How to generate a key in Qt using openssl? - qt

I need to create a private key using openssl in Qt and then use that key to sign a zip file? I dont even have a clue on how to do this! Can somebody help me to do this?

Creating a key is a multi-step process: create a "certificate signing request" CSR, give the CSR to the "certificate authority" CA, the CA will sign the certificate and return to you a public certificate. (You do this once at first program execution.) You add the certificate and private key to your certificate store (once per program execution), and then you can finally sign the file (probably using an EVP_* function). (Once per zip file.)
Good luck :) OpenSSL is a beast. I suggest using a helper tool such as TinyCA if you're also going to be your own CA. (There's nothing wrong with learning the openssl command line for CA functions, it is just a ton of extra work that doesn't get you much closer to your immediate goal. Still worth looking at.)

Related

Generate a public / private key pair in Julia

I am playing around with some encryption / blockchain ideas right now that require the use of a public / private key pair. I looked at some of the existing packages and could not find one. https://gitlab.com/braneproject/ECC.jl provides much of the desired functionality but lacks the ability to create a public key.
Any idea how I would go about doing this? In Python, I would use from ecdsa import SigningKey to get this functionality. I also looked at https://github.com/JuliaCrypto/OpenSSH.jl but it seems focused on documenter.
The library you mention depends on OpenSSH being installed on your system, and if it is, you can do the following in the REPL. Hit the ';' key and you can enter ssh-keygen at the prompt, as in:
shell> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (users/yourname/.ssh/id_rsa):

google cloud iot core certificates

I am confused with the certificated associated with the google cloud iot core.
which CA certificate is used at the registry level and how to generate it.
And the "roots.pem" certificate used to communicate between device and cloud iot core using mqtt bridge, which i got from this link 'https://pki.google.com/roots.pem'. Is it different than the one which is associated with the registry level certificate?
I have tried adding roots.pem certificate but it throws an error that file is too big. I have also added public key which is used to authenticate device using public/private key pair it was added successfully. but i get confused which one to use and where to use and how to generate one.
How to verify Device with registry level ca certificates for more security?
I am using following command,
for getting roots.pem certificate
'https://pki.google.com/roots.pem'
for getting public/private key pair
openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -days 1000000 -out rsa_cert.pem -subj "/CN=unused"
I hope I can help answer your question. One thing that pops out is your use of the Google roots.pem. I'm not sure what that file is, but I haven't needed it in order to validate my GCP IoT clients. I use an openssl command nearly identical to yours (I just haven't been using the "-days:" parameter, but maybe I should!), then on the GCP Console web page for the device I use the "Add public key" to manually copy/paste the contents of the generated public key file (i.e.: "rsa_cert.pem"). Finally, I use the generated private key file (i.e.: "rsa_private.pem") in my code to sign the JWT.
Does that help? I'm not an "expert", but I've been working pretty regularly with this stuff for a couple months.
-C
I personally use python to connect my device and the line of code looks like this:
self.Mqttclient = self.get_client(
self.projectId, cloud_region, self.registryId, self.deviceId,
self.credential, algorithm, root_certificate,
mqtt_hostname, mqtt_port)
so yes I created the root.pem exactly like you did, and create the public and private file with a python script that basically is the same thing you do with openssl in command line.
You can have a look here for more info about certificates.

Kleopatra No secret key

I support an application who call a CMD line to decrypt a file.
The application is a .exe file that is called by the Windows Task Scheduler and is execute as the same user who have all right.
The application run every week day in the evening at 6h30pm and sometimes the CMD line return the message: no secret key.
The application failed because the file was not decrypted. But it doesn't failed every evening, just random evening. It looks totally random.
And if I run the application myself after it failed with the same user, it worked.
The secret key is imported in Kleopatra and it work fine with other application that run in the morning. And it work fine when I used it.
What can cause this?
Thank you
We fix the problem. We must not log off the application user.
If we log off the user, one key is not working, but the others are working.
Some ideas to help you run down the problem:
Check the private keys available to the machine on which the application fails
gpg --list-secret-keys
(IIRC Kleopatra runs on top of GnuPG, so I assume your application does as well. I've been wrong before.) You might notice something out of place with your private (decryption) keys. For example, if the key is listed as either
sec#
ssb>
Then it's a (primary or sub respectively) key located on a smart card for storage. If the card, for whatever reason, isn't in the machine when the app runs it'll fail to decrypt.
Check the disk containing the private keyring is attached/inserted/mounted at the time the application ran and failed to decrypt. If the keys are stored on removable (or unreliable) media then that could also result in a failure to decrypt.
Check that the item failing to decrypt was encrypted properly. If there is some secondary recipient necessary for the app to run there may be a required key that you don't know about (I gather from your post you didn't create this app, just maintain it.) It may even be that the app is trying to decrypt a different file erroneously, but that kind of thing can only be found out by stepping through your source code and resident files.
Failing those, pray for #Jens Erat to notice your question.

Multiple property encryption using jasypt encryption

I have relatively less idea about encryption but i have done research on encryption in spring boot in application.properties file but i have not found any material based on multiple password encryption.If someone could provide some material or some direction as to how i would proceed will be helpful
Basically you got to do 3 things.
1. Encrypt your password using jasypt.This can be done using command line tool as indicated here or using a simple java program as indicated here. You need a password along with the string you need to encrypt. password is something like a secret key(or salt) which is used to encrypt the string you want to encrypt.
2. Add this to your application properties or yml jasypt.encryptor.password=password_used_in_the_previous_step
3. And add the encrypted password you got from step 1 like this ENC(Your_Encrypted_Password)
Add the necessary dependencies.
Here is a good example.
https://github.com/ulisesbocchio/jasypt-spring-boot.

How to Script Automated Root Password Changes?

Currently our process consists of logging into each *nix server and manually changing the password for each. My question is, what is a good way to automate this? I'm thinking of possibly a couple different ways to do this and would like input from others on what they recommend, use, etc.
One way I was thinking is a text file with a list of servers that need the password change and a script that prompts the user for the new password, stores it temporarily in the script and then remote connects into each server and runs the commands. Having a check to make sure the server is reachable or a timeout on the remote connection would be a good idea. Then have output to the console so the person running the script can see what servers were successful and which ones were not.
I was trying to think of another fully automated solution, but couldn't think of a good way to securely store the new password. Plus it is not a huge deal to me to have some user interaction and have to manually start the script as we only would need to do this 6 times a year.
Any thoughts, help, ideas would be greatly appeciated.
openssl passwd -1 $rootpw
Where $rootpw holds the string that will be your root password.
This will output a crypted string that you can just put in the file or whatever. I use this on a script that sets up virtual server instances that are provisioned from a database. I compute this hash before sending it over the network so the script that sets up the server can just use this hash instead of having to send it plain text.
To answer your question, each server would compute the hash slightly differently and result in a different hash, but all of those hashes would equate to the same password. You could use any one of these hashes and they would be functionally equivalent when used on any server, even though the actual content of the hash is different.
For example, I hashed foobar and these are the results:
rootpw=foobar
openssl passwd -1 $rootpw
$1$6pXamKGD$TKQqON1prArop7DpLOyAk1
openssl passwd -1 $rootpw
$1$4A4Mn16f$P7ap2AqNMRK8m72bG/Bve0
openssl passwd -1 $rootpw
$1$DyhsWEMX$i2wH6JpAqoHNFZ0YOBVHj/
openssl passwd -1 $rootpw
$1$m27FIj5e$LZPxVniAeUoZcuUoNHK8c/
openssl passwd -1 $rootpw
$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0
Each of those hashes are different even when computed on the same machine but any of them can be used to equate to the password 'foobar' on any machine.
So just open /etc/shadow and paste that in there where you find the line:
root:$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0:14415:0:99999:7:::
In my script I explode it at the :'s and update element [1] then concatenate the array back to a string and replace the string in the file. You can do it differently if you want, especially if you know the old value (which you can get by exploding it into an array).
I know this question is a few months old so you probably figured it out, but I'm putting this out there for any future googler's coming along and finding this.
You should compute whatever hash are your servers computing on a password and send passwords in this secured, hashed form, ready to put into /etc/shadow.
I do not know however how to do that in practice.

Resources