I am using the PHP Openssl Extension by calling openssl_sign() in my code.
My Openssl is configured to use 3 different engines (configuration located in '/etc/ssl/openssl.cnf')
My default engine is set to my custom engine and when I am calling RSA Sign from Command Line (openssl rsautl -sign) it does use my custom engine.
But when using the PHP Openssl Extension it only calls the "regular" Openssl Engine.
I do I force the Extension to use my custom engine ?
Related
Is there a build/compile flag for kubernetes v1.14 to only build for signature verification and not signing? I have an embedded system acting as a kubelet that justs needs to verify a signature. I'm getting error saying, kubelet[289]: remote_image.go:113] PullImage "quay.registry/reponame/podman-test:latest" from image service failed: rpc error: code = Unknown desc = Source image rejected: Invalid crypto engine which indicates that kubernetes is missing external dependencies for signing.
I've tried adding:
-tags "containers_image_openpgp " similar to related issue here:
https://github.com/containers/skopeo/issues/660
My current build command is
make generated_files KUBE_BUILD_PLATFORMS="${HOST_GOOS}/${BUILD_GOARCH}"; make cross KUBE_BUILD_PLATFORMS=${GOOS}/${GOARCH}
The error is coming from GPG. Make sure your device has gpg or gpgv command in PATH and that signature verification with gpg command works.
gpgv is a stripped-down verification-only command that you could use, and Kubernetes supports it. Also, GPG has a ton of compile-time parameters to enable/disable parts of it, you can strip it down once you get it working.
If you find GPG too bloated or have a hard time getting it to work, you can try using https://sequoia-pgp.org/ which compiles to a statically linked binary without external dependencies. You will have to translate calls to gpg command into calls to sqv, but their CLI interfaces are really similar so it should be easy to do with a shell script, or whatever language your embedded platform supports.
I have tried several ways to get some PEM files to be used by CouchDB. I have generated a cert with powershell, exported it with key to a pfx and then used openssl to convert to 2 pem files and installed them in Couch. With this approach it seems to work in IE11, but it doesn't work with firefox or other browsers. Firefox produces this error:
The key does not support the requested operation. (Error code:
sec_error_invalid_key)
I've also gotten a free ssl cert from ssl.com, (they gave me three CRT files) and tried converting it using openssl, but to no avail.
I've also followed the instructions on the page from CouchDB to generate a self signed cert specifically for this purpose, but it will not load the page. (http://docs.couchdb.com/en/latest/config/http.html#config-ssl about half way down)
Has anybody had success with this? How do I get my certs into a format that will play nice with Couch and will all browsers?
UPDATE:
Now I'm getting this error
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
Not sure if this is a step forward or backwards...
It seems like CouchDB versions predating 1.7 or 1.6 are not able to have intermediate certificates specified for certificate verification. Since you are writing about having received three .crt files, (s)ome of those might be required as intermediate certificate(s). CouchDB not knowing about them can be the cause of your problem.
Apparently, one way to work around this is to concatenate your certificate file along with the intermediate certificate file(s). Simply cat them together like
$ cat yours.crt theirs.crt > couchdb.crt
...and use CouchDB's certfile configuration option to point to couchdb.crt's location.
If you prefer to convert .crt to .pem first, use sth like
$ openssl openssl x509 -in yours.crt -inform der -outform pem -out yours.pem
In a new enough version, you can probably use an intermediate certificate by setting CouchDB's cacertfile option. Have a look at this for further information.
I am trying the new Facebook SDK for Unity and I would like to deploy the example included in this SDK but like I am not running any web server. I installed the Python software in the default path (C:\Python33) and the I created web.py file and saved it into the built my Unity game (where is web.unity3d file). More info here.
See I don't have a web server available part.
Since my English is not so good, I could not understand the following part:
Then (install openssl)[http://www.openssl.org/related/binaries.html]
if it isn't already on your computer. In the same directory as above,
generate a key file:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365
-nodes Provide a non-blank answer to each prompt (correctness won't matter, but empty values may).
Start the server:
python web.py
For this, could anybody explain to me how I would have to do it?
Facebook is providing instructions on how to deploy a simple web server locally if you don't already have one, specifically the SimpleHTTPServer one (http://docs.python.org/2/library/simplehttpserver.html). The prerequisite is to have a SSL/TLS-capable Web server. So
First Step: Allow for SSL capability by using openssl to generate a key file for use in the server. (Keep it in the same directory)
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -node
After executing this command, a series of prompts will be asked but for the purposes of the tutorial it isn't important what the values are as long as they are non-blank
Second Step: Create a file called web.py with the following contents
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='server.pem', server_side=True)
httpd.serve_forever()
This line
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler),
is how the server will be presented in a browser, https://localhost:44443/, where the game object will be at https://localhost:44443/web.unity3d
This line
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='server.pem', server_side=True)
sets up SSL with the server key file generated earlier with openssl
Finally httpd.serve_forever() executes the requests and deploys the server at https://localhost:44443/
Third Step: Call the program just created by executing the following command
python web.py
Fourth Step: Navigate to https://localhost:44443/web.unity3d
Alejandro - you don't actually need to set up a localhost server, in fact, I don't recommend it unless you really want to iterate on some Facebook callbacks and you're having trouble getting them working.
Instead I would:
do in-editor testing just to see how things might work. The editor dialogs use fake data, but are indicative of the in-game experience.
push to a hosting site for live testing. e.g. use parse hosting and do 'parse deploy' to push a static file live. I can help with this if you'd like.
Thanks for checking out the SDK!
you are installing the wrong python version. Use 2.7, not 3.3. 3.3 doesn't have that library.
I have been working on an application that create apples new ios pass.I am new to perl modules and i need some answers about how can we create signature files that uses PKCS7 encryption from a json file. any help would be appreciated.I have certificates and teamid for creating passes.
or
more simply how to create a signature for a json file using PKCS7 encryption.
and have certificates of format p12 , pem cer.
To handle PKCS7 you can use OpenCA-PKCS7 module. To deal with JSON you can use JSON module. CPAN documentation gives all the needed info to work with those modules. Enjoy.
Can someone please specify the steps to enable FIPS on Postgres Database? I have googled but was not able to find anything concrete.
Can someone please specify the steps to enable FIPS on Postgres Database?
I don't believe you can run Postgres in "FIPS mode" because of its use of non-approved cryptography. From a past audit, I know it makes extensive use of MD5 (see, for example, Postgres Mailing List: Use of MD5. So lots of stuff is going to break in practice.
Notwithstanding, here are the steps to try and do it via OpenSSL. There are three parts because Postgres is not FIPS-aware, and you need to make some modifications to Postgres.
Step One
You have to build OpenSSL for the configuration. This is a two step process. First you build the FIPS Object Module; and second, you build the FIPS Capable Library.
To build the FIPS Object Module, first you download `openssl-fips-2.n.n.tar.gz. After unpacking, you perform:
./configure
make
sudo make install
After you run the above commands, the fipscanister will be located in /usr/local/ssl/fips-2.0. The FIPS Capable Library will use it to provide the FIPS Validated Cryptography.
Second, you download openssl-1.n.n.tar.gz. After unpacking, you perform:
./configure fips shared <other options>
make all
sudo make install
The critical part is the fips option during configure.
After you run the above commands, you will have a FIPS Capable Library. The library will be located in /usr/local/ssl/lib. Use libcrypto.so and libssl.so as always.
The FIPS Capable Library uses the fipscanister, so you don't need to worry about what's in /usr/local/ssl/fips-2.0. Its just an artifact from building FIPS Object Module (some hand waiving).
Step Two
Find where Postgres calls SSL_library_init:
$ grep -R SSL_library_init *
...
src/backend/libpq/be-secure.c: SSL_library_init();
src/interfaces/libpq/fe-secure.c: SSL_library_init();
Open be-secure.c and fe-secure.c, and add a call to FIPS_mode_set.
/* be-secure.c, near line 725 */
static void
initialize_SSL(void)
{
struct stat buf;
STACK_OF(X509_NAME) *root_cert_list = NULL;
#if defined(OPENSSL_FIPS)
int rc;
rc = FIPS_mode();
if(rc == 0)
{
rc = FIPS_mode_set(1);
assert(1 == rc);
}
#endif
if (!SSL_context)
{
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
OPENSSL_config(NULL);
#endif
SSL_library_init();
SSL_load_error_strings();
...
}
...
}
If the call to FIPS_mode_set succeeds, then you will be using FIPS Validated cryptography. If it fails, you will still be using OpenSSL's cryptography, but it will not be FIPS Validated cryptography.
You will also need to add the following headers to be-secure.c and fe-secure.c:
#include <openssl/opensslconf.h>
#include <openssl/fips.h>
Step Three
The final step is to ensure you are using the FIPS Capable Library from step one. Do that via CFLAGS and LDFLAGS:
cd postgres-9.3.2
export CFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"
./config --with-openssl <other options>
...
For PostgreSQL on Red Hat Linux, the https://public.cyber.mil/stigs/downloads/ web site has a Security Technical Implementation Guide for PostgreSQL 9.x which has this check.
Rule Title: PostgreSQL must implement NIST FIPS 140-2 validated
cryptographic modules to protect unclassified information requiring
confidentiality and cryptographic protection, in accordance with the data
owners requirements.
STIG ID: PGS9-00-008200
Rule ID: SV-87645r1_rule
Vuln ID: V-72993
The "Fix Text" reads
Configure OpenSSL to be FIPS compliant.
PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to
be FIPS 140-2 compliant, see the official RHEL Documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html
For more information on configuring PostgreSQL to use SSL, see supplementary
content APPENDIX-G.
Joseph Conway pointed out "the Appendix G the STIG refers to is in the PostgreSQL STIG supplement, not the [postgresql.org] docs. You can get the supplement (and the rest of the STIG) here: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_SQL_9-x_V2R1_STIG.zip
As I understand your question you are looking at trying to ensure that you can encrypt data transferred to and from PostgreSQL using AES algorithms. While FIPS goes well beyond that, and well beyond what can be asked in Q&A, that question at least is easily answerable.
The simple solution is to use SSL with a certificate authority of your choice (if you are using Active Directory, you could use Certificate Server, and if not you could use OpenSSL to run your own certificate authority). You could then specify which encryption standards to use (see official docs). From there encryption will be used and your server will be authenticated to your clients. You can also set up client certs and require those to be authenticated as well.