how to get issuer from x509 certificate flutter? - flutter

How to find issuer from X509 certificate String (example given below) in flutter.
Thanks in advance.
-----BEGIN CERTIFICATE-----
MIICiTCCAjCgAwIBAgIUD3Kab5X9kqd9qN1fqB61TUlwbO0wCgYIKoZIzj0EAwIw
cDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMQ8wDQYDVQQH
EwZEdXJoYW0xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh
Lm9yZzEuZXhhbXBsZS5jb20wHhcNMjIxMDA2MTE0NzAwWhcNMjMxMDExMTAwNzAw
WjBHMTAwCwYDVQQLEwRvcmcxMA0GA1UECxMGY2xpZW50MBIGA1UECxMLZGVwYXJ0
bWVudDExEzARBgNVBAMTCnVzZXJUZXN0MDEwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAAQHJXgfHfQ8hDedBuSrthP9B6MB+f1W1FqfecFvvaOYlEsPHrSqATkVNQJ2
2tBxxKTwo7XF2gVqYn7QPUHqwVtgo4HQMIHNMA4GA1UdDwEB/wQEAwIHgDAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBQsiq8NZZh74PK/sMLfhWCq4IbMLjAfBgNVHSME
GDAWgBQdmRqOkqYG/lmxlNopkD99+TOH0jBtBggqAwQFBgcIAQRheyJhdHRycyI6
eyJoZi5BZmZpbGlhdGlvbiI6Im9yZzEuZGVwYXJ0bWVudDEiLCJoZi5FbnJvbGxt
ZW50SUQiOiJ1c2VyVGVzdDAxIiwiaGYuVHlwZSI6ImNsaWVudCJ9fTAKBggqhkjO
PQQDAgNHADBEAiBENbsQCzjg2vux5CWH9S8Xhg9fH2OBF9JZGSibwc4EHAIgBUEo
xQ5UhoNGZtArxDWA97ab7GspkeVF+6wwdakBRlM=
-----END CERTIFICATE-----
I tried to decode the X.509 certificate PEM string using the x509b package, and after that generated an x509Certificate object from the given PEM string.

Related

Converting a .pem RSA Public and Private Key to .der X.509 certificates or JWK strings

I am working on a project that uses JSON Web Tokens (JWT). I already have the code that creates the token, which is signed by an RSA algorithm; the key was created by the openssl genrsa -des3 -out <private key file name>.pem 3076 command. I want to check the validity of the tokens I produce on the jwt.io website, but I need "[public/private] Key in...X.509 certificate, or JWK string format".
Format of private key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4AE3D092CB847166
(The actual key)
-----END RSA PRIVATE KEY-----
Format of public key:
-----BEGIN PUBLIC KEY-----
(The actual key)
-----END PUBLIC KEY-----
Is there any command/tools that can be used to convert these into X.509 certificates or JWK strings?
I have already tried using the openssl x509 -in <public or private key file name>.pem -inform PEM -out <X509 certificate file name>.der -outform DER command.
That would always return this error:
unable to load certificate
140258002609472: error: 0909006C: PEM routines: get_name:no start line:../crypto/pem/pem_lib.c:745: Expecting: TRUSTED CERTIFICATE
All of the commands have been run using the terminal from a replit project. I am not sure if that plays a role or not but I mention it just in case.
Do you use Windows? Check the encoding. Change to UTF-8 through the Notepad and create it.

How to convert PKCS#8 with password to PKCS#1 with JCE

I have a .pem file (PKCS#8) which has the sections below in the same file:
-----BEGIN ENCRYPTED PRIVATE KEY-----
xx
xx
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
xx
xx
-----END CERTIFICATE-----
It is protected with a passcode/password.
How can I decrypt this in Java to PKCS#1 within the JDK/JCE, without BouncyCastle? I cannot even use the openssl commands.
How could I go about this?

RSAES OAEP certificate - public key 0 bits

I have a program that creates a self-signed certificate for the RSA algorithm.
The problem is that if I create a certificate with RSAES OAEP parameters,
when I open the certificate I see that the size of the public key is 0 bits.
Does anyone know what the problem is?
I already checked that the ASN 1.0 encoding of the RSA OAEP parameters is OK.
And if I create an RSA certificate without OAEP parameters, then the size of the public key is shown correctly (not as 0 bits).
I searched the internet and didn't find any RSA certificate with OAEP params to compare with my certificate.
I will be glad for any suggestion.
This is the certificate in PEM File:
The public key is 4096 bits long in the attached certificate. Using an MD5 hash with 4k keys is a very strange combination, as the MD5 hash is too weak and all the strength of the 4k key is eliminated by the weakness of the hash.

Apple Push Certificate - Invalid Certificate Signing Request

I've created my own CSR with the following command
openssl req -new -newkey rsa:2048 -nodes -out bgsisson_com.csr -keyout bgsisson_com.key -subj "/C=US/ST=CA/L=Los Angeles/O=Benjamin Sisson/OU=Development/CN=bgsisson.com/emailAddress=myemail#dom.com"
Then I created a CRT with the following command
openssl x509 -req -days 365 -in bgsisson_com.csr -signkey bgsisson_com.key -out bgsisson_com.crt
When I try to upload this cert to https://identity.apple.com/pushcert/ I get an invalid certificate signing request.
Am I creating the certificate wrong? Does the cert need to be verified?
Thanks!
Update - Removed wildcard from CN. I'm still getting an Invalid Cert signing request.
Update - added CSR and CRT. I test uploading both of them, but I think I just need to upload the CSR
Update - added emailAddress to CSR
You need to sign the certificate request from a vendor with an Enterprise Developer Account. The information is available at http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning
I suspect that it is tripping over the wildcard in the CN as AppIDs with wildcards are not accepted.

MDM push certificate creation

I'm interested in creating a PushCertWebRequest (this is from the Apple documentation).
I have found a lot of docs on how to do this for 3rd party vendors like Air-watch and so on, but they skip the last step, where they work with your .p12 certificate. I mean the process where you create the PushCertWebRequest and upload it to https://identity.apple.com/pushcert
So my question is how to create a Push Certificate Request plist.
An example of this plist follows (this is from the Apple doc):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PushCertRequestCSR</key>
<string>
MIIDjzCCAncCAQAwDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
</string>
<key>PushCertCertificateChain</key>
<string>
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIIQcQgtHQb9wwwDQYJKoZIhvcNAQEFBQAwUjEaMBgGA1UE
AwwRU0FDSSBUZXN0IFJvb3QgQ0ExEjAQBgNVBAsMCUFwcGxlIElTVDETMBEGA1UE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIIBInl9fQbaAkwDQYJKoZIhvcNAQEFBQAwXDEkMCIGA1UE
AwwbU0FDSSBUZXN0IEludGVybWVkaWF0ZSBDQSAxMRIwEAYDVQQLDAlBcHBsZSBJ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIIKRyFYgyyFPgwDQYJKoZIhvcNAQEFBQAwXDEkMCIGA1UE
AwwbU0FDSSBUZXN0IEludGVybWVkaWF0ZSBDQSAxMRIwEAYDVQQLDAlBcHBsZSBJ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIIdv/cjbnBgEgwDQYJKoZIhvcNAQEFBQAwUjEaMBgGA1UE
AwwRU0FDSSBUZXN0IFJvb3QgQ0ExEjAQBgNVBAsMCUFwcGxlIElTVDETMBEGA1UE
-----END CERTIFICATE-----
</string>
<key>PushCertSignature</key>
<string>
CGt6QWuixaO0PIBc9dr2kJpFBE1BZx2D8L0XH0Mtc/DePGJOjrM2W/IBFY0AVhhEx
</string>
</dict>
</plist>
Finally I created PushCertRequestCSR and PushCertSignature, but I don't really know how to create PushCertCertificateChain block.
Please see detailed steps and source code here to generate plist.
I ported the softhinker java code to python, and added a few nice things. It's available on GitHub: http://www.github.com/grinich/mdmvendorsign.
1. Create a CSR using any toolkit, i.e. Keychain Access on a Mac system, then export the private key as 'vendor.p12'.
2. Log in to the Apple Member Center, and go to 'iOS Provisioning Portal'.
3. Select 'Certificates' on the left navigation bar, and click the 'Other' tab in the center.
4. Follow the instructions on that page, and upload the CSR you created.
5. The certificate for you as an MDM vendor will then be available to download on the 'Other' tab. Download it.
6. Download the WWDR intermediate certificate.
7. Download the Apple root certificate.
8. Execute the openssl commands below to convert the MDM vendor certificate, WWDR certificate, and Apple root certificate to PEM format one by one:
openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
Then use the attached Java program on the softhinker webpage to generate the encoded plist.
You need to replace the placeholders in the Java package with your own files, because the ones provided in the Java package are just zero-size samples, which are:
customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem
Now first verify the generated plist.xml format, which should match the sample plist.xml provided in the MDM Protocol Reference document.
If plist.xml is in the appropriate format, then upload the encoded_plist to the portal. Note that plist.xml is just for our reference and is not for upload. Upload encoded_plist only.
After that, download the certificate from the portal.
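
How the three keys of the plist in the question fit together, including the PushCertCertificateChain block, as an added Python example that is not code from the answers above or from the softhinker program. It assumes the chain is mdm.pem, intermediate.pem and root.pem concatenated in that order, that the signature bytes were already produced elsewhere with the vendor private key, and that the "encoded plist" is the base64 of the XML; the function names are hypothetical.

```python
import base64
import plistlib
import re

# Matches one PEM certificate block; anything around it (bag attributes, blank lines) is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)

def pem_certs(text):
    """Return every CERTIFICATE block found in a PEM string, each ending in a newline."""
    return [m.group(0).strip() + "\n" for m in PEM_CERT.finditer(text)]

def build_chain(mdm_pem, intermediate_pem, root_pem):
    """Concatenate vendor, intermediate and root certificates (assumed order)."""
    chain = []
    for name, pem in (("mdm.pem", mdm_pem),
                      ("intermediate.pem", intermediate_pem),
                      ("root.pem", root_pem)):
        certs = pem_certs(pem)
        if len(certs) != 1:
            raise ValueError(f"{name}: expected one certificate, found {len(certs)}")
        chain.append(certs[0])
    return "".join(chain)

def build_push_cert_request(csr_der, signature, chain_pem):
    """Return (plist_xml, encoded_plist) as bytes; signature is supplied, not computed here."""
    if csr_der[:1] != b"\x30":
        # A PEM file passed by mistake starts with '-', not the DER SEQUENCE tag.
        raise ValueError("customer CSR must be DER, not PEM")
    body = {
        "PushCertRequestCSR": base64.b64encode(csr_der).decode("ascii"),
        "PushCertCertificateChain": chain_pem,
        "PushCertSignature": base64.b64encode(signature).decode("ascii"),
    }
    xml = plistlib.dumps(body, fmt=plistlib.FMT_XML, sort_keys=False)
    return xml, base64.b64encode(xml)

if __name__ == "__main__":
    # Constructed placeholder inputs, not real certificates or signatures.
    def fake(tag):
        body = base64.b64encode(tag.encode()).decode()
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    chain = build_chain(fake("vendor"), fake("wwdr"), fake("root"))
    xml, encoded = build_push_cert_request(b"\x30\x03\x02\x01\x00", b"\x01\x02", chain)
    print(xml.decode())
```
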