The documentation says The signature is a PKCS #7 detached signature of the manifest file but how does one do that with openssl?
For Passbook I found these commands:
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -clcerts -nokeys -out ./certificate.pem
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -nocerts -out ./key.pem
openssl smime -passin pass:test -binary -sign -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature xs-outform DER
Also tried with the WWDR certificate:
openssl smime -passin pass:test -binary -sign -certfile ~/Downloads/AppleWWDRCA.cer -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature xs-outform DER
And zip it with:
zip -r ../example.zip . -x '*.DS_Store'
But I still get "Signature verification of push package failed".
I've also encounter such problem. After trying, I figured out the different openssl version will result in different size of signature for the same manifest file.
Originally, I was using openssl 1.0.2, 1.0.3 but with no luck, but after I downgrade my openssl version to 0.9.8zf 19 Mar 2015 then everything works fine, and my safari can recognize the push package (my safari version is 8.0.7 (10600.7.12), MAC OS: 10.10.4(14E46))
my openssl command is:
openssl smime -sign -in manifest.json -out signature -signer push.pem -certfile AppleWWDRCA.pem -binary -inkey push.key -outform der
Related
I needed to create a jave keystore and so I downloaded the latest version of openssl but kept getting:
keytool error: java.io.IOException: keystore password was incorrect
As well as windows telling me I had the wrong password if I tried to import the .p12. After hours of trying to get things to work I finally downloaded v1.1.1 and POW things just worked!
Problem solved! but why - why does OpenSSL v3.0.0 not work like v1.1.1?
C:\openssl3> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks300.p12
C:\openssl3> openssl pkcs12 -info -in ks300.p12
Enter Import Password:
<works fine>
...
</works fine>
C:\openssl3> keytool -list -v -keystore ks300.p12
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 6 more
then:
C:\openssl1.1.1> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks111.p12
C:\openssl1.1.1> openssl pkcs12 -info -in ks111.p12
<works fine />
C:\openssl1.1.1> keytool -list -v -keystore ks111.p12
Enter keystore password:
<works fine />
C:\openssl1.1.1> C:\openssl3\openssl pkcs12 -info -in ks111.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
5C200000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
C:\openssl1.1.1>openssl pkcs12 -info -in ks300.p12
<works fine>
Now that last one surprised me as I was collecting the output for this post, but yes the openssl1.1.1 read the openssl3 .p12 file fine but not the other way (openssl3 cannot read the openssl1.1.1 .p12). The keytool and windows kept complaining about the password for the openssl3 .p12 -- but COULD read the v1.1.1 one.
Is there some downward compatibility option I missed.
I seem to be the only person on the internet to run into this issue which usually means that I did something wrong.
some other data points:
C:\> Java --version
openjdk 11.0.2 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
C:\openssl3>openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
C:\openssl1.1.1>openssl version
OpenSSL 1.1.1l 24 Aug 2021
When I try to generate a key from a pfx certificate file, it creates an empty file
openssl pkcs12 -in test.pfx -nocerts -out test.key -nodes
I executed the command on git bash, Windows server 2019. The command seems to run without stoping because I can't type.
Thanks
You can see this error in console under this text. How to solve ssl error 02001003 ? i'm trying to update npm but it's not working...
http://imgur.com/a/AvW4J
Download and install Win64 OpenSSL v1.1.0e on https://slproweb.com/products/Win32OpenSSL.html
after install, go in this directory : C:\OpenSSL-Win64\bin
open cmd (command line) and type this line :
Set OPENSSL=C:\OpenSSL-Win64\bin\openssl.cfg
and finally type this :
openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout pri.pen -out pub.pen
reply questions to generate certificates public and private
You can watch this tutorial : https://www.youtube.com/watch?v=H8GxM9ApkYc
I am using wso2-emm 2.0.1 with ubuntu x64 system. While configuring the product I am getting one error in genrating .bks file for android agent certificate.
I've used this cmd:
keytool -noprompt -import -v -trustcacerts -alias 'openssl x509 -inform PEM -subject_hash -noout -in ca_cert.pem' -file ca_cert.pem -keystore emm_truststore.bks -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk16-146.jar -storepass 'wso2carbon'
And the correspoding errror is :
keytool error: java.io.IOException: Wrong version of key store.
java.io.IOException: Wrong version of key store.
at org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(Unknown Source)
Thanks in advance
I have LEMP and I'm trying to install PureFTPd and Quota. When I enter the following command:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 \
-keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
I have error:
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Unable to load config info from /usr/lib/ssl/openssl.cnf
I have this file:
find / -name openssl.cnf
/usr/lib/ssl/openssl.cnf
/etc/ssh/ssl/openssl.cnf
How can I fix this issue?
Ubuntu places openssl.cnf for the OpenSSL here
/usr/lib/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf will be used when you issue:
openssl s_client -connect example.com:443 -tls1 -example.com localhost