To enable the Application Authentication security feature I have to extract the public signing key as documented here:
https://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/dev/c_ibm_worklight_app_authentication_overview.html
My problem is that the wizard from MobileFirst Studio generates the same public signing key for different keystores and certificates.
How can I extract the public signing key manually?
The wizard generates the key based on the keystore file you provide it with. It will not change between generations of you use the same key...by default Android provides a debug keystore. Be sure to create your own keystore as you use to production and use the same key as well for when generating the .apk file (signing it).
I don't understand how extracting it manually makes a difference. You need to extract the key by following the instructions that Worklight/MobileFirst requires.
Related
For my IT Security class I have to create a vulnerable web application.
When logging in the user should upload a certificate (e.g. a PFX file, I chose a use case where this makes sense). However I want to make it so an attacker can recreate the certificate with some basic information.
I did some research and it seems like I need to generate a reproducable SSL key and CSR if I want to use PFX. Can I do this on my own? If so, how? If not, what other options do I have?
I have a hash of a certificate using the example at http://techblog.bozho.net/?p=37 and wish to use this to fill in a signature field in a pdf form with iTextSharp. Does anyone have any examples or know how? This is a web app and the only method I can find for capturing the signature from a smart card local to the client.
Ken
You can't use a hash of the certificate for signing. Signing is performed using the private key (and not its hash either).
For web application you have two options - either transfer the whole document to the client, or use some distributed signing mechanism which involves a client-side module (either a browser plugin / java applet or a standalone application).
Our company developed a distributed cryptography add-on to SecureBlackbox, which is described in details in this SO answer and which does what you need. The scheme in the answer explains how distributed signing would work.
I am beginner of iPhone. I have no idea of upload app in itunes. I have make certificate and provisioning profile but when i downloaded certificate at that time no with private key.. so, give any suggestion which is apply in my app.
You can do 2 things:
1. Create a new certificate identity via the apple devloper portal In this case you'll need to log into the apple developer portal and use the assistant, as part of this you will need to create and upload a CSR (Certificate Signing Request) which will also create the public and private keys on the machine. Apple sign the request and voila, a signed public/private certificate pair : guide
2. Export the private key from the machine originally used to create the Certificate This case is when your signing with an identity previously created, probably on an old machine or if (as in my case) your developing for a client that has their ID's already created. If you can't access the machine originally used to create the certificate identity you'll have to create a new identity as per the guide/assistant.
To do this, you will need to export your private key (a .p12 file), or public/private key pair via Keychain Access, and install the private key or key pair to the machine your developing on: guide
I am developing an html application where an user has to first login using his digital certificate. After login he has to perform encryption and decryption of data using his digital certificate.
Now in case when the certificate is available in the form of .pfx file then we can just install it and the certificate appears in the container and we can use it during login and during encryption and decryption.
This works fine in case if we have .pfx for our digital certificate.
But now i want to enhance it for etoken's(security token). I dont know much about etoken's. The problem is that how can i use the digital certificate stored in it while login?
Also how should i use the private key stored in it while decryption?
Can anyone please tell me about any tutorials (if any) which will explain the usage of etoken and the CryptoAPI's.
As I mentioned in the answer to your previous question, Windows CSPs map the certificate from hardware to Windows certificate storage, so this is transparent to you. If you can access the certificate via Windows certificate storage API, then you don't need to care where the certificate is actually located.
Note that you can't transfer a private key to the server, i.e. you would have to use a client-side module (either ActiveX or Java applet) that will perform operations locally. This is not specific to certificates on hardware, but also to certificates which have non-exportable private keys.
We want to add automatic software updates to our application, but our company isn't yet ready to buy a code-signing certificate from a trusted root CA, so we'll be using a self-signed certificate to sign code updates (.exe and .dll) for now.
Question: how to verify a binary signed with a self-signed certificate, without having to install the certificate, using Microsoft's Cryptography API? The .cer file to check against will be bundled with the application. Or is it simpler to use a generic Crypto library?
You can skip the whole X509 thing, after all you don't really need it if you're going to be using your own certificates...
For what you want to do, first you have to generate your RSA private/public key pair. Then you store the public key in your application.
When you have an update, you sign it on your site, by getting the MD5 or SHA-1 or whatever hash you want to use; then you encrypt that hash with the private key. The installed applications fetch the update and the signature (the encrypted hash); when the application gets the binary file, it computes its hash, then decrypts the other one using the public key and compares them. If they're identical then it's a valid update, otherwise you reject it and warn the user or something.
With X509 certificates that are self-signed the mechanism is going to be exactly that, but the public key is going to have a bunch of additional data like the identity of the issuer which will be the same identity of the certificate.
I seem to recall hearing of a way to enable self-signed certs some years ago, back in the Win2k days, but it was very hacky, not at all suitable for public deployment and has probably been "fixed". If you do think about using some other crypto library, or developing your own, take care: it's very hard to distinguish good crypto from bad crypto.