I have a PKCS#11 library that contacts with the vendor's smart card. The low level details are not provided and I'm not interested in them either.
BTW the smart card has no internal certificate associated with it, its just a dumb smart card with a private key store.
So my question is:
What kind of code should I write to obtain a certificate from the PKCS#11 library, or do I need to write such code? does PKCS#11 supports exporting certificates?(I heard openssl supports using 3rd party PKCS#11 libraries. Can I use that to export a certificate from a smart card?)
If the answer to previous question is yes, in what kind of format is the certificate created? What kind of conversions should I to do in order to convert the raw created certificate into office supported format certificate?
and the last question is how to apply that certificate into microsoft office(2013) in order to digitally sign documents? It looks like that office itself doesn't like internal certificates and it keeps requesting us to get one from verisign (?) what's wrong here and how can I force office to use my own created certificate using the aforementioned method?
PKCS#11 interface lets you read ("export") the certificate from the hardware. However you need not just a certificate, but also a private key. Most hardware devices won't let you export a private key. PKCS#11 has a set of functions which let you perform cryptographic operations using private keys stored in the hardware, but not to export those keys.
The certificate is usually exported in native DER format, which can later be put to the PFX file. However without a private key it doesn't make sense.
Unfortunately I don't know what MS Office expects. I assume that Office in your case accepts only certificates which can be validated up to the trusted root certificate.
Related
I am using JWT for authentication. I use a signingKey to encode my token. I want to store the signingKey in a safe place on the client side (avoid hard coding it).
I was hoping to use android key store for that; but so far, I have only managed to create a key store using the JDK keytool to sign my app.
My question is: is there any way I can store a key inside the key store associated with my app, prior to its deployment on the device so that I can retrieve the key inside the app and use it to sign the JWT?
If not, what are my other options?
I developing on Xamarin. My backend is ASP .Net, deployed on Azure.
I don't know how to do it using a key store inside the App. But I have done it by storing it inside a JAR/.SO file. This gets obfuscated inside the App and is not available via reverse engineering.
Though this method solves only reverse engineering problem, the best solution would be to do with the server to avoid the network interception problem
I have been working on this task to sign a CSR (generated by third party) to be signed by a root CA, which is stored in a token. Sounds like a straightforward job, except that there is a requirement to add a set of extensions as well as subject alternative name to the certificate based on the specification. Since there is no way to alter the CSR to include these information, I assume this should be done during the signing process. However, I have spent lots of time reading the documentations of certutil and certreq to no avail. There seems to be no way to add information for an existing CSR.
Additional information: This has to be done using Microsoft CA due to the limitation of the security token, so OpenSSL is out of question.
I hope someone can help me in this tricky task.
Yes it is possible, check out he below link it is a good starting point
http://blogs.msdn.com/b/alejacma/archive/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c.aspx
How to fetch the expiry date from PKCS12 certificate using iOS security framework?
Alternately can I use openssl? if yes, please point me towards relevant API's
Thanks
Great question! If I were doing this coding, I would first try to think of a solution using Keychain Services.
First, you'd need to fetch the keychain item. Say, via `SecItemCopyMatching()'.
This returns a reference to the found items. Preferably a SecCertificateRef (which is described more in detail in Apple's Keychain Services Reference guide).
I don't see an easy way to explicitly fetch the metadata (or expiration date) from a SecCertificateRef off the top of my head. There's a code snippet I found on books.google.com from "IOS 5 Programming Pushing the Limits: Developing Extraordinary Mobile Apps" called "Checking Certificate Validity" (pages 218 & 219 -- I've linked it for you) which basically checks to see if a certificate allows usage based on matching keys (in their example, it's the subject or domain name; for you, it would be the expiration date). Their technique may help you out.
As for using OpenSSL, I found an answer where you can come up with the expiration date from the command line using the openssl tool. If you can get a handle to your certificate, I'm pretty certain this can be done programmatically as well.
I am completely new to pgp, as far as i can see pgp is being used to encrypt files and emails.
1) Can it be used for single sign on
2) Their is pgp and gnupg (which is based on openpgp) , can anyone tell me what is the difference ?
3) How would i do this in .net
Any references will be helpful.
There might be some solution for single sign-on using PGP keys, but it's definitely not widespread. Maybe PGP Corporation offers something, you can check...
The standard is called OpenPGP. PGP is the name of the company and their trademark. GnuPG is an open-source implementation of the standard. Software by PGP can use some proprietary extensions added by the company to OpenPGP standard.
Do what? If you want to implement OpenPGP operations in .NET, you can use BouncyCastle or OpenPGPBlackbox package of our SecureBlackbox. If you want to implement single sign-on in particular, then you need to learn how to implement custom single sign-on authentication first, then decide how to use PGP keys in the process.
I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app not per user) in order to authenticate which app the request is being made in behalf of.
Is it secure (or how secure) is it to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a better way to go about including this data in a project?
There is no place on the iPhone to hide data. A user with a jailbroken iPhone has more control over the device than any developer. If possible you should setup a web service such as a REST or SOAP service to take care of these OAuth transactions on behalf of the client.
As Rook said earlier, there is no way to hide your data in iPhone. But you can make hacker job so difficult. I just done a work around for the same issue.
Put oAuth key information in PLIST
Mannually I encrypt this PLIST by using AES key and I got encrypted "CIPHER TEXT"
Modify the AES key by appending characters in between with your own logic. Since it required at runtime to decrypt the plist
Add this modified key with plist "CIPHER TEXT" and store this value in New plist.
Remove old plist which has oAuth information
Now you have only one plist which has encrypted value with modified KEY
Advantage:
Hacking is so difficult since hacker don't have a proper cipher text in plist
To hack this code they should know to separate Modified AES key from Cipher text.
Thou they found Modified AES key, they don't have any clue about the appending algorithm, here i simple used EVEN position of the character, but you can't modify this and you can take 3rd or 4th position of the character. Which is actually will differ for each developer
for more information please visit below link;
https://sites.google.com/site/greateindiaclub/mobil-apps/ios/securelystoringoauthkeysiniosapplication
I'd suggest looking into the Keychain services provided by Apple
http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html