I have generated an RSA key pair using a PKCS#11 library and signed the CSR using the private key in the HSM, but when I decode the CSR it shows an invalid signature. I am using Bouncy Castle to create the CSR.
I have been stuck on this for many days.
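An added Java/Bouncy Castle example (it is not code from the question author) that builds a PKCS#10 request and then checks the request's own signature against the public key embedded in it. That is the first check worth running when a decoder reports an invalid CSR signature: the key given to the ContentSigner must be the private half of the public key passed to the request builder, and the algorithm named in the builder must be the one the signer actually produced. The key pair is generated in software here so the program runs without a token; with an HSM you would pass the PrivateKey handle obtained from the PKCS#11 KeyStore and name its provider in setProvider(...). The provider name and subject DN are placeholders.

```java
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;

public class CsrCheck {

    // Build a PKCS#10 request carrying `publicKey`, signed with `signingKey`.
    // With an HSM, `signingKey` is the handle returned by KeyStore.getKey(...) and
    // `providerName` tells Bouncy Castle which JCA provider owns that handle
    // (for example a SunPKCS11 provider name; placeholder, not from the question).
    static PKCS10CertificationRequest buildCsr(PublicKey publicKey, PrivateKey signingKey,
                                               String providerName) throws Exception {
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256withRSA");
        if (providerName != null) {
            signerBuilder.setProvider(providerName);
        }
        ContentSigner signer = signerBuilder.build(signingKey);
        return new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=csr-demo"), publicKey)
                .build(signer);
    }

    // Verify the request's self-signature using the public key the request itself carries.
    // This is exactly what a CA or decoder does, so it reproduces the "invalid signature" verdict.
    static boolean signatureMatchesEmbeddedKey(PKCS10CertificationRequest csr) throws Exception {
        return csr.isSignatureValid(
                new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()));
    }

    // PEM-encode the request so it can be inspected with external tools.
    static String toPem(PKCS10CertificationRequest csr) throws Exception {
        StringWriter sw = new StringWriter();
        try (PemWriter pw = new PemWriter(sw)) {
            pw.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
        }
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        KeyPair otherPair = kpg.generateKeyPair();

        // Public key and signing key from the same pair.
        PKCS10CertificationRequest good = buildCsr(pair.getPublic(), pair.getPrivate(), null);
        System.out.println("matching key pair   -> signature valid: "
                + signatureMatchesEmbeddedKey(good));

        // Public key from one pair, signing key from another: the CSR still decodes,
        // but its signature does not verify against the embedded key.
        PKCS10CertificationRequest bad = buildCsr(pair.getPublic(), otherPair.getPrivate(), null);
        System.out.println("mismatched key pair -> signature valid: "
                + signatureMatchesEmbeddedKey(bad));

        System.out.print(toPem(good));
    }
}
```

Run with bcprov and bcpkix on the classpath. The second request is built deliberately with a public key that does not belong to the signing key; it decodes without complaint and only the signature check exposes the mismatch, which is the same symptom the question describes. If the check fails for a CSR signed on the HSM, compare the certificate or public key stored under the token alias with the public key you passed to the builder.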
Examples using PowerShell use [Security.Cryptography.X509Certificates.X509Certificate2] to sign data. The data present here is in the form of what I believe is a JSON Web Key (JWK).
How do you convert a JWK to a compliant cert that can be used by X509Certificate2?
https://www.googleapis.com/oauth2/v1/certs gives you the X509 certificates in PEM format, but I believe this endpoint is deprecated.
I have got into a very odd situation where I'm not able to create a JWT-signed token on the SAP NetWeaver server.
Currently the encryption is done using a .p12 file instead of a .pem file on the SAP server.
DocuSign only provides the RSA key in .pem format, which at the moment is not feasible for me.
Is there a way to download/create the RSA key in .p12 format, like it is provided in Google APIs, instead of text/PEM format? Or how can we create a JWT-signed token using an RSA private key in .pem format on the SAP NetWeaver server?
Thanks and regards,
Rahul.
DocuSign creates the public/private key pairs for JWT signing. You download the private key in PEM format from DocuSign. Something like this:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuv1+cIU9ashbXUxkJXzsqoeN3rNjcwcRMI17njwHpOh+ljV6
CNLRu+VAvtFdluK/TN+idb7jlFBe2CIdNbev/sYX1lB0+zJw1vsgSSk31d9vdPQb
n5R0FZUTsAYXv27JB6kc5N/6n2uroeNmeABkZZTLvXSmibYOjVYeB+Ig5HBS2Xxw
...lines omitted...
O2F4bIUOh1pdRydwHH0bMLXfyqn7sOxdEJwIq6Is5DwKeLJUEyfiuaGGjHQBfs+u
eoySeQKBgQC1aRTK4g4c5dgxdywCRTje/kUh5Ion6vFLLrTmEKtV9LFyFvLtFrVL
iX9G3qm0a3raSNwXylfbs88tPDrTGaTEM2opt5YpDWExpS7sLknDQxGcCzgyjTqc
/p6p+tOzgoc+osBMCNvBPS8tEAmdfTk7LFxVh8UY49JIpwoAnJ7c5Q==
-----END RSA PRIVATE KEY-----
Converting to p12 format
You can run open source applications locally to do this conversion.
There are also online converters available. See Google for a list.
From all the readings I have found that, while using a USB token (HSM), we are unable to fetch the private key from the USB token. Then why do we call KeyStore.getKey(alias, password) in the Java code?
I have done something like this where ks is my KeyStore object.
PrivateKey privateKey = (PrivateKey) ks.getKey(alias, pass.toCharArray());
and when I then print privateKey I get the following values.
{algorithm: "RSA", encoded: null, format: null}
Can anybody explain the need for this step, and what it will do while we digitally sign a document using the USB token?
PrivateKey is an interface, the implementation depends on the cryptographic provider.
In your case, for a USB token, the provider (probably SunPKCS11) encapsulates the PKCS#11 commands to the token when you execute a cryptographic operation. The private key is not really contained in your Java service and the commands are executed on the token.
A private key is non-extractable, so the encoded value must be null. For example, if you use a PKCS12 keystore (a local .p12 file) you will see that the encoded attribute contains the private key encoded in DER format.
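An added Java example (not from the answer author) showing what the handle returned by KeyStore.getKey is for: it carries no key material, as the question's output shows, but it is the object the SunPKCS11 provider needs in order to select the on-token key when Signature.sign() is called. Verification then needs only the public key from the certificate stored under the same alias, so it runs without the token. The config path, alias and PIN are placeholders; SunPKCS11 configuration is JDK 9+ style.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

public class TokenSignDemo {
    // Placeholders, not taken from the question: a SunPKCS11 config file
    // (containing "name = ..." and "library = ..." lines), the alias of the
    // signing key on the token, and the user PIN.
    static final String PKCS11_CONFIG = "/path/to/pkcs11.cfg";
    static final String ALIAS = "my-signing-key";
    static final char[] PIN = "123456".toCharArray();

    public static void main(String[] args) throws Exception {
        // JDK 9+: configure the built-in SunPKCS11 provider from the config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p11);

        // load() logs in to the token; getKey() returns a handle to the on-token
        // object, not the key itself.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, PIN);
        PrivateKey handle = (PrivateKey) ks.getKey(ALIAS, PIN);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);

        System.out.println("algorithm = " + handle.getAlgorithm());
        System.out.println("encoded   = " + handle.getEncoded());   // stays null: the key never leaves the token
        System.out.println("class     = " + handle.getClass().getName());

        byte[] data = "document to sign".getBytes(StandardCharsets.UTF_8);   // constructed sample input

        // The handle tells the provider which token object performs the signature;
        // the hashing and the RSA operation are dispatched to the token.
        Signature signer = Signature.getInstance("SHA256withRSA", p11);
        signer.initSign(handle);
        signer.update(data);
        byte[] signature = signer.sign();

        // Verification uses only the public key, so any provider will do.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        System.out.println("verified  = " + verifier.verify(signature));
    }
}
```

Passing the handle to a Signature from a different provider (for example the default SunRsaSign) fails, because that provider expects real key material; the handle is only meaningful to the provider that issued it. That is the practical reason the getKey step is needed even though nothing is "fetched" from the token.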
In my project I want to generate, for each ECDSA key pair, a (self-signed) trusted certificate of the public key and store it in a keystore. I have already generated the key pair with Bouncy Castle and now want to generate the certificate and store it into the keystore.
How can I do it? Does someone have a tutorial that can help me?
You can look into the Bouncy Castle documentation here to create certificates. In your use case you should look into "Creating a version 3 certificate".
And to store the certificate in a KeyStore, you can use
keyStore.setCertificateEntry(alias, signedCertificate);
I am signing a SAML Response and Assertion with an X.509 certificate. The response is posted to a Java app, which throws the error "Signature length not correct". I am asked to make sure that the XML doc is signed with a certificate in JKS format and not PKCS12.
Is there a way to sign an XML document in JKS format in C# and then post the SAML response to the Java app?
There is no such thing as an XML document signed in JKS format. These are apples and oranges.
XML digital signatures are specified in XMLDsig standard (assuming that you use XML digital signatures). http://www.w3.org/TR/xmldsig-core/
When you sign something you use the private key of an asymmetric key pair, probably an RSA key pair. http://en.wikipedia.org/wiki/RSA_%28algorithm%29
When you verify the signature you use the public key, commonly wrapped in an X.509 Certificate. http://en.wikipedia.org/wiki/Public_key_certificate
JKS and PKCS#12 are two different formats for storing the private key and the certificate in a container, encrypted using a password (since the private key is supposed to be private you want to protect it using a password).
When you sign an XML document you open the JKS/P12 keystore and use the private key to sign, and optionally include the certificate for easier verification for the recipient.
The private key and the certificate are identical in both cases, i.e. it does not matter if you use JKS or P12, the XML signature is bit for bit identical.
Probably you are sending both the XML document and the PKCS12 keystore to the recipient, and the recipient is unable to open the PKCS12 keystore properly?
Java can open both JKS and PKCS12 with no problems at all; most likely your problem is related to something other than JKS vs PKCS12.
I do not know if C# can read and/or write JKS files (JKS == Java Key Store).
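One Java program, added here as an example and not taken from any of the posts, that covers the three keystore points raised on this page: the self-signed version 3 certificate for an ECDSA key pair stored in a keystore (the Bouncy Castle question above), the "JKS vs PKCS12" point that both containers hold the same key and certificate, and the DocuSign-style PEM-to-.p12 conversion from the earlier answer. The conversion needs a certificate because Java's JKS and PKCS12 keystores refuse a private-key entry without a certificate chain, so the program wraps the PEM key in a self-signed certificate. File names, alias, password and the docusign.pem path are placeholders, and the signed bytes are a constructed sample rather than a real SAML document.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyStoreDemo {
    static final String ALIAS = "mykey";                      // placeholder alias
    static final char[] PASSWORD = "changeit".toCharArray();  // placeholder password

    // Self-signed X.509 v3 certificate: issuer == subject, signed with the pair's own private key.
    static X509Certificate selfSign(KeyPair kp, String sigAlg, String dn) throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(notBefore.getTime()), notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    // Write a private key with its certificate chain into a keystore of the given type (JKS or PKCS12).
    static void store(String type, String path, PrivateKey key, X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                                   // start from an empty store
        ks.setKeyEntry(ALIAS, key, PASSWORD, new X509Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, PASSWORD);
        }
    }

    static PrivateKey loadKey(String type, String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return (PrivateKey) ks.getKey(ALIAS, PASSWORD);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // 1. ECDSA key pair -> self-signed certificate -> key entry in a PKCS12 and a JKS store.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ec = kpg.generateKeyPair();
        X509Certificate ecCert = selfSign(ec, "SHA256withECDSA", "CN=ecdsa-demo");
        store("PKCS12", "ecdsa.p12", ec.getPrivate(), ecCert);
        store("JKS", "ecdsa.jks", ec.getPrivate(), ecCert);

        // A trust store holds only the certificate; this is what setCertificateEntry is for.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("ecdsa-demo", ecCert);

        // 2. JKS vs PKCS12: the container differs, the key inside does not.
        PrivateKey fromP12 = loadKey("PKCS12", "ecdsa.p12");
        PrivateKey fromJks = loadKey("JKS", "ecdsa.jks");
        System.out.println("same PKCS#8 key bytes from both stores: "
                + Arrays.equals(fromP12.getEncoded(), fromJks.getEncoded()));

        byte[] data = "<Response>sample</Response>".getBytes(StandardCharsets.UTF_8);  // constructed input
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(fromJks);                                   // sign with the key read from the JKS
        s.update(data);
        byte[] sig = s.sign();
        s.initVerify(ecCert);                                  // verify with the certificate's public key
        s.update(data);
        System.out.println("signature made with the JKS key verifies: " + s.verify(sig));

        // 3. DocuSign-style "BEGIN RSA PRIVATE KEY" PEM -> PKCS12, wrapped in a self-signed certificate.
        try (PEMParser pem = new PEMParser(new FileReader("docusign.pem"))) {   // placeholder path
            KeyPair rsa = new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) pem.readObject());
            store("PKCS12", "docusign.p12", rsa.getPrivate(),
                  selfSign(rsa, "SHA256withRSA", "CN=docusign-jwt"));
        }
    }
}
```

Run with bcprov and bcpkix on the classpath. A signature produced with the key read from the JKS verifies against the certificate read from (or written to) the PKCS12 store because the keystore type only changes how the key is wrapped and encrypted on disk, which is the answer's point. The self-signed certificate produced for the DocuSign key is a wrapper that satisfies the keystore; the JWT verifier on DocuSign's side uses the public key it already holds, not this certificate.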