I have a file sent to me from a client. The file is being encrypted with public key and I have the private/public key pair, so I can decrypt and read it. We use GPG. Recently, the client started signing the file and gave me the new public key that is being used. However if I try to verify the file using
gpg --verify path/to/public/key.asc /path/to/encrypted/file
I get an error, which is: gpg: verify signatures failed: Unexpected error
There is a high possibility that I'm doing something wrong, however conceptually I think I'm missing a few points.
Is there a way to verify the signature of an encrypted file using the provided public key ?
If new public key is used for signing/encryption I guess I'm going to need a new private key for the decryption? Or is it a valid scenario to use one public key for encryption and another for signing?
I've just obtained the certificate from GoDaddy. It came in a .ZIP file, which has two files in it:
"certificate.p7b" & "cetificate.crt"
I've installed both of them, but when I try to look up the private key on any of them, I get NULL, which means that they have no private key.
Of course, all this is a part of the bigger problem, where I'm trying to install a certificate for AZURE web site and it doesn't take .crt file so, I need to export it into the .pfx
By the way, I'm on a work laptop, which has some preinstalled certificates and all them have private keys. This is the code I use to lookup the private key:
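using System.Security.Cryptography.X509Certificates;

// Enumerate the current user's personal ("My") store and read each certificate's private key.
X509Store store = new X509Store(StoreName.My);
store.Open(OpenFlags.MaxAllowed);
foreach (var cert in store.Certificates)
{
    // null when the store entry has no associated private key
    var pk = cert.PrivateKey;
}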
WHERE IS THE PRIVATE KEY AND HOW CAN I OBTAIN IT?
You already have it. The first thing you did in this process was to generate a key pair. Then you generated a CSR from the key pair, then you got that signed by the CA, now you have a signed certificate, and you still have the original key pair.
When you order the certificate, you are sometimes asked if you want the CA to create a keypair for you OR you will generate the keys locally. If you were not asked (or have chosen the second option), then the browser generates a key and stores it internally. Then you pass the Certificate Request to the CA and they send you the certificate.
You still have the private key in your browser. There exist several options then: (1) visit the CA's site as per their instructions using the same browser that you used to create a Certificate Request. This will work when the CA instructs you to do so, and (2) CAs offer one free re-issue of the certificate for cases like yours. You can request the re-issue.
But in general you must carefully read all instructions and don't proceed further if you don't understand them. If the key was generated locally, then you could have been offered to save the private key in the safe place. If you didn't do this - you are the one to blame.
I have been asked to update an old project done in objective-c.
I'm having this issue with my distribution provisioning profile. It goes like this
Provisioning profile "XXXXXX" doesn't include signing certificate
"iPhone Distribution: XXXXXXXXXX (XXXXXXXXXX)".
The thing is I can see the certificate "iPhone Distribution: XXXXXXXXXX (XXXXXXXXXX)" in my keychain. But there are 2 of them. One has a private key and the other one doesn't and both have a different expiry date. When I checked the developer account, the distribution provisioning profile is signed with certificate that doesn't have a private key (the expiry date of the certificate shown on developer account is that of the one without private key)
What is causing this issue?
How can I fix it?
What if I can't get the private key from the older machine(as that machine is no more usable)
I tried deleting one of the certificates, and also automatically manage signing. Both didn't work.
Please help.
The problem is that the only valid provisioning profile you have is tied to the distribution certificate for which you do not have the private key. Without the private key, it is not a valid signing identity, so Xcode won't use it.
To fix this, you will need to create a new private key / distribution certificate, and then create a new distribution profile using the newly created certificate. You can find instructions, starting with creating the cert signing request, here.
See 2 above. Without the key, you can't use the existing certificate. If you need to build from multiple Macs, you need to set up a sharing mechanism to provide the private key to any other Macs that will be downloading and using the certs / profiles from Apple's site. I would also back up the private key so that you won't run into this in the future if something happens to your build Mac. Also, when the cert expires, it is helpful to keep the .csr file from answer 2 above. This means you can use the same private key for the new cert when your distribution cert expires.
Make sure you have selected right Code Signing identity.
In my case I had selected Distribution instead of Developer
I have created a Xero partner app and I have been asked to renew my Entrust Certificate. When I POST to oauth/RequestToken, I get this error:
oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature
Here are the steps that I took:
I downloaded the P12 Entrust Certificate from Xero.
In certmgr, I imported the P12 certificate into my personal certificate store.
I right clicked the certificate. I clicked all tasks and export.
I said do not export the private key.
I exported the file as a CER.
I logged into developer.xero.com and I clicked apps.
I uploaded the CER in the form and clicked save.
Are there any additional steps I must take?
I think where you went wrong is at stage 5.
The entrust cert isn't supposed to be uploaded into the developer portal.
The .cer file you upload into the developer portal contains your public key and is used to decode the signature you provide on your API calls. This signature is signed by your application using the private key associated with it. If the certs are mismatched (which they will be now that the API is trying to decode with the wrong public key), you will receive the "Failed to validate signature" error you are seeing.
You will want to either
Re-upload the previous .cer public key file you used for your application originally, as it will match the private key you are currently signing with (unless you changed this also)
Regenerate a new public/private key pair as described here: https://developer.xero.com/documentation/advanced-docs/public-private-keypair, upload the new .cer public key into the developer portal, and use the new private key in your application
I am using Exchange Web Services (EWS) to read emails and their attachments. I was successful until I started receiving some emails that were digitally signed. I found this link EWS: Retrieving attachments from signed emails where the solution starts off by saying "... Assuming your security context has access to the key. " which is exactly where it seems I have problem. How can I make sure my security context has access to the key? How do I achieve that? The code in the above link gives me an error: ASN1 bad tag value met
Are the messages signed or Encrypted (or both) ? To decrypt an encrypted message you would need to have the Private Key (eg for SMIME these should have been exchanged) the EnvelopedCms will search current user (security context) and computer certificate store for this certificate information. However in Exchange in addition to being stored locally the certificate that could be used to decrypt the message could be stored as an attachment on a Personal Contact or in Active Directory http://blogs.technet.com/b/exchange/archive/2008/04/23/3405402.aspx.
I'm working on some proprietary development on SSH protocol.
I want one clarification on message SSH_MSG_USERAUTH_REQUEST
As per RFC 4252, the client can send the message below to the server just to verify whether the publickey would be acceptable or not.
byte SSH_MSG_USERAUTH_REQUEST
string user name in ISO-10646 UTF-8 encoding [RFC3629]
string service name in US-ASCII
string "publickey"
boolean FALSE
string public key algorithm name
string public key blob
Once above message is replied properly by server with SSH_MSG_USERAUTH_PK_OK.
Then client sends actual authentication message described below.
byte SSH_MSG_USERAUTH_REQUEST
string user name
string service name
string "publickey"
boolean TRUE
string public key algorithm name
string public key to be used for authentication
string signature :This extra than first message
Now I can see first message (without signature) contains publickey blob.
Should I verify the blob in first message or I should always skip that and do verification only during actual authentication message ?
I'm asking this because I have implemented my code so that it does verification on both messages. But whenever I'm trying to test against OpenSSH, it fails on the first message for authentication but always passes with the second message. However, I have debugged and found out that OpenSSH is not sending the same publickey blob in both messages, so my question is: why is OpenSSH doing so?
If OpenSSH is properly following the RFC, then it seems like I should skip verifying the publickey blob in the first message. If I do that, am I not breaking the RFC? Is doing that right or not?
Please help me to resolve this query.
Please let me know if more information is required.
Thanks in advance.
> Now I can see first message (without signature) contains publickey blob.
> Should I verify the blob in first message or I should always skip that and
> do verification only during actual authentication message ?
It is not clear what you mean by "verify" for the first message,
but, for that message, sshd will just check if the given publickey blob exists in the ~/.ssh/authorized_keys file. If it exists in that file, the ssh client will receive SSH_MSG_USERAUTH_PK_OK.
> However i have debugged and found out OpenSSH is not sending same publickey
> blob in both message. so my question is why OpenSSH is doing so ?
I had implemented an SSH client in Java from scratch, but I had not recognized such OpenSSH behaviors.
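The two publickey message forms discussed in this thread, handled on the server side as an added example (not code from the posts above or from OpenSSH): the query form gets only a key lookup and a PK_OK reply, while the signed form yields the exact bytes the signature must cover per RFC 4252 section 7. The names handle, build_request and authorized are hypothetical, and the cryptographic signature check itself is left to a crypto library.

```python
import struct

USERAUTH_REQUEST, USERAUTH_PK_OK = 50, 60      # message numbers from RFC 4252

def ssh_string(data: bytes) -> bytes:          # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):         # decode one string, reject truncation
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_publickey_request(payload: bytes) -> dict:
    """Parse either form of the 'publickey' SSH_MSG_USERAUTH_REQUEST."""
    if not payload or payload[0] != USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    if method != b"publickey" or off >= len(payload):
        raise ValueError("not a complete publickey request")
    has_sig, off = payload[off] != 0, off + 1  # FALSE = query, TRUE = signed
    alg, off = read_string(payload, off)
    blob, off = read_string(payload, off)
    signed_end, sig = off, None                # signature covers bytes before here
    if has_sig:
        sig, off = read_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after request")
    return {"user": user, "alg": alg, "blob": blob, "has_sig": has_sig,
            "sig": sig, "signed_end": signed_end}

def handle(payload: bytes, session_id: bytes, authorized: set):
    """Return (action, data); 'authorized' is the user's set of accepted key blobs."""
    req = parse_publickey_request(payload)
    if req["blob"] not in authorized:          # both forms: is this key acceptable?
        return "failure", None
    if not req["has_sig"]:                     # query: nothing to verify, echo alg + blob
        return "pk_ok", bytes([USERAUTH_PK_OK]) + ssh_string(req["alg"]) + ssh_string(req["blob"])
    # signed form: signature is over string(session id) + request without the signature
    return "verify", ssh_string(session_id) + payload[:req["signed_end"]]

def build_request(user, alg, blob, sig=None):  # builds constructed sample input
    body = b"".join(ssh_string(x) for x in (user, b"ssh-connection", b"publickey"))
    body += bytes([1 if sig is not None else 0]) + ssh_string(alg) + ssh_string(blob)
    return bytes([USERAUTH_REQUEST]) + body + (ssh_string(sig) if sig is not None else b"")
```

For the "verify" action, the returned bytes and the parsed signature are what get passed to the signature verification routine for the named algorithm.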