OpenSSL & MS Cryptography Service Provider
PKI Certificates with MS Crypto API & OpenSSL
Max Kleiner, 2017

Open SSL and MS Crypto API EKON21


Start with OpenSSL

The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short, this is how it works.

http://www.softwareschule.ch/download/maxbox_starter47.pdf

The encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key. The trick in a key pair is to keep one key secret (private key) and to distribute the other key (public key) to everybody.


Install OpenSSL

Nowadays, you do not have to worry too much about installing OpenSSL: most distributions use package management applications (see next).

www.softwareschule.ch/maxbox.htm
https://www.openssl.org/

The directory for all OpenSSL certificates is /var/ssl/. OpenSSL by default looks for a configuration file in /usr/lib/ssl/openssl.cnf, so always add -config /etc/openssl.cnf to commands such as openssl ca or openssl req.


THE COMMAND TOOL

OpenSSL includes a command line utility, openssl.exe, that can be used to perform a variety of cryptographic functions, like generating your machine certificate in [/CERT]. The libraries have no noteworthy dependencies: just copy both DLL files, libeay32.dll and ssleay32.dll, into your application directory.

Get the SSL binary download package: https://indy.fulgan.com/SSL/openssl-1.0.2l-i386-win32.zip


Create the Certification Authority

To create a certification authority, use the following command after correctly editing openssl.cnf; it calls openssl.exe of OpenSSL v1.0.2l:

CA.pl -newca

The utility will ask you to select a certificate file to act as your CA certificate, or you are prompted to create one. Follow the steps to create one as an exercise.


Create a Root Certification CA (selfsigned)

1. First set a const for the OpenSSL path:

Const OpenSSLPath = '..\pki2017\openssl-1.0.2l-i386-win32\';

2. Create the Root CA (private key pair):

ExecuteShell(OpenSSLPath+'openssl.exe', 'genrsa -des3 -out '+OpenSSLPath+'./certs/CA_pvkmX42.pem 2048')

3. Check the key pair:

rsa -in .\certs3\CA_pvkmX42.pem -check


We sign with the private key to make the certificate of our CA

4. Generate CA_crt by self-signing with the CA private key:

ExecuteShell(OpenSSLPath+'openssl.exe', 'req -new -x509 -days 900 -key '+OpenSSLPath+'./certs/CA_pvkmX42.pem -out '+OpenSSLPath+'./certs/CA_crt.pem -config '+OpenSSLPath+'./openssl.cnf')

5. Check the certificate (rsa -check only reads a key, so the certificate is inspected with x509):

x509 -in .\certs3\CA_crt.pem -noout -text


Create a Host Cert key pair

Second, we need the host private key.

6. Create the Host private key pair:

ExecuteShell(OpenSSLPath+'openssl.exe', 'genrsa -des3 -out '+OpenSSLPath+'./certs/host_pvkmX42.pem 2048')

7. Check the key:

rsa -in .\certs\host_pvkmX42.pem -check


Create a Host Cert Request

We create a certificate signing request (CSR) for the host private key; the CA (machine certificate) signs it in the next step.

8. Create the Host CSR (certificate signing request):

ExecuteShell(OpenSSLPath+'openssl.exe', 'req -new -key '+OpenSSLPath+'./certs/host_pvkmX42.pem -out '+OpenSSLPath+'./certs/host_csr.pem -config '+OpenSSLPath+'./openssl.cnf')

Enter a Common Name (CN) that names the main use of the certificate: for instance www.max.org if you want to secure the website www.max.org, or [email protected] if you want to use it to secure e-mails.


Sign and create the Host Cert

We let the CA sign the host certificate request (machine certificate); the output is the wanted host_crt.pem.

9. Create the Host Cert as a web certificate:

ExecuteShell(OpenSSLPath+'openssl.exe', 'ca -out '+OpenSSLPath+'./certs/host_crt.pem -in '+OpenSSLPath+'./certs/host_csr.pem -cert '+OpenSSLPath+'./certs/CA_crt.pem -keyfile '+OpenSSLPath+'./certs/CA_pvkmX42.pem -config '+OpenSSLPath+'./openssl.cnf')


Verify CA and Host Cert

10. We verify the certificate chain (the file to verify is the host certificate from step 9, not the private key):

ExecuteShell(OpenSSLPath+'openssl.exe', 'verify -verbose -CAfile certs/CA_crt.pem -CApath certs certs/host_crt.pem')

Or:

writeln(getDosOutput('openssl.exe verify -verbose -CAfile certs/CA_crt.pem -CApath certs certs/host_crt.pem', OpenSSLPath));


Convert to PKCS#12

Convert a PEM certificate and its private key to a PKCS#12 file (.pfx/.p12); the result is a file that you can import into the Windows certificate store by double-clicking it.

ExecuteShell('cmd.exe', '/k '+OpenSSLPath+'openssl.exe pkcs12 -export -out '+OpenSSLPath+'/certs/CERT_PFX.pfx -inkey '+OpenSSLPath+'/certs/PVK_host.pem -in '+OpenSSLPath+'/certs/CERT_host_crt.pem -certfile '+OpenSSLPath+'/certs/CA_crt.pem')


THE TEST OVERVIEW

OpenSSL Precompiled Binaries for Win32 test (hash the downloaded binaries):

sr:= loadfromfile(OpenSSLExe+'\openssl.exe');
writeln(getSHA256(sr));
sleep(500);
writeln(SHA1(OpenSSLExe+'\openssl.exe'));
sr:= loadfromfile(OpenSSLExe+'\ssleay32.dll');
writeln('ssleay32.dll sha256: '+getSHA256(sr));
sr:= loadfromfile(OpenSSLExe+'\libeay32.dll');
writeln('libeay32.dll sha256: '+getSHA256(sr));


Process Overview

// we generate the private key pair of the CA:
1. openssl genrsa -des3 -out ./MyDemo/certs/CA_pvk.pem 2048

// we generate CA_crt: self-sign with the CA private key to make the certificate of the CA
2. openssl req -new -x509 -days 365 -key ./MyDemo/certs/CA_pvk.pem -out ./MyDemo/certs/CA_crt.pem -config ./openssl.cnf

// we need the host private key
3. openssl genrsa -des3 -out ./MyDemo/crl/host_pvk.pem 2048

// we create the host certificate request and let the CA (machine certificate) sign it
4. openssl req -new -key ./MyDemo/crl/host_pvk.pem -out ./MyDemo/crl/host_csr.pem -config ./openssl.cnf

5. openssl ca -out ./MyDemo/crl/host_crt.pem -in ./MyDemo/crl/host_csr.pem -cert ./MyDemo/certs/CA_crt.pem -keyfile ./MyDemo/certs/CA_pvk.pem -config ./openssl.cnf

// we verify the cert's chain
6. openssl verify -verbose -CAfile ./MyDemo/certs/CA_crt.pem -CApath ./MyDemo ./MyDemo/crl/host_crt.pem

the result is: ./MyDemo/crl/host_crt.pem: OK
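The six steps above (the same procedure the ExecuteShell slides run from maXbox) as one non-interactive shell function; this is an added example, not the slide deck's or maXbox's own code. It writes the minimal openssl.cnf that openssl ca needs (database, serial, output directory) instead of editing the stock file, and passes passphrases with -passin/-passout so nothing prompts. The directory layout, the passphrase changeit and the CA name are assumptions.

```shell
# Added example, not from the slides: CA + host certificate + chain check in
# one function. Assumes openssl (1.0.2 or later) on PATH; "changeit" and the
# subject names are constructed demo values.
set -e

build_demo_pki() {
  dir="${1:-./MyDemo}"
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  # Minimal openssl.cnf: [ demo_ca ] is what "openssl ca" needs; v3_ca marks
  # the root as CA:TRUE so that "openssl verify" accepts it as a trust anchor.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. CA private key (2048-bit RSA, DES3-wrapped as on the slides)
  openssl genrsa -des3 -passout pass:changeit -out "$dir/certs/CA_pvk.pem" 2048 2>/dev/null
  # 2. self-signed CA certificate
  openssl req -new -x509 -days 365 -key "$dir/certs/CA_pvk.pem" -passin pass:changeit \
    -subj "/CN=maXbox Demo CA" -out "$dir/certs/CA_crt.pem" -config "$dir/openssl.cnf"
  # 3. host private key, 4. CSR whose CN is the server name
  openssl genrsa -des3 -passout pass:changeit -out "$dir/crl/host_pvk.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/crl/host_pvk.pem" -passin pass:changeit \
    -subj "/CN=www.max.org" -out "$dir/crl/host_csr.pem" -config "$dir/openssl.cnf"
  # 5. the CA signs the CSR (-batch suppresses the y/n prompts)
  openssl ca -batch -passin pass:changeit -config "$dir/openssl.cnf" -cert "$dir/certs/CA_crt.pem" \
    -keyfile "$dir/certs/CA_pvk.pem" -in "$dir/crl/host_csr.pem" -out "$dir/crl/host_crt.pem" >/dev/null 2>&1
  # 6. verify the chain: prints "<file>: OK" only if this CA really signed it
  openssl verify -CAfile "$dir/certs/CA_crt.pem" "$dir/crl/host_crt.pem"
}
```

Call build_demo_pki with a target directory; the last line of its output is the verify result, which is what the rest of the slides check with getDosOutput.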


MS Crypto API

We do this with a tool from MS called makecert. Most certificates in common use are based on the X.509 v3 certificate standard. First I open the shell with the MS SDK:

C:\maXbox\EKON_BASTA\EKON19\Windows Kits\10\bin\x64>

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin> makecert -n "CN=maXboxCertAuth" -cy authority -a sha1 -sv "maXboxPrivateKey3.pvk" -r "maXboxCertAuth3.cer"

Succeeded


Sign Key for Digital Signing

Ref: maxbox_digital_signature_report.pdf

Next we create the second certificate, whose purpose is to sign all the files we want. In our case, you remember, we want to sign an executable:

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -n "CN=maXbox3signer" -ic maxboxcertauth3.cer -iv maXboxprivatekey3.pvk -a sha1 -sky exchange -pe -sv maxbox3signerprivatekey.pvk maxboxsigner.cer

Succeeded


COMMONLY USED PFX:


You need both the public and private keys for an official SSL certificate to function. So, if you need to transfer your SSL certificates from one server to another, you need to export them as a .pfx file. Now we generate that as well with the shell:

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx -pvk "maXboxPrivateKey3.pvk" -spc maXboxCertAuth3.cer -pfx maXboxCertAuth3.pfx -pi password


Sign an executable

So it's time to make the last step, namely to sign our executable with another shell tool called signtool:

C:\maXbox\EKON_BASTA\EKON19\Windows Kits\10\bin\x64>signtool sign /f "maxboxsigner.pfx" /p "password" /tr http://tsa.starfieldtech.com /td SHA256 C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maxbox44.exe

Done Adding Additional Store
Successfully signed: C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maXbox44.exe


Certificate Store

Next I want to stress the certificate chain (blockchain is one of the next big things). http://www.softwareschule.ch/download/maxbox_starter54.pdf

Certificate authorities themselves have a certificate with which they digitally sign all the certificates they issue. My machine (and pretty much everyone's) has a store of the certificates (see first picture) of these different certificate authorities.

The computer then knows that if it sees any certificate that has been signed by one of these trusted certificate authorities' certificates, then the machine should trust that certificate.


Regex Test EXAMPLE: Mail Finder


procedure delphiRegexMailfinder;
var
  TestString: string;
  PR: TPerlRegEx;
begin
  // Initialize a test string to include some email addresses. This would normally be your eMail.
  TestString:= '<[email protected]>, [email protected]';
  PR:= TPerlRegEx.Create;
  try
    PR.RegEx:= '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b';
    PR.Options:= PR.Options + [preCaseLess];
    PR.Compile;
    PR.Subject:= TestString; // <-- tell PR where to look for matches
    if PR.Match then begin
      WriteLn(PR.MatchedText); // Extract first address
      while PR.MatchAgain do
        WriteLn(PR.MatchedText); // Extract subsequent addresses
    end;
  finally
    PR.Free;
  end;
  //Readln;
end;


EXAMPLE: HTTP RegEx[ ]


% cat get russian rouble rate - datafile

procedure getHttpREGEX(Sender: TObject);
var
  http1: TIDHTTP;
  htret: string;
begin
  http1:= TIDHTTP.Create(self);
  try
    htret:= http1.Get('http://win.www.citycat.ru/finance/finmarket/_CBR/');
    //writeln(htret);
    with TRegExpr.Create do
    try
      Expression:= russTemplate; // regex for the rate line, defined elsewhere in the script
      if Exec(htret) then begin
        // if output success
        writeln(Format('Russian rouble rate at %s.%s.%s: %s', [Match[2], Match[1], Match[3], Match[4]]));
      end;
      //writeln(dump)
    finally
      Free;
    end;
  finally
    http1.Free;
  end;
  //text2html
  //writeln('deco: '+#13+#10+DecorateURLs(htret,[durlAddr, durlPath]))
end;


EXAMPLE: Extract Phones\<city code 812


% cat grep-delphi-maXbox_datafile

procedure ExtractPhones(const AText: string; APhones: TStrings);
begin
  with TRegExpr.Create do
  try
    Expression:= '(\+\d*)?(\((\d+)\)*)?(\d+(-\d*)*)';
    if Exec(AText) then
      repeat
        // Match[3] is the city code in parentheses, Match[4] the number itself
        if Match[3] = '812' then APhones.Add(Match[4]);
      until not ExecNext;
  finally
    Free;
  end;
end;

writeln('Formula Gauss : '+ floatToStr(maXcalc('1/SQRT(2*PI*3^2)*EXP((-0.0014^2)/(2*3^2))')));


Regex Atoms

An atom specifies what text is to be matched and where it is to be found.


Example: Classes


SUMMARY

OpenSSL Certificates
MS Crypto API Certificates
Regex Test Examples
Certificate Store

https://maxbox4.wordpress.com/
