I want to register a personal certificate on windows, so the web server can verify the client's identity. Here is my code (It's hard for me to find the example,so I don't know whether is right or not):
char* pfile = "d:/client.crt";
FILE* fp = fopen(pfile, "r");
char ch;
char buf[10000] = {0};
int i = 0;
while ((ch = fgetc(fp)) != EOF) {
memcpy(buf+i, &ch, 1);
i++;
}
BYTE pBinByte[8192] = {0};
unsigned long binBytes = 8192;
//decode base64
CryptStringToBinaryA( buf, strlen(buf) ,CRYPT_STRING_BASE64HEADER , pBinByte , &binBytes ,NULL,NULL);
HCERTSTORE hMyCertStore = CertOpenSystemStore(NULL, _T("MY"));
int len = binBytes;
PCCERT_CONTEXT pCertContext = CertCreateCertificateContext(
MY_ENCODING_TYPE,
pBinByte,
len);
BOOL addOK = CertAddCertificateContextToStore(
hMyCertStore,
pCertContext,
CERT_STORE_ADD_REPLACE_EXISTING,
NULL);
CertFreeCertificateContext(pCertContext);
CertCloseStore(hMyCertStore, 0);
After I run the code in the xp, it run success. And I can find the certificate in the certmgr.msc.
But I can't see it in the IE browser's setting.
How can I fix that problem? Please tell me. Thanks.
.crt file does not contain private key and to make that work you may wanna install a .pfx file that has both public and private keys. And to install this you can simply double click the file then click install certificate then just complete the import wizard and it will automatically store the certificate under your "Personal" folder of your keystore.
Related
I'm trying to use Http WebSocket on Mongoose embedded web server with SSL.
And I tried this mongoose example called "simplest_web_server_ssl".
But when I executed the program, it printed out this message below.
"Failed to create listener: Invalid SSL cert"
I think it's because the program doesn't know where the "server.pem" file is.
I put these "server.pem" and "server.key" files from the example folder into a "release" folder where the .exe file is created and runs.
Actually I'm quite new to Mongoose and SSL.
Please anybody could help me?
Thanks, regards.
/*
* Copyright (c) 2016 Cesanta Software Limited
* All rights reserved
*/
/*
* This example starts an SSL web server on https://localhost:8443/
*
* Please note that the certificate used is a self-signed one and will not be
* recognised as valid. You should expect an SSL error and will need to
* explicitly allow the browser to proceed.
*/
#include "mongoose.h"
static const char *s_http_port = "8443";
static const char *s_ssl_cert = "server.pem";
static const char *s_ssl_key = "server.key";
static struct mg_serve_http_opts s_http_server_opts;
static void ev_handler(struct mg_connection *nc, int ev, void *p) {
if (ev == MG_EV_HTTP_REQUEST) {
mg_serve_http(nc, (struct http_message *) p, s_http_server_opts);
}
}
int main(void) {
struct mg_mgr mgr;
struct mg_connection *nc;
struct mg_bind_opts bind_opts;
const char *err;
mg_mgr_init(&mgr, NULL);
memset(&bind_opts, 0, sizeof(bind_opts));
bind_opts.ssl_cert = s_ssl_cert;
bind_opts.ssl_key = s_ssl_key;
bind_opts.error_string = &err;
printf("Starting SSL server on port %s, cert from %s, key from %s\n",
s_http_port, bind_opts.ssl_cert, bind_opts.ssl_key);
nc = mg_bind_opt(&mgr, s_http_port, ev_handler, bind_opts);
if (nc == NULL) {
printf("Failed to create listener: %s\n", err);
return 1;
}
// Set up HTTP server parameters
mg_set_protocol_http_websocket(nc);
s_http_server_opts.document_root = "."; // Serve current directory
s_http_server_opts.enable_directory_listing = "yes";
for (;;) {
mg_mgr_poll(&mgr, 1000);
}
mg_mgr_free(&mgr);
return 0;
}
I've had the same issue. You can step into mongoose using gdb or similar tool to find the actual reason for that error message. If you think mongoose isn't finding your files, try using absolute paths. If it finds the file, you might need to regenerate (and/or register) the cert files on your computer.
I own the server and I own the customer's executable. I'd like to establish a secure TLS connection between them.
I can embed whatever I want into the client executable but I'm not sure how to validate a self-assigned certificate that my client received from a connection to the server, i.e. from a SSL_get_peer_certificate call.
I read around that certificates are just public keys with metadata parts signed with the private key. Can I somehow verify that the certificate the server sent me has indeed all the metadata correctly signed by embedding the public key into my client application? Is this possible (and if it is, how?)
I'm not sure how to validate a self-assigned certificate that my client received from a connection to the server ...
Depending on the OpenSSL library you are using, you have to perform two or three steps for verification. The two versions bisect at OpenSSL 1.1.0. OpenSSL 1.1.0 and above performs hostname validation so it only takes two steps. OpenSSL 1.0.2 and below does not perform hostname validation so it requires three steps.
The steps detailed below are from SSL/TLS Client on the OpenSSL wiki.
Server Certificate
Both OpenSSL 1.0.2 and 1.1.0 require you to check for the presence of a certificate. If you use ADH (Anonymous Diffie-Hellman), TLS-PSK (Preshared Key), TLS_SRP (Secure Remote Password), then there may not be a server certificate to verify.
You get the server's certificate with SSL_get_peer_certificate. If it returns non-NULL, then a certificate is present. Lack of a certificate may or may not be a reason to fail.
Certificate Chain
Both OpenSSL 1.0.2 and 1.1.0 require you to check the result of chain validation. Chain validation is part of path building, and its detailed in RFC 4158, Certification Path Building.
You get the result of path validation with SSL_get_verify_result.
Certificate Names
OpenSSL 1.0.2 an below requires you to verify the hostname matches a name listed in the certificate. Its a big topic, but the short of it is: any hostname or dns name needs to be present in the certifcate's Subject Alternative Name (SAN), and not the Common Name (CN). Also see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl? It provides a lot of background information on X.509 server certificates, how to present names, and where the various rules come from.
Effectively, you fetch the SANs with X509_get_ext_d2i(cert, NID_subject_alt_name, ...). Then you loop over the list and extract each name with sk_GENERAL_NAME_num. Then, you extract a GENERAL_NAME entry and ASN1_STRING_to_UTF8, and see if it matches the name you tried to connect to.
Below are the routines for printing the Subject Alternative Name (SAN) and the Common Name (CN). It came from the example on the OpenSSL wiki page.
void print_san_name(const char* label, X509* const cert)
{
int success = 0;
GENERAL_NAMES* names = NULL;
unsigned char* utf8 = NULL;
do
{
if(!cert) break; /* failed */
names = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0 );
if(!names) break;
int i = 0, count = sk_GENERAL_NAME_num(names);
if(!count) break; /* failed */
for( i = 0; i < count; ++i )
{
GENERAL_NAME* entry = sk_GENERAL_NAME_value(names, i);
if(!entry) continue;
if(GEN_DNS == entry->type)
{
int len1 = 0, len2 = -1;
len1 = ASN1_STRING_to_UTF8(&utf8, entry->d.dNSName);
if(utf8) {
len2 = (int)strlen((const char*)utf8);
}
if(len1 != len2) {
fprintf(stderr, " Strlen and ASN1_STRING size do not match (embedded null?): %d vs %d\n", len2, len1);
}
/* If there's a problem with string lengths, then */
/* we skip the candidate and move on to the next. */
/* Another policy would be to fails since it probably */
/* indicates the client is under attack. */
if(utf8 && len1 && len2 && (len1 == len2)) {
fprintf(stdout, " %s: %s\n", label, utf8);
success = 1;
}
if(utf8) {
OPENSSL_free(utf8), utf8 = NULL;
}
}
else
{
fprintf(stderr, " Unknown GENERAL_NAME type: %d\n", entry->type);
}
}
} while (0);
if(names)
GENERAL_NAMES_free(names);
if(utf8)
OPENSSL_free(utf8);
if(!success)
fprintf(stdout, " %s: <not available>\n", label);
}
void print_cn_name(const char* label, X509_NAME* const name)
{
int idx = -1, success = 0;
unsigned char *utf8 = NULL;
do
{
if(!name) break; /* failed */
idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
if(!(idx > -1)) break; /* failed */
X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, idx);
if(!entry) break; /* failed */
ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry);
if(!data) break; /* failed */
int length = ASN1_STRING_to_UTF8(&utf8, data);
if(!utf8 || !(length > 0)) break; /* failed */
fprintf(stdout, " %s: %s\n", label, utf8);
success = 1;
} while (0);
if(utf8)
OPENSSL_free(utf8);
if(!success)
fprintf(stdout, " %s: <not available>\n", label);
}
Verifying my self-signed certificate with openSSL
Because its your self-signed certificate, you can do even better than above. You have a priori knowledge of the host's public key. You can pin the public key, and just use the certificate to deliever the public key or as a presentation detail.
To pin the public key, see Public Key Pinning over at OWASP.
You should also avoid the IETF's RFC 7469, Public Key Pinning Extension for HTTP with Overrides. The IETF's rendition allows the attacker to break a known good pinset so the attacker can MitM the connection. They also suppress reporting the problem, so the user agent becomes complicit in the coverup.
How to read client certificate from server side using mbedtls(polarssl)?
I had a server that was coded using mbedtls(polarssl). I want to read the client certificate and fetch some information from that certificate. Can anyone know what function will be used to read client certificate?
I think you could use mbedtls_x509_crt_info which returns an informational string about the certificate.
You can get the peer certificate from the ssl session when the client connects and then print the info out.
mbedtls_ssl_context ssl;
...
mbedtls_x509_crt *crt = ssl.session->peer_cert;
unsigned char buf[1024];
int ret = mbedtls_x509_crt_info((char *) buf, sizeof( buf ) - 1, "", crt);
if( ret != -1 )
{
mbedtls_printf( "%s\n", buf );
}
I didn't test this, just checked the examples.
I'm creating a keychain and then I'm adding an item with predefined trusted aplication list to it:
SecKeychainCreate([keychainPath UTF8String], (UInt32)strlen(keychainPass), keychainPass, FALSE, NULL, &someKeychain);
OSStatus someStatus = SecKeychainItemCreateFromContent(kSecGenericPasswordItemClass, &list, len, encryptedPass, someKeychain, accessRef, &someKeychainItem);
When I open the newly created keychain with Keychain Access application, I can see my application on the trusted app list:
The problem is, when I try to read the key from that keychain through one of the trusted applications
SecKeychainUnlock(someKeychain, (UInt32)strlen(keychainPass), keychainPass, TRUE);
UInt32 passwordLen = 0;
void *passData = nil;
const char *cUser_name = [NSUserName() cStringUsingEncoding:NSUTF8StringEncoding];
OSStatus genericPassErr = SecKeychainFindGenericPassword(someKeychain, 0, NULL, strlen(cUser_name), cUser_name, &passwordLen, &passData, NULL);
genericPassErr equals -25293, which means
Error: 0xFFFF9D33 -25293 The user name or passphrase you entered is not correct.
Earlier in the code, I run SecKeychainSetUserInteractionAllowed(0), and if I comment this line out, I get prompted by the system for my permission for the application to access the keychain, and if I grant it, everything runs fine. However, the whole point is that I need to be able to do that without prompting the user. And I expect it to work like this since I added the app to the ACL. Do you know what am I doing wrong?
Everything works without prompt as well when I tick the "all programs have access to this item" radio box in the attached screenshot. But I don't want everyone to be able to access it, just the listed apps.
I was able to make a similar test program work. However, I had to remove and re-add the tool to the always allowed list after each time I had rebuilt it. I did get the same error code when not doing that.
Here's the code:
#import <Foundation/Foundation.h>
#import <Security/Security.h>
int main()
{
#autoreleasepool
{
SecKeychainRef kc;
OSStatus status = SecKeychainSetUserInteractionAllowed(false);
printf("status: %d\n", status);
status = SecKeychainOpen("/Users/tsnorri/Library/Keychains/test.keychain", &kc);
printf("status: %d\n", status);
{
char const *keychainPass = "test123";
status = SecKeychainUnlock(kc, (UInt32) strlen(keychainPass), keychainPass, true);
CFStringRef err = SecCopyErrorMessageString(status, NULL);
printf("status: %d err: %s\n", status, [(id) err UTF8String]);
CFRelease(err);
}
UInt32 passwordLen = 0;
void *passData = NULL;
char const *userName = "tsnorri";
char const *serviceName = "test";
{
SecKeychainItemRef item = NULL;
status = SecKeychainFindGenericPassword(kc, strlen(serviceName), serviceName, strlen(userName), userName, &passwordLen, &passData, &item);
CFStringRef err = SecCopyErrorMessageString(status, NULL);
printf("status: %d err: %s\n", status, [(id) err UTF8String]);
CFRelease(err);
}
printf("pass: %s\n", passData);
}
return 0;
}
I need to have a Win32 application load a hard coded AES-256 key, ideally using the WinCrypt.h methods. I've got my key in an unsigned char[32] but I can't find the correct format of a key blob to pass to CryptImportKey. Everything seems to give me invalid parameter errors. Is there any way to do this?
(Also important is how to set IV in WinCrypt. I can't see how to do that at all)
Solved it. I was using the wrong bType and using 256 for keySize instead of 32.
BYTE myPrivateKey[] =
{1,2,3,4,5,6,7,8,9,10,
11,12,13,14,15,16,17,18,19,20,
21,22,23,24,25,26,27,28,29,30,
31,32};
BYTE myIV[] =
{1,2,3,4,5,6,7,8,9,10,
11,12,13,14,15,16};
struct aes256keyBlob
{
BLOBHEADER hdr;
DWORD keySize;
BYTE bytes[32];
} blob;
blob.hdr.bType = PLAINTEXTKEYBLOB;
blob.hdr.bVersion = CUR_BLOB_VERSION;
blob.hdr.reserved = 0;
blob.hdr.aiKeyAlg = CALG_AES_256;
blob.keySize = 32;
memcpy(blob.bytes, myPrivateKey, 32);
HCRYPTKEY hKey;
if (CryptImportKey(hCryptProv, (BYTE*)&blob, sizeof(aes256keyBlob), NULL, 0, &hKey))
{
if(CryptSetKeyParam(hKey, KP_IV, myIV, 0))
{
//do decryption here
}
else{/*error*/}
CryptDestroyKey(hKey);
}
else{/*error*/}