signing with X509 certificate possible?


agente_mor

Nov 14, 2012, 5:43:15 PM
to xmlse...@googlegroups.com
Hi,
Do you have an example where we can sign with X509?
In Linux, using XMLsec, it is a command introduced by hand, like:

xmlsec --sign --output doc-signed-x509.xml --pkcs12 usercert.p12 \
   --pwd hello --trusted-pem cacert.pem doc-x509.xml

Using xmlseclibs, how could we do it?
Thanks a lot
mario

Rob Richards

Nov 14, 2012, 6:26:26 PM
to xmlse...@googlegroups.com, agente_mor
Look in http://code.google.com/p/xmlseclibs/source/browse/trunk/tests/
All the examples use x509 to sign. The library uses pem format so you
just need to convert your p12 files to pem

Rob

agente_mor

Nov 14, 2012, 7:03:01 PM
to xmlse...@googlegroups.com
Hi Rob,
In the Linux example, there are two certificates, one is for PKCS12 certificate and the other is the certificate of the trusted authority.
I can change the format of the PKCS12 certificate, no prob, but what about the certificate of the trusted authority, is there an example where two certificates are handled?
Actually for X509 we need two certificates right???

thanks
Mario

Rob Richards

Nov 14, 2012, 8:58:25 PM
to xmlse...@googlegroups.com, agente_mor
Are you looking to add the trusted authority certs into the attached list of x509 certs in the signature? If not, those are only used when verifying the signature so that the signing cert itself can be verified. If you don't need to attach the authority cert (i.e. your cert was issued by the party you are sending the data to or was issued by one of the public certs that most systems already inherently trust) then you would not need to include it. If you do need to include it, the add509Cert method can take a pem file containing the full chain (including your public cert) and will add all the certs in order to the signature.

Rob
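
Signing with a PEM key and attaching the full chain through add509Cert, as described in the reply above. This is an added example, not code from the thread or from the xmlseclibs test suite. It assumes the single-file xmlseclibs.php release with global class names (newer Composer releases place the same classes under the RobRichards\XMLSecLibs namespace); makeCert() is a hypothetical helper that builds a constructed throwaway CA and signer.

```php
<?php
require 'xmlseclibs.php'; // assumption: single-file release sits next to this script

// Hypothetical helper: constructed throwaway certificates so the script runs
// offline. In practice these are the PEM files converted from .p12/.cer/.key.
function makeCert($cn, $issuerCert = null, $issuerKey = null) {
    $key  = openssl_pkey_new(array('private_key_bits' => 2048));
    $csr  = openssl_csr_new(array('commonName' => $cn), $key, array('digest_alg' => 'sha256'));
    // With no issuer given the certificate is self-signed (used for the CA).
    $cert = openssl_csr_sign($csr, $issuerCert, $issuerKey ? $issuerKey : $key, 30,
                             array('digest_alg' => 'sha256'));
    openssl_pkey_export($key, $keyPem);
    openssl_x509_export($cert, $certPem);
    return array($keyPem, $certPem);
}
list($caKey, $caCert)         = makeCert('Example CA');
list($signerKey, $signerCert) = makeCert('Example signer', $caCert, $caKey);

$doc = new DOMDocument();
$doc->loadXML('<Envelope><Data>Hello</Data></Envelope>'); // constructed sample document

$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($doc, XMLSecurityDSig::SHA256,
    array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'));

// The private key must be PEM. Here it is passed as a string; to read it from
// disk use loadKey('privkey.pem', TRUE) as in the library's tests.
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
$objKey->loadKey($signerKey);
$objDSig->sign($objKey);

// One PEM string holding the chain, signer first. Each certificate in it is
// written to the signature as its own X509Certificate element.
$objDSig->add509Cert($signerCert . $caCert);
$objDSig->appendSignature($doc->documentElement);

$n = $doc->getElementsByTagNameNS(XMLSecurityDSig::XMLDSIGNS, 'X509Certificate')->length;
echo "X509Certificate elements attached: $n\n";
echo $doc->saveXML();
```

On the receiving side the CA certificate is what lets the verifier check the embedded signer certificate, so the verifier needs its own trusted copy of it rather than relying on the one shipped inside the signature.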

agente_mor

Nov 16, 2012, 1:13:33 PM
to xmlse...@googlegroups.com
Hi Rob,
Actually the certificate has the .cer format.
I was reading in
https://www.sslshopper.com/ssl-converter.html
that pem includes several formats (.crt, .cer, .key, .pem)
Does this mean that I can use the .cer format that has our certificate in the add509Cert method?
and it will work fine?
thanks
Mario

agente_mor

Nov 16, 2012, 1:26:40 PM
to xmlse...@googlegroups.com
Hi Rob, the same for the private key,
In the test example it is used

$objKey->loadKey('privkey.pem', TRUE);

can I use our key, with extension .key, like

$objKey->loadKey('instancia_imta_ope', TRUE);

and it will work ok?

If not, do you know a library for converting from .pem to .cer and .key?
thanks
Mario

Pada

Nov 16, 2012, 1:56:53 PM
to xmlse...@googlegroups.com
Hi Mario,

You can use openssl to convert X509 certificates between PEM and binary (.cert) formats.
You can also convert the private key format with OpenSSL. The private key can be stored in many different formats and it can also be password protected.

For example, to convert the X509 certificate from a .cert to a .pem file, use the following:
openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.pem

A nice GUI tool to use for certificates and private keys is the KeyTool Explorer java application. With OpenSSL you can pretty much do everything except for creating Java KeyStore files.

You can use '$objKey->loadKey('instancia_imta_ope', TRUE);' as long as instancia_imta_ope is PEM encoded.
If it is not in PEM format, you can try to convert it using:
openssl rsa -inform DER -in myprivatekey.key -outform PEM -out myprivatekey.pem

The most common OpenSSL commands can be found here: http://www.sslshopper.com/article-most-common-openssl-commands.html

Regards,
Chris

agente_mor

Nov 16, 2012, 2:20:20 PM
to xmlse...@googlegroups.com
Hi Pada,
I tried the following link
http://www.sslshopper.com/article-most-common-openssl-commands.html
trying to convert the format manually instead of inside php

but it generates a .crt extension
is this extension the same as .pem? If so, can I use it as:

$objDSig->add509Cert(file_get_contents('instancia_imta_ope.crt'));

Thanks
mario

Pada

Nov 16, 2012, 2:27:41 PM
to xmlse...@googlegroups.com
Hi Mario,

The extension doesn't matter. It is just the contents of the file that matter.
If you open the file with a text editor and you see "----BEGIN" in the first line, then it is a base64 encoded file (aka PEM encoding).
If you just see garbage in the text editor, then it is a binary file (most likely DER encoding).

The only extension that is usually correct is the .pem file extension, which should be an indication of whether the file is base64 encoded or not.

Regards,
Chris
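
The content check described in the reply above, written in PHP so it can run before a file is handed to loadKey or add509Cert. This is an added example, not code from the thread or from xmlseclibs; classifyEncoding() and derCertToPem() are hypothetical helper names, and the sample certificate is constructed on the fly.

```php
<?php
// Classify a certificate or key file by its content, not by its extension.
function classifyEncoding($bytes) {
    // PEM: an armor line such as "-----BEGIN CERTIFICATE-----" followed by base64.
    // The label tells you what is inside (CERTIFICATE, RSA PRIVATE KEY,
    // PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
    if (preg_match('/-----BEGIN ([A-Z0-9 ]+)-----/', $bytes, $m)) {
        return 'PEM (' . $m[1] . ')';
    }
    // DER: raw ASN.1. Certificates and private keys both start with a
    // SEQUENCE tag (0x30), which shows up as garbage in a text editor.
    if ($bytes !== '' && ord($bytes[0]) === 0x30) {
        return 'DER';
    }
    return 'unknown';
}

// Re-armor a DER certificate as PEM, the same transformation as
// `openssl x509 -inform DER -outform PEM`. openssl_x509_read() rejects
// input that is not actually an X.509 certificate.
function derCertToPem($der) {
    $pem = "-----BEGIN CERTIFICATE-----\n"
         . chunk_split(base64_encode($der), 64, "\n")
         . "-----END CERTIFICATE-----\n";
    if (openssl_x509_read($pem) === false) {
        throw new InvalidArgumentException('not a DER-encoded X.509 certificate');
    }
    return $pem;
}

// Constructed sample: a throwaway self-signed certificate, reduced to DER bytes.
$key = openssl_pkey_new(array('private_key_bits' => 2048));
$csr = openssl_csr_new(array('commonName' => 'constructed sample'), $key,
                       array('digest_alg' => 'sha256'));
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30,
                    array('digest_alg' => 'sha256')), $pemIn);
$der = base64_decode(preg_replace('/-----[^-]+-----|\s/', '', $pemIn));

echo classifyEncoding($pemIn), "\n";             // the PEM export
echo classifyEncoding($der), "\n";               // the same certificate as DER
echo classifyEncoding(derCertToPem($der)), "\n"; // DER converted back to PEM
```

The re-armoring shortcut applies to certificates only; a DER private key still has to go through openssl, because the PEM label depends on the key format and on whether the key is encrypted.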

agente_mor

Nov 16, 2012, 2:47:43 PM
to xmlse...@googlegroups.com
Hi Pada, thanks for your attention
I tried the line you sent previously

openssl rsa -inform DER -in instancia_imta_ope.key -outform PEM -out instancia_imta_ope.pem

but it sends a lot of errors
Are you sure it is the right syntax?
or could it be the linux we have, it is Ubuntu 12
Mario

agente_mor

Nov 16, 2012, 2:49:51 PM
to xmlse...@googlegroups.com
The errors are:

sergio@sergio-HP:~/Escritorio$ openssl rsa -inform DER -in instancia_imta_ope.key -outform PEM -out instancia_imta_ope.pem
unable to load Private Key
140020821833376:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140020821833376:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
140020821833376:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=version, Type=RSA
140020821833376:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
140020821833376:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140020821833376:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
140020821833376:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=version, Type=PKCS8_PRIV_KEY_INFO

what could be wrong?

Thanks
Mario

Pada

Nov 16, 2012, 2:53:01 PM
to xmlse...@googlegroups.com
Hi Mario,

Your key is probably already in PEM format. Just open the file and check if it is base64 encoded, in which case it should already be PEM encoded.

Alternatively run:
openssl rsa -inform PEM -in instancia_imta_ope.key -text

If that works, then it is already in PEM format.

Regards,
Chris

agente_mor

Nov 16, 2012, 4:52:22 PM
to xmlse...@googlegroups.com

Hi Pada, I open the .key file with notepad++ and it looks like:



So do I try what you said?
openssl rsa -inform PEM -in instancia_imta_ope.key -text ???
what is the -text for?
Thanks
Mario

Pada

Nov 16, 2012, 5:33:51 PM
to xmlse...@googlegroups.com
Hi Mario,

The "-text" argument tells openssl to output the key information to the terminal.

Your private key is stored in a binary format when it looks like that. Please don't post highly sensitive information here - like parts of your private key.

Unfortunately I can't tell you what type of private key that is from the binary values. My best guess is that it is a PKCS8 formatted one, in which case you can try to convert it as follows:
openssl pkcs8 -inform DER -in instancia_imta_ope.key -outform PEM -out instancia_imta_ope.pem

I would strongly suggest that you find yourself a book or reading material about cryptography in general and more specifically about public/private encryption and also file formats.

Regards,
Chris

agente_mor

Nov 16, 2012, 6:42:35 PM
to xmlse...@googlegroups.com
Ok Pada, will document myself better,
just let me tell you that I could execute without error the command

OpenSSL> pkcs8 -inform DER -in instancia_imta_ope.key PEM -out llave.pem
then I gave password:*****
then

it shows the block starting with the BEGIN .....

by reading the literature, I found that I have to run next the following:

OpenSSL> rsa -in llave.pem -out llave.txt -text -noout

Question: the file llave.txt, is the file .pem that I can insert in the $objKey->loadKey method, to continue the signing?
hope so

Thanks
Mario

ps. I noticed that the file llave.pem was not generated, that's the reason for the second command
OpenSSL>rsa -in ........ ????
