Well, i decided that i have to post this question because, seriously, i couldn´t find anything related to it.
I´m creating a self-sign certificate but, this is based on another one that has certain properties and at certain point, the below happens and i need to understand what is it and why:
Issuer: O=example.com, OU=example.com CN=.cc-admin/dnQualifier=1sfCakNi3x6UPCYmogMrITuPMos=
....
Subject: O=example.com, OU=example.com, CN=SM.ws-1/dnQualifier=H/z8HyVtKEZSFoTeeI2UV9aBaq8=
....
X509v3 Authority Key Identifier: 21
keyid:the keyid
DirName:/O=example.com/OU=example.com/CN=.ra-1b/dnQualifier=4NMh-Nx9WhmbDcXKl1puOjX4lsp=
serial:56:CE
What is that hash after de dnQualifier? and why is it always different?
That´s it!, that´s all i need to understand. Thanks for you time, regards
Related
I want to decrypt TLS traffic in a pcap file using scapy by providing certificate and private key.
But i dont have a clue how to do it without using wireshark or tshark
Could someone give me some suggestions? Thanks in advance.
The three things you might want to look at are:
TLSSession: https://scapy.readthedocs.io/en/latest/usage.html?highlight=tlssession#advanced-sniffing-sniffing-sessions - i.e. how to dissect "on-the-flow" using a session in Scapy
Scapy's TLS notebooks: https://github.com/secdev/scapy/tree/master/doc/notebooks/tls - they have prety detailed explanations and examples regarding dissection/decryption
This test case in scapy: https://github.com/secdev/scapy/blob/3040f6d705176731494a7bcf76b820f077716729/test/tls.uts#L1166-L1218 that puts it all together.
The key steps are (from the last test case):
>>> key = PrivKeyRSA("srv_key.pem")
>>> res = sniff(offline="tls.pcap", session=TLSSession(server_rsa_key=key))
Obviously this only makes sense when using RSA and not Diffie-Hellman. Good luck !
I am working on a cloud HSM service and I see CKA_ATTRIBUTE_INVALID error when I am trying to create a AES 256 key with following attributes:
CKA_TOKEN=0
CKA_SENSITIVE=0
CKA_PRIVATE=1
CKA_ENCRYPT=1
CKA_DECRYPT=1
CKA_SIGN=1
CKA_VERIFY=1
CKA_WRAP=1
CKA_UNWRAP=1
CKA_DERIVE=1
CKA_EXTRACTABLE=1
CKA_MODIFIABLE=0
and hence the error:
Status: C_DeriveKey returned error. (CKR_ATTRIBUTE_VALUE_INVALID)
I figured out if I pass CKA_SENSITIVE and CKA_PRIVATE both as 1 it passes and key gets created.
My question is how do I know which are the valid attribute combinations?
Can someone point me to a documentation, please.
I didn't find much details in standard PKCS#11 spec guide.
I would appreciate any help here!!
Cheers.
As far as I can see the following attributes are have wrong values:
CKA_SIGN=1
CKA_VERIFY=1
Symmetric key can't be used in signing.
Also this values are have some questions:
CKA_TOKEN=0
means that the key is session object,
CKA_SENSITIVE=0
means that the key value is "visible" - it is not secure.
From my experience:
try to remove attributes from template one by one and you can find which of them are wrong.
Today I came across a weird case of cn mismatch. I have two domains:
kpmg.talentsource.rs and
www.kpmg.talentsource.rs
both have prod.q.ssl.global.fastly.net as their CNAME
they have the same A records and certificates.
Nevertheless:
https://kpmg.talentsource.rs (OK)
https://www.kpmg.talentsource.rs (CN mismatch)
https://www.ssllabs.com/ssltest/analyze.html?d=kpmg.talentsource.rs&s=151.101.65.62
https://www.ssllabs.com/ssltest/analyze.html?d=www.kpmg.talentsource.rs&s=151.101.65.62
Note: none of the two has the kpmg.talentsource.rs in neither the the CN nor the SAN
Any ideas why this is happening?
The certificate has a Subject Alternative Name of *.talentsource.rs (among many others unrelated one).
Per X.509/TLS rules, a * matches only one level/label, it does not cross the dot so to say. So *.talentsource.rs matches an hostname of kpmg.talentsource.rs but NOT www.kpmg.talentsource.rs, hence the browser error.
You need either to add www.kpmg.talentsource.rs or *.kpmg.talentsource.rs as a SAN (note that it has talentsource.rs already in the list too) in this certificate or stop using www.kpmg.talentsource.rs at all (a redirection will not solve the problem as you still need the TLS handshake to complete first before getting the HTTP Location: header, so you still need appropriate certificate).
I bought a ssl certificate for my site, but I do not know which one is the private key.
Here are the available files:
CACertificate-INTERMEDIATE-1.cer
CACertificate-ROOT-2.cer
PKCS7.p7b
ServerCertificate.cer
Meta: this is not a programming or development Q and will likely be voted offtopic.
None of them.
The (normal) sequence is:
you generate a key pair, or a private key which implies the matching public key, on your machine
you create a CSR (Certificate Signing Request) containing your public key, which is signed using your private key. With some software steps 1 and 2 are combined.
you send or submit the CSR to a CA, and also provide proof of identity and if applicable payment; the details of this step can vary depending on the CA you use, the type of cert you request (especially the validation), and who or what you are
the CA validates your identity (and payment) and 'issues' a certificate for you
the CA gives you your cert, plus the related CA certs needed to form a trust chain; this is often one intermediate plus a root (as in your Q) but other combinations are possible.
You are looking only at step 5. You need to look back at step 1 (and possibly 2).
I'm trying to send a request with:
ActiveXObject("WinHttp.WinHttpRequest.5.1")
however this requires a client certificate to do so (which we have been provided).
Having tested in PHP cURL I can do so with:
curl_setopt($SOAP, CURLOPT_SSLCERT,$filepathtocertificate);
Which works fine. However I must use IIS running asp(javascript) and point to the certificate store of the machine the script is running on with:
SetClientCertificate("LOCAL_MACHINE\\Personal\\Certificate subject");
for our actual deployment. The MS documentation (http://msdn.microsoft.com/en-us/library/windows/desktop/aa384055(v=vs.85).aspx) suggests that the path above has to state the 'subject' of the certificate, however the certificate seems to have several subjects and no combination of several or all of them seems to yeild any results and I am stuck with the following error before the request is even sent:
WinHttp.WinHttpRequest error '80072f0c'
A certificate is required to complete client authentication
Looking in the certificate store and using other scripts in the same folder show they are definitely there but have subjects like:
C=US, O=Organisation NAme, OU="Another Organisation Name, Inc.", CN=Organisation Name Root
Or similar.
Any advice on what parameters SetClientCertificate needs to be given to select and send certificates in the certificate store would be much appreciated.
I had a lot of trouble with this same issue - using winhttp 5.1 from a scripting language to set a client certificate before a send.
I had used mmc with the certificates snap-in to import the certificate in CURRENT_USER \ Personal - but the Winhttp SetClientCertificate didn't seem to be doing anything, nor was I able to pick up any error code or message so it was a case of repeated trial and error - the SetClientCertificate string should be something like "Location\store\subject" eg "CURRENT_USER\Personal\My Certificate" (or \ \ if your language requires \ to be escaped) -the final part being 'subject' which is not as clear as it should be. Under MMC the subject is broken into many elements.
I eventually got it working by dropping the location and store - they were the defaults so I may have been fortunate - and providing just the subject field - the value I used for the subject field was the value in the line "CN = " under subject (when the cert is opened under mmc) - but this (perhaps coincidentally) was also the value in the 'Issued To' column on the main mmc certificate list. In my case it worked - clearly if there is a cert with these two values different then you'd need to try each.
Hope this helps if somebody is similarly stuck.
This is a very old question yet I had to find an answer today. The answer provided above by #JSL helped me. If you only provide the certificate subject name then it works! So it is clear that there is a mistake in the way full path is specified.
I got the right info for Windows 7 from this link https://msdn.microsoft.com/en-us/library/windows/desktop/aa384076(v=vs.85).aspx
here is VBA script that works.
Dim objHttp As New WinHttp.WinHttpRequest
objHttp.Open "GET", url, False
objHttp.SetClientCertificate "CURRENT_USER\My\TestCert"
objHttp.send
Valid locations are LOCAL_MACHINE and CURRENT_USER and
Valid store names are "MY", "Root", and "TrustedPeople".
Remember to escape the backslashes in C++, C# etc.