I have an API that creates and exports certificates, I also have access to the UI to export them manually. The problem here is: when I export a cert using c# the API returns a well-formed base64 string, if I take this string and convert it to an X.509 object it still works, but, when I export this to a cert file it seems to be insecure. If I export the certificate manually it returns the exact base64 string, but it seems to be secure and well-formed.
So, what's the difference? or how could I export the base64 string to a cert file while avoiding insecurity issues?
Thanks in advance.
My current approach is:
File.WriteAllBytes("certification.cer", GetCertificate(base64).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert));
And:
File.WriteAllBytes("certification.cer", Convert.FromBase64String(base64))
Related
I'm trying to send http requests with a cert,
when in using the SoapUi I'm adding a JKS file to the request and it works great, and now I'm trying to implement this in .Net Core code.
I'm using HttpClient for the request and I don't know how can I attach the JKS file.
Any Ideas?
Thanks
JKS is a Java proprietary format for key stores, used by default until Java8. Since Java9 the default format is PCKS#12.
C# can not read this kind of files, but it is easy to convert from JKS to PKCS#12 using keytool or KeystoreExplore
keytool -importkeystore -srckeystore <jks_file_name.jks> -destkeystore <pk12_file_name.p12> -srcstoretype JKS -deststoretype PKCS12 -deststorepass <password>
See this answer to invoke a http service using client certificates https://stackoverflow.com/a/10170573/6371459
I am trying to consume a Java web service from a C# client. The service requires BinarySecurityToken element with value type X509PKIPathv1.
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1">
MIIH......
</wsse:BinarySecurityToken>
Since WCF does not support X509PKIPathv1 value type, I am generating the SOAP message by hand, signing it using the SignedXml class, encrypting it using the EncryptedXml and sending it using the WebClient class. As for the value of BinarySecurityToken element, I used the value generated in SoapUI for the same certificate, and it works.
But, I would like to be able to generate this value programmatically from .p12 file, and not having to paste it from SoapUI again every time when the certificate expires.
The WS-Security documentation is a bit vague, so I am not sure how to go about it. This is all the information it gives about this token type:
#X509PKIPathv1: An ordered list of X.509 certificates packaged in a PKIPath
How to generate this value from .p12 file in C#? SoapUI does it somehow.
So this may not be a fully solution to your problem but it may help you out somewhat.
This:
#X509PKIPathv1: An ordered list of X.509 certificates packaged in a PKIPath
means is a asn1 sequence or chain of certificates that you have used to sign your message. You can even see it here.
To give some context asn1 is way of representing data in way independent of the machine you are using. This data is binary and not human readable so you transform it to bade 64 and that is what you see in that field.
I am not entirely sure what the exact content of your .p12 file is but at the very least I assume it has the certificate of the private key you used to sign your message and maybe the chain until the publicly trusted certificate or CA.
I am mostly a C++ developer and I know openssl provides a C like api to read a certificate manipulate the underlying asn1 structure and the output it as a string.
Sorry for not providing with a greater level of detail or a code example
I need to obtain the BinarySecurityToken to authenticate to Soap WebApi, I know that BinarySecurityToken is certificate content encoded in Base64. When I test api in SoapUI the Binary sec token is generated from jks file from my certificate, everything works. The problem is when I need to connect to api form C# then I am using p12 cert and getting encoded base64 content of cert like in jks file but the values are different and BinarySecurityToken from p12 is not working with Soap api.
Conclusion: BinarySecToken generated from jks is different than generated from p12.
Is there any way to generate BinarySecToken as same as from jks file?
Is any way to work with jks files in c# ?
This is how I get the BinarySecToken:
X509Certificate2 cert = new X509Certificate2(certPath,"pass");
var content = cert.RawData;
var base64content = Convert.ToBase64String(content);
BinarySecurityToken in .jks file is raw content data but with one difference. Token in jks file contains file size at the begining, token data generated from .p12 is the same data as jks but without file size. In my solution I solve it in other way. I think there is no solutions when you need to obtain BinarySecurityToken from file as raw data. There are other api mechanism that will solve it for you. When you want to obtain token as raw data from file, you do it something wrong and for sure that won't solve your issue.
I want to simulate client side signing via iTextSharp.
I have valid certificate, which were exported in 2 files - .cer file (public key) and .pfx file (with private key), pfx file is used as keystore. Public key used on "server".
Also I have a pdf file - for example https://yadi.sk/i/6vuDlEPXi7oYz. My code copied in this gist: https://gist.github.com/alex-t0/f446ccb5ca5e8936b778.
In a nutshell, there are 3 methods:
ServerSidePrepare (prepare hashes, public key used)
ClientSideSign (signing via private key)
SaveSignedDocumentOnServer (combining signature into pdf on server).
But this code generates pdf document, which signature is not valid. When used method MakeSignature.SignDetached signature in pdf is valid, all ok.
How to debug this and find problem? Or may be other examples of pdf client side signing? With server part, in c#.
You use the wrong digest in your GetEncodedPKCS7 call.
When first building the authenticated attributes you (correctly) use
sgn.getAuthenticatedAttributeBytes(messageHash, now, null, null, CryptoStandard.CMS)
but later when actually building the PKCS7 signature container you do
result.Sign.GetEncodedPKCS7(result.Hash, result.Now, null, null, null, CryptoStandard.CMS);
The parameters of these two calls must be identical (with the exception of the additional ITSAClient argument in the latter call). Otherwise the final authenticated attributes (built in GetEncodedPKCS7) are different from the original ones (built in getAuthenticatedAttributeBytes) and would require a different signature value.
Thus, you should include the byte[] messageHash in your DTO and use it in SaveSignedDocumentOnServer.
I am trying to implement HTTP communication authenticated by client certificate. When sending an HTTP request on "normal" (i.e. not Compact) .NET Framework, it's quite simple:
HttpWebRequest request = ...;
string certificatePath = ...;
string certificatePassword = ...;
request.ClientCertificates.Add(
new X509Certificate(certificatePath, certificatePassword));
However, on Compact Framework 3.5, X509Certificate has only one constructor which accepts byte array and nothing else. I suppose that I should read a certificate file and pass its contents into that byte array, but what about the password? How should I specify it on Compact Framework?
I did not find any way to use X509Certificate and password.
In the end, I've decided to use X509Store and grab certificates from there. This will make deployment a bit more difficult then originally anticipated, but at least it's doable :)
I'm two years late, but I stumbled across this question in my own research.
If you look closely at the documentation's example code, you see that you have to first open the PFX file and then export it before creating another instance of the X509Certificate class.
The way I understood this is as follows: the full .NET Framework API (i.e., on the desktop) takes a password parameter for the class' constructor as an overload. So, using the full framework, you export the certificate's raw data (i.e., without the securing password) using the Export method and then store the resulting byte array into a file. Afterward, you transfer that file to the mobile device, read the file into a byte array and pass that to the X509Certificate constructor on the Compact Framework.
Of course, this is the "raw" way of going about the problem. One has to then take care to secure the data being transferred in some way.
On further reading, exporting the PFX file in this way does not include the private key, though.