Tag: openssl

PKI

GnuTLS Certificate Authority Commands

Post author By sskaje
Post date December 6, 2015
No Comments on GnuTLS Certificate Authority Commands

By @sskaje
Link: https://sskaje.me/2015/12/gnutls-certificate-authority-commands/

Apple has its own certtool, GnuTLS’ certtool is renamed as gnutls-certtool in MacPorts.

Create Private Key

GnuTLS

gnutls-certtool --generate-privkey --bits 2048 --outfile text.key

1	gnutls-certtool --generate-privkey --bits 2048 --outfile text.key

OpenSSL

openssl genrsa -out test.key 2048

1	openssl genrsa -out test.key 2048

Create Certificate Request

GnuTLS

You can also create your own template file rather than filling interactively.

gnutls-certtool --generate-request --load-privkey test.key --outfile test.csr
Generating a PKCS #10 certificate request...
Common name: 
Organizational unit name: 
Organization name: 
Locality name: 
State or province name: 
Country name (2 chars): 
Enter the subject's domain component (DC): 
UID: 
Enter a dnsName of the subject of the certificate: 
Enter a URI of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): 
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): 
Is this a TLS web client certificate? (y/N): 
Is this a TLS web server certificate? (y/N): 
Self signature: verified

gnutls-certtool --generate-request --load-privkey test.key --outfile test.csr

Generating a PKCS #10 certificate request...

Common name:

Organizational unit name:

Organization name:

Locality name:

State or province name:

Country name (2 chars):

Enter the subject's domain component (DC):

UID:

Enter a dnsName of the subject of the certificate:

Enter a URI of the subject of the certificate:

Enter the IP address of the subject of the certificate:

Enter the e-mail of the subject of the certificate:

Enter a challenge password:

Does the certificate belong to an authority? (y/N):

Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):

Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):

Is this a TLS web client certificate? (y/N):

Is this a TLS web server certificate? (y/N):

Self signature: verified

OpenSSL

openssl req -new  -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

openssl req -new -key test.key -out test.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Sign request

GnuTLS

 gnutls-certtool --generate-certificate --load-request sskaje.csr --load-ca-certificate ~/Documents/CA/USER\ CA/user_ca.pem  --load-ca-privkey  ~/Documents/CA/USER\ CA/user_ca.key --template sskaje.tmpl --outfile tmp.pem

1	gnutls-certtool --generate-certificate --load-request sskaje.csr --load-ca-certificate ~/Documents/CA/USER\ CA/user_ca.pem --load-ca-privkey ~/Documents/CA/USER\ CA/user_ca.key --template sskaje.tmpl --outfile tmp.pem

OpenSSL

I don’t like openssl.cnf!

Show certificate information

GnuTLS

gnutls-certtool --certificate-info --infile sskaje-cert.pem

1	gnutls-certtool --certificate-info --infile sskaje-cert.pem

OpenSSL

openssl x509 -in sskaje-cert.pem -text

1	openssl x509 -in sskaje-cert.pem -text

Export as A PKCS#12

GnuTLS

gnutls-certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12
# with ca
gnutls-certtool  --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

gnutls-certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

# with ca

gnutls-certtool --load-ca-certificate ca.pem --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile key.p12

OpenSSL

openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -out sskaje.p12 
# with ca
openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -certfile user_ca.pem -out sskaje.p12

openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -out sskaje.p12

# with ca

openssl pkcs12 -export -in sskaje-cert.pem -inkey sskaje-key.pem -certfile user_ca.pem -out sskaje.p12

Extract Keys And Certificates from PKCS#12

GnuTLS

I don’t know how…
You can manually copy from –p12-info

OpenSSL

openssl pkcs12 -in certificate.p12 -nodes -nocerts -out user_ca.key
openssl pkcs12 -in certificate.p12 -nodes -nokeys -out user_ca.pem

1 2	openssl pkcs12 -in certificate.p12 -nodes -nocerts -out user_ca.key openssl pkcs12 -in certificate.p12 -nodes -nokeys -out user_ca.pem

Show PKCS#12 Structure

GnuTLS

gnutls-certtool --inder --infile clients/sskaje/sskaje.p12 --p12-info

1	gnutls-certtool --inder --infile clients/sskaje/sskaje.p12 --p12-info

OpenSSL

openssl pkcs12 -in clients/sskaje/sskaje.p12 -info

1	openssl pkcs12 -in clients/sskaje/sskaje.p12 -info

GnuTLS Certificate Authority Commands by @sskaje: https://sskaje.me/2015/12/gnutls-certificate-authority-commands/

Incoming search terms:

macports /gnutls/portfile

Tags certtool, GnuTLS, openssl, pki

PHP

PHP解密AES

By @sskaje
Link: https://sskaje.me/2015/02/php-aes-encrypt-decrypt/

分析某客户端协议，发现如下代码：

      SecretKey localSecretKey = SecretKeySpec(paramArrayOfByte, "AES");
      Cipher localCipher = Cipher.getInstance("AES");
      localCipher.init(2, localSecretKey);
      byte[] arrayOfByte = localCipher.doFinal(paramArrayOfByte);

SecretKey localSecretKey = SecretKeySpec(paramArrayOfByte, "AES");

Cipher localCipher = Cipher.getInstance("AES");

localCipher.init(2, localSecretKey);

byte[] arrayOfByte = localCipher.doFinal(paramArrayOfByte);

这个和之前分析航旅纵横客户端时的代码类似，都是128位ECB。
当时只是用openssl看了看请求：

 openssl aes-128-ecb -d -in packet.aes -out packet.txt -a -K KEY_IN_HEX

1	openssl aes-128-ecb -d -in packet.aes -out packet.txt -a -K KEY_IN_HEX

于是参考mcrypt的文档，写了简单的代码实现上边Java代码里的AES 128 ECB加密解密

<?php
class aes_128_ecb
{
    protected function prepare_key($key)
    {
        $new_key = array_fill(0, 16, 0);
        for ($i=0; isset($key[$i]); $i++) {
            $new_key[$i % 16] ^= ord($key[$i]);
        }

        $key_text = '';
        foreach ($new_key as $c) {
            $key_text .= chr($c);
        }
        return $key_text;
    }

    public function decrypt($key, $cipher)
    {
        $key = $this->prepare_key($key);
        return rtrim(
            mcrypt_decrypt(
                MCRYPT_RIJNDAEL_128,
                $key,
                $cipher,
                MCRYPT_MODE_ECB,
                ''
            ),
            "\x00..\x1F"
        );
    }

    public function encrypt($key, $plain)
    {
        $key = $this->prepare_key($key);

        $pad_value = 16 - strlen($plain) % 16;
        if ($pad_value != 16) {
            $plain .= str_repeat(chr($pad_value), $pad_value);
        }

        return mcrypt_encrypt(
            MCRYPT_RIJNDAEL_128,
            $key,
            $plain,
            MCRYPT_MODE_ECB,
            mcrypt_create_iv(
                mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB),
                MCRYPT_DEV_URANDOM
            )
        );
    }
}

<?php

class aes_128_ecb

{

protected function prepare_key($key)

{

$new_key = array_fill(0, 16, 0);

for ($i=0; isset($key[$i]); $i++) {

$new_key[$i % 16] ^= ord($key[$i]);

}

$key_text = '';

foreach ($new_key as $c) {

$key_text .= chr($c);

}

return $key_text;

}

public function decrypt($key, $cipher)

{

$key = $this->prepare_key($key);

return rtrim(

mcrypt_decrypt(

MCRYPT_RIJNDAEL_128,

$key,

$cipher,

MCRYPT_MODE_ECB,

"\x00..\x1F"

);

}

public function encrypt($key, $plain)

{

$key = $this->prepare_key($key);

$pad_value = 16 - strlen($plain) % 16;

if ($pad_value != 16) {

$plain .= str_repeat(chr($pad_value), $pad_value);

}

return mcrypt_encrypt(

MCRYPT_RIJNDAEL_128,

$key,

$plain,

MCRYPT_MODE_ECB,

mcrypt_create_iv(

mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB),

MCRYPT_DEV_URANDOM

)

);

}

PHP解密AES by @sskaje: https://sskaje.me/2015/02/php-aes-encrypt-decrypt/

Incoming search terms:

Tags AES, aes 128, aes ecb, mcrypt, openssl, php, php aes, php aes 128, php aes 128 ecb, php aes ecb, php aes ecb 128, php mcrypt

OS X PKI 学习研究笔记

Generate Certificate with GnuTLS and Sign with OpenSSL

Post author By sskaje
Post date February 6, 2014
No Comments on Generate Certificate with GnuTLS and Sign with OpenSSL

By @sskaje
Link: https://sskaje.me/2014/02/generate-certificate-gnutls-sign-openssl/

In iOS IPSec VPN Server on Ubuntu, I create a local CA with openssl.
I’m setting up an OpenConnect VPN, which uses GnuTLS’s certtool generating ca and sign certificates.

I want to use share the same Root CA for both OpenSSL and GnuTLS, so I’m generating request from GnuTLS and signing with OpenSSL.
Apple has it’s own certtool different from GnuTLS, the MacPorts one is named as gnutls-certtool

Prepare

sskajetekiMacBook-Pro:CA sskaje$ mkdir gnutls
sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/

1 2	sskajetekiMacBook-Pro:CA sskaje$ mkdir gnutls sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/

Create private key

sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-privkey --outfile server-key.pem 
Generating a 2432 bit RSA private key...

1 2	sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-privkey --outfile server-key.pem Generating a 2432 bit RSA private key...

Generate Certificate with GnuTLS and Sign with OpenSSL by @sskaje: https://sskaje.me/2014/02/generate-certificate-gnutls-sign-openssl/

Incoming search terms:

certtool --generate-request

Tags CA, GnuTLS, gnutls sign, openssl, openssl sign

Apple OS X 笔记项目、研究

Export Profile from Apple Configurator and Sign

Post author By sskaje
Post date February 3, 2014
No Comments on Export Profile from Apple Configurator and Sign

By @sskaje
Link: https://sskaje.me/2014/02/export-profile-apple-configurator-sign/

Export Profile

1 Prepare -> Settings

Turn Supervision ON

Export Profile from Apple Configurator and Sign by @sskaje: https://sskaje.me/2014/02/export-profile-apple-configurator-sign/

Tags Apple Configurator, mobile profile, mobileconfig, openssl

Apple iOS 学习研究操作系统相关算法、协议逆向

Apple signed fake device attributes?

Post author By sskaje
Post date October 16, 2013
No Comments on Apple signed fake device attributes?

By @sskaje
Link: https://sskaje.me/2013/10/apple-signed-fake-device-attributes/

You are not authorised to read all content in this post.

Please login…

Apple signed fake device attributes? by @sskaje: https://sskaje.me/2013/10/apple-signed-fake-device-attributes/

Tags apple, curl, ios, jailbreak, openssl, pki, rce, Security, tech