I am trying to calculate the b= string in the DKIM-Signature for a e-mail message. However I am getting no luck with the methodes available.
I have created a RSACryptoServiceProvider and imported a private key using the fromXMLString option.
creating a signature from a hash and verifying it works fine.
Dim hashdata As Byte() = Encoding.ASCII.GetBytes(headers.ToString)
Dim signature As Byte() = RSA.SignData(hashdata, CryptoConfig.MapNameToOID("SHA256"))
If RSA.VerifyData(hashdata, "SHA256", signature) = True Then
headers.AppendLine("Signature: RSA-SHA256 ")
Else
headers.AppendLine("Signature: None")
End If
The above code verifies the signature, but the DKIM does not pass valid as a whole.
I have seen a example of bouncyCastle "
ISigner sig = SignerUtilities.GetSigner("SHA256WithRSAEncryption");
But I cant use this in my programming.
Can someone help me on the way on how to properly sign a canonicalized header for dkim purpose ?
Related
I have an old running application. This application connect to Oracle NetSuite and send JSON data. It is written in VB.net and works fine. This application uses SHA1 to make authentication headers. I need to alter application to use SHA256 instead of SHA1. I tried Google and found few articles in python and C# but unfortunately there conversion in VB.net did not work here. Can someone kindly help to make this heading making process with SHA256 encryption. The current code is as below;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 Or SecurityProtocolType.Tls11 Or SecurityProtocolType.Tls
Dim url As New Uri("https://xxxxxx.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=999&deploy=1")
Dim timestamp = OAuthBase.GenerateTimeStamp()
Dim nonce = OAuthBase.GenerateNonce()
Dim ckey = "01234" '//Consumer Key
Dim csecret = "56789" '// Consumer Secret
Dim tkey = "43210" '// Token ID
Dim tsecret = "98765" '// Token Secret
Dim Signature = OAuthBase.GenerateSignature(url, ckey, csecret, tkey, tsecret, "POST", timestamp, nonce)
If (Signature.Contains("+")) Then
Signature = Signature.Replace("+", "%3D")
End If
Dim header As String = "Authorization: OAuth "
header += "oauth_signature=""" & Signature & ""","
header += "oauth_version=""1.0"","
header += "oauth_nonce=""" & nonce & ""","
header += "oauth_signature_method=""HMAC-SHA1"","
header += "oauth_consumer_key=""" & ckey & ""","
header += "oauth_token=""" & tkey & ""","
header += "oauth_timestamp=""" & timestamp & ""","
header += "realm=""xxxxxx"""
Thanks for your time.
The publicly available documentation for the library you are using only creates signatures in SHA1
see https://developer.tracesmart.co.uk/smartlink/example/vbnet-oauth-library for the code
You could take that and adapt it to use SHA256
System.Security.Cryptography contains an SHA256 class so the work shouldn't be too effortful.
I made the SHA1 -> SHA256 change for my node based library with just two changes. Your effort should be relatively the same.
I'm programming an application in my company, and there is a file watcher:
fsw.NotifyFilter = (NotifyFilters.Security Or NotifyFilters.LastAccess Or NotifyFilters.LastWrite)
AddHandler fsw.Changed, New FileSystemEventHandler(AddressOf OnChanged)
AddHandler fsw.Created, AddressOf OnChanged
AddHandler fsw.Renamed, AddressOf OnRenamed
AddHandler fsw.Deleted, AddressOf OnChanged
But I want to protect some files from users by send it in skype, messanger oruploading it to any cloud.
Ex. I have an dgg file it open with dogland.exe, I want to make this .dgg extension to just with this app and encrypt and protect it from other programs to read this file.
What is the best way to protect this file?
I'm using vb.net, 4.6.1
You're not going to be able to stop a user with admin rights on their machine from sending a file if they want to, so you're right that the answer is to make it useless elsewhere.
Before answering your question, I want to address two key points:
Security comes in different levels. When it comes to information security, the level of protection you achieve corresponds with how much work you put into it;
You cannot not stop a skilled, determined attacker, because there is always a weakness somewhere. All you can do is making their job harder. You must decide what risk profile you're willing to assume and the level of effort that is warranted.
That said, the absolute simplest method is symmetric encryption, where your program uses the same key to both encrypt and decrypt. This is vulnerable to someone examining your code and retrieving the key, but it will stop most casual attempts.
To try it, put this in the main form:
Private Function Encrypt3DES(plainText As String, pw As String) As String
Dim wrapper As New Simple3Des(pw)
Dim cipherText As String = wrapper.EncryptData(plainText)
Return cipherText
End Function
Private Function Decrypt3DES(cipherText As String, pw As String, ByRef plainText As String) As Boolean
Dim wrapper As New Simple3Des(pw)
' DecryptData throws if the wrong password is used.
Try
plainText = wrapper.DecryptData(cipherText)
Return True
Catch ex As System.Security.Cryptography.CryptographicException
Return False
End Try
End Function
And this goes in a helper module:
Imports System.Security.Cryptography
Public NotInheritable Class Simple3Des
Private TripleDes As New TripleDESCryptoServiceProvider
Sub New(ByVal key As String)
' Initialize the crypto provider.
TripleDes.Key = TruncateHash(key, TripleDes.KeySize \ 8)
TripleDes.IV = TruncateHash("", TripleDes.BlockSize \ 8)
End Sub
Private Function TruncateHash(
ByVal key As String,
ByVal length As Integer) As Byte()
Dim sha1 As New SHA1CryptoServiceProvider
' Hash the key.
Dim keyBytes() As Byte =
System.Text.Encoding.Unicode.GetBytes(key)
Dim hash() As Byte = sha1.ComputeHash(keyBytes)
' Truncate or pad the hash.
ReDim Preserve hash(length - 1)
Return hash
End Function
Public Function EncryptData(
ByVal plaintext As String) As String
' Convert the plaintext string to a byte array.
Dim plaintextBytes() As Byte =
System.Text.Encoding.Unicode.GetBytes(plaintext)
' Create the stream.
Dim ms As New System.IO.MemoryStream
' Create the encoder to write to the stream.
Dim encStream As New CryptoStream(ms,
TripleDes.CreateEncryptor(),
System.Security.Cryptography.CryptoStreamMode.Write)
' Use the crypto stream to write the byte array to the stream.
encStream.Write(plaintextBytes, 0, plaintextBytes.Length)
encStream.FlushFinalBlock()
' Convert the encrypted stream to a printable string.
Return Convert.ToBase64String(ms.ToArray)
End Function
Public Function DecryptData(
ByVal encryptedtext As String) As String
Try
' Convert the encrypted text string to a byte array.
Dim encryptedBytes() As Byte = Convert.FromBase64String(encryptedtext)
' Create the stream.
Dim ms As New System.IO.MemoryStream
' Create the decoder to write to the stream.
Dim decStream As New CryptoStream(ms,
TripleDes.CreateDecryptor(),
System.Security.Cryptography.CryptoStreamMode.Write)
' Use the crypto stream to write the byte array to the stream.
decStream.Write(encryptedBytes, 0, encryptedBytes.Length)
decStream.FlushFinalBlock()
' Convert the plaintext stream to a string.
Return System.Text.Encoding.Unicode.GetString(ms.ToArray)
Catch ex As Exception
Return ""
End Try
End Function
End Class
To implement the above code, just call the encrypt method on your data before writing it to your file:
Dim encdata = Encrypt3DES(PlainTextStringToEncrypt, password)
' Write encdata to file...
And you invoke Decrypt3DES to decrypt the data after you load it from your file:
Dim DecodedData as string = ""
If Decrypt3DES(EncryptedData, Password, DecodedData) = True Then
'Do something with DecodedData
End If
This is probably the simplest solution, but the word 'best' is relative in information security. You need to tailor your level of effort to the value of the information that you are trying to protect and the risk profile of having it exposed. You can do either too much or too little.
You could make this method stronger by not storing the encryption key locally but retrieving it at runtime from a server and clearing it from memory immediately after use. Or, you can encrypt the encryption password, so the actual password itself isn't visible in a disassembler and extra work is needed to get it. There are a thousand things you could do - hopefully this give you a starting point.
If you wanted to get more advanced, you could look into certificate-based signing and/or server-based controls that the user has no access to manipulate. It's all a question of how much the information is worth protecting.
DISCLAIMER: I don't warrant this to be fit for any particular purpose. This may or may not be suitable for your needs. Do your own research and ensure that any security mechanisms are fit for your purpose.
-Issue Resolved
On Live accounts that Use Embedded Signing, The Account Manager will need to either disable In Session or apply the accounts X.509 Certificate.
There is no way to bypass without the DocuSign Account Managers/Customer Support making updates to non forward facing settings.
-Using SOAP API in a VB.NET application.
I have recently moved our application to live after endless testing on the staging environment. Everything is working as expected except when I get too opening the recipient signature page.
When I make the RequestRecipientToken call I receive the error "One or both of Username and Password are invalid."
The API log give me 00_Internal Server Error_RequestRecipientToken.txt
the log doesn't really give me any info just shows that call.
I know this all works on staging, and I have tried to have all my account settings the same on both environments.
After looking all over I saw that X509 Certificate was recommended, so I added this last line in my DSAPI
-update code:
Protected Overrides Function GetWebRequest(uri As Uri) As WebRequest
IntegratorKey = SettingsHelper.sIntegrationKey
Password = SettingsHelper.sAPIPassword
Username = SettingsHelper.sAPIUserName
Dim r As System.Net.HttpWebRequest = MyBase.GetWebRequest(uri)
r.Headers.Add("X-DocuSign-Authentication", "<DocuSignCredentials><Username>" & Username & "</Username><Password>" & Password & "</Password><IntegratorKey>" & IntegratorKey & "</IntegratorKey></DocuSignCredentials>")
Dim store As X509Store = New X509Store(StoreName.My, StoreLocation.CurrentUser)
store.Open(OpenFlags.ReadOnly)
Dim certs As X509Certificate2Collection = store.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, <{OUR VALUE}>, False)
Dim cert As New X509Certificate2
If certs.Count > 0 Then
cert = certs(0)
Dim securityToken = New X509SecurityToken(cert)
r.ClientCertificates.Add(securityToken.Certificate)
End If
store.Close()
Return r
End Function
This did not help.
Any help would be appreciated.
I'm working with an S3 target that I think is requiring V2 signature authentication, but I have been unable for the life of me to get this working.
I'm using the Sprightlysoft AWS component.
'create an instance of the REST class
Dim MyREST As New SprightlySoftAWS.REST
Dim RequestURL As String
'Build the URL to call. Do not specify a bucket name or key name when listing all buckets
RequestURL = MyREST.BuildS3RequestURL(True, "s3target.com", "", "", "")
Dim RequestMethod As String
RequestMethod = "GET"
Dim ExtraRequestHeaders As New Dictionary(Of String, String)
'add a date header
ExtraRequestHeaders.Add("x-amz-date", DateTime.UtcNow.ToString("r"))
Dim AuthorizationValue As String
'generate the authorization header value
AuthorizationValue = MyREST.GetS3AuthorizationValue(RequestURL, RequestMethod, ExtraRequestHeaders, TextBoxAWSAccessKeyId.Text, TextBoxAWSSecretAccessKey.Text)
'add the authorization header
ExtraRequestHeaders.Add("Authorization", AuthorizationValue)
'call MakeRequest to submit the REST request
Dim RetBool As Boolean
RetBool = MyREST.MakeRequest(RequestURL, RequestMethod, ExtraRequestHeaders, "")
The error message I get is:
"The AWS Access Key ID and Signature did not match your provided.
Please check your key and signing method"
According to errors and my research, it would seem that the target is requiring a v2 signature, and there seems to be a v2 signature function available, within the Sprightlysoft AWS component.
https://sprightlysoft.com/AWSComponent/Help/html/2605bafc-43dc-df45-7700-bd2fd74e1505.htm
Public Function GetSignatureVersion2Value (RequestURL As String, RequestMethod As String, SendData As String, AWSSecretAccessKey As String ) As String
I've tried to get this working, but I'm just guessing to how/where this needs to be used. I wondered if someone may know how to use this so I can authenticate properly, if this is indeed the missing piece of the puzzle.
I'm using vb.net (4.0) to interact with the DocuSign API. I'm trying to make a process that allows a user to add 30 days to the current expiration date instead of logging into DocuSign.net to correct the envelope. The code seems to work fine (doesn't throw any errors) but the correction doesn't happen on DocuSign's side.
Me.EnvelopeID is the Envelope's ID
DocuService is the namespace of the DocuSign API Service Reference.
Me.AuthorizationString is the Username, Password, Account# and Integrator Key to send as HTTP headers.
Private Sub UpdateExpiration()
'Get envelope details
Dim orig As DocuService.Envelope = ExecuteSoap(Function(client) client.RequestEnvelope(Me.EnvelopeID, False), Me.AuthorizationString)
Dim cor As New DocuService.Correction
cor.EnvelopeID = Me.EnvelopeID
cor.Reminders = orig.Notification.Reminders
cor.Expirations = orig.Notification.Expirations
cor.Expirations.ExpireAfter = (Integer.Parse(orig.Notification.Expirations.ExpireAfter) + 30)
'Execute Correction
Dim cord As DocuService.CorrectionStatus = Me.ExecuteSoap(Function(client) client.CorrectAndResendEnvelope(cor), Me.AuthorizationString)
'If I add a break point on the next line and check the values of cord,
'there is a returned CorrectionStatus object but every property in the object is "Nothing"
Dim check As DocuService.Envelope = ExecuteSoap(Function(client) client.RequestEnvelope(Me.EnvelopeID, False), Me.AuthorizationString)
Console.WriteLine(check.Notification.Expirations.ExpireAfter & " " & (Integer.Parse(orig.Notification.Expirations.ExpireAfter) + 30))
If check.Notification.Expirations.ExpireAfter = (Integer.Parse(orig.Notification.Expirations.ExpireAfter)) Then
'Success :)
MsgBox("success!")
Else
'Failure :(
MsgBox("failure!")
End If
End Sub
Private Function ExecuteSoap(Of TResult)(func As Func(Of DSAPIServiceSoapClient, TResult), authorizationString As String) As TResult
Using client As New DocuService.DSAPIServiceSoapClient(My.Settings.DocusignMode)
Using scope As OperationContextScope = New System.ServiceModel.OperationContextScope(client.InnerChannel)
Dim hp As HttpRequestMessageProperty = New HttpRequestMessageProperty
hp.Headers.Add("X-Docusign-Authentication", authorizationString)
OperationContext.Current.OutgoingMessageProperties(HttpRequestMessageProperty.Name) = hp
Return If(func IsNot Nothing, func(client), Nothing)
End Using
End Using
End Function
We use the same ExecuteSOAP function and AuthorizationString to create & send envelops, and do recipient updates so I know these are correct. I'm not sure whats wrong!
This is most likely 1 of 3 possibilities.
I'm surprised its not error-ing out, but you should not be putting your accountId in the http auth header. See page 19 the SOAP PDF guide:
http://www.docusign.com/sites/default/files/DocuSignAPI_Guide.pdf
There is something else not configured correctly with your SOAP API call. Inspect your raw outgoing request and ensure the xml is what you expect. Post the raw request here if not sure.
A bug with DocuSign. First rule out the other two options and if no dice still post a comment here and I can get a bug logged on DocuSign's side. Also a good test would be to make the correction call through the REST api to see if you can get that to work.