Difference between pkcs#11 and pkcs#12? - pkcs#11

What is the difference between pkcs#11 and pkcs#12?
How do they work? How do I export pkcs#11 from an e-token?
How is it used in Java 1.4?

PKCS#12 is a container for certificates with associated private keys.
PKCS#11 is a protocol to work with hardware (usually). So you can't "export" PKCS#11.
The rest of your question is way too broad to answer - try using Wikipedia as a starting point, then proceed to specifications.

Related

How to build Swift gRPC with OpenSSL (or SSL provider other than BoringSSL)

Currently working on a project that uses Swift-gRPC; which uses BoringSSL. I would like to know if it is possible to use a custom SSL Provider, such as OpenSSL.
I found this post that allows you to specify an SSL provider for the gRPC C++ library. I would like to know if the same thing is possible in the Swift gRPC library.
So to answer your question: Yes, this is possible because in SwiftNIO an SSL implementation is really just a ChannelHandler that happens to encrypt/decrypt.
BUT: Are you really sure that you want to use an OpenSSL-based implementation? I see absolutely no upsides but many many downsides of doing so. We ship the BoringSSL for you inside the Swift Package so there's no extra work for you and it should support all relevant SSL configurations (Google Chrome also uses BoringSSL so it should work :) ). Is this some legal or so requirement?
Again, I would very much advise against doing that but if you still want to do it, read on.
Is it super easy to use an OpenSSL-based TLS implementation with gRPC Swift? No, for at least two reasons:
1. gRPC Swift AFAIK doesn't let you choose an arbitrary SSL implementation. It supports two and will let you choose but I don't think it by default lets you just inject one. But that's easy to work around: It allows you to specify a debugChannelInitializer which you can (ab)use to insert any TLS encrypting ChannelHandler you want. So you'd tell gRPC Swift to use unsafe, unencrypted HTTP and then just shove the TLS handler into the pipeline ($0.debugChannelInitializer = { channel in channel.pipeline.addHandler(MyTLSHandler(), position: .first) }).
2. As far as I know, there are only two TLS implementations for SwiftNIO: The BoringSSL-based one in swift-nio-ssl and the one that uses Network.framework on Apple platforms in swift-nio-transport-services.
In case you really want to go down the route of adding an OpenSSL-based implementation, I can help you a little bit: Very old swift-nio-ssl implementations for SwiftNIO 1 (unusable with gRPC Swift, deprecated and unsupported) did use an OpenSSL-based implementation. And I just ported that to SwiftNIO 2 (the current version, usable with gRPC Swift) in this branch. If you actually wanted to use that, you'd need to create a new Swift Package hosted somewhere. And please, please do rename the modules from NIO* to something not with a NIO prefix if you actually release this.
Again, I advise against doing so and the code comes with zero promises etc. It needs OpenSSL 1.0 or 1.1 installed on your system and passes its own test suite. But this code has never been used in production anywhere and is based on code that hasn't been touched in years. The actual TLS implementation comes from your system's libraries though.

What can I use as a XACML PDP?

I have an API REST made in node js, and now I'd like to implement some XACML policy. I have been searching and I found that I can use ALFA to make the XACML rules. But I need a PDP for applying the rules. What can I use / how can I implement it?
I have read about WSO2 Identity Server (which I think I can use as a PDP? I'm not sure). It is probably too much for a little project. Any other suggestions? Or is WSO2 IS adequate?
The go-to open source implementation of XACML 3.0 nowadays is AuthZForce. In OSS, it's the most up-to-date. In the commercial realm, look into Axiomatics (where I worked). They have the most up-to-date PDP and are the authors of the standard.
Yes, you can use WSO2 Identity Server as your PDP. Once I had a requirement to secure a Spring Boot REST API through XACML[1]. Anyway, it would be much easier for you to use the Identity Server PDP than implementing one. You have easy beginner samples that you can try out for your use case.[2] There are tools in the Identity Server that you can use to create the XACML rules.
[1].https://medium.com/#buddhimau/role-based-authorization-for-spring-boot-using-wso2-identity-server-3d74ab307fb9
[2].https://medium.com/#gdrdabarera/how-entitlement-management-works-with-rest-api-via-xacml-in-wso2-identity-server-5-3-0-7a60940d040c
Adding to Buddhima Udaranga's reply, if you think IS is too much for a little project, then you can directly use Balana, which is the entitlement engine used inside IS. You can refer to this for more details. But Balana has only a Java API.

How can I substitute my software application for an HSM to work with PKCS?

I am trying to replace HSM(s) with my software-only application and integrate with PKCS11. The problem I have with that is all of PKCS api functions deal with slots and tokens which are not a part of my software application. Are there examples out there that I can look up to see how a software application can be used to imitate an HSM and integrate with PKCS ?
When you are dealing with HSMs you have to deal with slots and tokens. You have to modify your software slightly to accommodate this.
There are 2 ways you can use the PKCS#11, PKCS#11 Wrapper or PKCS#11 Provider. The Wrapper is the api that calls the native functions of the HSM library (.dll or .so) directly. The Provider uses the Wrapper under the hood, but gives you the convenience of using it with Java KeyStore api.
Considering your case, the Wrapper might not be fit for you, because it involves writing new classes to integrate with the HSM. You could use the provider.
Java has very good documentation of the PKCS11 Provider here. There is also a very good third-party library called IAIK, here is their provider documentation. Even though you use the Provider in your software application, trivial code changes are inevitable.
Wherever you have used the KeyStore api, you may have to make changes there. And initially, when your software loads, you have to load a configuration file for the PKCS11 provider that tells which slot number and the token to connect to.
IAIK has very good examples too, and their provider library is only free for development purposes.
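The contrast drawn in the answers above, a PKCS#12 file versus a PKCS#11 token reached through the Java PKCS11 Provider and the KeyStore API, as an added example that is not code from any of the posters. It assumes Java 11 or later with the SunPKCS11 provider present, and that the PKCS#12 key password equals the store password; the class name, the token name DemoToken and the command-line arguments are hypothetical, and the library path is whichever PKCS#11 module your HSM, e-token or software token ships.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.util.Collections;

public class KeyStoreDemo {
    // PKCS#12: a password-protected file that contains the keys and certificates.
    static KeyStore openPkcs12(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) { ks.load(in, password); }
        return ks;
    }

    // PKCS#11: nothing to read from disk; the provider calls a native module
    // (.dll/.so) that talks to the token in the configured slot.
    static KeyStore openPkcs11(String library, int slotListIndex, char[] pin) throws Exception {
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.writeString(cfg, "name = DemoToken\nlibrary = " + library
                + "\nslotListIndex = " + slotListIndex + "\n");
        Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p);               // lets Signature find the token's provider
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                    // no stream: the PIN logs in to the token
        return ks;
    }

    // Usage: p12 <file> <password>  |  p11 <library> <slotListIndex> <pin>
    public static void main(String[] args) throws Exception {
        boolean token = args[0].equals("p11");
        KeyStore ks = token ? openPkcs11(args[1], Integer.parseInt(args[2]), args[3].toCharArray())
                            : openPkcs12(args[1], args[2].toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, token ? null : args[2].toCharArray());
            if (!(key instanceof PrivateKey)) continue;
            // A PKCS#12 key carries its encoded bytes; a token key is normally a
            // handle whose getEncoded() is null because the key never leaves the device.
            System.out.println(alias + " exportable bytes: " + (key.getEncoded() != null));
            String alg = key.getAlgorithm().equals("EC") ? "SHA256withECDSA" : "SHA256withRSA";
            Signature s = Signature.getInstance(alg);   // same calling code for both stores
            s.initSign((PrivateKey) key);
            s.update("constructed sample message".getBytes("UTF-8"));
            System.out.println(alias + " signature length: " + s.sign().length);
        }
    }
}
```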

Is it possible to sign JWT with PGP key

I couldn't find any information about it on Google. We are generating PGP key pairs using the Bouncy Castle library and implementing our own "web of trust". I wonder if it is possible to use these keys for JWT also, or do I need to use PKI X509 certificates?
Thanks
The signature and encryption algorithms officially supported are listed here.
No signature or encryption algorithm using PGP is listed.
But nothing prevents you from implementing a new signature/encryption algorithm used by your server and clients.
AFAIK, there is no implementation at the moment that uses GPG.
From my point of view, you have to create a new key type (e.g. JWK with kty=PGP) and new alg (e.g. alg=PGP).

RSA encryption library or Classes

I want to implement RSA encryption/decryption in my app. I googled around the net to find any library or classes which perform the RSA encryption/decryption algorithm, but was not able to find any suitable link. I know I can use the SecKeyGeneratePair provided by Apple to generate the private/public key pair. But it is a necessity for me to use the RSA algorithm as I want to implement it over a client-server network. So the algorithm needs to be common amongst the parties.
Please provide some valuable info.
Thanks
Aditya
Isn't that what SecKeyEncrypt and SecKeyDecrypt functions do?
The functions SecKeyEncrypt and SecKeyDecrypt use the RSA keys you got from SecKeyGeneratePair.