Digitally signing using PKCS#7 as a standard is working fine. But when I am trying to digitally sign document using PAdES as a standard, I am changing sub-Filter from ADBE_PKCS7_DETACHED to ETSI_CADES_DETACHED. But this leads to error Signer's certificate is invalid.
Am I missing something? Do I need to add more information while digitally sign document using PAdES as a standard?
Related
I built an Apereo CAS demo server with a WAR overlay (with which
different services should be authenticated).
I have set up delegated authentication with SAML2 (for integrating
with italian SPID system), following this guide
https://apereo.github.io/2019/02/25/cas61-delegate-authn-saml2-idp/
I copied the SP metadata to a IDP configuration.
This IDP is a test IDP instance, meant to check if SP metadata and the SAML request are ok.
When I run the server and I browse it,
I can see the second login form, but when I click it, the validation checks shows some errors.
Among them there is the following:
"The certificate must be signed with a valid algorithm."
"The certificate must not be signed using the SHA1 algorithm (deprecated)."
I am pretty sure that SHA-256 would be fine with the IDP validator.
In the documentation
https://apereo.github.io/cas/development/integration/Delegate-Authentication-SAML.html
I see that the following parameter should be in charge of specifying
the signing certificate algorithm:
cas.authn.pac4j.saml[].signature-algorithms:
Its description is
# Required: false
# Type: java.util.List<String>
# Owner: org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties
# Module: cas-server-support-pac4j-webflow
# Collection of signing signature algorithms, if any, to override the global defaults.
# cas.authn.pac4j.saml[].signature-algorithms:
I don't know what values are allowed there. I googled a lot but with no luck.
I have tried to set that list like this
cas.authn.pac4j.saml[0].signature-algorithms=["sha256WithRSAEncryption"],
cas.authn.pac4j.saml[0].signature-algorithms=["SHA256withRSA"] but,
after clicking the SAML login button, I always get the following
error:
org.pac4j.saml.exceptions.SAMLException: org.pac4j.saml.exceptions.SAMLException: Could not determine the signature parameters
at org.pac4j.saml.crypto.DefaultSignatureSigningParametersProvider.build(DefaultSignatureSigningParametersProvider.java:60)
...
How can I specify a SHA-256 algorithm for signing the certificate?
I'm using the SignedXml.CheckSignature(X509Certificate2, boolean) method. I would like to know what checks are performed when deciding the validity of the certificate. I have verified that the Current User/Not Trusted list is checked. The documentation says it will use the "address book" store, searching by subject key identifier, to build the certificate chain. I imagine this means the Local Machine and Current User certificate stores?
Am I right to think that certificate revocation and signature timestamp are not checked? To do an OCSP check for certificate revocation, am I obliged to use Bouncy Castle?
In the remarks in the msdn article you link to one finds:
In version 1.1 of the .NET Framework, the X.509 certificate is not verified.
In version 2.0 and later, the X.509 certificate is verified.
In version 2.0 and later of the .NET Framework, the CheckSignature method will search the "AddressBook" store for certificates suitable for the verification. For example, if the certificate is referenced by a Subject Key Identifier (SKI), the CheckSignature method will select certificates with this SKI and try them one after another until it can verify the certificate.
Thus, first of all the behavior of that method has changed in different .NET framework versions. So for reproducible results, you had better not count on that method even check the certificate at all.
Furthermore, the formulation try them one after another until it can verify the certificate sounds like there just might be the mathematical test whether or not the certificate is signed by its alleged issuer.
https://referencesource.microsoft.com/#System.Security/system/security/cryptography/xml/signedxml.cs,b9518cc2212419a2
It checks
The certificate has no Key Usage extension, or the Key Usage extension has either Digital Signature or Non Repudiation usages enabled
The certificate chains up to a trusted root authority
The certificate has not been revoked
The certificate was not expired when you called this method
It doesn't know when the document was signed, so it doesn't answer that question.
That none of the certificates in the chain are explicitly prohibited by the user or system configuration.
I am using Thinktecture STS and would like to sign the issued tokens using SHA256 instead of SHA1?
I tried adding the algorithm to the application using:
CryptoConfig.AddAlgorithm(
typeof(RSAPKCS1SHA256SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
But it starts giving error:
Invalid algorithm specified
Knowing that the certificate I am using is compatible with SHA256.
Any idea?
I have followed the instruction for creating x509 cert, however, after uploading the cert, i get
Your x.509 certificate is invalid. Please upload a new certificate
Anyone seeing the same?
Can you please provide more details about your certificate:
1) Was it a valid X.509 certificate, base64 encoded ( PEM ) format with 1024 bytes key size ?
Also the link you posted is incorrect for the documentation. It is here :
Create X509 Certificate
2) Is the error occuring at the time of uploading CERT or at the time of registering ( clicking on the submit button ) ?
You can always just export the public key only from the PEM and upload that.
You would need to submit a support ticket for us to investigate your cert as we would need to take a look at it.
I have followed the .Net self sign instructions with no issues. However others have had issues with PEM. Follow them to the letter, or like I said export the pub cert as text. that should work.
regards,
Jarred
We are following the below article for over the air enrollment and profile delivery feature
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1
We could able to complete steps in Phase 1 and Phase 2. Once the device acquires the certificate from SCEP server(as part of phase 2), it sends the response back to the MDM server. This response is signed by the new certificate.The response consists of signature, plist content and certificate in binary format. Ideally, we need to extract the public key from this certificate and use that to sign the configuration profile (.mobileconfig). However we have difficulty extracting the certificate from the response. Looks like the certificate is corrupted somehow. We tried different encodings. But it didn't help :(
Has anyone successfully extracted the certificate in Phase #3.
Really appreciate any help in this regard.
Thanks
The response from the device is a DER-encoded SMIME string. You can use openssl smime to extract the public key.
if you are using C#, this can be accessed as part of the Pkcs library.
using System.Security.Cryptography.Pkcs
...
//get the data as a byte[]
var signer = new SignedCms();
signer.Decode(input)
//signer.Certificates[0] contains the cert
To extract the certificates you can use openssl cli :
openssl pkcs7 -print_certs -in requestFromDevice.p7s -inform DER
You can then easily parse the output using stdout.split('-----END CERTIFICATE-----') & stdout.split("\n") (in javascript).