How do I configure the Calculator web service sample code in netbeans to use x509 certificates for authentication?

I have successfully followed the steps outlined here: https://netbeans.org/kb/docs/websvc/jax-ws.html

Everything works correctly (i.e. I can run a client jar file from terminal and have it send two numbers to add; the calculator web service receives them and returns the correct sum in the SOAP response).

I now wish to add authentication using x509 certificates, but I am unable to find specific documentation on how to do so. The closest link I found is a secure calculator here:

https://netbeans.org/kb/docs/websvc/wsit.html#Exercise_2_2

But this appears to be using “Username Authentication with Symmetric Keys”, which is not what I am looking for.

I am looking for the calculator client to send its x509 certificate over to the calculator web service. The calculator web service authenticates the x509 certificate it just received from the client. If authentication is successful, it will proceed to add the two numbers sent by the client. Otherwise it returns “invalid cert”.

This seems like a simple thing to do, but I am not able to find any documentation or a sample netbeans project that does this.

This website seems promising: https://docs.oracle.com/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp162511

Specifically the Example: Mutual Certificates Security (MCS). However, when I get to the step in the “Securing the Example Web Service Client Application (MCS)” section that says:

Select the WSIT Configuration tab of the CalculatorWSService dialog.

Netbeans does not have a WSIT Configuration tab. So this appears to be outdated since I am running Netbeans 8.2.

Would appreciate all / any help from the community.

How to generate a certificate with csr’s sans kept by using openssl x509?

I already know how to add SANs to a CSR, and I know it’s viable to add them once again to the crt using openssl x509 like this:

    openssl x509 -req -extfile <(printf "subjectAltName=IP:xxx") -days xxx -in xxx.csr -signkey xxx.key -out xxx.crt

but I want to find a way to do that in one command line without using a config file.

thanks

Can we keep our customer’s X509 Certificate as BLOB on our server?

I have a scenario in which I need to use the customer’s X509 certificate and passphrase for executing their web services.

Now, I need to know whether it will be a security breach if I store customers’ X509 certificates on my server as a BLOB and use them.

If it is a security breach, then what is the best approach to use that certificate?

RFC 5280 compliant certificate with x509 extensions

First time posting here, be gentle.

Situation: I have a requirement to link our printer/scanner to our Azure AD (so that it can look up users etc.). I have enabled Azure AD Domain Services with LDAP enabled, and this works. I have tested the LDAP lookup by creating a certificate with the x509 extensions per the Azure documentation, installed the certificate for LDAP in AADDS and on my laptop, and can successfully search the domain. Without the certificate, it’s not working - so security-wise it seems okay this far.

Azure AD DS says:

Upload a .PFX file containing the certificate to be used for secure LDAP access to this managed domain

The requirements for Azure AD DS LDAP certificate is here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/configure-ldaps:

Requirements for the secure LDAP certificate

Acquire a valid certificate per the following guidelines, before you enable secure LDAP. You encounter failures if you try to enable secure LDAP for your managed domain with an invalid/incorrect certificate.

* Trusted issuer - The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public certification authority (CA) or an Enterprise CA trusted by these computers.
* Lifetime - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
* Subject name - The subject name on the certificate must be your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be 'contoso100.com'. Set the DNS name (subject alternate name) to a wildcard name for your managed domain.
* Key usage - The certificate must be configured for the following uses - Digital signatures and key encipherment.
* Certificate purpose - The certificate must be valid for SSL server authentication.

with an example on how to create it.

    $lifetime=Get-Date
    New-SelfSignedCertificate -Subject contoso100.com `
      -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
      -Type SSLServerAuthentication -DnsName *.contoso100.com, contoso100.com

The printer is HP PageWide Pro 477dw MFP. I have been unable to find any real guides related to this printer and certificates/LDAP. The settings for the printer certificate says:

The file format must be PEM/Base64 encoded (.pem, .cer, .der).

Complication: The printer requires an RFC 5280 compliant certificate. I can create an RFC 5280 compliant certificate, but when I do it with the extensions required by ADDS LDAP, the printer does not validate it as RFC 5280 compliant. If I create a certificate without extensions, the printer can validate the certificate just fine, but then ADDS won't validate it.

Where do I go from here?

Kind regards

Creating X509 certificate in C using post-quantum public key algorithm?

I’m trying to implement a self signed x509 certificate that uses a post-quantum (PQ) public key algorithm as the public key algorithm. I looked at the openssl library in c, and the way it’s done using RSA. I’m essentially trying to replicate the same format. From what I’ve seen in the openssl library, RSA and a couple of other supported algorithms are integrated in the crypto EVP layer (the key is stored as EVP_PKEY). The functions in the openssl library that I’m trying to use are X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey), and some other functions that have very similar inputs. Is there a way that I can integrate the PQ algorithm into the EVP layer? If not, is there any way around using the EVP layer that would achieve the same goal?

I have tried looking into the evp source code in the openssl library. It seems it only supports certain algorithms such as RSA, EC… I’m not sure if it’s possible to incorporate the PQ algorithm into the EVP layer. I’m following along the example in this link: (https://www.codepool.biz/how-to-use-openssl-to-generate-x-509-certificate-request.html) to generate the certificate. Instead of RSA key, I just plug in the PQ algorithm key. So far when I create my certificate, it’s always outputted in the wrong format.

I’m using this command: openssl x509 -in x509Req.pem -text -noout to read the certificate generated. It always shows the error message “unable to load certificate \n 140688586052032:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE”.

Convert CSR to self-signed x509 Certificate

Is it possible to receive a certificate request (CSR) and convert it to a self-signed X509 Certificate without having access to the private key that signed the CSR? I want to do the following: receive a CSR from a client and translate it directly to a self-signed X509 Certificate as if it was the client that self-signed it (it is redundant, I know, but it is for a project). Basically I want to copy a CSR to an X509 certificate without signing the certificate. I would want to do this with, for example, openssl or golang (for the purpose of this question openssl is enough).

Thank you

X509 “Serial Number of certificate” vs serial number attribute in Issuer and Subject?

Is the serial number attribute of an X509 certificate Issuer or Subject, as defined in RFC5280, required to be the same as the Serial Number of the issuing or subject certificate? It seems quite potentially confusing to have it otherwise, but I can’t find where the relevant specifications define this clearly.

In https://tools.ietf.org/html/rfc5280#section-4.1.2.2, we have

    4.1.2.2.  Serial Number

    The serial number MUST be a positive integer assigned by the CA to
    each certificate.  It MUST be unique for each certificate issued by a
    given CA (i.e., the issuer name and serial number identify a unique
    certificate).

In https://tools.ietf.org/html/rfc5280#section-4.1.2.4, we have

    4.1.2.4.  Issuer
    . . .
    Standard sets of attributes have been defined in the X.500 series of
    specifications [X.520].  Implementations of this specification MUST
    be prepared to receive the following standard attribute types in
    issuer and subject (Section 4.1.2.6) names:

       * country,
       * organization,
       * organizational unit,
       * distinguished name qualifier,
       * state or province name,
       * common name (e.g., "Susan Housley"), and
       * serial number.

In https://tools.ietf.org/html/rfc5280#section-4.1.2.6, we have

    4.1.2.6.  Subject
    . . .
    The subject field is defined as the X.501 type Name.  Implementation
    requirements for this field are those defined for the issuer field
    (Section 4.1.2.4).

In https://www.itu.int/rec/T-REC-X.520-201610-I/en, we have

    6.2.9 Serial Number

    The Serial Number attribute type specifies an identifier, the serial number of an object.
    An attribute value for Serial Number is a printable string.

    serialNumber ATTRIBUTE ::= {
        WITH SYNTAX PrintableString(SIZE (1..MAX))
        EQUALITY MATCHING RULE caseIgnoreMatch
        SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
        LDAP-SYNTAX printableString.&id
        LDAP-NAME {"serialNumber"}
        ID id-at-serialNumber }

Sign XML with RSA and X509 in C#

Me again xD.

I am in the process of signing an XML document using C#. I have my signature files in a folder and my generated XML. For this I am using an example from the Microsoft site (it was the one that worked for me): Microsoft x509

So far I have put a button on my form to generate the certificate.

I should also mention that I am using the envelope signature type (which is the one I need).

This is the final part of the signed document that I generate (I removed parts of the codes so it would not be so long):

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>2gkfbuT34GapApOKNQef3whZs54=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>FYO0xaRbTIHw/M6h...</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIDNjCCAh6gAwIBAgIQNozDOzKInKBAbJ67yETfnjANBgkqhk.....</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>

It looks fine, but looking at a sample signed document that I was given, I am missing information:

Here is an example:

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#Documento101">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>3JUP4fsboOzM3v...</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>KfDaAuizrGD6p5i0pwN...</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>x8uFiN6dlSJHcmDBaSJQB8Eh+SfSRrwdvJITx6F7RlTsiAru8VQ+O6RMgMYH8vVsx9X86mcBSiJUsd+z2bcJHdTkOsgthUG7Ke00wMchASb3gYLXsIWgS0/...</Modulus>
            <Exponent>AQAB</Exponent>
          </RSAKeyValue>
        </KeyValue>
        <X509Data>
          <X509Certificate>MIIHLjCCBhagAwIBAgIKMOyn8gA...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>

And as you can see, I am missing the RSAKeyValue key.

My question is, based on this example that I am taking from Microsoft, what am I missing that I need to add to generate the RSAKeyValue?

Because on the page I found how the RSAKeyValue is generated, but I need to get it to generate both the RSA and the X509 at the press of a single button in my application. Maybe it is a matter of order, first I generate the RSA and then I add the X509 certificate to it, but I am a bit lost.

If any of the code I have is needed, let me know and I will post it.

Thanks

Is there a best practice for storing certificates (e.g. x509), which include private keys, used in unit tests?

In a software library I wrote, large parts of the code use x509 certificates for various purposes like signing documents digitally.

Is there a best practice for storing test certificates used for the unit tests? Should they be stored in git/the same versioning system where the code is?

The difference between Subject Key Identifier and sha1Fingerprint in X509 Certificates

I have some SW that extracts certificate data, and the SW utilizes OpenSSL. I am confused about what the difference is between the subjectKeyIdentifier and the sha1Fingerprint. Both are hash values. My intuition is that the subjectKeyIdentifier is the hash of the public key of the certificate and the sha1Fingerprint is the hash of the overall fields of the certificate. My research made me more confused. For example, this reference says about the subjectKeyIdentifier:

This is a hash value of the SSL certificate.

This is an example of what I get from the SW:

    "subjectKeyIdentifier": "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1",
    "sha1Fingerprint": "E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB"

What is the difference between the two hashes? What is each hash for?
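
The two values from the question above, computed side by side in an added example that is not part of the original post. It assumes the key identifier was derived with RFC 5280 section 4.2.1.2 method 1 (SHA-1 over the subjectPublicKey bits), which a CA is not required to use; the helper names, the toy certificate and `KEY` are constructed for illustration.

```python
import hashlib

def der(tag, body):
    """DER-encode one element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits = count of length octets
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def children(body):
    """Split a SEQUENCE body into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def sample_cert(key_bits, serial):
    """Constructed toy certificate: real X.509 layout, dummy names and signature."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") * 2)
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

def key_id_and_fingerprint(cert_der):
    """Return (method-1 key identifier, SHA-1 fingerprint) as hex strings."""
    _, cert_body, _ = read(cert_der, 0)
    tbs = children(children(cert_body)[0][1])
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5][1]    # [0] version is optional
    bit_string = children(spki)[1][1]
    key_id = hashlib.sha1(bit_string[1:]).hexdigest()  # skip unused-bits octet
    return key_id, hashlib.sha1(cert_der).hexdigest()

KEY = bytes(range(64))                      # constructed stand-in for key bytes
CERT_A, CERT_B = sample_cert(KEY, 1), sample_cert(KEY, 2)
```

`CERT_A` and `CERT_B` carry the same key but different serial numbers, so they share a key identifier while their fingerprints differ: the first value tracks the key, the second tracks the exact encoded certificate.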