kind of workaround.

Related

OpenSSL - Encrypt plain text using RSAES_OAEP_SHA_256

I want to encrypt local plain text file using openssl and RSAES_OAEP_SHA_256 algorithm.
I tried to use the same approach with this blog entry but it did not work.
https://europatech.co.uk/encryption-decryption-with-kms-and-openssl/
$ echo "hello" > plaintext.txt
$ openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
-in plaintext.txt -pubin -inkey pubkey.pem -out plaintext.bin
-pkeyopt command before -inkey
Usage: pkeyutl [options]
-in file input file
-out file output file
-sigfile file signature file (verify operation only)
-inkey file input key
-keyform arg private key format - default PEM
-pubin input is a public key
-certin input is a certificate carrying a public key
-pkeyopt X:Y public key options
-sign sign with private key
-verify verify with public key
-verifyrecover verify with public key, recover original data
-encrypt encrypt with public key
-decrypt decrypt with private key
-derive derive shared secret
-hexdump hex dump output
-passin arg pass phrase source
am I missing something?
I was looking for the same openssl command and this worked for me:
openssl pkeyutl -in data.txt -encrypt -pubin -inkey Oaep_Pub_Rsa.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out enc.pem

PEM_read_bio_PUBKEY failed while sending signed SAMLRequest to Auth0

I'm trying to sign the (ITfoxtec Identity SAML2) SAMLRequests and testing with Auth0 and I'm getting the following error on the Auth0 side:
invalid_request: PEM_read_bio_PUBKEY failed
I filled the public key in their config.
{
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signingCert": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqt7eddg/N9MgaivTEWif\n...\nnmEbAFKJtjieiwu1JjsMsdUCAwEAAQ==\n-----END PUBLIC KEY-----\n"
}
Here is how I generated the keys:
openssl req -x509 -sha256 -newkey rsa:4096 -keyout auth0samlprivate.key -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=mydomain.com"
# then i generate the public key to fill in the configuration of Auth0
openssl x509 -pubkey -noout -in auth0samlpublic.pem > auth0samlpublickey.pem
# then I generate the .pfx file to use server side for the private key
openssl pkcs12 -export -out auth0saml.pfx -inkey auth0samlprivate.key -in auth0samlpublic.cer
Then in the code:
config.SignAuthnRequest = true;
config.SigningCertificate = CertificateUtil.Load("Path/To/auth0saml.pfx", "myPassword");
In the browser, I get redirected to the right URL that contains a Signature query parameter, so it seems to be handled correctly but Auth0 doesn't seem to be able to read it.
What did I miss? I'm new to the certificate part of it.
The issue was about the generated certificate.
First, although the example in Auth0 is using a private key, using certificate is fine too.
The following commands worked fine for me:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout auth0samlprivate.pem -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=thefiftyapp.com"
openssl pkcs12 -export -in auth0samlpublic.pem -inkey auth0samlprivate.pem -out auth0saml.pfx
I think the real issue was about changing manually the pem file to a cer file without using a command line.
And the Auth0 config:
{
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signingCert": "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUXg1jHZ9qRIrtySCsF/bK2JvYxMQwDQYJKoZIhvcNAQEL\n...\n53f63eKJn9PMmyqIYl9/K48ABR3Bf8exfvK4HRudkSU66pQsj8biIxl4MSDMg/6G\naHUZoTBJbJ/sXmoExGpltvFDcNMITfJMKGFCIBO9VnlsJrXdwalSTpxg/9Yi79GD\n5yMXEjicqion8KE0LMsk93LVS92bkujhSg==\n-----END CERTIFICATE-----\n"
}

OpenSSL created Certificate Authority works with Windows 10 but not Ubuntu

I create my own Certificate Authority using OpenSSL.
I put the created root certificate on Windows 10 and Ubuntu 18.04.
I create a signed certificate which is used in a .NET Core Server (running on Ubuntu).
When accessing the server on Windows 10 using Chrome, the certifiate is valid/secure.
When accessing on Ubuntu, the certificate is invalid.
Here are the steps I took:
Create a CA
openssl genrsa -des3 -out self-ca.key -passout pass:password 2048
openssl req -x509 -new -nodes -key self-ca.key -sha256 -days 1825 -out self-ca.pem -passin pass:password
Install CA on Ubuntu
openssl x509 -outform der -in self-ca.pem -out self-ca.crt
cp self-ca.crt /usr/local/share/ca-certificates/.
update-ca-certificates
Install CA on Windows
Place certificate under Trusted Root Authorities
Create Certificate
req.conf file:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
O = Self Certificate
CN = www.<mysite>.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = #alt_names
[alt_names]
DNS.1 = *.<mysite>.com
Certificate commands
openssl genrsa -out self.key 2048
openssl req -new -sha256 -key self.key -config req.conf -out self.csr
openssl x509 -req -in self.csr -CA self-ca.pem -CAkey self-ca.key -CAcreateserial -out self.crt -days 1095 -sha256 -extensions v3_req -extfile req.conf -passin pass:password
Create pfx file for use with .NET Core Server:
openssl pkcs12 -export -inkey self.key -in self.crt -out self.pfx
Chrome in Ubuntu uses NSS database instead of global /etc/ssl storage.
The command certutil can be used to import your certificate to the user-level NSS db.
Install certutil: sudo apt install libnss3-tools
Add your CA certificate: certutil -d sql:$HOME/.pki/nssdb/ -A -n "My private CA" -i CA_cert.pem -t "C,C,C"
This command will install the certificate from file CA_Cert.pem under the name My private CA as trusted root for SSL cerver certificates, S/MIME certificates and code signing sertificates.
To check that the certificate is installed: certutil -L -d sql:$HOME/.pki/nssdb/

Add password to openssl .pem file from -password

I am generating a .pem file using openssl using the command:
openssl genrsa -aes256 -out ca.key.pem 4096
It is working great but when I do this:
openssl genrsa -aes256 -out ca.key.pem 4096 -password pass:abcd
It is still asking me for a password in the terminal and not automatically taking the supplied password.
I've tried generating certificates before and it works for them eg.
openssl pkcs12 -name username -inkey cert/key.key -in abc.pem -export -out cert.p12 -password pass:abcd
You're very close to the goal ! Key size must be the last parameter and -password replace with -passout
openssl genrsa -aes256 -out ca.key.pem -passout pass:abcd 4096

How to generate EC X509 certificate on unix?

I need to generate X509 certificate using EC.
What are the commands that I need to perform in order to achieve a PEM file of this certificate?
First, you need to create a private key with the elliptic curve of your choice:
openssl ecparam -name <curve> -param_enc explicit -genkey -out key.pem
You can find all supported curves with openssl ecparam -list_curves.
Afterwards you can create your certificate request, e.g.:
openssl req -x509 -new -key key.pem -out certificate.pem

Resources