Ron and all,

I just published a framework for decoding and decrypting PKCS12 files, in order to gain access to the private key. It is pretty hackish, since I assume encryption algorithms, the private key is RSA and the like, but it works for the example file you gave me, Ron.

Load all current packages from the repository and then run:

    (Pkcs12PrivateKeyFileReader fromFile: pkcs12FileName) asPrivateKey

and it will return the RSAPrivateKey. That KDF was a bitch!

cheers,
Robert
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

Oh, yeah. You may want to run Pkcs12PFX initialize to make sure the ASN1 gets defined.

R

On Mar 30, 2007, at 10:24 AM, Robert Withers wrote:

In reply to this post by Rob Withers
Hey Rob,

That's terrific!!

Now I get it. The PKCS-12 file was the file that I exported from MS IIE. I thought you were talking about the signed CSR, that I sent you.

Did you catch the comments on the TLS list? I'm almost done with RC2 but do we really need it? I see suggestions that we shouldn't use it. (I'll probably finish it anyway, but I don't suggest we add it to supporteSuites on SSL.)

Ron

> -----Original Message-----
> From: Robert Withers [mailto:[hidden email]]
> Sent: Friday, March 30, 2007 1:25 PM
> To: Ron Teitelbaum
> Cc: Cryptography Team Development List
> Subject: PKCS-12 support in X509

Yeah, the PKCS-12 file which you exported, holds the privateKey of your Certificate in encrypted form. Since you'll want to set up your SSL Server with Certificate-PrivateKey pairs, especially since the test certificate has expired, we needed a way to get the privateKey from the PKCS-12 file. This is it.

The structure of a PKCS-12 file is bizarre. Here is an attempt at a representation, in order to talk about RC2. The structure looks like:

ASN1 encoded PFX
  - PkcsContentInfo of type data
    - content: ASN1 encoded AuthSafe, a sequence of PkcsContentInfos
      - first PkcsContentInfo of type data
        - content: ASN1 encoded sequence of Pkcs12SafeBags
          - first Pkcs12SafeBag
            - bagValue: Pkcs8EncryptedPrivateKeyInfo
              - encrypted Pkcs8PrivateKeyInfo, encrypted with 3DES-CBC
                - encryptionAlgorithm: 3DES-CBC, params holds the salt and iterations
                - encryptedData: hold the ASN1 encoded RSAPrivateKey
      - second PkcsContentInfo of type encrypted
        - content: PkcsEncryptedData
          - encryptedContentInfo: PkcsEncryptedContentInfo
            - contentEncryptionAlgorithm: 40BitRC2, params holds the salt and iterations
            - encryptedContent: contents unknown

As you can see, there are 2 ContentInfos.

The first is plaintext, so I thought, until ASN1 type mappings showed it holds an EncryptedPrivateKeyInfo. I can decrypt 3DES-CBC, once I derived the keys from the KDF. That was a bitch to write, but I got it and it just worked.

The second is EncryptedData, so I thought that is the one that needs decoding, but it seems we are ok, pending a test of the PrivateKey with the corresponding PublicKey. This one is encrypted with RC2 so I thought we needed it. Maybe not. I did see the traffic on TLS, so it's old. Funny that it is being used, still. I wonder what data is inside of there - probably some SafeBags of some kind or another. But I would stop working on RC2 if I were you.

Robert

On Mar 30, 2007, at 10:39 AM, Ron Teitelbaum wrote:

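Added example, not part of the thread and not the Squeak package's code: a Python implementation of the password-based key derivation that PKCS #12 defines (RFC 7292, Appendix B.2), which turns the password plus the salt and iteration count stored in the encryptionAlgorithm params into the 3DES key and IV. It assumes the 3DES-CBC scheme mentioned above is pbeWithSHAAnd3-KeyTripleDES-CBC with SHA-1; the function names are made up for illustration.

```python
import hashlib

def pkcs12_kdf(password, salt, iterations, purpose, n):
    """RFC 7292 Appendix B.2 with SHA-1: purpose 1 = key, 2 = IV, 3 = MAC key."""
    u, v = 20, 64  # SHA-1 output size and block size, in bytes
    # The password is a BMPString (UTF-16BE) with a two-byte NUL terminator.
    pw = password.encode("utf-16-be") + b"\x00\x00"

    def fill(data):  # repeat data up to the next multiple of v bytes
        size = v * -(-len(data) // v)
        return (data * (size // len(data) + 1))[:size] if data else b""

    diversifier = bytes([purpose]) * v
    block = bytearray(fill(salt) + fill(pw))
    out = b""
    while len(out) < n:
        a = diversifier + bytes(block)
        for _ in range(iterations):
            a = hashlib.sha1(a).digest()
        out += a
        # Feed the hash back: each v-byte chunk becomes (chunk + B + 1) mod 2^(8v).
        b = int.from_bytes((a * (v // u + 1))[:v], "big")
        for j in range(0, len(block), v):
            chunk = (int.from_bytes(block[j:j + v], "big") + b + 1) % (1 << (8 * v))
            block[j:j + v] = chunk.to_bytes(v, "big")
    return out[:n]

def derive_3des(password, salt, iterations):
    """Key and IV for pbeWithSHAAnd3-KeyTripleDES-CBC (assumed scheme): 24 + 8 bytes."""
    return (pkcs12_kdf(password, salt, iterations, 1, 24),
            pkcs12_kdf(password, salt, iterations, 2, 8))
```

The same function with a 5-byte output length yields the key for a 40-bit RC2 scheme, which is why that second ContentInfo offers so little protection.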
Oops, that should be:

ASN1 encoded PFX
  - PkcsContentInfo of type data
    - content: ASN1 encoded AuthSafe, a sequence of PkcsContentInfos
      - first PkcsContentInfo of type data
        - content: ASN1 encoded sequence of Pkcs12SafeBags
          - first Pkcs12SafeBag
            - bagValue: Pkcs8EncryptedPrivateKeyInfo
              - encryptionAlgorithm: 3DES-CBC, params holds the salt and iterations
              - encrypted Pkcs8PrivateKeyInfo, encrypted with 3DES-CBC
                - privateKey: hold the ASN1 encoded RSAPrivateKey
      - second PkcsContentInfo of type encrypted
        - content: PkcsEncryptedData
          - encryptedContentInfo: PkcsEncryptedContentInfo
            - contentEncryptionAlgorithm: 40BitRC2, params holds the salt and iterations
            - encryptedContent: contents unknown

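Added example, not code from the thread: a small Python DER walker that lists the password-based encryption schemes inside a PFX, so a file laid out like the tree above (3DES for the key bag, 40-bit RC2 for the second ContentInfo) can be audited without decrypting anything. The sample PFX is constructed inline with filler salts and ciphertext, the helper names are made up for illustration, and only definite-length DER is handled.

```python
PBE = {  # DER OID bodies (1.2.840.113549.1.12.1.x) -> (name, key bits)
    bytes.fromhex("2a864886f70d010c0103"): ("pbeWithSHAAnd3-KeyTripleDES-CBC", 168),
    bytes.fromhex("2a864886f70d010c0106"): ("pbeWithSHAAnd40BitRC2-CBC", 40)}

def der(tag, *parts):  # minimal DER encoder, only used to build the sample
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def walk(buf):
    """Yield (tag, value) depth-first; malformed DER raises ValueError/IndexError."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("length overruns buffer")
        val, i = buf[i:i + n], i + n
        yield tag, val
        nested = tag == 0x04 and val[:1] == b"\x30"  # DER wrapped in an OCTET STRING
        try:
            inner = list(walk(val)) if tag & 0x20 or nested else []
        except (ValueError, IndexError):
            if not nested:
                raise
            inner = []  # opaque bytes that merely start with 0x30
        yield from inner

def pbe_algorithms(pfx):
    """Return [(name, key_bits, iterations)] for each PBE AlgorithmIdentifier."""
    items = list(walk(pfx))
    # The parameters follow the OID: SEQUENCE { OCTET STRING salt, INTEGER iterations }
    return [(*PBE[v], next(int.from_bytes(x, "big") for t, x in items[i + 1:] if t == 0x02))
            for i, (tag, v) in enumerate(items) if tag == 0x06 and v in PBE]

# Constructed sample shaped like the tree above; salts and ciphertext are filler.
oid = lambda h: der(0x06, bytes.fromhex(h))
DATA, ENCRYPTED = oid("2a864886f70d010701"), oid("2a864886f70d010706")
alg = lambda last, salt: der(0x30, oid("2a864886f70d010c01" + last),
                             der(0x30, der(0x04, salt), der(0x02, b"\x08\x00")))
key_bag = der(0x30, oid("2a864886f70d010c0a0102"),
              der(0xA0, der(0x30, alg("03", b"\x11" * 8), der(0x04, b"\xaa" * 16))))
safe1 = der(0x30, DATA, der(0xA0, der(0x04, der(0x30, key_bag))))
safe2 = der(0x30, ENCRYPTED, der(0xA0, der(0x30, der(0x02, b"\x00"),
            der(0x30, DATA, alg("06", b"\x22" * 8), der(0x80, b"\xbb" * 16)))))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03"),
                 der(0x30, DATA, der(0xA0, der(0x04, der(0x30, safe1, safe2)))))
```

Filtering the result of `pbe_algorithms` on the key-bits column is enough to flag stores that still carry a 40-bit RC2 section.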
In reply to this post by Rob Withers
Rob,

The rest must be the TBSCertificate itself. I wonder if I had a choice when I exported it. I know there is a setting for advanced encryption, but I didn't use that because I thought this would be easier to work with :). I wonder what the other format is. I should have RC2 done soon. I guess then we'll see.

I was able to get my new cert working. All I had to do was replace my X509 cert with the renewal .pem file. The private and public keys were the same. (I just decoded the .pem file, and replaced the bytes in the test store using your x509 from bytes method, it was an ASN.1 x509 structure)

I guess what I'm hoping to get from all this is a CSR from Squeak, the ability to read a response from a CA, and a way to install that cert in squeak. Since we can now read PKCS-12 I assume we can write out a file in that format. Then all that needs to happen is that when we start the ssl server we read the file, ask for the password and it's running. We should store the private key in my KeyHolder. Then it is safely stored on disk encrypted, and in memory encrypted but usable by the system. (we could add instructions about protecting the file using the os in our security doc, once we have one!)

Ron

> -----Original Message-----
> From: Robert Withers [mailto:[hidden email]]
> Sent: Friday, March 30, 2007 2:13 PM