How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Are there any c# .net free software composition analysis tools to check opensource component used and its vulnerabilities and license

I have situation where I have to anlyse the third party components\libraries used in the code within the license terms and no know vulnerabilities.

I know there are tool name blackduck and whitesource which can meet the expectation, but we cannot afford costly tools.

Is there any free stable tools available for such analysis. One I came across is OWASP dependency.

Appreciate any help over here.

Asymmetric XML Encryption (in .NET)

I’m trying to decrypt XML EncryptedData in .NET Framework:

<xenc:EncryptedData Id="_741139241b38dfd707421728b0fd4041" Type="http://www.w3.org/2001/04/xmlenc#Element">     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm">         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>     </xenc:EncryptionMethod>     <ds:KeyInfo>         <xenc:EncryptedKey Id="_db6a41a40ccb22cbef88275caff4d05d">             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>             <ds:KeyInfo>                 <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">                     <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">                         <xenc11:ConcatKDFParams AlgorithmID="0000002A687474703A2F2F7777772E77332E6F72672F323030312F30342F786D6C656E63236B772D616573323536" PartyUInfo="0000001673796D756C61746F722E6C6F67696E2E676F762E706C" PartyVInfo="0000000743552D554D5750">                             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>                         </xenc11:ConcatKDFParams>                     </xenc11:KeyDerivationMethod>                     <xenc:OriginatorKeyInfo>                         <ds:KeyValue>                             <dsig11:ECKeyValue>                                 <dsig11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>                                 <dsig11:PublicKey>xxxx</dsig11:PublicKey>                             </dsig11:ECKeyValue>                         </ds:KeyValue>                     </xenc:OriginatorKeyInfo>                 </xenc:AgreementMethod>             </ds:KeyInfo>             <xenc:CipherData>                 <xenc:CipherValue>xxxx</xenc:CipherValue>             </xenc:CipherData>         </xenc:EncryptedKey>     </ds:KeyInfo>     <xenc:CipherData>         <xenc:CipherValue>xxxx</xenc:CipherValue>     </xenc:CipherData> </xenc:EncryptedData> 

As I understand I need to implement these steps:

  1. recreate public key stored in OriginatorKeyInfo node using x, y parameters from PublicKey and specified curve, result is publicKey
  2. do KeyAgreement (algorithm:ECDH-ES) operation using my private key and publicKey from step 1, result is sharedKey
  3. do Key Derivation Function (algorithm: ConcatKDF) operation using sharedKey, result is unwrappingKey
  4. do Key Unwrap (algorithm kw-aes256) on EncryptedKey>CipherData>CipherValue using unwrappingKey, result is encryptionKey
  5. do decrypting (algorithm aes256-gcm) on EncryptedData>CipherData>CipherValue using encryptionKey

Currently I’m at step 1. Using jose-jwt I can create public key with EccKey.New(x, y, CngKeyUsages.KeyAgreement), but I don’t understand why there is no curve name parameter? If someone knows way of making this work or some examples (bouncy castle?) please comment.

Cracking .NET random

I know .NET has two PRNGs, one secure and one insecure. I would like to be referenced to a tool/article about cracking the insecure one (I want to use it to test an .aspx site). I searched it all over but I only found references to cracking The random of Java, C and PHP.

.NET application protection technique against cracking

I’m trying to protect my software against cracking. Protection against cracking is crucial before listing the product on market.

Info about the software:

  • Built using .NET C# (Framework 4.5.2)
  • WinForms
  • 32 bit

I have made a several protection layers:

  • Obfuscation, Renaming, anti-debugging
  • Encrypted communications between software and API server (RSA) public key hard-coded
  • The client will generate a temporary AES keys and encrypt it with server public key then sends it to server, The server will decrypt the data with his RSA Private key and respond with a new AES keys encrypted with the ones provided by the client at first request. Then any communication from client to server will be signed by server RSA pub key and encrypted by AES Keys provided by the server.

  • Verify libraries integrity by requesting libraries checksum from API and compare it.

And the most important part is, the application will once request “custom data” from API server and store it in memory, to be used by internal software functions. When a function in the application called it will use the “custom data” as input, so there’s no way for the software to operate correctly without having the “custom data”

The API server provides the “custom data” after verifying software activation code and machine unique ID.

The question is:

  • With all of these layers, can the software cracked?
  • Can the custom data layer bypassed?
  • If a cracker bypassed the protection layers until the “custom data” part, it’s possible to clone the software with the “custom data” meaning the software can operate without need to request the custom data from the API?

What i mean by custom data is making the software hybrid, always needs data from API to function

I am counting on the “custom data” protection layer.

Please let me hear your recommendations. thanks a lot

almacenar intentos en base de datos .net

tengo una consulta estoy haciendo un sistema en .net y sql server , lo que quiero hacer es cuando un usuario se logee, almacene en mi base al usuario que entro o al usuario que erro su cuenta en el login y me diga cuantas veces entro o la hora, les agradecería por la ayuda .

   Private Sub BTNINGRESAR_Click(sender As Object, e As EventArgs) Handles BTNINGRESAR.Click       Try          datos.Usuario_1 = TXTUSER.Text         datos.Contraseña_1 = TXTPASS.Text          If funcion.validar_sesion(datos) = True Then              Preguntas.Show()         ElseIf (contador = 3) Then              MsgBox("Demasiado intentos fallidos")             Me.Close()          Else 'contar loos numeros de intentos               MsgBox("Usuario o Contraseña Invalido, Intente de Nuevo")             TXTUSER.Clear()             TXTPASS.Clear()             contador += 1          End If       Catch ex As Exception         MsgBox(ex.Message)     End Try End Sub 

¿Cómo usar pivot para un campo de una consulta en C# .net?

Tengo una consulta

Tengo una método que devuelve una lista de datos(idColaborador,nombreColaborador,unidad Organizativa, fecha_registro).

Lo que yo quiero es invertir el campo fecha_registro de columna a fila como se trabaja en pivot.

Al principio intente hacerlo el pivot desde base de datos y llamarlo en un procedimiento almacenado pero el problema es que al recibir los datos me traía demasiadas columnas ya que trae todos los días del mes y al momento de mapearlo en mi método tendría que crear la cantidad de atributos necesarios de acuerdo a las columnas que reciba de mi procedimiento es por ello que estoy intentando hacerlo por .net.

Aquí encontré una página de ejemplo pero yo soy nuevo en estos temas y les pido que me puedan ayudar https://www.codeproject.com/Articles/22008/C-Pivot-Table

public List<Sigeri> ExportarResumenHoras()         {  List<Sigeri> lista = new List<Sigeri>();         DatabaseHelper helper = null;         SqlDataReader dr = null;         try         {              helper = new DatabaseHelper(Conexion.Instancia.CadenaConexionDS());             helper.AddParameter("@MesAño", "082019");              dr = (SqlDataReader)helper.ExecuteReader("PA_Control_horas", System.Data.CommandType.StoredProcedure);             while (dr.Read())             {                 var obj = new Sigeri()                 {                     Colaborador = new Colaborador()                     {                         IdColaborador = dr["Id_Colaborador"].ToString(),                         NombreColaborador = dr["Nombre_Colaborador"].ToString()                     },                     Proyecto = new Proyecto()                     {                         IdUnidadOrganizativa=dr["Id_Unidad_Organizativa"].ToString()                     },                     Fecha_registro = DateTime.Parse(dr["Fecha_Registro"].ToString())                  };                 lista.Add(obj);             }          }         catch (Exception ex)         {             throw ex;          }         finally         {             if (helper != null)                 helper.Dispose();         }         return lista;     } 

Ya que luego deseo exportarlo a excel y debe mostrar algo parecido a esta imagen.

introducir la descripción de la imagen aquí

Este sería mi controlador donde se exportaría en excel lo que reciba de mi método ExportarResumenHoras

public JsonResult ExportarResumenHoras()         {             List<Sigeri> data = GestionResumenHoras.Instancia.ListaResumenHoras();              ExcelPackage pkg = new ExcelPackage();             ExcelWorksheet ws = pkg.Workbook.Worksheets.Add("Detalle(Semana)");                ws.Cells["A6"].Value = "DNI";             ws.Cells["B6"].Value = "NOMBRE COLABORADOR";             ws.Cells["C6"].Value = "PROYECTO UO";              int rowstart = 7;             //int columna = 4;             if (data != null)             {                 foreach (Sigeri obj in data)                 {                     ws.Cells[string.Format("A{0}", rowstart)].Value = obj.Colaborador.IdColaborador;                     ws.Cells[string.Format("B{0}", rowstart)].Value = obj.Colaborador.NombreColaborador;                     ws.Cells[string.Format("C{0}", rowstart)].Value = obj.Proyecto.IdUnidadOrganizativa;                     ws.Cells[string.Format("D{0}", rowstart)].Value = obj.Fecha_registro;                  }             }             ws.Cells["A:AZ"].AutoFitColumns();                MemoryStream memoryStream = new MemoryStream();             pkg.SaveAs(memoryStream);             memoryStream.Position = 0;              var bytes = memoryStream.ToArray();             Session["archivoResumenHoras"] = bytes;             return Json(new { success = true }, JsonRequestBehavior.AllowGet);         } 

Disassembling a .NET manually

I would like to statically sign a malware, specifically MSIL Crypter, with a YARA rule. I want to sign specific functions (Assembly.Load for example) but I couldn’t find an informative documentation about how to disassemble a .NET binary into CIL which will help me understand which sequence of bytes to sign. Would be glad to get some help with it.